I was reading the newspaper the other day (the real dead tree newspaper) and I came across an op-ed from my congressperson. Gallagher: Cybersecurity for small business It’s about what you’d expect but comes with some actionable advice! Well, not really. Here it is so you don’t have to read the whole thing. Businesses can start by taking some simple and relatively inexpensive steps to protect themselves, such as: » Installing antivirus, threat detection and firewall software and systems. » Encrypting company data and installing security patches to make sure computers and servers are up to date. » Strengthening password practices, including requiring the use of strong passwords and two-factor authentication. » Educating employees on how to recognize an attempted attack, including preparing rapid response measures to mitigate the damage of an attack in progress or recently completed. ...

Josh and Kurt discuss not-counterfeit MTG cards, antivirus, squirrelmail, unroll.me, grsecurity, baby monitors, and trust. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/320432805-opensourcesecuritypodcast-episode-45-trust-is-more-important-now-than-the-truth.mp3 Show Notes Mom Apologizes For Trying To Sell Son’s Rare Magic Card Squirrelmail security issue Stealing all your mail grsecurity Baby monitor security Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

The other day I ran across someone trying to keep their locker secured by using a combination lock. As you can see in the picture, the lock is on the handle of the locker, not on the loop that actually locks the door. When I saw this I had a good chuckle, took a picture, and put out a snarky tweet. I then started to think about this quite a bit. Is this the user’s fault or is this bad design? I’m going to blame bad design on this one. It’s easy to blame users, we do it often, but I think in most instances, the problem is the design, not the user. If nothing is ever our fault, we will never improve anything. I suspect this is part of the problem we see across the cybersecurity universe. ...

Josh and Kurt discuss Lego, bug bounties, pen testing, thought leadership, cars, lemons, entropy, and CVE. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/319388588-opensourcesecuritypodcast-episode-44-bug-bounties-vs-pen-testing.mp3 Show Notes Josh’s Blog on Bug Bounties A Security Market for Lemons Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Every now and then I see something on a blog or Twitter about how you can’t replace a pen test with a bug bounty. For a long time I agreed with this, but I’ve recently changed my mind. I know this isn’t a super popular opinion (yet), and I don’t think either side of this argument is exactly right. Fundamentally the future of looking for issues will not be a pen test. They won’t really be bug bounties either, but I’m going to predict pen testing will evolve into what we currently call bug bounties. ...

Josh and Kurt discuss Shadow Brokers, pronouncing GIF, Atlanta’s road problems, browser phishing, warning sirens, IoT, and fake Magic the Gathering cards. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/318438805-opensourcesecuritypodcast-episode-43-we-are-totally-immature.mp3 Show Notes Shadow Brokers How to pronounce GIF Atlanta gas leak breaks road New browser location phishing attack Hacked warning sirens IoT bricking malware Fake MTG cards Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

It’s that time of year again. I don’t mean when all the government secrets are leaked onto the Internet by some unknown organization. I mean the time of year when it’s unsafe to cross streets or ride your bike. At least in the United States. It’s possible more civilized countries don’t have this problem. I enjoy getting around without a car, but I feel like the number of near misses has gone up a fair bit, and it’s always a person much younger than me with someone much older than them in the passenger seat. At first I didn’t think much about this and just dreamed of how self driving cars will rid us of the horror that is human drivers. After the last near fatality while crossing the street it dawned on me that now is the time all the kids have their driving learner’s permit. I do think I preferred not knowing this since now I know my adversary. It has a name, and that name is “youth”. ...

Josh and Kurt discuss the security themes and events in the context of the HHGG movie. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/317490724-opensourcesecuritypodcast-episode-42-hitchhikers-guide-to-security.mp3 Show Notes HHGG Movie (2005) Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

One of the few themes that comes up time and time again when we talk about security is how bad people tend to be at understanding what’s actually going on. This isn’t really anyone’s fault, we’re expecting people to go against what is essentially millions of years of evolution that created our behaviors. Most security problems revolve around the human being the weak link and doing something that is completely expected and completely wrong. ...

Josh and Kurt discuss airplane laptop bans, ATM hacking, pointing at things, and Certificate Authorities. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/316915938-opensourcesecuritypodcast-episode-41-all-your-money-are-belong-to-us.mp3 Show Notes Loaner laptops on planes ATM hacking Japanese rail safety point and call Certificate Authority Authorization in DNS Join our Facebook Group Comment on Twitter with the #osspodcast hashtag