Chris serves as Technology Advocate for Immersive Labs and works to engage and educate organizations about the power of human cyber readiness. Before beginning his career in information security, Chris trained as a broadcast journalist.
We want to talk about Edward Snowden. It’s harder than you would imagine, considering most of the Cyber Humanity team have at some point worked for government agencies and therefore can’t quite remember what they do and “don’t” know about him. Even so, he’s still in the public eye even after all this time, and there are certainly some lessons to be learnt and ridiculous happenings to puzzle over. Hopefully Paul, Immersive Labs’ resident International Man of Mystery, won’t be facing a prison sentence by the end of this episode.

***

https://www.theguardian.com/us-news/2020/sep/03/edward-snowden-nsa-surveillance-guardian-court-rules
https://www.wired.com/story/edward-snowden-in-his-own-words-why-i-became-a-whistle-blower/
What’s been bugging the team recently? Slack’s bug bounty – if it can even be called that – causes some consternation in this episode and raises serious questions about bug bounty programs. The bug in question was classified as a ‘critical’ RCE vulnerability, and yet the researcher who discovered it only got $1750. Yup, you read that right. Apparently doing the right thing doesn’t always pay, but if you’re like Kev you might end up with some free chicken or a heartfelt ‘thank you’. We’re absolutely certain that such rewards are enough to keep people on the responsible disclosure side of the fence…

Also covered in this episode is the strange news that a Russian national was arrested for trying to convince a Tesla employee to install malware on the company’s network for the tasty sum of $1m. Color us intrigued…

***

Slack Bug Bounty: https://mashable.com/article/slack-fixes-critical-remote-code-execution-vulnerabilitybug-bounty/?europe=true
Tesla Hacking Plot: https://www.zdnet.com/article/elon-musk-confirms-russian-hacking-plot-targeted-tesla-factory/
We have a vaccine! No, not that one. The Emotet vaccine has been quietly doing the rounds over the last few months. Kev gives a nice overview of malware vaccines and how this particular one works.

We also chat about circles of trust, old boys’ networks and secret handshakes, and the part they play in intelligence sharing and international collaboration on cybersecurity. Who decides who’s inside the circle?

Next up, the Secret Service has been buying location data. This in itself isn’t new; however, they’re now getting around the need for warrants by buying location data from private companies. Sure, it’s publicly available – but should governments and law enforcement be buying it when they should be held to a higher standard? Of course the ex-gov type believes that governments couldn’t possibly break the law (listen carefully – this might be the only time Chris has ever been shocked to silence), so isn’t it in safe hands?

And finally, could hackers hack your car?! Hack your kettle?! Listen to your keys?! GASP! More to the point: why would they want to? If you’re looking for some light entertainment, these articles are well worth a read.

***

Emotet Vaccine: https://threatpost.com/emocrash-exploit-emotet-6-months/158414/
Australia's new cybersecurity strategy: https://www.itnews.com.au/news/govt-finally-unveils-australias-new-cyber-security-strategy-551358
Secret Service buys location data that would otherwise need a warrant: https://arstechnica.com/tech-policy/2020/08/secret-service-other-agencies-buy-access-to-mobile-phone-location-data/
Hackers could hijack lane keeping systems to control your car: https://www.autoevolution.com/news/hackers-could-hijack-lane-keeping-systems-to-control-your-car-experts-warn-147642.html
If you notice the team being a little bit more careful with their words than usual, it's because the topic of this episode is...a SANSitive one. We'll leave it like that, shall we?

We also chat about the NCC/CREST/GitHub debacle, which sparks debate over how valuable certifications are when they can be gamed with 'leaked' step-by-step guides. Is there any real-world value in simply learning how to pass an exam? Does a certification truly indicate aptitude?

The topic turns next to facial recognition in law enforcement, following the news that Liberty won the first international case banning the use of facial recognition technology for policing. It's a serious debate – that gets a bit dystopian at times – and we take a look at it from every angle.

***

SANS data breach: https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/
NCC/CREST: https://www.theregister.com/2020/08/14/crest_investigates_ncc_group/
Liberty wins facial recognition technology case: https://iottechnews.com/news/2020/aug/11/liberty-wins-case-banning-police-facial-recognition/