Derbycon Videos: http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist
Lacie the security dog:
 Researchers to demonstrate attacks by reprogramming firmware of commodity USB devices
 Survey find that enterprises are not paying attention to 3rd party risks, despite recent headlines
 Ransomware attack failed thanks to security awareness training
 Stubhub defrauded out of $1.6M using stolen passwords of its users
 Maricopa County fires IT manager in the wake of a data breach that the IT manager apparently warned the school about
 Why PCI can’t stop RAM scraping malware
 Plans for Israel’s Iron Dome apparently stolen by Chinese hackers
It is with a heavy heart that I have to inform our tens of listeners that unseen forces in the universe have prevented a podcast recording this week. My Scarlett 2i2 tragically died of as-yet unknown causes Tuesday evening. Subsequently, Amazon and the USPS collaborated to ensure the replacement unit, with a guaranteed delivery date of today, would not be here until Friday or Saturday. Amazon appears ready to refund the cost of the free second day shipping I incurred as a result of this travesty of logistics.
Until next week my friends…
The Defensive Security Podcast marketing department has been griping for a while about the terrible logo that Jerry made almost 2 year ago during a fit of Everclear-fueled “creativity”.
“We can’t file an for an IPO without a decent logo!”
So, we approached the most prestigious ad agency we could find – Weiden + Kennedy – of Old Spice fame – to help develop an image befitting the institution that the Defensive Security Podcast has become. After it became apparent that the ad firm wasn’t going to return our calls, we decided to take another approach and put the logo out for bid on logobids.com.
There were a lot of… interesting…. designs – clearly from people who had not heard the podcast before. And also a lot of really good ones too. The selection process was arduous. Marketing wanted one design, HR wanted another, finance wouldn’t stop complaining about the cost and the sales department was too busy playing golf to participate. We asked for feedback from our twitter followers. In the ensuing chaos, Andy and I picked our favorite. And so, here is our new logo:
Security recommendations from Bob; Meetup.com rides out a DDOS attack rather than pay a ransom; How to test the security savvy of your employees; Why companies need to think about this insider threat; 6 lessons learned from advanced attacks; How IT can establish better cloud control; Council on Cyber Security releases version 5 of critical security controls.
How to change your SSN; How Snowden was able to access and steal the documents; Liberty Mutual sues Schucks grocery store over cyber breach insurance policy; Barclays and Santander banks hit with physical IT attacks; password security
Here is an interesting article on changing the social contract of vulnerability disclosures from the current, though recent, seven day cycle, to one that follows patch Tuesday, or whatever equivalent date the particular software vendor has for patches.
It’s a good idea, but I think the author missed an important nuance: the short 7 day notice is for situations where the discovering researcher has found evidence that the vulnerability is being actively exploited. In other cases where the vulnerability is not being actively exploited, the time frame is 6o days, which is compatible with the author’s idea. Note that the 7 day recommendation comes from Google and is available to read here.
I do not think that it makes sense to wait until after the next patch Tuesday in cases of active exploitation. The point is that users of the vulnerable technology need to know that there is a vulnerability being actively exploited, whether or not a patch is available, so that the user can take steps to mitigate the problem.