PSWEpisode634

From Paul's Security Weekly
Revision as of 22:34, 9 January 2020 by Paul Asadoorian (talk | contribs) (Interview: Dan Decloss, Plextrac - 6:00-6:45PM)
Jump to: navigation, search

Recorded January 9, 2020 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Lee Neely
    is a Sr. Cyber Analyst at LLNL,SANS Analyst, SANS NewsBites Editor
  • Jeff Man
    Cryptanalyst,
    infosec analyst, pioneering ex-NSA pen tester, PCI specialist,
    Tribe of Hackers, & InfoSec Curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Tyler Robinson
    Managing Director of Network Operations at Nisos, Inc .


  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.


    Interview: Dan Decloss, Plextrac - 6:00-6:45PM

    Daniel DeClossis the President and CEO of PlexTrac
    Dan is the Founder and CEO of PlexTrac and has over 14 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies including serving as a Principal Consultant for Veracode on the penetration testing tesm. Dan's background and expertise is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. He has also served as a Principal Security Engineer for the Mayo Clinic and a Sr. Security Advisor for Anthem – a Fortune 40 health insurance firm. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program.

    Dan has a Master’s Degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that there is a good understanding of how to reduce their overall risk.

    Segment Topic:
    Improve Pen Testing Outcomes With Purple Teaming


    Description: Purple teaming reduces the lifespan of vulnerabilities found from penetration tests by facilitating knowledge transfer between red and blue teams in the remediation phase. PlexTrac provides a single interface through which red teams may report vulnerabilities and blue teams may remediate them. Visit https://securityweekly.com/plextrac to claim your free month of PlexTrac. Also, be sure to stop by their booth in the Early Stage Exhibit at RSA next month.

    Tech Segment: Ambuj Kumar, Fortanix - 6:45PM-7:30PM

    Ambuj Kumaris the CEO & co-founder of Fortanix.
    Ambuj Kumar is co-founder and CEO of Fortanix, creator of Runtime Encryption® technology. In his career, Ambuj has built technologies and products that secure billions of devices. Ambuj is a prolific inventor with more than 30 patents. He holds degrees from Stanford University and IIT Kanpur (Gold Medalist).

    Segment Topic:
    The Keys to Your Kingdom: Protecting Data in Hybrid and Multiple Public Clouds

    Segment Description:
    According to Gartner, 70% of businesses are adopting a hybrid cloud and multi-cloud strategy to augment their internal datacenters. The challenges of protecting data and using encryption for multiple hybrid, public cloud, and on-premises environments increases complexity, cost, and security risk. As workloads and sensitive data move to the cloud, keeping cryptographic keys, shared secrets and tokens secure is critical to secure public cloud deployments and successful digital transformation.

    Segment Resources:
    1. Cloud Encryption Solutions Brief - https://resources.fortanix.com/simplified-hybrid-and-multi-cloud-encryption-solution-brief
    2. PayPal Demonstration Video https://resources.fortanix.com/paypal-google-cloud-external-key-manager
    3. Blog Part 1 - Keeping the Keys to Your Kingdom: Google and Fortanix Collaborate to Deliver “BYOKMS” https://www.fortanix.com/blog/2019/11/keeping-the-keys-to-your-kingdom-google-and-fortanix-partner-to-deliver-byokms/
    4. Blog Part 2 - Keeping the Keys to Your Kingdom: Google and Fortanix Collaborate to Deliver “BYOKMS” https://www.fortanix.com/blog/2019/11/keeping-the-keys-to-your-kingdom-google-and-fortanix-partner-to-deliver-byokms-2/

    Security News - 7:30-8:30PM

    Paul's Stories

    1. Backdoored Phishing Kits are still popular
    2. Left of boom: Do we actually do this?
    3. InfoSec Handlers Diary Blog
    4. Mailbox Master Keys - Schneier on Security
    5. Microsoft report: around 0.08% of RDP brute-force attacks are successful
    6. Car Hacking Hits the Streets - Dark Reading
    7. Google Security Update Fixes Critical RCE Flaw
    8. That Pulse Secure VPN you're using to protect your data? Better get it patched or it's going to be ransomware time
    9. Open Source FirmwareWhy Should We Support It?
    10. What if everyone just said 'Nah' to tracking?
    11. The Art of Cloud War for Business-Critical Data
    12. MITRE presents ATT&CK for ICS, a knowledge base for ICS
    13. Getting Serious About Open Source Security
    14. Las Vegas Suffers Cyberattack on First Day of CES
    15. California's IoT cybersecurity bill: What it gets right and wrong - Help Net Security
    16. Browser zero day: Update your Firefox right now!
    17. North Korean Hackers Continue to Target Cryptocurrency Exchanges | SecurityWeek.Com
    18. 4 Ring Employees Fired For Spying on Customers
    19. Experts warn of ongoing scans for Citrix servers affected by CVE-2019-19781
    20. Tapplock introduces new enterprise fingerprint scanning padlock accessories - Help Net Security
    21. Security Ladders

    Larry's Stories

    Jeff's Stories

    Lee's Stories

    1. CISA Bulletin AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad Guidance on preventative actions and Iranian threat profile/cyber activity.
    2. You Should Never Print your boarding pass, here's why Boarding passes contain extra informtion which should be protected.
    3. Half the global 815 Million Smart Speakers put user's privacy at risk
    4. Shitcoin Wallet Chrome Extension Steals Crypto-Wallet Private Keys and Passwords The extension has been pulled from Chrome store. Remove from browsers where installed. Crypto wallet security only as good as weakest link.
    5. Facebook moves to detect and remove deep-fake videos Intent to find artificially created AV content, questions of false positives remain.
    6. PGP keys, software security, and more threatened by new SHA1 Exploit New "collision" attack reinforcing SHA1 is dead. SHA1 still default in many places, such as GNUPG and GitHub for generating signatures.
    7. Las Vegas hacked: Sin City Hit Attack, suspected ransomware, hits city of Las Vegas. Normally survives about 300,000 attempts/month. Question: how are your recovery/rebuild capabilities and have you tested them (IRL, not tabletop?)

    Tyler's Stories


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+