Former FBI Special Agent Chris Tarbell and ex-Anonymous/LulzSec blackhat hacker Hector Monsegur (aka Sabu) faced off as adversaries in cyberspace before becoming close friends and podcast co-hosts. Listen to Tarbell, co-founder of the elite cybersecurity firm NAXO, and Monsegur, a top network penetration tester and security engineer, break down the must-know cybersecurity news and topics of the week. You’ll walk away from each episode with unique perspectives on keeping your family, your company, and yourself safe from cyber attacks.

Authentication Attacks, US Government Domains, and New Cyber Incident Disclosure Guidelines

August 03, 2023 1:13:09

This week on Hacker And The Fed: what authentication attacks might look like in a phishing-resistant future, the SEC now requires companies to disclose cyber attacks, there are many more US government domains in the .com world than you might think, and other news stories from this week in cyber security.
Links from the episode:
What might authentication attacks look like in a phishing-resistant future? https://blog.talosintelligence.com/what-might-authentication-attacks-look-like-in-a-phishing-resistant-future/
The Messaging Layer Security (MLS) Protocol https://datatracker.ietf.org/doc/html/rfc9420
List of public government managed domains that exist outside of the top-level .gov and .mil domains https://github.com/GSA/govt-urls/blob/main/1_govt_urls_full.csv
Top level domain operator wants out of the business https://domainnamewire.com/2023/07/26/top-level-domain-operator-wants-out-of-the-business/
Network giants unite to fight security risks https://www.networkworld.com/article/3703233/network-giants-unite-to-fight-security-risks.html
Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches https://thehackernews.com/2023/07/cybersecurity-agencies-warn-against.html
Norwegian government IT systems hacked using zero-day flaw https://www.bleepingcomputer.com/news/security/norwegian-government-it-systems-hacked-using-zero-day-flaw/ https://www.dss.dep.no/aktuelle-saker/departementer-utsatt-for-dataangrep/ https://www.wsj.com/articles/critical-infrastructure-companies-warned-to-watch-for-ongoing-cyberattack-76508d83
Satellites Are Rife With Basic Security Flaws https://www.wired.com/story/satellites-basic-security-flaws/
Support our sponsors: Go to hellofresh.com/50hatf code 50hatf for 50% off plus free shipping
Get your Hacker and the Fed merchandise at hackerandthefed.com

Thousands of Intelligence and Defense Employees Exposed, a Hacker Infects His Own Computer, Google Accuses Apple Employee of Not Reporting a Zero-day

July 27, 2023 1:27:20

This week on Hacker And The Fed, new cyber security labels proposed by the US government could help us buy our new devices, an employee exposes thousands of intelligence and defense employees, Google may be restricting internet access to some employees to reduce their cyber attack risk, a hacker infects his own computer, Google says an Apple employee found a zero-day but didn't report it, and we answer listener questions about our phones getting searched and email encryption.
Links from the episode:
White House teams with Amazon, Google and Qualcomm on cybersecurity labels for gadgets https://www.cnbc.com/2023/07/18/us-cyber-trust-labels-will-help-consumers-pick-safer-smart-devices.html
Google exposes intelligence and defense employee names in VirusTotal leak https://therecord.media/virustotal-user-email-addresses-leaked-google-military-intelligence
Google restricting internet access to some employees to reduce cyberattack risk https://www.cnbc.com/2023/07/18/google-restricting-internet-access-to-some-employees-for-security.html
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware https://www.securityweek.com/black-hat-hacker-exposes-real-identity-after-infecting-own-computer-with-malware/
IT Security Analyst Jailed for Impersonating as a Hacker in Own Company https://cybersecuritynews.com/it-security-analyst-jailed/
Google says Apple employee found a zero-day but did not report it https://techcrunch.com/2023/07/20/google-says-apple-employee-found-a-zero-day-but-did-not-report-it/ https://news.ycombinator.com/item?id=36803537
Microsoft Cybersecurity Analyst Professional Certificate https://www.coursera.org/professional-certificates/microsoft-cybersecurity-analyst
Cybersecurity Expert Kevin David Mitnick died https://www.dignitymemorial.com/obituaries/las-vegas-nv/kevin-mitnick-11371668
Listener Questions: https://www.theverge.com/2021/8/18/22630439/apple-csam-neuralhash-collision-vulnerability-flaw-cryptography
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off. Go to drata.com/partner/hacker-fed and get 10% off Drata and waived implementation fees.
Get your Hacker and the Fed merchandise at hackerandthefed.com

The Dangers of Googling Phone Numbers, an Attack on a Security Platform, and Typo Squatting on US Military Domains

July 20, 2023 1:23:24

This week on Hacker And The Fed, you can't always count on Google for the right telephone number for an airline, an American cloud-based directory-as-a-service platform announces that they were hacked by a state-sponsored threat actor, millions of US military emails may be ending up in the wrong hands, a new ransomware looks like a Windows update, we answer listener questions, and Hector tells a fascinating story about a hacking methodology.
Links from the episode:
Airline Fake Contact Number on Google Maps https://twitter.com/Shmuli/status/1680669938468499458 https://twitter.com/SwiftOnSecurity/status/1680926780599812098
JumpCloud discloses breach by state-backed APT hacking group https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/
JumpCloud's IOCs https://jumpcloud.com/support/july-2023-iocs
Domains like army․ml, pentagon․ml, navy․ml and af․ml all have Mail Exchange records pointing to 'handle․catchemail․ml' https://twitter.com/mikko/status/1680947795862200325
Watch out for this new malicious ransomware disguised as Windows updates https://www.foxnews.com/tech/watch-out-new-malicious-ransomware-disguised-windows-updates https://www.trendmicro.com/en_id/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html
Listener Questions https://www.lsu.edu/mediacenter/news/2023/06/13-cyber-clinic.php
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off. Go to drata.com/partner/hacker-fed and get 10% off Drata and waived implementation fees.
Get your Hacker and the Fed merchandise at hackerandthefed.com

Are Your Lightbulbs a Security Risk? Voice Authentication May be Broken, and Logistics Security

July 13, 2023 1:11:11

This week on Hacker And The Fed, your lightbulbs may be giving away the location of your house, and could Microsoft end ransomware right now? Also, voice authentication may be broken, the latest ransomware attack shows us the importance of logistics security, convenience has once again jeopardized Google Authenticator security, and a listener shares a wild car theft story.
Links from the episode:
Your lightbulbs may be giving out your exact location twitter.com/haxrob/status/1676416949499338752
Microsoft Can Fix Ransomware Tomorrow darkreading.com/vulnerabilities-threats/microsoft-can-fix-ransomware-tomorrow
Cybercriminals can break voice authentication with 99% success rate helpnetsecurity.com/2023/07/06/voice-authentication-insecurity/
INTERPOL Nabs Hacking Crew OPERA1ER's Leader Behind $11 Million Cybercrime thehackernews.com/2023/07/interpol-nabs-hacking-crew-opera1ers.html
Japan's biggest port, Nagoya, hit by suspected cyberattack asia.nikkei.com/Business/Technology/Japan-s-biggest-port-Nagoya-hit-by-suspected-cyberattack
Raising concerns over Google Authenticator’s new features techradar.com/pro/raising-concerns-over-google-authenticators-new-features
Trinidad and Tobago facing outages after cyberattack therecord.media/trinidad-tobago-hit-with-cyberattack
Listener Questions ksltv.com/563455/police-release-images-of-suspect-who-broke-into-familys-car-at-airport-then-their-home/
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off. Go to drata.com/partner/hacker-fed and get 10% off Drata and waived implementation fees.

Your Car’s Data Might Be For Sale, a New Malware Payload Vector Using DNS, and Listener Questions

July 06, 2023 1:19:28

This week on Hacker And The Fed, your car may be collecting up to 25 GB per hour of data about you, a new malware payload vector is using DNS, and what is “encryptionless ransomware”? We also answer listener questions about a variety of topics, including how to prepare for a cybersecurity career in the US government, banking security, and hack-backs.
Links from the episode:
How Your New Car Tracks You https://www.wired.com/story/car-data-privacy-toyota-honda-ford/
DNS TXT Records Can Be Used by Hackers to Execute Malware https://cybersecuritynews.com/dns-txt-records-to-execute-malware/?amp
Encryption-less ransomware: Warning issued over emerging attack method for threat actors https://www.itpro.com/security/ransomware/encryption-less-ransomware-warning-issued-over-emerging-attack-method-for-threat-actors
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off. Go to drata.com/partner/hacker-fed and get 10% off Drata and waived implementation fees.

A Hack-Back Lands a CEO in Prison, Repo Jacking, and When to Use a VPN

June 30, 2023 1:12:32

This week on Hacker And The Fed, a CEO did a hack-back and was sentenced to prison, Reddit hackers demanded a price rollback, repo jacking and fake GitHub repositories, and we answer listener questions about Hector's old hacks and VPNs.
Links from the episode:
I Was Sentenced to 18 Months in Prison for Hacking Back - My Story twitter.com/silascutler/status/1671144482769608705 -> https://hackernoon.com/i-was-sentenced-to-18-months-in-prison-for-hacking-back-my-story
Reddit hackers demand $4.5 million ransom and API pricing changes theverge.com/2023/6/19/23765895/reddit-hack-phishing-leak-api-pricing-steve-huffman
GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking blog.aquasec.com/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking
Attackers Create Synthetic Security Researchers to Steal IP darkreading.com/attacks-breaches/attackers-create-synthetic-security-researchers
Google announces $20 million investment for cyber clinics cyberscoop.com/google-investment-cyber-clinics/
Listener Questions https://fidoalliance.org/
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off

A Massive Ongoing Ransomware Attack, Google Claims to Catch Chinese Hackers, and the Feds Arrest a Russian Hacker in Arizona

June 22, 2023 1:09:50

This week on Hacker And The Fed, a ransomware group hacked a widely used file transfer software and began leaking stolen data, Google claims it caught Chinese government hackers red-handed breaking into hundreds of networks, the Feds arrest a ransomware perpetrator in Arizona, and we nerd out on security researchers taking over various countries' domains.
Links from the episode:
MOVEit Cyber Attack: Personal Data Of Millions Stolen From Oregon, Louisiana, U.S. Agency forbes.com/sites/maryroeloffs/2023/06/16/moveit-cyber-attack-personal-data-of-millions-stolen-from-oregon-louisiana-us-agency/?sh=3cf2b1b46b05
US govt offers $10 million bounty for info on Clop ransomware bleepingcomputer.com/news/security/us-govt-offers-10-million-bounty-for-info-on-clop-ransomware/amp/
Google claims it caught China government hackers redhanded breaking into hundreds of networks around the world fortune.com/2023/06/15/china-hacking-networks-cybersecurity-google-mandiant/amp/
20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona thehackernews.com/2023/06/20-year-old-russian-lockbit-ransomware.html
Can I speak to your manager? hacking root EPP servers to take control of zones hackcompute.com/hacking-epp-servers/
Darknet Parliament is now a thing cybernews.com/security/darknet-parliament-killnet-hackers/
Support our sponsor: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off
For more information on Chris and his current work visit naxo.com and follow him on LinkedIn. Follow Hector @hxmonsegur

China's TikTok "God Credential" Allegation, a New Phishing and Email Takeover Campaign, and Listener Questions

June 15, 2023 1:06:13

This week on Hacker And The Fed, we discuss the latest development in the TikTok controversy, how to detect and mitigate a new phishing and email takeover campaign, Google's new top-level domain, and some interesting statistics in the new Verizon breach investigation report.
Links from the episode:
Former exec at TikTok's parent company says Communist Party members had a 'god credential' that let them access Americans' data businessinsider.com/communist-party-god-credential-data-bytedance-tiktok-former-executive-alleges-2023-6
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/
America’s Most Cybersecure Companies forbes.com/lists/most-cybersecure-companies
Hackers claim to have crippled Russia’s banking system cybernews.com/cyber-war/infotel-hack-impacts-russian-banks/
Verizon 2023 Data Breach Investigations Report verizon.com/business/resources/reports/dbir/
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off
For more information on Chris and his current work visit naxo.com and follow him on LinkedIn. Follow Hector @hxmonsegur

Zero-click Exploits Attacking iPhones, PC Motherboards Downloading Malware, and a New Dutch Mandate

June 08, 2023 1:05:46

This week on Hacker And The Fed, we discuss another zero-click exploit attacking iPhones via the iMessage app, millions of PC motherboards may be downloading malware, the FTC slams another company for violations, and security researchers find a vulnerability in Gmail's checkmark system that is already being abused. And the Dutch government now mandates an easy way to contact website administrators.
Links from the episode:
Operation Triangulation: iOS devices targeted with previously unknown malware securelist.com/operation-triangulation/109842/ thehackernews.com/2023/06/new-zero-click-hack-targets-ios-users.html
Millions of PC motherboards were sold with a firmware backdoor arstechnica.com/security/2023/06/millions-of-pc-motherboards-were-sold-with-a-firmware-backdoor/
FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring thehackernews.com/2023/06/ftc-slams-amazon-with-308m-fine-for.html
Bug in Gmail twitter.com/chrisplummer/status/1664075886545575941 twitter.com/ChristopheDary/status/1664907465924681728 linkedin.com/posts/christophe-dary-85330561_spf-dmarc-bimi-activity-7070510499196489728-pPTh?utm_source=share&utm_medium=member_desktop
Security.txt now mandatory for Dutch government websites netherlands.postsen.com/trends/198695/Securitytxt-now-mandatory-for-Dutch-government-websites.html securitytxt.org
Support our sponsors: Go to HelloFresh.com/hatf16 and use code hatf16 for 16 free meals plus free shipping! Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off
For more information on Chris and his current work visit naxo.com and follow him on LinkedIn. Follow Hector @hxmonsegur

An Insider Exploits A Ransomware Attack, AI Photos, And Hector's Indonesian Hack

June 01, 2023 0:57:08

This week on Hacker And The Fed, we dive into the world of ransomware. An insider exploits a ransomware attack for personal gain and a CISO's biggest lessons from quarterbacking a ransomware attack. We discuss AI generated photos and what happened to the stock market. And then we answer listener questions about geopolitics, Hector's hack on the Indonesian government and victims keeping their hacks a secret.
Links from the episode:
IT employee impersonates ransomware gang to extort employer bleepingcomputer.com/news/security/it-employee-impersonates-ransomware-gang-to-extort-employer/
AI Generated Photos twitter.com/jsrailton/status/1660679743266607105
Suspicion stalks Genesis Market’s competitors following FBI takedown therecord.media/genesis-market-russian-market-2easy-shop-cybercrime-fraud
FBI releases warning about fake crypto job advertisements ic3.gov/Media/Y2023/PSA230522
Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking darkreading.com/ics-ot/bridgestone-ciso-lessons-ransomware-attack-acting-thinking

Pig Butchering And Crypto Crime-fighting With Erin West

May 25, 2023 0:47:33

This week on Hacker And The Fed, we speak with Erin West, a Santa Clara County Deputy District Attorney, Founder of the “Crypto Coalition”, an over 800-member group of active law enforcement partners sharing cryptocurrency crime-fighting techniques, and the very tip of the spear for Pig Butchering – the latest online romance scam. Erin educates us on what Pig Butchering is and how we can protect ourselves and our loved ones from being victimized.
Links from the episode:
SCARS: Society of Citizens Against Relationship Scams againstscams.org
Advocating Against Romance Scammers advocatingforu.com
This podcast is sponsored by BetterHelp. Visit BetterHelp.com/HATF today to get 10% off your first month.
For more information on Chris and his current work visit naxo.com. Follow Hector @hxmonsegur

Vehicle Location Data Leaked For Over 2 million Drivers, Another US Government Breach, And D.B. Cooper

May 18, 2023 1:00:05

This week on Hacker And The Fed, up to 10 years of your location data may have been exposed if you’ve driven vehicles from a certain manufacturer, stolen private keys may lead to insecure boot ups of your computer, Congress gets another notification of a US government breach, and we answer more listener questions about failed hacks and intentional exploits. And we talk about D. B. Cooper!
Links from the episode:
Toyota: Car location data of 2 million customers exposed for ten years bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/
Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security securityonline.info/intel-oem-private-key-leak-a-blow-to-uefi-secure-boot-security/
Data of 237,000 US government employees breached reuters.com/world/us/data-237000-us-government-employees-breached-2023-05-12/
Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison ustice.gov/opa/pr/uk-citizen-extradited-and-pleads-guilty-cyber-crime-offenses
T-Mobile Worker Joked About Adding Extra Phone Lines and Tablet to a Customer’s Account Without Them Knowing twistedsifter.com/2023/05/a-t-mobile-worker-joked-about-adding-2-extra-phone-lines-and-a-tablet-to-a-customers-account-without-them-knowing/
Google Cybersecurity Certificate grow.google/certificates/cybersecurity/#?modal_active=none
For more information on Chris and his current work visit naxo.com. Follow Hector @hxmonsegur

Chinese State Hackers, Ransom Negotiation, And Listener Questions

May 11, 2023 0:59:55

This week on Hacker And The Fed, we discuss private data leaking due to a misconfiguration, and no one is listening to the researchers. We are shown the mindset of hackers during a ransom negotiation, a cell phone provider is hacked for the 9th time in 6 years, there are 50 Chinese state hackers for every FBI cyber agent, and using AI to help hack. And finally, we answer listener questions about .xyz, pen testing tools, and possible Hacker And The Fed swag.
Links from the episode:
Many Public Salesforce Sites are Leaking Private Data krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/
Hackers Claim Vast Access to Western Digital Systems techcrunch.com/2023/04/13/hackers-claim-vast-access-to-western-digital-systems/
T-Mobile Discloses 2nd Data Breach of 2023, This One Leaking Account PINs and More arstechnica.com/information-technology/2023/05/t-mobile-discloses-2nd-data-breach-of-2023-this-one-leaking-account-pins-and-more/
Chinese Hackers Outnumber FBI Cyber Personnel 'By At Least 50 to 1,' Wray Testifies foxnews.com/politics/chinese-hackers-outnumber-fbi-cyber-personnel-wray-testifies
Capturing the Flag with GPT-4 micahflee.com/2023/04/capturing-the-flag-with-gpt-4/
The Cyber Police Exposed an Attacker in the Sale of Databases with Personal Data of Citizens of Ukraine and the EU cyberpolice.gov.ua/news/kiberpolicziya-vykryla-zlovmysnyka-u-zbuti-baz-iz-personalnymy-danymy-gromadyan-ukrayiny-ta-yes-6598/
For more information on Chris and his current work visit naxo.com. Follow Hector @hxmonsegur

Cyber Insurance With Michelle Chia, Head Of Cyber Insurance At Zurich North America

May 04, 2023 0:47:02

This week on Hacker And The Fed, we sit down with Michelle Chia, Head of Cyber Insurance at Zurich North America. We ask a number of questions, including: What is cyber insurance? Who needs it? And how much coverage is needed? Does cyber insurance cover an insider threat attack? What does a ransomware attack look like when you have cyber insurance? And finally, we find out how our guest cultivated such a successful career in cyber insurance.
Link from the episode: zurichna.com/knowledge/experts/michelle-chia
For more information on Chris and his current work visit naxo.com. Follow Hector @hxmonsegur

Search Engine Vulnerabilities, Ghost Tokens, Anna Kournikova

April 27, 2023 0:58:24

This week on Hacker And The Fed, security researchers find a vulnerability allowing them to run code on Search Engine computers, ghost tokens could be used to totally control Search Engine Workplace accounts, we let you know what a Pumpkin Sandstorm and a Spandex Tempest are, how long does it take to crack your password in 2023, we answer listener questions about the FBI and diversity in cyber security appliances, and we talk about Anna Kournikova.
Links from the episode:
Remote Code Execution Vulnerability in Google They Are Not Willing To Fix giraffesecurity.dev/posts/google-remote-code-execution/
'GhostToken' Opens Google Accounts to Permanent Infection darkreading.com/remote-workforce/-ghosttoken-opens-google-accounts-to-permanent-infection
Hacker Group Names Are Now Absurdly Out of Control wired.com/story/hacker-naming-schemes-spandex-tempest/amp
How Long It Would Take A Hacker To Brute Force Your Password In 2023 hivesystems.io/blog/are-your-passwords-in-the-green
Support this episode's sponsors:
DeleteMe: Visit JoinDeleteMe.com/FED and use promo code FED20
BetterHelp: Visit BetterHelp.com/HATF and get 10% off your first month
For more information on Chris and his current work visit naxo.com. Follow Hector @hxmonsegur