Episode332

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 332 for Thursday May 16th, 2013

  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • Come to Security BSides Rhode Island Two-Day Conference on June 14th and 15th tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright , Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray,Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Mr. Brian Snow

Episode Media

Listen to the Audio Version of This Interview

A mathematician and computer scientist, Brian taught mathematics and helped lay the groundwork for a computer science department at Ohio University in the late 1960s. He joined the National Security Agency in 1971, where he became a cryptologic designer and security systems architect.

Brian spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. He created and managed NSA’s Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity.

Brian retired in 2006 and is now a Security Consultant and Ethics Advisor.

  1. How did you get your start in information security?
  2. Given limited resources, which deserves the most focus for protection against attacks: commercial stores satisfying shoppers, infrastructure elements (gas, electricity, water, transportation, etc.), or the fiscal sector (banks, stock markets, etc.)?
    1. PDF of the testimony of O. Sami Saydjari mentioned by Brian in this section
  3. "Risk" has become a religion to some in the InfoSec community; many apply a balanced and pragmatic approach, but many seem to become statisticians instead of defenders. You've ruffled some feathers in the risk metrics crowd over this in the past. I would like to explore this with you a little, possibly discussing where risk analysis is valuable and where you see it coming up short.
  4. What is the current state of computer engineering talent in the US that can provide support for national security? What can we do to better develop this talent in the US?
  5. Encryption Questions
    1. What is the lifetime of an encryption algorithm? Does it have a defined lifetime before you must work on an update or something completely different?
    2. We are not crypto or mathematics specialists, but the implications you've raised about quantum computing don't require a deep understanding of crypto to grasp: a pending loss of confidentiality is looming somewhere in the future, undoubtedly within the careers of some of our younger listeners (and possibly some not-so-young listeners).
    3. Your ideas on assurance, starting with defining what that means, and the implications of a lack of assurance in the modern landscape. You've written and spoken about this for years; do you see any progress in this?
    4. We often call people out for trying to create their own encryption algorithms. What are the major hurdles when creating such an algorithm?
    5. What do most people get wrong when it comes to implementation and encryption? It seems as though the math works, but someone always manages to mess up implementation.
  6. Trust, you've spoken very clearly about the pitfalls of applying human concepts of trust to the realities of digital "trust". Could you elaborate on that a little for us?
  7. In a recent Keynote you outlined some major problems facing the security industry and described the "bare minimum" approach to software design. However, how can companies sufficiently compete with each other and differentiate themselves from their competitors, with simple or stripped down designs? More importantly, how do we convince consumers of that approach?
  8. If one of the answers to better cybersecurity is regulation, how can we ensure Mutual Suspicion/ Checks and Balances? How can we ensure regulations are agile when regulations are designed to be enduring and historically difficult to update?
  9. Tell us about the “Cyber Manhattan Project" effort.
  10. Why is it necessary for a secure system to consider Malicious intent in its design? Does Malice matter if a system is engineered well against failures or disruptions?

Tech Segment: Tim Conway

Tim is the Technical Director of the Industrial Control Systems and SCADA programs at SANS, where he is responsible for developing, reviewing, and implementing technical components of the ICS and SCADA product offerings. Tim was formerly the Director of Compliance and Operations Technology at the Northern Indiana Public Service Company (NIPSCO).


  1. Allison: If hacking industrial control systems is so easy, why are internet trolls not causing rolling blackouts and destruction of dams, etc?
  2. Greg: What is the general sentiment of the ICS industry regarding security - is the industry embracing security? Is proper air gapping sufficient to help? Is inadequate funding the issue?
  3. As a general statement in the US, where does the budget for ICS security come from? Public, private, federal or local?
  4. Tell us about the Securing The Human Utility Training initiative.
  5. Are some "malfunctions" being blamed on equipment, overloading or other failures that you suspect were actually successful exploits?
  6. Does the industry view the prodding of initiatives like SHODAN or Project Basecamp as providing value or just plain antagonistic?
  7. Intern Rob: With Fortune 500 vendors trying to play in this space (see http://www.ambientcorp.com/partners/ ), it seems ROI and providing turnkey solutions are more important than security to them. This is even more apparent when I did a Shodan scan of 'EV-DO' and '3g' and found 5000+ exposed devices. What do you recommend to combat this?


Upcoming SANS ICS Events:


For More Information:


Announcement

  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May! (Actually, it is, so sign up for SANSFIRE next month and NS2013 in Vegas!)

Stories

Paul's Stories

  1. Catching hackers with virtual industrial plants - This is an excellent usage of a honeypot. It's a SCADA honeypot, simulating a Siemens device. I worry that attackers will figure this out quick and identify it, then destroy it. Though these are cool to see how attackers are exploiting the systems, maybe even catch a few 0days while you're at it.
  2. PentesterLab.com – Exercises To Learn Penetration Testing - Free training is great, and we get lots of people asking for these types of tutorials. Not sure about this one, but check it out and let us know what you think.
  3. Bluetooth-Controlled Door Lock - "I'm not saying that you shouldn't use this lock, only that you understand that new technology brings new security risks, and electronic technology brings new kinds of security risks. Security is a trade-off, and the trade-off is particularly stark in this case." Well put, Bruce. And another good point he makes is that a security vulnerability in the locks affects ALL the locks. Universal Bluetooth key anyone?
  4. Lulzsec Noble Hackers? Opinion: No
  5. Which browser is safest? The answer may surprise you
  6. Five Things Every Organization Should Know about Detecting And

Larry’s Stories

  1. This might be useful - [Larry] - Deploy and execute a metasploit payload with SSH creds…
  2. ICS Honeypot - [Larry] - If we can honeypot everything else, why not a PLC and some Industrial Control Systems? I wonder where this fits into ICS security strategies; I think the answer is that they should figure out the rest, and why it is connected to the internet, maybe with poor security to begin with.
  3. US Govt is a hacker - [Larry] - Well, they must be, as they buy the most "grey market" hacker tools…
  4. Twitter e-mail verification - [Larry] - on your password reset, which can then be used to start resetting the password, in combination with your username and phone number…
  5. Fun SDR hacks - [Larry] - Well, we can track airplanes with ADS-B and a cheap SDR; now we can also do the same for ships with AIS.

Jack’s Stories

  1. Uplifting Study Confirms Sexiness of Beards, General Magnificence of Men Who Wear Them - That about says it all.
  2. Skype with care – Microsoft is reading everything you write - at least according to this article from heise Security.
  3. Exploit Sales: The New Disclosure Debate - an interesting take on the evolution of the "disclosure" debate.
  4. A Saudi Arabia Telecom's Surveillance Pitch - hopefully everyone has already read Moxie's latest post; typical eloquence and enlightenment from Moxie. And I have some possibly argumentative comments about it.

Allison's Stories

Patrick's Stories