Discussed Articles

1) Special Report: We can all go home.

You can rest easy knowing that we've unearthed the last solution you'll ever need. Tune in to hear about why you can consider your job mission accomplished.

* https://threatbutt.com/index.html

* http://www.trousersnake.org/

Discussed Articles

1) China Dabbles in Pre-Crime

The Communist Party has directed one of the country’s largest state-run defense contractors, China Electronics Technology Group, to develop software to collate data on jobs, hobbies, consumption habits, and other behavior of ordinary citizens to predict terrorist acts before they occur.

* http://www.bloomberg.com/news/articles/2016-03-03/china-tries-its-hand-at-pre-crime

2) How to Hire Good Security Engineers

A survey of some good articles about how to do useful interviews and hire good security nerds.

* https://blog.codinghorror.com/we-hire-the-best-just-like-everyone-else/

* https://danielmiessler.com/study/infosec_interview_questions/

* https://sites.google.com/site/steveyegge2/five-essential-phone-screen-questions

* https://www.digitalocean.com/company/careers#software-engineer:-services--applications

* http://philcalcado.com/2016/03/15/on_asking_job_candidates_to_code.html

3) FBI Abandons It's Order to Apple

The FBI files a motion to vacate their order to Apple to help them remove the security controls on the iPhone belonging to one of the San Bernardino shooters.

* https://threatpost.com/fbi-drops-its-case-against-apple/116918/

* https://assets.documentcloud.org/documents/2773542/031123152171.pdf

* http://www.zdziarski.com/blog/?p=5966

Breach of the Week

OPM Breach: It's Worse Than You Thought

In which we learn that more and more incredibly personal information was stolen from the OPMs systems.

* https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine

* https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/

Discussed Articles

1) The Pentagon prepares for Spacewar

The DoD has submitted a $582.7 budget which includes a new domain for war, space. We talk about how InfoSec folks ought to think about future problems in their own neck of the woods.

* http://www.defense.gov/News/Speeches/Speech-View/Article/672855/submitted-statement-house-appropriations-committee-defense-fy-2017-budget-reque

* http://www.theregister.co.uk/2016/02/26/pentagon_asks_for_only_580bn_to_fight_cyber_and_space_warfare/

2) Ad Industry Group Tells Sites How Best to Block the Blockers

The Interactive Advertising Bureau (IAB) publishes a primer for advertising networks on how they can block the ad-blockers. Is the IAB taking the right approach here? Are there lessons to be learned here?

* http://www.wired.com/2016/03/ad-industry-group-tells-sites-best-block-blockers/

3) Google publishes the Vendor Security Assessment Questionnaire (VSAQ)

Google open sources its set of common questions that it has for its vendors. Although this may not entirely apply to your particula organization, it is a great way to create a measurable way to judge your third party vendors.

* https://github.com/google/vsaq

* https://vsaq-demo.withgoogle.com/

Breach of the Week

Seagate Phish Exposes All Employee W-2’s

Employees in companies are being spear phished for a large number of W-2 records in the name of tax season. If your company doesn't do phishing related education for your users, consider this a timely warning.

* http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/

Discussed Articles

1) WWW Smackdown: FBI vs Apple

We interview law student Wendy Knox Everette about what the implications could be for the much talked about FBI warrant requiring Apple to remove security capabilities on the iPhone of one of the San Bernardino shooters.

* https://twitter.com/wendyck

* https://www.apple.com/customer-letter/

* https://www.apple.com/customer-letter/answers/

* https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf

* https://www.documentcloud.org/documents/2716811-Statement-from-the-FBI-Feb-20-2016.html

* http://www.theguardian.com/technology/2016/feb/20/san-bernadino-county-fbi-gunman-apple-account

* http://www.reuters.com/article/us-apple-encryption-victims-exclusive-idUSKCN0VV00B

* http://www.bloomberg.com/news/articles/2015-10-26/apple-fights-doj-bid-to-force-it-to-help-unlock-iphone

* https://www.lawfareblog.com/trust-apple-and-first-amendment

* https://www.youtube.com/watch?v=CviaSxIltSg

2) How to Safely Store Your Users' Passwords in 2016

A review of the current recommendations for how to safely hash user passwords in 2016, which includes code samples. More importantly, it makes the often overlooked recommendation to design your password hashing system to be able to support changing which algorithm you use as technology and cryptanalysis techniques improve.

* https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

* https://en.wikipedia.org/wiki/Key_derivation_function

* https://eprint.iacr.org/2016/104.pdf

3) Hack Brief: Hackers Are Holding an LA Hospital’s Computers Hostage

Hackers compromise the network of an LA hospital using a CryptoLocker-style malware. After spending a week evaluating the scope of the damage, the hospital administrators decided to pay the ransom to get their data back for $17,000 in bitcoins.

* http://www.wired.com/2016/02/hack-brief-hackers-are-holding-an-la-hospitals-computers-hostage/

4) Honorable Mention: B-Sides Seattle 2016 Recap

We unfortunately ran out of time to cover this, but here are some links to check out from Braxton's time at B-Sides Seattle 2016.

* http://www.securitybsides.com/w/page/103147483/BsidesSeattle2015

* https://docs.google.com/spreadsheets/u/1/d/1kAmyddbdYOnAHMz6r5j-zi6rv-8xJkJi49QTsSEPEo8/pubhtml?gid=1604256727#

* https://www.blackhat.com/eu-15/briefings.html#bypassing-local-windows-authentication-to-defeat-full-disk-encryption

Discussed Articles

1) Osman’s Shmoocon 2016 Recap

Hear about the awesome talks and things learned from Osman’s trip to DC

* https://archive.org/details/Where_Do_The_Phishers_Live

* https://archive.org/details/Containing_An_Attack_With_Linux_Containers

* https://archive.org/details/Penetration_Testing_Custom_Tls_Stacks

* https://archive.org/details/Keynote_Address

* https://archive.org/details/Hiding_From_The_Investigator

* https://archive.org/details/Gatekeeper_Exposed

2) President Obama to appoint CISO

President Obama opens up a position for a new Federal CISO position for the US Government. Thanks Obama!

* https://www.usajobs.gov/GetJob/ViewDetails/428904900

* http://www.federaltimes.com/story/government/cybersecurity/2016/02/09/obama-federal-ciso/80032796/

3) Where Should Information Security Teams Report

CISOs can report to a variety of different positions besides directly to a CEO. We explore various different articles on the topic and provide our own take.

* http://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/

* http://www.computerworld.com/article/2490736/cybercrime-hacking/target-top-security-officer-reporting-to-cio-seen-as-a-mistake.html

* http://resources.idgenterprise.com/original/AST-0135469_ESG-Brief-HP-Maturity-Model-Oct-2014.pdf

4) Hacked Toy Company VTech’s TOS Now Says It’s Not Liable for Hacks

A company decides that liability can be waived away through a strongly worded clickthrough agreement. A duo of podcasters disagree with their limited legal knowledge.

* https://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks

* http://www.troyhunt.com/2016/02/no-vtech-cannot-simply-absolve-itself.html

Discussed Articles

1) Fortinet SSH Backdoor - Fortidoor

A piece of exploit code was released on FullDisclosure that shows how to get root SSH access to Fortinet ForiOS firewalls if they haven’t been patched since July 2014.

* http://www.darknet.org.uk/2016/01/fortinet-ssh-backdoor-found-firewalls/

* http://seclists.org/fulldisclosure/2016/Jan/26

2) GM Announces New Bug Bounty Program

At CES this year, GM announced they’re launching a vulnerability disclosure, 'bug bounty' program on HackerOne

* http://www.fastcompany.com/3054535/gms-cybersecurity-secrets

* http://samy.pl/popular/

* http://www.autoalliance.org/index.cfm?objectid=8D04F310-2A45-11E5-9002000C296BA163

Breach of the Week

Ex-Cardinals exec: Yes, I hacked rival Astros’ database

Now ex-scouting director for the St. Louis Cardinals confessed to accessing rival team’s player recruiting database multiple times over the course of a year. He admitted after being investigated by the FBI. Plead guilty on Friday to five counts of computer hacking.

* https://nakedsecurity.sophos.com/2016/01/12/ex-cardinals-exec-yes-i-hacked-rival-astros-database/

* https://www.washingtonpost.com/politics/dnc-sanders-campaign-improperly-accessed-clinton-voter-data/2015/12/17/a2e2e14e-a522-11e5-b53d-972e2751f433_story.html

Discussed Articles

1) Juniper Finds An Unauthorized Backdoor

Juniper, a purveyor of all networking things, discovered a backdoor placed in their ScreenOS operation system by an unauthorized persons. What does this mean for the integrity of their products and how can we find backdoors in our own software?

* http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html

* https://www.imperialviolet.org/2015/12/19/juniper.html

* http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

2) Bug Bounty Ethics

An independent reacher reports bugs to Facebook and minor drama occurs. The researcher alleges Facebook is being unfair to him, while Facebook alleges the researcher crossed the line.

* http://exfiltrated.com/research-Instagram-RCE.php

* https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929

3) 2016 Predictions

2015 is over and 2016 is here, so it's about time that the Sound Security crew come up with some very accurate and in no way whatsoever wrong predictions for the glorious year that is 2016.

Discussed Articles

1) Sony Hack, one year later

Slate revisits the hack that impacted Sony Entertainment Pictures after one year later.

* http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html

* https://www.youtube.com/watch?v=u4Zxk6WeVio

2) Toyota Camry 2015

An older article from 2013 covering the Toyota Camry unintended acceleration report.

* http://www.safetyresearch.net/blog/articles/toyota-unintended-acceleration-and-big-bowl-%E2%80%9Cspaghetti%E2%80%9D-code

3) SHA1 Sunset

Alex Stamos, CISO of Facebook, discusses the upcoming impending doom that is the SHA1 sunset in web browsers.

* https://www.facebook.com/notes/alex-stamos/the-sha-1-sunset/10153782990367929

Breach of the Week

Osman's Breeches

Osman discusses a recent breach of his credit card number.

* https://surkatty.org

Discussed Articles

1) Interview with Josh on PhishReporter Plugin

The developer of an open-source plugin for Outlook that makes reporting phishing emails a cinch for end-users, Josh comes on the podcast to talk about the tool he wrote and the impact it's had in his organization.

* http://msadministrator.com/2015/10/31/phishreporter-outlook-add-in/

* https://github.com/MSAdministrator/PhishReporter

* https://blog.apnic.net/2015/03/27/rdap-now-a-published-standard/

* https://tools.ietf.org/html/rfc7482

* https://apwg.org/

2) Have Security Engineers Earned the Engineering Title?

Have security engineers driven enough consistency and maturity into their industry to join the ranks of their civil, aeronautical, chemical, or electrical engineering brethren and sistren?

* http://www.theatlantic.com/technology/archive/2015/11/programmers-should-not-call-themselves-engineers/414271/

* http://www.wired.com/2015/11/programmers-lets-earn-the-right-to-be-called-engineers/

* http://www.pentest-standard.org/index.php/Main_Page

* https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Discussed Articles

1) The Doxing Trend - Schneier on Security

* https://www.schneier.com/blog/archives/2015/10/the_doxing_tren.html

* http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/

* http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

2) University Networks

* https://blog.whitehatsec.com/university-networks/

* http://www.theatlantic.com/technology/archive/2015/10/can-campus-networks-ever-be-secure/409813/

3) Sustaining Digital Certificate Security

* https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html

* https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3b.pdf

Breach of the Week

Breaches, traders, plain text passwords, ethical disclosure and 000webhost

* http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html