Application Security and Privacy One Year Ago

Some security gems from around April 2015.

Last Week Tonight with John Oliver: Government Surveillance (HBO)

Application Security Meme

CNBC: Execs We’re Not Responsible for Cybersecurity

CNBC: Execs We’re Not Responsible for Cybersecurity, “…executives like CEOs and CIOs, and even board members — didn’t feel personally responsible for cybersecurity or protecting the customer data…” (Twitter: @ArigatoDamato)
Video: Execs We’re Not Responsible for Cybersecurity

Laws and regulations have not kept pace with growth of Internet technologies.  No clear expectations have been communicated to the software industry or users of these services by policy makers.  Executives have responsibility for protecting customer data but enforcement remains selective.  In the most egregious incidents, top C-level execs have been terminated for poor cybersecurity (e.g., Target).

USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers

Rob Joyce, Chief of Tailored Access Operations at the National Security Agency (NSA), presents on defending against nation states and criminals. Joyce provides a number of tips useful for defending against adversaries. Some points from his presentation are enumerated below.

  • “0-days not necessary”: persistence and exploration will get an attacker in, so continuous defensive work is required
  • Top intrusion vectors: email, web sites, removable media
  • Use software improvements, automatic/rapid patching and anti-exploitation features
  • Use secure host [and software] baselines
  • Training: the NSA trains and teaches exploitation. Are you actively teaching defense?
  • Monitoring: if you were hacked, how would you know? You can’t fix a problem you don’t know exists. Incident response plans are necessary.
  • Trust: don’t allow untrusted devices within the trusted perimeter, e.g. a home computer with Steam installed brought into the corporate [trusted] environment.
  • Discriminate between nation state and criminal intruders. Nation states select targets and are persistent in their efforts. Criminals are opportunistic and catch the weak gazelle.
  • Specific tips: 2FA makes stealing credentials challenging; limit account privileges and super user access; use dynamic privileges based on location; segment the network; keep passwords out of scripts; defend against pass the hash; block sites with a neutral or bad reputation.
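
As an added example of the “no passwords in scripts” tip (this is my own illustration, not code from Joyce’s talk or from this blog), here is a small Python scanner that flags credential-looking assignments, credentials embedded in URLs and password flags on command lines, while ignoring references to environment variables and obvious placeholders. The key-name list, the placeholder heuristics and the sample backup script are all assumptions made for the example.

```python
"""Hard-coded credential scanner for scripts and config fragments.

Added example for the "no passwords in scripts" tip; this is not code from the
talk or from this blog.  The key names, placeholder heuristics and the sample
script below are assumptions made for illustration.
"""
import re

# Assumption: variable/key names containing one of these words hold secrets.
CRED_KEY = r"(?:password|passwd|pwd|secret|token|api[_-]?key)"

PATTERNS = [
    # KEY=value, KEY: value, KEY = "value"  (shell, dotenv, INI, YAML, Python)
    re.compile(rf"(?i){CRED_KEY}\w*\s*[=:]\s*['\"]?([^'\"\s]+)"),
    # scheme://user:pass@host  (credentials embedded in a URL)
    re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"),
    # -p value / --password value / --password=value on a command line
    re.compile(r"(?i)(?:^|\s)(?:-p|--password)[ =]['\"]?([^'\"\s]+)"),
]

# Values that reference a variable or are obvious dummies, not real secrets.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|changeme|x{3,}|\*+|\.\.\.)$", re.I)


def is_placeholder(value):
    """True when the value is a variable reference or an obvious dummy."""
    return bool(PLACEHOLDER.match(value))


def mask(value):
    """Redact a secret for reporting: keep only the first and last character."""
    if len(value) <= 2:
        return "***"
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan(text):
    """Return (line_number, line, secret) for each likely hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not executable secrets
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match and not is_placeholder(match.group(1)):
                findings.append((lineno, stripped, match.group(1)))
                break  # one finding per line is enough for a report
    return findings


# Constructed sample script; the hosts and secrets are invented.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly backup job
DB_USER=backup
DB_PASSWORD='S3cret!2015'
export API_KEY=$VAULT_API_KEY
mysqldump -u "$DB_USER" -p"$DB_PASSWORD" shop > /tmp/shop.sql
./deploy.sh --password 'Tr0ub4dor&3' --target staging
curl https://svc:hunter2@files.example.invalid/upload -T /tmp/shop.sql
"""


if __name__ == "__main__":
    # Lines 4, 7 and 8 of the sample are reported; the $VAULT_API_KEY and
    # "$DB_PASSWORD" references are variable lookups and are left alone.
    for lineno, line, secret in scan(SAMPLE_SCRIPT):
        print(f"line {lineno}: hard-coded secret {mask(secret)!r} in: {line}")
```

The scanner is deliberately conservative: it reports the masked value rather than the secret itself, and it treats `$VAR`, `${VAR}` and `<placeholder>` values as references, so the fix it steers people toward (read the secret from the environment or a vault at run time) does not itself trip the check.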

The talk provided few surprises and was more of a reaffirmation for keeping tidy systems – an incredible challenge in practical application. While simple, Joyce’s advice is difficult to apply at scale. Other advice creates a computing environment some users consider unfriendly. In the end there are no silver bullets or quick fixes. Be vigilant, keep tidy systems, and invest in your staff through education.

Happy Holidays 2015 – Favorite Drone Videos

About two years ago, when drones were beginning to receive some attention in the press, my son, a college student, started working on me to purchase one. Drones were cool but I thought I would lose interest in flying so I resisted. He worked on me for a while longer. Eventually, I gave in and purchased a few toy drones to experiment with flying. I settled on a really great toy drone that flies like the more expensive drones, the Hubsan X4. I still use my X4 today and the X4 series is amazing for the price. My X4 provided me experience on the stick learning to fly, which helped as I transitioned to more sophisticated aircraft. Flying was more fun than I imagined. I decided to build my own multi-rotor aircraft.

I like electronics and projects, programming, and security, so I figured I would build my own multi-rotor. By building my own aircraft I force myself to learn all about aircraft. It’s been more than a year building. My experience is more like the Wright Brothers’. Lots of failures and crashes over the course of the year. Some crashes from as high as 200 ft (61 m). I have broken and rebuilt aircraft many, many times. Twice my speed controllers (ESCs) burst into balls of flame on my desk. I don’t know anyone in my area building their own multi-rotors, so it’s been a learning adventure.

The point of the post is to share some of the videos I find most interesting that helped to spark my interest and enthusiasm for building and flying multi-rotor aircraft.  I hope you enjoy them.  Happy Holidays and thanks for following my blog over the years!

FPV – Kiss chasey, I love the chase scenes in this video complete with bad ass crashes.  Juz70 is one of my favorite pilots.

Blackout Hex – One Take Wonder, Adam Potts shows us his backyard.  Amazing!

FPV – super cool, Juz70 finds something amazing on this beautiful leisure morning flight.

Blackout Spider Hex, dem0n1k sold me a Blackout Hex for my first project.  This was a bit of a mistake since I should have started with an easier aircraft to build.

Kiss 30A 6S Blackout Mini H, FinalGlideAus shows off some experimental Kiss ESCs and overclocks his mini H. Somewhat related, Tiger Motor announced a new “F” series motor designed for racing multi-rotors that’s likely to power a 250 mm quad over 200 mph (322 km/h).

FPV – Haunted, juz70 is an awesome pilot and also knows how to make an interesting video.  There are a few clues on the walls why this home was abandoned.  Can you find them?

Turkey Hunter // Blackout Mini Spider Hex // MN1806 //, Blackout makes awesome carbon fiber multi-rotor frames.  In this park video he encounters a crazy wild turkey.

BLACKOUT 330 . COBRA 2000KV, Metaldanny tearing up the skies.

BLACKOUT . TEST Higher Rates . (RAW), Metaldanny showing us some real Star Wars pod racing. Metaldanny is one of the world’s best FPV multi-rotor pilots.

FPV – elixir, I want to end on a strong video.  Juz70 flies through and around his home.  Amazing flying (and a nice house).