Archive for Charlie Miller

November 15, 2011 – Episode 238

Posted in Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle with tags , , , on November 15, 2011 by datasecurityblog

Episode 238  of  The CyberJungle is about 21 minutes long.  You can hear it by clicking on the flash player below. The first interview (with Sean Morrissey of Katana Forensics) begins at about 03min. The second interview (with Ryan Washington of AR-Forensics) begins at about 10min. You may download the file directly – great for listening on many smartphones. Or, you  may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 238 via the flash player:

We break from our normal programming schedule. The CyberJungle went to the Paraben Forensics Innovator’s Conference last week. We have special extended coverage with Ryan Washington of AR-Forensics, on so-called “anti-forensics” techniques. And, Sean Morrissey, CEO of Katana Forensics gives us his take on Apple’s moves against a well-respected security researcher.



July 25, 2011 – Episode 223

Posted in Court Cases, darkweb, Report Security Flaws, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , on July 25, 2011 by datasecurityblog

Episode 223 of  The CyberJungle is about 31 minutes long.  You may hear it by clicking on the flash player below. The interview begins at about 15min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show, including a direct link to our audio feeds.

To listen to Episode 223 via the flash player:


Imperva CTO, Amichai Shulman on the web app attack preso you won’t see at BlackHat Las Vegas.  As a part of their ongoing Hacker Intelligence Initiative, Imperva has compiled a Web Application Attack Report (WAAR) that gives a new insight into attacks against the top 30 web applications based on more than 10 million individual attacks over the last 6 months.  WAAR outlines the frequency, type and geography of origin of each attack.  Surprisingly a little known type of attack has become very common. was the link mentioned in the segment

Our Take On This Week’s News

The CyberJungle Radio’s take on this Las Vegas Review Journal news story: Providing Wi-Fi as a perk has a price for businesses

Mac battery cyberflaw exposes explosive risk?


No Soup For You! No over the air updates for jailbroken iOS5 powered devices, according to the ZDNet posting

Conference Coverage

The CyberJungle goes to BlackHat Las Vegas and DefCon19  week. Get the reports in Conference Notes starting the middle of next week.

Pwn2Own Update: Charlie Miller Changes Course, Now Headed to “Hacker” Contest

Posted in Conference Coverage, Exclusive News with tags , , on March 7, 2011 by datasecurityblog

Charlie Miller has changed his mind and he will now attend CanSecWest and the Pwn2Own contest. CyberJungle Radio just talked with Charlie Miller, the only three times in a row winner of the CanSecWest “hacker conference.” The CyberJungle broke the story last week that Charlie had decided to stay home this year, due to a disagreement over the contest rules.  CyberJungle Radio is running an interview with Charlie Miller on Episode 203. Following the posting of that interview, Charlie Miller told CyberJungle Radio that he has changed course again, and he will now attend the conference. Although he still disagrees with the rules, for the good of the security community, he has decided to attend this week’s events in Vancouver, British Columbia. Charlie said that he did not speak with the conference organizer regarding his decision.

Charlie Miller Looses Interest in CanSecWest Pwn2Own Contest, Stays Home

Posted in Conference Coverage, Exclusive with tags , , on March 3, 2011 by datasecurityblog

For the first time in years, Charlie Miller will not be attending CanSecWest, where he holds a record-breaking hat trick winning streak in the Pwn2Own vulnerability contest. Charlie Miller told CyberJungle Radio tonight that he is staying away due in part, to the winner-take-all, entrants picked at random, nature of the rules.

The Pwn2Own contest is a high-profile event that highlights the solitary work of security researchers that stare in front of code looking for vulnerabilities, or run fuzzing programs that try to find combinations of characters that spring open a previously-unpublished pathway further into a system. Successful contestants can win tens of thousands at Pwn2Own, and significant notoriety.

According to the contest rules, the first contest entrant to successfully breach IE, Firefox, Safari, Chrome browser, or a Google Android, Blackberry, or Windows 7 Phone wins $15,000 ($20,000 if Chrome is breaches). But there is the rub. The contestants don’t start at the same time. Each contestants are randomly chosen to determine their order in demonstrating their attack. Only the first contestant to breach one browser, and the first contestant to breach one phone wins one of the two cash prizes.

In previous years, there were just a handful of contestants, so the odds were pretty good for a skilled security researcher to get a crack at either a browser or phone platform. But with the success and popularity of the contest, a much larger number of contestant entered this year. So many entrants have entered this year, that Charlie Miller feels that luck will play a greater roll than skill, and others will win the contest before he can even get his hands on a keyboard. If by chance the entrants before Miller fail to breach a browser and a phone, Charlie told CyberJungle radio that a proxy contestant at the event will follow Miller’s instructions using successful attacks Miller has created.

CyberJungle Radio also spoke with CanSecWest spokesperson, Dragos. Dragos said that Charlie Miller’s complaints may have some validity. According to Dragos, it is probably too late to change the rules this year, but the rules may be changed next year due to the complaints highlighted by Mr. Miller.

We’ll have more on this story in the next episode of CyberJungle Radio.

Episode 157 – July 25, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , on July 24, 2010 by datasecurityblog

You can hear episode 157 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 157 is one hour and 10 minutes long.


Dr. Charlie Miller, Principal Analyst for Independent Security Evaluators,  offers a preview of his DefCon presentation about cyberwarfare to be given in Las Vegas at the end of the month.  “Kim Jong-il and Me.” (Yes he’s that Charlie Miller.) Charlie says he really didn’t feel qualified to address the topic of cyberwarfare when he was first asked, but then decided to treat the request as an opportunity to play a game in he pretended he was approached by a rogue government for the purpose of building a cyberarmy.  What would it take?  Hear Charlie’s interview about 23 minutes into episode 157.


The CyberJungle mistakenly reported that it is not possible to turn off an Apple iPad and iPhone feature that reports the owner’s location to the Big A twice daily.  We oversimplified this story and we got it wrong.  We have been informed by our favorite Apple connoisseurs that it is possible to turn the feature off.  We apologize for the misinformation. We have removed the segment from the podcast, so it won’t be heard again,  and we will note in next week’s radio show that we were incorrect.

Tales from the Dark Web

If you’re using Microsoft Windows this attack is aimed at you.  (Raise your hand if you aren’t using Microsoft Windows.)  Here is the MSFT Advisory on the Microsoft Link Attacks. Here is an explanation of the attack and video demo from Sophos.

Our Take on This Week’s News

A consumer survey that measured for the first time customer satisfaction with social media sites reports that — are you sitting down? — people hate Facebook.  It scored lower than the airlines and the cable companies, and even lower than the IRS.

A watchdog organization reports that White House Emails Show More Extensive Improper Contact With Google. The National Law and Policy Center posts links to its letter to the House Committee on Oversight and Government Reform, asking for an investigation of the relationship between Google and its former lobbyist who now occupies the top advisory position to president Obama on internet policy.  There are also links to some of the emails, which seem to support the conclusion that Deputy Chief Technology Officer Andrew McLaughlin is helping to stack the policy deck in Google’s favor on a number of issues.

And while we’re at it, was Google providing intelligence data to the federal government as part of its WiFi Streetview program?

This should freak you out. A Woman found a webcam hidden inside a copy of Chicken Soup for the Soul, which was on a bookcase in her bedroom, pointed directly at her bed.  We found a source for these cameras, which are supposed to be a security tool,  for less than 50 bucks.

Get comfy on the patio with a cold brew and read this great story about a fake infosec chick who persuaded her social networking pals — mostly guys who know secrets related to national security — to forget themselves and reveal a lot of stuff they aren’t supposed to give up.  To anyone.  The girl — Robin Sage — was named after a military training exercise, which was just one of many clues that “screamed fake,” according to her creator, a security researcher whose ruse has demonstrated something we all knew.  Only James Bond can flirt with an exotic hottie and not get burned.

GM suffers theft of hybrid technology worth an estimated $40million. Insider stole information by using a portable USB drive. Data allegedly sold to at least one Chinese auto maker, Chery.

Major Zero-day flaw in Apple’s Safari browser discovered, Apple ignored the warnings so well-known researcher goes public.

Some Dell replacement motherboards come pre-loaded with malware.

Episode 126 and 127 – April 10, 2010

Posted in Breach, Court Cases, criminal forensics, eMail Security, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , on April 11, 2010 by datasecurityblog

Interviews:  Peter Schlampp, VP of Marketing and New Products, from Solera Networks, who discussed a new approach to uncovering the source of attacks:  network forensics.  Stuart Staniford Chief Scientist from FireEye, who discussed research to help counter the attacks that bypass firewalls and antivirus.  And world famous white-hat hacker Charlie Miller talks with us about Apple Security, how he won the CanSec West PWNtoOwn contest… and the security implications of Apple’s announcement about location-aware advertising, and  multitasking on the iPhone OS 4 platform. Dr. Miller is also a researcher at Security Evaluators. The full show can be streamed with via the Flash player here:

Download the Episode 127 MP3 file here or visit the Listening Options page for more ways to hear the program.

Episode 126 is the su root version of The CyberJungle.  It features only these three unedited versions of the interviews with these three men. We have also featured partial versions of the interview along with all the other regular content  in the full version of the show. Listen via the Flash player here:

Download the Episode 126 MP3 file here or visit the Listening Options page for more ways to hear the program.

Our Take on This Week’s News

Class action suit against Countrywide Financial: Plaintiffs ask $20 million after Countrywide employee stole and sold tens of thousands (or millions?) of customer records.

Another inside job: Bank of America Employee Charged With Planting Malware on ATMs.

German Government Pays Hacker For Stolen Bank Account Data Gov pays cybercriminals for data stolen from banks in tax haven countries, and uses the info to catch tax cheats.

Computer Hacker Sentenced to 37 Months in Prison in Manhattan Federal Court for Scheme to Steal and Launder Money from Brokerage Accounts.  This guy got three years for perpetrating something that sounds like the Zeus attack… in addition to credit card fraud and other counts.  No wonder cybercrime is proliferating.

Phishing Attacks on Taxpayers Rise in the Weeks Leading up to April 15th IRS Tax Filing. Sonic wall offers an online quiz to test your phishing IQ.  Ten questions. It’s actually harder than you think, but it’s fun. We recommend you give this quiz to employees, bosses, family… anyone who might benefit from learning the difference between legitimate email and a phishing attack.

Looking for Tiger Woods’ Nike advert could lead to users  into visiting malicious sites.

Sierra Nevada Infragard announcement:

InfraGard Sierra Nevada April Lunch Event

KEYNOTER: Stuart Staniford, Chief Scientist with security firm FireEye has a long history in the intrusion detection field, starting in the research arena at UC Davis back in 1994. He was conducting a variety of research projects with government contractor Silicon Defense before joining FireEye.

WHERE: The Washoe County Regional Public Safety Training Center, 5190 Spectrum Blvd. Room 105, in Reno, Nevada.

WHEN: Thursday, April 15, 2010; 11:15am-1PM, includes lunch

DONATION: $10 for InfraGard members with advanced purchase before April 13th, 2010;

$15 at the door and for non-members.

To register for the Infragard lunch event, please follow this link

If you heard Ira Victor live on The John Sanchez Show (the live program that follows The CybeJungle on, Ira mentioned the web site to report phishing and other scams: