On this week’s show we’re chatting with Travis McPeak at Netflix about a tool they’ve developed called RepoKid. It automatically strips unused AWS permissions, which I’m guessing a lot of you will find quite useful.
We’ll also chat with Dan Kuykendall in this week’s sponsor interview. Dan works for Rapid7, and they’ve been doing some interesting stuff with their agents, basically tweaking them to give better visibility of application security issues and exploitation attempts. T
hat conversation is really about how security firms these days are using the agent footprint they have to just do whatever they can.
Adam Boileau, as always, pops in to discuss the week’s news. We cover the:
- AutoSploit arm waving
- Lauri Love beating extradition
- Nik Cubrilovic’s arrest
- Threat or menace? “Autosploit” tool sparks fears of empowered “script kiddies” | Ars Technica
- Rob Joyce on Twitter: "Releasing AutoSploit, making mass exploitation even easier, was irresponsible. My friends at the FBI remind us all that while exploitation is easier, it is not any less illegal. #scriptkiddiesbeware"
- Lauri Love case: Hacking suspect wins extradition appeal - BBC News
- Young criminal hackers get assigned jobs at Dutch ICT firms | NL Times
- Julian Assange loses challenge to UK arrest warrant, court to rule on new bid next week - ABC News (Australian Broadcasting Corporation)
- Alleged Spam Kingpin ‘Severa’ Extradited to US — Krebs on Security
- Georgia SB 315 (The Computer Intrusion Bill)
- TechCrunch alumni arrested over alleged hacking of car sharing company - SiliconANGLE
- Trump administration wants larger role in shaping international data laws
- CLOUD Act Would Erode Trust in Privacy of Cloud Storage | Center for Democracy & Technology
- Experts push back on Trump administration's call to respond to cyberattacks with nukes
- Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers - Hearings - U.S. Senate Committee On Commerce, Science, & Transportation
- Nicole Perlroth on Twitter: "Wow this Commerce Committee hearing on Uber payment is going off the rails. Blumenthal accusing Uber of aiding and abetting extortion, and a cover up. Flynn, "I agree... This is not the way we are going to do these things moving forward." Calls it "multilevel data intrusion.""
- Berkshire Hathaway’s Business Wire Suffers Cyberattack - WSJ
- Credit card ban, regulator scrutiny latest challenges for bitcoin
- Seoul claims North Korea stole millions worth of cryptocurrency from domestic exchanges
- DHS won't reverse ban on Kaspersky products, court docs show
- Apple, Cisco team up with cyber insurers for policy discounts
- Oh, banks have cameras? Two men arrested for ATM jackpotting scheme must've forgot
- Telegram iOS app removed from App Store last week due to child pornography | Ars Technica
- Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia - Motherboard
- T-Mobile Is Sending a Mass Text Warning of ‘Industry-Wide’ Phone Hijacking Scam - Motherboard
- NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000
- Covert Data Channel in TLS Dodges Network Perimeter Protection | Threatpost | The first stop for security news
- An Adobe Flash 0day is being actively exploited in the wild | Ars Technica
- In just 24 hours, 5,000 Android devices are conscripted into mining botnet | Ars Technica
- Bug in Grammarly browser extension exposes virtually everything a user ever writes
- Cisco investigation reveals ASA vulnerability is worse than originally thought
- Matthew Olney on Twitter: "Hey guys, I know you're excited about CVE-2018-0101 (Cisco ASA SSL VPN RCE), but even if you don't have a service contract you can obtain the update from TAC. DO NOT download and install images from anyone but Cisco. (We appreciate the help, we really do...but...just....don't)"
- Cyber Operations Tracker | Council on Foreign Relations Interactives
- Atlassian Security Engineering Team Lead | SmartRecruiters
- Atlassian Sr. Manager of Global Security Engineering | SmartRecruiters