In this episode of Security Nation, Jen and Tod chat with Steve Micallef about SpiderFoot, the open-source intelligence tool of which he is the creator and founder. He tells us how the platform went from a passion project to a fully fledged open-source offering, with a SaaS option to boot, and how it can help security engineers automate tasks and focus on finding the major threats in their data.
Stick around for our Rapid Rundown, where Tod chats with producer Jesse about a new paper that reveals all is not as it seems with CVSS scores.
Steve Micallef is the author of SpiderFoot (www.spiderfoot.net), an open-source OSINT automation platform. You can follow him @binarypool on Twitter.
In this episode of Security Nation, Jen and Tod chat with Phillip Maddux about his project HoneyDB, a site that pulls data together from honeypots around the world in a handy, open-source format for security pros and researchers. He details how his motivations for creating HoneyDB derived from his time in application security and why he thinks open source is such a great format for this kind of project.
No Rapid Rundown this week, since RSAC 2022 has Tod tied up (and several time zones farther from Jen than usual). If you’re in San Francisco for the conference, stop by the Rapid7 booth and say hi!
Phillip Maddux is a staff engineer on the Detection and Response Engineering team at Compass. He has over 15 years of experience in information security, with the majority of that time focused on application security in the financial services sector. Throughout his career, Phillip has been a honeypot enthusiast and is the creator of HoneyDB.io.
In this episode of Security Nation, Jen and Tod chat with academics Omer Akgul and Richard Roberts about their recent paper, “Investigating Influencer VPN Ads on YouTube.” They talk about the over-promising and obfuscation that’s commonplace in advertisements for commercial VPN services on the video streaming platform and what these tactics reveal about communication around security tools and ideas to laypeople.
Stick around for our Rapid Rundown, where our hosts talk with Rapid7’s public policy guru Harley Geiger about the recent news that the US Department of Justice will stop prosecuting ethical hackers.
Omer Akgul is a fifth-year Computer Science Ph.D. student at the University of Maryland, College Park. Advised by Michelle Mazurek, Omer works on several human factors in security and privacy problems. Most recently, he has been investigating harmful mental models of secure communication tools. His research regularly appears in prominent security and privacy venues and can be found here.
Richard Roberts is a Ph.D. student at the University of Maryland studying computer science with Dr. Dave Levin. There is often a disconnect between technical specification and lay user perception. Richard is interested in how those cracks form, how they are leveraged by malicious actors, and how to design technical solutions that meet users where they are. Richard’s other research interests include authentication and impersonation on the internet, measurements and unintended consequences of the web’s PKI, and how security is depicted in media.
You can find links to his publications and more information about his work here.
In this episode of Security Nation, Jen and Tod sit down with Jim O’Gorman and Ben “g0tmi1k” Wilson of Offensive Security to chat about Kali Linux. They walk our hosts through the vision behind Kali and how they understand the uses, advantages, and challenges of open-source security tools.
Stick around for our Rapid Rundown, where producer Jesse joins Tod to talk about an upcoming change in security protocols across the internet that might make passwords obsolete (eventually).
Jim O’Gorman (Elwood) began his tech career as a network administrator with a particular talent for network intrusion simulation, digital investigations, and malware analysis. Jim started teaching for OffSec in 2009 as an instructor for the Penetration Testing with Kali (PWK) course — a role he still enjoys. He went on to co-author Metasploit: The Penetration Tester’s Guide and Kali Linux: Revealed, and has developed and curated a number of OffSec courses. As the Chief Content and Strategy officer, he currently oversees the open source Kali Linux development project and participates with OffSec’s Penetration Testing Team.
Ben “g0tmi1k” Wilson
Ben “g0tmi1k” Wilson has been in the information security world for nearly two decades. Since joining Offensive Security nine years ago, he has applied his experience in a number of roles, including live instructor, content developer, and security administrator. He currently manages the day-to-day activity of Kali Linux as well as developing it and pushing it forward. He has worked on various vulnerabilities, which are published on Exploit-DB, a project he also works on. Furthermore, he created and still runs VulnHub, which provides hands-on experience.
In this episode of Security Nation, Jen and Tod chat with Whitney Merrill, Data Protection Officer at Asana, about her work on the Crypto & Privacy Village and data privacy more broadly. She talks about how she keeps up with both the excitement and the effort of running the village, a mainstay at DEF CON each year – including the curveballs thrown by COVID-19. Whitney also takes Jen and Tod’s questions about the major data privacy topics of the day, touching on everything from vaccine passports to new legislation in California, targeted advertising, and the overlap between security and privacy.
Stick around for our Rapid Rundown, where Tod and Jen talk about psychic signatures in Java – which doesn’t involve ghosts, but does involve Dr. Who.
Whitney Merrill is Asana’s Data Protection Officer and heads up the growing privacy team. Previously she was Privacy, eCommerce & Consumer Protection Counsel at Electronic Arts (EA) and an attorney at the Federal Trade Commission. In her spare time, she runs the Crypto & Privacy Village, a nonprofit, which appears at DEF CON & BSidesSF each year.
In this episode of Security Nation, Jen and Tod chat with Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation, about the open-source security projects she’s working on, including the Zephyr project. They chat about strategies for dealing with bugs and vulnerabilities in today’s complex tech landscape, including the much talked-about software bill of materials (SBOM), so we can reap the benefits of open source while avoiding the downsides as much as possible.
Stick around for our Rapid Rundown, where Tod and Jen talk about a recent piece of news in the open-source community: A developer used the “event-source-polyfill” npm package to write a piece of “protestware” decrying Russia’s aggression in Ukraine. They also pay homage to healthcare cybersecurity stalwart Mike Murray, who recently passed away.
Kate Stewart works with the safety, security, and license compliance communities to advance the adoption of best practices into embedded open-source projects. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US and for the last 20 years has managed international software development teams and activities. Kate was one of the founders of SPDX and is currently the specification coordinator. She is also the co-lead for the NTIA SBOM formats and tooling working group. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects among others, as well as supporting other embedded projects.
In this episode of Security Nation, Jen and Tod chat with David Rogers, CEO at Copper Horse Ltd., about the Product Security and Telecommunications Infrastructure (PSTI) bill, a new piece of IoT security legislation in the UK. He runs through the new regulations that the bill includes for manufacturers of connected smart devices – including everything from home products to health devices – and details all the many steps it takes to get legislation like this signed into law.
Stick around for our Rapid Rundown, where Tod and Jen talk about the latest edition of Rapid7’s Vulnerability Intelligence Report, which covers all the need-to-know vulnerabilities from 2021, a year that began with SolarWinds and ended with Log4j (i.e. a VERY busy year for this sort of thing).
David is a mobile phone and IoT security specialist who runs Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on product security for the Internet of Things, as well as future automotive cybersecurity.
David chairs the Fraud and Security Group at the GSMA and sits on the Executive Board of the Internet of Things Security Foundation. He authored the UK’s Code of Practice for Consumer IoT Security, in collaboration with UK government and industry colleagues, and is a member of the UK’s Telecoms Supply Chain Diversification Advisory Council.
He has worked in the mobile industry for over 20 years in security and engineering roles. Prior to this, he worked in the semiconductor industry. David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012-2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.
He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019.
Listen to Caitlin Condon, lead author of the report, on Duo’s Decipher podcast.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
In this episode of Security Nation, Jen and Tod chat with Bob Lord, recently the Chief Security Officer for the Democratic National Committee, about the unique challenges of overseeing cybersecurity at a high-profile political entity. Bob talks about becoming the Marie Kondo of cybersecurity, the importance of people and process, and getting peers and leaders alike to buy into major habit changes designed to improve security.
Stick around for our Rapid Rundown, where Tod and Jen talk about a recent academic paper on influencer VPN ads on YouTube and its implications for how laypeople learn about security.
Bob Lord most recently served as the first Chief Security Officer at the Democratic National Committee. In that role he worked to secure the Committee, as well as helping state parties and campaigns with their security programs. Previous roles include CISO at Yahoo, CISO in Residence at Rapid7, and before that he headed up Twitter’s information security program as its first security hire. You can see some of his hobbies at https://www.ilord.com.
In this episode of Security Nation, Jen and Tod chat with Matthew Kienow, Senior Software Engineer at Rapid7, about open-source security – a subject he knows a thing or two about from his work on Metasploit, AttackerKB, and most recently the Recog recognition framework. They discuss the selling points and drawbacks of open source, why seeing all the code doesn’t mean you can see all the bugs, and how open-source projects like Recog make the digital world a better place.
Stick around for our Rapid Rundown, where Matt sticks around to chat with Tod and Jen about a worrying trend in DDoS attacks that allows for amplification levels of 65x.
Matthew Kienow is a software engineer and security researcher. Matthew is currently responsible for the Recog recognition framework project at Rapid7 and previously worked on the AttackerKB project, as well as Metasploit’s MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost, and SC Magazine.
In this episode of Security Nation, Jen and Tod chat with Amit Serper, Director of Security Research at Akamai, on his work uncovering a flaw in the Autodiscover protocol within Microsoft Exchange that can leak domain credentials outside an organization. Amit details some of the techniques he and his team used during the discovery – and the five months of research that followed to validate and document their findings, including the social media aftermath of the disclosure.
Stick around for our Rapid Rundown, where Tod and Jen talk about the improvements in vulnerability disclosure time as revealed by the latest report from Google’s Project Zero.
Amit Serper is the Director of Security Research at Akamai Technologies’ Enterprise Security group. He specializes in low-level, vulnerability, and kernel research, malware analysis, and reverse engineering on Windows, Linux, and macOS. Amit’s career in security spans over 15 years, during which he worked at an Israeli government intelligence agency conducting cutting-edge research and, later, at security startups Cybereason and Guardicore, where he led complex research projects and thwarted a few global attacks (such as NotPetya, BadRabbit, and Operation Softcell). Amit has been active in the security community for a few years now, speaking at conferences and releasing various research papers and blogs.
In this episode of Security Nation, Jen chats with John Rouffas, CISO at intelliflo, about his experience building out a security function and team at a young and growing SaaS company. He shares his secrets of relationship-building (being a Brit, pubs are involved) and some of the key questions he asks when starting at a company that’s never had a CISO before. He also covers some of the challenges, including gaining visibility, and why being the dumbest person in the room is sometimes a good thing.
Stick around for our Rapid Rundown, where Tod and Jen talk about the 8 new vulnerabilities that CISA recently added to their Known Exploited Vulnerability (KEV) list.
John Rouffas is recognized and respected as a leader in security operations on both sides of the Atlantic, having designed and implemented security operational and threat response capabilities since before the advent of SIEM technologies, for some of the largest government and multinational organizations in the world. He’s been involved with the development of operational technology security techniques for alerting within IT security operations environments, some of which have been adopted by critical infrastructure organizations in the United States. More recently, he’s been leading security maturity capabilities for SaaS organizations in the UK and US. Currently, he sits in the role of CISO at intelliflo.
John has been fortunate to combine two of his main passions in life: intelligence and technology. Some of his most notable experiences came while working with various US government agencies and developing large-scale security transformations, critical infrastructure defense techniques, innovative security operations, forensics, and threat intelligence strategies.
He’s also a qualified cricket coach, who still possesses a solid forward defensive stroke, and a very loud drummer (not necessarily a good one).
Take up John on the offer to spam him on LinkedIn.
In our first episode of Security Nation Season 5, Jen and Tod chat with Mike Hanley, Chief Security Officer at GitHub, all about the major vulnerability in Apache’s Log4j logging library (aka Log4Shell). Mike talks about the ins and outs of GitHub’s response to this blockbuster vulnerability and what could have helped the industry deal with an issue of this massive scope more effectively (hint: he drops the SBOM). They also touch on GitHub’s updated policy on the sharing of exploits.
Stick around for our Rapid Rundown, where Tod and Jen talk about Microsoft’s release of emergency fixes for Windows Server and VPN over Martin Luther King Day weekend.
Mike Hanley is the Chief Security Officer at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.
When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and seven kids.
Most of us allow ourselves a few extra indulgences around the holidays — so despite my best editorial sensibilities, I’m letting myself indulge here in a well-deserved and sincerely meant cliche: For those of us who work on the Security Nation podcast, it really is a gift that keeps on giving.
Getting to hear our research and policy champions Jen Ellis and Tod Beardsley chat with some of the most thoughtful and influential people in cybersecurity on a biweekly basis is a welcome reminder of how vibrant and forward-thinking the security community is — especially during a time when virtual meetings and at-home workweeks are still the norm for most of us, and our work lives still feel more isolated than they once did.
To wrap up this year of podcasting, Security Nation’s Producer Jennifer Carson (who’s also a Senior Solutions Engineer here at Rapid7) and I thought it would be fun to convince Jen and Tod to let us turn the tables and interview them for a change. Sure, it was a somewhat transparent attempt to win ourselves a few moments in the spotlight, but it also gave us a chance to get together and reminisce about the year’s podcasting exploits. We covered:
How Jen and Tod got started in the podcasting game
The biggest security stories we covered this year
Jen and Tod’s most memorable podcast moments from 2021
The episode that made our normally fearless hosts tear up
Why PCI DSS compliance is more exciting than you might think
Who our dream guests are for 2022
And much more!
Check out the full conversation, see all of our shining faces, and get excited for what’s to come in 2022.
In the final installment of Season 4 of Security Nation, Jen and Tod sit down with Chris John Riley, senior security engineer at Google and co-host of the First Impressions podcast (the one about cybersecurity, not Jane Austen). They chat about Minimum Viable Secure Product (MVSP), a set of controls Chris recently helped develop at Google that aim to provide a better baseline for security when evaluating vendor risk. They discuss the state of supply chain security for technology vendors and the challenges of establishing what really qualifies as “minimum” in terms of security protocols.
Stick around for our Rapid Rundown, where Tod and Jen talk about a recently disclosed DNS rebinding vulnerability in Sky routers that exposed them to takeover attacks over the course of a whopping 17 months.
Check back in with us for Season 5 of Security Nation in January. In the meantime, have a safe holiday and a happy New Year!
Chris John Riley
Chris John Riley is a Senior Security Engineer at Google, where he is tech lead for the vendor reviews focus area.
In his spare time, Chris collects books (that he never finds time to read) and spends his weekend taking long romantic walks from the sofa to the kitchen (mostly for snacks).
In this episode of Security Nation, Jen and Tod chat with Michael Powell about his work as specialist cyber representative to North America for the UK’s Department for International Trade (DIT). After confirming that Michael is not actually a spy (or is he?), they discuss the excitement and challenges of creating cross-continental collaboration on some of the most pressing cybersecurity issues organizations face today — including supply chain risk, ransomware, and the role of government in moving the needle on these threats.
Stick around for our Rapid Rundown, where Tod and Jen talk about inTheWild, a new open-source, community-driven database for vulnerabilities that are being actively exploited.
Michael Powell is DIT’s cyber sector trade specialist in North America. His background includes over 15 years of experience with major enterprise and start-ups, defining and delivering managed and professional cybersecurity services for law enforcement and commercial organizations. Michael is based on the East Coast, advising UK companies on North America market entry – leveraging DIT’s network to discuss resourcing, legislation, and the evolving needs of buyers. He is a proponent of workforce diversity across the tech sector and has a strong technical background to understand and discuss solutions to complex organizational cybersecurity problems. When not advising UK companies, he works closely with the London specialist teams, and partners, on investment opportunities and being an in-market voice for the UK cybersecurity ecosystem.
In this special bonus episode of Security Nation, Jen and Tod chat with Pete Cooper and Irene Pontisso from the UK Cabinet Office about their current competition aiming to promote cybersecurity culture among small businesses. They highlight their 9 hypotheses, which touch on the role of human factors, the distinction between cyber culture and security culture, and the importance of leadership. They chat about why they decided to get help validating these ideas through a competition format — the “Bakeoff Approach,” as Irene calls it — to promote collaborative thinking and get a sense of what organizations are doing on these issues today.
The deadline to apply for the competition is fast approaching on Monday, November 8, and winners will be awarded contracts to carry out the competition over 12 weeks, beginning in late November. Check out the Invitation to Tender to submit your entry!
Pete Cooper is Deputy Director Cyber Defence within the Government Security Group in the UK Cabinet Office, where he looks over the whole of the Government sector and is responsible for the Government Cyber Security Strategy, standards, and policies as well as responding to serious or cross-government cyber incidents. With a diverse military, private-sector, and government background, he has worked on everything from cyber operations, global cyber security strategies, and advising on the nature of state-vs.-state cyber conflict to leading cybersecurity change across industry, the public sector, and the global hacker community, including founding and leading the Aerospace Village at DEF CON. A fast jet pilot turned cyber operations advisor who, on leaving the military in 2016, founded the UK’s first multi-disciplinary cyber strategy competition, he is passionate about tackling national and international cybersecurity challenges through better collaboration, diversity, and innovative partnerships. He has a Post Grad in Cyberspace Operations from Cranfield University, is a Non-Resident Senior Fellow at the Cyber Statecraft Initiative of the Scowcroft Centre for Strategy and Security at the Atlantic Council, and is a Visiting Senior Research Fellow in the Department of War Studies, King’s College London.
Irene is Assistant Head of Engagement and Information within the Government Security Group in the UK Cabinet Office. Irene is responsible for the design and strategic oversight of cross-government security education, awareness, and culture-related initiatives. She is also responsible for leading cross-government engagement and press activities for Government Security and the Government Chief Security Officer. Irene started her career in policy and international relations through her roles at the United Nations Platform for Space-Based Information for Disaster Management and Emergency Response (UN-SPIDER). Irene also has significant industry and third-sector experience, and she partnered with the world’s leading law firms to provide free access to legal advice for NGOs on international development projects. She also has experience in leading large-scale exhibitions and policy research in corporate environments. She holds an MSc in International Relations from the University of Bristol and a BSc from the University of Turin.
In this episode of Security Nation, Jen and Tod chat with Jack Cable, security architect at the Krebs Stamos Group, about Ransomwhere, a crowdsourced ransomware payment tracker. They chat about how Cable came up with the idea, the role of cryptocurrency in tracking these payments, and how better data sharing can help combat the surge in ransomware attacks.
Stick around for our Rapid Rundown, where Tod and Jen talk about a remote code execution vulnerability that open-source forum provider Discourse experienced recently, which CISA released a notification about over the weekend. Tod highlights some of the many things Discourse is doing right with its security program.
Jack Cable is a security researcher and student at Stanford University, currently working as a security architect at Krebs Stamos Group. Jack formerly served as an Election Security Technical Advisor at CISA, where he led the development and deployment of Crossfeed, a pilot to scan election assets nationwide. Jack is a top-ranked bug bounty hacker, having identified over 350 vulnerabilities in companies including Google, Facebook, Uber, Yahoo, and the US Department of Defense. After placing first in the Hack the Air Force challenge, Jack began working at the Pentagon’s Defense Digital Service. Jack was named one of Time Magazine’s 25 most influential teens for 2018. At Stanford, Jack is a research assistant with the Stanford Internet Observatory and Stanford Empirical Security Research Group and launched Stanford’s bug bounty program, one of the first in higher education.
In this episode of Security Nation, Jen and Tod chat with Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA), as well as a co-chair on the IST’s Ransomware Task Force. After discussing Michael’s career in cybersecurity with the US government, they talk about what makes information sharing so hard in the security space and how the CTA has addressed this challenge in its efforts to promote better threat intelligence.
Stick around for the Rapid Rundown – with Tod on holiday (AKA vacation), Jen brings on Rapid7’s public policy guru Harley Geiger. They chat about the Cyber Incident Reporting Act, which is likely headed to a Senate floor vote and, if passed, would bring major changes to the reporting requirements around cybersecurity events for owners and operators of critical infrastructure.
Michael Daniel serves as the President and CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, leading US cybersecurity policy development, facilitating US government partnerships with the private sector and other nations, and coordinating significant incident response activities. From 1995 to 2012, Michael worked for the Office of Management and Budget, overseeing funding for the US Intelligence Community. Michael also works with the Aspen Cybersecurity Group, the World Economic Forum’s Partnership Against Cybercrime, and other organizations improving cybersecurity in the digital ecosystem. In his spare time, he enjoys running and martial arts.
In this episode of Security Nation, Jen and Tod chat with Rob Graham of Errata Security about his experience attending pillow magnate Mike Lindell’s Cyber Symposium, where he claimed packet captures would reveal incontrovertible evidence of widespread fraud in the 2020 US presidential election. (Spoiler alert: Nothing resembling that description actually occurred at Lindell’s event.) An expert on packet captures, Graham recounts the Kafkaesque forensic logic behind the Cyber Symposium data — some of which was presented in a file type only known to a single living person — as well as the value of having real experts attend highly dubious events like this one.
Stick around for the Rapid Rundown, where Tod and Jen discuss Microsoft’s plan to turn off Basic Auth in Exchange Online next year and the Autodiscover bug that may have prompted the change.
Rob Graham is a well-known cybersecurity expert. He created the BlackICE personal firewall, the first IPS, sidejacking, and masscan. He frequently speaks at conferences and blogs.
In this episode of Security Nation, Jen and Tod chat with Craig Williams, recently of Cisco Talos, about proxyware and integrating security acquisitions the right way. Along the way, they touch on the challenges of being a security communicator with an audience that extends beyond practitioners – and a few real-life stories of people who didn’t realize their cameras were spying on them.
Stick around for our Rapid Rundown, where Tod and Jen talk about the REvil ransomware gang’s return from “retirement” and how lagging adoption of EMV is leading to high-profile cases of ATM fraud.
Craig Williams has always had a passion for learning how things operate – and circumventing security measures. His deep interest in security technology began with research into vulnerabilities, threats, and network detection techniques. His work over the past decade has included running global threat intelligence teams and malware labs, and trying to outwit the very security products he has helped design.
Craig is on Twitter, but his OpSec is pretty tight so good luck getting that follow back.
You can read up on Cisco Talos, and check out their most recent research on proxyware here.
Rapid Rundown Links
Check out the Bleeping Computer story on the ATM robbers.
Back in 2016, Rapid7’s Weston Hecker demonstrated some EMV attacks.