DerbyCon Guys and Stories – Episode 345 | SC Media

September 14, 2013
We've got a good one for you this week. Paul and Jack were in studio and after interviews with Rich Mogull and Pete Finnigan (see those videos below) we were treated to a visit from the DerbyCon organizers: Dave "Rel1k" Kennedy, Adrian "Irongeek" Crenshaw, Martin "PureHate_" Bos and Nick "Nick8ch" Hitchcock. Derby is one of those cons that sells out within minutes or less, so they're surely not here to sell tickets for the September 25-29th event in Louisville, Kentucky. Listen to find out all the great things they have in store for this year's event. They've expanded with six tracks this year, two nights of big events and will have The Crystal Method playing on Saturday night! Dave also mentioned that his choice of Weird Al Yankovic got vetoed, but if I had any kind of vote, I'd love to see Al. In addition to some of the best talks on the planet, you'll see some games such as "Are You Smarter Than a CISSP?" and "Whose Slide Is It Anyway?" One of the other great things about DerbyCon is they make many, if not all, of the videos available for people to view, in near real time, thanks to the kickass video guy Adrian.
Then on to the stories. Talking with the Derby guys is always so much fun, and with the weekly Stogie Geeks podcast immediately after, there wasn't much time left for stories. Paul and Jack got into Marissa Mayer not locking her iPhone and people trying to board commercial aircraft with hand grenades. Yeah. According to the article, TSA found 83 people with hand grenades in either their carry-on or checked luggage. But when we dig a little deeper in the article, we see that for those 83, "The majority of these grenades were inert, replica, or novelty items". They basically took away toys. I guess that sounds silly at first until you figure the hassle someone could cause by pulling out a toy but real-looking grenade mid-flight. Who's going to confirm that it's just a toy? It'd make for one heckuva stressful flight. So leave your grenades at home.
The only other story the guys talked about was Yahoo! CEO Marissa Mayer and how she avoids the hassle of locking her iPhone with a passcode. The article is an interesting one where one side wonders why she takes mobile security so casually. If hers fell into the wrong hands, first imagine the phishing that someone could pull off. But also consider what kind of trove of data is available on there, from upcoming plans at Yahoo! (a publicly traded company) to private email conversations with other executives at the company. But then the other side wonders if the security advice for Mayer has the same level of appropriateness as for an average user. Maybe Mayer takes better physical precautions with her iPhone than a typical 16-year-old high school student. Is her point valid that the extra step of entering a passcode isn't worth it, given how many times a day she gets into her device to conduct business? Seems like an interesting question at least.
That's all that Paul and Jack had time to talk about, but Paul did put up a handful of other articles in the Show Notes. I do have the luxury of time and can go over a few of those with you.
Here are some of the ones that stuck out to me and that I liked. Seagate is saying they'll put out a 5TB hard drive next year and possibly a 20TB hard drive by 2020. They say they're reaching the theoretical limits of magnetic storage, or as they put it, the "superparamagnetic limit". Yeah, use that at the next conference party and impress someone. I admit to not being much of a hardware guy, so I'll just move on to the next one.
Ok, this next one sounds like BS to me. According to some lawyers, including Marcia Hofmann, formerly of the EFF, with the iPhone's new biometric ("fingerprint") auth, you might not be able to invoke your 5th Amendment rights in the US to avoid self-incrimination. The claim is that a passcode is something you know, whereas a fingerprint is something you are. They can't force you to tell them something you know but can force you to give up something you are. To me, this just sounds like BS. Either way, you're unlocking information that could be incriminating against yourself, thus self-incrimination which should be covered by the US Constitution's Fifth Amendment. Now, I'm not a lawyer and certainly have never studied these things as people like Hofmann have, so I'm not going to say they're wrong. I'm simply saying that this just doesn't pass the smell test. But as the article advises near the end, and as Jack said during the show, the easy way to fix this is to add a passcode along with the fingerprint, and now we have even better auth. Now we have our usual two-factor, "something you know, something you have", which will avoid this self-incrimination problem.
It just seems that security conferences are expanding all over. First we talked with the DerbyCon guys and now there's this news that Black Hat is expanding its training offerings. On December 9-12 in Seattle, Black Hat will offer a series of classes including Advanced OSINT, Pentesting with Kali Linux, and Advanced Source Code Analysis, plus more. Check it out if you're looking for some training opps on the west coast.
Then there's also this article from DarkReading about Five Signs of Trouble in Your Network. Maybe one of the biggest takeaways is to know what is "normal" on your network and in your systems so when something out of the ordinary happens, you will recognize it. Things like keeping changes within a certain time window, if possible, and getting an idea of your traffic, where it comes from and when. Would it be possible or make sense for any of your systems to be making a database call like "SELECT * FROM Users"? If not, and you see that sort of thing happening, maybe you have a problem. Do you have a BYOD policy where you register devices to users? If so, what if you see a new device tied to a user that isn't registered? Is that valid? One other sign that is not mentioned in this article, and that I've actually seen firsthand, is to keep track of what patches you have on your systems. What if you find your system has been patched and you have no record of applying that patch? It's quite possible that someone has broken in and then applied a patch to keep others out while they are in your network.
Some other quick hits for you to check out this week include Android malware spotted hitching a ride on mobile botnet, another article about "Layer 8" and the human being the weak link in networks, Red Hat CIO Takes an Open-Source Approach to Security and BYOD, and finally, a survey that showed IT Pros Lack Security Management Support, Budget & Training.
That's it for this week. Please come on by and check out the show every Thursday night at 6 pm Eastern Time (US)!