Unsupervised Learning: Episode 35


[ Subscribe to the Podcast: iTunes | Android ]


  • The hack of Mossack Fonseca has been tied to a breach of their WordPress install through a plugin called Revolution Slider, leading to the Panama Papers breach. So just to be clear, we may have just seen the biggest data leak ever, caused by a WordPress plugin. The plugin makes it easy by shipping a version file, which tells you whether a site is running a vulnerable version, and the vulnerability lets you upload arbitrary files, including web shells. Attackers were then able to pivot because the firm’s network infrastructure was flat and unprotected.

  • Critical new Flash bug

  • In related news, wordpress.com just enabled encryption on all their sites (not that it would have helped with the breach, mind you)

  • Government surveillance over most major cities | http://www.buzzfeed.com/peteraldhous/spies-in-the-skies | tricked-out Cessnas that constantly circle major cities; 70% less coverage on weekends and holidays

  • If you can’t break crypto, break the client | http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/ | WebKit parsing that’s vulnerable to attacker-supplied JavaScript

  • Microsoft has posted the roadmap for Windows 10 Business. It includes things like Edge extensions, Enterprise Data Protection, and multifactor auth for apps using Hello and Passport, plus file-level encryption to make data leak prevention better. Also more for Continuum, which lets a Windows phone connect to large monitors and peripherals to work like a computer (didn’t they cancel Windows phone?)

  • Application-layer Attacks Bypassing DDoS Protection | http://www.infoworld.com/article/3052882/security/massive-application-layer-attacks-could-defeat-hybrid-ddos-protection.html

  • First Windows 10 preview with Bash is out
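On the WordPress item above: the one thing a web shell dropped through a plugin upload bug cannot hide is a request that executes PHP from wp-content/uploads/, where WordPress only ever stores media. The script below is an added example, not from the show or from WordPress; it scans constructed Apache combined-format log lines for that signal and separates hits the server actually served from ones it blocked.

```python
"""Flag requests that execute PHP from WordPress' uploads directory.

Nothing under wp-content/uploads/ should ever run as PHP, so a .php request
in that tree is a strong signal that a web shell was uploaded via a plugin.
The log lines below are constructed samples, not from any real incident.
"""
import re
from urllib.parse import urlsplit

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2016:10:01:02 +0000] "GET /wp-content/uploads/2016/04/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Apr/2016:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "python-requests/2.9"
203.0.113.9 - - [03/Apr/2016:10:01:07 +0000] "GET /wp-content/uploads/2016/04/wp-cache.php?cmd=id HTTP/1.1" 200 388 "-" "python-requests/2.9"
198.51.100.4 - - [03/Apr/2016:10:02:00 +0000] "GET /wp-content/uploads/2016/04/wp-cache.php?cmd=id HTTP/1.1" 403 199 "-" "curl/7.47"
203.0.113.7 - - [03/Apr/2016:10:03:11 +0000] "GET /index.php?p=12 HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_php_under_uploads(target):
    """True when the request path (query string stripped) is a .php file under uploads."""
    path = urlsplit(target).path.lower()
    return path.startswith("/wp-content/uploads/") and path.endswith(".php")

def find_upload_php_hits(log_text):
    """Return every PHP-under-uploads request, marking whether the server served it (2xx)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_php_under_uploads(rec["target"]):
            rec["served"] = rec["status"].startswith("2")
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_upload_php_hits(SAMPLE_LOG):
        verdict = "EXECUTED" if h["served"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} ({verdict})')
```

A served hit means the shell ran and the host should be treated as compromised; the matching mitigation is to deny PHP execution under the uploads directory in the web server config so that every such request lands as a blocked hit instead.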

Exploring ideas

  • Conscientiousness as the Primary Hacker Attribute | https://danielmiessler.com/blog/conscientiousness-as-athe-primary-hacker-attribute/

  • Five ways to become immortal | https://danielmiessler.com/blog/5-increasingly-effective-ways-achieve-immortality/

Tools, talks, articles, papers, and projects

  • RepoSsessed | (still in progress)

  • The Perfect Exfiltration Technique | Talk at Hack in the Box in Amsterdam, by SafeBreach (by the way, I have no problem mentioning vendor names here, whether they’re talks or products or whatever. If I have any sort of relationship with the vendor that might compromise me, I’ll mention it)

  • 7 Insider Threat Profiles | http://www.darkreading.com/vulnerabilities—threats/7-profiles-of-highly-risky-insiders/a/d-id/1325045?_mc=RSS_DR_EDT

  • [ TOOL ] Guinevere is an automated security assessment reporting tool


  • How to Handle a Dip in Creativity | https://danielmiessler.com/blog/how-to-handle-a-dip-in-creativity-and-productivity/

  • Gum Disease Opens Body to Host of Infections | https://www.sciencenews.org/article/gum-disease-opens-body-host-infections | everything from arthritis to Alzheimer’s | 50% of US adults over 30 have gum disease; 6 times faster decline for Alzheimer’s patients who have gum disease vs. those who don’t; 2.5 times the risk of several cancers for nonsmokers with gum disease vs. those without

  • Top Hacker News Submissions from 2006-2015 | https://github.com/antontarasenko/smq/blob/master/reports/hackernews-top-submissions-by-year.md


  • The podcast is renamed

  • Going to try something new this episode and see if it sticks. I’m adding a new section to the show called Summary and Recommendations, which captures the main points of the show and tells you what you should do as a result. This comes out of my strong belief that when someone presents something to you, you should be asking what you’ll do differently as a result, and this section will try to make that explicit. We’ll see how it goes.

Summary and Recommendations

  1. If you use WordPress, use as few plugins as possible, and keep them updated

  2. Don’t run WordPress in a protected environment; assume it’s compromised and act accordingly

  3. When you’re thinking about crypto-secured data, remember to think not just about the algorithms and the keys that are used, but the client and server interfaces to handling the data, because those are likely to be far more vulnerable than the crypto itself

  4. Incorporate conscientiousness into your considerations of tester skill, both in yourself and those you are considering hiring

  5. Remember that insider threat doesn’t always mean the purely malicious kind; it can mean the oversharing and clueless types as well

  6. Update Flash/Java (this should be a weekly recommendation, only because it can’t be hourly)

  7. Keep an eye out for my RepoSsessed project that will launch soon

  8. Floss


  • Thank you for listening, see you next time

  • And if you like the show, please recommend it to your friends



  1. The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM.

  2. Please let me know what you think of the new show concept.