Never Mind the Ears, Here's Security Nation

It's another year down and another season down for Security Nation. With the close of our fifth season, I wanted to take a minute here to reflect on who we spoke with and what we talked about. The show titles focus (as you would expect) on the individual interview subjects, but there's a bunch of good stuff in there on fresh-at-the-time news stories, published papers, and other goings on in the cybers.

The Theme: Open Source Security

We set out with an aim to focus on open source security in 2022, and we kind of succeeded!

In Season 5, we talked to:

  • Fyodor, aka Gordon Lyon, about the 25th (!!) anniversary of nmap. I admit, I got a little misty on this one. We've been pals with Gordon for a while, and he has had a weirdly outsized influence on my career—stretching back to the 1990s. If you weren't aware, peak infosec was 1996-1997, so if you want some historical perspective on this crazy industry, you could do worse than starting with nmap.
  • Curt Barnard, about Defaultinator. On the other end of the historical spectrum, we talked to Curt about Defaultinator, which a) should be pronounced in a Doctor Doofenshmirtz style, and b) is an open source solution for tracking default credentials across all sorts of things, released at Black Hat Arsenal in 2022. It's also secretly a pure-JavaScript implementation of the Common Platform Enumeration dictionary, and it's extensible to cover your own custom CPEs. Check it out!
  • Steve Micallef, about Open Source Intelligence (OSINT). While there's an open source community around SpiderFoot, we talked mostly about the kinds of things you can find out in the world and how it can help on all sorts of cyber investigations. Since we recorded this, SpiderFoot got itself acquired by Intel471, so congrats on that!
  • Phillip Maddux, about HoneyDB, which is a fun and educational way to get yourself in the business of setting up and maintaining an extensible honeypot network. It's pretty neat, and you can get started with his Honeypots 101 blog.
  • Jim O'Gorman and g0tmi1k (aka Ben Wilson) on Kali Linux, which is pretty much the standard all-the-bells-and-whistles-and-drivers Linux distribution for offensive security. Kali Linux is a massive undertaking, and is a great way to get exposure to a whole lot of security tooling all at once. It's coming up on its 10th anniversary, if you don't count Backtrack Linux (but you should, and that's from 2006).
  • Kate Stewart, about the Linux Foundation. Honestly, you can't get much more open sourcey than the LF, and Kate is here to talk specifically about how open source is literally all over the place in all kinds of embedded systems we depend on for, well, everything.
  • Matthew Kienow on Recog, which is central to Rapid7's open source strategy. Recog gives practitioners standard and quality-checked methods to fingerprint devices all over the internet, is integrated in pretty much every Rapid7 product, and is super fun and easy to contribute to. Even a tourist like me is able to contribute! Plus, it's multilingual, with implementations in Ruby, Java, and Go, which is quite a feat for an open source project.
  • Mike Hanley, about GitHub's unique role as a platform for zillions of open source projects, and how they help make the open source world a better place with projects like Dependabot. We also talked to Mike about the nuance and peril that comes with running a hugely popular platform and how they deal with hosting live exploit code (which, in turn, does help researchers, but also can help bad guys). It was the first interview of the season, and really, one of the best. Check it.

Also: Not Open Source

While that's a pretty thorough bullet list of open source punditry, it's only eight episodes out of 22. In Season 4, we talked to quite a few government and government-adjacent people, and this year, we managed to rope in more of them, such as Chris Levendis from MITRE (along with Lisa Olsen from Microsoft), Pete Cooper and Irene Pontisso from the UK Cabinet Office, and Bob Lord of CISA (and formerly of the DNC).

We also talked to a bunch of in-the-field practitioners, like John Rouffas, CISO at Intelliflo, Amit Serper, Director of Security Research at Akamai, David Rogers of Copper Horse, Whitney Merrill of the Crypto & Privacy Village, Jacques Chester of Shopify, Taki Uchiyama of Panasonic, and James Kettle of PortSwigger.

TODO: Academics

Finally, we talked to Omer Akgul and Richard Roberts, both of the University of Maryland, about their paper, "Investigating Influencer VPN Ads on YouTube." This was a super fun paper I stumbled across while researching for a Rapid Rundown segment a few weeks earlier, and I have to say, we don't talk to academics nearly enough.

We have our own conferences and paper submission norms and all that here in cybersecurity, but we would do well to pay more attention to formal academic research when it comes to the pressing issues of the day. Hopefully in Season 6 of Security Nation, we can spend a little more time in the cloistered halls of academia, and bring some of that discipline and rigor back to the hack-as-you-can world of infosec.

Thanks For Listening!

If you're among the dozens listening to Security Nation, thank you so much for listening! If this is all news to you, just head on over to securitynationpodcast.com and binge on your next roadtrip. It's the holidays, after all, and podcasts are a pretty great way to pass the travel time. And, have a great New Year! 2023! It can't possibly be worse than the last few!

[Security Nation] Jeremi Gosney on the Psychology of Password Hygiene

In this episode of Security Nation, Jen and Tod talk to renowned password security expert Jeremi Gosney about how we are all guilty of bad password practices. He discusses the psychology of how we develop the various words/phrase combinations that become our crackable passwords.

Stick around for the Rapid Rundown, where Tod and Jen dive into a great story for Cybersecurity Awareness Month as well as bad data-governance practices.

Jeremi Gosney

Jeremi Gosney is a renowned password cracker and password security expert. He is a member of the Hashcat core development team, the former CEO of the password cracking firm Terahash, and the author of the Pufferfish and hmac-bcrypt password hashing functions. He also helps run the DEF CON Password Village and the PasswordsCon track at Security BSides Las Vegas.

Show notes

Interview links

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[Security Nation] James Kettle of PortSwigger on Advancing Web-Attack Research

In this episode of Security Nation, Jen and Tod talk to James Kettle of PortSwigger. Their discussion includes research into new web-attack techniques and how those get field-tested (hint: bug bounties). The research is kept fresh from donations gleaned from the bug bounty field tests. PortSwigger validates their research in the real world, and those advances in web-attack techniques are published and disseminated in an effort to fix bugs and misconfigurations.

Stick around for the Rapid Rundown, where Tod and Jen talk about the recent Fortinet advisory concerning the "silent patching" of bugs without disclosure of any real details – only to have attackers go and reverse it all anyway.

James Kettle

James 'albinowax' Kettle is Director of Research at PortSwigger. His latest work includes browser-powered desync attacks and web-cache poisoning. James has extensive experience cultivating novel attack techniques, including RCE via Server-Side Template Injection and abusing the HTTP Host header to poison password reset emails and server-side caches. James is also the author of various popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues, including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEFCON.

Show notes

Interview links

  • Prior Security Nation episode in which loads of PortSwigger references were dropped: https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/
  • New research from James about browser-powered desync attacks: https://portswigger.net/research/browser-powered-desync-attacks

Rapid Rundown links

[Security Nation] Taki Uchiyama of Panasonic on Product Security and Incident Response

In this episode of Security Nation, Jen and Tod chat with Taki Uchiyama about his work on Panasonic’s Product Security Incident Response Team (PSIRT). They chat about educating folks on vulnerabilities associated with smart devices, the challenges of running PSIRT’s training sessions during the pandemic, and the importance of building security into internet-connected products.

Stick around for our Rapid Rundown, where Tod and Jen talk about a new white paper that shows how parking and toll apps that read license plates could inadvertently be used as a surveillance system.

Taki Uchiyama

Taki Uchiyama is a member of Panasonic PSIRT and is in charge of global product security activities. His main roles include the coordination of vulnerabilities, creating and conducting product security training for product developers, and providing assistance to product development teams on product security matters as necessary. Aside from his role at Panasonic, Taki has been a CVE Board Member since 2016. Prior to joining Panasonic, Takayuki worked at JPCERT/CC, where his main tasks involved the coordination of vulnerability reports with PSIRTs and taking part in various discussion groups related to the identification, analysis, coordination, and disclosure of vulnerabilities.

Show notes

Interview links

  • Check out Panasonic's delightful PSIRT page – especially if you have a vulnerability in one of Panasonic's many, many products to report.

Rapid Rundown links

[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs

In this episode of Security Nation, Jen and Tod chat with Chris Levendis of MITRE and Lisa Olson of Microsoft about assigning CVE IDs for vulnerabilities affecting cloud solutions. They recount their experiences working with the CVE board to establish guidelines for disclosing cloud vulnerabilities and talk through some of the challenges in understanding responsibility for mitigating and managing risks in the cloud.

Stick around for our Rapid Rundown, where Tod and Jen talk about a helpful new feature in iOS 16 that allows users to tell their devices to forget certain Wi-Fi networks, as well as RFC 9293, the newly published Transmission Control Protocol (TCP) specification that obsoletes RFC 793.

Chris Levendis

Chris Levendis is a Principal Systems Engineer in the Cybersecurity Operations & Integration department in the Center for Securing the Homeland at MITRE. He has supported various DHS missions since 2004, including infrastructure protection and cybersecurity. Currently, in support of the Cybersecurity and Infrastructure Security Agency (CISA), Chris leads the Homeland Security Systems Engineering and Development Institute’s (HSSEDI) work for Threat Hunting, Office of the Chief Technology Officer (OCTO), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC).

Lisa Olson

Lisa Olson has been in the business of developing technology and products to manage complex networks and network devices since the 1980s. She started her career working as a software engineer for IBM and has gone on to management positions for large companies including Boeing and Jupiter/Media Metrix.

For the last 10 years, Lisa has immersed herself in cybersecurity by managing Microsoft’s monthly Security Update releases (aka Patch Tuesday). Under her leadership, Patch Tuesday has undergone digital transformation from a primarily manual labor-intensive production of security bulletins for a relatively small number of products, to a highly automated all-electronic environment supporting hundreds of products including Microsoft’s Azure via a database and APIs. The Security Update Guide is published by Lisa’s team every month and provides information about Microsoft’s CVE list.

Show notes

Interview links

Rapid Rundown links

[Security Nation] Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner

In this episode of Security Nation, Jen and Tod chat with Gordon “Fyodor” Lyon, author of the widely used open-source Nmap Security Scanner. On the doorstep of Nmap’s 25th anniversary, Gordon and our hosts talk about the tool’s impact on asset management, as well as the struggles and triumphs of creating and managing the solution. They even cover a few highlights from Hollywood films where Nmap makes a guest appearance.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent warning from the FBI that decentralized finance (DeFi) – i.e., cryptocurrency – poses some unique risks, which attackers are already exploiting.

Gordon “Fyodor” Lyon

Gordon "Fyodor" Lyon authored the open-source Nmap Security Scanner in 1997 and continues to coordinate its development. His company also develops and sells Npcap, a raw networking library and driver for Windows. Npcap is now used in hundreds of other software projects, including Wireshark and Microsoft Defender for Identity. Gordon is a founding member of the Honeynet Project and served on the technical advisory boards for Qualys and AlienVault, as well as editorial boards for many conferences and journals. He authored or co-authored the books "Nmap Network Scanning," "Know Your Enemy: Honeynets," and "Stealing the Network: How to Own a Continent." He runs the "Full Disclosure" mailing list, along with popular security resource sites such as SecLists.Org, SecTools.Org, and Insecure.Org.

Show notes

Interview links

  • Check out Nmap if, for some reason, you haven’t already.
  • Learn about Npcap, the packet capture library tool that Gordon and his company also offer.
  • Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube.

Rapid Rundown links

[Security Nation] Jen and Tod on Hacker Summer Camp 2022

In this episode of Security Nation, Tod and Jen chat about their experience at this year’s Hacker Summer Camp, the multi-event lineup of cybersecurity conferences in Las Vegas that includes BSides, Black Hat, and DEF CON. Tod gives us his highlights from the virtual sessions, and Jen recounts her jam-packed week of presentations (which resulted in a somewhat diminished ability to use her voice for this recording).

No Rapid Rundown this week, since our Vegas wrap-up overlaps with much of the latest security news, making it a Rapid Rundown in itself!

Show notes

Learn more about some of our favorite presentations from the Vegas conferences, including:

[Security Nation] Curt Barnard on Defaultinator (Black Hat Arsenal Preview)

In this episode of Security Nation, Jen and Tod chat with Curt Barnard, Principal Security Researcher at Rapid7, about a new tool he’ll be presenting at Black Hat Arsenal, the showcase of open-source tools at Black Hat 2022 in Las Vegas. Curt gives us the details about the tool, Defaultinator, which helps security pros look up and audit for default credentials more quickly and effectively. He also tells us what else he’s excited about at this year’s lineup of cybersecurity conferences in Vegas next week.

Stick around for our Rapid Rundown, where Tod and Jen talk about a Rapid7 alum’s discovery of a vulnerability in DSL- and fiber-based web routers from Arris, as well as a recent article that debates the benefits of sharing exploit proofs of concept versus keeping them private.

Curt Barnard

Curt Barnard is a cybersecurity professional with 15 years of experience across both the public and private sector. At Rapid7, Curt is a Principal Security Researcher working with projects Sonar and Heisenberg, analyzing internet-wide security issues with global impact. Before joining the team at Rapid7, Curt spent time breaking software with the Department of Defense, vetting cybersecurity companies for venture capital firms, and building his own startup from the ground up. When he isn't busy popping calc.exe, Curt enjoys changing your desktop's wallpaper and moving your icons around.

Show notes

Interview links

Rapid Rundown links

[Security Nation] Jacques Chester of Shopify Talks CVSS Scores

In this episode of Security Nation, Shopify Senior Staff Software Developer Jacques Chester joins Jen and Tod to discuss his intriguing paper on CVSS scores and the overall oddness of vulnerability distribution. The trio also dives into Jacques’ journey to understanding how security systems affect people in the real world.

Stick around for our Rapid Rundown, where Tod and Jen discuss PyPI's alert to certain open-source publishers about the institution of 2FA technology on the platform.

Jacques Chester

Jacques is a Senior Staff Software Developer at Shopify in the Ruby & Rails Infrastructure group. He leads work on upstream and community improvements to supply chain security, with a focus on the Ruby ecosystem. Previously he worked in cloud-native platforms and consulting for VMware and Pivotal. He is a cat dad.

Show notes

Interview Links

Rapid Rundown Links

PyPI issues mentioned

[Security Nation] Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

In this episode of Security Nation, Jen and Tod are joined again by Pete Cooper and Irene Pontisso of the UK Cabinet Office for a follow-up on the cybersecurity culture challenge they launched in 2021. Pete and Irene run us through the results, what kinds of interventions participants came up with, and what has them excited about building a more resilient government security culture in the years to come.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent write-up that takes a deep dive into a curious form of phishing: pig-butchering scams. Spoiler: They have nothing to do with actual pigs but everything to do with highly specific text messages from numbers you don’t recognize.

Pete Cooper

Pete is Deputy Director Cyber Defence within the Government Security Group in the UK Cabinet Office where he looks over the whole of the Government sector and is responsible for the Government Cyber Security Strategy, standards, and policies, as well as responding to serious or cross-government cyber incidents. With a diverse military, private sector, and government background, he has worked on everything ranging from cyber operations, global cybersecurity strategies, advising on the nature of state-versus-state cyber conflict to leading cybersecurity change across industry, public sector and the global hacker community, including founding and leading the Aerospace Village at DEF CON. A fast jet pilot turned cyber operations advisor, who on leaving the military in 2016 founded the UK’s first multi-disciplinary cyber strategy competition, he is passionate about tackling national and international cybersecurity challenges through better collaboration, diversity, and innovative partnerships. He has a Post Grad in Cyberspace Operations from Cranfield University. He is a Non-Resident Senior Fellow at the Cyber Statecraft Initiative of the Scowcroft Centre for Strategy and Security at the Atlantic Council and a Visiting Senior Research Fellow in the Dept of War Studies, King's College London.

Irene Pontisso

Irene is Assistant Head of Engagement and Information within the Government Security Group in the UK Cabinet Office. Irene is responsible for the design and strategic oversight of cross-government security education, awareness, and culture-related initiatives. She is also responsible for leading cross-government engagement and press activities for Government Security and the Government Chief Security Officer. Irene started her career in policy and international relations through her roles at the United Nations Platform for Space-based Information for Disaster Management and Emergency Response (UN-SPIDER). Irene also has significant industry and third sector experience, and she partnered with the world's leading law firms to provide free access to legal advice for NGOs on international development projects. She also has experience in leading large-scale exhibitions and policy research in corporate environments. She holds an MSc in International Relations from the University of Bristol and a BSc from the University of Turin.

Show notes

Interview links

Rapid Rundown links

  • Check out the article on so-called pig-butchering scams.
