Thursday, July 22, 2021

Episode #56 You Got Breached, Congratulations.

You Got Breached, Congratulations. 




You’re NOT a special snowflake
You can’t go round pouting
You don’t need to find anyone to blame
No, the Russians probably didn’t do it
No, I don’t need tagging in the post
Yes, likely you DO need to change some things
No, you probably couldn’t have stopped it
Yes, you could have likely detected it sooner
Yes, you could probably have remediated it faster
No, don’t you DARE blame the users!
No, your annual training for 30 mins isn’t effective (it sucks)
Yes, you can recover from it (hopefully)
No, it won’t kill you JUST yet, wait a few more years though…
More budget? Stop whining and spend what you have wisely
Yes, it means you have to roll up your sleeves
Yes, interns or apprentices can help remediate this
Yes, get off your ass, it got pwned, get over it
No, you’re still NOT a special snowflake.

Congratulations.
You’re JUST like all the other breaches
You can sit down and plan
You should go look in the mirror
You likely did it to yourself, we’ll get to that.
Yes, you can reach out for help and advice
NO, you don’t need to buy everyone’s cyber-crap
NO, everyone’s cyber-crap isn’t going to stop it either
YES, it would be good to know what you actually have
YES, it would be great to know WHERE your data IS
Yep, IF you can track it back, it probably starts on a user’s machine
Yes, ongoing education HELPS (doesn’t fix, but helps)
Yes, you can recover from it (get the basics in order)
Yes, we are working on hacking the chips in humans, fun eh?
Nope, don’t expect more money, so work smarter
Yes, it means you can now get your house in order, good!
Yes, you can probably justify headcount but save $$ and get folk TO train
Yea, it sucks, sorry, but it’s the way of the new world.
And no, you’re not special, you CAN however be a good example.

Get the basics sorted out BEFORE your ass is delivered TO you on a silver platter

* Assets, what do you have?
* Assets, where are they?
* Who’s got access to them, and why?
* What DO they do, what is their purpose?
* What’s on them?
* Which ones do you need to care about?

Got it? Good, now go get a cuppa tea or coffee and go deal with it…. I’m going to go make breakfast.

‘all for now

Chris

All this and more tonight on the Security Shit Show.
10 pm Central, 21:00 mountain  

https://www.youtube.com/watch?v=DrUpbCrXegw

Thursday, July 8, 2021

Episode #55 To Code Scan or Not to Code Scan That is the Question

 

This last year we have seen a huge uptick in attacks leveraging compromised software as the means of getting exploits to the endpoints.



With more and more companies relying on managed services to run their day-to-day operations, understanding the security of the management tools being used and the security practices of those who make the tools is more important than ever.

We have tried for years to close the gap between development, operations and security. That journey has led us to what we now call DevSecOps, or said the long way, Development Security Operations. This has worked to a varying degree but is still not adequate for the increased threat we face.

Just like we preach all the time to focus on the fundamentals, we usually talk about the fundamentals in the context of network, endpoint and organizational risk. Tonight we are going to take a deeper dive into a specific fundamental: development security practices.

How do you develop software that is secure by design? How do you test the software to ensure the least possible chance for a vulnerability to slip through into the release? How do you ensure the security of your code base? And do not get me started on the use of third-party code pulled from GitHub without understanding what it does beyond the narrow need for a handful of functions. How do you control and manage in a way that is non-disruptive to the business, innovation and development velocity?

Is there a way to simplify securing code and ultimately the products that use that code to function?

All this and more tonight on the Security Shit Show with Chris Roberts, Evan Francen and myself

10 pm central, 9pm mountain time

https://www.youtube.com/watch?v=xrV3Vn4gacw



Thursday, June 10, 2021

Episode #51 Honey! The Neighbors are Watching us Again!

In years gone past we could at least spot the neighbors as they tried to hide behind the shrubs in the garden, the curtains in the house, or ducked down below the fence line that separated each of our little slices of the American Dream....




These days however things are a little more subtle (if the neighbors have been paying attention to the InfoSec world for more than 5 minutes...)

Long gone are the days of just borrowing the neighbors’ wireless to launch an attack against the NSA through their cable provider (although it IS fun to see the black Suburban roll up occasionally to their doorstep when you’re feeling mischievous..)

Today’s targets for neighborhood “watching” vary across an entire spectrum of fun and games...

I still feel slightly guilty about the 50-gallon barrel of lube my neighbors have, but “Hey Siri...” we just have to have some fun....

I DO enjoy making their microwave go off in the middle of the night, although they have replaced it a few times now, and the electrician doesn’t use Google Maps anymore to find them... amazing just how far away those WEMO plugs can be controlled from.

Now, thankfully Xfinity allows themselves to provide “free” WiFi to anyone with account credentials, so it IS still possible to get directly TO their router (you’d think folks would update the things.... but no) and given I’ve got around 1,335,000 Xfinity account ID/Passwords I’m set for a LONG time before I must leave my own fingerprints...

Oh, speaking of fingerprints, confession time... one of the neighbors has a RING doorbell, oh how we laughed when we changed out the screws during install and just last week got the doorbell to short circuit and burn ½ the place down... shame the fire alarms didn’t work, someone should REALLY unblock NEST’s fire alarms from the firewall and allow them to do their job... The video of the owners yelling “Hey Google FFS call the fire brigade” will be posted on YouTube later (thanks Arlo for the default account credentials...)

Oh, while we’re on the subject of the recently deceased, I guess playing Poltergeist on the other neighbors’ Roku device and having it display on all their nice Samsung IoT-enabled TVs is probably a mean thing to do... although it does make for entertainment as we might have also hooked up their Philips Hue to pulse at the same frequency as the TV... I guess that’s why they seem a little nervous these days.

Oh, and we won’t mention the fun we had with the Tesla and some bright spark in the neighborhood thinking they could geofence the car into opening/closing the garage as they came home... Watching the garage door rapidly open and close AS the car tried to get in watching Grandma eat dinner with her falsies...

Speaking of that, I need to go mess with dear old Grandma’s IoT toothbrush, I think tonight we’ll set it for “killer mode” and see if it can chase her round the bathroom again...

We haven’t even gotten to the fun part watching the cute couple across the road react as their adult toys came to life in the middle of a webinar and started to inch across the desk... now THAT was fun to record… got to LOVE Bluetooth enabled things.

You get the idea; the neighborhood is SO much more fun these days....

Join us tonight as we talk through the evolution of the nosey neighbor :)

10 pm Central 2100 mountain time 

https://www.youtube.com/watch?v=TbT1DknqRw4

Tuesday, May 25, 2021

Episode #49 Sorry to Disturb You...

 

Sorry to Disturb You...

·      But your front door’s open...

·      Your flies are undone...

·      I found your kid wandering on the street...

·      But I think you dropped your wallet...

All things many of us have said, done, acted upon OR been the recipient of over our years, and all of them taken in the spirit of the manner delivered, graciously, often with relief and a huge thanks to whomever delivered the news.

HOWEVER, in the digital realm...

·      I do say, you appear to have an open port on the Internet...

·      Um, your application has a hole in it...

·      We found your data lost and confused....

·      I think you might have a hole in your cloud...

SOME of us have tried to have these conversations with companies, individuals, and entities out in the digital realm and have been met with a variety of responses ranging from thanks AND relief, to accusation, lawyers, silence, or the Feds arriving on the doorstep etc.

Somehow, in the physical realm when we point out your mistakes, flaws and general numptiness you are happy to receive the feedback, yet in the digital realm when we do the same it’s as if we called your baby “robust with a face only a mother could love.”

What gives? How DO we give you YOUR data BACK in the digital realm without all this grief?

I mean, it’s NOT as if you realized it was gone, OR that chocolate fireguard you were sold would have slowed us down anyhow IF we did want it!

Things to ponder on and discuss this coming Thursday on the Shit Show with Evan, Ryan, and Chris

‘all for now

Chris

Thursday, May 20, 2021

Episode #48 - Jeopardy v2 (and other interesting things... Attempt #2)

 

Well, we are going to try this again. Episode #47 went a different direction, so tonight we are going to try Jeopardy again.

It's time to play some Security Shit Show Jeopardy again. Hell yeah!

I will be your host Ryan Trebek 

One game, one Cham Peon. Like v1, we'll pick three contestants from our live audience to play our version of Jeopardy. Winner gets some bragging rights and a Security Shit Show T-shirt (that I'll forget to send you).

YOU THINK YOU'VE GOT WHAT IT TAKES?! 
COME PROVE IT!

After the game, I want to talk to the guys about a beef I've got. We'll have time for this too.

In prepping for the v2 Security Shit Show Jeopardy game, I got to thinking about some of the classic SNL Jeopardy skits. Remember some of these lines?

 - Category: A PETIT DEJEUNER, Turd Ferguson "why don't you give me ape tit for $200."


 - Category: CATCH THESE MEN, Sean Connery "I'll take catch the semen for $800."

 - Category: JAPAN US RELATIONS, Sean Connery "I'll take Jap Anus relations for $200."


 - Category: LET IT SNOW, Sean Connery "I'll take le tits now for $800."

 - Category: AN ALBUM COVER, Sean Connery "I'll take anal bum cover for $7,000."

And the list goes on. Some funny shit. These won't be our categories tonight, DAMMIT!

After we crown our new Security Shit Show Jeopardy Cham Peon, we'll use the time we got left to talk about this quote I read recently:

"55% of C-Suites respondents had viewed data breaches as 'not a big deal' and 'blown out of proportion' with an overwhelming 86% of consumers believing that data breaches are in fact 'a big deal'."

Or, maybe we'll talk about this new Presidential Executive Order that just came out yesterday. No shortage of shit going on around this industry, is there?!

This will be another fun Shit Show!

-Ryan

Thursday, May 13, 2021

Episode #47 - Jeopardy v2 (and other interesting things...)

It's time to play some Security Shit Show Jeopardy again. Hell yeah!

One game, one Cham Peon. Like v1, we'll pick three contestants from our live audience to play our version of Jeopardy. Winner gets some bragging rights and a Security Shit Show T-shirt (that I'll forget to send you).

YOU THINK YOU'VE GOT WHAT IT TAKES?! 
COME PROVE IT!

After the game, I want to talk to the guys about a beef I've got. We'll have time for this too.

In prepping for the v2 Security Shit Show Jeopardy game, I got to thinking about some of the classic SNL Jeopardy skits. Remember some of these lines?

 - Category: A PETIT DEJEUNER, Turd Ferguson "why don't you give me ape tit for $200."


 - Category: CATCH THESE MEN, Sean Connery "I'll take catch the semen for $800."

 - Category: JAPAN US RELATIONS, Sean Connery "I'll take Jap Anus relations for $200."


 - Category: LET IT SNOW, Sean Connery "I'll take le tits now for $800."

 - Category: AN ALBUM COVER, Sean Connery "I'll take anal bum cover for $7,000."

And the list goes on. Some funny shit. These won't be our categories tonight, DAMMIT!

After we crown our new Security Shit Show Jeopardy Cham Peon, we'll use the time we got left to talk about this quote I read recently:

"55% of C-Suites respondents had viewed data breaches as 'not a big deal' and 'blown out of proportion' with an overwhelming 86% of consumers believing that data breaches are in fact 'a big deal'."

Or, maybe we'll talk about this new Presidential Executive Order that just came out yesterday. No shortage of shit going on around this industry, is there?!

This will be another fun Shit Show!

-Evan

Thursday, May 6, 2021

Episode #46 Lawnmower Man





My Retirement Plan:



Is to head to New Zealand

Somewhere nice and remote

With good power (Wind farm, etc.)

Good internet (Wire and Satellite)



AND a nice AS/400 to live in

If I have my way, and I think we’ll get there before I go too much more senile given the work being done on untangling some of the inner workings of the brain, I should be at a point where not only can my current intelligent system recognize when I want a cuppa tea, but it can also figure out why.

As I’m helping TO push the boundaries of integration, I’ve every confidence that a digital version of me will be coursing around the Interwebs before I’m pushing up daisies. Which brings a WHOLE heap of questions.

What makes us human?

Are we just quarks and binding energy?

Is there really something else to this?

Can we be broken down into pulses?

Where are the limits? (if any)

So, for now, I’m going to hang out in my AS/400 and watch things unfold AND if it looks really dodgy I’m going to work out a way to simply fire my digital self into space as a set of waves and see what the hell happens…

Lawnmower man, here we come!


Join Evan Francen, Ryan Cloutier, CISSP, Rachel Arnold and me this evening on the #shitshow to discuss.

‘all for now

Chris
#power #energy #hacker #technology #infosec #ai