Mostly Security

Jon does more bee stuff, and Eric releases a new version of Cast/Snip. Moare Farcebook password woes, McAfee partners with the University of Guelph, and unlocking laptops with faces is suspect. 1 in 4 people purposefully ignore security rules, identity theft sites can look good on the surface, and an iOS Chrome bug that lets malvertising run amok. For fun, Microsoft may remove password expiration as defaults, software hardware keys exist, bees survive Notre Dame fire, and Libby is still awesome. 0:00 - Intro 2:02 - New Version of Cast/Snip 3:40 - Instagram Passwords Logged 4:57 - McAfee partners with University of Guelph 6:25 - Fields of Blueberries (swarming bees) 7:57 - Kids + Pamphlets 10:27 - 1 in 4 Ignore Security Guidelines 18:29 - Phishing for Identity Theft 23:00 - Let's Encrypt Root Certificate 24:19 - Easter Chrome Attack 31:41 - Sane(r) Password Guidance 32:50 - Software Hardware Key 35:51 - Bees Survive Notre Dame Fire 36:54 - Libby is Still Awesome  

Jon modifies a rootbeer request while Eric watches a movie by himself and Jon wires up a solar panel. Breaking: The internet needs to relax. Next: Ask yourself, who's tracking your child? Then: Apple makes nice with Qualcomm. Intermission: StackOverflow Developer Survey notes. Later: Father-Son Fire Fun. Coming soon: Space Billboards. Finally: Zork! 0:00 - Intro 4:34 - It's Alive! 6:40 - Let it go... 8:10 - The S in IoT is for Security 15:22 - Apple makes nice with Qualcomm 22:22 - StackOverflow Survey 36:15 - Fire Wall 40:08 - Space Billboard 42:00 - Zork!  

Eric returns from California with head full of Google kool-aid and ears full of Gwen Stefani. Eero acquisition wasn't all roses, Facebook mobile SDK sends lots of data to Facebook, and a robo voice mailer data breach. Jon talks about training Alexa, and Eric wants the world to know and avoid stalkerware. For fun, we of course have pics of a BLACK HOLE. Also "Hacker" "News." 0:00 - Intro 0:49 - Google Cloud Next 7:11 - Eero Acquisition 10:50 - Privacy International on Facebook SDK 17:25 - Stratics Data Leak 23:52 - Alexa is Listening 28:58 - Against Stalkerware 31:57 - Motherboard on Stalkerware 33:05 - Pics or it's not a Black Hole 34:25 - Katie Bouman, Superstar 36:27 - The Schwarzschild Radius 36:56 - Suspected Burglar 37:54 - "Hacker" "News"  

Eric misses Chicago and ends up in Texas eating a tomahawk. Water is still wet (aka Facebook data leak in the news again). Jon follows up with some ASUS/Shadowhammer info (then his cat chimes). Robocalls are bad. Java is now bad - or at least the unlicensed version is. Eric and Jon reminisce about Java. NuGet package signing info and heat moving at the speed of sound. Finally, something different. Jon talks about bees. 0:00 - Intro 2:27 - Tomahawk Steak 3:43 - Water is Still Wet 6:38 - ASUS Hack 8:17 - Jon's cat chimes in... 10:25 - Shadowhammer Targets 13:16 - Robocalls Bad 15:25 - Caller ID Auth Good 17:03 - STIR/SHAKEN 21:38 - Java License Extortion 24:40 - The Java Reminisce 30:22 - NuGet Package Signing 38:49 - Heat moves at speed of sound 43:03 - Bee Video  

Cedric Cochin joins the podcast while Eric is on Spring Break. Norsk is still recovering from ransomware and Apple's News+ service is strangely open. ASUS distributed hundreds of thousands of malicious, signed updates, and heart implants that are vulnerable to attack. Cedric's vacuum cleaner is too smart, and Jon appreciates a fossil find in China. 0:00 - Intro, Welcome Cedric 2:24 - Norsk Recovering 7:08 - Apple News+ 11:21 - Herd Immunity 12:09 - ASUS Malicious Updates (Shadowhammer) 20:16 - Heart Implants Remotely Controllable 24:47 - Falsifying Patient Vitals 29:25 - Too Smart Vacuum 33:30 - Spectacular Fossils  

Cast/Snip is live. Jon corrects the record on SHA. Phone numbers are horrible identity proofs. Most AntiVirus for Android is garbage. Aluminum Ransomware. Mirai is not dead yet. Eric rides into Quantum Country. Jon sneaks a peek at an original iPhone prototype. 0:00 - Intro 0:10 - Cast/Snip is Live 1:33 - SHA is a hashing algorithm 4:40 - Phone Numbers Stink 12:47 - AV for Android Mostly Stinks 16:16 - Commodity Ransomware 24:18 - Mirai is not Dead Yet 29:24 - Quantum Country 33:19 - Apple M68  

Eric's app (Cast/Snip) is launching soon, and Libby is awesome. Marriott discloses much more information about the previous Starwood breach, and Amazon has their own Project Zero. Microsoft releases a Windows 7 patch to add SHA-256 support, and Jon spends 15 minutes talking about serverless and serverless vulnerabilities. For fun we have potential dinosaurs, quantum mechanics turning back time, and new synthetic DNA pairs. Scientific fun FTW. 0:00 - Intro 0:33 - Cast/Snip 4:27 - Libby is Awesome 5:20 - Starwood Details 9:51 - Amazon Project Zero 14:05 - Windows 7 Signature Update 17:52 - Windows 7 Market Share 21:56 - Serverless Architecture 28:16 - 12 Serverless Risks 31:00 - Little Bobby Tables 36:48 - Making Dinosaurs 37:23 - Jeff Goldblum's Response 38:09 - Quantum Time Reversal 41:26 - 4 New DNA Letters  

Jon's gonna catch himself some bees. Eric's trying to avoid getting sick. Facebook - uh, is still Facebook and there's still no cryptocurrency to be found. The NSA open sources a reverse engineering tool and, not to be outdone, Microsoft open sources a calculator. Your Chrome browser should have updated by now. McAfee gets a live look at servers used by North Korean Hackers. Jon pokes at a Drupal hack and a MongoDB leak - and then geeks about mice with infrared vision. Eric admires the Dangerously Funny. 0:00 - Intro 5:49 - Facebook 2FA Phone Shenanigans 7:28 - Facebook on Privacy? 8:50 - More Cryptocurrency Woes 9:51 - NSA - GHIDRA 11:11 - Windows Calculator 11:42 - Update Chrome! 13:19 - North Korean Hackers 14:55 - Video: North Korean Hackers 16:51 - Drupal Hack 24:15 - Caller ID App Ooops 28:40 - Mice with Infrared Vision 32:20 - Once Upon a Mattress 34:50 - Dangerously Funny

Jon is back from Arizona and Eric's playing seamster. Another cryptocurrency heist, another Ring vulnerability, how to abuse (web) Service Workers, and a hardware attack at bare metal clouds. For fun, both the NSA and Eric are on GitHub, and Jon had a good time at Biosphere2 and Taliesin West. 0:00 - Intro 0:53 - Suspicious White Powder 4:38 - More Cryptocurrency Fun 9:22 - Ring Doorbell Interception 19:17 - Abusing Service Workers 25:51 - Baremetal Cloud Firmware Attack 33:41 - NSA on GitHub 35:03 - MacWiFiChecker 37:13 - Biosphere #2 43:22 - Taliesin West  

Jon is out, Peter is in. A listener has a question about using consumer devices at work - we kinda-sorta answered it. Followup on Facebook, Apple, Amazon Eero and Nike AirBricks. Eric likes PASTA (but can't figure out where the last A came from). Peter details Google's Ad Blocking changes. Eric finds out where he lived 750 million years ago and Peter loves a digital library. Intro (Reminder, Javascript != Python) Send us Questions! Enterprise Certs, Part X+1 Enterprise Certs, Part XXX The $1 Bet The Nike Air Bricks Toyota PASTA Google Chrome and Ad Blockers 750 Million Years Ago Libby the Library App  

Follow-up galore: Ubiquiti, Android transcription, the FaceTime bug, and USB-C encryption. MacOS needs a bounty program, Eero gets bought by Amazon, patch Tuesday fun, and using Mono to bypass Mac security. We remember Opportunity and recommend watching the Cassini episode of 7 Days Out. Intro Ubiquiti Homework Android Live Transcribe FaceTime Bounty Default Root Keys Mac Bounty Program Amazon Acquires Eero Eero + Alexa Patch Tuesday Mono on Mac Farewell Opportunity 7 Days Out  

Eric has an app for taking snips of podcasts, Facebook gets their certs back and still TBD on the curious case of the Cryptocurrency Exchange CEO. Jon gets personal with a Ubiquiti bug while GoDaddy either has or doesn't have a bug - it isn't clear - but No More Ransom gets a call out, so whatevs. Eric has only one something fun while Jon has two. Again. Hotel Room Intro Eric's Cast/Snip App Facebook's Certs are Back Schrödinger's CEO Jon's Ubiquiti Bug GoDaddy's Spammy Bear Raspberry's Pi Issues AI's 3D Printing Google's Live Transcribe

Eric has a new mic, and Jon's bees are still alive. The Chromecast hackers were kids, shutdown fallout, and Japan takes a bold step in "hacking" its citizens. A huge FaceTime bug followed by YAFS (Yet Another Facebook Scandal) -- this time involving side loading an app to snoop on teenagers. What secrets does an old Smart Lightbulb hold, and another WiFi Chipset vulnerability. For fun: the Portland Auto Show, how old joysticks used to work, and a possible cause for Alzheimers. Intro More about Bees Chromecast Hackers Quit Internet Did Hackers Exploit Shutdown Japanese Government Hacking IoT Devices Facetime Group Chat Bug Facebook "Research" Smart Lightbulb Disposal WiFi Chipset Vulnerability Portland Auto Show DOS Joystick Hell A Cause for Alzheimers  

Raj Samani, one of the founders of nomoreransom.org and the head of McAfee's Advanced Threat Research team joins the show. Eric confuses JavaScript and Python. Jon and Raj discuss statistical probabilities. Why do you ransom Cryptocurrency Miners? Because that's where the Bitcoin is. Raj reports on a new ransomware family. Eric likes fonts. Jon likes old sound cards. Raj is going to get his sneakers hacked. Intro Eric makes a mistake DNS Infrastructure Tampering Airport Security Sidebar... DNS Hijacking Campaign Miner Ransomware New Ransomware: Anatova Programming Fonts Sound Blaster 1.0 Nike Self Lacing Shoes Raj Samani on Twitter Podcast: Komrade Cyber

Jon scares security guards, Eric teaches Python, and we have an open slack invite on mostlysecurity.com. The Ring article from last week never got much traction, beware the Facebook challenge, ancient vulnerabilities unearthed, and Troy Hunt loads another massive breach into HIBP. Eric's going to build a Pi calendar, measuring programming language efficiencies, and what are Fourier transforms anyway? Intro Join Our Slack If you Want... Ring Videos 10 Year Challenge SCP Client Vulnerabilities 773 Million Breached Records Pi Family Calendar Language Energy Efficiency Fourier Transforms  

Hi, Canada! Where is the Krusty Krab anyway? Carriers are still kinda awful. More Android phones fail the Face Test. Crashcast Part 2. The Promiscuity of Ring Security Cameras. Eric reads from his Spam Folder. Jon questions data anonymization and learns something about IRSF. Eric can't wait for the iPhone YubiKey. Jon gets punk'd from '96. Intro (Hi, Canada!) Eric's Krusty Krab Konundrum Carriers are still kinda awful Followup: More Android #FaceFail Followup: Crashcast is Easy Amazon Ring Security? Cameras Don't fall for the scam There is no Anonymous Data International Revenue Share Fraud YubiKey for iPhones! Circuit Evolution Is this the Krusty Krab?  

Eric and Jon celebrate the new year in style (not). Weeding out Craigslist ads and Jon wants a Prusa 3d printer. USB-C gets authentication (and a rant from us) and remotely playing videos on Chromecast devices. For fun: millitext, the origins of BASIC, and China lands a rover on the Dark Side of the Moon. Intro Prusa i3 MK3 USB-C Authentication ChromeOS blocks USB when Locked Chromecast Hack Millitext Origins of BASIC China Lands Moon Rover  

Christmas Skiing, Drone Crashing, and Fake Glitter Bombs. Eric rants (politely) about passwords (again) and Jon talks Hot Tubs and Cryptocurrencies... (What?) Play a game and learn VIM at the same time - and, just FYI, IPv6 is a lot of address space. Intro #DroneCrashmas Partially Faked Glitter Bomb Never reveal your password Hot Tub Hacking More Bitcoin Thievery VIM Adventures Merry IPv6 Christmas!  

Jon (maybe?) saves his bees, Beaverton schools on lockdown, glitter bombs, and cryptojacking on the rise. SMS is weak 2FA, FaceId on Android easily fooled, steganography is real, CenturyLink behaves unethically, and Microsoft adds a Windows sandbox. Eric likes terrible maps and Jon watches more YouTube. Intro Winterizing Bee Hives Beaverton School Lockdown Glitter Bomb Cryptojacking on the Rise Bypassing SMS 2FA At Scale Fooling FaceID Malware Commands in Images Free McAfee Steganography Tool CenturyLink Forces Ad Windows Adds Sandboxing Terrible Maps Frank Makes  

Eric's office nears completion, and Jon experiments with yogurt. Followup about the crypto crash and the Marriott breach. An Android trojan that skirts 2FA, malware on the high seas, and the biggest data breaches of 2018. Eric likes Amazon's honey packages (no bees included), and Jon likes a "unique" assembler project. Intro Yogurt Making Nvidia Stock Crash Ex-Starwood Executive Speaks Tricky Android Trojan Malware on Ships Top 21 Data Breaches of 2018 Grand Challenge Accepted Honey Packages Batch Assembly