From Paul's Security Weekly

Paul's Security Weekly #554

This week, Katherine Teitler, the Director of Content for MISTI, joins us to talk about past and future Infosec World events. Our next interview features Masha Sedova, the co-founder of Elevate Security, to discuss security awareness training. Masha is giving a keynote talk at the upcoming SOURCE Boston conference titled "Using Behavioral Science To Secure Your Organization". In the security news this week: thinking differently about the relationship between security and development, EEG devices are vulnerable, new Cisco IOS exploits, and if you're running older Intel chips you may never see a Spectre patch. All that and more on this episode of Paul's Security Weekly.

Recorded April 5, 2018 at G-Unit Studios in Rhode Island!

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jeff Man
    Infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Not Kevin
    Senior Security Engineer at Barkly, Co-Founder of Vermont Hackspaces, definitely Not Kevin.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security
  • Announcements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
    • The webcast with Distil Networks on 9 Ways To Protect Your Business, is being held on Wednesday, April 25th. Register now at securityweekly.com/distilnetworks.

    Interview: Katherine Teitler - 6:00PM-6:45PM

    Katherine Teitler is the Director of Content for MISTI, where she is responsible for programming information security conferences, workshops, and summits. Katherine also writes on a variety of security topics for the company’s Infosec Insider, and contributes articles to third-party security media. Previously, Katherine was the Director of Content at IANS, where she built the research program for subscription clients, and has held various editorial and sales roles at CFO Research, Forrester Research, and Bitpipe (acquired by TechTarget).
    1. What were some of the most popular talks at Infosec World this year?
    2. For the first time, Infosec World featured a capture the flag event; how did that go and what did people win?
    3. What was your greatest challenge and how did you overcome it?
    4. What advice do you have for those in the community who are planning on running a security conference?
    5. Breaches are in the headlines more than ever before; how can you avoid being the "security scapegoat"?
    6. What's in store for future conferences, and especially Infosec World Orlando 2019?

    Interview: Masha Sedova, Elevate Security - 6:45-7:45PM

    Masha Sedova is the co-founder of Elevate Security.
    Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, which delivers the first human-centric security platform that leverages behavioral science to transform employees into security superhumans. Before Elevate, Masha Sedova was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma and SANS.
    1. How did you get your start in information security?
    2. How do we get our employees to care about security?
    3. How important is the gamification of security awareness training?
    4. Some believe that end user security awareness is not worth the effort because the attacker only needs to fool one user; what are your thoughts on this opinion?
    5. Employees tend to come and go, including those that possess a high level of security awareness; how should we combat this problem?
    6. How does awareness differ from training and how can we use them together effectively?
    7. Some organizations consider the strategy of punishing employees for security violations; why is this a bad idea?
    8. Others choose to reward; what are some examples of a poor reward system vs. an excellent reward system?

    Security News - 7:45PM-8:30PM

    Paul's Stories

    1. Intel drops plans to develop Spectre microcode for ancient chips - Core 2 processors are no longer scheduled to receive updates, and, while some first generation Core products have microcode updates available already, others have had their update cancelled.
    2. Critical remote code execution vulnerabilities impact Natus medical devices - The firm's electroencephalogram (EEG) offerings are described as "leading-edge features you want in critical care." The systems include amplifier ports compatible with USB and TCP/IP cables, while the NeuroWorks software connects to monitoring equipment to record data in SQL databases.
    3. Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking - The stack-based buffer overflow vulnerability (CVE-2018-0171) is caused by improper validation of packet data in the Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.
    4. VirusTotal launches 'Droidy' sandbox to detect malicious Android apps - Android Sandbox performs both static and dynamic analysis to automatically detect suspicious applications by executing and monitoring applications in a simulated Android OS environment.
    5. Cloudflare promises to make DNS more secure
    6. Facebook and Twitter may be forced to identify bots - according to California lawmakers. They’ve introduced a bill that would give online platforms such as Facebook and Twitter three days to investigate whether a given account is a bot, to disclose that it’s a bot if it is in fact auto-generated, or to remove the bot outright.
    7. Four Gas Pipeline Firms Hit in Attack on Their EDI Service Provider
    8. How Security Can Bridge the Chasm with Development - I believe we need to move past the old way of thinking about this problem (for example, just go have some beers with your developers, etc...). DevOps, at its core, blends development with IT and with security into value streams. Once more organizations implement this model, we'll stop seeing development, IT and security working in silos.
    9. A new Mirai-style botnet is targeting the financial sector
    10. Hooray! Facebook ditches searching for people by phone number or email
    11. Python Regex Cheat Sheet
    12. New Android Malware Secretly Records Phone Calls and Steals Private Data

    Joff's Stories

    1. Critical Cisco Switch Vulnerability
