Sound Security Podcast

Discussed Articles

1) FICO Enterprise Security Score

The venerable Fair Isaac Corporation known for it's credit ratings metrics releases a metric to gauge the likelihood of a breach within the next 12 months.

* http://www.fico.com/en/newsroom/fico-enterprise-security-score-gives-long-term-view-of-cyber-risk-exposure-10-27-2016

* https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/liu

* https://www.privacyrights.org/data-breaches

2) Shamoon disk-wiping malware resurfaces with renewed cyberattacks on Saudi Arabia

Iran-attributed malware attacks Saudi Aramco machines and wipes the MBR.

* http://www.ibtimes.co.uk/shamoon-disk-wiping-malware-resurfaces-renewed-cyberattacks-saudi-arabia-1594494

* https://www.bloomberg.com/news/articles/2016-12-01/destructive-hacks-strike-saudi-arabia-posing-challenge-to-trump

* http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

* http://www.irongeek.com/i.php?page=videos/bsideslasvegas2015/pw22-blind-hashing-jeremy-spilman

3) Honorable Mention: US fails to renegotiate arms control rule for hacking tools

A nearly two-year effort to renegotiate language related to export controls around intrusion software in the Wassenaar Arrangement was rejected earlier this month during the member states’ plenary meeting.

* http://hosted2.ap.org/APDEFAULT/89ae8247abe8493fae24405546e9a1aa/Article_2016-12-19-US--Cybersecurity%20Exports/id-580c483618a04410879cf61da6b7e675

* https://threatpost.com/wassenaar-renegotiation-will-be-in-trump-administrations-hands/122653/

Breach of the Week

All the Breaches

Bringing you not one, not two, but four breaches: DNC/Russian compromise follow up, Lynda, Yahoo, and Ashley Madison follow up.

* http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html

* https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/

* https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/

* http://www.csoonline.com/article/3150426/security/ashley-madison-to-pay-16m-settlement-related-to-data-breach.html

* http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

* https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b

Discussed Articles

1) Kenneth White's Review of HTTP TLS in 2016

Ken White presents a great overview of the state of the art of HTTPS and TLS in 2016, covering: definitions, HTTPS by default, HSTS, Certificate Transparency, modern technologies, ciphersuites, OpenSSL 1.1 Audit

* https://speakerdeck.com/kwhite/https-and-tls-in-2016-security-practices-from-the-front-lines

* https://security.googleblog.com/2016/03/certificate-transparency-for-untrusted.html

* https://http2.github.io/faq/#does-http2-require-encryption

* https://daniel.haxx.se/blog/2015/03/06/tls-in-http2/

2) Chris Nickerson: Bring a bit more Zen to cybersecurity

In light of today's focus on data-driven, objectively proven methods of decision making and prioritization, it's fascinating to see a security vendor conference keynote focus on adding some subjectivity back into the mix. Or at least acknowledging it.

* http://www.csoonline.com/article/3138547/security/chris-nickerson-bring-a-bit-more-zen-to-cybersecurity.html

* http://chainsawsuit.com/comic/2014/09/16/on-research/

* https://www.amazon.com/Flaws-Fallacies-Statistical-Thinking-Mathematics/dp/0486435989?tag=braxtoncom0f-20

* https://goo.gl/TKJ9GS

Breach of the Week

DynDNS Record-breaking DDoS

The IoT cannon heard 'round the Internet.

* https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/

* https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/

Discussed Articles

1) CloudFlare, SSL and Unhealthy Security Absolutism

We discuss Troy Hunt's discussion of security’s unhealthy obsession of absolutism

* https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

* https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/#comment-2866817518

2) Google Chrome's Indicator Migration for Non-HTTPS Connections

Google is moving to decrease the visual trust level for HTTP sites. Is this a good thing? Should all sites everywhere need to be HTTPS by default or does it not matter for your mom and pop bagel shop site?

* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

* http://arstechnica.com/security/2015/04/ddos-attacks-that-crippled-github-linked-to-great-firewall-of-china/

3) Why Do We Judge Parents For Putting Kids At Perceived — But Unreal — Risk?

Apparently CVSS should have a modifier for the rater's estimate of the moral wrongness of a vulnerability. Research recently published to Collabra gives us some really interesting insights into how humans make estimations of risks based on how morally wrong they deem an action to be.

* http://www.npr.org/sections/13.7/2016/08/22/490847797/why-do-we-judge-parents-for-putting-kids-at-perceived-but-unreal-risk

* http://www.collabra.org/article/10.1525/collabra.33/

* https://twitter.com/DavidKenner/status/773160292536680449

Breach of the Week

Dropbox

User database dumps from Dropbox's 2012 breach are starting to surface prompting Dropbox to force password resets.

* https://www.troyhunt.com/the-dropbox-hack-is-real/

* https://blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/

* http://www.businessinsider.com/yahoo-announces-on-demand-passwords-so-users-never-have-to-remember-a-password-again-2015-3

Discussed Articles

1) NIST Declares Cyber War Against 2FA Via SMS

Did you enjoy that click bait title? I hope you did because in this week's episode we talk extensively about NIST's recent SP800-63-3 publication. According to Duo Security 2FA adoption is only at 6.5% on Google, so why are we fighting any kind of 2FA adoption?

* https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

* https://pages.nist.gov/800-63-3/

* https://github.com/usnistgov/800-63-3

* https://krebsonsecurity.com/2016/08/social-security-administration-now-requires-two-factor-authentication/

* https://duo.com/blog/estimating-googles-two-factor-2sv-adoption

2) High Frequency Bug Hunting

A Mr. Shubham Shah spent 120 days hunting bugs in various different websites, services, APIs, and more. We talk about what this means for our community.

* https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/

* https://github.com/infosec-au/altdns

* https://github.com/infosec-au/assetnote

* https://github.com/infosec-au/bugbountydash

* https://bugcrowd.com/list-of-bug-bounty-programs

3) Braxton Goes To Blackhat and DEF CON

Braxton heads to the venerable security summer camp for the first time. We talk about his experience there, about OPSEC, hacker handles, and discuss which one he likes better and if he'll go back.

* https://www.blackhat.com/us-16/

* https://defcon.org/html/defcon-24/dc-24-index.html

Discussed Articles

1) CISSP certification: Are multiple choice tests the best way to hire infosec pros?

Does having a certificate make you a better security engineer? What could we be doing to better recruit security folks?

* http://arstechnica.com/security/2016/07/cissp-certification-how-to-hire-infosec-pros/

2) Why Mozilla shouldn't copy Chrome's permission prompt for extensions

What are the unintended consequences of trying to make sure your users are informed as possible about the security implications of installing browser extensions? How can you effectively, programmatically communicate risk?

* https://palant.de/2016/07/02/why-mozilla-shouldn-t-copy-chrome-s-permission-prompt-for-extensions

3) Honorable Mention: How I Cracked a Keylogger and Ended Up in Someone's Inbox

What happens when you reverse engineer an piece of Word doc malware?

* https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/

Breach of the Week

FDIC Was Hacked By China, and CIO Covered It Up

How not to respond to a breach, and how we can all get better at dealing with breaches.

* http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio-covered-it-up/

Discussed Articles

1) Out-of-Box Exploitation: A Security Analysis of OEM Updaters

OEM laptop vendors for a long time have included their own bits of software in with retail sales. These bits included update mechanisms which appear to be poorly designed. Duo Security, a 2 factor auth company, looks into the matter and writes down their results.

* https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters

* https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf

2) Typosquatting in Programming Language Package Managers

Nikolai Tschacher, an undergraduate Informatics student from University of Hamburg, released a paper detailing his work at analyzing typos made by programmers when working with package managers. He furthers the work of a few earlier security researchers and his approach to collecting data for his research brings up questions on what is acceptable to collect.

* http://incolumitas.com/2016/06/08/typosquatting-package-managers/

* https://soundsecurity.io/episodes/2015/07/20/a-googol-google-articles/

* https://www.youtube.com/watch?v=gXY3jm34RFU

3) SELinux is beyond saving at this point

Chris Siebenmann writes about SELinux's usability nightmare and how it is beyond saving. When you are too hard headed to listen to your customers, you may be the one who is wrong.

* https://utcc.utoronto.ca/~cks/space/blog/linux/SELinuxBeyondSaving

* https://en.wikipedia.org/wiki/Seccomp

* https://en.wikipedia.org/wiki/Trust_on_first_use

Breach of the Week

Russians Hacking DNC Computers

A group of hackers, presumably Russian at this point-in-time, broke into the Democratic National Committe's (DNC) servers and subsequently released a treasure drove of confidential documents out onto the Internet. What does this mean to folks in a corporate environment? Is APT1 now DNC1? Will we continue asking rhetorical questions you can't answer?

* https://twitter.com/thegrugq/timelines/743231527639621632

* https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html

* http://arstechnica.com/security/2016/06/hackers-invade-dems-servers-steal-entire-trump-opposition-file/

* https://www.schneier.com/blog/archives/2016/06/russians_hackin.html

Discussed Articles

1) How Netflix Gives All Its Engineers SSH Access To Instances Running In Production

One of the ways Netflix enables engineering velocity is with a culture of 'freedom and responsibility' that empowers individuals with the freedom to do what is needed to get the job done. As a result, the security teams at Netflix focus on reducing developer friction, making it hard to do the wrong thing, and then rely on auditing, automated analysis, and alerting to keep things safe. Russell Lewis reviews a few approaches used in the industry to secure SSH bastions (aka jumpboxes) and evaluates them through the lens of Netflix’s security culture.

* https://speakerdeck.com/rlewis/how-netflix-gives-all-its-engineers-ssh-access-to-instances-running-in-production

* https://github.com/netflix/bless

2) Chrome Defaults To HTML5 Over Adobe Flash Starting in Q4

In which we discuss Google's continued efforts to kill off Flash and how long Google will continue to be a chaotic force for good on the Internet

* https://threatpost.com/chrome-defaults-to-html5-over-adobe-flash-starting-in-q4/118109/

3) Clearing up Some Misconceptions Around the 'ImageTragick' Bug

A discussion of the underlying issues that lead to the impact of the ImageMagick vulnerabilities and whether it's always the right choice to rely on third-party modules for basic functionality.

* https://lcamtuf.blogspot.nl/2016/05/clearing-up-some-misconceptions-around.html

* https://github.com/oneuijs/You-Dont-Need-jQuery

* http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

* https://github.com/rubysec/bundler-audit

* https://jenssegers.com/63/automatically-check-your-composer-file-for-security-vulnerabilities

* https://github.com/OSSIndex/DevAudit

4) Honorable Mention: 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip

* https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

* https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Discussed Articles

1) Adobe Bug Bounty Experience

Adobe talks about their experience in running a bug bounty program. We go over some of the lessons that they've shared as well as share some of our own.

* https://blogs.adobe.com/security/2016/04/a-vendor-perspective-on-crowd-sourced-penetration-tests.html

2) How Facebook Uses Empathy to Keep User Data Safe

It isn't enough just to offer your customers the right security services, you need to convince them to adopt them. Facebook shares some lessons learned from getting their own customer base to adopt security practices.

* https://hbr.org/2016/04/how-facebook-uses-empathy-to-keep-user-data-safe

* https://news.ycombinator.com/item?id=11596004

* http://adversari.es/blog/2013/06/19/cant-we-all-just-get-along/

* http://darrennegraeff.com/the-importance-of-t-shaped-individuals/

* http://www.amazon.com/Business-People-Speak-Like-Idiots/dp/0743269098

3) Verizon's 2016 DBIR Report

Verizon Enterprise releases their annual Data Breach Investigations Report (DBIR)

* http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

* https://jacobian.org/writing/2016-dbir-highlights/

* https://blog.osvdb.org/2016/04/27/a-note-on-the-verizon-dbir-2016-vulnerabilities-claims/

* https://twitter.com/dguido/status/725786943737442308

* https://twitter.com/spacerog/status/725350506579648512

Discussed Articles

1) Ransomware: Past, Present, And Future

A thoroughly researched history of ransomware by the Cisco Talos group that provides great insights into where ransomware has come and where it might go.

* http://blog.talosintel.com/2016/04/ransomware.html

2) Early Impacts of Certificate Transparency

Facebook's security team posts a great article about their attempts to use Certificate Transparency logs to detect nefarious SSL certificates issued for domains they control from unexpected CAs.

* https://www.facebook.com/notes/protect-the-graph/early-impacts-of-certificate-transparency/1709731569266987

* https://security.googleblog.com/2016/04/improvements-to-safe-browsing-alerts.html

3) 'Think Like an Attacker' is an opt-in mistake / HackingTeam Breach Walkthrough

In which we give you insight into how an attacker moves through a network, and admonish you not to waste your time building defenses by thinking like an attacker.

* http://emergentchaos.com/archives/2016/04/think-like-an-attacker-is-an-opt-in-mistake.html

* http://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=sr_1_1?ie=UTF8tag=braxtoncom0f-20qid=1461647269sr=8-1keywords=threat+modeling

* https://www.youtube.com/watch?v=WKgD305OFAQ

* http://www.ranum.com/security/computer_security/editorials/dumb/

* https://ghostbin.com/paste/6kho7

* http://www.csoonline.com/article/3058764/security/hacking-team-postmortem-is-something-all-security-leaders-should-read.html

Breach of the Week

MongoDB Configuration Error Exposed 93 Million Mexican Voter Records

Pretty much what it says on the box, yet another huge PII database set out on the interwebs for everyone to query.

* http://www.csoonline.com/article/3060204/security/mongodb-configuration-error-exposed-93-million-mexican-voter-records.html

Discussed Articles

1) WhatsApp's Signal Protocol integration is now complete

We give praise to usability in end-to-end security. Cypherpunks rejoice!

* https://whispersystems.org/blog/whatsapp-complete/

* https://security.stackexchange.com/questions/119633/how-does-whatsapps-new-group-chat-protocol-work-and-what-security-properties-do?atw=1

* https://moxie.org/blog/gpg-and-me/

2) A Day in the Life of Virginia Tech’s CISO

We explore a day in the life of a CISO at an American university.

* https://www.linkedin.com/pulse/day-life-virginia-techs-ciso-joseph-cardin

3) BadLock

We predict the future; a day early.

* http://badlock.org/

Breach of the Week

Crooks Steal, Sell Verizon Enterprise Customer Data

We take a look at how specialized databreach investigation company gets breached.

* https://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/