Monday, September 25, 2023

7 Minute Security

7MS #590: Hacking Billy Madison – Part 2

Today Paul and I continued hacking Billy Madison (see part one here) and learned some interesting things:

You can fuzz a URL for a specific file extension using a format like this:

    wfuzz -c -z file,/root/Desktop/wordlist.txt --hc 404 http://x.x.x.x/FUZZ.cap

To rip .cap files apart and make them "pretty" you can use tcpick:

    tcpick -C -yP -r tcp_dump.pcap

Or tcpflow:

    apt install tcpflow
    tcpflow -r tcp_dump.pcap

To do port knocking, you can use the knock utility:

    sudo git clone /opt/knock
    knock 21 23 25 69 444 7777777
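To make the port-knocking step concrete, here is an added example (my own code, not from the 7MS episode or the knock project) that models both sides of a knock: a knockd-style tracker that keeps per-source progress through a secret sequence, resets on a wrong port or an expired window, and "opens" the protected port only when the whole sequence arrives in order; plus a small client that sends the knocks as TCP connect attempts, which is all the knock utility does (its syntax is `knock <host> <port> [<port> ...]`, so the host goes before the port list). The sequence, source addresses and event list below are constructed for the demo; ports must be 1 to 65535.

```python
"""Port-knocking tracker and client (added example, not the 7MS show's code)."""
import socket
import time

# Constructed example sequence; in practice it is a shared secret between
# the knock daemon and the person who needs the port opened.
SEQUENCE = [21, 23, 25, 69, 444, 7777]
WINDOW_SECONDS = 10.0  # whole sequence must arrive within this window


class KnockTracker:
    """Server-side state: how far each source IP has got through SEQUENCE."""

    def __init__(self, sequence=SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = list(sequence)
        self.window = window
        self.progress = {}  # src -> (index of next expected port, time of first knock)
        self.opened = set()  # sources that completed the sequence

    def knock(self, src, port, now):
        """Record one SYN from src to port at time now; return True when it opens."""
        idx, started = self.progress.get(src, (0, now))
        if now - started > self.window:
            idx, started = 0, now  # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened.add(src)
                self.progress.pop(src, None)
                return True
            self.progress[src] = (idx, started)
        else:
            # Wrong port resets progress; a wrong port that happens to be the
            # first in the sequence counts as a fresh start.
            self.progress[src] = (1, now) if port == self.sequence[0] else (0, now)
        return False


def replay(tracker, events):
    """Feed (time, src, port) events through the tracker; return opened sources."""
    for now, src, port in events:
        tracker.knock(src, port, now)
    return sorted(tracker.opened)


def send_knocks(host, ports, delay=0.2, timeout=0.5):
    """Client side: what `knock host p1 p2 ...` does. The connects are expected
    to be refused or time out; the daemon only watches the incoming SYNs."""
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            pass  # closed port: refused immediately, which is fine
        finally:
            sock.close()
        time.sleep(delay)


# Constructed traffic: 10.0.0.5 knocks correctly; 10.0.0.9 gets the order wrong.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 21),
    (0.3, "10.0.0.9", 21),
    (0.5, "10.0.0.5", 23),
    (0.8, "10.0.0.9", 80),
    (1.0, "10.0.0.5", 25),
    (1.2, "10.0.0.5", 69),
    (1.4, "10.0.0.5", 444),
    (1.6, "10.0.0.5", 7777),
    (2.0, "10.0.0.9", 23),
]

if __name__ == "__main__":
    print("opened for:", replay(KnockTracker(), SAMPLE_EVENTS))
    # Against a real daemon you would then run, for example:
    # send_knocks("x.x.x.x", SEQUENCE) and retry the protected port.
```

The per-source state is what keeps one scanner's noise from interfering with another client's knock, and the reset-on-wrong-port rule is why a plain nmap sweep (which hits ports in scan order, not the secret order) never opens the door.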

7MS #589: Tales of Pentest Pwnage – Part 51

In today's tale of pentest pwnage we talk about:

The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure.

Copying files via WinRM when copying over SMB is blocked:

    $sess = New-PSSession -ComputerName SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential *

...then provide your creds... and then:

    Copy-Item C:\superimportantfile.doc -Destination C:\my-local-hard-drive\superimportantfile.doc -FromSession $sess

If you come across PowerShell code that crafts a secure string credential, you may be able to decrypt the password variable with:

    [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MyVarIWantToDecryptGoesHere))

Brakeing Down Security

Nicole Sundin – CPO at Axio – SEC compliance, usable security, setting up risk mgmt programs

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views...

John Aron, letters of marque, what does a “junior” job look like with AI?



Cyber Security Interviews

#126 – Douglas Brush (Part 4): Dollars and Cents, Not Bytes

This is the 4th part of the podcast's return after a brief hiatus. Daniel Ayala continues his interview of me. In this fourth part, we will discuss my first forensic litigation case, the importance of data governance, the myth of cyber, why I am tired of cybersecurity conferences, and so much more!

#125 – Douglas Brush (Part 3): What is a Special Master?

This is the 3rd part of the podcast's return after a brief hiatus. Daniel Ayala continues his interview of me. In this third part, we will discuss what I am doing as a Special Master and Court Appointed Neutral, the reasons I think there will be a continued convergence of legal, cybersecurity, and data privacy, why I decided to start another consulting firm, data valuation, and so much more!

Darknet Diaries

137: Predator

A new type of mercenary spyware came on the radar called Predator. It'll infect a mobile phone, and then suck up all the data from it. Contacts, text messages, location, and more. This malware is being sold to intelligence agencies around the world. In this episode we hear from Crofton Black at Lighthouse Reports, who spent 6 months with a team of journalists researching this story, which was published here. We also hear from Bill Marczak and John Scott-Railton from Citizen Lab. If you want to hear about other mercenary spyware, check out...

136: Team Xecutor

Team Xecutor was a group involved with making and selling modchips for video game systems. They often made mods that allowed the video game system to rip games or play pirated games. It was a crowd favorite in the modding scene. Until it all fell apart. The story of what happened to Team Xecutor must be heard to be believed. This episode features Gary Bowser. You can find more about Gary here. Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide...

Defensive Security

Down The Security Rabbithole

Open Source Security

Episode 394 – The lie anyone can contribute to open source

Josh and Kurt talk about filing bugs for software. There's the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can't. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it's something that can be actionable. Show Notes ...

Episode 393 – Can you secure something you don’t own?

Josh and Kurt talk about the weird world we live in, where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how we can decide what to trust and where. It's a very strange problem we experience now. Show Notes: Boots theory; MGM cybersecurity issue shuts down slot machines and ATMs...

Episode 392 – Curl and the calamity of CVE

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works. Show Notes Curl blog post Now it's PostgreSQL's turn to have a bogus CVE GitHub Advisory Database Josh's "CVE...

OWASP 24/7

ep2023-08 Finding Next Gen Cybersecurity Professionals with Brad Causey

For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who has taken one approach he's found successful. We cover the trade-offs of his approach and how, should you agree with him, you can help fill those troubling vacancies at your company. Show Links: - SecurIT360 - Offensive Security Blog

ep2023-07 What’s Audit got to do with IT

In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit. We discover answers to a number of questions: What role does audit play in the overall cybersecurity of an organization? What does the CISO gain from having an audit function? What makes a good auditor? Learn how to get the most out of audit and what they bring to the table. Special thanks to Tina Turner for inspiring the show title. 😉 Show Links: - Zain Haq:

Purple Squad Security

Risky Business

Snake Oilers: Sublime Security, Vulncheck and Devicie

In this edition of Snake Oilers you’ll hear product pitches from: Sublime Security: e-mail security for people who want to tune their detections Vulncheck: Provides vulnerability intelligence to governments, large enterprises and vendors Devicie: Manage your devices with Intune without pulling your hair out ...

Risky Business #722 — Microsoft embraces Zero Trust… Authentication?

On this week’s show Patrick Gray, Adam Boileau and Lina Lau discuss the week’s security news. They cover: Microsoft’s 38TB oopsie; MGM’s Okta compromised (was this what Okta was warning us about?); why we need a cyber knife fight; Google Authenticator sync abused in the wild; much, much more. This week’s show is brought to you by Push Security. Co-founder Adam Bateman is this week’s sponsor guest. Links...


ISC StormCast for Monday, September 25th, 2023

Scanning for Laravel - a PHP Framework for Web Artisans

ISC StormCast for Thursday, September 21st, 2023

What's Normal? DNS TTL Values; CISA Highlights Snatch Ransomware

Security Now

SN 940: When Hashes Collide – Secure-wipe best practices, browser identity segregation, bye bye Twitter (X)

Last week's news about evidence of LastPass vault decryption targeting cryptocurrency keys, and the UK's backing down on its encryption monitoring legislation. How hardware security modules (HSMs) allow cryptographic operations like code signing without exposing private keys. Browser identity segregation using multiple profiles rather than separate browsers. Requirements and best practices for securely wiping data from modern solid state drives. A countdown clock for the 32-bit UNIX time rollover in the year 2038. Steve's plan to move off Twitter and onto email lists for Security Now communication. A deep dive into cryptographic hash collisions, using fewer hash bits,...

SN 939: LastMess – Online Safety Bill, Microsoft Outlook breach details, auto brand data privacy

UK government appears to back down on demands to break encryption in Online Safety Bill. Microsoft reveals how China-based hackers acquired the secret key used to breach Outlook accounts; multiple flaws allowed the key to improperly leave a highly secure environment. Mozilla research finds all major auto brands fail on privacy protection. Evidence suggests LastPass encrypted vault data is being decrypted: researchers tie $35M in crypto thefts to compromised LastPass accounts; brute force is feasible on old, low-iteration-count passwords. Show Notes - Hosts: Steve Gibson and Jason Howell. Download or subscribe to this show at Get episodes ad-free...

Security Weekly

2024 Security Planning, Better Tabletop Exercises – Merritt Maxim, Ryan Fried – ESW #332

Forrester Research releases a few recurring annual cybersecurity reports, but one of the biggest, and the one that covers the most ground, is the Security Risk Planning Guide, which was recently released for 2024. One of the report's 17 authors, research director Merritt Maxim, will walk us through the report's most interesting insights and highlights. This should be particularly interesting given some of this year's trends impacting security teams: an economic downturn, resulting in layoffs and budget freezes; the widespread proliferation of generative AI technology; the relentless and resilient nature of cybercrime, despite some notable law enforcement wins...

Passkeys, bots, hotels, conning the con, TrendMicro, Pizza & Aaran Leyland – SWN #327

This week on the Security Weekly News: Passkeys, bots, hotels, conning the con, TrendMicro, Pizza, Aaran Leyland, & more! Visit for all the latest episodes! Follow us on Twitter: Like us on Facebook: Show Notes:

Shared Security

Content Creation, Mental Health in Cyber, The MGM Ransomware Attack

In this episode Matt Johansen, Security Architect at Reddit and Vulnerable U newsletter and YouTube content creator, joins host Tom Eston to discuss Matt’s background as one of the original “Security Twits”, his career journey, his passion for mental health advocacy, the significance of the recent MGM ransomware attack, and the pros and cons of paying ransoms. Links mentioned on the show: Follow Matt on X (aka Twitter); Follow Matt on LinkedIn; Vulnerable U Newsletter and YouTube Channel; Threat...

The Changing Role of the CISO with Ryan Davis, Chief Information Security Officer at NS1

In this episode Ryan Davis, Chief Information Security Officer at NS1, speaks with host Tom Eston about the changing role of the CISO, acquisitions, what the biggest challenges are, and Ryan’s advice for those considering a career as a CISO. This is one episode you don’t want to miss if you’re curious what a CISO does, thinking about becoming one, or currently a CISO yourself. Links mentioned on the show: Connect with Ryan on LinkedIn. Watch this episode on...

Smashing Security

Heated seats, car privacy, and Graham’s porn video

Do you know what data your car is collecting about you? Do you think it's right for a car manufacturer to collect a subscription to keep your bottom warm? And just why has YouPorn sent an email to Graham about his sex video? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Andrew Agnês. Warning: This podcast may contain nuts, adult themes, and rude language. Episode links: Yikes! My sex video has been uploaded to YouPorn, apparently - Graham...

Bitcoin boo-boo, deepfakes for good, and time to say goodbye to usernames?

Deepfakes are being used for good (perhaps), common usernames could pose a security threat, and someone has paid a $500,000 fee... just to send $1,865. Oh, and our guest mentions Mr Blobby (to the horror of the show's hosts...). All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner. Warning: This podcast may contain nuts, adult themes, and rude language. Episode links: Tweet by Jameson Lopp. Bitcoin user’s costly error leads to record transaction fee of $510,000 - Cryptoslate. Root Admin User: When...


S3 Ep149: How many cryptographers does it take to change a light bulb?

Miss Manners confronts copy-and-paste. WinRAR patches bugs. When Airplane mode isn't. How many cryptographers to change a light bulb? With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge. Email questions and suggestions to:

S3 Ep148: Remembering crypto heroes

Navajo Code Talkers Day. Beta bogosities. Skimming shenanigans. Hooligan hosting. A cybercrime conundrum. With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge. Email questions and suggestions to:

S3 Ep147: What if you type in your password during a meeting?

An amazing Art Deco computer. Yet more performance-versus-security trouble. Is sound alone enough to sniff out your password? A rap song (of sorts) with a cybersecurity connection. With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge. Email questions and suggestions to:

Southern Fried Security

The CyberJungle

The CyberWire

Threat intelligence discussion with Chris Krebs. [Special Edition]

In this extended interview, Simone Petrella sits down with Chris Krebs of the Krebs Stamos Group at the mWise 2023 Cybersecurity Conference to discuss threat intelligence.

Merritt Baer: No one has to go down for you to go up. [CISO] [Career Notes]

This week our guest is Merritt Baer, a Field CISO from Lacework and a cloud security unicorn, who sits down to share her incredible story of working through the ranks to get to where she is today. Before working at Lacework, Merritt served in the Office of the CISO at Amazon Web Services,...

The Silver Bullet

The Social-Engineer


Troy Hunt Weekly

Weekly Update 366

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite

Well that's it, Europe is done! I've spent the week in Prague with highlights including catching up with Josef Prusa, keynoting at Experts Live EU and taking a "beer spa" complete with our own endless supply of tap beer. Life is good 🍻

"That’s it - we’ve peaked - life is all downhill from here 🤣 🍻 #BeerSpa" — Troy Hunt (@troyhunt) September 21, 2023

That and more in this week's video, next week I'll come to you from...

Weekly Update 365

Presently sponsored by: 1 in 3 families have been affected by fraud. Secure your personal info with Aura’s award-winning identity protection. Start free trial.

It's another week of travels, this time from our "second home", Oslo. That's off the back of 4 days in the Netherlands and starting tomorrow, another 4 in Prague. But today, the 17th of September, is extra special 😊

"1 year today ❤️" — Troy Hunt (@troyhunt) September 17, 2023

I'll be going out and celebrating accordingly as soon as I get this post published so I'll be brief: enjoy this week's video!

References

Sponsored by: 1 in 3...

Unsupervised Learning

UL NO. 399: Wisdom Extraction From Any Text, Vegas Gets Cyber Jesus, AI Creativity Performance, Pentagon Cyber Strategy…

This week we talk about how I extract manual-quality wisdom from any text/transcript, what I learn from biographies, 25 lessons in 17 years of infosec, and tons of new tools and projects. 📢 Sponsored by - scales with your business, helping you enter new markets, land bigger deals, and earn customer loyalty. 📢 Sponsored by Moonlock — cybersecurity wing of MacPaw. Developers of the antimalware tech in CleanMyMac X — Moonlock Engine. Become a Member: for privacy...

UL NO. 398: Storm Vuln Stacking, CloudRecon, The S-Tier Guide to AI Whispering, Full-body MRIs…

Explore the explosive separation of society into the Thriving 10% vs. the Suffering 90%, how AI is becoming an integral part of our brains, and how to defend your family's privacy. 📢 Sponsored by Vanta. Building a SaaS business? Get ready for the compliance questions! 📈 Achieving SOC 2, ISO 27001, or HIPAA compliance can be a game-changer, but it's often tough. Automate up to 90% of the work, save time & money, and scale effortlessly. Become a Member:...

UL NO. 397: Propaganda in a Box, Glacier-like Security, AGI by 2028?, Ancient Wisdom via AI, and Newsletter Differentiation

🎥 Embracing Short-Form Video Creation
🔬 Piping into Portscanner: A Guide
📚 Long/Slow Content: The UL Book of the Month
🛡️ Defensive Security: A Glacier's Pace
🧠 Predicting AGI Attainment by 2025-2028
📜 Timeless Concepts from Ancient Myths
📰 Russian Impersonation Disinformation Exposed
🤖 AI Disinformation: Counteracting Propaganda
👗 Forever 21 Data Breach: Half a Million Impacted
🚗 Automotive Hacking Contest: Pwn2Own Automotive
🍏 Apple's Private Access Tokens: A Sneak Peek
📡 WiFi Vision Surveillance: Tracking Living Beings
🔭 Tool & Article Discovery
➡️ The Recommendation of...