Episode332

From Security Weekly Wiki


Episode Media

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 332 for Thursday May 16th, 2013

  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • Come to Security BSides Rhode Island Two-Day Conference on June 14th and 15th; tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • This Saturday, May 18th, BSides Boston is almost sold out! Keynotes by Dan Geer and Josh Corman and presentations from Alissa Torres, Andrew Case and the lady who keeps a low profile on the InterWebz: Allison Nixon.
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area, please visit our sponsor the Havana Cigar Club; it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Mr. Brian Snow

Mathematician/computer scientist, Brian taught mathematics and helped lay the groundwork for a computer science department at Ohio University in the late 1960s. He joined the National Security Agency in 1971, where he became a cryptologic designer and security systems architect.

Brian spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. He created and managed NSA’s Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity.

Brian retired in 2006 and is now a Security Consultant and Ethics Advisor.

  1. How did you get your start in information security?
  2. We often call people out for trying to create their own encryption algorithms. What are the major hurdles when creating such an algorithm?
  3. In a recent keynote you outlined some major problems facing the security industry and described the "bare minimum" approach to software design. However, how can companies compete with each other and differentiate themselves from their competitors with simple or stripped-down designs? More importantly, how do we convince consumers of that approach?
  4. If one of the answers to better cybersecurity is regulation, how can we ensure Mutual Suspicion/ Checks and Balances? How can we ensure regulations are agile when regulations are designed to be enduring and historically difficult to update?
  5. Tell us about the “Cyber Manhattan Project" effort.
  6. Why is it necessary for a secure system to consider malicious intent in its design? Does malice matter if a system is engineered well against failures or disruptions?
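Question 6 draws a line that is easy to blur: protecting against accidents is not the same as protecting against an adversary. The following is an added illustration written for this page (not code from the episode, from Brian Snow, or from NSA). It appends a CRC-32 to a message, which reliably catches a random bit flip, and then shows that an attacker who rewrites the message can simply recompute the CRC, because it needs no secret. An HMAC-SHA256 over the same message under a shared key catches the random flip and the forgery alike. The message, the key and the tampering are all constructed for the example.

```python
"""Random failure vs. malice: a checksum survives accidents, a MAC survives adversaries.

Added illustration; not code from the episode, Brian Snow or NSA.
The message, key and tamper below are constructed for this example.
"""
import hashlib
import hmac
import zlib

# Assumed shared secret for the example; a real system would provision this out of band.
KEY = b"example-shared-secret"
CRC_LEN = 4      # CRC-32 tag length in bytes
MAC_LEN = 32     # HMAC-SHA256 tag length in bytes


def crc_protect(msg: bytes) -> bytes:
    """Append a CRC-32: detects random bit errors, but anyone can compute it."""
    return msg + zlib.crc32(msg).to_bytes(CRC_LEN, "big")


def crc_verify(blob: bytes) -> bool:
    body, tag = blob[:-CRC_LEN], blob[-CRC_LEN:]
    return zlib.crc32(body).to_bytes(CRC_LEN, "big") == tag


def mac_protect(msg: bytes, key: bytes = KEY) -> bytes:
    """Append an HMAC-SHA256: computing a valid tag requires the key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(blob: bytes, key: bytes = KEY) -> bool:
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the verifier itself does not leak the tag byte by byte.
    return hmac.compare_digest(expected, tag)


def random_bit_flip(blob: bytes, bit: int) -> bytes:
    """Model a non-malicious fault: one bit flipped anywhere in the framed message."""
    out = bytearray(blob)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def forge_crc_frame(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Model an adversary against the CRC design: edit the body, recompute the tag (no secret needed)."""
    body = blob[:-CRC_LEN].replace(old, new)
    return crc_protect(body)


def forge_mac_frame(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Model the same adversary against the MAC design: edit the body, keep the old tag (no key to recompute)."""
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    return body.replace(old, new) + tag


def demonstrate() -> dict:
    """Run both designs against a random fault and a deliberate edit; return what each verifier decides."""
    # Constructed control message; the edit turns a benign command into a harmful one.
    msg = b"CMD=SET_BREAKER state=OPEN unit=12"
    results = {}

    # Accident: a single flipped bit in the body. Both designs reject the frame.
    results["crc_detects_fault"] = not crc_verify(random_bit_flip(crc_protect(msg), 13))
    results["mac_detects_fault"] = not mac_verify(random_bit_flip(mac_protect(msg), 13))

    # Malice: change OPEN to CLOSED. The CRC design accepts the forgery; the MAC design does not.
    results["crc_accepts_forgery"] = crc_verify(forge_crc_frame(crc_protect(msg), b"OPEN", b"CLOSED"))
    results["mac_accepts_forgery"] = mac_verify(forge_mac_frame(mac_protect(msg), b"OPEN", b"CLOSED"))
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The point for the design question: a system "engineered well against failures" is engineered against a fault model that is random and indifferent, and the CRC is exactly right for that model. An adversary chooses the fault, and against a chosen fault the only thing that helps is a check the adversary cannot reproduce, which is what the key in the MAC provides.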

Tech Segment: Tim Conway

Tim is the Technical Director of the Industrial Control Systems and SCADA programs at SANS, where he is responsible for developing, reviewing, and implementing technical components of the ICS and SCADA product offerings. Tim was formerly the Director of Compliance and Operations Technology at the Northern Indiana Public Service Company (NIPSCO).


  1. Allison: If hacking industrial control systems is so easy, why are internet trolls not causing rolling blackouts, destruction of dams, etc.?
  2. Greg: What is the general sentiment of the ICS industry regarding security - is the industry embracing security? Is proper air gapping sufficient to help? Is inadequate funding the issue?
  3. As a general statement in the US, where does the budget for ICS security come from? Public, private, federal or local?
  4. Tell us about the Securing The Human Utility Training initiative.
  5. Are some "malfunctions" being blamed on equipment, overloading or other failures that you suspect were actually successful exploits?
  6. Does the industry view the prodding of initiatives like SHODAN or Project Basecamp as providing value or just plain antagonistic?
  7. Intern Rob: With Fortune 500 vendors trying to play in this space (see http://www.ambientcorp.com/partners/ ), it seems ROI and providing turnkey solutions are more important to them than security. This is even more apparent when I did a Shodan scan of 'EV-DO' and '3g' and found 5000+ exposed devices. What do you recommend to combat this?


Upcoming SANS ICS Events:


For More Information:


Announcement

  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May! (actually, it is)

Stories

Paul's Stories

Larry’s Stories

Jack’s Stories

Allison's Stories

Patrick's Stories