The Security Ledger Podcasts show

The Security Ledger Podcasts

Summary: Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!

  • Artist: The Security Ledger
  • Copyright: Copyright © Box Jump LLC, 2019. All Rights Reserved. No part of this may be reproduced without Box Jump LLC's express consent. Backlinks are allowed.

Podcasts:

 Episode 158: How NotPetya has Insurers grappling with Systemic Cyber Risk | File Type: audio/mpeg | Duration: 25:20

In this episode of The Security Ledger podcast (#158): the NotPetya malware outbreak in 2017 raised red flags about the potential for malware to pose systemic risk to insurers by affecting broad swaths of the economy. We talk to Bruce McConnell of the East West Institute about how insurers are responding.

NotPetya spread across Europe and North America at lightning speed. It was one of the most expensive malware attacks of all time, with damages totaling $10 billion. And, for companies impacted, it was impressively damaging: halting production lines and operations at global corporations in shipping, pharmaceuticals and manufacturing, making it one of the most virulent malware attacks ever. Read Security Ledger coverage of NotPetya here.

But NotPetya was important for other reasons, as well. It exposed gaps in traditional approaches to information security. For industries like insurance, NotPetya underscored the prospect of “systemic cyber risk”: the ability of a piece of malware, believed to be of Russian origin, to cause ripple effects that could spread beyond its immediate victims and throughout an economy.

Bruce McConnell is the Executive Vice President at the East West Institute.

NotPetya’s rapid spread from small Ukrainian firms to some of the biggest companies in the world, and the disruption it caused, hinted at the kinds of ripple effects a devastating malware outbreak could have if it targeted a commonly used software component or a major services or infrastructure provider. To better understand what systemic cyber risk is all about and how the insurance industry is taking steps to address it, we invited Bruce McConnell, the Executive Vice President of the East West Institute, onto The Security Ledger podcast to talk. East West has authored a report, Cyber Insurance and Systemic Market Risk, to provide a framework to better understand and address the systemic nature of cyber risk and the challenges it presents to the burgeoning cyber insurance industry.

In this interview, Bruce and I talk about the growing specter of systemic cyber risk and how insurance companies are adapting to that risk. As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast,

 Episode 157: Do we need an FDA for Software? Also: operationalizing Threat Intelligence | File Type: audio/mpeg | Duration: 32:01

In this week’s episode of the Podcast, #157, sponsored by LookingGlass Cyber Solutions: Sarah Zatko of the Cyber Independent Testing Lab joins us to talk about CITL’s big new study of firmware security. In our second segment, we’re joined by Allan Thomson, the Chief Technology Officer at LookingGlass*, to talk about the growing use of cyber threat intelligence and the need to evolve cybersecurity practices to keep ahead of fast-evolving threats.

On Firmware Security: Nobody’s Trying

The Mirai botnet caught the world’s attention back in 2016 as the first high-profile IoT botnet. Since then, attacks on Internet of Things devices have grown rapidly. Why? Well, for one thing: they’re easy marks. Two decades ago, Microsoft’s Windows operating system, IE browser and Office software were the primary targets of malicious hackers because they were widely used and widely known to be vulnerable to attack. Today, those platforms are far more secure and boast protections against a wide range of common attacks like buffer overflows. On the Internet of Things, however, things are different. Connected devices like home routers, IP-enabled cameras and digital video recorders, or smart televisions and appliances, commonly run software (“firmware”) that lacks even basic protections against common threats like buffer overflow attacks. That makes them easy prey for hackers looking to gain a foothold on a home or business network, or interested in building powerful “botnets” of infected devices to do their bidding.

How bad is it on the Internet of Things? It has been hard to say. Unlike Windows or Office, which were made and managed by a single company, there are thousands, even tens of thousands, of device makers out there. Each is distributing its own device firmware. Up until now, nobody has ever undertaken the job of studying this software to figure out how secure it is.

But that changed last week, when the Cyber Independent Testing Lab released data from what it is calling the first longitudinal study of IoT device security. The results were not surprising, but they were surprisingly bad. The CITL study surveyed firmware from 18 vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. In all, more than 6,000 firmware versions were analyzed, totaling close to 3 million binaries created from 2003 to 2018. Time and again, firmware from commonly used manufacturers failed to implement basic security features, even when researchers studied the most recent versions of the firmware. Even worse, CITL researchers found no clear progress in any protection category over time, said Zatko. Researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study, but 370 negative changes over the same period. Looking across its entire data set, in fact, firmware security actually appeared to get worse over time, not better, CITL said.

In our first segment this week, Security Ledger is airing an interview that I did with Sarah Zatko, the Chief Scientist of CITL, last week in Las Vegas. Sarah was presenting CITL’s findings at an event sponsored by the Hewlett Foundation. I started by asking her about one of the proposals she made for shoring up software security: to create an agency akin to the FDA just to manage software security. Wasn’t that the job of the FTC, I wanted to know?

Does Threat Intelligence make you Smarter?

In our second segment: threat intelligence services have fast emerged as a critical tool in the tool belt of enterprise security teams. But what is security intelligence really?

 Spotlight Podcast: Unpacking Black Hat Hacks with Digicert CTO Dan Timpson | File Type: audio/mpeg | Duration: 25:24

In this Spotlight Podcast, we broadcast from the Black Hat Briefings in Las Vegas, Nevada. Dan Timpson, the Chief Technology Officer at DigiCert*, joins us to talk about some of the high-profile hacks at this week’s “hacker summer camp” and the weaknesses and security lapses that are common to all of them.

In this week’s episode of the Podcast, #156: we’re back at “hacker summer camp” in Las Vegas this week, also known as the Black Hat, B-Sides and DEF CON conferences, which bring tens of thousands of the world’s top security experts to the Las Vegas Strip. The three conferences, collectively, feature hundreds of presentations on security vulnerabilities, exploits and attacks on all manner of devices, from airplanes to vacuuming robots.

“What was a conversation about authentication on the web is now accelerated to all kinds of avenues in the ecosystem” – Dan Timpson, Chief Technology Officer, DigiCert

Authentication, Encryption and Code Authenticity Core Issues

Dan Timpson is the Chief Technology Officer at DigiCert.

But if you look behind many of the security demonstrations, a common theme emerges: poor security designs and implementations centered on a trifecta of issues: authentication, encryption and code signing. Our guest this week, Dan Timpson, sees this first hand as the Chief Technology Officer at DigiCert, one of the world’s largest certificate authorities. In this conversation with The Security Ledger, Dan and I dig into some of the hot talks at this year’s show and talk about the underlying security issues that inform them, including poor implementations of PKI technologies and, increasingly, threat modeling that is inadequate to the new context of the Internet of Things.

To start off, Dan and I talk about the shifting conversation about PKI and authentication that has come with the Internet of Things, and how events like the Edward Snowden leak of data from the CIA changed the conversation about protecting sensitive data and authenticating transactions.

(*) Disclosure: This podcast was sponsored by DigiCert. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

 Episode 156: Looming over Black Hat: doing Security at Massive Scale | File Type: audio/mpeg | Duration: 24:48

In this episode of the Security Ledger Podcast (#156), we’re joined by Michael Coates, the former Chief Information Security Officer at Twitter and the CEO and co-founder of Altitude Networks.* With “hacker summer camp” kicking off in Las Vegas, Michael and I talk about the pre-eminent challenge for the information security industry: how to do security at the massive scale and speed of cloud environments like AWS.

In this week’s episode of the Podcast, #156: It’s time for Hacker Summer Camp again, as the Black Hat Briefings kick off this week in Las Vegas along with B-Sides Las Vegas and, of course, the DEF CON conference. As the world’s top security professionals gather on the Las Vegas Strip, one question hanging in the air is ‘how to secure the cloud?’ A vast and growing cloud-based infrastructure today runs dynamic start-ups and unicorns like Slack and Lyft, but also industry stalwarts up and down the Fortune 500.

Capital One a Warning on Cloud Insecurity

Michael Coates is the CEO and co-founder of Altitude Networks.

The recent breach at Capital One is a fresh reminder of the risks that go along with cloud adoption. In that incident, information on more than 100 million credit card applicants was snatched from an Amazon S3 storage bucket by a rogue AWS employee. The incident has rattled the technology world and prompted at least one U.S. Senator in recent days to demand an explanation from Amazon CEO Jeff Bezos of how such a breach could happen. (Server side request forgery, maybe?)

Our guest this week knows a thing or two about securing vast, cloud-based infrastructure. Michael Coates is the former Chief Information Security Officer at Twitter and the CEO and co-founder of Altitude Networks, a startup that does data security for cloud collaboration platforms. Altitude just emerged from stealth mode with a $9 million Series A round from Felicis Ventures, Accomplice and a personal investment from former Facebook CISO Alex Stamos. The company will be demonstrating its technology at Black Hat’s Innovation City. Altitude Networks focuses on securing data in cloud-based collaboration platforms.

Secure Everything. Everywhere. At Massive Scale.

In this conversation, Michael and I talk about how cloud-based collaboration platforms like G Suite, Office 365 and Dropbox present a unique challenge to the security industry. As Michael notes: they require organizations to secure “everything, everywhere and at massive scale.” It’s a challenge that Coates experienced first hand as the CISO at Twitter, where just monitoring how data was moving was a challenge, let alone determining whether that movement constituted a risk or a security breach. Check out our full conversation in the podcast!

(*) Disclosure: This podcast was sponsored by Altitude Networks. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger,

 Episode 155: Disinformation is a Cyber Weapon and APTs warm to Mobile Malware | File Type: audio/mpeg | Duration: 31:38

In this week’s episode of the Podcast (#155): Jerome Segura of Malwarebytes joins us to talk about how disinformation campaigns and cyber crime are part of the same toxic cocktail in the world’s trouble spots, like Ukraine. Also: Adam Meyers of CrowdStrike joins us to talk about that company’s first ever report on mobile malware, which is gaining currency with advanced persistent threat (APT) groups.

What MH-17 tells us about our Future

Online rumors, conspiracy theories, disinformation campaigns: these are the tools of modern information warfare and they can be used to devastating effect, sowing distrust of institutions and making it difficult if not impossible for casual observers to ascertain the truth about important and consequential events.

Jerome Segura is the Director of Threat Intelligence at the firm Malwarebytes.

But as the researchers at Malwarebytes noted recently, disinformation campaigns don’t exist in a vacuum. Increasingly, rumors and disinformation campaigns are part of a global cocktail of instability that also includes cyber attacks and even kinetic attacks and conflict. In our first segment, we speak with Jerome Segura, the director of threat intelligence at Malwarebytes, about Russian efforts to shape public understanding of the downing of Malaysian Airlines Flight 17, which was shot down over Eastern Ukraine in July 2014 by rebels armed by the Russian military. In this conversation, Segura talks about how Ukraine has become a theater on which the future of conflict is playing out: a future that includes the intersection of military, paramilitary and criminal actors, including cyber criminal groups operating beyond the reach of the law.

The Growing Threat of Mobile Malware

The information security industry has been raising red flags about mobile malware for more than a decade. Most of those warnings, however, turned out to be (way) premature. To date, mobile malware represents just a sliver of all the malware detected in a given year. But that may be changing. As mobile devices become the go-to platform for billions of Internet users, mobile threats are finally gaining traction, not only with cyber criminals but with Advanced Persistent Threat (APT) and nation-state groups.

Adam Meyers is the Vice President of Threat Intelligence at the firm CrowdStrike.

In our second segment, we welcome Adam Meyers, the Vice President of Intelligence at CrowdStrike, into the Security Ledger studio to talk about the growing threat posed by mobile malware, as everyone from repressive governments to run-of-the-mill thieves looks to gain a foothold on mobile devices. As always, you can check out our full conversation in our latest Security Ledge...

 Spotlight Podcast: To Fix Remote Access, CyberArk Alero Ditches Passwords and VPNs | File Type: audio/mpeg | Duration: 20:14

In this Spotlight edition of The Security Ledger Podcast, sponsored by CyberArk*, we interview serial entrepreneur Gil Rapaport about his latest creation: Alero, a new remote authentication tool that promises to fix remote vendor access by doing away with passwords…and agents…and VPNs. If that sounds like a tall order, check out our podcast to learn how he does it!

Third party risk is exploding for organizations, whether the organization is in healthcare (where EHR hacks are a huge problem) or e-commerce, where groups like Magecart have been targeting insecure deployments on platforms like Amazon’s S3 storage cloud. The fact is: more data breaches and network compromises are being linked to third party vendors such as contractors, managed service firms and SaaS providers. Cyber criminal groups and nation states are pursuing a “weakest link” strategy to gain access to sensitive networks and data, and it’s working.

Authentication: the Weak Link in Remote Vendor Access

That puts the onus on companies to shore up the systems they use to manage third party providers and third party access to their environments. Historically, that job has fallen to technologies like Virtual Private Networks (VPNs), which create a secure tunnel from a third party into protected networks. But these days, few organizations are willing to grant third parties unfettered access to protected networks. Permissions, if they’re granted at all, will be limited to a specific application and a specific user role for that application, a use case that VPNs were not designed for. And even the most granular access policy can be undermined by weak authentication schemes and account takeovers. Simply put: how does your company know that the third party seeking access to your trusted application is who they claim to be? The cost of not knowing is high. Granting access to an attacker or malicious actor, even to a single application, can spell disaster if your organization handles highly sensitive or regulated data. (Just ask British Airways and Marriott!)

Alero: Beyond Passwords, Beyond VPN

That’s where our guest this week comes in. Gil Rapaport is the co-founder of the firm Viewfinity, which made Windows least privilege management and application control software and was purchased by the firm CyberArk back in 2015. An expert in password management and application control, Rapaport is taking on the third party authentication challenge for his next act. As you would expect, he’s doing that by launching a startup, Alero, that promises to solve third party access by dispensing not just with VPNs but with passwords, also. What’s unusual is that rather than go it alone, this time Rapaport is launching his new company from within the confines of CyberArk itself: turning himself back into an entrepreneur without leaving the company that facilitated his latest exit. In this conversation, recorded on the sidelines of CyberArk’s Impact Conference in Chicago last week, Gil and I talk about Alero and how it works, as well as the larger problem of moving beyond passwords.

(*) Disclosure: This podcast was sponsored by CyberArk. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger,

 Episode 154: Richard Clarke on Defending the Fifth Domain | File Type: audio/mpeg | Duration: 28:52

The Pentagon calls cyberspace “the fifth domain” of conflict. But what does that mean? And how do you defend a human-made space that’s everywhere and nowhere? In this episode of the podcast, Richard Clarke joins us to discuss his new book, The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats.

When we last spoke to Richard Clarke, he was on tour to promote his book Warnings: Finding Modern Cassandras to Stop Catastrophes. That book saw Clarke and a co-author, R.P. Eddy, interviewing people who had warned fruitlessly about pending disasters like 9/11 and the Fukushima Daiichi nuclear power plant meltdown. That book was a way to get everyone thinking about the Cassandras among us who are warning about coming storms, including cyber war.

In his latest book, The Fifth Domain, co-written with Robert Knake, Richard goes deep on that very topic. The title is a reference to military parlance for cyberspace, which has joined land, sea, air and space as a theater of warfare. But cyberspace is different from those theaters. In this conversation we talk about how it is different and how those differences warrant new thinking about how to secure and protect the Internet and everything in our lives that has come to depend on it. To start off, Richard and I talk about his last book with Mr. Knake, Cyber War, which a decade ago predicted many of the trends we now see every day, including destructive cyber attacks launched by militaries, claims that at the time were considered “fiction.”

Richard Clarke is the CEO at Good Harbor Consulting. He’s a former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States and a veteran of four administrations, from President Ronald Reagan through to President George W. Bush. His new book is The Fifth Domain: Defending Our Country, Our Companies and Ourselves in the Age of Cyber Threats.

 Episode 153: Hacking Anesthesia Machines and Mayors say No to Ransoms | File Type: audio/mpeg | Duration: 33:15

In this week’s podcast episode (#153): the researcher who discovered serious remote access security flaws in anesthesia machines made by GE says such security holes are common. Also: the US Conference of Mayors voted unanimously to swear off paying ransoms for cyber attacks. But is that a smart idea? We’re joined by Andrew Dolan of the Multi-State Information Sharing and Analysis Center to talk about it.

In our first segment: the Department of Homeland Security on Tuesday warned hospitals that a serious and remotely exploitable security hole had been found in two anesthesia devices made by GE Healthcare. ICS Medical Advisory (ICSMA-19-190-01), released Tuesday, warns that the GE Aestiva and GE Aespire Anesthesia Machines, versions 7100 and 7900, contain software that could allow a remote attacker to connect to and remotely modify device configurations without first authenticating to them.

Take a deep breath…or not!

In our first segment in this week’s podcast, we speak with the man who discovered the flaw: Elad Luz, the Head of Research at CyberMDX. He tells us that the GE anesthesia machines, like many medical devices, were not designed to be connected directly to the local- or wide-area networks that are now common in clinical settings. That connectivity comes by way of so-called “terminal servers,” which translate the serial port communications used by medical devices into TCP/IP, the lingua franca of most networks and the Internet. Unfortunately, GE’s devices allow anyone able to communicate with a terminal server to send commands directly to the anesthesia devices without further authenticating to them. And, while many clinical organizations might wish to remotely monitor telemetry from devices like anesthesia machines, the GE devices allow remote actors to configure the machine: changing the makeup of the gases distributed to patients, changing the time settings on the device or suppressing alarms. Luz said that serious and potentially life-threatening security lapses like this aren’t uncommon, with medical device makers frequently failing to disable diagnostic or calibration features prior to release, or offering them to customers as a convenience without considering how they might be abused by a malicious actor.

Mayors say ‘no’ to ransoms…then what?

Amid a scourge of ransomware attacks affecting municipal networks, the U.S. Conference of Mayors voted unanimously this week to adopt a resolution opposing payment of ransoms to cyber criminal groups. That’s a laudable declaration, but is it smart? Recent cases like the ransomware infection that hit the City of Baltimore (check out Podcast #151, where we talk to IOActive’s Cesar Cerrudo about this) suggest that, absent strong IT security controls and a robust backup and recovery practice, some communities may face a difficult and expensive road to recovery should they tell ransomware groups to take a hike. That has certainly been the case in Atlanta and Baltimore, where decisions to forego ransom demands of tens of thousands of dollars have led to weeks-long disruptions in services and necessitated cleanup and recovery operations measured in millions of dollars. So is telling ransomware gangs to stuff it really the best response? In our second segment,

 Episode 152: What the Silex Malware says about IoT Insecurity and Cloud Security CEO Steve Mullaney on Amazon ReInforce | File Type: audio/mpeg | Duration: 32:16

In this week’s podcast episode, #152: we talk with Akamai researcher Larry Cashdollar about his discovery of Silex, a new example of IoT-killing malware allegedly authored by a 14 year old. Also: Steve Mullaney, the CEO of the cloud security start-up Aviatrix, joins us to talk about Amazon’s new cloud security conference: re:Inforce.

When Akamai researcher Larry Cashdollar checked the contents of a honeypot he operates from his home network on a recent morning, he was surprised by what he saw. Buried in a binary file that turned up in his honeypot was an apologetic message from an unknown malware author for hacking and then bricking his device.

Malware…and an Apology

The binary turned out to be a new malicious program, which Cashdollar dubbed Silex, that was designed to break into and then wipe clean any Internet of Things device running embedded versions of the Linux operating system. In our first segment, we talk to Larry about his discovery and about its alleged teenage author. We also talk about the bigger problem of insecure Internet of Things devices, which are proving to be easy targets for malicious programs.

Larry Cashdollar is a senior security information response engineer at Akamai.

When Amazon brought its re:Inforce show to Boston in late June, the goal was to highlight the latest efforts that the massive cloud computing provider is taking to make its environment friendly for application developers and for security companies. But is Amazon and its AWS service a playground for new security startups, or a competitor to them?

In securing the Cloud is Amazon Friend or Foe?

Watch out, RSA Conference. Amazon, the world’s biggest cloud provider, hosted its first ever security conference last week: re:Inforce. But for would-be cloud security providers, is the world’s biggest commercial cloud company a partner or a competitor?

Steve Mullaney is the President and CEO of the firm Aviatrix.

In our second segment this week, we’re joined by someone who should know: Steve Mullaney, the President and CEO of Aviatrix, a startup that focuses on securing multi-cloud environments. In this conversation, Steve and I talk about the rapid computing transformation, as enterprise IT migrates swiftly to the cloud. Steve and I discuss the security needs that companies have as they migrate to cloud environments like AWS and whether Amazon, Google and Microsoft are partners to security providers, or competitors. As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

 Episode 151: Ransoming the City with Cesar Cerrudo of IOActive | File Type: audio/mpeg | Duration: 21:37

In this week’s episode, #151: Cesar Cerrudo, the head of research at the firm IOActive, joins us to talk about the recent spate of massive ransomware payouts and why municipal government networks are the favorite target of hackers these days.

It happened again. Less than a week after Riviera Beach, Florida agreed to pay a whopping $600,000 ransom to get their data back from hackers, another Sunshine State city’s administration has been forced to do the same. On Monday, the City Council of Lake City, Florida, population 65,000, voted to pay a ransom demand of 42 bitcoins, worth nearly $500,000.

Cesar Cerrudo is the CTO at IOActive.

This follows incidents in bigger cities, including Baltimore, which notoriously turned down a $70,000 ransom demand and ended up paying upwards of $18 million to recover data from thousands of city systems. But why are cyber criminals going after the computers and networks of cash-strapped municipalities?

To better understand what’s going on, we invited Cesar Cerrudo, the Chief Technology Officer in charge of Research at the firm IOActive. Cesar is the founder of Securing Smart Cities, a non-profit that provides guidance and advice to city governments on how to secure their networks. He is also the author of the IOActive report “An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks.” (PDF) I started our conversation by asking Cesar what explained the surge in attacks against cash-strapped municipal computer networks.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

 Episode 150: Microsoft’s Tanya Janca on securing Azure and Armor Scientific’s CTO on Life after Passwords | File Type: audio/mpeg | Duration: 48:29

In this week’s episode, #150: Microsoft cloud evangelist Tanya Janca joins us to talk about securing Azure and the challenges of pushing security left. Also: we continue our series on life after passwords as Nick Buchanan, CTO of Armor Scientific, joins us to talk about the imminent demise of the password and what might replace it.

Microsoft dominated the 1980s, 90s and 2000s as the pre-eminent supplier of desktop and server operating systems and the maker of the most popular office productivity suite, web browser, email client, you name it. But in 2019, the days of the desktop computer are numbered and Microsoft’s future, like that of every other technology company, is intimately linked to the cloud, specifically Azure, Microsoft’s massive cloud platform.

Secure and Azure

Tanya Janca is a cloud developer advocate at Microsoft.

But how do you get a population of tens of millions of developers who are used to Windows and Windows applications to start developing for the cloud? That’s part of the job of our first guest: Tanya Janca, a senior cloud advocate at Microsoft. Where Microsoft grew in the 1980s and 90s by putting Windows, Office and Internet Explorer on every desktop and laptop PC (thus pushing out smaller rivals), Microsoft can’t hope to dominate the new era of cloud computing so completely, especially since its chief rival, Amazon, largely invented the space. That requires a different take and a different touch, says Janca, who writes and tweets with the handle @shehackspurple. Among other things, it means playing nice with other “not developed here” clouds and technologies and making sure that the sheer complexity of multi-cloud environments doesn’t lead customers to accidentally leave data and assets exposed. In our first segment this week, Tanya and I talk about her work as an Azure evangelist and how to promote security in the age of cloud and DevOps.

Life after the Password with Armor Scientific

Up next: as much as people complain about the weak security offered by alphanumeric passwords, they’re still plenty popular. Possibly that’s because so many otherwise unsophisticated technology users are familiar with them, and because they’re easy.

Nick Buchanan is the CTO of Armor Scientific.

After all, the last 10 years have brought an explosion of password alternatives into common use: fingerprint biometrics, face biometrics, hard second factors, soft second factors and so on. Each new layer of authentication in theory adds to the security of your system, raising the bar for attackers. But it also adds work and complexity for your users. That, in turn, can hamper productivity or, even worse, drive users to look for shortcuts.

 Episode 149: How Real is the Huawei Risk? | File Type: audio/mpeg | Duration: 34:06

In this episode of the podcast we’re joined by Priscilla Moriuchi of the firm Recorded Future, which released a report this week analyzing the security risks posed by Huawei, the Chinese telecommunications and technology giant.

In recent months, the Trump Administration has made the technology and telecommunications giant Huawei Technologies a poster child for its assault on China’s anti-competitive practices. The Shenzhen-based maker of everything from networking equipment to smart phones, Huawei has over $100 billion in sales and 180,000 employees globally. It is a key participant in China’s ambitious Belt and Road initiative to develop and modernize a broad swath of Africa, Asia and even Europe.

Priscilla Moriuchi is the Director of Strategic Threat Development at Recorded Future.

Western doubts about Huawei’s intentions are nothing new. Silicon Valley competitors and lawmakers have long warned about Huawei’s business practices and the ties of the company and its founder, Ren Zhengfei, to the Chinese military and the Communist Party. The Trump Administration has ratcheted up the pressure on the company, indicting the company and its chief financial officer on charges including bank fraud and the theft of trade secrets, warning U.S. government agencies and allies not to use Huawei’s technology, and warning companies that do business with the US government to beware. There’s evidence that the warnings are having an impact, especially in countries closely aligned with the U.S. But China’s government has retaliated, warning US and western firms about the dangers of participating in Washington’s ban. That leaves businesses in a pinch. But our guest this week suggests that they may do well to be wary of Huawei, regardless of what the US Government and the Trump Administration says.

Priscilla Moriuchi is the director of strategic threat development at Recorded Future. In a report released this week, Moriuchi and Recorded Future warn that Huawei’s risk to western companies is more than just hypothetical. The company is unique because of the breadth of its technology portfolio – everything from undersea cables to smart phones. By extension, that makes it unique in the breadth of data that it collects from customers world-wide. Today – or at any point in the future – that data could prove irresistible to a Communist Party interested in lifting China’s stature as a global superpower and wary of democratic values like free expression and freedom of association, Moriuchi says.

A map showing undersea cables that Huawei has laid or upgrade...

 Episode 148: Joseph Menn on Cult of the Dead Cow also Veracode CEO Sam King on InfoSec’s Leaky Talent Pipeline | File Type: audio/mpeg | Duration: 29:16

In this week’s episode of the podcast: Joseph Menn’s new book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World hit store shelves this week. We reprise our March interview with Joe and talk about the origins of CDC. Also: is the talent pipeline for information security empty, or has it sprung a leak? We’re joined by Veracode* CEO Sam King to talk about one of the top problems facing organizations: how to cultivate and keep information security talent.

Joseph Menn’s new book on the seminal hacking group Cult of the Dead Cow was making headlines months before its release, after Menn – a reporter at Reuters – broke the news that presidential candidate Beto O’Rourke was a long-standing member of the group. That scoop helped propel Menn’s book to become a top-selling cyber security book on Amazon even before it was released. With the book’s release finally here, we’re reprising an interview we did with Joe back in March (episode 138).

The Cult of the Cult of the Dead Cow

In our first segment, Joe and I talk about the origins of CDC in the early days of the Internet in the 1980s and 1990s, through the group’s growth and the release of the Back Orifice hacking tool in the late 1990s.

Joseph Menn is an investigative reporter for Reuters and author of Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.

Joe tells me that the group’s early incarnations were more creative than technical: a loose gathering of computer enthusiasts exchanging ideas, writing and conversation via online bulletin boards. CDC was consistently irreverent and, even more important, fun and funny. Over time, that drew people to the group: more skilled hackers like Josh Buchbinder (“Sir Dystic”), Peiter Zatko (aka “Mudge”) and Christien Rioux (aka “Dildog”). The addition of new, more skilled members drove CDC’s evolution into a more serious hacking group that produced Back Orifice, a remote administration tool for Microsoft Windows that was among the first and most widely used Windows hacking tools.

Solving Infosec’s Pipeline Problem

In our second segment: it’s common knowledge that there are too few information security workers to meet the needs of our domestic economy or – indeed – the global economy, where the shortage of cyber security pros numbers in the millions. Furthermore, among the information security workers who are available to hire, there is an acute lack of diversity. Women make up roughly half the population, but just 20 percent of information security professionals globally. In countries like the U.S., racial and ethnic diversity is also a challenge in the information security space, which can make the field a harder place to work for those already in it.

 Episode 147: Forty Year Old GPS Satellites offer a Warning about securing the Internet of Things | File Type: audio/mpeg | Duration: 22:20

A programming glitch in GPS satellite software grounded planes in China and other countries. But what does it tell us about the security of the Internet of Things? Bill Malik of Trend Micro joins us to discuss.

You’ve no doubt heard about (or lived through) the Y2K crisis. You remember: Y2K was the software “dragon” that lurked just beyond midnight on December 31st 1999, threatening to destroy civilization as date counters rolled over from 99 to 00. Maybe you spent New Year’s Eve in a bunker instead of at a party.

A shot of a rolled-over date counter on a Boeing plane in China in April. (Image courtesy of Simpleflying.com)

But have you been following the Y2019 scare? That went down (quietly) on April 6 of this year, when the Global Positioning System (GPS) rolled over a critical date counter: the 10-bit week number that receivers combine with the satellites’ broadcast orbital data to work out the date and their own position. The rollover left older receivers misinterpreting the satellites’ timing data, grounding Boeing 787 planes in China and causing other disruptions globally.

Disaster averted?

As it turned out, the Y2019 issue wasn’t the disaster some expected. That might be due to the fact that it wasn’t the first time the world had encountered this problem: an identical rollover occurred in August 1999. Also: newer GPS satellites additionally broadcast a much more robust, 13-bit week counter in their modernized navigation messages, which doesn’t wrap for well over a century.

Bill Malik is the Vice President of Infrastructure Strategies at Trend Micro.

But don’t get too comfortable. Our guest this week, William Malik, the Vice President of Infrastructure Strategies with Trend Micro, says that the rollover problem with GPS satellites is a small example of a much more widespread problem. Namely: poorly architected cyber-physical systems. Decisions about architecture made decades ago can have long-term and often unexpected consequences today, he notes. Even worse: poor decision making in the design of connected products today could bite the world on the backside decades hence.

Lurking problems

The big question going forward, says Malik, is what other date counters or similar features are out there ready to roll over, expire or otherwise barf? As we move to the Internet of Things, we are living more and more in a system of systems in which any malfunction can have a cascading effect and cyber-physical consequences. In this conversation with The Security Ledger, Bill and I talk about the recent GPS rollover and the bigger problem of securing operational systems for the long term.

As always, you can check our full conversation in
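The week-number rollover discussed in this episode, as an added worked example (this is not code from Trend Micro, the podcast, or any GPS receiver vendor): the legacy GPS navigation message carries only a 10-bit week count, so a receiver must decide for itself which 1024-week cycle it is living in. The block below models the naive decoder that pins week 0 to January 1980, the usual mitigation (a pivot date such as the firmware build date, which keeps the decoder correct for one full counter period after the pivot), and the 13-bit field in the modernized message. Dates are handled in GPS time with leap seconds ignored, and the pivot dates of 1995 and 2015 are chosen for illustration, not taken from any real product.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # start of GPS week 0 (GPS time; leap seconds ignored here)
LEGACY_WEEK_BITS = 10          # legacy (LNAV) week-number field: wraps every 1024 weeks
MODERN_WEEK_BITS = 13          # modernized (CNAV) week-number field: wraps every 8192 weeks


def full_week(d: date) -> int:
    """True number of weeks elapsed since the GPS epoch (what a receiver wants to know)."""
    return (d - GPS_EPOCH).days // 7


def broadcast_week(week: int, bits: int) -> int:
    """What the satellite actually transmits: only the low `bits` bits of the week count."""
    return week & ((1 << bits) - 1)


def decode_naive(wn: int) -> date:
    """Receiver logic that assumes the counter never wraps: week 0 is always January 1980."""
    return GPS_EPOCH + timedelta(weeks=wn)


def decode_with_pivot(wn: int, pivot: date, bits: int = LEGACY_WEEK_BITS) -> date:
    """Resolve the wrapped week number against a date the receiver knows is in the past.

    `pivot` is typically the firmware build date or the last trusted fix. The result is the
    first date on or after the pivot whose week count has the same low bits as `wn`, so the
    decoder stays correct for one full counter period after the pivot and no longer.
    """
    modulus = 1 << bits
    pivot_week = full_week(pivot)
    candidate = (pivot_week // modulus) * modulus + wn   # same rollover cycle as the pivot
    if candidate < pivot_week:                           # counter already wrapped: next cycle
        candidate += modulus
    return GPS_EPOCH + timedelta(weeks=candidate)


def rollover_demo(true_date: date = date(2019, 4, 7)) -> dict:
    """Run the April 2019 rollover through the decoders; returns ISO dates for inspection."""
    week = full_week(true_date)
    legacy_wn = broadcast_week(week, LEGACY_WEEK_BITS)
    modern_wn = broadcast_week(week, MODERN_WEEK_BITS)
    return {
        "true_week": week,
        "legacy_field": legacy_wn,
        "modern_field": modern_wn,
        # pinned to 1980: hopeless once the counter has wrapped even once
        "naive_legacy": decode_naive(legacy_wn).isoformat(),
        # pivot dates are illustrative; a 1995 pivot can only see one cycle ahead
        "pivot_1995": decode_with_pivot(legacy_wn, date(1995, 1, 1)).isoformat(),
        "pivot_2015": decode_with_pivot(legacy_wn, date(2015, 1, 1)).isoformat(),
        # the 13-bit field has not wrapped yet, so even the naive decoder gets it right
        "naive_modern": decode_naive(modern_wn).isoformat(),
    }


if __name__ == "__main__":
    for key, value in rollover_demo().items():
        print(f"{key:>13}: {value}")
```

Week 2048 (7 April 2019) is broadcast as week 0 in the legacy field. The decoder built around a 1995 pivot resolves that to 22 August 1999, which is the wrong-date behaviour older receivers showed in April 2019; the same logic with a 2015 pivot lands on the correct date. The fix is not the pivot itself but refreshing it with every firmware release, since each pivot buys only 1024 weeks (about 19.6 years) of correct decoding. The 13-bit field postpones the problem rather than removing it: it wraps at week 8192, in 2137.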

 Episode 146: Elections Loom, Political Parties struggle with Cyber Security and Securing Cloud with Aporeto’s Amir Sharif | File Type: audio/mpeg | Duration: 46:46

In this week’s episode, #146: we speak with the researchers behind a new analysis of more than 20 political parties in the US and Europe showing that many suffer from poor cyber security. Also: DevOps methodologies are transforming the way organizations create and consume software. But security technology is stuck in the past. In our second segment, we speak with Amir Sharif of the firm Aporeto*, a provider of identity-based access control for the cloud.

It’s the Cyber Security, Stupid!

There is ample evidence that nations like Russia, China and Iran are interested in inserting themselves into elections in the West as a way to influence the outcome in their favor. Whether or not they will succeed depends, in part, on the cyber security of political parties in the U.S. and Europe. That’s why a new study from the firm SecurityScorecard is reason for concern. The survey of more than 20 political parties in the EU and four major political parties in the U.S. found indicators of poor security hygiene in almost all of them. Those ranged from expired web site certificates to insecure web applications and evidence of malware and botnet infestations. Still – the news wasn’t all bad. To get a better sense of what political parties are getting wrong (and right) we invited two of the study’s authors in to speak with us. Jason Casey is the CTO and Paul Gagliardi is the director of threat intelligence at SecurityScorecard. In this conversation, Paul, Jason and I talk about their survey of political party cyber security hygiene and how weak party cyber security can contribute to disinformation campaigns designed to undermine public faith in the election system.

Cloud is the Future, so why are Security Tools stuck in the Past?

Change is afoot in the enterprise. The embrace of DevOps methodologies is fast replacing monolithic software stacks with more nimble, distributed architectures. At the same time, organizations are swapping out physical data centers and moving workloads to both public and private clouds. But all that change brings with it cyber risk, and security technologies are generally stuck in the past: assuming more static environments with on-premises, physical IT assets. In our second segment, we’re joined by Amir Sharif, the co-founder of the firm Aporeto, which provides identity-based access control for users and applications in hybrid on-premises and cloud environments. In this conversation Amir and I talk about how DevOps and cloud are transforming risk – and security – for enterprises.

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher,
