PSW #645 | SC Media
DevOps, IOT, Privacy, Blue team

PSW #645

April 7, 2020

Matt and the Security Weekly crew will discuss how the interaction between network engineers and security operations has changed over the years, as well as the value of the network when identifying security threats and performing remediation.

For more information on VIAVI Solutions, visit: https://securityweekly.com/viavi

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

Collaboration Between NetOps and SecOps in Today’s World

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations

Guests

Matt Allen

Matt Allen – Senior Solutions Engineer

Announcements

  • Is your Open Source code secure? Learn how to verify your code during development, not after the build in our next webcast with Synopsys. Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts/trainings by visiting securityweekly.com/ondemand. Each webcast will earn you 1 CPE credit that we will submit on your behalf if you provide your ISC2 number.
  • We have officially migrated our mailing list to BACK to our original platform! We have our categories nailed down and you are now able to customize what you receive from us based on your preferences by visiting securityweekly.com/subscribe and clicking the button to join the list! Once you have joined, you will also be able to go back and update your “interests” so that we can grow with you as you progress through your journey in InfoSec!
  • We are looking for high-quality guest suggestions for our Enterprise Security Weekly podcast to fill our upcoming recording schedule! We’re committed to educating and providing entertainment for the InfoSec community and we would love to hear from you about who you would like us to interview on the show! Submit your suggestions for guests by visiting securityweekly.com/guests and submitting the form! We review suggestions monthly and will reach out to you once reviewed!
  • Join Qualys for VMDR Live on April 21 at 2pm ET for a live demonstration of the game-changing Vulnerability Management, Detection & Response offering – a unified solution that integrates vulnerability management, threat prioritization and patching in a single app. Register at securityweekly.com/VMDR2020

At Carnegie Mellon University we are designing a usable security and privacy label for smart devices to help consumers make informed choices about Internet of Things device purchases and encourage manufacturers to disclose their privacy and security practices. The label includes information on privacy and security practices of the smart device, such as the type of data the device collects and whether or not the device gets automatic security updates. Based on research with both consumers and experts, we have designed a two-layer label that includes a simple, understandable primary layer for consumers and a more detailed secondary layer that includes information important to experts.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

IoT Devices: Security and Privacy Labels Research

The IoT security and privacy label and 2 research papers are at https://iotsecurityprivacy.org

Lorrie also talked about another paper that isn’t published yet in which they did a large user study to find out whether users understand the factors in the label and whether they would influence their purchase decisions.

The IoT privacy infrastructure is at https://www.iotprivacy.io/ (See the video in the bottom left of the front page).

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations

Guests

Lorrie Cranor

Lorrie Cranor – Director, CyLab Security and Privacy Institute

Announcements

  • Is your Open Source code secure? Learn how to verify your code during development, not after the build in our next webcast with Synopsys. Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts/trainings by visiting securityweekly.com/ondemand. Each webcast will earn you 1 CPE credit that we will submit on your behalf if you provide your ISC2 number.
  • We have officially migrated our mailing list to BACK to our original platform! We have our categories nailed down and you are now able to customize what you receive from us based on your preferences by visiting securityweekly.com/subscribe and clicking the button to join the list! Once you have joined, you will also be able to go back and update your “interests” so that we can grow with you as you progress through your journey in InfoSec!
  • We are looking for high-quality guest suggestions for our Enterprise Security Weekly podcast to fill our upcoming recording schedule! We’re committed to educating and providing entertainment for the InfoSec community and we would love to hear from you about who you would like us to interview on the show! Submit your suggestions for guests by visiting securityweekly.com/guests and submitting the form! We review suggestions monthly and will reach out to you once reviewed!
  • Join Qualys for VMDR Live on April 21 at 2pm ET for a live demonstration of the game-changing Vulnerability Management, Detection & Response offering – a unified solution that integrates vulnerability management, threat prioritization and patching in a single app. Register at securityweekly.com/VMDR2020

This segment will largely focus on the recent Zoom vulnerabilities and the responses from security researchers, the security community and enterprises. Should you stop using Zoom? Tune in to find out! (Hint: Uhm, probably not).

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

Security News – To Zoom or Not to Zoom

https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/ Two Zoom Zero-Day Flaws Uncovered
https://www.securityweek.com/trojanized-zoom-apps-target-work-home-android-users Trojanized Zoom Apps Target Remote Workers
https://threatpost.com/zoom-removes-data-mining-linkedin-feature/154404/ Zoom Removes Data-Mining LinkedIn Feature
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/ War Dialing Tool Exposes Zooms Password Problems
https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/ Good Apps Behaving Badly: Zoom macOS Installer – VMRay
https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
https://github.com/jitsi/docker-jitsi-meet Jitsi Meet on Docker – We are testing this here, but only because we can control the network flows, e.g. we can stand up servers and clients and have them connect directly rather than bouncing through other people’s servers. I have not done a security assessment yet. It was not security that drove us to test it out, in fact, I am worried about how tightly maintained WE can keep it, vs. having an entire team like Zoom or Microsoft.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations

Guests

David Kennedy

David Kennedy – Co-Founder/CTO

Announcements

  • Is your Open Source code secure? Learn how to verify your code during development, not after the build in our next webcast with Synopsys. Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts/trainings by visiting securityweekly.com/ondemand. Each webcast will earn you 1 CPE credit that we will submit on your behalf if you provide your ISC2 number.
  • We have officially migrated our mailing list to BACK to our original platform! We have our categories nailed down and you are now able to customize what you receive from us based on your preferences by visiting securityweekly.com/subscribe and clicking the button to join the list! Once you have joined, you will also be able to go back and update your “interests” so that we can grow with you as you progress through your journey in InfoSec!
  • We are looking for high-quality guest suggestions for our Enterprise Security Weekly podcast to fill our upcoming recording schedule! We’re committed to educating and providing entertainment for the InfoSec community and we would love to hear from you about who you would like us to interview on the show! Submit your suggestions for guests by visiting securityweekly.com/guests and submitting the form! We review suggestions monthly and will reach out to you once reviewed!
  • Join Qualys for VMDR Live on April 21 at 2pm ET for a live demonstration of the game-changing Vulnerability Management, Detection & Response offering – a unified solution that integrates vulnerability management, threat prioritization and patching in a single app. Register at securityweekly.com/VMDR2020
prestitial ad