Securit13 Podcast
The first Ukrainian podcast about information security

Intro/Outro: Etherwood - Begin By Letting Go

'FREAK' in Android and iOS http://thehackernews.com/2015/03/freak-openssl-vulnerability.html

'FREAK' in Windows http://thehackernews.com/2015/03/freak-openssl-vulnerability_5.html

A listener's question prompted by yet another pre-load in Android case http://thehackernews.com/2015/03/Xiaomi-Mi-4-malware.html

Cyber BINGO

Truecrypt audit http://blog.cryptographyengineering.com/2015/02/another-update-on-truecrypt-audit.html

Dropbox Accesses All The Files in Your PC (Not Just Sync Folder) and Steals Everything http://www.e-siber.com/guvenlik/dropbox-accesses-all-the-files-in-your-pc-not-just-sync-folder-and-steals-everything/?utm_content=bufferec71c&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer

Dropbox Is Probably Not Stealing All Your Files https://one.darrenpmeyer.com/blog/dropbox-is-problably-not-stealing-all-your-files.html

Seagate NAS Remote Code Execution Vulnerability https://beyondbinary.io/advisory/seagate-nas-rce/

How the NSA’s Firmware Hacking Works http://www.wired.com/2015/02/nsa-firmware-hacking/

Gemalto Confirms It Was Hacked But Insists the NSA Didn’t Get Its Crypto Keys http://www.wired.com/2015/02/gemalto-confirms-hacked-insists-nsa-didnt-get-crypto-keys/

How Hackers Abused Tor To Rob Blockchain, Steal Bitcoin, Target Private Email And Get Away With It http://www.forbes.com/sites/thomasbrewster/2015/02/24/blockchain-and-darknet-hacks-lead-to-epic-bitcoin-losses/

Github Hacking for fun and... sensitive data search! http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html

Hillary Rodham Clinton and her emails http://www.washingtonpost.com/politics/state-department-reviewing-whether-clinton-e-mail-violated-security-rules/2015/03/05/16d1547e-c378-11e4-9271-610273846239_story.html

Spies Just by Watching Your Phone’s Power Use http://www.wired.com/2015/02/powerspy-phone-tracking/

Lenovo.com has been hacked http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad

Google is More Protected from Unwanted Software http://googleonlinesecurity.blogspot.com/2015/02/more-protection-from-unwanted-software.html

Cloud based web app security scanner released by GOOGLE http://www.latesthackingnews.com/2015/02/21/cloud-based-web-app-security-scanner-released-by-google/#

Most vulnerable operating systems and applications in 2014 http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/ 

Blogger porn content policy https://support.google.com/blogger/answer/6177281?hl=en

Internet is for PORN!! https://www.youtube.com/watch?v=eWEjvCRPrCo&feature=youtu.be

Direct download: 29.mp3
Category:Technology -- posted at: 3:15am CEST

Intro/Outro: La Fouine - Controle Abusif

The CTF movement in Ukraine and worldwide: an interview with Mykola Ilin @MykolaIlin

CTF team rankings https://ctftime.org and the achievements of dcua https://ctftime.org/team/762

The popularity of CTF competitions in Ukraine and worldwide

Principles of running a CTF http://captf.com/maxims.html

Competition types, and tactics and strategy for taking part in CTFs http://felicity.iiit.ac.in/contest/break_in/ http://ructf.org/e/2014/ http://ictf.cs.ucsb.edu/ http://www.phdays.com/ctf/king/ http://c2.cnews.ru/news/top/crc_opublikovany_rezultaty_onlajnkvesta https://ctftime.org/event/list/upcoming https://www.reddit.com/r/securityctf http://captf.com/calendar/ https://time.xctf.org.cn/ctfs/event/list/upcoming

To contact Mykola, use Twitter or write to mykola.ilin@defcon.org.ua

Ten Million (Logins and) Passwords https://xato.net/passwords/ten-million-passwords/ https://www.reddit.com/r/10millionpasswords/comments/2w07mf/a_list_of_flaws_in_the_data_set/

Author: https://xato.net/about/#.VOioXELpb8F

Online Check: http://peersm.com/findmyass

Lenovo caught installing adware on new computers http://www.tripwire.com/state-of-security/security-data-protection/superfish-lenovo-adware-faq/ http://news.lenovo.com/article_display.cfm?article_id=1929 https://github.com/hannob/superfishy

Theft of billions from 100 financial organizations around the world http://www.kaspersky.ru/about/news/virus/2015/ugroza-na-milliard http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/

Anunak vs Carbanak FAQ https://www.fox-it.com/en/press-releases/anunak-aka-carbanak-update/

Microsoft Pushes Patches for Dozens of Flaws http://krebsonsecurity.com/2015/02/microsoft-pushes-patches-for-dozens-of-flaws/

Bypassing Windows Security by modifying 1 Bit Only http://thehackernews.com/2015/02/bypassing-windows-security.html

Universal XSS in IE 11 http://thehackernews.com/2015/02/internet-explorer-xss.html

NSA Planted Stuxnet-Type Malware Deep Within Hard Drive Firmware http://top.rbc.ru/politics/17/02/2015/54e257fe9a7947e06164f582

They decided to monitor bloggers http://jurliga.ligazakon.ua/news/2015/2/13/124332.htm

but then changed their minds http://www.pravda.com.ua/rus/news/2015/02/16/7058739/

The Rada abolished the National Commission on Morality http://news.liga.net/news/politics/5053048-rada_likvidirovala_natskomissiyu_po_voprosam_morali.htm

Report on vulnerabilities of mobile Internet by Positive Technologies (PDF) http://www.ptsecurity.com/download/Vulnerabilities_of_Mobile_Internet.pdf

The great SIM heist https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

SSL is officially declared dead https://pciguru.wordpress.com/2015/02/07/ssl-is-officially-declared-dead/

GnuPG 2.1.2 released https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000361.html

Facebook SCAM Alert: Get FREE $200 Amazon Gift Card! http://www.hacker9.com/free-amazon-gift-card-facebook.html

Spat leads to partial leak of Rig Exploit Kit http://threatpost.com/spat-leads-to-partial-leak-of-rig-exploit-kit/111029

Forbes.com compromised by Chinese cyber spies targeting US firms http://www.net-security.org/secworld.php?id=17938

Direct download: 28.mp3
Category:Technology -- posted at: 1:54pm CEST

Intro/Outro: Mad Heads – Молода кров

GnuPG donations https://www.gnupg.org/donate/

Support Risky.Biz https://www.patreon.com/riskybusiness

GPG Tools https://gpgtools.org

GPG encrypted loopback disks http://patrick.uiterwijk.org/2013/02/25/gpg-encrypted-loopback-disks/

Mozilla, Tor & Privacy https://blog.mozilla.org/it/2015/01/28/deploying-tor-relays/

Anthem hack http://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/

World's Biggest Data Breaches infographic http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

The Pirate Bay & CloudFlare CDN http://n4gm.com/thepiratebay-using-cloudflare-cdn/

Tsarev & Kolomoyskiy https://www.youtube.com/watch?v=9H4Eb9UI5xg

BlackPhone https://blackphone.ch

Kyivstar cell network blackout in Eastern Ukraine https://www.facebook.com/peter.chernyshov/posts/10205651506638154 https://www.facebook.com/peter.chernyshov/posts/10205679729343704

SS7 security concerns http://www.zdnet.com/article/invasive-phone-tracking-new-ss7-research-blows-the-lid-off-personal-security/

Had Russian blackhats pwned Sony? http://www.forbes.com/sites/thomasbrewster/2015/02/04/russians-hacked-sony-too-claims-us-firm/

Tech journalism in Ukraine http://biz.liga.net/all/it/stati/2924651-proslushat-kazhdogo-reyting-nadezhnosti-mobilnykh-messendzherov-.htm

RetroShare http://retroshare.sourceforge.net Signal https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8 Silent Circle https://silentcircle.com

Extradition aspects http://arstechnica.com/tech-policy/2015/01/dutch-judge-allows-alleged-sophisticated-russian-hacker-to-be-sent-to-us/

Snare on MacOS X bootkitting http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/

Cisco Annual Security Report http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html

Source 114 vs Verizon Business. Who wins? https://pbs.twimg.com/media/B81r299IUAEu2qT.jpg:large http://www.verizonenterprise.com/DBIR/2014/

Fear the known: why AV companies publish security reports?

Binary Risk Analysis https://binary.protect.io https://binary.protect.io/workcard.pdf

2 factor authentication vs 2 step verification

Yubikey https://www.yubico.com/products/yubikey-hardware/yubikey-2/

Army cyber defenders open source code in new GitHub project http://www.army.mil/article/141734

CERT-UA 2014 report http://cert.gov.ua/?p=2019

Direct download: 27.mp3
Category:Technology -- posted at: 4:28pm CEST


  1. Sony Hack

    1. Timeline of events http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/

    2. Dave Aitel's opinion http://seclists.org/dailydave/2014/q4/70

    3. Doubts about North Korea's involvement http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/

    4. The US confirmed it had been monitoring North Korea's Internet activity http://www.bloomberg.com/news/2015-01-19/u-s-spies-tapped-north-korean-computers-prior-to-sony-attack.html

  2. Lizard Kids attacked Sony PlayStation and Microsoft Xbox networks

    1. http://krebsonsecurity.com/2014/12/cowards-attack-sony-playstation-microsoft-xbox-networks/

    2. Arrest of the participants http://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail/ and http://krebsonsecurity.com/2015/01/another-lizard-arrested-lizard-lair-hacked/

  3. Hack and suspension of a bitcoin exchange

    1. http://www.esecurityplanet.com/network-security/bitcoin-exchange-bitstamp-hacked.html

    2. http://www.zdnet.com/article/bitstamp-exchange-reopens-doors-after-5m-hack/

    3. Analysis of the bitcoin price (with a small chart) after the exchange was suspended http://www.coindesk.com/markets-weekly-questions-bitcoin-price-torrid-week/

  4. Attack on Tor

    1. http://cointelegraph.com/news/113174/the-tor-onion-is-under-attack-and-rapidly-disintegrating

    2. http://thehackernews.com/2014/12/tor-network-hacked.html

Direct download: 26.mp3
Category:general -- posted at: 5:39pm CEST

Episode 25: The (hazy) future of (cloud) security

Family happiness, flashy vulns, recent hacks and political actions, cloud infrastructures and their impact on the infosec field, and the knowledge and tools of the security practitioner of the future.

Links to the materials discussed.

Intro/Outro: Крихітка Цахес – Пароль (http://www.kryhitka.com.ua)

Direct download: 25.mp3
Category:Technology -- posted at: 9:06pm CEST

Feature interview: Andrey "login" Loginov

Windows XPinction in 2014

Snowden leaks 

Anti DDoS in banking 

ØMQ/Saltstack firewall DDoS side effect

DNS amplification classics

Personal VPN on amazon EC2

Hadoop’ed Big Data swamp smelling like Redis

Data aggregation risks

Threat modeling fails

Quantum crypto progress

Outro: Alliance Ethnik - Respect (feat. Vinia Mojica) http://goo.gl/OI7Vn0

Direct download: 24.mp3
Category:Technology -- posted at: 8:07pm CEST

Interview with Vladimir Kochetkov (https://twitter.com/kochetkov_v)

The thorny path of an application security specialist: where to study, what to study, what to aim for, and much more.

Open source security, and the security aspects of using shared libraries and frameworks.

Exotic behaviour of lists in Python (http://rsdn.ru/forum/security/4547724.flat)

On compiler security (http://www.opennet.ru/opennews/art.shtml?num=29981 https://www.veracode.com/blog/2009/08/trust-your-own-code-trust-your-own-compiler/)

Security forum for developers on RSDN (http://rsdn.ru/forum/security)

The Nemerle programming language (http://vkochetkov.blogspot.ru/2011/06/nemerle.html)

The Tangled Web: A Guide to Securing Modern Web Applications (http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886)

Sources of information on code security research:

http://seclab.cs.ucdavis.edu/

http://www.cs.dartmouth.edu/~sergey/

http://ceur-ws.org/

http://suif.stanford.edu/~livshits/work/griffin/lit.html

http://www.cs.utexas.edu/~shmat/courses/cs380s/

http://www.engpaper.com/research-paper-computer-science-web-application.htm

http://www.engpaper.com/research-paper-computer-science-network-security.htm

http://security.cs.berkeley.edu/

Outro: Веня Д'ркин - Нибелунг (http://drdom.ru/)

Direct download: 23.mp3
Category:Technology -- posted at: 6:39am CEST

Intro/Outro: 2Pac – Dear Mama (MelodyAngel Guitar Cover) - https://soundcloud.com/melodyangel/dearmamacover 

Prisms and lenses https://en.wikipedia.org/wiki/PRISM_(surveillance_program) (Meet Mr. Prism! http://i.imgur.com/znAbpIS.png)

Natural Language Processing & neural networks

Cloud security, do it yourself http://security-ingvar-ua.blogspot.com/2013/05/cloudstack-iaas-insecure-password-reset.html

(In)security of open/closed-source software

Strengthening of Ukrainian copyright protection legislation

No WebMoney – no honey

Longing for Netflix & Spotify

UISGCON 9 CFP http://uisgcon.org/9/speakers/ 

Progress in homomorphic cryptography

A few words about PHDays

Direct download: 22.mp3
Category:Technology -- posted at: 12:12am CEST

Intro/Outro Malukah - Frozen Sleep - Halo 4 / Cortana Tribute (http://www.malukah.com/FREE/)

Latest Java 0-day recap, still not fully patched (http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html)

Java 1.7u10 Security Settings fail (http://seclists.org/fulldisclosure/2013/Jan/241)

Good Morning, Your Mac Keeps A Log Of All Your Downloads (http://www.macgasm.net/2013/01/18/good-morning-your-mac-keeps-a-log-of-all-your-downloads/)

Google looks to ditch passwords for good with NFC-based replacement (http://www.zdnet.com/google-looks-to-ditch-passwords-for-good-with-nfc-based-replacement-7000010073/)

How to Secure SSH with Google Authenticator's Two-Factor Authentication (http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/)

Red October (http://arstechnica.com/security/2013/01/why-red-october-malware-is-the-swiss-army-knife-of-espionage/)

Gozi Malware (http://www.csoonline.com/article/727438/gozi-malware-arrests-report-highlight-russian-cybercrime)

Google cached HP printers (http://www.wired.com/insights/elsewhere/whoops-google-indexes-more-than-86000-hp-public-printers-20130125/)

PHDays is coming (http://phdays.ru/)

PentesterLab (https://www.pentesterlab.com/), DVL (http://www.damnvulnerablelinux.org/), DVWA (http://www.dvwa.co.uk/), CTF365 (http://ctf365.com/), Hack.me (https://hack.me/)

PowerShell 3 (http://blogs.technet.com/b/heyscriptingguy/archive/2012/09/06/powershell-3-0-is-now-available-for-download.aspx)

Direct download: 21.mp3
Category:Technology -- posted at: 3:25pm CEST

Intro/Outro: Ylvis - Someone Like Me [dubstep edit] (https://www.youtube.com/watch?v=DwDHiTQq49U)

Fail #1 - Silent Karpik

Fail #2 - The failed discussion of the "traffic bathhouse"

Cryptanalysis in the "clouds": a PoC for extracting private RSA keys from a neighbouring virtual machine (http://arstechnica.com/security/2012/11/crypto-keys-stolen-from-virtual-machine/)

The paradigm shift in protecting IT systems in the "clouds"

Security-related courses available on Coursera (http://coursera.org)

Direct download: 20.mp3
Category:Technology -- posted at: 9:25pm CEST