Episodes
Friday Feb 26, 2021
Mohammed Aldoub AKA @voulnet is an API and Cloud security expert. While Erich is off nursing a sore neck, Mohammed keeps Javvad quiet and drops some serious API security knowledge.
Links discussed:
Clubhouse https://twitter.com/_DanielSinclair/status/1363738761339826177?s=19
Hacking Starbucks https://samcurry.net/hacking-starbucks/
Cloud pricing specialists https://www.duckbillgroup.com/
API vulnerability https://hackerone.com/reports/810320
Exploiting Drupal8's REST RCE https://www.ambionics.io/blog/drupal8-rce
Stop using JWT for sessions http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/
Mohammed's Github (tools, upcoming training schedule) https://github.com/Voulnet
Follow Mohammed on twitter @voulnet
Friday Feb 19, 2021
Javvad's internet is broken, so he is a pixelated mess, but we still talk ransomware and the new Mac M1 virus.
Stories from the show:
Kia Motors Hit With $20M Ransomware Attack – Report (with a cameo ad for Erich's upcoming ThreatPost panel)
https://threatpost.com/kia-motors-ransomware-attack/164085/
When Cyber Gangs Disregard Ransomware Payments, Victims Can Be Hit Twice
https://securityintelligence.com/news/when-cyber-gangs-disregard-ransomware-payments/
First Malware Running Natively on M1 Chip Discovered
https://www.macrumors.com/2021/02/17/first-m1-chip-malware/
Friday Feb 12, 2021
In this episode, Erich and Javvad welcome Kylee Lockwood, a pro in the field of compliance, to the show as they discuss issues with ICS, the impact of cat filters on professional people and another loss of source code.
Kylee's contact information:
LinkedIn - https://www.linkedin.com/in/kyleemarie/
Twitter - @kyleemariel
Links from the show:
Hackers steal StormShield firewall source code in data breach
https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-firewall-source-code-in-data-breach/
ICS Challenges
https://www.zdnet.com/article/hacker-modified-drinking-water-chemical-levels-in-a-us-city/
Lawyer is NOT a cat:
https://www.entrepreneur.com/article/365148
Cat filter accidentally used in Pakistani minister’s live press conference:
https://www.bbc.com/news/world-asia-48663289
Friday Feb 05, 2021
The Jerich Show Episode 35 - Ransomware, WiFi Ownage and Facial Recognition
In this episode Erich and Javvad discuss stories related to ransomware, vulnerabilities in some WiFi chipsets, and issues related to Greek police officers being issued hardware that allows facial recognition and fingerprint identification.
Stories in this episode:
Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices:
https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.html
Ransomware attacks increasingly destroy victims’ data by mistake:
https://www.bleepingcomputer.com/news/security/rise-in-ransomware-attacks-mistakenly-causing-data-destruction/
Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again:
https://www.zdnet.com/article/ransomware-this-is-the-first-thing-you-should-think-about-if-you-fall-victim-to-an-attack/
Greek Police to Introduce Live Facial Recognition:
https://www.infosecurity-magazine.com/news/greek-police-to-introduce-live
Friday Jan 29, 2021
The Jerich Show Episode 34 - Adrian Sanabria, the Emotet takedown and more
This week Javvad and Erich welcome a long-time friend and former colleague of Javvad's, Adrian Sanabria, to the show as they discuss news around the takedown of the Emotet group, a new phishing toolkit that dynamically changes brands, and other news from the cybersecurity world. Adrian also discusses his new job and how it will change the future of infosec tool product reviews.
Don't forget to like and subscribe for more great weekly content!
Adrian's Social Media:
Twitter: @sawaba
LinkedIn: https://www.linkedin.com/in/adrian-sanabria/
OnlyFans: TBD
Stories from the show:
Emotet Takedown:
https://www.bbc.com/news/technology-55826258
New Phishing Toolkit:
https://www.zdnet.com/article/new-cybercrime-tool-can-build-phishing-pages-in-real-time/
Krebs on Solarwinds:
https://krebsonsecurity.com/2021/01/solarwinds-what-hit-us-could-hit-others/
The Sonicwall Problem:
https://threatpost.com/sonicwall-breach-zero-days-in-remote-access/163290/
The Security Products We Deserve:
https://youtu.be/GHuQC1qLnJ4
Friday Jan 22, 2021
The Jerich Show Episode 33 - Headline Roulette
Knowing that Erich was going in for a doctor visit that morning, Javvad decided that rather than a traditional show, to help take his mind off things, he would put Erich on the spot to comment on stories he had no idea were coming.
Welcome to Headline Roulette, a speed response to the following stories with no time to actually read these articles:
Privacy-focused search engine DuckDuckGo grew by 62% in 2020
https://www.bleepingcomputer.com/news/technology/privacy-focused-search-engine-duckduckgo-grew-by-62-percent-in-2020/
FBI: Disinformation Campaigns Seek to Exploit Capitol Siege
https://www.bankinfosecurity.com/fbi-disinformation-campaigns-seek-to-exploit-capitol-siege-a-15782
FBI warns of vishing attacks stealing corporate accounts
https://www.bleepingcomputer.com/news/security/fbi-warns-of-vishing-attacks-stealing-corporate-accounts/
A Chinese hacking group is stealing airline passenger details
https://www.zdnet.com/article/a-chinese-hacking-group-is-stealing-airline-passenger-details/
70% of UK finance industry hit with cyber-attacks in 2020
https://uk.finance.yahoo.com/news/70-percent-uk-finance-industry-hit-with-cyberattacks-in-2020-000851797.html
Hacker posts 1.9 million Pixlr user records for free on forum
https://www.bleepingcomputer.com/news/security/hacker-posts-19-million-pixlr-user-records-for-free-on-forum/
Coin-Mining Malware Volumes Soar 53% in Q4 2020
https://www.infosecurity-magazine.com/news/coinmining-malware-volumes-soar-53/
When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number
https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram
X-rated social media app Fleek exposed explicit photos of users
https://www.hackread.com/social-media-app-fleek-explicit-photos-leak/
DON'T FORGET TO LIKE AND SUBSCRIBE
Friday Jan 15, 2021
The Jerich Show Episode 32 - Rowenna Fielding - Let's talk about privacy
In this episode, Javvad and Erich are joined by privacy expert Rowenna Fielding for a fun and informative show discussing privacy issues around the globe. The group discusses changes made by TikTok, the new WhatsApp privacy debacle, the use of crowdsourcing by law enforcement after the Capitol fiasco, and how to move from an infosec role to a job focused on privacy.
Rowenna’s recommended books:
• Surveillance capitalism - https://www.amazon.com/Age-Surveillance-Capitalism-Future-Frontier/dp/1541758005/
• Weapons of math destruction - https://www.amazon.com/Weapons-Math-Destruction-Increases-Inequality/dp/0553418831/
• Algorithms of oppression - https://www.amazon.com/Algorithms-Oppression-Search-Engines-Reinforce/dp/1479837245/
Rowenna’s Patreon link:
http://patreon.com/missiggeek
Links from the show:
TikTok: All under-16s' accounts made private - https://www.bbc.com/news/amp/technology-55639920
WhatsApp gives users an ultimatum: Share data with Facebook or stop using the app - https://arstechnica.com/tech-policy/2021/01/whatsapp-users-must-share-their-data-with-facebook-or-stop-using-the-app/
Rowenna’s breakdown of the WhatsApp privacy changes - https://missinfogeek.net/whatsapp-privacy-policy-translated/
Capitol riots: Who has the FBI arrested so far? - https://www.bbc.com/news/world-us-canada-55626148
@sawaba plotted video uploads from the GPS coordinates of the Capitol on 1/6/21 - https://twitter.com/sawaba/status/1349056336202522625
I Cut the 'Big Five' Tech Giants From My Life. It Was Hell - https://gizmodo.com/i-cut-the-big-five-tech-giants-from-my-life-it-was-hel-1831304194
Friday Dec 11, 2020
Join Javvad and Erich as they trick the ever-funny and good-humored Garrett Gross into joining them one last time before their end-of-year break, for a solid 9 minutes of great discussion followed by his dismissal. Once rid of him, the team turns the topic to their own favorite infosec stories of 2020.
After this episode Erich and Javvad will be taking a break until the new year while they try incantations, burning of incense, interpretive dance and any other possible method of ensuring 2021 won't be the dumpster fire that 2020 was.
This is a great time to catch up on earlier episodes here and on Youtube at: https://www.youtube.com/channel/UCDCt5A9GDeTHWEBE8hHkKeg
Please like and subscribe to be notified of new episodes
Follow Garrett on Twitter at: @breachparty
Links from the show:
A Hacker Nearly Stole $8 Million From An Aussie Hedge Fund Using A Fake Zoom Invite:
https://www.gizmodo.com.au/2020/11/a-hacker-nearly-stole-8-million-from-an-aussie-hedge-fund-using-a-fake-zoom-invite/
Travelex driven into financial straits by ransomware attack:
https://www.scmagazine.com/home/security-news/travelex-driven-into-financial-straits-by-ransomware-attack/
A Hacker Is Threatening to Leak Patients' Therapy Notes:
https://www.wired.com/story/hacker-threaten-release-therapy-notes-patients/
Patients of Hacked US Surgical Company Hit with Ransom Demands:
https://www.infosecurity-magazine.com/news/patients-of-hacked-surgical/
Friday Dec 04, 2020
In this episode, Javvad and Erich welcome Alethe Denis, winner of the Social Engineering Capture the Flag (SECTF) at DEFCON and one of the most motivated and awesome people we have met.
They discuss her path to an infosec career, how she keeps things straight, and advice for those interested in getting into the infosec community from other careers.
They also discuss some interesting news stories related to cyber attacks on homes, the OGUsers forum hack/ransom, Amazon delivery scams and the value of C-Level executive credentials and accounts.
All this and more! Be sure to like and subscribe to catch the latest episode each week.
Alethe's Contact info:
Twitter - @AletheDenis
Website - Alethedenis.com
Links from the show:
Hackers attack homes on average 104 times a month, says new Comcast report
https://www.gearbrain.com/are-smart-home-devices-secure-2649035325.html
Stolen credentials forum OGUsers hacked again with user data stolen
https://siliconangle.com/2020/12/02/stolen-credentials-forum-ogusers-hacked-user-data-stolen/
Beware - that email about your Amazon delivery alert could be an online scam
https://www.techradar.com/news/that-amazon-delivery-alert-email-could-be-a-phishing-scam
A hacker is selling access to the email accounts of hundreds of C-level executives
https://www.zdnet.com/article/a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives/
Alethe's book recommendations:
The Code of Trust
https://www.amazon.com/Code-Trust-American-Counterintelligence-Experts/dp/1250093465/
Swing Away
https://www.amazon.com/Swing-Away-Conquering-Impostor-Syndrome/dp/B086MKGHVG/
Operator Handbook
https://www.amazon.com/Operator-Handbook-Team-OSINT-Reference/dp/B085RR67H5/
Pentester Blueprint
https://www.amazon.com/Pentester-BluePrint-Your-Guide-Being/dp/1119684307/
Hacking Multifactor Authentication
https://www.amazon.com/Hacking-Multifactor-Authentication-Roger-Grimes/dp/1119650798/
Friday Nov 27, 2020
The Jerich Show Episode 29 - When our Privates Aren't Private
In this special Thanksgiving episode, Erich and Javvad talk about privacy issues related to both the government and the private sector. Should your employer judge your performance based on an Office 360 report? Should the government restrict singing in your own home?
These questions and more will be answered in this episode.
Don't forget to like and subscribe!
Links from the show:
CDC Guidance:
https://www.cdc.gov/coronavirus/2019-ncov/global-covid-19/shielding-approach-humanitarian.html
California Guidance:
https://www.cdph.ca.gov/Programs/CID/DCDC/Pages/COVID-19/Guidance-for-the-Prevention-of-COVID-19-Transmission-for-Gatherings-November-2020.aspx
Amazon and Employees:
https://www.vice.com/en/article/5dp3yn/amazon-leaked-reports-expose-spying-warehouse-workers-labor-union-environmental-groups-social-movements
Wolfie Christl and O365:
https://twitter.com/WolfieChristl/status/1331221942850949121?s=20
