Category Archives: Security

Defensive Security Podcast Episode 140

http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/

http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html

http://www.csoonline.com/article/3006816/cyber-attacks-espionage/damballa-finds-tools-related-to-the-malware-that-hit-sony.html

http://www.databreachtoday.com/interviews/what-jpmorgan-chase-breach-teaches-us-i-2982

http://www.healthcaredive.com/news/ftc-data-breach-case-dismissal-raises-bar-for-demonstrating-consumer-harm/409634/

Defensive Security Podcast Episode 134

http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-website-flaw-5-days-before-it-was-hacked/

http://www.scmagazine.com/sec-hits-security-adviser-with-75000-penalty-in-breach-settlement/article/440268/

http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-customers/

http://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-customers-data-experian/

http://time.com/4056928/trump-hotels-hacked/

http://fortune.com/2015/10/02/american-bankers-association-breach/

Defensive Security Podcast Episode 96

Defensive Security Podcast Episode 87

Derbycon Videos: http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist

http://www.tripwire.com/state-of-security/top-security-stories/att-discovers-second-insider-breach-this-year/
http://www.zdnet.com/yahoo-confirms-servers-infected-but-not-by-shellshock-7000034411/
http://www.futuresouth.us/wordpress/?p=32
http://www.theregister.co.uk/2014/10/05/report_says_russians_behind_jpmorgan_chase_cyber_attack/
http://nakedsecurity.sophos.com/2014/10/06/badusb-now-with-do-it-yourself-instructions/
http://hackaday.com/2014/10/05/badusb-means-were-all-screwed/
http://www.csoonline.com/article/2689609/network-security/threat-intelligence-firm-mistakes-research-for-nation-state-attack.html#tk.rss_all

 

Lacie the security dog:

lacie

Defensive Security Podcast Episode 78

Web Site | Subscribe in iTunes | Podcast RSS Feed | Twitter Email

[1] Researchers to demonstrate attacks by reprogramming firmware of commodity USB devices
[2] Survey find that enterprises are not paying attention to 3rd party risks, despite recent headlines
[3] Ransomware attack failed thanks to security awareness training
[4] Stubhub defrauded out of $1.6M using stolen passwords of its users
[5] Maricopa County fires IT manager in the wake of a data breach that the IT manager apparently warned the school about
[6] Why PCI can’t stop RAM scraping malware
[7] Plans for Israel’s Iron Dome apparently stolen by Chinese hackers

[1] http://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/
[2] http://www.csoonline.com/article/2458048/security-leadership/insecure-connections-enterprises-hacked-after-neglecting-third-party-risks.html#tk.rss_all
[3] http://www.csoonline.com/article/2459961/security-leadership/security-managers-journal-a-ransomware-flop-thanks-to-security-awareness.html#tk.rss_all
[4] http://www.darkreading.com/7-arrested-3-more-indicted-for-roles-in-cyber-fraud-ring-that-stung-stubhub/d/d-id/1297510
[5] http://www.azfamily.com/news/School-fires-IT-manager-who-warned-of-security-breach-268218462.html
[6] http://www.darkreading.com/attacks-breaches/ram-scraper-malware-why-pci-dss-cant-fix-retail/a/d-id/1297501
[7] http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/

No Podcast This Week

It is with a heavy heart that I have to inform our tens of listeners that unseen forces in the universe have prevented a podcast recording this week. My Scarlett 2i2 tragically died of as-yet unknown causes Tuesday evening. Subsequently, Amazon and the USPS collaborated to ensure the replacement unit, with a guaranteed delivery date of  today, would not be here until Friday or Saturday.  Amazon appears ready to refund the cost of the free second day shipping I incurred as a result of this travesty of logistics.

Until next week my friends…

New logo!

The Defensive Security Podcast marketing department has been griping for a while about the terrible logo that Jerry made almost 2 year ago during a fit of Everclear-fueled “creativity”.

“We can’t file an for an IPO without a decent logo!”

Indeed.

So, we approached the most prestigious ad agency we could find – Weiden + Kennedy – of Old Spice fame – to help develop an image befitting the institution that the Defensive Security Podcast has become. After it became apparent that the ad firm wasn’t going to return our calls, we decided to take another approach and put the logo out for bid on logobids.com.

There were a lot of… interesting…. designs – clearly from people who had not heard the podcast before. And also a lot of really good ones too. The selection process was arduous. Marketing wanted one design, HR wanted another, finance wouldn’t stop complaining about the cost and the sales department was too busy playing golf to participate. We asked for feedback from our twitter followers. In the ensuing chaos, Andy and I picked our favorite. And so, here is our new logo:

20140616-191850-69530737.jpg

Defensive Security Podcast Episode 57

Security recommendations from Bob; Meetup.com rides out a DDOS attack rather than pay a ransom; How to test the security savvy of your employees; Why companies need to think about this insider threat; 6 lessons learned from advanced attacks; How IT can establish better cloud control; Council on Cyber Security releases version 5 of critical security controls.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

http://meetupblog.meetup.com/post/78413031007/no-doubt-this-has-been-a-tough-weekend-for
http://www.networkworld.com/research/2014/022414-how-to-test-the-security-279049.html
http://www.networkworld.com/news/2014/022014-why-companies-need-to-check-278927.html
http://www.networkworld.com/news/2014/022414-6-lessons-learned-about-the-279082.html
http://www.networkworld.com/news/2014/022414-how-it-can-establish-better-279048.html
http://www.counciloncybersecurity.org/attachments/article/12/CSC-MASTER-VER50-2-27-2014.pdf

 

Defensive Security Podcast Episode 36

How to change your SSN; How Snowden was able to access and steal the documents; Liberty Mutual sues Schucks grocery store over cyber breach insurance policy; Barclays and Santander banks hit with physical IT attacks; password security

 

Subscribe in iTunes | Podcast RSS Feed | Twitter Email Continue reading Defensive Security Podcast Episode 36

Vulnerability Wednesday?

Here is an interesting article on changing the social contract of vulnerability disclosures from the current, though recent, seven day cycle, to one that follows patch Tuesday, or whatever equivalent date the particular software vendor has for patches.

It’s a good idea, but I think the author missed an important nuance: the short 7 day notice is for situations where the discovering researcher has found evidence that the vulnerability is being actively exploited. In other cases where the vulnerability is not being actively exploited, the time frame is 6o days, which is compatible with the author’s idea. Note that the 7 day recommendation comes from Google and is available to read here.

I do not think that it makes sense to wait until after the next patch Tuesday in cases of active exploitation. The point is that users of the vulnerable technology need to know that there is a vulnerability being actively exploited, whether or not a patch is available, so that the user can take steps to mitigate the problem.