Listen Now

It was a long summer and fall months; nevertheless, we are back at it. This is the "lost" episode and final for 2020. We will try to be more regular in 2021.Happy New Year! & Stay Safe!In this episode, Gavin and I discuss what we have been up to over the last several months as we'll discuss some major improvements/innovations here at Tenable.Links:https://www.tenable.com/bloghttps://www.tenable.com/blog/research

In this episode Bill and Gavin discuss becoming more business aligned security leaders and how to influence change. 

In this episode Bill and Gavin are joined by Wei Tai from the Data Science team to discuss Machine Learning and how accurate the team have identified the major vulnerabilities of 2019. Bill also learns how to press the record button so the team don’t have to record the podcast for a third time in a week.

In this episode Bill and Gavin discuss predicting the vulnerabilities that matter most through machine learning and reducing the burden of patching the infrastructure.

In this episode Bill and Gavin discuss Nessus on Raspberry Pi, which unfortunately didn't make it through the rigorous testing processes, and the top vulnerabilities you should be patching to secure the remote workforce.https://www.tenable.com/remote-workforcehttps://www.tenable.com/blog/how-covid-19-response-is-expanding-the-cyberattack-surfaceAlso apologies if we offend anyone this week, we might be going a tad stir crazy which is affecting our (Gavin's) filter somewhat.

In this episode Bill and Gavin talk about protecting the new norm of the remote workforce and discuss CVE-2020-0796.Tenable SRT Blog https://www.tenable.com/blog/cyber-exposure-alertsTenable Plugin list - https://www.tenable.com/plugins

In this episode Bill and Gavin discuss a presentation on the top 5 attack vectors in 2020 according to SANS.Here’s a link to the video of the presentation Bill and Gavin are referencing:https://www.youtube.com/watch?v=xz7IFVJf3Lk

New year, new format. Instead of the usual Olson mocking through the use of the latest cyber news, Bill and Gavin will be sharing some inner workings of team Tenable and what the dev are creating.In this episode, Bill and Gavin talk about the innovation competition between dev teams and measuring the maturity of your assessment practices. 

In this special episode, Bill and Gavin are joined by Tenable's CISO Bob Huber and Data Scientist Bryan Doyle. The chaps discuss measurements that matter and how to communicate security effectiveness.

In this episode Bill finally gets some payback on Gavin, they discuss Smart Televisions on spending sprees, a goose with a bad attitude and poor cyber hygiene and Bluekeep exploitation. Bill is also joined by Amit Yoran, CEO of Tenable, to discuss learned helplessness in the world of Cyber Security.Need a new job? Run for officehttps://www.wsj.com/articles/the-new-hot-job-real-time-password-manager-11573237540https://thehill.com/policy/cybersecurity/469961-retirements-pose-threat-to-cybersecurity-expertise-in-congressMore More stunt hackinghttps://www.theregister.co.uk/2019/10/31/amazon_account_hacking/HONK HONKhttps://gizmodo.com/untitled-goose-game-vulnerability-allows-hackers-to-sew-1839443617Bad hackershttps://www.cnet.com/news/hackers-plead-guilty-for-extorting-uber-linkedin/#ftag=CAD-09-10aai5bMarket differentiation?https://securityintelligence.com/posts/why-its-time-to-adopt-iot-security-by-design/Who has the real blueshttps://arstechnica.com/information-technology/2019/11/solved-why-in-the-wild-bluekeep-exploits-are-causing-patched-machines-to-crash/More adobe flawshttps://www.zdnet.com/article/adobe-squashes-critical-vulnerabilities-in-illustrator-media-encoder/

Honey is not just for Poohhttps://www.wilbursecurity.com/2019/10/rdp-honeypotting/Mo Moneyhttps://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-worldOh boyhttps://www.techdirt.com/articles/20191004/19564743128/city-baltimore-blew-off-76000-ransomware-demand-only-to-find-out-bunch-data-had-never-been-backed-up.shtmlWhoa - this is crazyhttps://fossbytes.com/hackers-use-wav-audio-files/A great bloghttps://medium.com/anton-on-security/move-to-cloud-a-chance-to-finally-transform-security-e9614aae4f9cGavin made this up, right?https://arstechnica.com/information-technology/2019/10/alexa-and-google-home-abused-to-eavesdrop-and-phish-passwords/RCEs are funhttps://www.zdnet.com/article/nasty-php7-remote-code-execution-bug-exploited-in-the-wild/#ftag=CAD-03-10abf5fhttps://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerabilityThe power of VPRhttps://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability Mo Money Mo Moneyhttps://www.tenable.com/blog/cash-app-scams-legitimate-giveaways-provide-boost-to-opportunistic-scammershttps://www.tenable.com/blog/cash-app-scams-giveaway-offers-ensnare-instagram-users-while-youtube-videos-promise-easy-money

In this episode Bill and Gavin talk about dismantling hotel lamps for fun and profit, multiple router Vulnerabilities and keeping track of private information in repositories. Bill is also joined by Ryan and Scott from the research team to discuss a couple of major zero days affecting Exim and vBulletin.Keeping track of all your assets is hardhttps://github.com/eth0izzle/shhgit/https://www-vice-com.cdn.ampproject.org/c/s/www.vice.com/amp/en_us/article/ywanev/thousands-of-cloud-computing-servers-could-be-owned-with-very-simple-attack-researchers-sayCisco has lots of things needing patchinghttps://www.theregister.co.uk/2019/10/04/cisco_patches/tieing it  to this d-link vulnerability https://www.zdnet.com/article/d-link-routers-contain-remote-code-execution-vulnerability/Do you know the game - “never have I ever”?https://www.verdict.co.uk/wework-data-security-ipo/Are people thinking about BYOD anymorehttps://arstechnica.com/information-technology/2019/10/attackers-exploit-0day-vulnerability-that-gives-full-control-of-android-phones/Is it me, or could this have been the plan along, too good be true is often…https://threatpost.com/bug-in-nsas-ghidra/148787/With all that is going on - could this be a thing that makes you go hmmmhttps://www.darkreading.com/vulnerabilities---threats/facebook-patches-critical-whatsapp-security-flaw/d/d-id/1335993 and signal had a nasty bug as well https://thenextweb.com/security/2019/10/07/signal-patches-android-bug-that-allowed-hackers-to-answer-calls-on-your-behalf/Here take my charger, pleasehttps://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-soldTenable researchhttps://www.tenable.com/blog/cve-2019-16928-critical-buffer-overflow-flaw-in-exim-is-remotely-exploitablehttps://www.tenable.com/blog/critical-zero-day-pre-authentication-remote-code-execution-exploit-published-for-5-x-versions

In this episode Bill and Gavin talk snooping on cat scans, TGIF data breach, breaking into Gavin's bank account with a handy sound board and power grid blackouts. Bill also interviews Steve Smith and Kent Dyer from the Government Affairs team to understand issues affecting Governments across the Globe.Can we get Gavin out of retirementhttps://www.wired.com/story/air-force-defcon-satellite-hacking/It could have been way worsehttps://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/“My voice  is my password, verify”https://www.aidaily.co.uk/articles/y6lb0fd9agmmvc2fgkhorc3teapmddhttps://www.youtube.com/watch?v=-zVgWpVXb64TGIF - down under is not as relaxinghttps://www.smartcompany.com.au/technology/cyber-security/tgi-fridays-data-breach/Lessons are everywherehttps://www.tenable.com/blog/what-skyjacking-and-kidnapping-cases-can-teach-us-about-responding-to-ransomware-attacks?mkt_tok=eyJpIjoiTldOaE1tVXdOelkxWWpVNSIsInQiOiJEQldWVUtpMjZ1YXU2aDZcL1k0b2U3K1RoZlY0Mlh0YnpFS1BYUmw1NUR6aXJHdmYyUXlXRGFtd0xFbDk5VHNGN0gzdGQyYVVtXC9lWlwvWXlqUVJLdzZmS2lRRXpPV1IxNzhBYTJkR2hnKzdKTVkrMmVaaG1mS1Z0QkJWTWhhcWR2aiJ9How are you feeling?https://healthitsecurity.com/news/82-iot-devices-of-health-providers-vendors-targeted-by-cyberattackshttps://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internetLove the idea, the devil will be in the detailshttps://www.smartcitiesdive.com/news/st-louis-dhs-team-up-for-smart-city-pilot/562031/

States be getting pwnd https://www.dallasnews.com/business/technology/2019/08/17/20-texas-jurisdictions-hit-coordinated-ransomware-attack-state-saysWhere are your notes, or is this your favorite text editor?https://www.digitaltrends.com/computing/major-security-flaw-in-notepad-leaves-windows-pcs-vulnerable-to-hackers/https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.htmlRCEs in Windows 10https://www.digitaltrends.com/computing/microsoft-patches-two-critical-windows-10-security-flaw/What else happens 20 times a day….https://www.darkreading.com/attacks-breaches/more-than-20-data-breaches-reported-per-day-in-first-half-of-2019/d/d-id/1335538https://www.theregister.co.uk/2019/08/07/black_hat_keynote/Do you know what your business does?https://www.theregister.co.uk/2019/08/26/security_roundup/Fun with appshttps://www.tenable.com/blog/tiktok-scams-how-social-currency-fuels-the-economy-for-impersonation-accounts-and-free

In this episode, Bill and Gavin discuss attacks against adult apps, a WhatsApp flaw that enables an attacker to change messages and join groups, hacking alarm systems with a $2 device, and predicting the NVD future with Predictive Prioritization.Rogue Asset Discovery for free!https://www.tenable.com/blog/new-capabilities-to-automatically-discover-and-assess-rogue-assetsSeeing into the future, or before NVD, with Predictive Prioritizationhttps://www.tenable.com/predictive-prioritizationLockPickingLawyer takes on IoT Alarmshttps://www.youtube.com/watch?v=UlNkQJzw4oA3Fun hacking for fun and embarrassmenthttps://www.theregister.co.uk/2019/08/09/threesome_hookup_app_insecurity/WhatsApp hack attack can change your messageshttps://www.forbes.com/sites/daveywinder/2019/08/07/whatsapp-hack-attack-changes-your-messages-and-facebook-doesnt-seem-to-care/#1fa389532332VXWorks flaw affects over 200M deviceshttps://www.wired.com/story/vxworks-vulnerabilities-urgent11/

In this episode, Bill turns the insecurity tables on Gavin with the iOS 13 keychain bug. The chaps also discuss insecure trains, remote code execution vulnerabilities in Atlassian, and how to publicly respond to a major outage. This episode also features David Wells, who talks about the recent vulnerability he discovered in Comodo AV.Rundownhttps://9to5mac.com/2019/07/15/ios-13-password-bug/Major software bug in IOS 13 beta reveals stored passwords without authenticationhttps://www.theregister.co.uk/2019/07/12/train_software_theftTrain software snaffled by employeehttps://www.corben.io/atlassian-crowd-rce/Multiple Atlassian Vulnerabilitieshttps://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4acMultiple vulnerabilities to pivot through the Citrix SD-WANhttps://www.tenable.com/press-releases/tenable-research-discovers-vulnerability-in-siemens-critical-infrastructure-designTenable research discover major weaknesses in Siemenshttps://qz.com/work/1666535/cloudflare-turned-outage-into-teaching-point-about-transparency/Cloudflare shows the right way to discuss a major public incident

In this episode, Bill and Gavin discuss strange meetings in English Forests, improvements in security guidelines around IoT devices, bricking iPhone with a single message, and the issues with non-experts defining government policy. Bill is also joined by Tenable Researcher Jimi Sebree to discuss how he discovers new zero-days and a recent Arlo Camera teardown.All things IoT https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdfCrime does not pay https://www.darkreading.com/attacks-breaches/former-equifax-cio-sentenced-to-prison-for-insider-trading/d/d-id/13350781 more reason to use a password vaulthttps://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311bConvenient loss @ a convenience store https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/2019 so far so….https://www.wired.com/story/biggest-cybersecurity-crises-2019-so-far/Protect yourself at all times https://www.infosecurity-magazine.com/news/bas-magecart-breach-lands-it-183mhttps://www.infosecurity-magazine.com/news/ba-hit-by-global-web-skimming/When the non-experts are making policyhttps://www.itnews.com.au/news/amazon-blasts-australias-technically-flawed-anti-encryption-laws-527855Bricking an iphone with malformed imessage https://bugs.chromium.org/p/project-zero/issues/detail?id=1826Fixed in 12.3https://www.forbes.com/sites/daveywinder/2019/07/07/google-confirms-apple-iphone-bricking-imessage-bomb/#788e01f07a43Similar to “Black dot” from last year