В качестве возвращения и начала нового сезона осень-зима 2017-2018, Андрей и Алиса кратенько прошлись по последним новостям

Взлом сайтів в доменій зоні *.gov.ua та помилка у CERT-UA https://goo.gl/A6kJve 4G/5G Wireless Networks as Vulnerable as WiFi and putting SmartCities at Risk http://securityaffairs.co/wordpress/64098/hacking/4g5g-wireless-networks-flaws.html Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold https://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/ FIN7 hacking group is switched to new techniques to evade detection http://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html VPN logs helped unmask alleged 'net stalker, say feds http://www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/ Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim http://www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/ Sri Lanka police arrest two men over cyber theft at the Taiwan Bank http://securityaffairs.co/wordpress/64034/cyber-crime/taiwan-bank-cyber-heist.html Microsoft Cortana Can Now Read Your Skype Messages to Make Chat Smarter https://thehackernews.com/2017/10/cortana-for-skype.html Warning: Millions Of P0rnHub Users Hit With Malvertising Attack https://thehackernews.com/2017/10/online-malvertising-attack.html Disqus Hacked: More than 17.5 Million Users' Details Stolen in 2012 Breach https://thehackernews.com/2017/10/disqus-comment-system-hacked.html The iPhone's Constant Password Popups Are a Hacker's Dream https://motherboard.vice.com/en_us/article/ne7gxz/ios-iphone-password-phishing-app-popups

Music - KEYGEN MUSIC ~ One hour mix https://www.youtube.com/watch?v=c17k4LfLkaE

Intro / Outro Finest Cockles by Blah Blah Blah http://freemusicarchive.org/music/Blah_Blah_Blah/MOONRAKER_5317_1904/Finest_Cockles Интервью с Максимом Тульевым о блокировках и будущем украинского интернета

Intro / Outro I Do Believe I've Had Enough by Zephaniah And The 18 Wheelers http://freemusicarchive.org/music/Zephaniah_And_The_18_Wheelers/Live_On_WFMUs_Honky_Tonk_Radio_Girl_Program_with_Becky_11316/Zephaniah_And_The_18_Wheelers_02_I_Do_Believe_Ive_Had_Enough Big 4 of the top security and privacy conferences: S&P ("Oakland"), NDSS, CCS and USENIX Security. Наука не делается самостоятельно, a нужно учиться у передовых исследований, как они интегрируются с практикой, понимать их уровень, и себя показывать. По-этому, для того кто первый с украинским affiliation опубликует статью на этих конференциях - с меня можно пообещать "коньяк" :) The Network and Distributed System Security Symposium (NDSS) 2017 by Internet Society - http://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017 > From the keynote speech by J. Alex Halderman: "Want to Know if the Election was Hacked? Look at the Ballots" - https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba "Securing Digital Democracy" course - https://www.coursera.org/learn/digital-democracy Video - https://www.youtube.com/watch?v=Snoo6CXiyWU&feature=youtu.be > Web Security section: "(Cross-)Browser Fingerprinting via OS and Hardware Level Features" by Yinzhi Cao et al. - https://www.internetsociety.org/doc/cross-browser-fingerprinting-os-and-hardware-level-features Websites to test your browser and device fingerprint: https://panopticlick.eff.org https://amiunique.org http://uniquemachine.org (now, cross-browser!) "Fake Co-visitation Injection Attacks to Recommender Systems" by Guolei Yang et al. - https://www.internetsociety.org/doc/fake-co-visitation-injection-attacks-recommender-systems > User Authentication section: "Cracking Android Pattern Lock in Five Attempts" by Guixin Ye at el. - https://www.internetsociety.org/doc/cracking-android-pattern-lock-five-attempts "Towards Implicit Visual Memory-Based Authentication" by  - https://www.internetsociety.org/doc/towards-implicit-visual-memory-based-authentication > TLS et al. (several papers on Diffie-Hellman and more) "The Security Impact of HTTPS Interception" by Zakir Durumeric et al. - https://www.internetsociety.org/doc/security-impact-https-interception "WireGuard: Next Generation Kernel Network Tunnel" by Claude Castelluccia et al. - https://www.internetsociety.org/doc/wireguard-next-generation-kernel-network-tunnel  (by a single author, Jason Donenfeld!) More on WireGuard: https://fosdem.org/2017/schedule/event/wireguard/ https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-2016 https://www.wireguard.io > On Tor: "The Effect of DNS on Tor's Anonymity" by Benjamin Greschbach et al. - https://www.internetsociety.org/doc/e-effect-dns-tors-anonymity "Avoiding The Man on the Wire: Improving Tor's Security with Trust-Aware Path Selection" by Aaron Johnson et al.  - https://www.internetsociety.org/doc/avoding-man-wire-improving-tors-security-trust-aware-path-selection  (more on proper path selection for Tor, possible attacks on Astoria). > Malware: "Dial One for Scam: A Large-Scale Analysis of Technical Support Scams" - наша статья, получившая Distinguished Paper Award! https://www.internetsociety.org/doc/dial-one-scam-large-scale-analysis-technical-support-scams "MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models" by Enrico Mariconti et al. - https://www.internetsociety.org/doc/mamadroid-detecting-android-malware-building-markov-chains-behavioral-models "A Broad View of the Ecosystem of Socially Engineered Exploit Documents" by Stevens Le Blond et al. - https://www.internetsociety.org/doc/broad-view-ecosystem-socially-engineered-exploit-document s (можно проводить много интересных исследований на базе данных из VirusTotal). ... and much more interesting works on SGX, virtualization, and binary reassembly, etc. Plus, a DNS Privacy Workshop program - https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme

Intro / Outro Semme Automatic Stay the Course https://www.jamendo.com/track/1421989/stay-the-course 00:00:34 Слухи про блокировки в интернетах ДО их официальной блокировки 00:04:52 Давайте поговорим про фищинг 00:07:40 Google Docs users hit with sophisticated phishing attack https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam 00:08:44 Recruiters considered really harmful: Devs on GitHub hit with booby-trapped fake job emails https://www.theregister.co.uk/2017/03/30/github_devs_malware_mails/ 00:09:47 Получили письмо из налоговой? 00:11:08 __blank в Edge Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit https://www.scmagazine.com/researcher-pwns-charles-darwin-to-demonstrate-microsoft-edge-exploit/article/652807/ 00:13:16 Захист від фішингу від Британської податкової 00:14:27 https://en.wikipedia.org/wiki/Phishing 00:24:45 В Тернополе в торговом центре мужчина при свидетелях открыл банкомат и похитил оттуда полмиллиона (видео) https://www.unian.net/incidents/1893219-v-ternopole-v-torgovom-torgovom-tsentre-mujchina-pri-svidetelyah-otkryil-bankomat-i-pohitil-ottuda-polmilliona-video.html 00:29:06 Prevent & report phishing attacks https://support.google.com/websearch/answer/106318?hl=en 00:31:53 Киберполиция Украины помогла ликвидировать киберсеть "Аваланш" (Avalanche), которая с 2009 года использовалась для распространения вредоносных программ, спама и фишинга - ITC.ua http://itc.ua/news/kiberpolitsiya-ukrainyi-likvidirovali-kiberset-avalansh-avalanche-kotoraya-s-2009-goda-ispolzovalas-dlya-rasprostraneniya-vredonosnyih-programm-i-spama-a-takzhe-fishinga-i-otmyivaniya-deneg/

Intro / Outro Lady We Knew by Cullah http://freemusicarchive.org/music/MC_Cullah/Cullahmity/03_-_Lady_We_Knew Hackers Can Easily Hijack This Dildo Camera and Livestream the Inside of Your Vagina (Or Butt) https://motherboard.vice.com/en_us/article/camera-dildo-svakom-siime-eye-hacked-livestream?utm_source=mbtwitter Teampass http://teampass.net/ Squid: Optimising Web Delivery http://www.squid-cache.org/ SNORT https://www.snort.org/ Suricata https://suricata-ids.org/ pfSense https://www.pfsense.org/ Life and death for Windows: Vista support ends as Creators Update starts to roll out https://www.geekwire.com/2017/microsoft-makes-april-11-a-day-of-life-and-death-for-versions-of-windows-and-office/

Intro / Outro Just Wait by Drake Stafford http://freemusicarchive.org/music/Drake_Stafford/SUNDAY/JUST_WAIT_-_DRAKE_STAFFORD Identity management system https://en.wikipedia.org/wiki/Identity_management_systems Dashlane https://www.dashlane.com TeamPass http://teampass.net/ Microsoft built a special government-approved version of Windows 10 for China https://thenextweb.com/microsoft/2016/03/28/microsoft-windows-10-china/

Intro / Outro StrangeZero - Burnin Star  https://www.jamendo.com/track/1378740/burnin-star 00:03:12 Vault 7: CIA Hacking Tools Revealed https://wikileaks.org/ciav7p1/ Vault 7 Megathread - Technical Analysis & Commentary of the CIA Hacking Tools Leak https://www.reddit.com/r/netsec/comments/5y1pag/vault_7_megathread_technical_analysis_commentary/ 00:06:10 Интервью с Евгением Пилянкевичем. Связаться с Евгением можно по почте [email protected] или в твиттере @9gunpi Acra https://www.cossacklabs.com/acra/ Work Rules!: Insights from Inside Google That Will Transform How You Live and Lead https://www.amazon.com/Work-Rules-Insights-Inside-Transform/dp/1455554790/ref=asap_bc?ie=UTF8 A Graduate Course in Applied Cryptography https://crypto.stanford.edu/~dabo/cryptobook/

Intro / Outro Brady Harris  - Welcome Me Back https://www.jamendo.com/track/1381589/welcome-me-back 00:01:24 Incident report on memory leak caused by Cloudflare parser bug https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ Pragmatic thoughts on #CloudBleed https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/ 00:11:14 We have broken SHA-1 in practice http://shattered.io/ 00:19:26 KasperskyOS 11-11: в России разработана уникальная операционная система https://hi-tech.mail.ru/news/kaspersky-os-11-11/ 00:23:15 Microsoft forced to issue emergency Flash fix after delaying Windows patches http://www.theverge.com/2017/2/22/14696358/microsoft-security-fix-adobe-flash-february-2017-patch-tuesday 00:30:08 China just made VPNs illegal https://www.engadget.com/2017/01/23/china-vpn-illegal-internet-censorship-government-approval/ An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf 00:35:14 Security experts now warn AGAINST changing online passwords often as it leaves Brits vulnerable to hackers https://www.thesun.co.uk/news/2865824/security-experts-now-warn-against-changing-online-passwords-often-as-it-leaves-brits-vulnerable-to-hackers/

Intro / Outro Muciojad - Before I sleep https://www.jamendo.com/track/1406716/before-i-sleep 00:00:44 Best company name ever! Share capital £1, name priceless… https://nakedsecurity.sophos.com/2017/01/06/best-company-name-ever-share-capital-1-name-priceless/ 00:04:07 Bug Bounty anniversary promotion: bigger bounties in January and February https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february 00:05:13 Немного истории о расскрытии уязвимостей Disclosing vulnerabilities to protect users https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html Charlie Miller and Apple. iPhone Security Bug Lets Innocent-Looking Apps Go Bad http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/#5fd06fe62336 Legal woes http://martin.swende.se/blog/IP-issues.html Fatal flaw found in PricewaterhouseCoopers SAP security software http://www.theregister.co.uk/2016/12/09/fatal_flaw_in_pricewaterhousecoopers_sap_software/  00:29:23 MongoDB hackers now sacking ElasticSearch http://www.theregister.co.uk/2017/01/13/elasticsearch_mongodb/ 00:30:46 WordPress plugs eight holes in latest release http://www.theregister.co.uk/2017/01/13/wordpress_plugs_eight_holes_in_latest_release/ 00:31:17 Peace-sign selfie fools menaced by fingerprint-harvesting tech http://www.theregister.co.uk/2017/01/12/fingerprint_photographs/ 00:32:21 We already have a contender for the "Best PR Description" aware for 2017 https://github.com/rapid7/metasploit-framework/pull/7815 00:33:20 ISC squishes BIND packet-of-death bugs http://www.theregister.co.uk/2017/01/13/isc_fixes_bind_denialofservice_vuls/ 00:34:01 Docker swings door shut on privilege escalation bug http://www.theregister.co.uk/2017/01/12/docker_container_escape_vuln_patched/ 00:34:23 GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug http://www.theregister.co.uk/2017/01/11/godaddy_pulls_unvalidated_digital_certs/ 00:34:45 Who is Anna-Senpai, the Mirai Worm Author? https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/ 00:35:23 Windows 10 anniversary update: Security and privacy, hope and change? http://www.welivesecurity.com/2017/01/12/windows-10-anniversary-update-security-privacy/