
DtSR Episode 140 - Ethics of Hacking Live from AtlSecCon 2015
04/27/15 • 38 min
In this episode...
- What about public safety, where do we draw the line on open research?
- Self-regulation? Disclosure? What are our options...
- What makes a researcher? We discuss
- “Chilling security research”
- A quick dive into bug bounty programs; do they help?
- Ethics vs. moral compass ...we discuss
- Hacker movies, and what they’re doing for our profession
Guests
- Keren Elezari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank, founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren covers emerging security technologies and trends as a security industry analyst with GIGAOM research, a leading independent media hub. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious international annual TED conference. Keren’s TED talk has been viewed by 1.2 million people, translated to more than 20 languages and selected for TED’s list of ‘Most Powerful Ideas in 2014’ and for Inc.com’s list of ‘Top TED Talks of 2014’.
- Kellman Meghu ( @kellman ) - heads up a team of Security Architects for CheckPoint Software Technologies Inc., the worldwide leader in securing the Internet. His background includes almost 20 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISP's in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. Kellman has delivered security talks in private corporate focused events, at school internet safety classes for students and teachers, as well as public events such as, SecureWorld Seattle, The Check Point Experience, Bsides St. Johns, Bsides San Francisco, Bsides Iowa, Bsides Detroit, Secure360, Trilateral Conference, and Sector lunch keynote for 2014. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio stati
>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Previous Episode

DtSR Episode 139 - NewsCast for April 20th, 2015
In this episode...
- Friend and security researcher Chris Roberts steps into it...
- A poorly-conceived tweet, followed by mass hysteria
- Most everyone talking about this is missing the point entirely
- Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
- http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
- The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Corporate threat intelligence teams opting to go anonymous?
- New company, making intelligence sharing work, anonymously?
- Many questions on whether anonymity is workable in the intelligence space
- https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Target settles with Mastercard for $19M USD
- Mastercard trying to settle this out, as alternative payout option for victims (this time the issuers, not card holders)
- http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_million/
- The looming security threat no one is talking about
- We're talking about it!
- Windows 2003 is going out of service... after 12 yrs?
- Final deadline is July 14th
- Panic? Compensating security controls?
- http://www.healthcaredive.com/news/himss15-the-looming-it-security-threat-that-no-one-is-talking-about/386754/
- HTTP "ping of death" coming to a Windows IIS web-server near you
- Patch now... people are actively exploiting this flaw to knock over web servers
- Quick turn-around from "patch released" to "patch reverse-engineered to attack IIS servers"
- http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
- JPMC algorithm knows you're an insider threat, before you do
- Fascinating, applies to the financial world
- Uses behavioral indicators
- http://www.bl
Next Episode

DtSR Episode 141 - NewsCast for May 4th, 2015
In this episode...
- A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
- The study only looked at mobile apps and app developers
- Less than half (of their study) test the mobile apps they build
- About 33% never test their apps
- http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- Illinois Bill SB1833 expands the definition of PII to include almost everything
- Requires notification in the event of a breach of...
- Online browsing history, online search history, or purchasing history
- Is this absurd, or just protecting our privacy?
- http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- The DOJ has jumped in and issued some sound fundamental breach guidance!
- 4 sections: what to do before, during and after a breach plus what NOT to do after a breach
- Fantastic fundamentals... great idea
- The push to fundamentals is critical!
- http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
- http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
- Mozilla is phasing out non-secure HTTP
- HTTPS only is the way forward, so Mozilla (champions of liberty and all that) are leading the way
- https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
- First foreign hacker is convicted in the US
- Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies
- He pleaded guilty in September 2014; maximum of a 5-year prison sentence
- http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/