Summary: Show Notes: http://pauldotcom.com/wiki/index.php/Episode301 Answers to Allison's Puzzle Contest, Paul's Stories: 100,000 Vulnerabilities - Security vulnerabilities measured in numbers is sometimes a scary thing. At some level there you can prove strength or weakness in numbers. If you count vulnerabilities, for better or worse, how are you qualifying them? Severity? Exploitability? Ubiquity? All those things, and more, can impact your view on the matter, in fact it can make it matter, or not. The point being, try not to play the numbers game. There is a "shit ton" of vulnerabilities out there, and what we do to prevent them from happening in the first place and how we deal with them in the real world is what matters. Schneier on Security: CSOs/CISOs Wanted: Cloud Security Questions - This is one topic which we did not debate, that is the cloud. I think, like security vs. obscurity, its a simple solution on the surface. For example, if you care about your data, don't store it in the cloud. Similarly, if you care about the security of anything, don't just obscure it, secure it. Wow, that sounds even cheesier than I thought. Secret account in mission-critical router opens power plants to tampering | Ars Technica - This speaks to the continued lack of awareness in device manufacturers when it comes to security. I'm baffled that they have not solved the problem. The common problems they have, such as easily exploitable vulnerabilities, are easy to fix. It requires two things: Awarenesss training for developers and QA (ala Rugged/DevOps) and regular security assessments. In the grand scheme of things, it doesn't cost all that much. In the end, you produce a better product. Hopefully the market has changed, and customers value security as one component of a great product. Or maybe I live in a dream world... The Social-Engineer Toolkit (SET) v3.7 Street Cred has been released. « - Java 0-Day is in SET. Coupled with the other Java payloads, this ensures your phishing success. On the defense side, I disagree with everyone saying "Disable Java" or "Disable Flash". There is going to be users that require this technology. Those are the users we will target. Sure, it reduces your attack surface, and that does help. But I believe what people miss the boat is just how deep "security" needs to go. Its more than layers. Its more than awareness and technology. Its about doing all sorts of things to keep your organization resilient to attacks, and having a plan to deal with successful attacks and minimize damage. Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords « Thireus' Bl0g - Nice crack...ing. BYOD creates generation of workaholics - Saying that BYOD adds 20 hours to your work week is ridiculous. How much work can you really get done on your smartphone? If your spending that much time in email or some such thing, you need to re-evaluate your strategy. Devices and technology should make you more productive or your doing it wrong. However, it does increase the threat landscape.
