Shows
Hacking the GibsonSeason 7 Episode 12 - Firewalls, Part 1Whether you’re working in cybersecurity or acting as your own tech support at home, you’ve probably heard about firewalls. A properly configured firewall acts like a fastidious border guard, making all the little data packets show their credentials before they can enter the country - er, the computer. In this episode, we’ll learn about the history of firewalls (including where that name came from), how they work, and how they’ve adapted from the days of big hair to the era of big data.
2023-10-2344 minHacking the GibsonSeason 7 Episode 11 - McFraudIn the 1990s and early 2000s, fast food giant McDonald’s teamed up with iconic board game Monopoly to run a promotion that lured customers with prizes ranging from a free small fries to a million dollars in cash. Pairing fast food with a game that’s famous for taking hours and straining family relationships might not seem like an obvious choice, but it generated a ton of buzz in the U.S. It all ended in scandal when the FBI charged the head of security for the contest with fraud and conspiracy for rigging the game. We’ll talk about...
2023-10-1624 minHacking the GibsonHacker Summer Camp 2023 Part 2Welcome to part two of Hacker Summer Camp, reviewing the highlights of hacking conventions our hosts attended this summer. Ymir and Hackalope share what they learned on a range of topics, from updates in the field of satellite and spacecraft security, cloud service event logging, and newly discovered vulnerabilities in keycard security systems. They also discuss how the hype cycle is distorting our understanding of AIs capabilities, and why humans are uniquely bad at distinguishing between writing generated by people and large language models.
2023-10-0927 minHacking the GibsonHacker Summer Camp 2023 Part 1At this year’s annual Black Hat convention in Las Vegas, artificial intelligence was top of mind for attendees and presenters alike. Join us as Hackalope recounts the talks and topics that got his brain churning. We discuss using AI in incursion and defense, and how it works as a modeling tool. We also talk about how the cost of cyber defense is straining budgets at smaller organizations, and a new wrinkle in the history of systems that are hard to get to, but easy to crack.
2023-10-0244 minHacking the GibsonSeason 7 Episode 10 - The New PhreakWe’ve Been Trying To Reach You About Your Firewall’s Extended Warranty
Voice over IP (or VoIP) lets a user make phone calls over a computer data connection rather than a phone line. This union of computing and calling enables lots of flexibility and fancy features, but it also makes phone calling vulnerable to all the security challenges of being on the Internet. We’re talking about the protocols and infrastructure of VoIP this week, and why phone fraud that doesn’t compromise a computer system can still be an infosec issue.
2023-09-2547 minHacking the GibsonSeason 7 Episode 9 - Where The Streets Have No PlaneOne of the main features of the Cold War was the great lengths the United States and Soviet Union went to gather intelligence about each other. Few of those went further than the U-2, a US spy plane so secret that its pilots were issued suicide pills, and so advanced that it could take detailed photographs from an altitude above most anti-aircraft defenses. This week, we’re talking about what happened when the Soviets finally managed to shoot down a U-2, and captured the plane and its pilot, Gary Powers, mostly intact.
2023-09-1829 minHacking the GibsonSeason 7 Episode 8 - Say It Ain’t NSOIn the constant arms race between cybersecurity and hackers, law enforcement is a huge player. Without effective oversight, programs they deploy to investigate potential crimes can easily be used for illegal mass surveillance, or to target and punish political dissent. This week we’re talking about the NSO Group, a vendor whose tools have emboldened law enforcement agencies, and also enabled human rights abuses by governments around the world.
2023-09-0432 minHacking the GibsonSeason 7 Episode 7 - Dorking, Dorking EverywhereGoogle has arguably the most comprehensive index of all the publicly identifiable websites, files, and servers that are available on the Internet. Inevitably, that’s going to include evidence of security vulnerabilities that might be turned up by the right search query. A “dork” is a specialized search string that can zero in on interesting results. Some of these are just curiosities, but others can hint at weaknesses for bad actors to exploit. This week, we’re talking about the development of Google Dorks alongside attempts to limit their utility for evil.
2023-08-2831 minHacking the GibsonSeason 7 Episode 6 - Dat Missile GapDuring the Cold War, information about the enemy's nuclear arsenal was a top priority for intelligence operations. Force deployment, base construction, and untold billions of dollars in weapons development all turned on how many nukes each side had pointed at the other. So what did military, intelligence, and political officials do when they couldn’t be sure of those all-important numbers? They made guesses that ranged from educated to outright exaggerated. This week, we’re talking about just how wrong our tally of the tools of armageddon actually was.
2023-08-2138 minHacking the GibsonSeason 7 Episode 5 - Viruses Part 2: Going ProThe mid-90’s to the end of the 2000’s is a fascinating period in the cat-and-mouse history of viruses and the methods to defend against them. Dozens of vulnerabilities were identified, exploited, and (mostly) fixed. New attack vectors were opened up as well, many of which are still with us today. Various countries started taking steps to criminalize viral attacks, cybersecurity became a real industry, and virus programmers went from pulling high-profile pranks to extorting billions through ransomware and fraud. Join us as we walk through some of the biggest milestone moments.
2023-08-0744 minHacking the GibsonSeason 7 Episode 4 - The JSTOR Underground: Sci HubJournal publishing is a cornerstone of science. It’s how new findings get shared with other researchers, and plays a huge role in career advancement for scientists. But the companies who control those journals charge exorbitant fees to access their papers, despite the fact that most of the research is paid for with taxpayer money. This week, we’re talking about a scrappy pirate website that’s liberating publicly funded scientific research from behind the publishers’ rapacious paywall.
2023-07-3130 minHacking the GibsonSeason 7 Episode 3 - PyPi In The FaceOpen-source code is woven into programs running on virtually every machine on Earth. When a free program solves a common problem, of course developers don’t want to solve the same problem from scratch. But widespread adaptation makes popular open-source software a tempting target for bad actors spreading malicious code. This week, we’re talking about the security risks presented by open-source adoption, and two resources attempting to make sharing and using open-source code more reliable.
2023-07-1137 minHacking the GibsonSeason 7 Episode 2 - APT Files: Deep Panda and SandwormJust in case you’ve been sleeping well lately, we’re back with some more scary bedtime stories about advanced persistent threats. This time, we’re talking about APTs where the attackers weren’t just looking to ransom data, they were actively trying to steal, or even destroy, data held by healthcare companies, veterans’ service providers, and energy companies. Learn more about their tactics, and the ways bad actors try to cover their tracks.
2023-07-0437 minHacking the GibsonSeason 7 Episode 1 - Getting The Soviet Blocks to FitTetris is one of the most popular video games of all time. Its simple premise and straightforward reward system (drop a block, clear a line) made it easy to learn and majorly addictive. But the game’s path to the world stage from the secrecy of the Cold War Soviet Union was as twisty as the game itself is elegant. Join us as we discuss the secret meetings, tense negotiations, and high-profile lawsuits over cleverly drafted contracts.
2023-06-2743 minHacking the GibsonSeason 6 Episode 12 - Virus AnthropologyViruses have been a part of computing history almost from the beginning. Programs that could hide on systems and replicate themselves onto other machines leapt from theory to actual code long before most people dreamed of having a computer in their homes. This week, we’re taking the long view, talking about the history of those early viruses. We’ll look at specific examples, trends in the types of programs we’ve seen, and the beginnings of the arms race between malicious software and antivirus protections.
2023-06-2038 minHacking the GibsonSeason 6 Episode 11 - Operation Ivy BellsIn the mid-80’s, Cold War spy games between the United States and USSR were taking place all over the world. Playing a hunch, US intelligence and the Navy were able to find and tap undersea cables carrying unencrypted Soviet communications. Info they gained from the tap helped guide negotiations on a landmark nuclear arms treaty. This week, we’ll talk about how they did it, what they learned, and why it came to an abrupt end.
2023-06-1325 minHacking the GibsonSeason 6 Episode 10 - How to Torture an Acronym: MITREThe MITRE Corporation is a nonprofit think tank with Cold War origins. MITRE has brought government, business, and academia together to develop some of the most important modern technical and logistical infrastructure. For cybersecurity pros, one of their most important developments is ATT&CK, a framework for identifying and labeling the methods used by bad actors.
2023-06-0637 minHacking the GibsonSeason 6 Episode 9 - Stupid Sexy SmartcardsThere are lots of ways to protect sensitive systems with multifactor authentication. Big businesses and government agencies often rely on physical, machine-readable cards assigned to specific users. Smartcards offer some advantages over passwords and pins, but setting up and running the systems to manage them can be a challenge. We’ll talk through some of the tools you’ll need and pitfalls to watch out for.
2023-05-3043 minHacking the GibsonSeason 6 Episode 8 - Internets Before The InternetThe modern Internet has made the global exchange of information easy, ubiquitous, and relatively inexpensive. But it’s only the latest expression of the human drive to communicate and share. This week, we’re looking at historical systems that used phone lines, telegraphs, and even pen and paper, to establish widespread, efficient networks of communication without computers.
2023-05-2330 minHacking the GibsonSeason 6 Episode 7 - Indistinct SignalsWe’re back on orbit this week, talking about two incidents from the 2000s where satellites in space were interfered with from the ground. We’ll talk about what the attackers were able to do, the kind of info that’s necessary to detect a satellite hack in progress, how trends in the aerospace industry make cybersecurity a challenge, and why physical security at a satellite control center might involve being eaten by a polar bear.
2023-05-1641 minHacking the GibsonSeason 6 Episode 6 - The APT Files - Elfin & LazarusAdvanced Persistent Threats (APTs) are the incursions that keep cybersecurity professionals up at night. When an attacker gets in undetected they can spend months or years installing malware, stealing data, and invading every corner of a network. This time, we’re profiling two hacking groups that have achieved APT status, the attacks that put them on the threat map, and the tools they used to work their dark magic.
2023-05-0933 minHacking the GibsonSeason 6 Episode 5 - No Solace In QuantumThe next leap forward in computing will likely come from calculating in the quantum realm. Harnessing the non-binary states of quantum bits could allow machines to run problems and break codes that would choke even the most powerful digital computers. Can we still protect our data in a world of quantum computers, or will their probabilistic problem-solving make encryption obsolete?
2023-05-0227 minHacking the GibsonSeason 6 Episode 4 - Windows Security Analysis Without a NetSecuring networked Windows machines is a badge of misery honor shared by admins the world over. But, like a lot of things in Windows, the tools to report and track potential security events can be about as helpful as a cat lying on the keyboard. Tune in for tips, tricks, and tetchiness about the audit utilities in Windows, and some external tools and techniques to make your system safer and your life easier.
2023-04-2549 minHacking the GibsonSeason 6 Episode 3 - Cyber MiseducationInformation technology is an ever-changing field. Cybersecurity paradigms can change overnight. New types of vulnerability are always being discovered, and niche tools can rapidly become industry standard. If you’re an aspiring cybersecurity professional, is getting an academic degree a good use of your time? Our hosts weigh in, and share their tips for getting hired with or without a degree.
2023-04-1848 minHacking the GibsonSeason 6 Episode 2 - Black Hat Time MachineThe year is 2013. The Harlem Shake is getting millions of views on Vine. “Selfie” is the Oxford English Dictionary’s word of the year. And thousands of computing professionals and enthusiasts have gathered for another installment of the Black Hat conference. Fire up the time circuits as we revisit the prescient presentations from the cybersecurity elite, and see how the trends they predicted have played out in the intervening decade.
2023-04-1126 minHacking the GibsonSeason 6 Episode 1 - Social EngineeringEven the most comprehensive network security is only as tight as its least careful user. When a system is compromised, it’s often because a user has been tricked into revealing their sign-in credentials. We’ll discuss the techniques used to tease out passwords, review some of the most dramatic incidents of this kind of attack, and tackle the big question: is a social engineering infiltration really “hacking” at all?
2023-04-0429 minHacking the GibsonSeason 5 Episode 12 - The L0phtIn 1998, several members of the hacking collective known as The L0pht accepted an invitation to testify in front of the United States Senate about “Weak Computer Security in Government.” These rock-star hackers schooled legislators on widespread vulnerabilities that threatened the information security of both government and private industry. Tune in to find out which ones have been addressed in the subsequent 25 years, and which ones haven’t. Stay tuned for a cameo by an actor turned Senator turned actor again.
2023-03-2830 minHacking the GibsonSeason 5 Episode 11 - Right to DespairElectronics are expensive, and replacing or upgrading parts can be a much cheaper, more sustainable way to keep your hardware humming. But the biggest obstacle to your right to repair a thing you own is often the company that originally sold it to you. We’ll talk about the tricks and tactics tech vendors use to keep you from updating gear on your own, and why, when you can’t trust vendors to be transparent, the right to repair depends on the right to hack in order to find vulnerabilities in the first place.
2023-03-2142 minHacking the GibsonSeason 5 Episode 10 - Hacking In The Sky With Diamonds, Part 2When a manmade satellite is whizzing through space at 11,000 kph, sending up a repair team to kick the tires is a non-starter. Ground-based mission crews can get around this by using virtual environments to simulate satellite software, hardware, and even the physics of being on orbit. And, there’s hardly ever been a useful computing tool that hackers couldn’t turn into a vector for a cyberattack.
2023-03-1430 minHacking the GibsonSeason 5 Episode 9 - Securing ElectionsIn 2016, a website of the Philippines election agency was hacked, and information on millions of voters was leaked. Can governments modernize election systems, while still keeping them secure from large-scale manipulation? We look to Brazil, which has been rigorously testing and securing its homegrown electronic voting system, for an example of how it might be done.
2023-03-0726 minHacking the GibsonSeason 5 Episode 8 - Sweet ScienceInsulin pumps are small, wearable computers. They help Type I Diabetes patients maintain safe blood glucose levels by delivering critical insulin without the need for injections. Thanks to the late Barnaby Jack and other cybersecurity researchers, we also know they’re vulnerable to being hacked. We’ll talk about the implications for patients, and how the medical regulatory system protects vendors and de-emphasizes fixes for even known vulnerabilities.
2023-02-2832 minHacking the GibsonSeason 5 Episode 7 - I'm in Love with Stasi's MomThe East German secret police, AKA the Stasi, kept the citizenry under their thumb through a combination of fear tactics and near-total surveillance. Neighbors, friends, even family members informed on each other, and Stasi operatives gathered huge troves of data which they used to influence and blackmail everyone they could. You won’t believe how broad - and how sinister - this pre-internet domestic spying program was.
2023-02-2134 minHacking the GibsonSeason 5 Episode 6 - Internet of ThreatsIf you want a twisted nightmare landscape dominated by machines, look no further than the Internet. Humans online are completely outnumbered by internet-enabled devices. Each one is a thing that might be able to run DOOM, and also a potential security problem. Go change the default password on your router, then learn about all the other things in your home that hackers could be targeting.
2023-02-1447 minHacking the GibsonSeason 5 Episode 5 - The Wrongfully AccusedTechnology moves a lot faster than the laws intended to regulate it. One of those tools is the Computer Fraud and Abuse Act, which was passed in 1984. Vague and outdated language in the CFAA gives ambitious law enforcers a lot of power to criminalize ordinary conduct and harass people who never could have known they were breaking the law. Join us for a few stories of unfortunate people caught up in that system.
2023-02-1338 minHacking the GibsonSeason 5 Episode 4 - Logging, The Final FrontierAn important part of cybersecurity is reviewing the messages our systems send about potential problems, and looking into the ones that seem most serious. But there’s no way a fragile human (or team) can check the sheer volume of pings coming from even fairly small systems. Fortunately, there are tools, tips, and tricks to reduce the flood of info down to a more manageable stream.
2023-02-061h 03Hacking the GibsonSeason 5 Episode 3 - Pwn to OwnHey, kid, you want a shot at some sweet new hardware? How about cash prizes? All you need to do is find and exploit (on the fly) a unique vulnerability in some of the world’s most popular tech. This week we’re exploring the history of Pwn to Own, one of the OG bug bounty contests that’s been digging up security vulnerabilities since 2007.
2023-01-3032 minHacking the GibsonSeason 5 Episode 2 - The Infamous 2600It’s November of 1992. The Internet is slowly starting to move beyond the boundaries of government and educational institutions. A group of hackers are meeting in broad daylight just outside our nation’s capital. What were they discussing that had law enforcement so worried? We don’t know. But we do know they bent the law as far as they could to break up the gathering.
2023-01-2327 minHacking the GibsonSeason 5 Episode 1 - Crypto Wars Pt 4What happens when the people in charge of setting the standards for secure cryptography are also tasked with spying on private communications? What could an intelligence agency do with a secret back door into widely adopted crypto? Could the open-source community discover the hidden vulnerability and make us all safer?
2023-01-1622 minHacking the GibsonSpecial Report - Mar-a-LagoA former president's home was raided, mishandling of presidential records and classified material is allged. So what happened, is it really differnet from events in the past, and exactly what are the rules and why? The US government classifcation system seems byzantine and archaic, in this episode we use these examples to explore why these policies exist and what we should take away from them for data security in general.
2023-01-0944 minHacking the GibsonFirst Year End SpecialIt’s been a year, and every week we’ve given you your dose of HtG. We’ve covered some of the Internet Hall of Fame, like John Postel and Paul Vixie. We’ve talked about some of the infamous like APT1 and Brian’s club. We’ve even eulogized a few of the greats that passed – Barnaby Jack and Dan Kaminsky, and a bunch of episodes on the Internet and how we got here. Wait until you see what we cover next year.
2023-01-0336 minHacking the GibsonSeason 4 Episode 12 - Going to ChurchQuis Custodiet Ipsos Custodes, Who watches the Watchers is an eternal question. Famously, the United States didn’t have an intelligence agency until World War 2. It only took a few more decades to realize that they needed oversight as well. It difficult not to be shocked at the breadth of activities uncovered by Sen Frank Church and his Select Committee to Study Governmental Operations with Respect to Intelligence Activities. This was far-reaching government oversight and it had far-reaching consequences.
2022-12-1933 minHacking the GibsonSeason 4 Episode 11 - The Crypto Wars Pt 3Universally available encryption tools started to pave the path of freedom and security on the Internet. The early 2000’s also brought technical content controls, using the same encryption tools, known as Digital Rights Management (DRM). Unfortunately for them every crypto-system can have weaknesses and the world is filled with hackers. This is the beginning of the Digital Millennium Copyright Act, Right to Repair, and first amendment protections for code.
2022-12-1240 minHacking the GibsonSeason 4 Episode 10 - The Crypto Wars Pt 2In part one we talked about DES, Horst Feistel, the NSA and the public. Who was right about the durability of the algorithm and key standard? How long was DES viable, and how long was it used?Even after the genesis of the DES algorithm and the drama associated, things were still incomplete. We still need asymmetric cryptography to achieve all the things that the Internet needs. We’ll talk through the history of RSA and what happened when source code wants to be free.
2022-12-0541 minHacking the GibsonSeason 4 Episode 9 - The Crypto Wars Pt 1Have you ever thought you would change the world? Have you ever read something from decades ago that saw so clearly into the future that it could have been written yesterday? The hero of our story did change the world and wrote an article for Scientific American that laid out the same case for digital privacy that we deal with today, in 1973. This is the story of the beginning of how the Internet got the cryptography tools we have today, and turbulent road it took. This is the first of a five episode series on the development, use, and failures...
2022-11-2840 minHacking the GibsonSeason 4 Episode 8 - Credit Card Fraud Pt 2Now we’re living in the future, right? All of the sins of the past have been absolved, and all our credit cards are secure, because everybody took lessons to heart, right? Well of course not, some old problems remain, some previous fixes didn’t work as well as intended, and some new problems have shown up. In this episode we talk about the solutions to some of the old problems that are nearly ubiquitous, and why we know that it hasn’t really solved credit card fraud.
2022-11-2145 minHacking the GibsonSeason 4 Episode 7 - Credit Card Fraud Pt 1Take out you wallet, inside you’ll have at least 3 on average in America. In much of the world it’s becoming the default payment method, and yet we cope with billions of dollars in fraud – approaching $12B in 2022. In this episode we’ll talk about the first one, the golden age of carding, and the early days of PCI DSS.
2022-11-1343 minHacking the GibsonSeason 4 Episode 6 - Operation PaperclipWhat would you do you win a war? What would you do after you won a war? The US had to face those questions, but in the reverse order. Seeing both the Nazi crimes and the science and weapons they developed, they were faced with a choice. Knowing that the confrontation with the Soviets was on the horizon, they chose to give a way out to a number of Nazi scientists regardless of their crimes. They started Operation Paperclip. We found that some of that science was cruelty dressed up as science, but also fundamental work that served as building...
2022-11-0731 minHacking the GibsonSeason 4 Episode 5 - Weird Wide Web Pt 3The modern web is a crazy place. We started with a simple protocol that gave us formatted text that was flexible about the way it was displayed, to active processing of user input, to globe spanning integration at all scales. It sometimes seem like the web services of the 2020’s has infinite variety and complexity. It would be a mistake to think that breadth of services and the economies of scale that has emerged to service them hasn’t cause some brand new problems. In the final episode of Internet fundamentals, we’ll go over some problems unique to this enviro...
2022-10-3153 minHacking the GibsonSeason 4 Episode 4 - Barnby Jack of All TradesWhat can we say about Barnaby Jack? Was his life cut short? Yes. Did he change how we think about device security? Absolutely. Did the work he left behind lay the groundwork for hacks to come? Without a doubt. By many accounts he took excesses to excess and paid the price. Dead at 36, for a reported drug overdose, he left a legacy, an impact in the community, and perhaps a warning. In the end, we still can’t forget him.
2022-10-2432 minHacking the GibsonSeason 4 Episode 3 - Weird Wide Web Pt 2In our first episode on HTTP we saw the seeds on the modern web be planted. The beginning sprouts of the active responsive web began to break the surface. This was both the start of the mania for Internet businesses and the large scale web attacks.
2022-10-1735 minHacking the GibsonSeason 4 Episode 2 - CIA Grab BagThe 50’s were a crazy time. The world was still coming to terms with the aftermath of World War II and the United States was just learning what it meant to be a superpower. And the CIA was trying to transition from a war-time intelligence service to one that could serve the long term strategic needs of the superpower. Perhaps a product of an exuberant can-do attitude, or a hubris born of fear and lack of consequences, the CIA had its share of missteps over the subsequent decades. Stories about the CIA are the gift that keeps on giving. We’ll t...
2022-10-1039 minHacking the GibsonSeason 4 Episode 1 - The Weird Wide Web Pt1The last fundamental technology of the modern Internet that lays the groundwork for the every more advanced attack is HyperText Transfer Protocol. Its the HTTP in your URLs, it’s the reason you can’t live with out a web browser. But most of us never thing about the why and how of the World Wide Web – or even that it’s not synonymous with the Internet. Now you don’t have to, we’ve done the work for you. Listen to our homage to Sir Tim Berners-Lee and how a mid-western college set the foundations for the web we have today.
2022-10-0353 minHacking the GibsonSeason 3 Episode 12 - Power to the UkraineAfter the removal of Viktor Yanukovych from the Ukrainian presidency he retreated to Russia. There had been a year of protest to remove him over his pro-Russia policies and the general desire to join the European Union. Yanukovych gave his backers the patina of legitimacy for Russia to invade. Putin’s aim? The Crimea, by whatever means necessary, be it propaganda, espionage, or violations of the Geneva Conventions. In 2014 he largely succeeded, but this was not enough. This episode is about the 2015 attempted takeover of the Ukrainian power grid, what we can now see as a preliminary to the invasion of...
2022-09-2625 minHacking the GibsonSeason 3 Episode 11 - LoFi WiFiIt’s almost as hard for us today to think about a world without WiFi as it is a world without an Internet. There was a time when you were bound to the place at home where the phone jack or possibly broadband connected. In offices across America moving your computer from your desk meant giving up a connection to the outside world. Then we started herding the untamed public use air waves, and connecting things together changed forever.WiFi’s ubiquity shows its necessity. The number of buildings that don’t have it in America is getting smalle...
2022-09-1950 minHacking the GibsonSeason 3 Episode 10 - Project AzorianThis week’s episode goes pretty deep. I mean the bottom of the ocean deep, literally. While there have been movies made about Project Azorian, it’s a plotline that could only come from the cold war CIA. Even Tom Clancy couldn’t sell a story about stealing a sunken Soviet submarine with the help of Howard Hughes. We got the story courtesy of the Los Angeles times and a few thieves who accidentally uncovered the evidence.
2022-09-1228 minHacking the GibsonSeason 3 Episode 9 - You have mailCan you imagine a world without email? While billions of people in the world don’t have an email address yet, chances are if you’re listening you do. Moreover you’ve probably had one for most of your life, or at least decades. If you have an email address, you’ve dealt with spam. Spam is almost as old as email, so how to stop it is one of the oldest problems in the Internet world. We’ll talk about how spam defenses for email delivery have evolved and the current standards.
2022-09-051h 06Hacking the GibsonSeason 3 Episode 8 - Google Being EvilFamously Google corporate motto was “Don’t be Evil”, there’s even in XKCD comic about it. One thing lead to another, and one billion lead to another, and sooner or later priorities change. At the end of that we found a multi-billion dollar company capturing enormous amounts of un-encrypted data almost everywhere in the US. The government got involved, fines were levied, but was it justice? Was it enough? Was it Evil?
2022-08-2930 minHacking the GibsonSeason 3 Episode 7 - Cobalt Strikes BackWhy is it that so much cybercrime gets committed using Cobalt Strike? A tool originally developed to help red teams mimic the behavior of attackers, it became a tool of the attackers. How did that happen? Why does it still happen? What does it mean for detection and attribution in the future? And perhaps most importantly, can we stop them from using our tools against us?
2022-08-2230 minHacking the GibsonSeason 3 Episode 6 - Ma Ma Ma My SatoshiIt's an investment, it's a scam, it's a dessert topping! It's Bitcoin and the whole family of alternative payment methods. No matter what else they've done, they've enabled cybercrime. In this episode we're going to talk about some of the original Bitcoin crimes and the first time we saw its use in ransomware.This episode was recorded before the general Crypto currency crash. The bitcoin values presented are somewhere close to the top of the market. We decided to publish it because the history hasn't changed even if the market has. Bitcoin itself isn't history though, in fact...
2022-08-1536 minHacking the GibsonSeason 3 Episode 5 - Rosenburg and Gildenstern are Dead Pt2Spies were caught, and the wheels of justice turned. Julius and Ethel were found guilty and sentenced to death, and fears rose about what our once ally might do with nuclear weapons. But had justice actually been served? Some testimony given was kept under wraps, some of the players escaped the highest penalties. Maybe this is how it had to be, maybe favorites were played for a quick decisive win. We may never know the complete truth, even today with a fallen USSR and testimony released more than 50 years later.
2022-08-0844 minHacking the GibsonSeason 3 Episode 4 - Rosenburg and Gildenstern are Dead Pt1Right between the end of World War 2 and the Cold War, there was a time of one nuclear power. It lasted just a hand full of years, and is almost unfathomable for us today. In Europe the Nazi’s had been defeated and the rebuilding of a continent was just beginning. We lived in a volatile miasma of our Soviet war time allies and an America with deep seated anti-communist sentiments. We saw what the future held and it was the bomb. There is a spy story that’s hard to avoid from this time, and may have caused the end...
2022-08-0136 minHacking the GibsonSeason 3 Episode 3 - One Network to Rule Them AllWhat is the Internet? Really, what makes the Internet the Internet? It’s not just agreeing on a set of rules and protocols. It’s not just the equipment and connections. It’s the universal participation, we don’t have a hand full of large networks, we have one globe spanning Internet. The Internet is the prime proof of Metcalfe’s Law, that a network’s value is the square of it’s nodes. This week’s episode is about the Internet down to the packet, how it works…. and sometimes doesn’t.
2022-07-2557 minHacking the GibsonSeason 3 Episode 2 - Hacking in the Sky with DiamondsWe’ve talked about hacking networks, computers, domains, and even typewriters - but look up. It’s a bird, it’s a plane, it’s a satellite. Satellites have come a long way from the beep beep beep of Sputnik One. Now they’re computers in the sky, only they have all the limitations of stuff that’s space bound. Satellite hacking is where a world that patches up to the minute clashes with systems that haven’t seen human hands for a decade or more.
2022-07-1835 minHacking the GibsonSeason 3 Episode 1 - Back from The Black HatJust in time for DefCON 30, an episode about the theme of DefCON 29. Yes it's another episode on ransomware, the gift the keeps on giving... and taking. In this episode we talk about several examples of ransomware victims, the costs they bore and if they paid. We also talk about cyber insurance, and the legal side of an incident.
2022-07-1140 minHacking the GibsonSeason 2 Episode 12 - Guerilla LoggingIt seems like logs are the beginning and end of security. Where do they come from, where are they going, and how do they get there? More hosts, more systems, more applications – what do we do with them all, and how do we keep from drowning? In the episode, we talk about some of the functional basics of how to start dealing with logs as complexity starts to grow. This is less a structured course, and more of discussion to give you sign posts to help you find the right direction to go.
2022-07-0453 minHacking the GibsonSeason 2 Episode 11 - Ransomware is REvilIf you’re an enterprise, and you use a Managed Service Provider (MSP), you’re paying them so you can let experts do the work for you. That doesn’t just mean that they keep the lights on these days; it also means monitoring, patching and securing access to your data. What happens if an attacker gets into their tools set? They don’t only get your business, they get everybody that MSP works for. It’s Hack once, exploit everywhere at its worst, and it’s down right REvil.
2022-06-2726 minHacking the GibsonSeason 2 Episode 10 - Solving Equations from the ShadowsWe’ve speculated that various malware efforts may have been created and used by US government actors, but how do we know? In this episode we talk about the tantalizing trail of evidence that attributes some very dangerous zero day vulnerabilities to the NSA. We know because exploit tools were stolen, put up for purchase and used by attackers as soon as they were released.
2022-06-2025 minHacking the GibsonSeason 2 Episode 9 - Educational VideogamesDid your mom or dad ever tell you that you were wasting time on video games? What if I told you that video games have spawned real world research in areas like economics and epidemiology? It’s not always a good time, but videogames can be educational.
2022-06-1338 minHacking the GibsonSeason 2 Episode 8 - Cult of the Dead CowPicture a hacker of the ‘90s, straight from central casting. Matthew Broderic from Wargames, but a bit scruffier and not as photogenic. That image along with the irreverent attitude to question all authority, tinker with everything and talk about it until every depth was plumbed and every point was down to nanometers, started with the dialup BBSs. No BBS has had more written about it, and made the same kind of mark as The Cult of the Dead Cow.
2022-06-0630 minHacking the GibsonSeason 2 Episode 7 - Ransoming a PipelineIt was bound to happen. After we’ve seen counties and cities, hospitals and businesses, all affected by ransomware, critical infrastructure was hit. In an episode that had ripple effects through most of the country for days or even weeks. When we have a world that requires computer remote control, the security has to match. This was an economic disaster, and with an oil pipeline, it could have been an ecological disaster. The US Department of Homeland Security raised the security standards as a result, but is it enough? Recorded shortly after the breach was reported, the Darkside ransomware group ca...
2022-05-3041 minHacking the GibsonSeason 2 Episode 6 - DNS DanYou can’t count me as objective on this, Dan Kaminsky is one of my hacker heroes. He died on April 23, 2021, not very long before the recording of this episode. I was always impressed by the clarity of his work and how easily I understood it and still marveled at it. In this episode we bring you through the maturing of DNS for the modern Internet and talk through Dan’s infamous 2008 vulnerability finding. This also led to the rise of DNSSEC, for which Dan was one of the original key holders.
2022-05-2337 minHacking the GibsonSeason 2 Episode 5 - What's in a NameWe all see computer names, like www.hackingthegibson.online, every day. Likewise, spending any time looking at networks will show IP addresses everywhere. You’ve heard of DNS, and you may even use some of the more advanced tools, but it’s hard to not take it for granted. This week’s episode is on the history and fundamentals of the Domain Name Service.
2022-05-1650 minHacking the GibsonSeason 2 Episode 4 - Bad CryptoHow could you not trust a company called Crypto? Over a hundred countries did. Unfortunately, the CIA was engineering backdoors and weaknesses from the start. For decades the CIA and NSA used the access enabled by the Crypto AG devices to spy on enemies, international players, and even allies. This is the story of probably the greatest intelligence coup of the entire Cold War.
2022-05-0954 minHacking the GibsonSeason 2 Episode 3 - FlashbackWhat ever happened to Flash? After being an indispensable component of the internet for over a decade, and the means for some of the earliest streaming, it’s gone. How did it start? Why did it end? And most importantly, what hacks happened in between?
2022-05-0233 minHacking the GibsonSeason 2 Episode 2 - Cracking EnigmaFrom Merriam-Webster “Enigma - something hard to understand or explain”. That’s fitting, because the Enigma system was one of the most formidable cryptosystems devised in the pre-digital era - and may be ever. The story of Alan Turning’s brilliance and foundational work in modern computing can’t be ignored, but he couldn’t have done it alone. In addition to the minds of Alan and his team in Bletchley Park, several other things had to fall into place. From flaws in the German implementation to covert intelligence and of course, gaining access to the hardware itself.
2022-04-2538 minHacking the GibsonSeason 2 Episode 1 - Certificate AuthoritiesCertificate Authorities are the cornerstone of our secure internet communications, but we rarely think about how much we should trust them. We’ll talk about what certificates are and how they work, even take a peek in to the mechanics of how they are issued. We’ll also talk about some of the times they didn’t live up to the trust that the Internet placers in them.
2022-04-1841 minHacking the GibsonSeason 1 Episode 12 - Exception Driver ErrorCompters are in everything nowadays. What about the computer in your car? Sure there have been little proprietary computers in cars for decades, but for modern cars and their infotainment systems you have modern hacking. The cars of tomorrow have the security risks of today, and the flip side of computer driven cars is hacked computer driven cars.
2022-04-1137 minHacking the GibsonSeason 1 Episode 11 - That's a Nice Internet You Have There Part 2From the indie cybercime scene to the big time. Now ransomeware is big business, not just targeting them but also operating like them and creating a whole marketplace. Not only that, but adding rocket fuel to a new part of the cyber security business - insurance. This is how ransomware came to strike fear in executive everywhere.
2022-04-0441 minHacking the GibsonSeason 1 Episode 10 - More Lulz More ProblemsFirst the was Anonymous, then Lulzsec. Sometimes antogonistic, occasionally aligned, but philisophically similar both made ansgt turned hacktivism something that couldn't be ignored. In operation AntiSec the lulz turned to panic by the large governments and corporations that were exposed. There's the thing - they were only exposed and not exploited. None the less the LOEs still came and extracted their price. Maybe it was showing off by people that might have deserved the consequences, or maybe it was the wake up call we all needed, but it definitely was Lulzsec.
2022-03-2841 minHacking the GibsonSeason 1 Episode 9 - That's a nice Internet you have thereHow long have we been dealing with ransomware? Where did it start, and what happened to make it such a big part on security today? We dive in to the history of ransomware, and show that it's perhaps not as simple as it seems.
2022-03-2136 minHacking the GibsonSeason 1 Episode 8 - The APT Files, Comment CrewAdvanced Persistent Threats (APT) are the boogeymen of enterprise cybersecurity. But who did ti start with? Where were they from and what did they do? This is all about APT 1, the Comment Crew.
2022-03-1445 minHacking the GibsonSpecial Report - Invasion of UkraineMaybe February 24th 2022 won’t be a moment that everyone will remember where they were when they heard, but it certainly won’t be forgotten soon. Russia, in an attempt to build the 3rd Russian Empire, invaded Ukraine. Unfortunately wars of aggression aren’t anything new, what is new is the Internet component. If Cyberwar is a war by Von Clausewitz’s definition, politics by Internet attack, then Hybrid war is just adding another battlefield. The Russian invasion of Ukraine is a near real time example of what happens when 2 nations that rely on Information Technology collide.
2022-03-1141 minHacking the GibsonSeason 1 Episode 7 - I can’t believe I scanned the whole thingWe know the Internet is big. There are than 4 billion addresses, but what if we wanted to see what's listening on every single one of them? In this episode we go over the development of the techniques to survey the entire Internet, and why people are constantly doing it.
2022-03-0750 minHacking the GibsonSeason 1 Episode 6 - For the LulzYou’ve heard of them, even if their name is supposed to make them unidentifiable. Yes, it’s an episode about Anonymous, the 4chan spawned… Group? Movement? Performance Art? We don’t know if anyone really knows, but we’re going to talk about what we do know. Remember:Anonymous is not your personal army.None of us is a cruel as all of us.We do it for the lulz.
2022-02-2848 minHacking the GibsonSeason 1 Episode 5 - The Italian JobEveryone knows the CIA can track you by your cellphone....except, apparently, the CIA. This is the story of a CIA operation gone wrong – gone very wrong, in a way that created a quagmire of international embarrassment, all due to poor cellphone operational security.Then NBC producer Matthew Cole tracked this story for years and uncovered the magnitude of the failures. Agents were burned, allies were angered, and international incident ensued. For what? Listen in for the most extraordinary of the extraordinary renditions.
2022-02-2136 minHacking the GibsonSeason 1 Episode 4 - Capital Assets2021 started off with a bang to try to unseat 2020 as the craziest year in recent history!In this episode we deviate a bit from our normal format to cover the riots in DC and the cyber security implications that may arise from this. Recorded just after the insurrection attempt on January 6th, 2021, we talk about an angle that wasn’t getting much attention at the time – the implications of stolen devices. We proved to be a bit prophetic – a member of the mob was later charged with one of the scenarios we discussed.
2022-02-1439 minHacking the GibsonSeason 1 Episode 3 - MimiKatzFrench hackers? What have they ever done? As it turns out, one of the most influential and dangerous hacking tools to appear in the last 10 years came from a French hacker. MimiKatz and the research it spawned has turned Active Directory security on its head. But how does it work? What can it be used for? And most importantly: How do we stop it?This episode talks about passing the hash and similar problems with Active Directory and Kerberos. This is down and dirty Active Directory security and you won’t want to miss it.
2022-02-0732 minHacking the GibsonSeason 1 Episode 2 - Sony ExposedIf you're a gamer and owned a PlayStation back in 2011 you may remember that little hiccup where the network exploded and didn't come back up for some time.We'll look into exactly what happened or what is thought to have happened during this attack and who the culprits may have been and what led up to this.
2022-01-3135 minHacking the GibsonSeason 1 Episode 1 - Operation Ghost ClickSomething strange in your Internet neighborhood? Who you gonna call? Not the Internet Police, that’s for sure. They don’t exist. But law enforcement sometimes tries to save the internet. It can require cooperation between multiple nations and years of efforts to put a stop to bad actors on the internet.This is the story of one of those efforts, and it’s a success story – but a rare one in the wild west of the internet.
2022-01-2428 minHacking the GibsonPre-Season Episode 4 - StuxnetIt’s still one of the most complex pieces of malware ever discovered. Stuxnet made headlines for years – a 1 megabyte monstrosity that was deployed as a digital weapon into the Middle East morass. The virus used four undisclosed zero-day Windows vulnerabilities to target a specific nation’s nuclear program using air-gap networks. Who made it? What was it for? What did it do?One thing is clear - Stuxnet was expensive. Stuxnet cost more money to develop than any other malware we know about. It still wasn’t perfect, and the places where it failed may give us clues ab...
2022-01-1733 minHacking the GibsonPre-Season Episode 3 - A Tale of two ProtocolsIt was the best of protocols, it was the worst of protocols. What would the Internet be without HTTPS? SSL and TLS started as a solution to using credit cards online, but it has become a requirement for almost every modern Internet application. In this episode we go over some of the fundamentals of HTTPS and how we got here.The journey covers Netscape, Heartbleed, and a lot of ground in between. If you’ve ever looked at a security report that had HTTPS findings for the web service, and had no idea what to look for, this mi...
2022-01-1734 minHacking the GibsonPre-Season Episode 2 - Operation GunmanHacking in the age of typewriters? It happened. This episode is a cold war spy story, a classic clash of the titans, the United States of America vs United Soviet Socailist Republics. This was one of the earliest public successes of the National Security Agency.In Operation Gunman we have an event ‘80 that has many things that we recognize today - keyloggers, exfiltration channels, supply chain security, and even a bug bounty (literally). Strict secrecy and clandestine office supply shipments were the order of the day, sorry any martini recipes remain undisclosed.
2022-01-1024 minHacking the GibsonPre-Season Episode 1 - My Favorite VirusThis is an episode about the havoc wrought by the virus W32/SQL.Slammer, sometimes referred to as the Sapphire worm. The worm was a weaponization of the vulnerability presented to the public more than 6 months before the worm started taking down networks far and wide. Why wasn’t the patch deployed? Why did it cause so much havoc? Why haven’t we seen anything quite like it since?This event, along with the other worms of this era, caused a re-examination of the priority of patching and other enterprise security practices. From the demands that vendors release patc...
2022-01-1025 min