Cyber Exposure
Podcast

It was a long summer and fall months; nevertheless, we are back at it. This is the "lost" episode and final for 2020. We will try to be more regular in 2021.Happy New Year! & Stay Safe!In this episode, Gavin and I discuss what we have been up to over the last several months as we'll discuss some major improvements/innovations here at Tenable.

• Listen:
• 
• 
• 

Show notes:

• Cyber Exposure Alerts

In this episode Bill and Gavin are joined by Wei Tai from the Data Science team to discuss Machine Learning and how accurate the team have identified the major vulnerabilities of 2019. Bill also learns how to press the record button so the team don’t have to record the podcast for a third time in a week.

• Listen:
• 
• 
• 
• 

In this episode Bill and Gavin discuss Nessus on Raspberry Pi, which unfortunately didn't make it through the rigorous testing processes, and the top vulnerabilities you should be patching to secure the remote workforce.

• Tenable Solution Center: Protecting Your Remote Workforce
• How COVID-19 Response Is Expanding the Cyberattack Surface

Also apologies if we offend anyone this week, we might be going a tad stir crazy which is affecting our (Gavin's) filter somewhat.

• Listen:
• 
• 
• 
• 

In this episode Bill and Gavin discuss a presentation on the top 5 attack vectors in 2020 according to SANS.

Here’s a link to the video of the presentation Bill and Gavin are referencing: https://www.youtube.com/watch?v=xz7IFVJf3Lk

• Listen:
• 
• 
• 
• 

In this special episode, Bill and Gavin are joined by Tenable's CISO Bob Huber and Data Scientist Bryan Doyle. The chaps discuss measurements that matter and how to communicate security effectiveness.

• Listen:
• 
• 
• 
• 

In this episode, Bill and Gavin talk RDP honeypot, ATM jackpots and RCE hotspots. The chaps are also joined by Satnam Narang to talk about cash app scams.

• Honey is not just for Pooh
• Mo Money
• Oh boy
• Whoa - this is crazy
• A great blog
• Gavin made this up, right?
• RCEs are fun
  1. Nasty PHP7 remote code execution bug exploited in the wild
  2. CVE-2019-7609: Exploit Script Available for Kibana Remote Code Execution Vulnerabilit

• The power of VPR
• Mo Money Mo Money
  1. Cash App Scams: Legitimate Giveaways Provide Boost to Opportunistic Scammers
  2. Cash App Scams: Giveaway Offers Ensnare Instagram Users, While YouTube Videos Promise Easy Money

• Listen:
• 
• 
• 
• 

In this episode Bill and Gavin talk snooping on cat scans, TGIF data breach, breaking into Gavin's bank account with a handy sound board and power grid blackouts. Bill also interviews Steve Smith and Kent Dyer from the Government Affairs team to understand issues affecting Governments across the Globe.

• Can we get Gavin out of retirement
• It could have been way worse
• “My voice is my password, verify”
• TGIF - down under is not as relaxing
• Lessons are everywhere
• How are you feeling?
• Love the idea, the devil will be in the details

• Listen:
• 
• 
• 
• 

In this episode, Bill and Gavin discuss attacks against adult apps, a WhatsApp flaw that enables an attacker to change messages and join groups, hacking alarm systems with a $2 device, and predicting the NVD future with Predictive Prioritization.

• Rogue Asset Discovery for free!
• Seeing into the future, or before NVD, with Predictive Prioritization
• LockPickingLawyer takes on IoT Alarms
• 3Fun hacking for fun and embarrassment
• WhatsApp hack attack can change your messages
• VXWorks flaw affects over 200M devices

• Listen:
• 
• 
• 
• 

In this episode Bill and Gavin discuss strange meetings in English Forests, improvements in security guidelines around IoT devices, bricking iPhone with a single message and the issues with non experts defining Government policy. Bill is also joined by Jimi Sebree to discuss how he discovers new zero days and a recent Arlo Camera teardown.

• All things IoT
• Crime does not pay
• 1 more reason to use a password vault
• Convenient loss @ a convenience store
• 2019 so far so….
• Protect yourself at all times 
  1. https://www.infosecurity-magazine.com/news/bas-magecart-breach-lands-it-183m
  2. https://www.infosecurity-magazine.com/news/ba-hit-by-global-web-skimming/
• When the non-experts are making policy
• Bricking an iphone with malformed imessage
  1. Fixed in 12.3
  2. Similar to “Black dot” from last year

• Listen:
• 
• 
• 
• 

Bill and Gavin talk about Baltimore City being hit with Ransomware, yet another leak of hundreds of millions of personal details, and the chaps are joined by Claire Tills to discuss how the media drive remediation efforts for popular vulnerabilities.

• Baltimore City
  https://www.welivesecurity.com/2019/05/17/eternalblue-new-heights-wannacryptor/
• First American Title
  https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/
• SandboxEscaper
  1. https://kb.cert.org/vuls/id/119704/
  2. https://www.bleepingcomputer.com/news/security/new-windows-10-zero-day-bug-emerges-from-bypassing-patched-flaw/ (this one has all the other bugs discovered)
• ICS in Poland
  https://medium.com/@woj_ciech/state-of-industrial-control-systems-in-poland-and-switzerland-656e2e363fe3
• Old vulns and bad habits
  
  1. https://www.infosecurity-magazine.com/news/microsoft-warns-of-campaign-1/
  2. https://www.forbes.com/sites/daveywinder/2019/06/07/nsa-warns-microsoft-windows-users-update-now-or-face-devastating-damage/#6c0f5efb3aa0

• Listen:
• 
• 
• 
• 

In this episode Bill and Gavin talk easy to guess passwords, the Beapy Cryptojacking worm sweeping through Asia and hungry cybercriminals leveraging credential stuffing attacks

• 10 most hacked passwords
• The Chipotle Hack And The Troubling Trend Of Credential Stuffing
• New zero-day vulnerability CVE-2019-0859 in win32k.sys
• Beapy: Cryptojacking Worm Hits Enterprises in China

• Listen:
• 
• 
• 
• 

In this episode, Bill tries to track Merger and Acquisition activity with children's GPS devices, Gavin highlights the issues of hiding malware in BIOS and Thom Langford from TL(2) joins to give a CISO's perspective.

• Motherboard flaws can lead to hidden malware
• Mar-a-lago physical security failure
• Game of Thrones torrents packing nasty surprises
• Researcher prints PWNED! on hundreds of GPS watches

• Listen:
• 
• 
• 
•