[00:00:00] Good morning folks it is Thursday May 2nd 2019 and here’s today’s security news.
[00:00:05] First things first from security week by AFP. Putin signs controversial Internet law. So today Putin signed this sovereign internet bill act in Russia which would essentially do a few things. One of those is it creates a central point of entrance and exit out of the country for the country’s Internet traffic. A lot of criticism of this bill comes from its vagueness in the way it was written. A lot of people are trying to get a lot of people. People are trying to claim that this will create an avenue censor the voice and opinion of the folks on the Internet in Russia. I don’t necessarily disagree and I don’t think this is one of those we have to see how it plays out. This is pretty well bad off for everybody involved. You know I tried not to get too deep into the privacy stuff on this thing is how it’s a security podcast but it’s sort of part of the deal. So for this one, I’m going to steer away from the privacy aspect to this and I want to try to sort of ask a few questions about the security aspect of this. One of those being if there is a central point of entrance and exit for all internet traffic coming from Russia. No attribution is already really hard, especially for the regular non-government agencies. So this. My assumption is that we’ll make it extremely difficult because now they can control more heavily what they can and will mask in and out of that country. So you know common tactics of hopping VPN or different boxes upon boxes around the world. That’s common, I think. Obviously, they use it. Everybody uses it. I think that having this central point of entrance and exit is gonna make it extremely difficult for there to be any further additional attribution for anything Russian related. You know this comes off the heels of last year when the federal government essentially said that Russia meddled in the elections and it was their fault. So this feels like a response to that in such that they say Well you figured out who it was well good luck finding out next time. So we’ll keep an eye on this we’ll see what happens. You know this reminds me a lot of when net neutrality was repealed the first time all these companies said oh well well we’ll never actually you know use these stipulations that are in here. We’re still for the consumer. This feels a lot like that right. We know that eventually at some point they’re going to use this for the wrong reasons. OK let’s stop on that let’s move on.
[00:02:40] Next a from the Register by Ian Thompson in San Francisco. Sinister secret backdoor found networking gear perfect for government espionage. The Chinese are Oh no wait it’s Cisco again. So Cisco issued a fix yesterday for their 9000 Series Nexus switches. Excuse me Cisco Nexus 9000 Series Application Centric Infrastructure mode switch software that is a mouthful anyway. A piece of software on one of their switches. There was a backdoor into it and it was it was caused by. Let me get this right. Default SSH key pair. Hardcoded into the software so understandably people make mistakes. That’s a pretty big mistake. We talked about default passwords yesterday and IOT law that came from me that’s coming out of the UK. Clearly, anything default is bad because once you get it one of them you’ve got access to everything. So they are now it’s patched. You know this is an interesting article because the author immediately was turned it right into the highway stuff so he got back to the point but I know there’s clearly another incentive here in this article but nonetheless, Cisco patch a vulnerability due to SSH key management not being up to par they’re doing me wrong. That is not easy. That is a hard problem is not a hard problem to solve. There’s plenty of solutions for it. It’s a hard problem to continue to solve and get developers and training people to do things the right way.
Next from the register. By Ian Thompson still in San Francisco. We don’t know what’s worse. Hackers ransacked Citrix for five months. Or that Equifax was picked to help mop up the mess. So yesterday we talked about the Citrix breach and how their employee’s information was stolen while more and more is coming out about this six terabytes of data were pulled out. They suspect that some of that was not just employee data but was also intellectual property. You know any business document sort of like Crown Jewels sort of stuff. But here’s the deal so as you guys know we’ve all had our accounts taken over dinner. Identity issues. So when this happens there’s always free credit monitoring offered for the employees or the users whoever it may be. Well, in this case, Citrix has chosen to go with Equifax which is just dripping with irony considering everything that happened with Equifax. Not even two years ago at this point. And so my question is there are three of these credit reporting agencies there’s plenty of other consumer report credit reporting agencies out there companies third party companies that do this. You had to pick Equifax you couldn’t just go with one of the other two. That’s what you had to pick Equifax. Something stinks here. From my perspective. All right. I know I got my rant on today. Thank you for listening. I appreciate it. I hope you get as upset as about this stuff as I do because it just motivates me to go out there and change things. Today is Thursday, May 2nd. This is security in the bayou. Thank you for listening everybody have a wonderful day.