There's a lot of cool techy stuff going down in cybersecurity, and we love it. But you can't deny that a lot of the time we humans get forgotten. Our podcast takes a not-so-serious look at issues in security from a human point of view. Covering social engineering to hacker motivations and everything in between, we chat through security stories and themes and what they mean to us: the oft-neglected humans behind the screen. Apart from Kev, Kev is a cyborg.
These weekly podcasts come in two main flavors. We’re either ranting about themes close to the heart of us security types, or we’re discussing threats and vulnerabilities that have hit headlines – or slipped under the radar – in recent weeks.
Join Chris Pace (tech advocate and keeper of the coloring pencils), Kev Breen (pro blue teamer, also known as 'Mr Nothing to CVE here...'), Max Vetter (former dark web detective and pretty cool guy), and Paul Bentham (ex-gov. type and Immersive Labs product guru) as they wend their way through the murky world of Cyber Humanity.
24: Next Stop: HackTown
We love stories about the Dark Web – and we're apparently not alone in that. This week, we're talking about HackTown, which seems to be Hogwarts for wannabe hackers (just without the...magic). HackTown promises to teach registrants how to become professional cyber criminals in 2020, which is both amusing and intriguing.
The HackTown/Dark Web chat brings us neatly onto REvil, who have deposited $1m in Bitcoin on a Russian-speaking hacker forum to attract new hacker talent to join their criminal activities.
Also featuring this week is HP. A researcher uncovered a severe vulnerability in HP Device Manager – yeah, not that exciting in itself. What is exciting, however, is all the tantrums and drama around the disclosure process that followed. Maybe next time HP will learn to lock the backdoor.
REvil are hiring:
HP forgot to lock the backdoor:
23: Watch Your Wrist: The Fitbit Spyware Special
This episode is a little different to normal – and all because Kev went poking around in Fitbit.
Kev, doing what Kev does, found a flaw in the Fitbit App Store that allowed him to deliver a malicious application from fitbit.com. It bypassed protections and installed inside the Fitbit app as if it were legitimate. The flaw was reported to Fitbit, who have since moved to mitigate it.
In this special edition of Cyber Humanity, we join Chris Pace, Kev Breen and our guest cyber PR Svengali, Anthony D’Alton, to discuss Kev’s findings and their implications from every perspective. If you’re more of a reader than a listener, you can check out this blog post (https://www.immersivelabs.com/resources/blog/fitbit-spyware) on Kev’s research.
22: Rotten to the Core?
First up in this week’s episode is news that, as part of its ‘notarization’ process, Apple approved code used by Shlayer, the most common threat faced by Macs last year. Is it reasonable to expect Apple – or any app store – to keep their entire ecosystem squeaky clean at all times, or is it up to the user to always be sceptical about what they’re downloading?
Next up, another perfect 10 vulnerability. This one, Zerologon, was (luckily) patched back in August, but had the potential for eye-watering consequences. Considering the details of the vulnerability were not made public at the time, users and admins never knew how severe it really was – until now. Thanks to Kev, we get to see it in all its glory. Oh and by the way, we have a lab on this vulnerability, so if you’re a user, log on to check it out. And if you’re not a user…well, maybe you should be.
APT 41 makes an appearance next as five alleged Chinese citizens have been accused of hacking over 100 companies. Paul borders on seriously ranty territory (nothing new here) and Kev sheds some light on the ridiculous Zone-H.
And finally, our ever-popular ‘Hackers could…’ feature covers everything from the fairly noteworthy to the downright groan-inducing. Do people *really* still share photos of their shiny new credit cards?
Apple vs Shlayer:
21: When Sysadmins Attack: The Snowden Edition
We want to talk about Edward Snowden. It’s harder than you would imagine, considering most of the Cyber Humanity team have at some point worked for government agencies and therefore can’t quite remember what they do and “don’t” know about him. Even so, he’s still in the public eye even after all this time, and there are certainly some lessons to be learnt and ridiculous happenings to puzzle over.
Hopefully Paul, Immersive Labs’ resident International Man of Mystery, won’t be facing a prison sentence by the end of this episode.
20: Bugging Out Over Bounties
What’s been bugging the team recently? Slack’s bug bounty – if it can even be called that – causes some consternation in this episode and raises serious questions about bug bounty programs. The bug in question was classified as a ‘critical’ RCE vulnerability and yet the researcher who discovered it only got $1750. Yup, you read that right. Apparently doing the right thing doesn’t always pay, but if you’re like Kev you might end up with some free chicken or a heartfelt ‘thank you’. We’re absolutely certain that such rewards are enough to keep people on the responsible disclosure side of the fence…
Also covered in this episode is the strange news that a Russian national was arrested for trying to persuade a Tesla employee to install malware on the company’s network for the tasty sum of $1m. Color us intrigued…
Slack Bug Bounty:
Tesla Hacking Plot:
19: Virus Vaccines and Secret Squirrels
We have a vaccine! No, not that one. The Emotet vaccine has been quietly doing the rounds over the last few months. Kev gives a nice overview of malware vaccines and how this particular one works.
We also chat about circles of trust, old boys’ networks and secret handshakes, and the part they play in intelligence sharing and international collaboration on cybersecurity. Who decides who’s inside the circle?
Next up, the Secret Service has been buying location data. Buying data in itself isn’t new; what is new is that they’re sidestepping the need for a warrant by buying location data from private companies. Sure, it’s publicly available – but should governments and law enforcement be buying it when they should be held to a higher standard? Of course the ex-gov type believes that governments couldn’t possibly break the law (listen carefully – this might be the only time Chris has ever been shocked to silence), so isn’t it in safe hands?
And finally, could hackers hack your car?! Hack your kettle?! Listen to your keys?! GASP! More to the point: why would they want to? If you’re looking for some light entertainment, these articles are well worth a read.
Australia's new cybersecurity strategy:
Secret Service buys location data that would otherwise need a warrant:
Hackers could hijack lane keeping systems to control your car:
Customer Reviews
Insightful and Hilarious!
These guys are great! Smart, witty and filled with insight.