Securit13 Podcast
The first Ukrainian podcast about information security

To mark the return and the start of the new autumn-winter 2017-2018 season, Andrey and Alisa briefly went through the latest news

Hacking of websites in the *.gov.ua domain zone and a mistake at CERT-UA https://goo.gl/A6kJve
4G/5G Wireless Networks as Vulnerable as WiFi and putting SmartCities at Risk http://securityaffairs.co/wordpress/64098/hacking/4g5g-wireless-networks-flaws.html
Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold https://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/
FIN7 hacking group is switched to new techniques to evade detection http://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html
VPN logs helped unmask alleged 'net stalker, say feds http://www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/
Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim http://www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/
Sri Lanka police arrest two men over cyber theft at the Taiwan Bank http://securityaffairs.co/wordpress/64034/cyber-crime/taiwan-bank-cyber-heist.html
Microsoft Cortana Can Now Read Your Skype Messages to Make Chat Smarter https://thehackernews.com/2017/10/cortana-for-skype.html
Warning: Millions Of P0rnHub Users Hit With Malvertising Attack https://thehackernews.com/2017/10/online-malvertising-attack.html
Disqus Hacked: More than 17.5 Million Users' Details Stolen in 2012 Breach https://thehackernews.com/2017/10/disqus-comment-system-hacked.html
The iPhone's Constant Password Popups Are a Hacker's Dream https://motherboard.vice.com/en_us/article/ne7gxz/ios-iphone-password-phishing-app-popups

Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Direct download: 87_1.mp3
Category:Technology -- posted at: 5:39pm CEST

Intro / Outro Finest Cockles by Blah Blah Blah http://freemusicarchive.org/music/Blah_Blah_Blah/MOONRAKER_5317_1904/Finest_Cockles

Interview with Maksim Tulyev about blocking and the future of the Ukrainian internet

Direct download: 83.mp3
Category:Technology -- posted at: 8:15am CEST

Intro / Outro I Do Believe I've Had Enough by Zephaniah And The 18 Wheelers http://freemusicarchive.org/music/Zephaniah_And_The_18_Wheelers/Live_On_WFMUs_Honky_Tonk_Radio_Girl_Program_with_Becky_11316/Zephaniah_And_The_18_Wheelers_02_I_Do_Believe_Ive_Had_Enough

Big 4 of the top security and privacy conferences: S&P ("Oakland"), NDSS, CCS and USENIX Security.

Science is not done in isolation; you need to learn from leading research and how it integrates with practice, understand its level, and show yourself. So, to whoever is first to publish a paper at these conferences with a Ukrainian affiliation, I can promise a "cognac" :)

The Network and Distributed System Security Symposium (NDSS) 2017 by Internet Society - http://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017

> From the keynote speech by J. Alex Halderman:
"Want to Know if the Election was Hacked? Look at the Ballots" - https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba
"Securing Digital Democracy" course - https://www.coursera.org/learn/digital-democracy
Video - https://www.youtube.com/watch?v=Snoo6CXiyWU&feature=youtu.be


> Web Security section:
"(Cross-)Browser Fingerprinting via OS and Hardware Level Features" by Yinzhi Cao et al. - https://www.internetsociety.org/doc/cross-browser-fingerprinting-os-and-hardware-level-features
Websites to test your browser and device fingerprint:
https://panopticlick.eff.org
https://amiunique.org
http://uniquemachine.org (now, cross-browser!)
"Fake Co-visitation Injection Attacks to Recommender Systems" by Guolei Yang et al. - https://www.internetsociety.org/doc/fake-co-visitation-injection-attacks-recommender-systems

> User Authentication section:
"Cracking Android Pattern Lock in Five Attempts" by Guixin Ye et al. - https://www.internetsociety.org/doc/cracking-android-pattern-lock-five-attempts
"Towards Implicit Visual Memory-Based Authentication" by  - https://www.internetsociety.org/doc/towards-implicit-visual-memory-based-authentication

> TLS et al. (several papers on Diffie-Hellman and more)
"The Security Impact of HTTPS Interception" by Zakir Durumeric et al. - https://www.internetsociety.org/doc/security-impact-https-interception
"WireGuard: Next Generation Kernel Network Tunnel" by Claude Castelluccia et al. - https://www.internetsociety.org/doc/wireguard-next-generation-kernel-network-tunnel  (by a single author, Jason Donenfeld!)
More on WireGuard:
https://fosdem.org/2017/schedule/event/wireguard/
https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-2016
https://www.wireguard.io

> On Tor:
"The Effect of DNS on Tor's Anonymity" by Benjamin Greschbach et al. - https://www.internetsociety.org/doc/e-effect-dns-tors-anonymity
"Avoiding The Man on the Wire: Improving Tor's Security with Trust-Aware Path Selection" by Aaron Johnson et al.  - https://www.internetsociety.org/doc/avoding-man-wire-improving-tors-security-trust-aware-path-selection  (more on proper path selection for Tor, possible attacks on Astoria).

> Malware:
"Dial One for Scam: A Large-Scale Analysis of Technical Support Scams" - our paper, which received the Distinguished Paper Award!
https://www.internetsociety.org/doc/dial-one-scam-large-scale-analysis-technical-support-scams
"MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models" by Enrico Mariconti et al. - https://www.internetsociety.org/doc/mamadroid-detecting-android-malware-building-markov-chains-behavioral-models
"A Broad View of the Ecosystem of Socially Engineered Exploit Documents" by Stevens Le Blond et al. - https://www.internetsociety.org/doc/broad-view-ecosystem-socially-engineered-exploit-documents (a lot of interesting research can be done on data from VirusTotal).

... and much more interesting works on SGX, virtualization, and binary reassembly, etc.

Plus, a DNS Privacy Workshop program - https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme

Direct download: 82.mp3
Category:Technology -- posted at: 8:13am CEST

Intro / Outro Semme Automatic Stay the Course https://www.jamendo.com/track/1421989/stay-the-course

00:00:34 Rumors about internet blocking BEFORE the official blocking
00:04:52 Let's talk about phishing
00:07:40 Google Docs users hit with sophisticated phishing attack https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam
00:08:44 Recruiters considered really harmful: Devs on GitHub hit with booby-trapped fake job emails https://www.theregister.co.uk/2017/03/30/github_devs_malware_mails/
00:09:47 Got a letter from the tax office?
00:11:08 __blank в Edge
Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit https://www.scmagazine.com/researcher-pwns-charles-darwin-to-demonstrate-microsoft-edge-exploit/article/652807/
00:13:16 Phishing protection from the British tax authority
00:14:27 https://en.wikipedia.org/wiki/Phishing
00:24:45 In Ternopil, a man opened an ATM in a shopping mall in front of witnesses and stole half a million from it (video) https://www.unian.net/incidents/1893219-v-ternopole-v-torgovom-torgovom-tsentre-mujchina-pri-svidetelyah-otkryil-bankomat-i-pohitil-ottuda-polmilliona-video.html
00:29:06 Prevent & report phishing attacks https://support.google.com/websearch/answer/106318?hl=en
00:31:53 Ukraine's Cyberpolice helped take down the Avalanche cyber network, which had been used since 2009 to distribute malware, spam and phishing - ITC.ua http://itc.ua/news/kiberpolitsiya-ukrainyi-likvidirovali-kiberset-avalansh-avalanche-kotoraya-s-2009-goda-ispolzovalas-dlya-rasprostraneniya-vredonosnyih-programm-i-spama-a-takzhe-fishinga-i-otmyivaniya-deneg/

Direct download: 81.mp3
Category:Technology -- posted at: 12:28am CEST

Intro / Outro Lady We Knew by Cullah http://freemusicarchive.org/music/MC_Cullah/Cullahmity/03_-_Lady_We_Knew
Hackers Can Easily Hijack This Dildo Camera and Livestream the Inside of Your Vagina (Or Butt) https://motherboard.vice.com/en_us/article/camera-dildo-svakom-siime-eye-hacked-livestream?utm_source=mbtwitter
Teampass http://teampass.net/
Squid: Optimising Web Delivery http://www.squid-cache.org/
SNORT https://www.snort.org/
Suricata https://suricata-ids.org/
pfSense https://www.pfsense.org/
Life and death for Windows: Vista support ends as Creators Update starts to roll out https://www.geekwire.com/2017/microsoft-makes-april-11-a-day-of-life-and-death-for-versions-of-windows-and-office/

Direct download: 80.mp3
Category:Technology -- posted at: 8:05pm CEST

Intro / Outro Just Wait by Drake Stafford http://freemusicarchive.org/music/Drake_Stafford/SUNDAY/JUST_WAIT_-_DRAKE_STAFFORD
Identity management system https://en.wikipedia.org/wiki/Identity_management_systems
Dashlane https://www.dashlane.com
TeamPass http://teampass.net/
Microsoft built a special government-approved version of Windows 10 for China https://thenextweb.com/microsoft/2016/03/28/microsoft-windows-10-china/

Direct download: 79.mp3
Category:Technology -- posted at: 1:55am CEST

Intro / Outro StrangeZero - Burnin Star  https://www.jamendo.com/track/1378740/burnin-star
00:03:12 Vault 7: CIA Hacking Tools Revealed https://wikileaks.org/ciav7p1/
Vault 7 Megathread - Technical Analysis & Commentary of the CIA Hacking Tools Leak https://www.reddit.com/r/netsec/comments/5y1pag/vault_7_megathread_technical_analysis_commentary/
00:06:10 Interview with Eugene Pilyankevich. You can reach Eugene by e-mail at eugene@cossacklabs.com or on Twitter @9gunpi
Acra https://www.cossacklabs.com/acra/
Work Rules!: Insights from Inside Google That Will Transform How You Live and Lead https://www.amazon.com/Work-Rules-Insights-Inside-Transform/dp/1455554790/ref=asap_bc?ie=UTF8
A Graduate Course in Applied Cryptography https://crypto.stanford.edu/~dabo/cryptobook/

Direct download: 78.mp3
Category:Technology -- posted at: 1:19pm CEST

Intro / Outro Brady Harris  - Welcome Me Back https://www.jamendo.com/track/1381589/welcome-me-back
00:01:24 Incident report on memory leak caused by Cloudflare parser bug https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Pragmatic thoughts on #CloudBleed https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
00:11:14 We have broken SHA-1 in practice http://shattered.io/
00:19:26 KasperskyOS 11-11: a unique operating system has been developed in Russia https://hi-tech.mail.ru/news/kaspersky-os-11-11/
00:23:15 Microsoft forced to issue emergency Flash fix after delaying Windows patches http://www.theverge.com/2017/2/22/14696358/microsoft-security-fix-adobe-flash-february-2017-patch-tuesday
00:30:08 China just made VPNs illegal https://www.engadget.com/2017/01/23/china-vpn-illegal-internet-censorship-government-approval/
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf
00:35:14 Security experts now warn AGAINST changing online passwords often as it leaves Brits vulnerable to hackers https://www.thesun.co.uk/news/2865824/security-experts-now-warn-against-changing-online-passwords-often-as-it-leaves-brits-vulnerable-to-hackers/

Direct download: 77.mp3
Category:Technology -- posted at: 5:19pm CEST

Intro / Outro DDmyzik- Gypsy Swing https://www.jamendo.com/track/1369034/gypsy-swing
 
On the future of Astoria, the Tor client Cipollino:
 
The full paper on Technical Support Scams:
(you can learn about the lab's other projects at http://pragsec.com)
 
The full paper about web shells:
and some map visualizations can be found here:
 
On PrivacyMeter:
 
On browser extensions:
1) Our study "Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions"
- will appear in a few days at http://www.cyber-investigator.org/about/
2) WOT extension:
3) Other spying extensions:
 
Detecting browser extensions:
1) https://extensions.inrialpes.fr (based on web accessible resources)
2) Our study on fingerprinting browser extensions based on their functional side effects and on-page changes
- will appear soon at http://www.cyber-investigator.org/about/
 
Entertaining services for learning:
 
Books on algorithms:
Knuth and Cormen
Sedgewick R. Fundamental Algorithms in C++
 
Getting into philosophy:
 
By the way, specifically regarding Facebook and Tor:
facebookcorewwwi.onion
 
And for extracurricular reading, the much-talked-about piece on "data science" and "big data" regarding "personalized/targeted agitation" :)
Direct download: 76.mp3
Category:Technology -- posted at: 8:17pm CEST

Intro / Outro Muciojad - Before I sleep https://www.jamendo.com/track/1406716/before-i-sleep
00:00:44 Best company name ever! Share capital £1, name priceless… https://nakedsecurity.sophos.com/2017/01/06/best-company-name-ever-share-capital-1-name-priceless/
00:04:07 Bug Bounty anniversary promotion: bigger bounties in January and February https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february
00:05:13 A bit of history on vulnerability disclosure
Disclosing vulnerabilities to protect users https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
Charlie Miller and Apple. iPhone Security Bug Lets Innocent-Looking Apps Go Bad http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/#5fd06fe62336
Legal woes http://martin.swende.se/blog/IP-issues.html
Fatal flaw found in PricewaterhouseCoopers SAP security software http://www.theregister.co.uk/2016/12/09/fatal_flaw_in_pricewaterhousecoopers_sap_software/ 
00:29:23 MongoDB hackers now sacking ElasticSearch http://www.theregister.co.uk/2017/01/13/elasticsearch_mongodb/
00:30:46 WordPress plugs eight holes in latest release http://www.theregister.co.uk/2017/01/13/wordpress_plugs_eight_holes_in_latest_release/
00:31:17 Peace-sign selfie fools menaced by fingerprint-harvesting tech http://www.theregister.co.uk/2017/01/12/fingerprint_photographs/
00:32:21 We already have a contender for the "Best PR Description" award for 2017 https://github.com/rapid7/metasploit-framework/pull/7815
00:33:20 ISC squishes BIND packet-of-death bugs http://www.theregister.co.uk/2017/01/13/isc_fixes_bind_denialofservice_vuls/
00:34:01 Docker swings door shut on privilege escalation bug http://www.theregister.co.uk/2017/01/12/docker_container_escape_vuln_patched/
00:34:23 GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug http://www.theregister.co.uk/2017/01/11/godaddy_pulls_unvalidated_digital_certs/
00:34:45 Who is Anna-Senpai, the Mirai Worm Author? https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
00:35:23 Windows 10 anniversary update: Security and privacy, hope and change? http://www.welivesecurity.com/2017/01/12/windows-10-anniversary-update-security-privacy/

Direct download: 75.mp3
Category:Technology -- posted at: 3:24pm CEST