The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

Tonight, Martin, Joseph, Steve, and Andy got together and went over how their 2015 predictions went, and laid out what their predictions were for 2016.

The gang is on break from now until the new year, happy holidays!

Direct download: SFS_Podcast_Ep_-_171.mp3
Category:podcasts -- posted at: 9:45pm EDT

Check for signs of the apocalypse, everyone was here tonight...

Comcast resets nearly 200,000 passwords

In the era of GPS, Naval Academy revives celestial navigation

How Carders Can Use eBay as a Virtual ATM

What Flu Season Can Teach Us About Fighting Cyberattacks

Find us on Twitter:
@SFSPodcast
@jsokoly
@steveD3
@armorguy
@jetsetyvette

Direct download: SFS_Podcast_Ep_-_170.mp3
Category:podcasts -- posted at: 10:59pm EDT

This week, Andy's back!

The FitBit "hack"

The FBI's Advice on Ransomware? Just Pay The Ransom

Find us on Twitter:
@SFSPodcast
@jsokoly
@steveD3

Direct download: SFS_Podcast_Ep_-_169.mp3
Category:podcasts -- posted at: 9:27pm EDT

Dale Myers - 1Password Leaks Your Data

AgileBits - When a Leak Isn't a Leak

Jessy on Twitter
Joseph on Twitter
Steve on Twitter

Direct download: SFS_Microcast_-_Interview_With_1Password.mp3
Category:microcasts -- posted at: 8:55pm EDT

Tonight, Steve and Joseph talked password managers and consumer reports for cybersecurity.

LogMeIn now owns LastPass

Troy Hunt's article on switching from LastPass

Websites, Please Stop Blocking Password Managers. It's 2015

Mudge's Consumer Cyber Reports

Find us on Twitter:
@SFSPodcast
@jsokoly
@steveD3

Direct download: SFS_Podcast_Ep_-_168.mp3
Category:podcasts -- posted at: 10:27pm EDT

This week, Joseph and Guillaume Ross talked content blockers, phishing consequences, and home network monitoring.

Back to Work Episode 239

Accidental Tech Podcast Episode 136

FireEye: Forbes.com served malicious ads to visitors | CSO Online

Ad Blocking, Ad Networks, & Your IP Address

DHS infosec chief: We should pull clearance of feds who fail phish test | Ars Technica

Cujo Is a Smart-Home Device That Protects Against Hacks | Digital Trends

Find us on Twitter:
@SFSPodcast
@jsokoly
@gepeto42

Direct download: SFS_Podcast_Ep_-_167.mp3
Category:podcasts -- posted at: 10:52am EDT

This week Martin and Joseph sat down and talked about stress, burnout, and why Martin took a break for a while. 

Direct download: SFS_Podcast_Ep_-_166.mp3
Category:podcasts -- posted at: 10:40pm EDT

Tweet from Ed Willson

Chrome and Firefox dump Flash

Netflix dumps antivirus

Windows 10:
Even When Told Not To, Windows 10 Can't Stop Talking to Microsoft
Even the pirates are nervous about Windows 10
Timcast - Windows 10 is spying on you and it's super creepy

Where you can find us:
@SFSPodcast
@jsokoly
@steved3

Direct download: SFS_Podcast_-_Ep_165.mp3
Category:podcasts -- posted at: 9:48pm EDT

This week's show notes:

Vegas:
BlackHat Day 1
Car Hacking
BlackHat Day 2
Defcon Roundup
@sawaba's BSides Talk
Washington Post's Article on l0pht

Oracle's CSO makes a questionable publishing decision

Where you can find us:
@SFSPodcast
@jsokoly
@steved3

Direct download: SFS_Podcast_-_Ep_164.mp3
Category:podcasts -- posted at: 9:51pm EDT

No full episode this week thanks to Security Summer Camp, but Martin got to sit down and chat with good friend of the podcast Wendy Nather. 

We'll be back soon!

Direct download: SFS_Podcast_Interview_With_Wendy.mp3
Category:podcasts -- posted at: 10:47pm EDT

Life is Short. For some it may get shorter?

Archuleta is out at OPM: Who didn't see that one coming?

If you look for breaches, you might find them.

Darkode Shutdown: Former FireEye Intern Accused Of Creating $65,000 Android Malware - Forbes 

BREAKING: UCLA Health breach hits data of 4.5M - Modern Healthcare

Direct download: SFS_Podcast_-_Ep_163.mp3
Category:podcasts -- posted at: 12:38am EDT

Tonight, Joseph and Steve tackled the Hacking Team breach: why it's interesting, what's happening, and some of the data that's come out so far. 
 
 

 

 
Find us on Twitter:
Direct download: SFS_Podcast_-_Ep_162.mp3
Category:podcasts -- posted at: 9:56pm EDT

This episode, the gang was joined by Chris Burton (@cyberhiker) to talk about the OPM breach.

OPM - The Breach that Keeps on Giving:

Second OPM Hack Exposed Information About Military, Intelligence Workers - Defense One
http://www.defenseone.com/technology/2015/06/second-opm-hack-compromised-information-military-intelligence-workers/115213/

Report: Hack of government employee records discovered by product demo | Ars Technica
http://arstechnica.com/security/2015/06/report-hack-of-government-employee-records-discovered-by-product-demo/

Carnal0wnage Attack Research Blog: Hard to Sprint When You Have Two Broken Legs
http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html

Data hacked from U.S. government dates back to 1985: U.S. official | Reuters
http://www.reuters.com/article/2015/06/06/us-cybersecurity-usa-idUSKBN0OL1V320150606?irpc=932

Brief: 4 million federal employees affected by data breach at OPM | CSO Online
http://www.csoonline.com/article/2931560/data-breach/brief-4-million-federal-employees-affected-by-data-breach-at-opm.html

Find us on Twitter:

@SFSPodcast
@jsokoly
@JetSetYvette
@cyberhiker

 

Direct download: SFS_Podcast_-_Ep_161.mp3
Category:podcasts -- posted at: 8:54am EDT

The show notes for this episode have some screenshots, see the website for the full notes:

http://www.southernfriedsecurity.com/apple-and-privacy-with-guillaume-ross/ 

Find us on Twitter: 
@SFSPodcast 
@jsokoly 
@gepeto42

Direct download: Apple_and_Privacy_with_Guillaume_Ross.mp3
Category:podcasts -- posted at: 12:07pm EDT

This week Steve and Joseph were joined by a guest from America's hat: Guillaume Ross. 

 

The IRS and PII as verification:

Security checks that rely on PII put businesses and consumers at risk | CSO Online http://www.csoonline.com/article/2927652/data-protection/security-checks-that-rely-on-pii-put-businesses-and-consumers-at-risk.html

If you're not paying for the service, you're probably the product:
Adios, Hola! - Why you should immediately uninstall Hola http://adios-hola.org/

 

Hola VPN client vulnerabilities put millions of users at risk | CSO Online

http://www.csoonline.com/article/2928817/vulnerabilities/hola-vpn-client-vulnerabilities-put-millions-of-users-at-risk.html

 

Facebook Uses PGP

Official announcement:

https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302

https://threatpost.com/facebook-bolsters-message-security-adds-openpgp/113079

 

Find us on Twitter:

@SFSPodcast

@jsokoly

@SteveD3
@gepeto42

Direct download: SFS_Podcast_-_Ep_160.mp3
Category:podcasts -- posted at: 7:00am EDT

Joseph and Steve were joined by a special guest tonight, Mr. Kevin Riggins. They tackled mafia-style shakedowns, vulnerabilities in medical equipment, and “stunt hacking.”

 

"Breach" Extortion:

http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/index.html

 

ICS-CERT issues advisory for medical equipment for the first time:

https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01A

http://hextechsecurity.com/?p=123

 

"Stunt Hacking":

http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/

http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

http://idoneous-security.blogspot.com/2015/05/lessons-in-grown-up-security.html

http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html

 

Find us on Twitter:

@SFSPodcast

@jsokoly

@SteveD3
@kriggins

 

Direct download: SFS_Podcast_-_Ep_159.mp3
Category:podcasts -- posted at: 9:14pm EDT

This week, Joseph and Steve talked about what these "six hacker tribes" are, and the recent rise of some accountability in security in both the government and the private sector.

"The Six Hacker Tribes"
http://www.telegraph.co.uk/technology/internet-security/11568376/Unmasked-the-six-hacker-tribes-you-need-to-watch-out-for.html

“Accountability in Security” on multiple fronts:
http://www.forbes.com/sites/davelewis/2015/04/29/notes-from-rsa-accountability-in-security/

http://www.csoonline.com/article/2916649/disaster-recovery/fireeye-customers-get-liability-shield-thanks-to-safety-act.html

And if you have any feedback, questions, or comments, find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Ep_158.mp3
Category:podcasts -- posted at: 9:32pm EDT

The gang is back with some cast changes. Martin will be taking a break for a while, so Joseph will be hosting for the next while.

This week, we talked Wordpress, Steve's experiences at RSAC, and this year's DBIR:

Wordpress:
http://www.csoonline.com/article/2915142/vulnerabilities/wordpress-promises-patch-for-zero-day-within-hours.html 

RSAC:
RSAC 2015: RSA Conference (Day 1): http://www.csoonline.com/article/2910943/security-industry/rsac-2015-rsa-conference-day-1.html

RSAC 2015: RSA Conference (Day 2): http://www.csoonline.com/article/2912475/security-awareness/rsac-2015-rsa-conference-day-2.html 

RSAC 2015: RSA Conference (Day 3): http://www.csoonline.com/article/2912411/data-protection/rsac-2015-rsa-conference-day-3.html

Defcon/BH Attendance: http://venturebeat.com/2014/08/12/black-hat-and-defcon-see-record-attendance-and-thats-not-even-counting-the-spies/

The DBIR:
http://www.verizonenterprise.com/DBIR/2015/

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Ep_157.mp3
Category:podcasts -- posted at: 9:51am EDT

It's going to be a little bit before the next episode of the podcast as we work out some changes.  Until then take a listen to some news about BSides Las Vegas Proving Grounds!  See you in Vegas!

Direct download: SFS_Podcast_-_Proving_Grounds.mp3
Category:microcasts -- posted at: 7:01pm EDT

Episode 156 - Sad Panda Martin, Steve, and Joseph got on tonight to talk about clickbait-that-wasn't, AV eating itself, and 6 ways the Sony breach didn't actually change everything. A great slideshow article from friend of the podcast Michael Santarcangelo http://www.csoonline.com/article/2895341/security-leadership/8-steps-successful-security-leaders-follow-to-drive-improvement.html A bad, bad day for Panda AV http://www.infosecurity-magazine.com/news/panda-labs-detects-itself-as/ http://redd.it/2yofpo "6 Ways The Sony Hack Changes Everything" http://www.darkreading.com/risk/6-ways-the-sony-hack-changes-everything-/a/d-id/1319415 And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_156.mp3
Category:podcasts -- posted at: 8:28pm EDT

The Show Notes

 

Opening Music

 

BSides Atlanta

  • SFS Podcast is a sponsor

  • Martin is presenting “The Art of Speaking with Muggles”

  • Sold out but sponsors have tix they are handing out. Also Eventbrite courtesy.

 

Stories:

 

It’s hard to find infosec folks…

http://www.csoonline.com/article/2894377/infosec-staffing/shortage-of-security-pros-worsens.html

 

http://www.zdnet.com/article/how-infosec-hiring-lost-its-way-harsh-findings-in-leviathan-report/

 

The number of things wrong with the editorial are immense…  We read it so you don’t have to….

http://www.darkreading.com/application-security/which-apps-should-you-secure-first--wrong-question/a/d-id/1319355

 

Anthem declines post-breach audit from regulators…

https://threatpost.com/anthem-refusing-oig-security-audit-following-breach/111476



Twitter: @SFSPodcast

www.SouthernFriedSecurity.com

Direct download: SFS_Podcast_-_Episode_155.mp3
Category:podcasts -- posted at: 8:48pm EDT

 Martin & Steve get a change to talk to Rob Fuller (@mubix) about his ideas on Open Source Architecture.  It's a great conversation where you can see the idea grow in front of your own ears!

 

The link to the Open Source Architecture group is:

 

https://groups.google.com/forum/#!forum/ossag

 

Remember BSidesATL and BSidesLV!

Direct download: SFS_Podcast_-_Episode_154.mp3
Category:podcasts -- posted at: 7:39pm EDT

Episode 153 - Internet Veapon The gang braved the snow to get a show together tonight, here's what they covered: $17 mill-yun dollars scammed from Omaha company… A cautionary tale on business process controls... http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html You get an attribution! And you get an attribution! You all get attributions! https://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080 Feds want more threat info from private companies. Is this the way to go? http://www.wired.com/2015/02/president-obama-signs-order-encourage-sharing-cyber-threat-information/ Join us next week for episode 1784 of the continuing special “Responsible Disclosure!” http://www.infosecurity-magazine.com/news/google-blinks-first-with-project/ PSAs: BSidesATL 2015 CFP is open http://www.securitybsides.com/w/page/92311122/BSidesATL2015 BSidesLV 2015 CFP and Call for Mentors is open as well http://www.bsideslv.org/ And if you have any feedback, questions, or comments, drop us a comment here or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_153.mp3
Category:podcasts -- posted at: 8:22pm EDT

SFS Podcast

Run Sheet for 2/9/15 - Episode 152

 

The Stories

 

Anthem…. a megabreach if ever we've seen one...

 

http://www.csoonline.com/article/2881532/business-continuity/anthem-how-does-a-breach-like-this-happen.html

 

With the end of Microsoft’s Trusted Computing Group has the overall security posture of products taken a hit?  Anecdotes say...maybe.

 

http://www.itproportal.com/2015/02/02/microsofts-new-ios-outlook-app-serious-security-flaws/

 

BSides Vegas PSA

 

Security Model is Broken. In other news, water is wet, and if you stop breathing, you may die.

 

http://www.scmagazine.com/the-security-model-is-broken/article/393033/

 

A vendor sponsored survey is slanted so that the “biggest problem” is likely fixed by the sponsor?  NO WAY!!

 

http://www.csoonline.com/article/2879117/data-protection/vendor-math-doesnt-add-up-on-federal-security-priorities.html





 

 

Direct download: SFS_Podcast_-_Episode_152.mp3
Category:podcasts -- posted at: 8:31pm EDT

Episode 151 -  

 

Tonight, the gang dodged the snow for long enough to talk about some of the stories that have come out in the past week or two.

 

Can we finally quantify risk?

http://www.csoonline.com/article/2874171/data-protection/new-framework-helps-companies-quantify-risk.html

 

Security budgets seem to be on the rise according to Ponemon:

http://www.darkreading.com/attacks-breaches/security-budgets-going-up-thanks-to-mega-breaches/d/d-id/1318714?

 

Filed under "Duh..."

http://www.infosecisland.com/blogview/24236-Fear-Hackers-First-Invest-in-an-IT-Security-Culture-Change.html

 

There are lots of potential changes to the CFAA, what can you do?

http://www.csoonline.com/article/2873537/security-industry/post-state-of-the-union-reaction-to-proposed-legislation-remains-mixed.html

 

https://medium.com/message/we-should-all-step-back-from-security-journalism-e474cd67e2fa

 

https://community.rapid7.com/community/infosec/blog/2015/01/26/how-do-we-de-criminalize-security-research-aka-what-s-next-for-the-cfaa

 

Public Service Announcement:

BSidesLV's awesome Proving Grounds track is looking for speakers: http://www.securitybsides.com/w/page/89943218/BSidesLV2015

CircleCityCon's CFP is open: https://circlecitycon.com/

BSidesCharm is looking for sponsors: http://www.securitybsides.com/w/page/80637041/BSidesCharm2015

 

And if you have any feedback, questions, or comments, drop us a comment here or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_151.mp3
Category:podcasts -- posted at: 8:35pm EDT

Episode 150 - Not Quite Explicit The gang is back after their holiday break, and it sure was nice that nothing big happened between episodes, right? Right? Now, we're not tackling Sony in this episode, but there was still plenty to discuss. Microsoft is ending Advanced Patch Notification Service for everyone except for certain support levels. http://windowsitpro.com/security/microsoft-ends-advanced-patch-notification-service-and-slams-google-early-warning-policy Microsoft and Google are starting up the disclosure discussion all over again. http://blog.erratasec.com/2015/01/a-call-for-better-vulnerability-response.html http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx http://www.csoonline.com/article/2867534/vulnerabilities/microsoft-blasts-google-for-vulnerability-disclosure-policy.html Surprise surprise, politicians are calling for regulation of technology. http://www.nytimes.com/2015/01/12/us/politics/obama-to-call-for-laws-covering-data-hacking-and-student-privacy.html If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes. And if you have any feedback, questions, or comments, drop us a comment here or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_150.mp3
Category:podcasts -- posted at: 8:21pm EDT