PVCSec 74: Eye of the Champions

On this episode of PVCSec, Ed & Paul talk about why we make security difficult, attack attribution, mobile access, Tactical Edge, and more!

Dear Friends,

Welcome to episode 74 of the PVC Security Podcast. This week, Paul duets with the Silver Fox himself, Ed Rojas. The rest of the cast are off on adventures, we presume.

Show Notes

Making InfoSec Hard

https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/

  1. Password complexity rules still suck (for your own good, allegedly)

  2. Sites are still breaking password managers (making it hard for people to do good)

  3. HTTPS remains hard (except it’s not)

  4. Crazy password advice (and censoring critics)

  5. Security is often mixed, crazy messaging (and uncoordinated, too)

  6. Because security is just pointless (not really)

Paul’s story: A large international corporation I know does the typical phishing testing in their organization. Quarter after quarter the number of employees who were tricked into clicking on the testing email links fell, showing the program was working.

All of a sudden the number shoots up. No one can explain it, but the numbers start dropping again.

Then it shoots back up again.

Baffled, the security VP sent the team to interview the employees who clicked on the fake email links. All reported back the same thing: there were mass emails sent to employees from HR and benefits outsourcers right before the phishing emails went out. The outsourcers used their own URLs, not the corporation’s URLs, in their emails.

Oh, and the phishing emails looked MORE professional than the legitimate ones.

Does Attack Attribution Matter?

http://www.darkreading.com/threat-intelligence/the-attribution-question-does-it-matter-who-attacked-you/d/d-id/1326103

http://www.darkreading.com/analytics/improving-attribution-and-malware-identification-with-machine-learning/d/d-id/1326321

http://www.tripwire.com/state-of-security/security-awareness/events/how-to-rob-a-bank-or-the-swift-and-easy-way-to-grow-your-online-savings/

Paul’s take: NO! Unless you’re a security researcher, it’s not actionable data!

Wifi on the Road

http://www.zdnet.com/article/free-wi-fi-connections-put-business-travellers-at-risk-kaspersky/#ftag=RSSbaffb68

http://www.tripwire.com/state-of-security/security-awareness/finding-using-and-staying-safe-on-public-free-wi-fi/

http://www.darkreading.com/endpoint/5-tips-for-staying-cyber-secure-on-your-summer-vacation/d/d-id/1325930

http://www.darkreading.com/endpoint/staying-cyber-safe-at-the-olympics/d/d-id/1326278

https://heimdalsecurity.com/blog/cyber-security-travelers/

http://www.welivesecurity.com/2016/07/14/comic-con-travel-safety-privacy-guide/

http://www.welivesecurity.com/2016/07/07/types-vpn-networks-work-know-kind-use/

Songs:

Eye of the Tiger by Survivor

We are the Champions by Queen