3 Security Buddies

3SB-8: Password Complexity

Follow up: * No follow ups Topics: * NIST changing password requirements * Roundtable how we got into security + suggestions Paul Rant: * Paul is on vacation. No Rants. Links: * https://pages.nist.gov/800-63-3/sp800-63b.html [https://pages.nist.gov/800-63-3/sp800-63b.html] * https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords [https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords] Hosts: Paul Kehrer @reaperhulk Robert Clark @hyakuhei Matías Brutti @MrBrutti Special Guest: Travis McPeak @travismcpeak Post-Production: Matias Brutti @MrBrutti Disclaimer:The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-7: 🍎 Security Worms

Follow up: * US is elevating ransomware the same level of terrorism. Topics: * Apple Security WWDC * Move beyond passwords ( iCloud Keychain WebAuthN keys ) * Discover account-driven User Enrollment * Secure login with iCloud Keychain verification codes ( domain-binding apple-totp ) * Polkit PrivEsc * Growing abuse of Kubernetes (it’s not containers) Paul Rant: * Apple Bug Report blackhole Links: * https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/ [https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/] * https://threatpost.com/microsoft-cryptomining-kubeflow/166777/ [https://threatpost.com/microsoft-cryptomining-kubeflow/166777/] * https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ [https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/] Hosts: Paul Kehrer @reaperhulk Robert Clark @hyakuhei Matías Brutti @MrBrutti Post-Production: Matias Brutti @MrBrutti Disclaimer:The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-6: Dependency Hell

Follow up: - Nothing this week Topics: * Automated Fuzzing Testing in Go * Stack Overflow Supply Chain Attacks * Deps.dev * Update on Github’s policies regarding exploits, malware, and vulnerability research Paul Rant: * Pinning dependencies on Libraries Links: * https://blog.golang.com/fuzz-beta [https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/] * https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400 [https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400] * https://deps.dev [https://deps.dev] * https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/ [https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/] Hosts: Paul Kehrer @reaperhulk Robert Clark @hyakuhei Matías Brutti @MrBrutti Post-Production: Matias Brutti @MrBrutti Disclaimer:The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-5: Hardware Apocalypses

Follow up: * Vaxxed || Mask Rant Update * WhatsApp will not be removing functionality. Topics: * OpenSSL Rustification * Data without context is useless * AMD attacks on Virtual Machine Protection System. * M1ssing Register Access Controls Leak EL0 State Paul Rant: * QC35 switch is garbage. GARBAGE! Links: * https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/ [https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/] * https://m1racles.com [https://m1racles.com] Hosts: Paul Kehrer @reaperhulk Robert Clark @hyakuhei Matías Brutti @MrBrutti Post-Production: Matias Brutti @MrBrutti Disclaimer:The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-4: EuroCyberVision

Episode Follow up: * Codecov Mercari * Audacity Open Source Telemetry Topics: * WhatsApp: Give me your privacy or I will stop working. * Russian Keyboard as a first line of defense * Craig Federighi MacOS vs iOS Security Model Paul Rant: * Vaxxed or Mask. Trust by Verify Rant by Matias Brutti. Links: * https://about.mercari.com/en/press/news/articles/20210521_incident_report/ * https://github.com/audacity/audacity/discussions/889 * https://blog.malwarebytes.com/privacy-2/2021/05/whatsapp-calls-and-messages-will-break-unless-you-share-data-with-facebook/ * https://www.schneier.com/blog/archives/2021/05/adding-a-russian-keyboard-to-protect-against-ransomware.html * https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/ * https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/ * https://www.imore.com/craig-federighi-defends-iphone-security-throwing-mac-under-bus Hosts: Paul Kehrer @reaperhulk Robert Clark @hyakuhei Matías Brutti @MrBrutti Post-Production: Matias Brutti @MrBrutti Disclaimer:The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.