Dec 01, 2021 / 37:35

EP 35: Digital Forensics

So you’ve been hit with ransomware and, for whatever reason, you paid the bitcoin but now the decryptor doesn’t work. Who are you going to call for help?

Paula Januszkiewicz, from Cqure, joins The Hacker Mind to discuss her two presentations at SecTor 2021 on digital forensics. She talks about the various ways criminal hackers hide their work, what happens after ransomware hits on a system, how investigators go about looking for recovery information, and what type of skills those practitioners need to succeed.

Nov 16, 2021 / 01:01:24

EP 34: Hacking Behavioral Biometrics

AI is almost good enough at simulating human activity to defeat the biometric systems designed to fight fraud, effectively putting us back at square one.

Iain Paterson and Justin Macorin join The Hacker Mind podcast to share insights from their SecTor 2021 talk on hacking behavioral biometrics. If an adversarial actor wants to simulate user behavior, that actor can use techniques similar to those that a behavioral biometrics firm would use to detect abnormal usage. The researchers predict that soon it'll be hard to tell a human user at the keyboard, or at the mouse, from a bot or AI-driven entity.

Nov 02, 2021 / 40:27

EP 33: Scanning the Internet

Traditional anti-malware research relies on customer systems but what if a particular malware wasn’t on the same platform as your solution software?

Marc-Etienne M. Léveillé from ESET joins The Hacker Mind podcast to talk about the challenges of building his own internet scanner to scan for elusive malware. Speaking at this year’s SecTor 2021, he shares some of his findings on Kobalos, a stealthy malware that uses SSH credentials to hide, that is perhaps much more easily exposed by scanning the IPv4 space -- all 3.7 billion addresses.

Oct 20, 2021 / 56:43

EP 32: The Hunt For Ghost #1

Ghost #1 was a digital film server that should have stayed blacklisted but due to a unique software flaw it continued to produce pirated films.

Patrick Von Sychowski from the Celluloid Junkie joins the Hacker Mind podcast to discuss his SecTor 2021 talk on Ghost #1, explaining how the transition from 35mm to digital in theaters and the unique third iteration of cinema in China allowed this digital projector to evade anti-piracy safeguards for nearly three years. He credits one engineer at the Chinese propaganda department for helping solve a mystery that resulted in the largest film piracy takedown operation of all time, anywhere in the world.

In 2016, the Mirai IoT botnet shut down part of the internet, yet variations still plague us today. Maybe our current approach to IoT botnets isn’t working? 

Ali Davanian and Ahmad Darki join the Hacker Mind podcast to discuss their Black Hat USA 2021 talk and their tool, CnCHunter, which looks for active CnC servers that can be discovered, so law enforcement can take them down, or at least networks can block them, effectively denying them access to the hundreds of thousands of compromised devices worldwide.

Sep 22, 2021 / 58:57

EP 30: Surviving Stalkerware

What role does technology play in facilitating intimate partner abuse? What role might the security industry have in identifying or even stopping it?

Martijn Grooten and Lodrina Cherne join The Hacker Mind podcast to discuss their Black Hat USA 2021 presentation. They talk about how software and IoT companies can avoid becoming the next Black Mirror episode and share resources that can help survivors (and those who want to help them) deal with the technology issues that can be associated with technologically facilitated abuse.

PPP wanted to give their past high school selves the infosec education they didn’t have. But if you think picoCTF is only for HS students, think again. 

Megan Kearns of Carnegie-Mellon University's Cylab joins The Hacker Mind to talk about the early days and the continued evolution of this popular online infosec competition site. No matter what your age or interest level, picoCTF probably has something new for you to learn.

 

Aug 25, 2021 / 35:16

EP 28: Fuzzing Hyper-V

At Black Hat USA 2021, two researchers presented how they used their own fuzzer designed for hypervisors to find a critical vulnerability in Microsoft Azure. 

 

Ophir Harpaz and Peleg Hadar join The Hacker Mind to discuss their journey from designing a custom hypervisor fuzzer to identifying a vulnerability within Hyper-V and how their new research tool, hAFL1, can benefit others looking to secure cloud architectures.

Aug 10, 2021 / 42:11

EP 27: Car Hacking 0x05

We haven’t seen many attacks on our smart cars. That’s perhaps because of a dedicated group of hackers who are working to improve automotive security.

Robert Leale, the driving force behind the Car Hacking village at DEF CON, joins The Hacker Mind to talk about CANBus basics, and whether we’ll see cars subjected to ransomware attacks. He also shares some tools, books, and website resources that you can use to get started hacking cars yourself.

Jul 27, 2021 / 36:49

EP 26: Hacking Charity

Hackers are charitable in ways that might surprise you. Whether it is in Africa or rural Arkansas, hackers find ways to use their skills for good reasons.

 

Jack Daniel and Jason Kent return to The Hacker Mind to discuss the various ways hackers are helping society by contributing to charitable organizations … even starting their own. From BSides, to DerbyCon, to Shmoocon, even on the Apple App Store you can find evidence of their hard work.

Jul 13, 2021 / 48:11

EP 25: Hacking Communities

As we head to Hacker Summer Camp, how should we rebuild our infosec communities to be more inclusive and diverse? Jack Daniel offers his unique voice.  

As one of the founders of BSides, and as a community advocate for Tenable, Jack provides guidance on how we can re-emerge from the pandemic and successfully amplify and support people of different ethnicities, faiths, and genders within our hacking communities without being patronizing.

Jun 29, 2021 / 35:14

EP 24: Hacking Biology

There are a lot of parallels between computer security and biology. If you think you already understand hacking systems, then I’ve got a story for you.

In this episode, Harrison Green talks about his experience creating exploits during capture the flag competitions and how it relates to his current day-to-day work with the Durrant Lab at the University of Pittsburgh on computational biology.

Jun 15, 2021 / 42:24

EP 23: Hacking APIs

APIs are vital in our mobile digital world, but the consequences of API security flaws have yet to be seen. So how hard is it to hack APIs? Not very hard.

In this episode, Jason Kent from Cequence talks about his experience hacking a garage door opener API, the tools he uses such as Burp, ZAP, and APK tool, and why we need to be paying more attention to the OWASP API Security Top 10.

Jun 01, 2021 / 43:58

EP 22: Hacking Social Media

With more than 600K followers on YouTube, LiveOverflow is one of infosec’s first social media influencers. How did he get started and what’s next? 

In this episode, LiveOverflow talks about his six years of producing engaging YouTube content and what the rise of social media influencers might mean for traditional conferences like Black Hat. He also gives a preview of his new YouTube series on the sudo vulnerability.

May 18, 2021 / 49:11

EP 21: Hacking Ransomware

What if you discovered a flaw in a ransomware payment system that unlocked the data without paying the ransom? Would you use it? Would you help others?

 

In this episode, Jack Cable talks about hacking the Qlocker ransomware and briefly interrupting its payment system. He also talks about his infosec journey hacking cryptocurrencies, joining the Digital Defense Service and CISA, and helping secure the 2020 presidential election… all before the age of 22. 

May 04, 2021 / 43:03

EP 20: MITRE ATT&CK Evaluations

MITRE ATT&CK catalogs the known tactics, techniques, and procedures of past advanced persistent threats, providing a roadmap for any red or blue team.

In this episode, Frank Duff, Director of ATT&CK Evaluations for MITRE Engenuity, talks about how both red and blue teams can directly benefit from ATT&CK, and how organizations -- and even some security vendors -- are now evaluating their solutions against it.

Apr 20, 2021 / 40:31

EP 19: Hacking IoT

It seems everything smart is hackable, with startups sometimes repeating security mistakes first made decades ago. How then does one start securing IoT?

In this episode, Beau Woods and Paulino Calderon discuss their book, Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. They talk about IoT threat models, the technologies being used today, and what tools and knowledge you need to get started successfully hacking IoT devices today.

Apr 06, 2021 / 36:18

EP 18: Hacking Diversity

You’d think that having an amazing resume, a couple of bug bounties, or a CTF win would land you that dream infosec job. For many, though, that isn’t true.

That’s why Tennisha Martin founded Black Girls Hack, an organization designed to help the next generation receive the skills and experience they need to land jobs in the C-suites, and perhaps begin to address the acute shortage of infosec professionals with qualified people of color.

Mar 24, 2021 / 30:54

EP 17: Shellshock

Shortly after OpenSSL’s Heartbleed, Shellshock was discovered lurking in Bash code two decades old. How could open source software be vulnerable for so long?

This episode looks at how fuzz testing has evolved over the years, how open source projects have for the most part gone untested over time, and how new efforts to match fuzzing to software development are today helping to discover dangerous new vulnerabilities before they become the next Shellshock.

What is the allure of lockpicking at hacker conferences? In this episode Deviant Ollam explains why these mechanical puzzles remain popular with hackers.

Ollam, who was an early member of Toool, The Open Organization of Lockpickers, discusses his career as a physical pen tester and also shares some basic lockpicking hacks.

To help more people become penetration testers, Kim Crawley and Phillip L. Wylie wrote The Pentester BluePrint: Starting A Career As An Ethical Hacker. 

 

In this episode of The Hacker Mind, Kim talks about the practical steps anyone can take to gain the skills and confidence necessary to become a successful pentester -- from gaining certifications, to building your own lab, to participating in bug bounties and even CTFs. 

Feb 09, 2021 / 37:50

EP 14: The Right To Repair

How do the current DMCA laws impact those who hack digital devices? And why doesn’t the basic right to repair our devices extend into the digital world?

To answer these questions, Paul Roberts, Editor-in-Chief of The Security Ledger, has founded securepairs.org, a group of infosec experts who are volunteering their free time to fight for the digital right to repair in local legislation. In this episode of The Hacker Mind, Paul talks about the consequences of not paying enough attention today.

Jan 26, 2021 / 39:03

EP 13: Shall We Play A Game?

Capture the Flag is a game, a community, and a really cool hacker culture. But will we one day stream CTFs like we do World of Warcraft or League of Legends?

Whether it’s designing or just playing CTFs, John Hammond knows a lot about the gamification of infosec. He even has his own YouTube channel where he shares what he’s learned from different challenges. In this episode of The Hacker Mind John shares his experiences building and executing his own CTFs.

Jan 13, 2021 / 35:42

EP 12: Hacking Healthcare

After breaches like SolarWinds, companies pledge to improve their digital hygiene. What if they don’t? And what parallels might infosec learn from COVID-19?

In this episode, Mike Ahmadi draws on his years of experience in infosec and his years hacking medical devices. Mike notes how some basic rules of physical hygiene that can slow the spread of COVID-19 can also map into the digital world.

Dec 08, 2020 / 25:17

EP 11: Hacking OpenWRT

For three years OpenWRT had a severe validation problem with its download package manager, until a fuzz tester found and reported the vulnerability.  

 

In this episode, Guido Vranken talks about his approach to hacking, about the differences between memory safe and unsafe languages, his use of fuzz testing as a preferred tool, and how he came to discover the validation error in OpenWRT, as well as a serialization error in Cereal, and other vulnerabilities. 

Nov 24, 2020 / 28:58

EP 10: Hunting The Next Heartbleed

For two years Heartbleed was a zero-day in OpenSSL until fuzz testing exposed it. How many others are in the wild now? And how will we find the next one?

 

In this episode I talk about how Heartbleed (CVE-2014-0160) was found and also interview Rauli Kaksonen, someone who was at Codenomicon at the time of its discovery and is now a senior security specialist at the University of Oulu in Finland, about how new security tools are still needed to find the next big zero day.

Nov 10, 2020 / 34:40

EP 09: Bug Bounty Hunters

You’ve probably heard of bug bounties. But did you know there’s an elite group of bug bounty hunters that travel the world? Meet Stok; he’s one of them.

In this episode, Stok talks about his beginnings in enterprise security and his transition into the top tier of bug bounty hunters. Star of his own YouTube channel, Stok believes in community and in giving back what he’s learned along the way.

Oct 27, 2020 / 29:24

EP 08: Hacking Voting Systems

While digital polling booth devices are more secure today, what about the larger ecosystem, starting from the moment you register until your vote is counted? Who’s keeping those systems secure?

 

In this episode of The Hacker Mind, Dr. Jared DeMott of VDA Labs talks about his work securing voter registration tablets and also about the prospects for downloadable, safe voting applications on your preferred mobile device in the future.

Oct 13, 2020 / 20:58

EP 07: Hacking the Chrome Sandbox

In 1994, the first commercial internet browser was released. Netscape Navigator went on to be eclipsed by Internet Explorer, Safari, Firefox, and now Chrome, but it helped kick-start the internet-focused world we live in today. And along with that we’ve also learned a lot about browser security.

 

No matter how strong we build our browsers, that does not prevent hackers from trying to break new things. In this episode, one researcher explains how he successfully escaped the Chrome sandbox, and how bug bounties might just be a good thing resulting in better security for us all. 

If you think hacking only involves the use of a keyboard or code, then you’re probably missing out. What about using light? What about using sound?

In this episode, The Hacker Mind looks at some of the work Dr. Kevin Fu has been doing at the University of Michigan -- in particular using laser pointers to pwn voice-activated digital assistants, and using specific frequencies of sound to corrupt or crash magnetic hard disk drives.

In the infosec world, blue team hackers are hands down the more elite--and why not? They are defending the crown jewels, 24/7. They have to think of every attack vector. And the red team? They only have to be right once.

Game Theory is an important part of the underlying strategy used by hackers when playing attack and defend Capture the Flag. It’s thinking how your opponent might respond to an event and then planning for it. Knowing when to patch and when not to was part of the winning strategy behind DARPA’s 2016 Cyber Grand Challenge, which was modeled off the DEF CON CTF. 

But what happened the day after CGC at DEF CON 24? That was the day the very best human CTF hackers were invited to play against the winner of CGC, a computer reasoning system named Mayhem. This episode of The Hacker Mind starts to answer the question, can a machine really think like a hacker?

DARPA’s Cyber Grand Challenge in 2016 showed the world what's coming -- autonomous adversaries -- and raised serious questions. How can organizations react to something that makes decisions in milliseconds? How can you still have humans in the loop when reaction time is key? And how can organizations defend or stop something that increases its own cyber capabilities autonomously?

 

In this episode we go behind the scenes for the first and only completely autonomous capture the flag competition at DEF CON 24 with Team ForAllSecure.

After winning DEF CON's annual Capture The Flag (CTF) competition five of the last seven years, the Plaid Parliament of Pwning (PPP) returns as reigning champions but under very different conditions because of COVID 19. So, how is the team preparing?  

 

In this The Hacker Mind episode, one of PPP's members, Zaratec, tells how she first joined PPP, how the team is making changes for this year's online CTF final, and what skills she’s learned from CTFs in general that apply to real-world infosec jobs.

In this inaugural episode, The Hacker Mind looks at why the West Point Military Academy, and other organizations within the DoD, is training its young cadets to hack. The answer? To help fill a critical shortage of infosec experts that is only getting worse.

 

This is the story of how DARPA created a series of capture the flag contests to train and define infosec talent at the U.S. military academies, and how one young cadet joined a team of competitive hackers at West Point.

Jul 15, 2020 / 01:55

EP 00: The Hacker Mind (Promo)

Welcome to Hacker Mind, an original podcast from ForAllSecure. It’s about solving software security problems through advanced fuzz testing technology. 

In each episode, host Robert Vamosi shares stories from the individuals who are influencing the world of software security, and the real world impact that is having in our cars, our planes, our weapons systems, and in our mobile phones and browsers.