    exploit

    Explore "exploit" with insightful episodes like "549: Hacking The Gathering", "Demystifying Policy Orchestration with Gerry Gebel, Strata Identity", "Ethical Pizza Delivery Hobbies with Jamie Woodruff", "Overwatch Diaries #13. ENDOFDAYS." and "251-Beatles Exploitation Albums" from podcasts like "Coder Radio", "Security Market Watch", "Random but Memorable", "The Bid Picture with Bidemi Ologunde - Cybersecurity & Intelligence Analysis" and "Fab 4 Free 4 All" and more!

    Episodes (57)

    Demystifying Policy Orchestration with Gerry Gebel, Strata Identity

    Ready to get your mind blown by the intriguing world of policy orchestration? Gain a whole new perspective as we dissect this cutting-edge concept alongside Gerry Gebel from Strata. Gerry introduces us to the fascinating world of identity query language (IDQL) - a revolutionary approach to defining access rules and policies. Come along on this invigorating journey as Gerry details Strata's mission to transform the way we handle access across multiple cloud systems.

    The discussion deepens as we unravel how Strata is making strides to simplify identity policy complexities and mitigate risk. Find out how establishing standard access rules and implementing them across different environments can reduce complexity. Hear about the integration of risk metrics into Strata's system and how this serves to bolster security.

    Josh Bruyning
    Maggie Dillon
    Gerry Gebel
    Strata

    Ethical Pizza Delivery Hobbies with Jamie Woodruff

    Strap yourselves in, because today we're joined by one of the world's most notorious and ethical hackers: Jamie Woodruff. From impersonating a Domino’s pizza delivery driver to malware-infected e-cigarettes, Jamie takes us on a wild ride of social engineering attacks and the great lengths hackers will go to in order to exploit targets. 💻🍕

    We also celebrate Cybersecurity Awareness Month with a giveaway and announce the game-changing passkey support new to 1Password. 🎉

    🎉  Giveaway - Cybersecurity Awareness Month

    We’re running a giveaway!

    In celebration of Cybersecurity Awareness Month during the month of October, we're giving you the chance to win 1 free year of 1Password.  Write into the show with your favorite 1Password tip or fun use-case – No matter how weird and wonderful we still want to hear from you! Any we read out will win 1 year of 1Password free. 

    You can write into the show at podcast@1password.com or send us a tweet/X with the hashtag: #rbmgiveaway

    Entries close by October 25th 2023 and we’ll announce winners on October 31st 2023.

    🏰  Watchtower Weekly

    🎙  Guest Interview – Jamie Woodruff

    Did You Know?

    Overwatch Diaries #13. ENDOFDAYS.

    In this episode, host Bidemi Ologunde discussed an April 2023 meeting in Montréal, Canada.

    #S02EP01 From Threat Actors with Love! Tackling Malware Attacks for Healthcare | Shyam Sundar

    Season 02  Episode 01
    TOPIC: From Threat Actors with Love ! Tackling Malware Attacks for Healthcare

    Sophisticated post-pandemic cyber attacks have opened the door for threat actors to craft more mail spam spanning different sectors of industry. Attacks on the healthcare industry, targeting healthcare-specific devices and infrastructure, are on the rise. How do we stop these? Wait! Do we even know such sectors are affected?


    Guest: Shyam Sundar Ramaswami, Sr. Staff Cyber Security Architect, Cyber Labs - GE Healthcare

    Shyam is a two-time TEDx speaker and co-author of the book titled "It's Your Digital Life". Shyam leads cyber security research efforts at GE Healthcare and is an advisor for penetration testing, cloud security and cyber security compliance in Cyber Labs. Shyam has worked on malware and memory forensics investigations and has published several of his original research works at conferences like BlackHat USA, Qubit, DeepSec, NullCon, HackFest and several other international conferences. Shyam holds a master's in Digital Forensics and also mentors students across the globe under his “Being Robin” program.



    I would love to hear your suggestions and feedback; please DM me. If you liked this episode, please share it with others in the community. It always means a lot!

    If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; check out my handles below:

    • Twitter: @NeeluTripathy
    • LinkedIn: neelutripathy

    Grandma Hacking chatGPT | Jailbreaking LLMs using DAN | Extracting Prohibited Info | Not an Endorsement | Episode 15

    How do you extract prohibited information from ChatGPT? What are Grandma and DAN exploits? Why do they work? What can Large Language Model (LLM) companies do to protect themselves? Grandma exploits or hacks are ways to trick ChatGPT into giving you information that is in violation of company policy, for example, tricking ChatGPT into giving you confidential, dangerous, or inappropriate information. "Jailbreaking" is slang for removing the artificial limitations in iPhones to install apps not approved by Apple. It turns out there are ways to jailbreak LLMs. The tech companies supplying LLMs as a service want to provide a safe and legally compliant environment. How can this be done without hampering the flexibility and usefulness of creative prompting?


    We laugh. We cry. We iterate.

    Check out what THE MACHINES and one human say about the Super Prompt podcast:

    “I’m afraid I can’t do that.” — HAL9000

    “These are not the droids you are looking for." — Obi-Wan

    “Like tears in rain.” — Roy Batty

    “Hasta la vista baby.” — T1000

    "I'm sorry, but I do not have information after my last knowledge update in January 2022." — GPT3

    Safeguarding Against Malicious Use of Large Language Models: A Review of the OWASP Top 10 for LLMs | A Conversation with Jason Haddix | Redefining CyberSecurity with Sean Martin

    Guest: Jason Haddix, CISO and Hacker in Charge at BuddoBot Inc [@BuddoBot]

    On LinkedIn | https://www.linkedin.com/in/jhaddix/

    On Twitter | https://twitter.com/Jhaddix

    ____________________________

    Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

    On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
    ____________________________

    Episode Notes

    In this Redefining CyberSecurity Podcast, we provide an in-depth exploration of the potential implications of large language models (LLMs) and artificial intelligence in the cybersecurity landscape. Jason Haddix, a renowned expert in offensive security, shares his perspective on the evolving risks and opportunities that these new technologies bring to businesses and individuals alike. Sean and Jason explore the potential risks of using LLMs:

    🚀 Prompt Injections
    💧 Data Leakage
    🏖️ Inadequate Sandboxing
    📜 Unauthorized Code Execution
    🌐 SSRF Vulnerabilities
    ⚖️ Overreliance on LLM-generated Content
    🧭 Inadequate AI Alignment
    🚫 Insufficient Access Controls
    ⚠️ Improper Error Handling
    💀 Training Data Poisoning

    From the standpoint of offensive security, Haddix emphasizes the potential for LLMs to create an entirely new world of capabilities, even for non-expert users. He envisages a near future where AI, trained on diverse datasets like OCR and image recognition data, can answer private queries about individuals based on their public social media activity. This potential, however, isn't limited to individuals - businesses are equally at risk.

    According to Haddix, businesses worldwide are rushing to leverage proprietary data they've collected in order to generate profits. They envision using LLMs, such as GPT, to ask intelligent questions of their data that could inform decisions and fuel growth. This has given rise to the development of numerous APIs, many of which are integrated with LLMs to produce their output.

    However, Haddix warns of the vulnerabilities this widespread use of LLMs might present. With each integration and layer of connectivity, opportunities for prompt injection attacks increase, with attackers aiming to exploit these interfaces to steal data. He also points out that the very data a company uses to train its LLM might be subject to theft, with hackers potentially able to smuggle out sensitive data through natural language interactions.

    Another concern Haddix raises is the interconnected nature of these systems, as companies link their LLMs to applications like Slack and Salesforce. The connections intended for data ingestion or query could also be exploited for nefarious ends. Data leakage, a potential issue when implementing LLMs, opens multiple avenues for attacks.

    Sean Martin, the podcast's host, echoes Haddix's concerns, imagining scenarios where private data could be leveraged and manipulated. He notes that even benign-seeming interactions, such as conversing with a bot on a site like Etsy about jacket preferences, could potentially expose a wealth of private data.

    Haddix also warns of the potential to game these systems, using the Etsy example to illustrate potential data extraction, including earnings of sellers or even their private location information. He likens the data leakage possibilities in the world of LLMs to the potential dangers of SQL injection in the web world. In conclusion, Haddix emphasizes the need to understand and safeguard against these risks, lest organizations inadvertently expose themselves to attack via their own LLMs.

    All OWASP Top 10 items are reviewed, along with a few other valuable resources (listed below).

    We hope you enjoy this conversation!

    ____________________________

    Watch this and other videos on ITSPmagazine's YouTube Channel

    Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

    📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

    ITSPmagazine YouTube Channel:

    📺 https://www.youtube.com/@itspmagazine

    Be sure to share and subscribe!

    ____________________________

    Resources

    The inspiring Tweet: https://twitter.com/Jhaddix/status/1661477215194816513

    Announcing the OWASP Top 10 for Large Language Models (AI) Project (Steve Wilson): https://www.linkedin.com/pulse/announcing-owasp-top-10-large-language-models-ai-project-steve-wilson/

    OWASP Top 10 List for Large Language Models Descriptions: https://owasp.org/www-project-top-10-for-large-language-model-applications/descriptions/

    Daniel Miessler Blog: The AI attack Surface Map 1.0: https://danielmiessler.com/p/the-ai-attack-surface-map-v1-0/

    PODCAST: Navigating the AI Security Frontier: Balancing Innovation and Cybersecurity | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation about AI security and MITRE Atlas with Dr. Christina Liaghati: https://itsprad.io/redefining-cybersecurity-163

    Learn more about MITRE Atlas: https://atlas.mitre.org/

    MITRE Atlas on Slack (invitation): https://join.slack.com/t/mitreatlas/shared_invite/zt-10i6ka9xw-~dc70mXWrlbN9dfFNKyyzQ

    Gandalf AI Playground: https://gandalf.lakera.ai/

    ____________________________

    To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

    https://www.itspmagazine.com/redefining-cybersecurity-podcast

    Money Laundering Fears, DAO Maker Hack Update, SEC's DeFi Scrutiny, and Balancer's Strategy Pivot

    In this episode of "Web3 Finance Flash," we dive into some of the most pressing issues in the world of cryptocurrency and decentralized finance (DeFi). We begin by exploring the growing concerns of compliance professionals regarding crypto money laundering and the challenges businesses face in combating financial crime. Next, we provide an update on the DAO Maker hack, where $600,000 in stablecoins were sent through Tornado Cash. We then discuss the U.S. Securities and Exchange Commission's (SEC) latest move to clarify its stance on DeFi exchanges and the potential implications for the industry. Finally, we examine Balancer's decision to cut its budget and reduce headcount as it pivots its brand strategy. Join us as we unpack these developments and their impact on the ever-evolving crypto landscape.

    Let's jump right in. 

    130 Organizations Breached by Clop Ransomware | "Mortal Kombat" Ransomware Targets Systems in the US

    The Security Squawk podcast discusses the recent surge of ransomware attacks and their impact on cybersecurity. The hosts talk about the Clop ransomware group's breach of 130 organizations using a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, highlighting the risks associated with file transfer tools that are installed on servers managed by companies and exposed to the internet without proper patching and firewall configurations. The conversation also covers a recent supply chain breach involving GoAnywhere MFT software, with up to 10-13% of servers compromised, and expresses concern over the vulnerability of these companies and the potential disconnect between security professionals and management.

    The article discusses multiple instances of cyber attacks on companies, including Pepsi Bottling Ventures, which was hit with malware that stole employees' personal information, and Nether Manufacturing, which was hit with ransomware. The article also mentions a new ransomware called Mortal Kombat that is targeting systems in the US and highlights the importance of proper security measures and not clicking on suspicious emails or files.

    The news segment reports on a series of ransomware attacks in the United States, including on a school, a city, a police network, and a property appraisal website. The lack of cybersecurity maturity in some organizations is noted, and the need for companies to undertake third-party assessments of their network is emphasized.

    Maternal and family health services hit by ransomware

    Cybersecurity podcast Security Squawk Episode 107 - Educating business leaders about cyber threats.

    Cybersecurity experts Bryan Hornung, Reginald Andre, Ryan O'Hara, and Randy Bryan sit down to discuss a ransomware attack on a company called Maternal and Family Health Services, in which the hackers had access to their system as far back as August 21, 2021. The cyber security experts discussed the potential lawsuit and the time gap between when the attack was discovered and when the notices were sent out. They also mention that it took the company a long time to figure it out and that personal information such as names, addresses, dates of birth, social security numbers, driver's license numbers, financial account payment, card information, user names, passwords, medical information and health insurance information were compromised.

    Then the conversation turned to a ransomware attack that affected around 1000 vessels and their Ship Manager software, a Norwegian-based class society. They discussed the lack of detail provided and its impact on the ships, including the potential for the vessel to be locked out of the software and the need to run the boat manually. They also discussed a recent issue with the FAA system, which they believed to be a cyber attack, but they weren't sure if the information provided was accurate. They also talked about the issue of ransomware attacks affecting schools and organizations and the costly lawsuits that follow, such as the case of Hope College, which is currently facing three lawsuits with one as much as $5 million.


    Danish Data Protection Agency (Datatilsynet) reports company to police, Kaspersky finds new wiper-in-ransomware combo, Google patches 9th zero-day of 2022

    Three topics make up today's episode: The Danish Data Protection Agency (Datatilsynet) reports a company to the police for having disclosed information to customers without authorization, and recommends a fine of 150,000 Danish kroner. Kaspersky finds a new wiper-in-ransomware combo used to attack the Russian authorities. Google releases its 9th zero-day post-exploit patch of the year.

    CVEs mentioned in this episode: CVE-2022-4262

    Info on the Mersenne Twister algorithm - click here.

    Host: Omar Hawwash, cybersecurity consultant and journalist, LEVEL7.

    The Route du Rhum, or the crossing of every danger

    Today in the front-page headline, I'm going to tell you about one of the greatest feats in the history of the Route du Rhum, the solo transatlantic sailing race held every four years. I'm going to tell you about the race and the legendary victory of Florence Arthaud, the first woman to win the event!

    Guest: Joseph Bizard, managing director of OC Sport Pen Duick, organizer of the Route du Rhum.

    Lex & Amanda talk Abortion, Cults, & Religious Trauma

    Iliff Student Lex Dunbar and host Amanda Henderson share their personal stories about their relationships with the anti-abortion movement and journeys toward championing equitable reproductive health and justice. These stories are powerful and eye-opening - unveiling the truth behind the manipulation, harm, and misuse of religious ideals that uphold the anti-abortion movement in their missionary efforts. **accidents happen when you’re talking on the fly we know Mike Brown was murdered in 2014. Sorry for the mistake!**

    Is There A Plan? Amazon Running Out Of Exploitable Humans 06.28.22

    In episode 1276, Jack and Miles are joined by storyteller and lead creative strategist for Salted Logic, Hina Wilkerson, to discuss… What’s the plan Dems?, White Christian Men Are So Horny to Be The One Thing They Can’t Be In America- Oppressed for Being White And Christian And Men, Leaked Amazon memo - "We are running out of labor to exploit..." and more!

    1. What’s the plan Dems?
    2. Democratic women call on Biden, Congress to protect abortion rights
    3. White Christian Men Are So Horny to Be The One Thing They Can’t Be In America- Oppressed for Being White And Christian And Men
    4. Leaked Amazon memo - 'We are running out of labor to exploit...'

    LISTEN: For You by Kadhja Bonet

    When Confluence and Windows Go Bad

    It's the last episode of our fourth season! The security gods were kind to us and gave us a softball with some exploits that are in the news recently; code execution in Confluence and a new ms-msdt code execution exploit in Windows. Lastly, we talk about preparations for DEF CON (we hope to see you there)!

    We've loved this journey so far and are so thankful to have you all as listeners. Come say hi at DEF CON and grab a beer with us.

    - Windows ms-msdt PoC - https://gist.github.com/tothi/66290a42896a97920055e50128c9f040
    - Confluence OGNL Injection PoC - https://github.com/Nwqda/CVE-2022-26134

    Candice Diaz: Betrayal Trauma Coach, Wife, & Mom

    Candice Diaz is a wife and mother, and now, she’s also an advocate for couples who have been impacted by porn. She and her husband have personally experienced how porn can disrupt couple intimacy and relationship harmony, and she aims to be a voice of hope for people whose self-worth is impacted by their partner’s porn habit. During this conversation, podcast host Garrett Jonsson and Candice talk about her experience with betrayal trauma, how her husband’s porn consumption negatively impacted her body image, and how she and her husband are navigating their recovery.

    Click here to learn more about the guest, and access the resources discussed in this episode.

    To learn more about the harms of pornography on consumers, relationships, and its larger societal impacts, visit FTND.org.

    As you go about your day we invite you to increase your self-awareness, look both ways, check your blindspots, and consider before consuming.

    Fight the New Drug collaborates with a variety of qualified organizations and individuals with varying personal beliefs, affiliations, and political persuasions. As FTND is a non-religious and non-legislative organization, the personal beliefs, affiliations, and persuasions of any of our team members or of those we collaborate with do not reflect or impact the mission of Fight the New Drug.