@jonsakoda is a great interviewer. We went deep and way back. “How Hackers Became the Celebrities of Cybersecurity” - The Decibel Podcast: Founders Helping Founders
We've lost a true pioneer of the digital world, Kevin Mitnick. His ingenuity challenged systems, incited dialogues, and pushed boundaries in cybersecurity. He will remain a testament to the uncharted power of curiosity.
#RIPKevinMitnick
@sifutweety pointed out that the fact that this is getting so many retweets is a credit to infosec education -- everyone knows this is a stupid idea.
"There are nearly 600K unfilled cybersecurity jobs in the U.S. right now, and about 3.5M open roles globally, says Lisa Gevelber, Google’s chief marketing officer for the Americas"
This is because all the openings are entry level positions requiring 5 yrs experience.
"Password expiration requirements do more harm than good, because these requirements make users select predictable passwords"
Thank you Microsoft. NIST agrees. Everyone who attacks password auth agrees. Can we get compliance to update their requirements?
An infrastructure bill should include funding for cybersecurity. The internet is critical infrastructure for public and private realms in the 21st century.
20 years ago today 7 hackers from the L0pht testified about cyber security on Capitol Hill. @spacerog, @joegrand, @WeldPond & @dotMudge will return on 5/22/18 to discuss what has improved and what hasn’t.
The patched version of log4j 2.15.0 requires a minimum of Java 8. If you are on Java 7 you will need to upgrade to Java 8.
When there is active exploitation and you need to patch fast it is beneficial if you have been updating your other dependencies over time.
#protip
If your lawyer, doctor, or therapist has an Amazon Echo or other voice device in their office, tell them they need to remove it or you will be taking your business elsewhere.
For Apache Log4j remediation priority it seems the best approach right now is:
1. log4j 2.x through 2.14 - update to 2.16
2. log4j 1.x - update to 2.16
3. log4j 2.15 - update to 2.16
Tonight Pres. Biden mentioned cybersecurity twice. Once as a career a student can learn at a community college (potentially for free) and once as an example of a global challenge where the U.S. can’t go it alone. This bodes well for a more secure digital world.
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.
"We [Facebook] also describe our in-house BGP software implementation, and its testing and deployment pipelines. These allow us to treat BGP like any other software component, enabling fast incremental updates."
Going through TSA tonight I got randomly flagged for an electronics inspection. Seeing the stickers on my laptop the agent asked if this was my college laptop. I didn’t have the guts to tell him they didn’t have laptops when I graduated college.
“But the [Luxor] beam has also become a magnet for grasshoppers, which experts say could linger in Las Vegas for weeks.” The Luxor is next to the Black Hat conference hotel. This is not the bug bounty I was expecting.
I first learned hacking from underground BBSs. Banning demos/info from mainstream services will harm security. One of my earliest hacker lessons is all cybersecurity info is dual use. Let's stop pretending learning about attacks is harmful.
Not the best way to open an email to a security person.
"Chris,
I would like to introduce you to XXXX, the premier global solution for non-hackable, completely secure and authentic long term data storage."
On Sunday, it will be 25 years since day was registered. was a homebrew 486 33MHz running a Slackware distribution of Linux 1.0 on a 28.8K dialup line to . The machine also ran mail and routed our class C.
27-year-old invoice for @L0phtHeavyInd 56 kbps dedicated line which ran our website and gave our LAN internet access. We eventually stepped up to 128 kbps ISDN as we sold more shell accounts, t-shirts and archive CDs.
Imagine if election security hadn't improved in the last 4 years and instead of the current 95% paper ballots we were back at 82% like in 2016. Our democracy depends on secure elections. Thank you to all the patriots who defended and continue to defend our elections.
Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has assaulted the security researcher who disclosed the vulnerability at the ICE conference in London.
Today is the 25th anniversary of my testimony to the U.S. Senate as part of a group of 7 hackers from the L0pht. The hearings were titled, "Weak Computer Security in Government: Is the Public at Risk?" (cont)
What was the very first cybersecurity task you remember doing? For me it was turning off services in /etc/inetd.conf to harden a default Linux install.
How much is my PiHole costing them? Can simple network blocking evaporate 10s of $billions? Is it really this easy to gain privacy and destroy value?
*New*: @Apple’s privacy settings caused an estimated $9.85bn of revenues to evaporate in the second half of this year at @Snap, @Facebook, @Twitter and @YouTube, as their advertising businesses were shaken by the new rules
Average impact on revenue: -12%
*Thread*
There will be an AI Village at @defcon and many AI players (Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI) are bringing their models to be hacked.
Hey U.S. govt. look here! "The Swiss government has issued a 150,000 Swiss franc (US$149,790) challenge to online hackers; break into our new generation electronic voting system and we'll reward you."
"Computer scientists from Stanford University have found that programmers who accept help from AI tools like Github Copilot produce less secure code than those who fly solo."
Looks like there will be a market for AI vuln remediation!
The Colonial Pipeline shutdown is a good example of why we need a CyberNTSB. If a criminal group can shut down 45% of the east coast's fuel supply we all have a right to know how this happened and how it should be prevented.
A response to ISIS required a new kind of warfare, and so the NSA and U.S. Cyber Command created a secret task force, a special mission, and an operation that would become one of the largest and longest offensive cyber operations in U.S. military history.
Yes those 1981 Hayes Modem Command set AT commands. "including the ability to enable USB debugging, bypass Android security controls, exfiltrate sensitive information, perform screen unlocks, reflash device firmware, and inject touch events solely through the use of AT commands."
Who remembers reading newspaper articles on microfiche? We had a portable unit at the L0pht bought at the MIT flea market. Then we found DEC manuals on microfiche. Such cool tech.
I see the following advice over and over.
Enable 2FA for any sensitive accounts
I don't think people understand how difficult and expensive this is to do (and enforce) across any business with thousands of employees and 100+ SaaS applications.
Don't fear the tool. Fear the vulns. Police are alerting on @flipper_zero's potential for bypassing access control systems. I wouldn't call it a bypass. These are systems *missing* access control and relying solely on security by obscurity.
Re: log4j 2.17.1. Wherever RCE or “arbitrary code execution” is mentioned it needs to be qualified with “where an attacker with permission to modify the logging configuration file” or you are overhyping this vuln. This is how you ruin relationships with dev teams.
“the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom that web server persists and can reinstall Zoom without your intervention.”