Claim OwnershipError Code
Subscribed: 12Played: 274
Subscribe
© Copyright 2022 All rights reserved.
Description
Error Code is a biweekly narrative podcast that provides you both context and conversation with some of the best minds working today toward code resilience and dependability. Work that can lead to autonomous vehicles and smart cities. It’s your window in the research solving tomorrow’s code problems today.
37 Episodes
Reverse
This is a story about how organizations are moving their SCADA systems to the cloud and how they need to secure them or they’ll be attacked. Chris Doman, co-founder and CTO of Cado Security discusses the new NSC guidelines on SCADA in the Cloud and whether the guidelines are prescriptive enough.
If you knock down an email server, you could stand up a parallel server or you could find workarounds. If you knock down a factory floor, there is no real parallel, alternative to a factory floor. Dane Grace of Brinqa talks about how the risks to OT carries with it an outsized kinetic response in the real world. For example, what would happen if someone managed to put a botnet on a defibrillator?
One of the problems with security is ROI. If I put in next gen this and next gen that and no security events happen, am I justified in making those expenditures? How do you quantify a risk like that? Padraic O’Reilly, founder and Chief Innovation Officer at CyberSaint, walks us through the risk analysis for IoT and OT systems, and why it’s important to understand this as we secure our critical infrastructure.
This is the story of how a researcher turns commercial and commonly used EDRs and Cloud-based backup systems into wipers against the very data they’re designed to protect. Or Yair, security research team lead at Safe Breach, talks about his two presentations at SecTor 2023 that consider how to turn common security tools into potentially malicious weapons.
There’s a lot of talk about using AI and LLM in security. For example, could ChatGPT detect the vulnerable spots for power for analysis in particular pieces of code using Advanced Encryption Standard? Witold Waligora, CEO of CloudVA, talks about his Black Hat Europe presentation, How We Taught ChatGPT-4 to Break mbedTLS AES With Side-Channel Attacks.
You might think that internet connected cameras would be limited in use by a bad actor. Actually such devices can be an entry point into an organization, providing yet another means of accessing the internal network. Mohammad Waqas, a field CTO at Armis, spoke at SecTor 2023 about the threat posed by IoT and OT devices in future cyberwarfare and discusses here why we need to broaden our attack surface defenses to include them.
There’s a fake news report about three million internet-enabled toothbrushes contributing to a botnet. Unfortunately the mainstream media ran with the story before questioning its basic assumptions. This is a story about IoT devices and the fact that we still don’t understand how they are vulnerable. Tom Pace, co-founder and CEO of NetRise, talks about vulnerabilities inherent in the IoT space that are often misconstrued and how we need to ask more questions about the software and the hardware being used if we want to secure critical infrastructure tomorrow.
Ransomware groups have bifurcated with some doing pure ransomware and others going straight to extortion; it's whether the data is ransomed on your network or theirs. Nick Biasini from Cisco Talos talks about the threats he’s seeing, in particular, SapphireStealer which is open source and using GitHub to crowdsource new features.
The Purdue Model used in OT is essentially network security from the 1990s. New threats and new tech however required us to rethink that on the network side so how do we bring that new thinking to work with legacy OT systems? John Taylor of Versa Networks explains how there's a lot of implicit trust in the IoT and OT devices themselves, yet they don't have antivirus. Or firewalls. Worse, you're basically depending on the manufacturer of that device to provide security updates if necessary, and oftentimes they don't. Perhaps it’s time for a new approach such as SASE or secure access service edge.
Flaws within the chips in our laptops, in our homes, and in our critical infrastructure could become the access one needs to steal data if not just shut down an assembly line, or hold up production of a vital resource like power or water. Josh Salmanson, senior vice president at Telos, discusses why we’re seeing more and more pre-compromised routers in critical environments today and what we might do to mitigate that in the near future.
Can your OT function if the IT system goes down? OT self-sufficiency is critical for infrastructure such as rail systems. Christopher Warner, from GuidePoint Security, discusses how this infrastructure resilience is important not only for the rail industry but for most of the other critical infrastructures in general.
Quantum computers will change and even break the cryptography we have today. To defeat a "Harvest Now, Decrypt Later" strategy by bad actors (even nation states), Denis Mandich, CTO and co-founder of Qrypt, is proposing a type of crypto agility that compiles the keys on your laptop instead of distributing them across the internet. He also talks about how you won’t need a quantum computer in your home; you’ll be able to access one in the cloud the way you can access AWS today.
When we think of massive compute power, we think of the Cloud when we really should consider the millions of unprotected OT devices with even greater slack computer power than all our current Cloud services combined. Sonu Shankar, Vice President of Product at Phosphorus Cybersecurity, talks about the challenge of communicating with PLCs and other devices, the risks from newer OT devices, and how all password-less OT devices really need to be protected. He says attacks aren’t just DDoS; today OT attacks can exfiltrate data as well.
There’s much of the electromagnetic spectrum that we cannot see. Like how LED wristbands are triggered at concerts or how to identify someone at DEF CON in a crowd of cellphones and electrical devices. Eric Escobar of SecureWorks provides some really clear analogies to help anyone visualize the differences between NFC, Bluetooth, and Wi Fi such as how your router and your microwave are both 2.4GHz - the difference is the number of watts behind each signal.
How might we mitigate the risk to millions of unauthenticated devices already out in the field? Ron Fabela, Field CTO at XONA Systems, has some ideas about how to achieve zero trust in either legacy or new OT systems. Really, it’s just a matter of reducing the attack surface.
In a talk at Black Hat USA 2023, Sharon Brizinov and Noam Moshe from Claroty Team82, disclosed a significant vulnerability in the Open Platform Communications Universal Architecture or OPC-UA, a univsersal protocol used to synchronize different OT devices. In this episode they also discuss a new open source OPC exploit framework designed to help OT vendors check their devices in development.
Transcript.
What would happen if someone stole the encryption keys for a major satellite? Well, it’d be game over. Unless the satellite used quantum cryptography. Skip Sanzeri from QuSecure explains how using “quantum tunnels” will allow even legacy satellites in orbit today to become secure in a rapidly approaching post-quantum world.
This is a story of what's needed for the Capture The Flag competition at DEF CON 31 to be hosted for the first time on a live satellite orbiting 400 kilometers above the Earth. Mike Walker continues his conversation, focusing more on the game to be played in Hack-A-Sat 4.
Moonlighter is the world’s first and only hacking sandbox in space. Currently orbiting the earth near the International Space Station, the satellite is the playground for this year’s Hack-A-Sat 4 competition at DEF CON 31. Mike Walker, from Cromulence, discusses the difference between hacking a live satellite in orbit vs the previous Hack-A-Sat CTFs which only simulated the experience. We discuss limited contact windows, latency, and other aspects of orbital mechanics which will surely influence how Hack-a-Sat 4 will be played.
Could a personal medical device be a threat for an organization? Turns out it’s similar to protecting against an attack on a mobile device. Except a denial of service here could prove fatal. Todd Brasel, the author of Security Issues of Personal Medical Devices: Concerns, Characteristics, and Controls, discusses with Error Code the research he’s done on devices either inside the body or just outside, the vulnerabilities in communications they sometimes have, and the mitigations available today.
Comments
Download from Google Play
Download from App Store
United States