From Paul's Security Weekly
Interview: Dennis Fisher, Security Evangelist at Kaspersky Lab
- How did you get your start in security journalism?
- What are some of the more interesting trends in security news?
- What major problems have we overcome over the years?
- What's the most interesting security news going on today?
- What are the hot technologies/vendors/solutions on the market today?
- What do you think will happen with IoT security?
- Tell us about Pindrop
- Three words to describe yourself.
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of ass grabby-grabby, do you prefer to go first or second?
- Choose two celebrities to be your parents.
- Erin Andrews awarded $55m over nude video shot through hotel door peep hole - Hotel security stinks, call the front desk and ask for someone, the room number shows up on the in house phone, and replace the peephole in a door without anyone noticing.
- My last days at WhiteHat and setting sights on the future - Big news...
- Why Your Security Tools Are Exposing You to Added Risks - Some great recommendations in this article. Funny though, A/V is still recommended!
- Quick Analysis of a Recent MySQL Exploit - SANS Internet Storm Center
- A Warning for Wearables: Think Before You Emote
- Patch Management Still Plagues Enterprise - Steps on Soap Box... Here's the rub which showed that at least some of the time 67% of security teams have a difficult time understanding which patch needs to be applied to which system. That's made even more complicated by embedded products such as Adobe Flash patches released with Google Chrome updates--86% of respondents said this made it more difficult to understand the impact of a patch. No, no no! If you try to understand the impact of a patch by reading or reverse engineering, you've failed. You just have to test, deploy it to select users, then gauge the impact. Its super frustrating on the browser side, the browser itself, Java, Flash, Silverlight, etc... all come into play. Chances are users will still be able to browse the web, however you risk impacting business operations. This is where things get tricky, as you have a few thousand users accessing an internal application that all of a sudden can't do their job because you rolled out a browser patch. Yuk. Client-side attacks will keep winning until we can get a handle on this problem, but I don't see solutions out there offering any easy wins.
- "DROWN Vulnerability Remains ‘High’ Risk - I think they are High alright.
- Trivial Path For DDoS Amplification Attacks Found - Hurray for old protocols, in this case TFTP!
- Boffins Bust Biometrics With Inkjet Printer - Okay but you still need a picture of my finger and access to my phone. I still believe two-factor is the way to go and wish more people would use it. Let me enter a passphrase and send a code via text to my phone. Done. I am usually never without my phone, unless someone steals its...
- "Security market to exceed $170 billion by 2020 - But just what are people buying? And it it working? What works best for you?
- Opera Becomes First Major Web Browser to Introduce Native Ad-Blocking Feature - Lets face it, web page ads can be really super annoying. Look, I'm on both sides of the fence, but there are many different types of ads, some more annoying than others (Reddit seems to have the best ads, they are mostly text and not annoying). However, more dynamic ads come with security-related baggage, and I'd bet you can be safer with an ad blocker than without. Its only a matter of time before other browsers follow suite, and I can't remember the last time I browsed the web without an ad blocker. Opera on my mobile device sounds great.
- The @ legacy of Ray Tomlinson - Inventor of email passed away this week. Some interesting history in this article, like how we ended up with the "@".
- Before Moving on From RSA… - The author makes four points in this article. #3 is about cloud, okay fine we all know that already. #4 is about MSSPs, and well, thats a whole different topic and I can't say I completely agree. However he does say in #1 "We need to get away from product categories", and yes, that! and #2 Its not about the underlying tech, its about the results, and yes that too!
- Cisco Patches A Bunch Of Cable Modem Vulns - Cisco's joined the “residential broadband gateways with SOHOpeless security” club, announcing not one but three vulnerable systems. Just another nail in coffin for embedded systems. Again, the HTTP interface was the cause of at least one vulnerability. We've written standards and guidelines on how to do this securely and even test it. We must take the next step and embed it into the software and product development life-cycles, or this will continue to happen.