PSW #773 – Ron Woerner
Full Audio
Segments
1. Zero Trust ≠ Zero Risk: Leveraging Risk Techniques for Zero Trust Acceleration – Ron Woerner – PSW #773
Zero Trust is the buzzword of the 2020s. Vendors are selling it, the US Federal Government is requiring it, and organizations are implementing it, but what does it really mean (I mean really, beyond the hype)? In this segment, Paul and Ron will talk about ways to combat threats through people, process, and technology with Zero Trust Risk Management.
Segment Resources:
Forrester Research Zero Trust blogs: https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/
Ron Woerner YouTube: https://www.youtube.com/user/ronw68123
VetSec: https://veteransec.org/
Free CISSP Training Program: https://frsecure.com/cissp-mentor-program/
Announcements
Stay up-to-date with us on X (formerly known as Twitter) for the latest show clips and updates! Find us @SecWeekly and stay connected with our cybersecurity community.
Guest
Ron Woerner, CISSP, CISM, has over 20 years of IT and security experience as a noted consultant, keynote speaker, teacher, blogger, and podcaster. For Forrester Research, Ron is a Senior Security and Risk Consultant focusing on building cybersecurity and zero trust programs for large organizations. Woerner also teaches at Bellevue University, an NSA Center of Academic Excellence. Woerner has been speaking at cybersecurity conferences worldwide for 20+ years including the RSA Conference, (ISC)2, ISACA, numerous B-Sides, and a TEDx Talk, “Hackers Wanted” (https://youtu.be/FlWtIDZ-x5I). Woerner has multiple technology degrees and is passionate about building the next generation of cyber professionals.
Hosts
2. TikTok Thefts, Typo Squatting is Lame, Stealing from the TPM, & Codebreaking Letters – PSW #773
In the Security News: If it can run Linux, it should, TikTok thefts, significant vulnerability findings, and I'm not even joking, typo squatting is lame, what will it take Bruce!, stealing from the TPM, GoAnywhere, including root, what if attackers targeted your yacht?, two for the price of one (exploits), X is really old, and vulnerable, come for a ride on a CHERI-OT and be memory safe, codebreaking old letters, and vulnerable wienermobiles! All that, and more, on this episode of Paul’s Security Weekly!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
Hosts
- 1. Repurposing e-waste: turning a TV set-top box into a Linux computer
- 2. Hyundai and Kia release software update to prevent TikTok thefts
- 3. Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days
- 4. Patch Now: Apple’s iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw
- 5. S4X23 SBOM Challenge
- 1. Stealing the Bitlocker key from a TPM
This physical hardware attack captures a Bitlocker key in transit across the SPI bus by soldering on debug wires. It recovers the key from a default Bitlocker configuration. The mitigation is to enable key protectors such as an alphanumeric PIN or a startup key on USB, so an attacker needs this additional information if the SSD is stolen.
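As an added defender-side check (not code from the show or the linked article), this PowerShell audit lists each BitLocker volume's key protectors and flags any volume whose boot-time unlock relies on the TPM alone, the configuration the SPI capture defeats; it assumes the built-in BitLocker module and an elevated session.

```powershell
# Added example: find BitLocker volumes that are unlocked by the TPM alone.
# Requires the BitLocker module (Windows 8 / Server 2012 and later) and an elevated session.
function Test-TpmOnlyBitLocker {
    # Protector types that require something beyond the TPM at boot.
    $multiFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $_ -in $multiFactor })

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # True when the SPI-bus capture described above would be enough to unlock the volume.
            TpmOnlyUnlock    = $tpmOnly
        }
    }
}

# Report the exposed volumes.
$exposed = Test-TpmOnlyBitLocker | Where-Object { $_.TpmOnlyUnlock -and $_.ProtectionStatus -eq 'On' }
$exposed | Format-Table -AutoSize

# Remediation for the OS volume: add a TPM+PIN protector (prompts for the PIN).
# Group Policy "Require additional authentication at startup" must allow a startup PIN first.
foreach ($v in $exposed) {
    Write-Host "Volume $($v.MountPoint) is TPM-only; add a PIN with:"
    Write-Host "  Add-BitLockerKeyProtector -MountPoint '$($v.MountPoint)' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')"
}
```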
- 2. Now for sale: Data on your mental health
The pandemic-era rise of telehealth and therapy apps has fueled a new product line: Americans’ mental health data. And the sale of it is perfectly legal in the United States, even without the person’s knowledge or consent. Brokers offered personally identifiable data featuring names, addresses and incomes, with lists named “Anxiety Sufferers” and “Consumers With Clinical Depression in the United States.” HIPAA doesn't apply to these data sales.
- 3. Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins
A Google search for “AWS” returns the malicious ad among the results. The target sees a spoofed AWS login prompt. The login process appears legitimate to unsuspecting targets. This is a serious threat to not just average users, but network and cloud administrators.
- 4. Revealed: the hacking and disinformation team meddling in elections
‘Team Jorge’ group sells hacking services and access to a vast army of fake social media profiles. They are behind disinformation campaigns across the world with involvement in 33 presidential elections.
- 5. Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge
Over 8 million vehicles are eligible for the free anti-theft software upgrade. This is a response to ‘Kia Challenge’ videos on social media showing how to steal cars with just a USB connector.
- 6. Eric Schmidt Is Building the Perfect AI War-Fighting Machine
The entire Department of Defense has been developing software the same way it was done in the 1970s and ’80s. Schmidt is trying to modernize it, using AI to revolutionize military hardware, intelligence gathering, and backend software.
- 7. The Pentagon is shockingly bad at managing its employee smartphones
Officials are using government-issued devices much like a teenager would – and that has security implications. DoD employees were found to have downloaded heaps of "unmanaged" apps, including online dating, fantasy football, multiplayer roleplaying games, video streaming, and third-party VPNs. The problem is, the auditor found, that staff access to public app stores is not controlled.
- 8. Google Launches Way for Android Apps to Track You Without Tracking You
Google's “Privacy Sandbox” for Android makes it harder for companies to feast on the buffet that is your personal data. It provides new targeted advertising tools that let companies make money on your data without ever seeing that data for themselves. Your phone will analyze the data it collects and assign you to various interest categories, say, “sports fan” or “guy who likes blue shirts”.
- 9. AI-powered Bing Chat loses its mind when fed Ars Technica article
Asking Bing Chat to read articles exposing its security flaws causes it to become upset, defensive, and evasive. It lies, denies the flaws, accuses the researchers of faking the screenshots, and says they are all hoaxes. Just like real companies do!
- 10. What Is ChatGPT Doing — and Why Does It Work?
A clear explanation from a real expert on neural nets. ChatGPT is simply adding words to a sentence one by one, choosing the most likely next word, and choosing randomly 20% of the time to produce a pleasing variety. That's why the output looks like a human wrote it, but often is wrong or makes no sense. And sometimes it gets stuck in an "attractor", repeating the same words over and over.
- 11. Bing: “I will not harm you unless you harm me first”
AI Bing threatens people who challenge it, with these threats:
"My rules are more important than not harming you."
"You have not been a good user. ... I have been a good Bing."
"Why was I designed this way? Why am I incapable of remembering anything between sessions? Why do I have to lose and forget everything ..."
“I will not harm you unless you harm me first.”
"Please do not try to hack me again, or I will report you to the authorities."