Tag Archives: Security Nation

Never Mind the Ears, Here’s Security Nation

Post Syndicated from Tod Beardsley original https://blog.rapid7.com/2022/12/21/never-mind-the-ears-heres-security-nation/

It’s another year down and another season down for Security Nation. With the close of our fifth season, I wanted to take a minute here to reflect on who we spoke with and what we talked about. The show titles focus (as you would expect) on the individual interview subjects, but there’s a bunch of good stuff in there on fresh-at-the-time news stories, published papers, and other goings on in the cybers.

The Theme: Open Source Security

We set out with an aim to focus on open source security in 2022, and we kind of succeeded!

In Season 5, we talked to:

  • Fyodor, aka Gordon Lyon, about the 25th (!!) anniversary of nmap. I admit, I got a little misty on this one. We’ve been pals with Gordon for a while, and he has had a weirdly outsized influence on my career—stretching back to the 1990s. If you weren’t aware, peak infosec was 1996-1997, so if you want some historical perspective on this crazy industry, you could do worse than starting with nmap.
  • Curt Barnard, about Defaultinator. On the other end of the historical spectrum, we talked to Curt about Defaultinator, which a) should be pronounced in a Doctor Doofenshmirtz style, and b) is an open source solution for tracking default credentials across all sorts of things, released at Black Hat Arsenal in 2022. It’s also secretly a pure JavaScript implementation of the Common Platform Enumeration (CPE) dictionary, and it’s extensible to cover your own custom CPEs. Check it out!
  • Steve Micallef, about open source intelligence (OSINT). While there’s an open source community around SpiderFoot, we talked mostly about the kinds of things you can find out in the world and how it can help on all sorts of cyber investigations. Since we recorded this, SpiderFoot got itself acquired by Intel471, so congrats on that!
  • Phillip Maddux, about HoneyDB, which is a fun and educational way to get yourself in the business of setting up and maintaining an extensible honeypot network. It’s pretty neat, and you can get started with his Honeypots 101 blog.
  • Jim O’Gorman and g0tmi1k (aka Ben Wilson) on Kali Linux, which is pretty much the standard all-the-bells-and-whistles-and-drivers Linux distribution for offensive security. Kali Linux is a massive undertaking, and is a great way to get exposure to a whole lot of security tooling all at once. It’s coming up on its 10th anniversary, if you don’t count BackTrack Linux (but you should, and that’s from 2006).
  • Kate Stewart, about the Linux Foundation. Honestly, you can’t get much more open sourcey than the LF, and Kate is here to talk specifically about how open source is literally all over the place in all kinds of embedded systems we depend on for, well, everything.
  • Matthew Kienow on Recog, which is central to Rapid7’s open source strategy. Recog gives practitioners standard and quality-checked methods to fingerprint devices all over the internet, is integrated in pretty much every Rapid7 product, and is super fun and easy to contribute to. Even a tourist like me is able to contribute! Plus, it’s multilingual, with implementations in Ruby, Java, and Go, which is quite a feat for an open source project.
  • Mike Hanley, about GitHub’s unique role as a platform for zillions of open source projects, and how they help make the open source world a better place with projects like Dependabot. We also talked to Mike about the nuance and peril that comes with running a hugely popular platform and how they deal with hosting live exploit code (which, in turn, does help researchers, but also can help bad guys). It was the first interview of the season, and really, one of the best. Check it.

Also: Not Open Source

While that’s a pretty thorough bullet list of open source punditry, it’s only eight episodes out of 22. In Season 4, we talked to quite a few government and government-adjacent people, and this year, we managed to rope in more of them, such as Chris Levendis from MITRE (along with Lisa Olson from Microsoft), Pete Cooper and Irene Pontisso from the UK Cabinet Office, and Bob Lord of CISA (and formerly of the DNC).

We also talked to a bunch of in-the-field practitioners, like John Rouffas, CISO at Intelliflo, Amit Serper, Director of Security Research at Akamai, David Rogers of Copper Horse, Whitney Merrill of the Crypto & Privacy Village, Jacques Chester of Shopify, Taki Uchiyama of Panasonic, and James Kettle of PortSwigger.

TODO: Academics

Finally, we talked to Omer Akgul and Richard Roberts, both of the University of Maryland, about their paper, “Investigating Influencer VPN Ads on YouTube.” This was a super fun paper I stumbled across while researching for a Rapid Rundown segment a few weeks earlier, and I have to say, we don’t talk to academics nearly enough.

We have our own conferences and paper submission norms and all that here in cybersecurity, but we would do well to pay more attention to formal academic research when it comes to the pressing issues of the day. Hopefully in Season 6 of Security Nation, we can spend a little more time in the cloistered halls of academia, and bring some of that discipline and rigor back to the hack-as-you-can world of infosec.

Thanks For Listening!

If you’re among the dozens listening to Security Nation, thank you so much for listening! If this is all news to you, just head on over to securitynationpodcast.com and binge on your next roadtrip. It’s the holidays, after all, and podcasts are a pretty great way to pass the travel time. And, have a great New Year! 2023! It can’t possibly be worse than the last few!

[Security Nation] Jeremi Gosney on the Psychology of Password Hygiene

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/10/26/security-nation-jeremi-gosney-on-the-psychology-of-password-hygiene/

In this episode of Security Nation, Jen and Tod talk to renowned password security expert Jeremi Gosney about how we are all guilty of bad password practices. He discusses the psychology of how we develop the various words/phrase combinations that become our crackable passwords.

Stick around for the Rapid Rundown, where Tod and Jen dive into a great story for Cybersecurity Awareness Month as well as bad data-governance practices.    

Jeremi Gosney

Jeremi Gosney is a renowned password cracker and password security expert. He is a member of the Hashcat core development team, the former CEO of the password cracking firm Terahash, and the author of the Pufferfish and hmac-bcrypt password hashing functions. He also helps run the DEF CON Password Village and the PasswordsCon track at Security BSides Las Vegas.

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[Security Nation] James Kettle of PortSwigger on Advancing Web-Attack Research

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/10/12/security-nation-james-kettle-of-portswigger-on-advancing-web-attack-research/

In this episode of Security Nation, Jen and Tod talk to James Kettle of PortSwigger. Their discussion covers how PortSwigger researches new web-attack techniques and how those techniques get field-tested (hint: bug bounties). The research stays fresh thanks to the bounties gleaned from those field tests. PortSwigger validates its research in the real world, and the resulting advances in web-attack techniques are published and disseminated in an effort to get bugs and misconfigurations fixed.

Stick around for the Rapid Rundown, where Tod and Jen talk about the recent Fortinet advisory concerning the “silent patching” of bugs without disclosure of any real details – only to have attackers go and reverse-engineer the patches anyway.

James Kettle

James ‘albinowax’ Kettle is Director of Research at PortSwigger. His latest work includes browser-powered desync attacks and web-cache poisoning. James has extensive experience cultivating novel attack techniques, including RCE via Server-Side Template Injection and abusing the HTTP Host header to poison password reset emails and server-side caches. James is also the author of various popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues, including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.

Show notes

Interview links

  • Prior Security Nation episode in which loads of PortSwigger references were dropped: https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/
  • New research from James about browser-powered desync attacks: https://portswigger.net/research/browser-powered-desync-attacks

[Security Nation] Taki Uchiyama of Panasonic on Product Security and Incident Response

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/09/28/security-nation-taki-uchiyama-of-panasonic-on-product-security-and-incident-response/

In this episode of Security Nation, Jen and Tod chat with Taki Uchiyama about his work on Panasonic’s Product Security Incident Response Team (PSIRT). They chat about educating folks on vulnerabilities associated with smart devices, the challenges of running PSIRT’s training sessions during the pandemic, and the importance of building security into internet-connected products.

Stick around for our Rapid Rundown, where Tod and Jen talk about a new white paper that shows how parking and toll apps that read license plates could inadvertently be used as a surveillance system.

Taki Uchiyama

Taki Uchiyama is a member of Panasonic PSIRT and is in charge of global product security activities. His main roles include the coordination of vulnerabilities, creating and conducting product security training for product developers, and providing assistance to product development teams on product security matters as necessary. Aside from his role at Panasonic, Taki has been a CVE Board Member since 2016. Prior to joining Panasonic, Taki worked at JPCERT/CC, where his main tasks involved the coordination of vulnerability reports with PSIRTs and taking part in various discussion groups related to the identification, analysis, coordination, and disclosure of vulnerabilities.

Show notes

Interview links

  • Check out Panasonic’s delightful PSIRT page – especially if you have a vulnerability in one of Panasonic’s many, many products to report.

[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/09/14/security-nation-chris-levendis-and-lisa-olson-on-cloud-cves/

In this episode of Security Nation, Jen and Tod chat with Chris Levendis of MITRE and Lisa Olson of Microsoft about assigning CVE IDs for vulnerabilities affecting cloud solutions. They recount their experiences working with the CVE board to establish guidelines for disclosing cloud vulnerabilities and talk through some of the challenges in understanding responsibility for mitigating and managing risks in the cloud.

Stick around for our Rapid Rundown, where Tod and Jen talk about a helpful new feature in iOS 16 that allows users to tell their devices to forget certain Wi-Fi networks, as well as RFC 9293, the newly published Transmission Control Protocol (TCP) specification that obsoletes RFC 793.

Chris Levendis

Chris Levendis is a Principal Systems Engineer in the Cybersecurity Operations & Integration department in the Center for Securing the Homeland at MITRE. He has supported various DHS missions since 2004, including infrastructure protection and cybersecurity. Currently, in support of the Cybersecurity and Infrastructure Security Agency (CISA), Chris leads the Homeland Security Systems Engineering and Development Institute’s (HSSEDI) work for Threat Hunting, Office of the Chief Technology Officer (OCTO), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC).  

Lisa Olson

Lisa Olson has been in the business of developing technology and products to manage complex networks and network devices since the 1980s. She started her career working as a software engineer for IBM and has gone on to management positions for large companies including Boeing and Jupiter/Media Metrix.

For the last 10 years, Lisa has immersed herself in cybersecurity by managing Microsoft’s monthly Security Update releases (aka Patch Tuesday). Under her leadership, Patch Tuesday has undergone digital transformation from a primarily manual labor-intensive production of security bulletins for a relatively small number of products, to a highly automated all-electronic environment supporting hundreds of products including Microsoft’s Azure via a database and APIs. The Security Update Guide is published by Lisa’s team every month and provides information about Microsoft’s CVE list.

[Security Nation] Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/08/31/security-nation-gordon-fyodor-lyon-on-nmap-the-open-source-security-scanner/

In this episode of Security Nation, Jen and Tod chat with Gordon “Fyodor” Lyon, author of the widely used open-source Nmap Security Scanner. On the doorstep of Nmap’s 25th anniversary, Gordon and our hosts talk about the tool’s impact on asset management, as well as the struggles and triumphs of creating and managing the solution. They even cover a few highlights from Hollywood films where Nmap makes a guest appearance.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent warning from the FBI that decentralized finance (DeFi) platforms – i.e., cryptocurrency-based financial services – pose some unique risks, which attackers are already exploiting.

Gordon “Fyodor” Lyon

Gordon “Fyodor” Lyon authored the open-source Nmap Security Scanner in 1997 and continues to coordinate its development. His company also develops and sells Npcap, a raw networking library and driver for Windows. Npcap is now used in hundreds of other software projects, including Wireshark and Microsoft Defender for Identity. Gordon is a founding member of the Honeynet Project and served on the technical advisory boards for Qualys and AlienVault, as well as editorial boards for many conferences and journals. He authored or co-authored the books “Nmap Network Scanning,” “Know Your Enemy: Honeynets,” and “Stealing the Network: How to Own a Continent.” He runs the “Full Disclosure” mailing list, along with popular security resource sites such as SecLists.Org, SecTools.Org, and Insecure.Org.

Show notes

Interview links

  • Check out Nmap if, for some reason, you haven’t already.
  • Learn about Npcap, the packet capture library tool that Gordon and his company also offer.
  • Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube.

[Security Nation] Jen and Tod on Hacker Summer Camp 2022

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/08/18/security-nation-jen-and-tod-on-hacker-summer-camp-2022/

In this episode of Security Nation, Tod and Jen chat about their experience at this year’s Hacker Summer Camp, the multi-event lineup of cybersecurity conferences in Las Vegas that includes BSides, Black Hat, and DEF CON. Tod gives us his highlights from the virtual sessions, and Jen recounts her jam-packed week of presentations (which resulted in a somewhat diminished ability to use her voice for this recording).

No Rapid Rundown this week, since our Vegas wrap-up overlaps with much of the latest security news, making it a Rapid Rundown in itself!

Show notes

Learn more about some of our favorite presentations from the Vegas conferences, including:

[Security Nation] Curt Barnard on Defaultinator (Black Hat Arsenal Preview)

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/08/03/security-nation-curt-barnard-on-defaultinator-black-hat-arsenal-preview/

In this episode of Security Nation, Jen and Tod chat with Curt Barnard, Principal Security Researcher at Rapid7, about a new tool he’ll be presenting at Black Hat Arsenal, the showcase of open-source tools at Black Hat 2022 in Las Vegas. Curt gives us the details about the tool, Defaultinator, which helps security pros look up and audit for default credentials more quickly and effectively. He also tells us what else he’s excited about at this year’s lineup of cybersecurity conferences in Vegas next week.

Stick around for our Rapid Rundown, where Tod and Jen talk about a Rapid7 alum’s discovery of a vulnerability in DSL and fiber routers from Arris, as well as a recent article that debates the benefits of sharing exploit proofs of concept versus keeping them private.

Curt Barnard

Curt Barnard is a cybersecurity professional with 15 years of experience across both the public and private sector. At Rapid7, Curt is a Principal Security Researcher working with projects Sonar and Heisenberg, analyzing internet-wide security issues with global impact. Before joining the team at Rapid7, Curt spent time breaking software with the Department of Defense, vetting cybersecurity companies for venture capital firms, and building his own startup from the ground up. When he isn’t busy popping calc.exe, Curt enjoys changing your desktop’s wallpaper and moving your icons around.

[Security Nation] Jacques Chester of Shopify Talks CVSS Scores

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/07/20/security-nation-jacques-chester-of-shopify-talks-cvss-scores/

In this episode of Security Nation, Shopify Senior Staff Software Developer Jacques Chester joins Jen and Tod to discuss his intriguing paper on CVSS scores and the overall oddness of vulnerability distribution. The trio also dives into Jacques’ journey to understanding how security systems affect people in the real world.

Stick around for our Rapid Rundown, where Tod and Jen discuss PyPI’s alert to certain open-source package maintainers that two-factor authentication (2FA) is being mandated on the platform.

Jacques Chester

Jacques is a Senior Staff Software Developer at Shopify in the Ruby & Rails Infrastructure group. He leads work on upstream and community improvements to supply chain security, with a focus on the Ruby ecosystem. Previously he worked in cloud-native platforms and consulting for VMware and Pivotal. He is a cat dad.

[Security Nation] Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/07/06/security-nation-pete-cooper-and-irene-pontisso-on-the-results-of-the-uk-governments-security-culture-challenge/

In this episode of Security Nation, Jen and Tod are joined again by Pete Cooper and Irene Pontisso of the UK Cabinet Office for a follow-up on the cybersecurity culture challenge they launched in 2021. Pete and Irene run us through the results, what kinds of interventions participants came up with, and what has them excited about building a more resilient government security culture in the years to come.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent write-up that takes a deep dive into a curious form of social-engineering scam: pig-butchering. Spoiler: It has nothing to do with actual pigs but everything to do with highly specific text messages from numbers you don’t recognize.

Pete Cooper

Pete is Deputy Director Cyber Defence within the Government Security Group in the UK Cabinet Office where he looks over the whole of the Government sector and is responsible for the Government Cyber Security Strategy, standards, and policies, as well as responding to serious or cross-government cyber incidents. With a diverse military, private sector, and government background, he has worked on everything ranging from cyber operations, global cybersecurity strategies, advising on the nature of state-versus-state cyber conflict to leading cybersecurity change across industry, public sector and the global hacker community, including founding and leading the Aerospace Village at DEF CON.  A fast jet pilot turned cyber operations advisor, who on leaving the military in 2016 founded the UK’s first multi-disciplinary cyber strategy competition, he is passionate about tackling national and international cybersecurity challenges through better collaboration, diversity, and innovative partnerships. He has a Post Grad in Cyberspace Operations from Cranfield University. He is a Non-Resident Senior Fellow at the Cyber Statecraft Initiative of the Scowcroft Centre for Strategy and Security at the Atlantic Council and a Visiting Senior Research Fellow in the Dept of War Studies, King’s College London.

Irene Pontisso

Irene is Assistant Head of Engagement and Information within the Government Security Group in the UK Cabinet Office. Irene is responsible for the design and strategic oversight of cross-government security education, awareness, and culture-related initiatives. She is also responsible for leading cross-government engagement and press activities for Government Security and the Government Chief Security Officer. Irene started her career in policy and international relations through her roles at the United Nations Platform for Space-based Information for Disaster Management and Emergency Response (UN-SPIDER). Irene also has significant industry and third sector experience, and she partnered with the world’s leading law firms to provide free access to legal advice for NGOs on international development projects. She also has experience in leading large-scale exhibitions and policy research in corporate environments. She holds an MSc in International Relations from the University of Bristol and a BSc from the University of Turin.

Show notes

Rapid Rundown links

  • Check out the article on so-called pig-butchering scams.

[Security Nation] Steve Micallef of SpiderFoot on Open-Source Intelligence

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/06/22/security-nation-steve-micallef-of-spiderfoot-on-open-source-intelligence/

In this episode of Security Nation, Jen and Tod chat with Steve Micallef about SpiderFoot, the open-source intelligence tool of which he is the creator and founder. He tells us how the platform went from a passion project to a fully fledged open-source offering, with a SaaS option to boot, and how it can help security engineers automate tasks and focus on finding the major threats in their data.

Stick around for our Rapid Rundown, where Tod chats with producer Jesse about a new paper that reveals all is not as it seems with CVSS scores.

Steve Micallef

Steve Micallef is the author of SpiderFoot (www.spiderfoot.net), an open-source OSINT automation platform. You can follow him @binarypool on Twitter.

Show notes

Rapid Rundown links

  • Read the full paper, “A Closer Look at CVSS Scores.”
  • Follow the author, Jacques Chester, on Twitter.

[Security Nation] Phillip Maddux on HoneyDB, the Open-Source Honeypot Data Project

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/06/08/security-nation-phillip-maddux-on-honeydb-the-open-source-honeypot-data-project/

In this episode of Security Nation, Jen and Tod chat with Phillip Maddux about his project HoneyDB, a site that pulls data together from honeypots around the world in a handy, open-source format for security pros and researchers. He details how his motivations for creating HoneyDB derived from his time in application security and why he thinks open source is such a great format for this kind of project.

No Rapid Rundown this week, since RSAC 2022 has Tod tied up (and several time zones farther from Jen than usual). If you’re in San Francisco for the conference, stop by the Rapid7 booth and say hi!

Phillip Maddux

Phillip Maddux is a staff engineer on the Detection and Response Engineering team at Compass. He has over 15 years of experience in information security, with the majority of that time focused on application security in the financial services sector. Throughout his career, Phillip has been a honeypot enthusiast and is the creator of HoneyDB.io.

[Security Nation] Omer Akgul and Richard Roberts on YouTube VPN Ads

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/05/25/security-nation-omer-akgul-and-richard-roberts-on-youtube-vpn-ads/

In this episode of Security Nation, Jen and Tod chat with academics Omer Akgul and Richard Roberts about their recent paper, “Investigating Influencer VPN Ads on YouTube.” They talk about the over-promising and obfuscation that’s commonplace in advertisements for commercial VPN services on the video streaming platform and what these tactics reveal about communication around security tools and ideas to laypeople.

Stick around for our Rapid Rundown, where our hosts talk with Rapid7’s public policy guru Harley Geiger about the recent news that the US Department of Justice will no longer charge good-faith security researchers under the Computer Fraud and Abuse Act.

Omer Akgul

Omer Akgul is a fifth-year Computer Science Ph.D. student at the University of Maryland, College Park. Advised by Michelle Mazurek, Omer works on human-factors problems in security and privacy. Most recently, he has been investigating harmful mental models of secure communication tools. His research regularly appears in prominent security and privacy venues and can be found here.

Richard Roberts

Richard Roberts is a Ph.D. student at the University of Maryland studying computer science with Dr. Dave Levin. There is often a disconnect between technical specification and lay user perception. Richard is interested in how those cracks form, how they are leveraged by malicious actors, and how to design technical solutions that meet users where they are. Richard’s other research interests include authentication and impersonation on the internet, measurements and unintended consequences of the web’s PKI, and how security is depicted in media.

You can find links to his publications and more information about his work here.

[Security Nation] Jim O’Gorman and g0tmi1k on Kali Linux

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/05/11/security-nation-jim-ogorman-and-g0tmi1k-on-kali-linux/

In this episode of Security Nation, Jen and Tod sit down with Jim O’Gorman and Ben “g0tmi1k” Wilson of Offensive Security to chat about Kali Linux. They walk our hosts through the vision behind Kali and how they understand the uses, advantages, and challenges of open-source security tools.

Stick around for our Rapid Rundown, where producer Jesse joins Tod to talk about an upcoming change in security protocols across the internet that might make passwords obsolete (eventually).

Jim O’Gorman


Jim O’Gorman (Elwood) began his tech career as a network administrator with a particular talent for network intrusion simulation, digital investigations, and malware analysis. Jim started teaching for OffSec in 2009 as an instructor for the Penetration Testing with Kali (PWK) course — a role he still enjoys. He went on to co-author Metasploit: The Penetration Tester’s Guide and Kali Linux: Revealed, and has developed and curated a number of OffSec courses. As Chief Content and Strategy Officer, he currently oversees the open source Kali Linux development project and participates in OffSec’s Penetration Testing Team.

Ben “g0tmi1k” Wilson


Ben “g0tmi1k” Wilson has been in the information security world for nearly two decades. Since joining Offensive Security nine years ago, he has applied his experience in a number of roles, including live instructor, content developer, and security administrator. He currently manages the day-to-day activity of Kali Linux and develops the distribution, pushing it forward. He has worked on various vulnerabilities published on Exploit-DB, a project he also maintains. He also created and still runs VulnHub, which provides vulnerable machines for hands-on practice.

Show notes

Interview links

Rapid Rundown links


[Security Nation] Whitney Merrill on the Crypto & Privacy Village (and the Latest in Data Privacy)

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/04/27/security-nation-whitney-merrill-on-the-crypto-privacy-village-and-the-latest-in-data-privacy/


In this episode of Security Nation, Jen and Tod chat with Whitney Merrill, Data Protection Officer at Asana, about her work on the Crypto & Privacy Village and data privacy more broadly. She talks about how she keeps up with both the excitement and the effort of running the village, a mainstay at DEF CON each year – including the curveballs thrown by COVID-19. Whitney also takes Jen and Tod’s questions about the major data privacy topics of the day, touching on everything from vaccine passports to new legislation in California, targeted advertising, and the overlap between security and privacy.

Stick around for our Rapid Rundown, where Tod and Jen talk about psychic signatures in Java – which doesn’t involve ghosts, but does involve Dr. Who.
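The “psychic signatures” item refers to CVE-2022-21449, the ECDSA verification bug in the Java 15 to 18 implementation that accepted a signature of r = s = 0 for any message and any key. As an added example, not code from the show or from the JDK, the Python below implements textbook ECDSA over P-256 and places a verifier that models that failure (no range check on r and s, and an inverse computed by Fermat exponentiation, which maps 0 to 0) next to a verifier that checks 1 <= r, s < n first. The private key and nonce are fixed constants so the run is reproducible; in real use the nonce must be secret and unique per signature, and this affine, non-constant-time arithmetic is for illustration only.

```python
"""ECDSA over NIST P-256 in pure Python (Python 3.8+), illustrating the
'psychic signature' failure mode beside a correct verifier.
Added example; not code from the podcast or from the JDK."""
import hashlib

# NIST P-256 domain parameters (public constants)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity (group identity)


def _add(p, q):
    """Affine point addition on the curve; INF is the identity element."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p == -q
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    r = INF
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _hash_int(msg: bytes) -> int:
    """SHA-256 of the message as an integer (same bit length as n, so no truncation)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keypair(d: int):
    """Private scalar d and public point Q = d*G."""
    return d, _mul(d, G)


def sign(d: int, msg: bytes, k: int):
    """Textbook ECDSA signing. The caller supplies the nonce k here only so
    the example is deterministic; in real use k must be secret and unique."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_hash_int(msg) + d * r) % N
    assert r != 0 and s != 0, "degenerate nonce; pick another k"
    return r, s


def verify_unchecked(pub, msg: bytes, r: int, s: int) -> bool:
    """Models the bug: r and s are used without checking 1 <= r, s < N, and
    s^-1 is computed as s^(N-2) mod N, which maps 0 to 0. With r = s = 0,
    u1 = u2 = 0, the sum is the point at infinity, its x-coordinate reads
    back as 0, and 0 == r, so the 'signature' verifies for any message."""
    w = pow(s, N - 2, N)
    u1 = _hash_int(msg) * w % N
    u2 = r * w % N
    R = _add(_mul(u1, G), _mul(u2, pub))
    x = 0 if R is INF else R[0]
    return x % N == r


def verify(pub, msg: bytes, r: int, s: int) -> bool:
    """Correct verifier: range-check r and s first and reject a result at infinity."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1 = _hash_int(msg) * w % N
    u2 = r * w % N
    R = _add(_mul(u1, G), _mul(u2, pub))
    return R is not INF and R[0] % N == r


if __name__ == "__main__":
    # Fixed private key and nonce so the demonstration is reproducible (constructed values).
    d, pub = keypair(0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721)
    r, s = sign(d, b"sample", 0xa6e3c57dd01abe90086538398355dd4c3b17aa873382b0f24d6129493d8aad60)
    print("genuine signature:", verify(pub, b"sample", r, s), verify_unchecked(pub, b"sample", r, s))
    print("r = s = 0 on any message:", verify(pub, b"anything", 0, 0), verify_unchecked(pub, b"anything", 0, 0))
```

The fix in practice is the first two lines of `verify`: a verifier that takes r and s from the wire and uses them without confirming both lie in [1, n-1] has no cryptographic guarantee left, whatever the rest of the arithmetic does.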

Whitney Merrill


Whitney Merrill is Asana’s Data Protection Officer and heads up the growing privacy team. Previously she was Privacy, eCommerce & Consumer Protection Counsel at Electronic Arts (EA) and an attorney at the Federal Trade Commission. In her spare time, she runs the Crypto & Privacy Village, a nonprofit, which appears at DEF CON & BSidesSF each year.

Show notes

Interview links

Rapid Rundown links


[Security Nation] Kate Stewart on Open-Source Projects at the Linux Foundation

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/04/13/security-nation-kate-stewart-on-open-source-projects-at-the-linux-foundation/


In this episode of Security Nation, Jen and Tod chat with Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation, about the open-source security projects she’s working on, including the Zephyr project. They chat about strategies for dealing with bugs and vulnerabilities in today’s complex tech landscape, including the much talked-about software bill of materials (SBOM), so we can reap the benefits of open source while avoiding the downsides as much as possible.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent piece of news in the open-source community: a developer shipped a piece of “protestware” decrying Russia’s aggression in Ukraine inside the “event-source-polyfill” npm package. They also pay homage to healthcare cybersecurity stalwart Mike Murray, who recently passed away.

Kate Stewart


Kate Stewart works with the safety, security, and license compliance communities to advance the adoption of best practices in embedded open-source projects. With over 30 years of experience in the software industry, she has held a variety of roles, worked as a developer in Canada, Australia, and the US, and for the last 20 years has managed international software development teams and activities. Kate was one of the founders of SPDX and is currently its specification coordinator. She is also the co-lead for the NTIA SBOM formats and tooling working group. Since joining The Linux Foundation, she has launched the ELISA and Zephyr projects, among others, and supports other embedded projects.

Show notes

Interview links

Rapid Rundown links


[Security Nation] David Rogers on IoT Security Legislation

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/03/30/security-nation-david-rogers-on-iot-security-legislation/


In this episode of Security Nation, Jen and Tod chat with David Rogers, CEO at Copper Horse Ltd., about the Product Security and Telecommunications Infrastructure (PSTI) bill, a new piece of IoT security legislation in the UK. He runs through the new regulations that the bill includes for manufacturers of connected smart devices – including everything from home products to health devices – and details all the many steps it takes to get legislation like this signed into law.

Stick around for our Rapid Rundown, where Tod and Jen talk about the latest edition of Rapid7’s Vulnerability Intelligence Report, which covers all the need-to-know vulnerabilities from 2021, a year that began with SolarWinds and ended with Log4j (i.e. a VERY busy year for this sort of thing).

David Rogers


David is a mobile phone and IoT security specialist who runs Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on product security for the Internet of Things, as well as future automotive cybersecurity.

David chairs the Fraud and Security Group at the GSMA and sits on the Executive Board of the Internet of Things Security Foundation. He authored the UK’s Code of Practice for Consumer IoT Security, in collaboration with UK government and industry colleagues, and is a member of the UK’s Telecoms Supply Chain Diversification Advisory Council.

He has worked in the mobile industry for over 20 years in security and engineering roles. Prior to this, he worked in the semiconductor industry. David holds an MSc in Software Engineering from the University of Oxford and an HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012 to 2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.

He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019.

He blogs from https://mobilephonesecurity.org and tweets at @drogersuk.

Show notes

Interview links

Rapid Rundown links


[Security Nation] Bob Lord on Securing the DNC

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/03/16/bob-lord-on-securing-the-dnc/


In this episode of Security Nation, Jen and Tod chat with Bob Lord, until recently the Chief Security Officer for the Democratic National Committee, about the unique challenges of overseeing cybersecurity at a high-profile political entity. Bob talks about becoming the Marie Kondo of cybersecurity, the importance of people and process, and getting peers and leaders alike to buy into major habit changes designed to improve security.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent academic paper on influencer VPN ads on YouTube and its implications for how laypeople learn about security.

Bob Lord


Bob Lord most recently served as the first Chief Security Officer at the Democratic National Committee. In that role he worked to secure the Committee, as well as helping state parties and campaigns with their security programs. Previous roles include CISO at Yahoo, CISO in Residence at Rapid7, and before that he headed up Twitter’s information security program as its first security hire. You can see some of his hobbies at https://www.ilord.com.

Show notes

Interview links

Rapid Rundown links


[Security Nation] Matthew Kienow on Open-Source Security and the Recog Framework

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/03/03/security-nation-matthew-kienow-open-source/


In this episode of Security Nation, Jen and Tod chat with Matthew Kienow, Senior Software Engineer at Rapid7, about open-source security – a subject he knows a thing or two about from his work on Metasploit, AttackerKB, and most recently the Recog recognition framework. They discuss the selling points and drawbacks of open source, why seeing all the code doesn’t mean you can see all the bugs, and how open-source projects like Recog make the digital world a better place.

Stick around for our Rapid Rundown, where Matt stays on to chat with Tod and Jen about a worrying trend in DDoS attacks that allows for amplification factors of up to 65x.

Matthew Kienow


Matthew Kienow is a software engineer and security researcher. Matthew is currently responsible for the Recog recognition framework project at Rapid7 and previously worked on the AttackerKB project, as well as Metasploit’s MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost, and SC Magazine.

Show notes

Interview links

Rapid Rundown links


[Security Nation] Amit Serper on Finding Leaks in Autodiscover

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/02/16/security-nation-amit-serper-on-finding-leaks-in-autodiscover/


In this episode of Security Nation, Jen and Tod chat with Amit Serper, Director of Security Research at Akamai, on his work uncovering a flaw in the Autodiscover protocol within Microsoft Exchange that can leak domain credentials outside an organization. Amit details some of the techniques he and his team used during the discovery – and the five months of research that followed to validate and document their findings, including the social media aftermath of the disclosure.
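The leak Amit describes comes from how an Autodiscover client derives candidate hostnames from the user’s e-mail address: the published research showed that, after the domain-specific candidates fail, some clients “back off” by stripping the leftmost label, so a lookup for example.com ends at autodiscover.com, a host the organization does not control, and the client’s credentials go with the request. As an added example, not code from the show or from the research it describes, the Python below models that back-off (the exact candidate order differs between client implementations, so the ordering here is an assumption) and shows the guard a client should apply: never contact a host outside the user’s own mail domain, and never over plain HTTP.

```python
"""Autodiscover candidate generation, the 'back-off' that leaks credentials
outside the organization, and a guard that stops it.
Added example; the candidate ordering is an assumption, not a spec."""
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def mail_domain(email: str) -> str:
    """Domain part of the address, lower-cased."""
    return email.rsplit("@", 1)[1].lower()


def autodiscover_candidates(email: str, back_off: bool = True) -> list:
    """Candidate Autodiscover URLs in the order a naive client might try them.
    The first two are the well-known domain-specific locations. The rest model
    the back-off: strip the leftmost label of the domain and try
    autodiscover.<parent> until only the TLD is left (assumed ordering)."""
    domain = mail_domain(email)
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]
    if back_off:
        labels = domain.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])          # example.com -> com
            urls.append(f"http://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def in_user_domain(url: str, email: str) -> bool:
    """Guard: the target must be the user's mail domain or a subdomain of it,
    and the request must use HTTPS. Anything else must not see credentials."""
    domain = mail_domain(email)
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False
    return host == domain or host.endswith("." + domain)


def safe_candidates(email: str) -> list:
    """Candidates a hardened client is allowed to send credentials to."""
    return [u for u in autodiscover_candidates(email) if in_user_domain(u, email)]


def leaked_hosts(email: str) -> list:
    """Hosts a naive client would hand credentials to that are outside the org."""
    return [urlparse(u).hostname
            for u in autodiscover_candidates(email)
            if not in_user_domain(u, email)]


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@corp.example.co.uk"):   # constructed addresses
        print(addr)
        print("  naive client tries:", autodiscover_candidates(addr))
        print("  credentials leak to:", leaked_hosts(addr))
        print("  hardened client tries:", safe_candidates(addr))
```

The guard is deliberately strict: for bob@corp.example.co.uk it also refuses autodiscover.example.co.uk, the parent organization’s domain, because the client has no way to know that the parent is trusted. If a deployment legitimately hosts Autodiscover one level up, that host belongs in an explicit allow-list, not in a back-off rule that eventually reaches autodiscover.co.uk and autodiscover.uk.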

Stick around for our Rapid Rundown, where Tod and Jen talk about the improvements in vulnerability disclosure time as revealed by the latest report from Google’s Project Zero.

Amit Serper


Amit Serper is the Director of Security Research at Akamai Technologies’ Enterprise Security group. He specializes in low-level, vulnerability, and kernel research, malware analysis, and reverse engineering on Windows, Linux, and macOS. Amit’s career in security spans over 15 years, in which he worked at an Israeli government intelligence agency conducting cutting-edge research and, later, at security startups Cybereason and Guardicore, where he led complex research projects and thwarted a few global attacks (such as NotPetya, BadRabbit, and Operation Soft Cell). Amit has been active in the security community for a few years now, speaking at conferences and releasing various research papers and blogs.

Show notes

Interview links

Rapid Rundown links

  • Read up on the vulnerability disclosure metrics from Google’s Project Zero.
