Saturday, December 26, 2015
The First Annual Cyber Santa!
And it's not just because Tony Robinson featured AlienVault and me. https://blindseeker.com/blahg/?p=668?utm_medium=Social&utm_source=Twitter
This is an amazing way to help turn infosec more positive, by recognizing the folks doing positive things for the infosec community. It is kick ass. Enough said, it's the holidays :)
Wednesday, October 14, 2015
Samy Kamkar presents at InnoTech Austin ISSA Security Summit
I really enjoyed the talk by Samy Kamkar last week at InnoTech Austin, where the ISSA Capital of Texas chapter put on their Security Summit. If you don't know of Samy, he's the security researcher best known for creating the MySpace worm, one of the fastest-spreading pieces of malware of all time. His talk, Covert Attack Vectors, was lighthearted and fun.
Here's one of his slides:
Samy discussed several exploits, some of them done by him as a teenager. The final analysis was that the only way to really protect your privacy might be this approach:
A great crowd was on hand, and everyone seemed to have a great time!
Wednesday, August 26, 2015
Security Practitioners: Eat Your Own Dogfood!
Josh Sokol presented at the Austin OWASP chapter meeting in August. His talk was about how we, as security practitioners, should set a better example for colleagues by applying a security-sensitive thought process in our day-to-day lives.
A recording of his talk is here: https://vimeo.com/channels/owaspaustin
We had a good turnout for the talk, and the audience interaction was great!
Here are some of his key points:
In the Car
- Don’t indulge in bumper stickers that give away too much information. There are a lot of bad guys running around that can use it for evil purposes.
- Don’t leave valuables in your car. It gets the interest of the wrong element.
- Keep an eye on neighborhoods you travel through, and observe when you need to get out of bad neighborhoods.
- Don’t leave your garage door opener in the car. It’s a simple matter for bad guys to get your codes from it and possibly break into your house via the garage.
- Get a car safety hammer, window breaker and seatbelt cutter.
House – think about deterrents
- Have an escape plan in case of an emergency
- Even if you don’t have an alarm system like ADT, be sure to get some of their signs/stickers
- If you have an alarm system, make sure you set up a panic code. That’s a code you use if the bad guy forces you to disable the alarm, and it sends a distress call while appearing to simply disable.
- Get good door locks! Guys like Jgor can get through the cheap ones in 30 seconds.
- Get motion lights
- Get a camera surveillance system. They are cheap now.
- Get a “Beware of Dog” sign, even if you happen to be a cat person.
- Consider getting a device to separate your cable modem from your router, like the PA-200. That way you don’t have to trust your ISP, and you can allow guest access to Wi-Fi in your house without worries.
- Back up the backup of your backups.
- Use WPA2 encryption
- Have a Fireproof Safe
- Have a week’s worth of home rations
- Have a “bug out” bag and location decided
At Work
- Keep your desk clean
- If in doubt, take your computer with you wherever you go
- Shred sensitive documents
- Don’t leave valuables unattended
- Don’t expect police to help you with a stolen cell phone; even if you can track it, they will not help. Get set up for remote wipe instead.
Your Computer
- Check before clicking
- Check to make sure it’s HTTPS
- Know what you’re running
- Cover your camera
- Disable JavaScript
- Use 2-step verification
- Use KeePass – it’s free and open source
- Don’t use a bank debit card – all the liability is on you
- Use one card for in-person transactions; consider a card with a Virtual Account Number
Wednesday, May 27, 2015
Bug Bounty Programs: “Asking for it”
At Austin OWASP, Charles Valentine, VP of Technical Services at Indeed, presented on “Case Study: Key Takeaways from Indeed’s Crowdsourced Security Testing Program.” Here's a recording of his talk: https://vimeo.com/channels/owaspaustin
Indeed, with a slogan of “We help people all over the world hire and get hired”, prides itself on having a secure environment for both job seekers and job providers to interact. They also have a rapid rate of change in their application and data. For these reasons, they’re highly motivated to deal with bugs, especially those related to security, very proactively.
Indeed is careful to avoid “toxic assets” like credit cards: they keep any financial transactions between individuals and banks, storing only a token for credit cards rather than the actual card information. They also acknowledge that with their rate of change, they need a way to find bugs quickly. Charles emphasized what we all know is true: the faster you find a bug, the less it costs to fix.
Of course, it’s possible to hire legions of testers and penetration testers. It’s also possible to crowd-source this testing and enlist bug bounty hunters to find the bugs.
Indeed chose to set up a bug bounty program using Bugcrowd. They pay between $50 and $1500 for each bug that hunters find. So far, they’ve paid for 228 bugs, with an average payment of $162.50. They typically respond within 7 days. They figure using Bugcrowd technology is saving them about 80% of the administrative costs for the program.
Wednesday, March 4, 2015
2015 Social Security Blogger Awards – Who are the Nominees?
If (and only if) you are a security blogger, you can vote HERE. Voting ends March 16. The following judges provided the nominations: Ericka Chickowski, George Hulme, Kelly Jackson-Higgins (Dark Reading), Illena Armstrong (SC Magazine), Eleanor Dallaway (InfoSecurity Magazine) and Rich Mogull.
The most exciting part is that AlienVault has been nominated for Best Corporate Security Blog!
Here are the categories and nominees for each category:
Most Entertaining Security Blog
Graham Cluley
Uncommon Sense Security
krypt3ia Blog
Naked Security Blog
Security Uncorked
Dave Shackleford Blog