Serious About Security

Serious About Security Episode 68: Disabling Webcam Lights and a Presidential Panel Recommends Changes for the NSA

kaw@cerias.purdue.edu (Keith Watson) — Fri, 20 Dec 2013 22:56:38 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Research shows how MacBook Webcams can spy on their users without warning by Ashkan Soltani and Timothy B.Lee (The Washington Post), FBI’s search for ‘Mo,’ suspect in bomb threats, highlights use of malware for surveillance by Craig Timberg and Ellen Nakashima (The Washington Post), iSeeYou: Disabling the MacBook Webcam Indicator LED by Matthew Brocker and Stephen Checkoway (Technical Report 13-02, Department of Computer Science, Johns Hopkins University)
Liberty and Security in a Changing World by The President’s Review Group on Intelligence and Communications Technologies, White House panel recommends new limits on NSA surveillance by Ken Dilanian and Christi Parsons (Los Angeles Times), Obama Is Urged to Sharply Curb N.S.A. Data Mining by David E. Sanger and Charlie Savage (The New York Times), Obama review panel: strip NSA of power to collect phone data records by Dan Roberts and Spencer Ackerman (The Guardian), EFF Statement on President’s Review Group’s NSA Report by Rebecca Jeschke (The Electronic Frontier Foundation)

Serious About Security Episode 67: Dial 00000000 for Launch and French Government Attempts to be Google

kaw@cerias.purdue.edu (Keith Watson) — Fri, 13 Dec 2013 07:36:55 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

For Nearly Two Decades the Nuclear Launch Code at All Minuteman Silos in the United States was 00000000 by Karl Smallwood (Today I Found Out), ‘Secret’ Nuclear Missile Launch Code During Cold War Was ‘00000000’ by Ryan Grenoble (The Huffington Post), Zero protection from nuclear code by Oliver Burkeman (The Guardian), Keeping Presidents in the Nuclear Dark by Bruce Blair (Bruce Blair’s Nuclear Column), For nearly 20 years, the launch code for US nuclear missiles was 00000000 by Lisa Vaas (nakedsecurity blog), Permissive Action Links by Steven M. Bellovin
Further improving digital certificate security by Adam Langley (Google Online Security Blog), Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France by Paul Ducklin (nakedsecurity blog), Google catches French finance ministry pretending to be Google by David Meyer (GigaOM)

Serious About Security Episode 66: Forward Secrecy and Botnet Gathered Passwords

kaw@cerias.purdue.edu (Keith Watson) — Sat, 07 Dec 2013 06:27:03 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Forward Secrecy (Wikipedia), Twitter Enables Perfect Forward Secrecy Across Sites To Protect User Data Against Future Decryption by Matthew Panzarino (TechCrunch), Forward Secrecy at Twitter by Jacob Hoffman-Andrews (Twitter Engineering Blog), Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection by Parker Higgins (EFF Deeplinks Blog)
Google, Facebook, payroll accounts targeted in major password theft, security experts say by Hayley Tsukayama (The Washington Post), 2 Million Stolen Facebook, Yahoo And Google Passwords Posted Online by Alexis Kleinman (The Huffington Post), Look What I Found: Moar Pony! by Trustwave SpiderLabs

Serious About Security Episode 65: Yahoo! Encrypts and Healthcare.gov Has Some Security Issues

kaw@cerias.purdue.edu (Keith Watson) — Thu, 21 Nov 2013 04:26:58 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Our Commitment to Protecting Your Information by Marissa Mayer (Yahoo!), After N.S.A. Disclosures, Yahoo Moves to Encrypt Internal Traffic by Nicole Perlroth (NY Times Bits Blog), Yahoo Will Follow Google In Encrypting Data Center Traffic, Customer Data Flow By Q1 ’14 by Matthew Panzarino (TechCrunch), Google encrypts data amid backlash against NSA spying by Craig Timberg (The Washington Post)
Expert to warn Congress of HealthCare.gov security bugs by Reuters, Hackers throw 16 attacks at HealthCare.gov plus a DoS for good measure by Lisa Vaas (nakedsecurity blog), Healthcare.gov ‘may already have been compromised,’ security expert says by FoxNews.com

Serious About Security Episode 64: Facebook Warns Adobe Users and IE 0-day Injects Payload into Memory

kaw@cerias.purdue.edu (Keith Watson) — Fri, 15 Nov 2013 08:18:54 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Facebook Warns Users After Adobe Breach by Brian Krebs (Krebs on Security), Facebook mines Adobe breach data for reused passwords, warns users to change them or disappear by Liam Tung (ZDNet), Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder by Paul Ducklin (naked security blog)
IE zero-day exploit disappears on reboot by Shona Ghosh (PC Pro), IE Zero Day Watering Hole Attack Injects Malicious Payload into Memory by Michael Mimoso (threat post)

Serious About Security Episode 63: The badBIOS Controversy and the NSA taps Google and Yahoo!

kaw@cerias.purdue.edu (Keith Watson) — Sun, 10 Nov 2013 23:08:35 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Keith Watson, CISSP-ISSAP, CISA

Articles

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps by Dan Goodin (Ars Technica), badBIOS by Bruce Schneier (Schneier on Security), Security researcher says new malware can affect your BIOS; communicate over the air by Ian Paul (PCWorld), ‘BadBIOS’ System-Hopping Malware Appears Unstoppable by Marshall Honorof (Tom’s Guide), The badBIOS Analysis Is Wrong. by Phillip Jaenke
NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say by Barton Gellman and Askan Soltani (Washington Post), How the NSA’s MUSCULAR tapped Google’s and Yahoo’s private networks by Sean Gallagher (Ars Technica), How we know the NSA had access to internal Google and Yahoo cloud data by Barton Gellman, Askkan, and Andrea Peterson (Washington Post)

Serious About Security Episode 62: Steps to Avoid Internet Surveillance and Big Corp Social Engineering Fails

kaw@cerias.purdue.edu (Keith Watson) — Fri, 01 Nov 2013 23:57:47 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Ten Steps You Can Take Right Now Against Internet Surveillance by Danny O’Brien (EFF)
Major Corporations Fail to Defend Against Social Engineering by Michael Mimoso ()

Serious About Security Episode 61: iCloud Insecurity and Avoid the Hacker Title

kaw@cerias.purdue.edu (Keith Watson) — Fri, 25 Oct 2013 06:32:54 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Apple’s iCloud iConundrum - does convenience mean insecurity? by Chester Wisniewski (nakedsecurity), Cracking and Analyzing Apple’s iCloud Protocols by Vladimir Katalov (Hack in the Box Malaysia)
Call yourself a ‘hacker’, lose your 4th Amendment right against seizures by John Leyden (The Register), Call Yourself A Hacker, Lose Your 4th Amendment Rights by Dale Peterson (Digital Bond), Battelle Energy Alliance, LLC v. Southfork Security, Inc. et al

Serious About Security Episode 60: Let’s Audit Truecrypt and Beware of Ransomware

kaw@cerias.purdue.edu (Keith Watson) — Fri, 18 Oct 2013 05:45:02 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Keith Watson, CISSP-ISSAP, CISA

Articles

Is Truecrypt Audited Yet?, The TrueCrypt Audit Project, New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks by Cyrus Farivar (Ars Technica), Let’s audit Truecrypt! by Matthew Green (A Few Thoughts on Cryptographic Engineering)
Destructive malware “CryptoLocker” on the loose - here’s what to do by Paul Ducklin (nakedsecurity), CryptoLocker Ransomware Information Guide and FAQ by Lawrence Abrams (bleepingcimputer.com)

Serious About Security Episode 59: Tor Stinks According to the NSA and Microsoft Follows Yahoo!

kaw@cerias.purdue.edu (Keith Watson) — Sat, 12 Oct 2013 05:54:28 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Attacking Tor: how the NSA targets users’ online anonymity by Bruce Schneier (The Guardian), NSA and GCHQ target Tor network that protects anonymity of web users by James Ball, Bruce Schneier and Glenn Greenwald (The Guardian), ‘Tor Stinks’ presentation – read the full document on The Guardian
Is Microsoft recycling old Outlook.com and Windows Live email accounts? by Lee Munson (nakedsecurity blog), Microsoft is quietly recycling Outlook email accounts by Andreas Udo de Haes (PC World)

Serious About Security Episode 58: Kids Crack iPad Security and Circle Security Avoids NIST Crytpo

kaw@cerias.purdue.edu (Keith Watson) — Fri, 04 Oct 2013 21:11:31 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Students Find Ways To Hack School-Issued iPads Within A Week by Sam H. Sanders (NPR), LAUSD halts home use of iPads for students after devices hacked by Howard Blume (LA Times)
Silent Circle Moving Away from NIST Ciphers In Wake of NSA Revelations by Dennis Fisher (threatpost)

Serious About Security Episode 57: Follow-ups on Java, Yahoo! recycling email addresses, and iPhone 5s fingerprint sensor

kaw@cerias.purdue.edu (Keith Watson) — Mon, 30 Sep 2013 05:03:37 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Oracle Java fails at security in new and creative ways by Chester Wisniewski (nakedsecurity blog)
Recycled Yahoo email addresses still receiving messages for previous owners - passwords included by Lee Munson (nakedsecurity blog)
Chaos Computer Club claims to have “cracked” the iPhone 5s fingerprint sensor by Paul Ducklin (nakedsecurity blog), Is Touch ID Hacked Yet?

Serious About Security Episode 56: Apple’s iPhone 5S has a fingerprint reader

kaw@cerias.purdue.edu (Keith Watson) — Sun, 22 Sep 2013 19:10:29 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

iPhone fingerprint scanner sparks privacy worries by Charlie Osborne (CNet), Fingerprint-Reading IPhone Seen as Protection Against NSA by Todd Shields & Allan Holmes (Bloomberg), How secure is your iPhone 5S fingerprint? by Brandon Griggs (CNN), Is Touch ID Hacked Yet?

Serious About Security Episode 55: The NSA allegedly weakens and attacks cryptography

kaw@cerias.purdue.edu (Keith Watson) — Sat, 14 Sep 2013 01:28:32 +0000

Youtube

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security by Jeff Larson (ProPublica), Nicole Perlroth and Scott Shane (The New York Times), Revealed: how US and UK spy agencies defeat internet privacy and security by James Ball, Jullian Borger and Glenn Greenwald (The Guardian), N.S.A. Able to Foil Basic Safeguards of Privacy on Web by Nicole Perlroth, Jeff Larson and Scott Shane (The New York Times), How The NSA Revelations Are Hurting Businesses by Kashmir Hill (Forbes), NSA shares raw intelligence including Americans’ data with Israel by Glenn Greenwald, Laura Poitras and Ewen MacAskill (The Guardian)

Serious About Security Episode 54: Password Complexity and Apple Products Have Trouble with Six Arabic Characters

kaw@cerias.purdue.edu (Keith Watson) — Sun, 01 Sep 2013 06:01:43 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Anatomy of a brute force attack - how important is password complexity? by Paul Ducklin (nakedsecurity blog), How Important is Password Complexity by Brien Posey (Redmond Magazine)
Apple apps turned upside down writing right to left - you’re only 6 characters from a crash! by Paul Ducklin (nakedsecurity blog), Rendering bug crashes OS X, iOS apps with string of Arabic characters (Updated) by Andrew Cunningham and Dan Goodin (Ars Technica)

Serious About Security Episode 53: US Email Providers Close and Facebook Founder’s TImeline Hacked

kaw@cerias.purdue.edu (Keith Watson) — Thu, 22 Aug 2013 01:17:38 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

To Our Customers by Silent Circle, Silent Circle follows Lavabit in shuttering encrypted e-mail by Steven Musil (CNet), Important Announcement by Ladar Levison (Lavabit LLC), Edward Snowden has applied for asylum in Russia Live Blog from Global Post, Forced Exposure ~pj by Pamela Jones (Groklaw)
Security Researcher Hacks Mark Zuckerberg’s Wall To Prove His Exploit Works by Greg Kumparak (TechCrunch), Mark Zuckerberg’s own Facebook timeline hacked by Palestinian researcher by Lee Munson (nakedsecurity blog)

Serious About Security Episode 52: Blackhat and DEFCON Review

kaw@cerias.purdue.edu (Keith Watson) — Thu, 15 Aug 2013 17:48:50 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

iPhone Hacked in Under 60 Seconds Using Malicious Charger by David Gilbert (International Business Times), Apple Fixes Threat from Fake iPhone Chargers in iOS 7 by Bryan Chaffin (the Mac Observer), Apple fixes Malicious Charger Hack in iOS 7 (iPhone Hacks)
Black Hat: Ad networks lay path to million-strong browser botnet by Paul F. Roberts (IT World)
Samsung Smart TV: Like A Web App Riddled With Vulnerabilities by Paul (the security ledger)

Serious About Security Episode 51: The Feds Hate Criminals using Tor and The Twitter Two-Step (Auth)

kaw@cerias.purdue.edu (Keith Watson) — Fri, 09 Aug 2013 06:15:25 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP

Articles

Feds Are Suspects in New Malware That Attacks Tor Anonymity by Kevin Poulsen (Wired), Freedom Hosting arrest and takedown linked to Tor privacy compromise by John Hawes (nakedsecurity blog)
Take two: Twitter drops SMS for private keys stored on Android or iPhone smartphones, adds previously missing recovery capability by Mathew J. Schwartz (Information Week), Twitter hardens two-factor authentication with app-based secure logins by Neil McAllister (The Register), New Twitter Login Verification System Avoids SMS Codes by Dennis Fisher (threatpost)

Serious About Security Episode 50: Data Breaches Galore!

kaw@cerias.purdue.edu (Keith Watson) — Thu, 01 Aug 2013 22:06:25 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Personal data on 72,000 staff taken in University of Delaware hack by John Hawes (nakedsecurity blog), Stanford University hacked, becomes latest data breach victim by John Hawes (nakedsecurity blog), Stanford University Is Investigating An Apparent Security Breach, Urges Community To Reset Passwords by Billy Gallagher (Tech Crunch), University of Massachusetts Announces Data Breach by Gabriel Perna (Healthcare Informatics), University of Virginia Admits Data Breach by Jeff Goldman (eSecurity Planet)

Serious About Security Episode 49: Apple Developer Site Hacked and Tumblr iOS Shared Their Passwords!

kaw@cerias.purdue.edu (Keith Watson) — Thu, 25 Jul 2013 19:20:29 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Apple Developer Site Breached InfoSecurity Magazine, Apple takes Dev Center down for days, finally admits, “We got owned!” by Paul Ducklin (nakedsecurity blog), Researcher claims responsibility for security breach at Apple Developer website by Lucian Constantin (PCWorld)
D’OH! Use Tumblr on iPhone or iPad, give your password to the WORLD by John Leyden (The Register), Tumblr’s iOS fix for clear-text password login howler was WEEKS LATE by John Leyden (The Register), Tumblr security lapse - iPhone and iPad users update your passwords now! by Lee Munson (nakedsecurity blog)

Serious About Security Episode 48: Android App Packaging has a Hole and There’s Big Business in Exploits

kaw@cerias.purdue.edu (Keith Watson) — Wed, 17 Jul 2013 00:55:45 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Anatomy of a security hole - Google’s “Android Master Key” debacle explained by Paul Ducklin (nakedsecurity blog), Relax: Google, Carriers Patching Android “Master Key” Exploit by Kevin Parrish (Tom’s Hardware), Uncovering Android Master Key that Makes 99% of Devices Vulnerable by Jeff Forristal, Bluebox CTO (Bluebox blog)
Nations Buying as Hackers Sell Flaws in Computer Code by Nicole Perlroth and David E. Sanger (NY Times), VUPEN Services, Business Is Booming In the ‘Zero-Day’ Game on Slashdot

Serious About Security Episode 47: Club Nintendo has Hacked Accounts and the Emergency Alert System has a flaw

kaw@cerias.purdue.edu (Keith Watson) — Thu, 11 Jul 2013 02:15:23 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Nintendo cracks after month-long, 15.5 million-strong hacker bombardment by Lisa Vaas (nakedsecurity blog), Nintendo’s fan site hit by illicit logins, 24,000 accounts accessed by Jay Alabaster (Network World)
IOActive Security Advisory: DASDEC Vulnerabilities by IOActive and Mike Davis, Monroe Electronics DASDEC Compromised Root SSH Key by ICS-CERT, Did brainless flaw in US Emergency Alert System lead to epic zombie attack warning? by Lisa Vaas (nakedsecurity blog), Root SSH Key Compromised in Emergency Alerting Systems by Steve Ragan (Security Week)

Serious About Security Episode 46: Privacy Tools!

kaw@cerias.purdue.edu (Keith Watson) — Wed, 03 Jul 2013 06:09:11 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Keith Watson, CISSP-ISSAP, CISA

Tools

Tor
Using Tor and other means to hide your location piques NSA’s interest in you
VPN Services That Take Your Anonymity Seriously, 2013 Edition
Private Internet Access, VPN Service (used by Preston)
BoxCryptor Classic
TrueCrypt
BotTorrent Sync
Gibberbot
Cryptocat
Pidgin and the Off-the-Record Messaging Plugin

Serious About Security Episode 45: Facebook leaks and Microsoft pays out!

kaw@cerias.purdue.edu (Keith Watson) — Wed, 26 Jun 2013 06:08:51 +0000

Google+ Hangout

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP
Keith Watson, CISSP-ISSAP, CISA

Articles

Important Message from Facebook’s White Hat Program by Facebook Security (Facebook), Facebook issues data breach notification - may have leaked your email and phone number by Paul Ducklin (nakedsecurity blog), Facebook squashes bug that exposed e-mail addresses for 6 million users by Dan Goodin (Ars Technica)
New Bounty Program Details by swiat (Microsoft Security Research & Defense blog), Microsoft Launches $100K Bug Bounty Program by Kim Zetter (Wired), Microsoft ready to cough up (potentially big!) bounty bucks for bugs by Lisa Vaas (nakedsecurity blog)

Serious About Security Episode 44: Yahoo! to kick out deadbeat users and the FDA offers medical device guidance

kaw@cerias.purdue.edu (Keith Watson) — Thu, 20 Jun 2013 06:06:33 +0000

Youtube video

Show Notes

Hosts

Preston Wiley, CISSP, CCNA
Mike Hill, CISSP

Articles

Yahoo’s going to boot us off our deadbeat accounts, but who is going to grab them? by Lisa Vaas (nakedsecurity blog), Yahoo tries to breathe life into dead pool of email accounts by offering IDs to newcomers by The Associated Press (Yahoo! News)
US FDA calls on medical device makers to focus on cybersecurity by Grant Gross (Network World), FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks by the Food and Drug Administration, Probing Insulin Pumps For Vulnerabilities by Soulskill (Slashdot), Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff by the Food and Drug Administration