Securit13 Podcast
The first Ukrainian podcast about information security

We decided to look back at the biggest events of the year that is almost over. Join us!

Incident report on memory leak caused by Cloudflare parser bug https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Vault 7: CIA Hacking Tools Revealed https://wikileaks.org/ciav7p1/
NSA-leaking Shadow Brokers just dumped its most damaging release yet https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/
New ransomware, old techniques: Petya adds worm capabilities https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
The MeDoc Connection http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
Threat Spotlight: Follow the Bad Rabbit http://blog.talosintelligence.com/2017/10/bad-rabbit.html
Equifax website hack exposes data for ~143 million US consumers https://arstechnica.com/information-technology/2017/09/equifax-website-hack-exposes-data-for-143-million-us-consumers/
We have broken SHA-1 in practice http://shattered.io/
ROCA: Vulnerable RSA Key Generation https://blog.rapid7.com/2017/10/25/roca-vulnerable-rsa-key-generation/
KRACK Attacks: Breaking WPA2 https://www.krackattacks.com/
Hackers Can Easily Hijack This Dildo Camera and Livestream the Inside of Your Vagina (Or Butt) https://motherboard.vice.com/en_us/article/53847a/camera-dildo-svakom-siime-eye-hacked-livestream
MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more. https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
Why 'blank' Gets You Root https://objective-see.com/blog/blog_0x24.html
Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask' https://www.theregister.co.uk/2017/11/13/iphone_x_face_id/
Blocking of web resources in Ukraine
The Ministry of Education and Science instructed universities not to use sites on the “.ru” and “.ру” domains http://life.pravda.com.ua/society/2017/12/29/228234/
The Ministry of Information Policy will publish additions to the list of banned sites http://www.pravda.com.ua/news/2017/12/29/7167028/
#FuckResponsibleDisclosure Sean Brian Townsend https://www.facebook.com/ruheight
https://informnapalm.org/uca/
http://usa.mfa.gov.ua/ua/consular-affairs/services/passport


Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Direct download: 91.mp3
Category:Technology -- posted at: 8:06pm CET

The biggest news of recent weeks. An amazing apple, #FuckResponsibleDisclosure, an updated promise from John, and something else. Don't miss it!

00:00:58 #FuckResponsibleDisclosure Sean Brian Townsend https://www.facebook.com/ruheight
https://informnapalm.org/uca/
http://usa.mfa.gov.ua/ua/consular-affairs/services/passport
00:07:26 Apple and all, all, all
Why 'blank' Gets You Root https://objective-see.com/blog/blog_0x24.html
As Apple fixes macOS root password hole, here's what went wrong http://www.theregister.co.uk/2017/11/29/apple_macos_high_sierra_root_bug_patch/
https://forums.developer.apple.com/thread/79235
https://twitter.com/fristle/status/935670476214378496
Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1 https://support.apple.com/en-us/HT208317
MACOS UPDATE ACCIDENTALLY UNDOES APPLE'S "ROOT" BUG PATCH https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/
Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask' https://www.theregister.co.uk/2017/11/13/iphone_x_face_id/
Zero-day iOS HomeKit vulnerability allowed remote access to smart accessories including locks, fix rolling out https://9to5mac.com/2017/12/07/homekit-vulnerability/
00:12:50 John McAfee https://twitter.com/officialmcafee/status/935900326007328768/photo/1
Bitcoin Miner NiceHash Hacked, Possibly Losing $62 Million in Bitcoin https://www.darkreading.com/cloud/bitcoin-miner-nicehash-hacked-possibly-losing-$62-million-in-bitcoin/d/d-id/1330585
The website of blockchain project Confido is down: all of the project team's profiles turned out to be fake https://forklog.com/sajt-blokchejn-proekta-confido-nedostupen-vse-profili-komandy-proekta-okazalis-poddelnymi/
00:15:17 CVE-2017-11937 | Microsoft releases an emergency update to fix a flaw in Malware Protection Engine http://securityaffairs.co/wordpress/66475/hacking/cve-2017-11937-malware-protection-engine.html
00:17:49 Uber Paid Hackers to Delete Stolen Data on 57 Million People https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
00:18:28 Intel Management Engine pwned by buffer overflow https://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/
00:18:52 Thousands of WordPress sites infected with a Keylogger and cryptocurrency miner scripts http://securityaffairs.co/wordpress/66432/hacking/keylogger.html
Websites use your CPU to mine cryptocurrency even when you close your browser https://arstechnica.com/information-technology/2017/11/sneakier-more-persistent-drive-by-cryptomining-comes-to-a-browser-near-you/
00:19:09 Android flaw lets attack code slip into signed apps https://www.theregister.co.uk/2017/12/08/android_flaw_lets_attack_code_slip_into_signed_apps/
00:19:24 Mailsploit: It's 2017, and you can spoof the 'from' in email to fool filters http://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/

Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Direct download: 90_1.mp3
Category:Technology -- posted at: 12:20pm CET

A few of the biggest news stories of recent weeks for your feed. There's a rabbit, and Alisa, and sweet bedtime stories.

ROCA: Vulnerable RSA Key Generation https://blog.rapid7.com/2017/10/25/roca-vulnerable-rsa-key-generation/
Certificate expiry monitoring, KeyChest for HTTPS, TLS, Letsencrypt expiry and server status https://keychest.net/roca
Estonia government locks down ID smartcards: Refresh or else https://www.theregister.co.uk/2017/11/03/estonian_e_id_lockdown/
Threat Spotlight: Follow the Bad Rabbit http://blog.talosintelligence.com/2017/10/bad-rabbit.html
BadRabbit Technical Analysis https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis
Bad Rabbit: Not-Petya is back with improved ransomware https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
The Shadow Internet – Comae Technologies https://blog.comae.io/the-shadow-internet-d42b7195a118
Fake WhatsApp app in official Google Play Store downloaded by over a million Android users http://securityaffairs.co/wordpress/65159/malware/fake-whatsapp-app.html
Tor Project fixed TorMoil, a critical Tor Browser flaw that can leak users IP Address http://securityaffairs.co/wordpress/65168/hacking/tor-tormoil-vulnerability.html
Oracle Security Alert CVE-2017-10151 http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html
Dangerous liaisons https://securelist.com/dangerous-liaisons/82803/
Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe http://www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/

 

Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Direct download: 89_1.mp3
Category:Technology -- posted at: 9:06pm CET

Once again, instead of 300 seconds, our restless hosts discuss news and events. Join us!

A new Mirai-Like IoT Botnet is growing in a new mysterious campaign http://securityaffairs.co/wordpress/64565/malware/new-iot-botnet-growing.html
Google launched Google Play Security Reward bug bounty program to protect apps in Play Store http://securityaffairs.co/wordpress/64545/mobile-2/google-play-security-reward.html
Equifax website borked again, this time to redirect to fake Flash update https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/?amp=1
New Ransomware Not Just Encrypts Your Android But Also Changes PIN Lock https://thehackernews.com/2017/10/android-ransomware-pin.html
PUBLIC SECURITY ALERT: New Facebook attack - watch out for phishy messages that say you’re a “Trusted Contact” - Access Now https://www.accessnow.org/public-security-alert-new-facebook-attack/
KRACK Attacks: Breaking WPA2 https://www.krackattacks.com/
YouTube sin-bins account of KRACK WPA2 researcher https://www.theregister.co.uk/2017/10/19/youtube_krack_down/
Malware hidden in vid app is so nasty, victims should wipe their Macs https://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/

Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Direct download: 88_1.mp3
Category:Technology -- posted at: 8:46am CET

Intro / Outro Art Of Escapism - The Sands of Windhoek http://freemusicarchive.org/music/Artofescapism/Midnight_Caravan/The_Sands_of_Windhoek

With the growing number of attacks on the software supply chain, including software updates, our hosts Andrey, Alisa, Alexey and Taras decided to figure out what it is and what to make of it, look at examples and variants, and consider possible ways to defend against and prevent such attacks.

Supply chain https://en.wikipedia.org/wiki/Supply_chain
What Is a 'Supply Chain Attack?' https://motherboard.vice.com/en_us/article/d3y48v/what-is-a-supply-chain-attack
CCleanup: A Vast Number of Machines at Risk http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Java security plagued by crappy docs, complex APIs, bad advice https://www.theregister.co.uk/2017/09/29/java_security_plagued_stack_overflow/
Apple Mac fans told: Something smells EFI in your firmware https://www.theregister.co.uk/2017/09/29/mac_firmware_insecurity/
Reflections on Trusting Trust https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Direct download: 87_2.mp3
Category:Technology -- posted at: 4:38pm CET

To mark the return and the start of the new autumn-winter 2017-2018 season, Andrey and Alisa briefly went through the latest news.

Hack of sites in the *.gov.ua domain zone and a mistake at CERT-UA https://goo.gl/A6kJve
4G/5G Wireless Networks as Vulnerable as WiFi and putting SmartCities at Risk http://securityaffairs.co/wordpress/64098/hacking/4g5g-wireless-networks-flaws.html
Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold https://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/
FIN7 hacking group is switched to new techniques to evade detection http://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html
VPN logs helped unmask alleged 'net stalker, say feds http://www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/
Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim http://www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/
Sri Lanka police arrest two men over cyber theft at the Taiwan Bank http://securityaffairs.co/wordpress/64034/cyber-crime/taiwan-bank-cyber-heist.html
Microsoft Cortana Can Now Read Your Skype Messages to Make Chat Smarter https://thehackernews.com/2017/10/cortana-for-skype.html
Warning: Millions Of P0rnHub Users Hit With Malvertising Attack https://thehackernews.com/2017/10/online-malvertising-attack.html
Disqus Hacked: More than 17.5 Million Users' Details Stolen in 2012 Breach https://thehackernews.com/2017/10/disqus-comment-system-hacked.html
The iPhone's Constant Password Popups Are a Hacker's Dream https://motherboard.vice.com/en_us/article/ne7gxz/ios-iphone-password-phishing-app-popups

Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Direct download: 87_1.mp3
Category:Technology -- posted at: 5:39pm CET

Intro / Outro Finest Cockles by Blah Blah Blah http://freemusicarchive.org/music/Blah_Blah_Blah/MOONRAKER_5317_1904/Finest_Cockles

Interview with Maxim Tulyev about blocking and the future of the Ukrainian internet

Direct download: 83.mp3
Category:Technology -- posted at: 8:15am CET

Intro / Outro I Do Believe I've Had Enough by Zephaniah And The 18 Wheelers http://freemusicarchive.org/music/Zephaniah_And_The_18_Wheelers/Live_On_WFMUs_Honky_Tonk_Radio_Girl_Program_with_Becky_11316/Zephaniah_And_The_18_Wheelers_02_I_Do_Believe_Ive_Had_Enough

Big 4 of the top security and privacy conferences: S&P ("Oakland"), NDSS, CCS and USENIX Security.

Science is not done in isolation; you need to learn from leading research, see how it integrates with practice, understand its level, and show your own work. So, to whoever is first to publish a paper at these conferences with a Ukrainian affiliation, I can promise a "cognac" :)

The Network and Distributed System Security Symposium (NDSS) 2017 by Internet Society - http://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017

> From the keynote speech by J. Alex Halderman:
"Want to Know if the Election was Hacked? Look at the Ballots" - https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba
"Securing Digital Democracy" course - https://www.coursera.org/learn/digital-democracy
Video - https://www.youtube.com/watch?v=Snoo6CXiyWU&feature=youtu.be


> Web Security section:
"(Cross-)Browser Fingerprinting via OS and Hardware Level Features" by Yinzhi Cao et al. - https://www.internetsociety.org/doc/cross-browser-fingerprinting-os-and-hardware-level-features
Websites to test your browser and device fingerprint:
https://panopticlick.eff.org
https://amiunique.org
http://uniquemachine.org (now, cross-browser!)
"Fake Co-visitation Injection Attacks to Recommender Systems" by Guolei Yang et al. - https://www.internetsociety.org/doc/fake-co-visitation-injection-attacks-recommender-systems

> User Authentication section:
"Cracking Android Pattern Lock in Five Attempts" by Guixin Ye et al. - https://www.internetsociety.org/doc/cracking-android-pattern-lock-five-attempts
"Towards Implicit Visual Memory-Based Authentication" by  - https://www.internetsociety.org/doc/towards-implicit-visual-memory-based-authentication

> TLS et al. (several papers on Diffie-Hellman and more)
"The Security Impact of HTTPS Interception" by Zakir Durumeric et al. - https://www.internetsociety.org/doc/security-impact-https-interception
"WireGuard: Next Generation Kernel Network Tunnel" by Claude Castelluccia et al. - https://www.internetsociety.org/doc/wireguard-next-generation-kernel-network-tunnel  (by a single author, Jason Donenfeld!)
More on WireGuard:
https://fosdem.org/2017/schedule/event/wireguard/
https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-2016
https://www.wireguard.io

> On Tor:
"The Effect of DNS on Tor's Anonymity" by Benjamin Greschbach et al. - https://www.internetsociety.org/doc/e-effect-dns-tors-anonymity
"Avoiding The Man on the Wire: Improving Tor's Security with Trust-Aware Path Selection" by Aaron Johnson et al.  - https://www.internetsociety.org/doc/avoding-man-wire-improving-tors-security-trust-aware-path-selection  (more on proper path selection for Tor, possible attacks on Astoria).

> Malware:
"Dial One for Scam: A Large-Scale Analysis of Technical Support Scams" - our paper, which received the Distinguished Paper Award!
https://www.internetsociety.org/doc/dial-one-scam-large-scale-analysis-technical-support-scams
"MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models" by Enrico Mariconti et al. - https://www.internetsociety.org/doc/mamadroid-detecting-android-malware-building-markov-chains-behavioral-models
"A Broad View of the Ecosystem of Socially Engineered Exploit Documents" by Stevens Le Blond et al. - https://www.internetsociety.org/doc/broad-view-ecosystem-socially-engineered-exploit-documents (a lot of interesting research can be done based on data from VirusTotal).

... and much more interesting works on SGX, virtualization, and binary reassembly, etc.

Plus, a DNS Privacy Workshop program - https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme

Direct download: 82.mp3
Category:Technology -- posted at: 8:13am CET

Intro / Outro Semme Automatic Stay the Course https://www.jamendo.com/track/1421989/stay-the-course

00:00:34 Rumors about blocking on the internet BEFORE the official blocking
00:04:52 Let's talk about phishing
00:07:40 Google Docs users hit with sophisticated phishing attack https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam
00:08:44 Recruiters considered really harmful: Devs on GitHub hit with booby-trapped fake job emails https://www.theregister.co.uk/2017/03/30/github_devs_malware_mails/
00:09:47 Got a letter from the tax office?
00:11:08 __blank in Edge
Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit https://www.scmagazine.com/researcher-pwns-charles-darwin-to-demonstrate-microsoft-edge-exploit/article/652807/
00:13:16 Phishing protection from the British tax authority
00:14:27 https://en.wikipedia.org/wiki/Phishing
00:24:45 In a Ternopil shopping mall, a man opened an ATM in front of witnesses and stole half a million from it (video) https://www.unian.net/incidents/1893219-v-ternopole-v-torgovom-torgovom-tsentre-mujchina-pri-svidetelyah-otkryil-bankomat-i-pohitil-ottuda-polmilliona-video.html
00:29:06 Prevent & report phishing attacks https://support.google.com/websearch/answer/106318?hl=en
00:31:53 Ukraine's cyber police helped take down the "Avalanche" cyber network, which had been used since 2009 to distribute malware, spam and phishing - ITC.ua http://itc.ua/news/kiberpolitsiya-ukrainyi-likvidirovali-kiberset-avalansh-avalanche-kotoraya-s-2009-goda-ispolzovalas-dlya-rasprostraneniya-vredonosnyih-programm-i-spama-a-takzhe-fishinga-i-otmyivaniya-deneg/

Direct download: 81.mp3
Category:Technology -- posted at: 12:28am CET

Intro / Outro Lady We Knew by Cullah http://freemusicarchive.org/music/MC_Cullah/Cullahmity/03_-_Lady_We_Knew
Hackers Can Easily Hijack This Dildo Camera and Livestream the Inside of Your Vagina (Or Butt) https://motherboard.vice.com/en_us/article/camera-dildo-svakom-siime-eye-hacked-livestream?utm_source=mbtwitter
Teampass http://teampass.net/
Squid: Optimising Web Delivery http://www.squid-cache.org/
SNORT https://www.snort.org/
Suricata https://suricata-ids.org/
pfSense https://www.pfsense.org/
Life and death for Windows: Vista support ends as Creators Update starts to roll out https://www.geekwire.com/2017/microsoft-makes-april-11-a-day-of-life-and-death-for-versions-of-windows-and-office/

Direct download: 80.mp3
Category:Technology -- posted at: 8:05pm CET

Intro / Outro Just Wait by Drake Stafford http://freemusicarchive.org/music/Drake_Stafford/SUNDAY/JUST_WAIT_-_DRAKE_STAFFORD
Identity management system https://en.wikipedia.org/wiki/Identity_management_systems
Dashlane https://www.dashlane.com
TeamPass http://teampass.net/
Microsoft built a special government-approved version of Windows 10 for China https://thenextweb.com/microsoft/2016/03/28/microsoft-windows-10-china/

Direct download: 79.mp3
Category:Technology -- posted at: 1:55am CET

Intro / Outro StrangeZero - Burnin Star  https://www.jamendo.com/track/1378740/burnin-star
00:03:12 Vault 7: CIA Hacking Tools Revealed https://wikileaks.org/ciav7p1/
Vault 7 Megathread - Technical Analysis & Commentary of the CIA Hacking Tools Leak https://www.reddit.com/r/netsec/comments/5y1pag/vault_7_megathread_technical_analysis_commentary/
00:06:10 Interview with Eugene Pilyankevich. You can reach Eugene by email at eugene@cossacklabs.com or on Twitter @9gunpi
Acra https://www.cossacklabs.com/acra/
Work Rules!: Insights from Inside Google That Will Transform How You Live and Lead https://www.amazon.com/Work-Rules-Insights-Inside-Transform/dp/1455554790/ref=asap_bc?ie=UTF8
A Graduate Course in Applied Cryptography https://crypto.stanford.edu/~dabo/cryptobook/

Direct download: 78.mp3
Category:Technology -- posted at: 1:19pm CET

Intro / Outro Brady Harris  - Welcome Me Back https://www.jamendo.com/track/1381589/welcome-me-back
00:01:24 Incident report on memory leak caused by Cloudflare parser bug https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Pragmatic thoughts on #CloudBleed https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
00:11:14 We have broken SHA-1 in practice http://shattered.io/
00:19:26 KasperskyOS 11-11: a unique operating system has been developed in Russia https://hi-tech.mail.ru/news/kaspersky-os-11-11/
00:23:15 Microsoft forced to issue emergency Flash fix after delaying Windows patches http://www.theverge.com/2017/2/22/14696358/microsoft-security-fix-adobe-flash-february-2017-patch-tuesday
00:30:08 China just made VPNs illegal https://www.engadget.com/2017/01/23/china-vpn-illegal-internet-censorship-government-approval/
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf
00:35:14 Security experts now warn AGAINST changing online passwords often as it leaves Brits vulnerable to hackers https://www.thesun.co.uk/news/2865824/security-experts-now-warn-against-changing-online-passwords-often-as-it-leaves-brits-vulnerable-to-hackers/

Direct download: 77.mp3
Category:Technology -- posted at: 5:19pm CET

Intro / Outro DDmyzik- Gypsy Swing https://www.jamendo.com/track/1369034/gypsy-swing
 
On the future of Astoria, the Tor client Cipollino:

The full paper on Technical Support Scam:
(you can learn about the lab's other projects at http://pragsec.com)

The full paper about web shells:
and a bit of map visualization can be found here:

On PrivacyMeter:

On browser extensions:
1) Our study "Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions"
- will appear in the next few days at http://www.cyber-investigator.org/about/
2) WOT extension:
3) Other spying extensions:

Detecting browser extensions:
1) https://extensions.inrialpes.fr (based on web accessible resources)
2) Our study on fingerprinting browser extensions based on their functional side effects and on-page changes
- coming soon at http://www.cyber-investigator.org/about/

Fun services for learning:

Books on algorithms:
Knuth and Cormen
Sedgewick, R. Fundamental Algorithms in C++

Getting into philosophy:

By the way, specifically regarding Facebook and Tor:
facebookcorewwwi.onion

And for extracurricular reading, the much-talked-about piece on "data science" and "big data" regarding "personalized/targeted agitation" :)
Direct download: 76.mp3
Category:Technology -- posted at: 8:17pm CET

Intro / Outro Muciojad - Before I sleep https://www.jamendo.com/track/1406716/before-i-sleep
00:00:44 Best company name ever! Share capital £1, name priceless… https://nakedsecurity.sophos.com/2017/01/06/best-company-name-ever-share-capital-1-name-priceless/
00:04:07 Bug Bounty anniversary promotion: bigger bounties in January and February https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february
00:05:13 A bit of history on vulnerability disclosure
Disclosing vulnerabilities to protect users https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
Charlie Miller and Apple. iPhone Security Bug Lets Innocent-Looking Apps Go Bad http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/#5fd06fe62336
Legal woes http://martin.swende.se/blog/IP-issues.html
Fatal flaw found in PricewaterhouseCoopers SAP security software http://www.theregister.co.uk/2016/12/09/fatal_flaw_in_pricewaterhousecoopers_sap_software/ 
00:29:23 MongoDB hackers now sacking ElasticSearch http://www.theregister.co.uk/2017/01/13/elasticsearch_mongodb/
00:30:46 WordPress plugs eight holes in latest release http://www.theregister.co.uk/2017/01/13/wordpress_plugs_eight_holes_in_latest_release/
00:31:17 Peace-sign selfie fools menaced by fingerprint-harvesting tech http://www.theregister.co.uk/2017/01/12/fingerprint_photographs/
00:32:21 We already have a contender for the "Best PR Description" award for 2017 https://github.com/rapid7/metasploit-framework/pull/7815
00:33:20 ISC squishes BIND packet-of-death bugs http://www.theregister.co.uk/2017/01/13/isc_fixes_bind_denialofservice_vuls/
00:34:01 Docker swings door shut on privilege escalation bug http://www.theregister.co.uk/2017/01/12/docker_container_escape_vuln_patched/
00:34:23 GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug http://www.theregister.co.uk/2017/01/11/godaddy_pulls_unvalidated_digital_certs/
00:34:45 Who is Anna-Senpai, the Mirai Worm Author? https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
00:35:23 Windows 10 anniversary update: Security and privacy, hope and change? http://www.welivesecurity.com/2017/01/12/windows-10-anniversary-update-security-privacy/

Direct download: 75.mp3
Category:Technology -- posted at: 3:24pm CET

Intro / Outro Freaky girl by Yung Vikk https://www.jamendo.com/track/1334898/freaky-girl

Antivirus tools are a useless box-ticking exercise says Google security chap http://www.theregister.co.uk/2016/11/17/google_hacker_pleads_try_whitelists_not_just_bunk_antivirus_ids/

Medical Equipment Crashes During Heart Procedure Because of Antivirus Scan http://news.softpedia.com/news/medical-equipment-crashes-during-heart-procedure-because-of-antivirus-scan-503642.shtml

USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS (pdf) https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf

Cuckoo Sandbox https://cuckoosandbox.org/

How to Stay Safe Online v0.0.2 https://www.xmind.net/m/8tR8

Standards body warned SMS 2FA is insecure and nobody listened http://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

 

Direct download: 74.mp3
Category:Technology -- posted at: 6:49am CET

Intro / Outro BeenCalledWorse-DueTime (produced by Expo) by Tab https://www.jamendo.com/track/1338032/beencalledworse-duetime-produced-by-expo

Hofling hospital experiment https://en.wikipedia.org/wiki/Hofling_hospital_experiment

Security scare: Kate Middleton nurse reveals medical details to DJ impersonating the Queen in radio prank call http://www.mirror.co.uk/news/uk-news/kate-middleton-nurse-reveals-medical-1473720?service=responsive

The “successful” grandpa from Moscow https://www.facebook.com/photo.php?fbid=10208638914708436&set=a.2961938685656.2129723.1177252976&type=3&theater

https://www.instagram.com/borisbork/

Beware! Scammers have appeared who swindle money by posing as employees of "Oschadbank" http://7dniv.info/lang-ru/society/81796-oberezhno-ziavilis-shahraii-iak-vimaniuiut-koshti-predstavliaiuchis-pracvnikami-oschadbanku.html

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms (pdf) https://vvdveen.com/publications/drammer.pdf

Thoughts on standardization and strengthening the legislative framework

Direct download: 71.mp3
Category:Technology -- posted at: 1:11pm CET

Intro / Outro The last ones by Jahzzar http://freemusicarchive.org/music/Jahzzar/Smoke_Factory/The_last_ones

00:01:00 UISGCON12. Afterworlds. https://12.uisgcon.org/

https://www.facebook.com/rekun.photo/photos/?tab=album&album_id=730563853779312

Videos of the talks https://www.youtube.com/playlist?list=PL0YHqSi934_5fPXaoNxqx42PI7PrCC2xI

00:01:54 No Name Podcast https://nonamepodcast.podbean.com/

00:02:14 Interview with Sergey Smitienko.

00:12:34 Hundreds of thousands of TalkTalk and Post Office broadband users are knocked off the internet by cyber-attack that seizes control of their routers http://www.dailymail.co.uk/news/article-3991714/Hundreds-thousands-TalkTalk-Post-Office-broadband-users-knocked-internet-cyber-attack-seizes-control-routers.html

00:16:43 Six seconds to hack a credit card http://www.ncl.ac.uk/press/news/2016/12/cyberattack/

Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? (pdf) http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf

How it takes just six seconds to hack a credit card (video) https://www.youtube.com/watch?v=uwvjZGKwKvY

00:34:23 Hackers attacked the Ukrainian treasury http://znaj.ua/news/regions/80081/hakeri-atakuvali-ukrayinske-kaznachejstvo.html

00:43:52 Russia's Information Security Doctrine approved http://kremlin.ru/acts/news/53418

00:51:54 You can contact Sergey via Facebook https://www.facebook.com/sergey.smitienko

00:53:34 A Poltava court released a cybercriminal who had been sought for 4 years by law enforcement from 30 countries http://poltava.to/news/40979/

00:56:04 Media reported the theft of 2 billion rubles from accounts at the Central Bank http://www.rbc.ru/finances/03/12/2016/584238709a7947256285e2ff

00:56:59 The UK now wields unprecedented surveillance powers — here’s what it means http://www.theverge.com/2016/11/23/13718768/uk-surveillance-laws-explained-investigatory-powers-bill

00:58:06 FBI’s New Hacking Powers Take Effect This Week http://fortune.com/2016/11/30/rule-41/

01:01:06 [tor-talk] Javascript exploit https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

Security vulnerabilities fixed in Firefox 50.0.1 https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/

01:03:03 Standards body warned SMS 2FA is insecure and nobody listened http://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

01:04:02 Android, Qualcomm move on insecure GPS almanac downloads http://www.theregister.co.uk/2016/12/07/android_qualcomm_move_on_insecure_gps_almanac_downloads/

01:08:11 Six seconds to hack a credit card http://www.ncl.ac.uk/press/news/2016/12/cyberattack/ (repetition is the mother of stuttering)

01:09:16 Clarkson stung after bank prank http://news.bbc.co.uk/2/hi/7174760.stm

01:12:28 Printer security is so bad HP Inc will sell you services to fix it http://www.theregister.co.uk/2016/12/06/printer_security_sucks_so_bad_hp_has_opened_a_pain_outsourcing_unit/

 

Books:

Donald E. Knuth The Art of Computer Programming https://www.amazon.com/Computer-Programming-Volumes-1-4A-Boxed/dp/0321751043

Peter Watts Blindsight https://www.amazon.com/Blindsight-Peter-Watts/dp/0765319640/ref=sr_1_1?s=books&ie=UTF8&qid=1483619160&sr=1-1&keywords=Blindsight

Cixin Liu The Three-Body Problem https://www.amazon.com/Three-Body-Problem-Cixin-Liu/dp/0765382032/ref=sr_1_1?s=books&ie=UTF8&qid=1483619237&sr=1-1&keywords=The+Three-Body+Problem

Neal Stephenson Cryptonomicon https://www.amazon.com/Cryptonomicon-Neal-Stephenson/dp/0060512806/ref=sr_1_1?s=books&ie=UTF8&qid=1483619337&sr=1-1&keywords=Cryptonomicon

Direct download: 73.mp3
Category:Technology -- posted at: 1:28am CET