Former FBI Special Agent Chris Tarbell and ex-Anonymous/LulzSec blackhat hacker Hector Monsegur (aka Sabu) faced off as adversaries in cyberspace before becoming close friends and podcast co-hosts. Listen to Tarbell, co-founder of the elite cybersecurity firm NAXO, and Monsegur, a top network penetration tester and security engineer, break down the must-know cybersecurity news and topics of the week. You’ll walk away from each episode with unique perspectives on keeping your family, your company, and yourself safe from cyber attacks.
Similar Podcasts
In Machines We Trust
A podcast about the automation of everything. Host Jennifer Strong and the team at MIT Technology Review look at what it means to entrust artificial intelligence with our most sensitive decisions.
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
Elixir Outlaws
Elixir Outlaws is an informal discussion about interesting things happening in Elixir. Our goal is to capture the spirit of a conference hallway discussion in a podcast.
The SolarWinds hack, North Korea IT Workers, Hackers Targeting a Data Company, and Listener Questions
This week on Hacker And The Fed we break down the SolarWinds hack, there are 8 new vulnerabilities found in SolarWinds, thousands of remote IT workers have been working for North Korea, hackers are targeting a company that handles data requests for law enforcement, and we answer listener questions about VPN services, password managers and patch management. Links from the episode: Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover https://www.darkreading.com/vulnerabilities-threats/critical-solarwinds-rce-bugs-enable-unauthorized-network-takeover Thousands of Remote IT Workers Sent Wages to North Korea to Help Fund Weapons Program, FBI Says https://apnews.com/article/north-korea-weapons-program-it-workers-f3df7c120522b0581db5c0b9682ebc9b?taid=6531b8b29c11a80001ef2a28 Hackers Target Company That Vets Police Data Requests for Tech Giants https://www.404media.co/hackers-target-kodex-accounts-edrs/ Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Go to Cloudsolvers.com and tell them "Hacker and the Fed sent you" for a free assessment of your current environment Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
MOVEit and MGM Resorts Hacks, U.S. Senate's Email System Melts Down, Cisco Can't Stop Using Static Passwords, and Listener Questions
This week on Hacker And The Fed we offer updates on the MOVEit and MGM Resorts hacks, the US State Department has no idea if its IT security actually works, the Senate's email system melts down in the face of a security test, Cisco can't stop using static passwords, and we answer listener questions about Single Sign-on, circumventing company IT rules, and LinkedIn profiles. Links from the episode: MOVEit Maker Announces New Critical Vulnerability Affecting a Different File Transfer Tool https://therecord.media/progress-new-file-transfer-vulnerability MGM Resorts Hack Update https://x.com/brettforrest89/status/1711885567695433765 US State Dept has No Idea if its IT Security Actually Works, Say Auditors https://www.theregister.com/2023/10/02/us_state_security_gao/ https://endoflife.date/windows The Senate’s Email System Melted Down in the Face of Security Test https://www.politico.com/minutes/congress/09-8-2023/senate-reply-all-mess/ Cisco Can't Stop Using Static Passwords https://www.schneier.com/blog/archives/2023/10/cisco-cant-stop-using-hard-coded-passwords.html Support our sponsors: Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
Are Paying Ransoms Illegal? Ransomware Shuts Down a 158 Year Old Company, Fido2 Security Keys, and Hacktivist Rules
This week on Hacker And The Fed Microsoft releases their 2023 digital defense report, are paying ransoms illegal in the United States? The NSA and CISA red and blue teams share top 10 cyber security misconfigurations, a 158 year old company shuts down because of a ransomware attack, and we answer listener questions about fido2 security keys and "hacktivist" rules. Links from the episode: Microsoft Releases Its Yearly Digital Defense Report https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023 Are Paying Ransoms Illegal in the U.S.? https://www.huntonprivacyblog.com/2022/07/26/florida-enacts-law-prohibiting-state-agencies-from-paying-cyber-ransoms/ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a Zero-days for Hacking WhatsApp are Now Worth Millions of Dollars https://techcrunch.com/2023/10/05/zero-days-for-hacking-whatsapp-are-now-worth-millions-of-dollars/ Lazarus Impersonated Meta Recruiter to Breach Spanish Aerospace Firm https://www.helpnetsecurity.com/2023/10/02/lazarus-lightlesscan/ Kettering logistics firm enters administration with 730 jobs lost https://www.bbc.com/news/uk-england-northamptonshire-66927965 FDA Cyber Mandates for Medical Devices Goes into Effect https://cyberscoop.com/fda-cybersecurity-medical-devices/ City of Dallas Suffers a Ransomware Attack https://dallascityhall.com/DCH%20Documents/dallas-ransomware-incident-may-2023-incident-remediation-efforts-and-resolution.pdf International Committee of the Red Cross Published Rules of Engagement for Civilian Hackers Involved in Conflicts https://www.bbc.co.uk/news/technology-66998064 https://www.theregister.com/2023/10/04/red_cross_hacktivist_rules/ Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
Artificial Intelligence Doxxing in Viral Videos, Billions of Usernames and Passwords Exposed, and a HATF Contest
This week on Hacker And The Fed the end of privacy with AI being used to dox people in viral videos, billions of usernames and passwords are exposed, nationstate hackers are hiding in router firmware updates, we answer listener questions about working with the FBI, setting up a cyber security business, and safely using data sent to you be others. Finally, we announce Hacker And The Fed's first contest for cyber security awareness month. Links from the episode: The End of Privacy is a Taylor Swift Fan TikTok Account Armed with Facial Recognition Tech https://www.404media.co/the-end-of-privacy-is-a-taylor-swift-fan-tiktok-account-armed-with-facial-recognition-tech/ Darkbeam Leaks Billions of Email and Password Combinations https://securityaffairs.com/151566/security/darkbeam-data-leak.html FBI Hacker Dropped Stolen Airbus Data on 9/11 https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/ People's Republic of China-Linked Cyber Actors Hide in Router Firmware https://media.defense.gov/2023/Sep/27/2003309107/-1/-1/0/CSA_BLACKTECH_HIDE_IN_ROUTERS_TLP-CLEAR.PDF Russian Exploit Marketplace offering $20M for a Full Chain Mobile Exploit https://twitter.com/opzero_en/status/1706762507631677760 McDonalds Point of Sale System Hacked https://twitter.com/vxunderground/status/1706508703745151211 Support our sponsors: Go to HelloFresh.com/50hatf and use the code 50hatf for 50% off plus free shipping Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
Equifax Breach, a Hack of 27 Crypto Companies, and the Arrest of a Department of State IT Contractor
This week on Hacker And The Fed we break down how Equifax was breached, is Google Authenticator MFA Cloud Sync feature responsible for a hack into 27 crypto companies? Google’s Threat Analysis Group announces an in-the-wild 0-day exploit chain for iPhones, the year of the insider threat continues with the arrest of a Department of State IT Contractor on espionage charges. Links from the episode: How Equifax Was Breached in 2017 https://blog.0x7d0.dev/history/how-equifax-was-breached-in-2017/ https://twitter.com/vxunderground/status/1700335482440204521 Retool Blames Breach on Google Authenticator MFA Cloud Sync feature https://www.bleepingcomputer.com/news/security/retool-blames-breach-on-google-authenticator-mfa-cloud-sync-feature/ 0-days Exploited by Commercial Surveillance Vendor in Egypt https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/ Department of State IT Contractor Arrested on Espionage Charges https://fedscoop.com/department-of-state-it-contractor-arrested-on-espionage-charges/ Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
Finding out our Relative is a Hacker, Working for the FBI, Prepping for a Technical Interview, and More Listener Questions
This week on Hacker And The Fed we answer listener questions about finding out our relative is a hacker, applying for a cyber security job as a chemical engineer, preparing you for a technical interview, the FBI being a great place to work, is MFA once every 24 hours too much, and much more. Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
Your Car and Your Sex Life, US Departments of State and Commerce Compromised, Iran and North Korea Hacking Crews, and Victories Over Russian Hackers
This week on Hacker And The Fed your car may know all the details about your sex life, the Swiss fined an insurer 3 million dollars for horrible cyber security practices, the US Departments of State and Commerce were compromised because of a two-year-old Windows crash report, Iran and New Korea hacking crews have active campaigns against security researchers, and two victories over Russian hackers for the US government. Links from the episode: Insurer Fined $3M for Exposing Data of 650k Clients for Two Years https://www.bleepingcomputer.com/news/security/insurer-fined-3m-for-exposing-data-of-650k-clients-for-two-years/ If You’ve Got a New Car, It’s a Data Privacy Nightmare https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416 https://arstechnica.com/cars/2023/09/connected-cars-are-a-privacy-nightmare-mozilla-foundation-says/ Microsoft Finally Explains Cause of Azure Breach: An Engineer’s Account Was Hacked https://arstechnica.com/security/2023/09/hack-of-a-microsoft-corporate-account-led-to-azure-breach-by-chinese-hackers/ https://twitter.com/0xdabbad00/status/1699596048392736812 Hacker Group Disguised as Marketing Company to Attack Enterprise Targets https://gbhackers.com/hacker-group-disguised-as-marketing/ Active North Korean Campaign Targeting Security Researchers https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ Russian Infosec Boss Gets Nine Years for $100M Insider-Trading Caper Using Stolen Data https://www.theregister.com/AMP/2023/09/08/russian_insider_training_prison/ United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang https://home.treasury.gov/news/press-releases/jy1714 Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
The FBI's Operation "Duck Hunt" Takes Down a Botnet, NYC Subway Allows Users to be Tracked Online, and Why Chris Left the FBI
This week on Hacker And The Fed the FBI's Operation "Duck Hunt" takes down a ransomware botnet, we disclose the secret weapon hackers use for doxing, the New York City subway system allows its users to be tracked online, and we answer listener questions about leaving the FBI, getting jobs in cyber security, and Hector's detailed description of a red teamer. Links from the episode: How the FBI Took Down the Notorious Qakbot Botnet https://techcrunch.com/2023/09/01/fbi-qakbot-takedown-operation-duck-hunt/ The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/ I Tracked an NYC Subway Rider's Movements with an MTA ‘Feature’ https://www.404media.co/i-tracked-nyc-subway-rider-home-omny-mta/ Paramount Discloses Data Breach Following Security Incident https://www.bleepingcomputer.com/news/security/paramount-discloses-data-breach-following-security-incident/ Hacking Campaign Bruteforces Cisco VPNs to Breach Networks https://www.bleepingcomputer.com/news/security/hacking-campaign-bruteforces-cisco-vpns-to-breach-networks/ Big Ass Data Broker Opt Out List https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List Support Our Sponsors HelloFresh! Go to hellofresh.com/50hatf use code 50hatf for 50% off plus 15% off the next 2 months! Get your Hacker and the Fed merchandise at hackerandthefed.com Send HATF your questions at questions@hackerandthefed.com
Hacking Through a Fire Stick, a Danish Cloud Provider Loses all Their Customer Data, an Active Hacker Becoming a White Hat
This week on Hacker And The Fed a Danish cloud provider loses all of their customer's data, a hacker in custody continues hacking through a fire stick, there are two great write ups about a zero day vulnerability and HTML smuggling, cyber security entry jobs should be just that, entry into the industry, and we answer listener questions that include an ongoing dialogue with an active hacker about becoming a white hat. Links from the episode: Criminals Go Full Viking on CloudNordic, Wipe All Servers and Customer Data https://www.theregister.com/AMP/2023/08/23/ransomware_wipes_cloudnordic/ GTA 6 Hacker Found to be Teen with Amazon Fire Stick in Small Town Hotel Room https://hackaday.com/2023/08/26/gta-6-hacker-found-to-be-teen-with-amazon-fire-stick-in-small-town-hotel-room/ Traders' Dollars in Danger: Zero-Day Vulnerability in WinRAR Exploited by Cybercriminals to Target Traders https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ HTML Smuggling Leads to Domain Wide Ransomware https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ Cybersecurity Hiring Gap: Time to Rethink Who Can Contribute https://www.csoonline.com/article/649166/cybersecurity-hiring-gap-time-to-rethink-who-can-contribute.html https://twitter.com/CyberWarship/status/1692239445188120950 Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Get your Hacker and the Fed merchandise at hackerandthefed.com
Demystifying Internet Honeypots and Getting into Cyber Security with Andrew Morris, Founder and CEO of GreyNoise
This week on Hacker And The Fed we have Andrew Morris, CEO and founder of GreyNoise on the show. GreyNoise is a cybersecurity company that collects and analyzes mass internet data to remove pointless security alerts, find compromised devices, or identify emerging threats. We talk internet honeypots, how to get into the cyber security industry and much more. Links from the episode: Andrew Morris, CEO & Founder of GreyNoise https://www.greynoise.io/ https://twitter.com/Andrew___Morris https://twitter.com/GreyNoiseIO Support our sponsor: Go to JoinDeleteMe.com/FED code FED20 for 20% off all consumer plans Get your Hacker and the Fed merchandise at hackerandthefed.com
Zoom and AI, the NSA and DARPA Presenting Challenges to the Cyber Security Community and Listener Questions
This week on Hacker And The Fed Zoom wanted to use your calls to train artificial intelligence, the NSA and DARPA are presenting challenges to the cyber security community, and we answer listener questions from a US military chaplain about justice, a former black hat about a career in cyber security, and even a hacker who used a compromised email account to ask us how to stop hacking. Links from the episode: Zoom walks back controversial privacy policy https://www.thestreet.com/technology/zooms-latest-move-may-make-you-reconsider-using-the-service Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats https://thehackernews.com/2023/08/microsoft-exposes-russian-hackers.html Hackers to compete for nearly $20 million in prizes by using A.I. for cybersecurity, Biden administration announces https://www.cnbc.com/2023/08/09/biden-admin-launches-hacking-challenge-to-use-ai-for-cybersecurity.html https://aicyberchallenge.com/rules/ NSA: Codebreaker Challenge Helps Drive Cybersecurity Education https://www.darkreading.com/attacks-breaches/nsa-talks-codebreaker-challenge-success-influence-on-education Lil Tay Meta Helped Get Account Back from Hacker https://www.tmz.com/2023/08/12/lil-tay-dead-dies-hacker-meta-instagram-hacked-account-hoax/ CISCO Launches a FREE 120-Hour Ethical Hacking Training https://cursin.net/en/cisco-launches-a-free-120-hour-ethical-hacking-training/ Support our sponsor: Go to JoinDeleteMe.com/FED code FED20 for 20% off all consumer plans Get your Hacker and the Fed merchandise at hackerandthefed.com
Chinese Malware, a Year in Review of Zero-day Exploits, a Ransomware Study, and Listener Questions
This week on Hacker And The Fed the US hunts Chinese malware that could disrupt American Military operations, a year in review of zero-day exploits, a study finds no evidence that ransomware victims with cyber insurance pay up more often, there's fighting words between Tenable CEO and Microsoft, and we answer listener questions from a listener in Greece, Holland, and a new minted NSA hacker. Links from the episode: U.S. Hunts Chinese Malware That Could Disrupt American Military Operations https://dnyuz.com/2023/07/29/u-s-hunts-chinese-malware-that-could-disrupt-american-military-operations/ The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html No evidence ransomware victims with cyber insurance pay up more often https://therecord.media/ransomware-cyber-insurance-payments-uk-report Tenable CEO accuses Microsoft of negligence in addressing security flaw https://cyberscoop.com/tenable-microsoft-negligence-security-flaw/ https://twitter.com/MalwareJake/status/1686869818912202755 https://www.wired.com/2002/01/bill-gates-trustworthy-computing/ SMS Traffic Pumping Fraud https://support.twilio.com/hc/en-us/articles/8360406023067-SMS-Traffic-Pumping-Fraud New acoustic attack steals data from keystrokes with 95% accuracy https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/ Get your Hacker and the Fed merchandise at hackerandthefed.com
Authentication Attacks, US Government Domains, and New Cyber Incident Disclosure Guidelines
This week on Hacker And The Fed what authentication attacks might look like in a phishing resistant future, the SEC now requires companies to disclose cyber attacks, there are many more US government domains in the .com world than you might think, and other news stories from this week in cyber security. Links from the episode: What might authentication attacks look like in a phishing-resistant future? https://blog.talosintelligence.com/what-might-authentication-attacks-look-like-in-a-phishing-resistant-future/ The Messaging Layer Security (MLS) Protocol https://datatracker.ietf.org/doc/html/rfc9420 List of public government managed domains that exist outside of the top-level .gov and .mil domains https://github.com/GSA/govt-urls/blob/main/1_govt_urls_full.csv Top level domain operator wants out of the business https://domainnamewire.com/2023/07/26/top-level-domain-operator-wants-out-of-the-business/ Network giants unite to fight security risks https://www.networkworld.com/article/3703233/network-giants-unite-to-fight-security-risks.html Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches https://thehackernews.com/2023/07/cybersecurity-agencies-warn-against.html Norwegian government IT systems hacked using zero-day flaw https://www.bleepingcomputer.com/news/security/norwegian-government-it-systems-hacked-using-zero-day-flaw/ https://www.dss.dep.no/aktuelle-saker/departementer-utsatt-for-dataangrep/ https://www.wsj.com/articles/critical-infrastructure-companies-warned-to-watch-for-ongoing-cyberattack-76508d83 Satellites Are Rife With Basic Security Flaws https://www.wired.com/story/satellites-basic-security-flaws/ Support our sponsors: Go to hellofresh.com/50hatf code 50hatf for 50% off plus free shipping Get your Hacker and the Fed merchandise at hackerandthefed.com Get your Hacker and the Fed merchandise at hackerandthefed.com
Thousands of Intelligence and Defense Employees Exposed, a Hacker Infects His Own Computer, Google Accuses Apple Employee of Not Reporting a Zero-day
This week on Hacker And The Fed new cyber security labels proposed by the US government could help us buy our new devices, an employee exposes thousands of intelligence and defense employees, Google may be restricting internet access to some employees to reduce their cyber attack risk, a hacker infects his own computer, and Google says an Apple employee found a zero-day but didn't report it, and we answer listener questions about our phones getting searched and email encryption. Links from the episode: White House teams with Amazon, Google and Qualcomm on cybersecurity labels for gadgets https://www.cnbc.com/2023/07/18/us-cyber-trust-labels-will-help-consumers-pick-safer-smart-devices.html Google exposes intelligence and defense employee names in VirusTotal leak https://therecord.media/virustotal-user-email-addresses-leaked-google-military-intelligence Google restricting internet access to some employees to reduce cyberattack risk https://www.cnbc.com/2023/07/18/google-restricting-internet-access-to-some-employees-for-security.html Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware https://www.securityweek.com/black-hat-hacker-exposes-real-identity-after-infecting-own-computer-with-malware/ IT Security Analyst Jailed for Impersonating as a Hacker in Own Company https://cybersecuritynews.com/it-security-analyst-jailed/ Google says Apple employee found a zero-day but did not report it https://techcrunch.com/2023/07/20/google-says-apple-employee-found-a-zero-day-but-did-not-report-it/ https://news.ycombinator.com/item?id=36803537 Microsoft Cybersecurity Analyst Professional Certificate https://www.coursera.org/professional-certificates/microsoft-cybersecurity-analyst Cybersecurity Expert Kevin David Mitnick died https://www.dignitymemorial.com/obituaries/las-vegas-nv/kevin-mitnick-11371668 Listener Questions: https://www.theverge.com/2021/8/18/22630439/apple-csam-neuralhash-collision-vulnerability-flaw-cryptography Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Go to drata.com/partner/hacker-fed and get 10% off Drata and waived implementation fees Get your Hacker and the Fed merchandise at hackerandthefed.com
The Dangers of Googling Phone Numbers, an Attack on a Security Platform, and Typo Squatting on US Military Domains
This week on Hacker And The Fed you can't always count on Google for the right telephone number for an airline, an American cloud based directory as a service platform announces that they were hacked by a state sponsored threat actor, millions of US military emails may be ending up in the wrong hands, a new ransomware looks like a windows update, we answer listener questions, and Hector tells a fascinating story about a hacking methodology. Links from the episode: Airline Fake Contact Number on Google Maps https://twitter.com/Shmuli/status/1680669938468499458 https://twitter.com/SwiftOnSecurity/status/1680926780599812098 JumpCloud discloses breach by state-backed APT hacking group https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/ JumpClouds IOCs - https://jumpcloud.com/support/july-2023-iocs Domains like army․ml, pentagon․ml, navy․ml and af․ml all have Mail Exchange records pointing to 'handle․catchemail․ml' https://twitter.com/mikko/status/1680947795862200325 Watch out for this new malicious ransomware disguised as Windows updates https://www.foxnews.com/tech/watch-out-new-malicious-ransomware-disguised-windows-updates https://www.trendmicro.com/en_id/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html Listener Questions https://www.lsu.edu/mediacenter/news/2023/06/13-cyber-clinic.php Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off Go to drata.com/partner/hacker-fed and get 10% off Drata and waived implementation fees Get your Hacker and the Fed merchandise at hackerandthefed.com