Capital One gets hacked, critical vulnerabilities are found in iMessage, and data anonymization may not be as good as we hope. But listen up, we also discuss the Legend of Zelda, a biography of tech giants, offer advice for escaping an angry moose, and are introduced to… Penelope?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by technology journalist and broadcaster David McClelland.
Smashing Security #139: 'Capital One hacked, iMessage flaws, and anonymity my ass!'
Listen on Apple Podcasts | Spotify | Google Podcasts | Pocket Casts | Other... | RSS
Graham Cluley – @gcluley
Carole Theriault – @caroletheriault
David McClelland – @davidmcclelland
- Woman arrested after Capital One hack spills personal info on 106 million — Tripwire.
- South Seattle woman arrested, charged in massive data breach of Capital One — The Seattle Times.
- Love Bug suspect speaks — BBC News speaks to the author of the Michael-B Word macro virus.
- United States vs Paige A Thompson (PDF)
- Ranji Sinha on Twitter: "Managed to get video of the raid in Seattle that lead to the arrest of Paige Thompson" — Twitter.
- Capital One Hit With First Class Action Over Security Breach — Bloomberg.
- Google reveals fistful of flaws in Apple's iMessage app — BBC News.
- Google researchers disclose vulnerabilities for 'interactionless' iOS attacks — ZDNet.
- Earn up to $200,000 as Apple *finally* launches a bug bounty — Graham Cluley.
- Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone — Black Hat USA 2019
- Your Data Were ‘Anonymized’? These Scientists Can Still Identify You — New York Times.
- Estimating the success of re-identifications in incomplete datasets using generative models — Nature.
- Hackers breach FSB contractor, expose Tor deanonymization project and more — ZDNet.
- The Legend of Zelda: Breath of the Wild — Wikipedia.
- The Making of The Legend of Zelda: Breath of the Wild – The Beginning — YouTube.
- Steve Jobs book by Walter Isaacson — Simon & Schuster
- The Innovators by Walter Isaacson — Simon & Schuster
- What knowledge might save your life one day? — Reddit.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
5 comments on “Smashing Security podcast #139: Capital One hacked, iMessage flaws, and anonymity my ass!”
I take it that your sarcasm relating to the word "Data" is a knock at Troy Hunt and his use of the word, i must say not very funny and highly intolerant. I might go as far as to say that the childish squabbling between you Graham and you Carole that you use as comic relief in each episode is getting quite tiresome again, i don't get it, if you get on each others nerves so much , why work together. I am seriously rethinking of whether this podcast is worth listening to, if it weren't for guests like Maria, David, Mikko and others I probably would have done a while ago.
Huh? I have no idea how Troy uses the word "data". Whatever we said on the podcast that upset you was nothing to do with Troy.
If you'd worked in close proximity to Carole for 20 years you'd probably speak to each other like we do as well. It's not put on for comic effect, it's just how we talk.
Listening is not compulsory. If you don't enjoy it I'd hate to think that you felt you had to listen. Lots of other great podcasts out there.
The breach… So you say the data (or links to it) were published on gitHub?
Is that not owned now by MS?
Do they have it too?
Presumably they have at least weekly backups/archives and if this has been up for a month or two, who knows who else may have had access to this client database?
TL;DR: I would say not at all. Besides normal licenses (for the stuff published) illegal content they would not have a right to say they own. As for backups: that's a complicated thing indeed but it should be assumed that once something is public it will never be removed from all hosts because someone is likely to have downloaded it. Fact of life. Otherwise:
I don't know particulars but …
As an open source advocate (who has contributed to open source and have written my own OSS etc.) I was rather disconcerted when I first heard about MS involving themselves with GitHub. But I seem to recall (dimly – and I was sceptical) that they were not going to 'change' things in that way. Of course that isn't always how it happens in reality …
Still if there was a data breach published on GitHub I really doubt MS would get involved in that. Also there is the licensing issue even besides the fact that it's not the publisher's rights in this case. This goes for all things published there. So I don't see how they could 'own' it – especially not legally.
How they manage backups I do not know but one would presume it's nightly. As for your last question who can tell? It is an interesting question though isn't it? If someone publishes illegal content on a platform such as GitHub that is backed up how does that work? How is it verified that it is purged from their backups? And the longer it's there the longer people have time to download it etc. It also brings up a lot of ethical/moral and also philosophical questions and I personally believe there will ever be a fully satisfactory answer here.
I recall from years ago that it was the responsibility of the owner of a server (or say a web host) to make sure illegal content is not there but I think that things are so much more complicated nowadays (I thought at the time that that was also complicated and not necessarily right full stop as a black and white thing) – not to mention there being so many more people on the Internet. Even just back to the late 1990s there are so many many many more people on the Internet. Going back to earlier decades all the more. Before the early 1990s there wasn't the web but there were still ways to share data. In those days though there weren't really hat many people in comparison and as I have observed most people don't even know that it's that old (actually if you consider the predecessor it's decades older than that). As it is many people conflate the world wide web with the Internet when it's not at all the same thing. The Internet is what allows it to be 'world wide' but it's much more than the web.
Unfortunately if content is made public you should assume that it's going to have been downloaded by someone and thus never properly removed even if the hosts wipe it out. Of course for some things this can be good but when it comes to things like this it's not good. Of course it can also be good if it's used to find the perpetrators but that goes to show just how complicated things can be in this world…
You know Graham the interesting thing is that what attracted me to check the link is the reference to 'The Legend of Zelda'. I was hoping for the original two from the 1980s but still nice to be brought back to time in another world even if only briefly. The Love Bug reference also was interesting to me. It sounded like there was a new thing or maybe the author spoke up for the first time (or again). I almost want to say I knew the author but if so nothing more than brief chats. I don't know if I did though but I certainly knew some other infamous authors.
Actually there is a lot of content and despite how dead tired I am I think it's one I should listen to definitely. Besides I love your sense of humour (and punning of course).
And I am surprised that you refer to donkeys and anonymity (Obviously I am referring to the spelling) but hey why not? Not even donkeys are anonymous unless it be that they don't have names!
Otherwise enjoy your new HQ! I much prefer your name for your new building rather than 'shed' or such things as that. But add GCHQ and it's even better. A most amusing and ironic and maybe even sardonic name but it's so perfect too.