))
The Hacker Mind is an original podcast from the makers of Mayhem Security. It’s the stories from the individuals behind the hacks you’ve read about. It’s about meeting some of the security challenges in software through advanced techniques such as fuzz testing. It’s a view of the hackers and their world that you may not have heard before.
…
continue reading
In your own skull you carry the single most complex and powerful tool in the universe, which also is the sole determinate of the quality and happiness level for your entire life. It's about time that you took control of that thing and learned how to use it to its fullest potential. Sean Webb teaches you how to hack and take control of your mind like you never have before. You'll be amazed at how much you didn't actually know about the topic of you. The truth is you do have hidden powers with ...
…
continue reading
1
EP 85: The Rise Of Bots (and Bots As A Service)
40:49
40:49
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
40:49
Bots are actionable scripts that can slow your day to day business, be enlisted in denial of service attacks, or even keep you from getting those tickets Taylor Swift you desperately want. Antoine Vastel from DataDome explains how it's an arms race: the better we get at detecting them, the more the bots evolve to evade detection. Transcript here.…
…
continue reading
1
EP 84: When Old Medical Devices Keep Pre-shared Keys
43:38
43:38
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
43:38
You would think there is a procedure to End-of-Life a medical device, right? Erase personal health info. Erase network configuration info. Speaking at SecTor 2023, Deral Heiland from Rapid 7 said he found that he was able to buy infusion pumps on the secondary market with the network credentials for the original Health Care Delivery Organization in…
…
continue reading
1
EP 83: Tales From The Dark Web: Ransomware, Data Extortion, and Operational Technology
37:07
37:07
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
37:07
With the recent Clop attack on customers of MoveIt, ransomware is now old news. Attackers are skipping the encryption and simply extorting the exfiltrated data, according to Thomas “Mannie” Wilken, from the Accenture Cyber Threat Intelligence Dark Web Reconnaissance Team. He should know; he spends his days on the Dark Web seeing the rise of new inf…
…
continue reading
Imagine a data dump of files similar to the Snowden Leaks in 2013, only this it’s not from the NSA but from NT Vulkan, a Russian contractor. And it’s a framework for targeting critical IT infrastructures. In a talk at DEF CON 31, Joe Slowick from Huntress, shares what a Russian whistleblower released in the form of emails and documents, and how we …
…
continue reading
Rather than use backdoor exploits, attackers are stealing credentials going through the front door. How are they gaining credentials. Sometimes it’s from the tools we trust. Paul Geste and Thomas Chauchefoin discuss their DEF CON 31 presentation Visual Studio Code is why I have (Workspace) Trust issues as well as the larger question of how much we …
…
continue reading
What if an GPC project OAUTH access token wasn’t deleted? This could expose databases to bad actors. Tal Skverer from Astrix discusses his DEF CON 31 presentation GhostToken: Exploiting Google Cloud Platform App Infrastructure to Create Unremovable Trojan Apps. Transcript here.Robert Vamosi による
…
continue reading
1
EP 79: Conducting Incident Response in Costa Rica Post Conti Ransomware
56:50
56:50
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
56:50
How do you conduct an incident response for an entire country? When it’s 27 different life-critical government ministries each with up to 850 individual devices -- that’s uncharted territory. Esteban Jimenez of ATTI Cyber talks about his experience with the reconstruction of the cybersecurity system following Conti, how the country handled a second…
…
continue reading
1
EP 78: Defending Costa Rica From Conti Ransomware
56:46
56:46
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
56:46
What is is like to hack an entire country, to take it’s government services offline, to deny a government an ability to function? Costa Rica knows. Esteban Jimenez of ATTI Cyber has been helping Costa Rica improve its cybersecurity posture for more than 16 years, and he has been helping them recently recover from a crippling ransomware attack in Ap…
…
continue reading
1
EP 77: Security Chaos Engineering with Kelly Shortridge
40:32
40:32
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
40:32
Speaking at Black Hat 2023, Kelly Shortridge is bringing cybersecurity out of the dark ages by infusing security by design to create secure patterns and practices. It’s a subject of her new book on Security Chaos Computing, and it’s a topic that’s long overdue to be discussed in the field. Transcript.…
…
continue reading
Are we doing enough to secure our health delivery organizations? Given the rise of ransomware attacks, one could day we are not. Karl Sigler from Trustwave SpiderLabs, talks about a new report that his team has written that is focused on the threat landscape for medical devices and the healthcare industry in general. Transcript here.…
…
continue reading
1
EP 75: Hacking .Mil And Other TLD Domains (Ethically)
48:45
48:45
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
48:45
Internet domains are brittle. One could hack into a military, a foreign government, or even global commercial web services domain using flaws in the underlying architecture. Fredrik Nordberg Almroth, co-founder of Detectify, talks about how he did just that -- hack .mil, hack the top level domain of the Democratic Republic of Congo, and even Gmail …
…
continue reading
Phishing is everywhere. Who among us has not seen phish in their inbox? Aviv Grafi, from Votiro, gets into the weeds about how malicious documents are formed and how they might (despite good secure posture) still end up in your inbox or browser. He’s created a rather novel method to strip out the good content from the bad without affecting your ove…
…
continue reading
Could the nudges and prompts like those from our Fitbits and Apple watches be effective in enforcing good security behavior as well? Oz Alashe, CEO and founder of CybSafe, brings his experience in the UK Intelligence Community to the commercial world along with some solid science around what motivates us to make changes in our lives. It’s not just …
…
continue reading
Say you’re an organization that’s been hit with ransomware. At what point do you need to bring in a ransomware negotiator? Should you pay, should you not? Mark Lance, the VP of DFIR and Threat Intelligence for GuidePoint Security, provides The Hacker Mind with stories of ransomware cases he’s handled and best practices for how to handle such an eve…
…
continue reading
Small to Medium Business are increasingly the target of APTs and ransomware. Often they lack the visibility of a SOC. Or even basic low level threat analysis. Chris Gray of Deepwatch talks about the view from the inside of a virtual SOC, the ability to see threats against a large number of SMB organizations, and the changes to cyber insurance we’re…
…
continue reading
More and more criminals are identified through open source intelligence (OSINT). Sometimes a negative Yelp review can reveal their true identity. Daniel Clemens, CEO of ShadowDragon, talks about his more than two decades of digital investigations, from the origins of the Code Red worm to the mass shooter in Las Vegas, with a fair number of pedophil…
…
continue reading
It’s time to evolve beyond the UNIX operating system. OSes today are basically ineffective database managers, so why not build an OS that’s a database manager? Michael Coden, Associate Director, Cybersecurity, MIT Sloan, along with Michael Stonebreaker will present this novel concept at RSAC 2023. You can learn more at dbos-project.github.io…
…
continue reading
Incident response in the cloud. How is it different, and why do we need to pay more attention to it today, before something major happens tomorrow. James Campbell, CEO of Cado Security, shares his experience with traditional incident response, and how the cloud, with its elastic structure, able to spin up and spin down instances, is changing incide…
…
continue reading
We’ve seen drug marketplaces and extremists use the Dark Web. Will generative AI tools like ChatGPT make things crazier by lowering the barrier to entry? Delilah Schwartz, from Cybersixgill, brings her extensive background with online extremism to The Hacker Mind to talk about how she’s seeing a lot of chatter in the dark web.about AI online. She d…
…
continue reading
Booth babes and rampant sexism were more of a problem in infosec in the past. That is, until Chenxi Wang spoke up. And she’s not done changing the industry. She’s an amazing person who has done an incredible number of things in a short amount of time -- a PhD in Computer Engineering, inventor of a process still used by the DoD today, a successful t…
…
continue reading
1
EP 65: The Hacker Revolution Will Be Televised
50:32
50:32
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
50:32
What if DEF CON CTFs were televised? What if you could see their screens and have interviews with the players in the moment? Turns out, you can. Jordan Wiens, from Vector 35, maker of Binary Ninja, is no stranger to CTFs. He’s played in ten final DEF CON CTFs, was a part of DARPA’s Cyber Grand Challenge, and recently he’s moderated the live broadca…
…
continue reading
When we hear about bad actors on a compromised system for 200+ days, we wonder how they survived for so long. Often they hide in common misconfigurations. From her talk at SecTor 2022, Paula Januszkiewicz, CEO of Cqure, returns to The Hacker Mind and explains how a lot of little configuration errors in common Windows tools and services can open the…
…
continue reading
1
EP 63: What Star Wars Can Teach Us About Threat Modeling
42:57
42:57
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
42:57
Having a common framework around vulnerabilities, around threats, helps us understand the infosec landscape better. STRIDE provides an easy mnemonic. Adam Shostack has a new book, Threats: What Every Engineer Should Learn From Star Wars. that uses both Star Wars and STRIDE to help engineers under vulnerabilities and threats in software development.…
…
continue reading
Hacking websites is perhaps often underestimated yet is super interesting with all its potential for command injections and cross site scripting attacks. Tib3rius from White Oak Security discusses his experience as a web application security pen tester, his OSCP certification, and how he’s giving back to the community with his Twitch, Youtube, and …
…
continue reading
Holiday air travel tips from The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick and Robert Vamosi. This is a short episode until The Hacker Mind returns in the new year.Robert Vamosi による
…
continue reading
If you call someone on the other side of the world, perhaps you notice the delay in their response. For voice that’s okay, but for live music that’s disastrous. Mark Goldstein thinks he’s solved the latency problem associated with the production of live musical performances online. Having one musician in Bangalore, another in California, and yet an…
…
continue reading
Sometimes complex technology doesn't necessarily raise the barrier for entry for cyber criminals. Sometimes, as with our cars, it does the exact opposite.Robert Vamosi による
…
continue reading
The LockBit ransomware gang no longer offers just one service, like ransomware, but multiple services, like anti-analysis tools and bug bounty programs. Mick Baccio from Splunk’s SURGe explains how ransomware gangs are evolving into crimeware-as-a-service platforms, as a one stop shop for all your online criminal needs.…
…
continue reading
In this follow up podcast, I talk about encrypting your hard drive with Tails OS, using Virtual Machines, and other ways to keep your laptop secure. In my book The Art of Invisibility, I challenged my co author, Kevin Mitnick, to document various ways to keep your data private. This is a companion episode with episode 41.…
…
continue reading
You could of course sell your skillz to the dark web. Or you could legitimately report what you find and get paid to do so. You might even travel the world. In this episode of The Hacker Mind, I return to Episode 7 with Tim Becker, Episode 9 with Stok, and Episode 22 with Jack Cable to get their perspective on leaving 1337 skillz while getting paid…
…
continue reading
Playing Capture the Flag challenges you to solve problems creatively, something that is missing in computer science programs. What else is needed? In this episode of The Hacker Mind, we return to where we started in Episode One: Why is West Point -- and for that matter, others -- Training Hackers? Think of this as the greatest hits from The Hacker …
…
continue reading
Red teams and pen tests are point-in-time assessments. What if you could simulate an ongoing attack to test your teams’ readiness? You can with a cyber range. Lee Rossi, CTO and co founder.of SimSpace, a cyber range company, joins The Hacker Mind podcast to explain how using both live Red Teams and automated cyber ranges can keep your organization …
…
continue reading
Just because you have a tool, like ATT&CK, you might not realize its full potential without someone being there to guide you … at least in the beginning. Frank Duff, now the chief innovation officer and co founder of Tidal Security, returns to The Hacker Mind to discuss the ATT&CK framework, only this time from the perspective of his new company. H…
…
continue reading
DEF CON is 30 years old this year, and it’s bigger and better in part because of topic-specific villages. Here’s an inside look at four of the most popular villages. In this episode I’m talking to the organizers of the Lockpicking Village,the ICS village, the Car Hacking Village, and the Aerospace Village. And, there’s thirty more villages includin…
…
continue reading
Fighting organized crime online might seem like a logical extension for law enforcement, but, in fact, it is not all that straight forward. Michael McPherson is someone with 25 years in the FBI, who has transitioned out to the corporate world, and can best describe the experiences on both sides of fighting cybercrime.…
…
continue reading
There’s an online war in Ukraine, one that you haven’t heard much about because that country is holding its own with an army of infosec volunteers worldwide. Mikko Hypponen joins The Hacker Mind to discuss cybercrime unicorns, the fog of cyber war that surrounds the Ukrainian war with its much larger neighbor, and of course Mikko’s new book, If It’…
…
continue reading
Living off the Land (LoL) is an attack where files already on your machine, ie your operating system, are used against you. They would be undetectable, right? Kyle Hanslovan, CEO of Huntress, joins The Hacker Mind to discuss recent LoL attacks, specifically the Microsoft Follina attack and the Kaseya ransomware attack, and how important it is for s…
…
continue reading
With digital convenience there’s often a price. And if that means a bad actor can create a wireless key for your new Tesla, that price is pretty steep. At CanSecWest 2022, researcher Martin Herfurt announced a new tool, TeslaKee, which he hopes prevents wireless key attacks from happening. Martin joins The Hacker Mind to discuss this and his earlie…
…
continue reading
Is hacking a crime? The US Justice Dept says it will no longer prosecute good-faith security researchers, but what constitutes good-faith security research? Bryan McAninch (Aph3x) talks about his organization, Hacking Is Not A Crime, and the ethical line it draws on various hacking activities. He also talks about the future generation of hacking, w…
…
continue reading
1
EP 46: Reverse Engineering Smart Meters
1:04:19
1:04:19
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
1:04:19
After hearing a talk, a Dallas-based hacker set out to find out what was going on inside the smart meter attached to his home, and what he found was surprising. Since then Hash started a reverse engineering wiki site called Recessim and created dozens of YouTube videos in a channel of that same name to chronicle his adventures. He joins The Hacker …
…
continue reading
Can criminal hackers shut down a city’s electrical grid? Well, nothing’s impossible. But how might it actually happen? And how might we defend ourselves? Tom Van Norman, co-founder of the ICS Village, joins The Hacker Mind to share the group’s upcoming plans for RSAC and DEF CON, where they will again present present virtual scenarios and hands on …
…
continue reading
1
EP 44: Hackers Wanted: Filling the Cybersecurity Skills Gap
55:42
55:42
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
55:42
Should infosec now be considered vocational training just like becoming an electrician or a plumber? How else should we address the skills gap in infosec? In this episode, Sonny Sandelius, Assistant Director of the SANS workforce programs, talks about programs that recruit people from outside computer sciences, encouraging those from diverse backgr…
…
continue reading
Hackers often make it look easy when in fact they started with no plan and were just following their curiosity, going down paths erratically just like a rabbit. Researchers Nir Ohfeld and Sagi Tzadik join The Hacker Mind to talk about their presentation at Black Hat Europe 2021 on the ChaosDB vulnerability. It’s about how they started with a delibe…
…
continue reading
Can you hack an airplane? A satellite in orbit? Turns out you can. And the fact that hackers are thinking about this now, that’s actually a good thing. Steve Luczynski and Matt Mayes join The Hacker Mind to talk about the importance of having hackers, vendors, and the government get together and work through problems. That’s why the Aerospace Villa…
…
continue reading
In the book The Art of Invisibility, I challenged my co author Kevin Mitnick to document the steps needed to become invisible online. There are a lot. In this episode, I'm going to discuss how hard it is to be absolutely invisible online. How there are always breadcrumbs and fingerprints left behind that could potentially identify you. That said, t…
…
continue reading
1
EP 40: Hacking Ethereum Smart Contracts
1:03:38
1:03:38
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
1:03:38
How do you stop a half billion dollars in cryptocurrency from being stolen? You perform software testing and responsibly disclose it first, of course. Yannis Smaragdakis, a researcher with Dedaub, found a major vulnerability in Ethereum smart contracts, arguably within the billion-dollar range, that would have made it one of the largest hacks ever—…
…
continue reading
For some people, crypto means cryptography. For others, it means cryptocurrency. Fortunately, in this episode, we’re discussing vulnerabilities in both. Guido Vranken returns to The Hacker Mind to discuss his CryptoFuzz tool on GitHub, as well as his experience fuzzing and finding vulnerabilities in cryptographic libraries and also within cryptocur…
…
continue reading
Passwords are everywhere, but they probably weren't intended to be used as much as they are today. Is there something more secure? Something better? Yes. Simon Moffatt from The Cyber Hut joins The Hacker Mind to discuss how identity and access management (IAM) is fundamental to everything we do online today, and why even multi factor access, while …
…
continue reading
This is the story of a film star who connected the simple concept behind a player piano to complex communication technology in use in our devices today. Hedy Lamarr is perhaps best known for the dozen or so motion pictures she made -- and as the most beautiful woman in the world -- but did you know that she also co-patented the frequency hopping sp…
…
continue reading
Fuzzing makes it possible to locate vulnerabilities even in “safe” environments like Erlang, a language designed for high availability and robust services. Jonathan Knudsen from Synopsys joins The Hacker Mind to discuss his presentation at SecTor 2021 on fuzzing common message brokers such as RabbitMQ and VerneMQ, both written in Erlang, demonstrat…
…
continue reading
