Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2024-10-28 - Sarsaparilla
Release Date: October 30, 2024
Introduction: A Refreshing Start
The episode opens with a light-hearted discussion about sarsaparilla vs. root beer, setting a casual tone for the show. Hosts John and Cory reminisce about their experiences with sarsaparilla, while Kelly delves into the nuanced flavors distinguishing it from root beer.
AWS Authentication Keys in Mobile Applications
Timestamp: [06:35] – [15:02]
The hosts transition into a critical discussion about the mismanagement of AWS authentication keys found in various iOS and Android applications. John raises concerns about hard-coded API keys:
John [06:39]: "If that key is living within that app itself, you may be exposing that particular key so another app can actually snatch it."
Kelly emphasizes the prevalence of such vulnerabilities in low-quality apps, questioning the effectiveness of app store scanning mechanisms:
Kelly [07:13]: "How is this not picked up in scanning? How is it... don't they scan these things?"
Cory and Alex discuss potential origins of these insecure apps, suggesting many may be developed by Chinese app factories using the same flawed codebase.
John advocates for robust Software Development Lifecycle (SDLC) processes, urging vendors to adopt comprehensive security measures rather than playing "whack-a-mole" with vulnerabilities:
John [21:10]: "I really have serious doubts as to whether or not they're actually implementing that."
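The hard-coded key problem the hosts describe is easy to check for before an app ships. The following scanner is an added example, not code from the episode or from Black Hills Information Security: it walks the decoded text artifacts of an app bundle (plists, JSON assets, JS bundles, strings output) and flags AWS access key IDs, noting whether a secret-key-shaped token sits next to them. The file names and key values below are constructed placeholders.

```python
import re
from dataclasses import dataclass

# AWS long-term access key IDs start with "AKIA" (temporary ones with "ASIA") and are
# 20 uppercase alphanumerics; secret access keys are 40 characters of base64-style text.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")


@dataclass
class Finding:
    path: str
    line_no: int
    access_key_id: str
    secret_nearby: bool  # a 40-char secret-looking token on the same or the next few lines


def scan_text(path: str, text: str, window: int = 3) -> list:
    """Flag AWS access key IDs in one decoded app artifact and return Finding objects."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in ACCESS_KEY_RE.finditer(line):
            # Secrets usually sit right beside the key ID in config files, so look a few lines ahead.
            nearby = "\n".join(lines[i : i + window + 1])
            findings.append(
                Finding(path, i + 1, match.group(1), bool(SECRET_KEY_RE.search(nearby)))
            )
    return findings


def scan_artifacts(artifacts: dict) -> list:
    """Scan a mapping of relative path -> decoded text, as produced after unpacking an IPA/APK."""
    results = []
    for path, text in artifacts.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample of unpacked app files; the key material is a placeholder, not a real credential.
SAMPLE_ARTIFACTS = {
    "Payload/Example.app/Info.plist": "<key>CFBundleName</key><string>Example</string>",
    "assets/config.json": '{\n  "region": "us-east-1",\n  "accessKeyId": "AKIAEXAMPLE0123456AB",\n'
    '  "secretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecre12"\n}',
    "lib/app.js": "const region = 'eu-west-1'; // no credentials here",
}

if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{f.path}:{f.line_no}: {f.access_key_id} (secret nearby: {f.secret_nearby})")
```

A hit with `secret_nearby` set should block the build; a bare key ID still warrants review, since the matching secret may live elsewhere in the bundle.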
Fortinet Vulnerabilities and SDLC Critique
Timestamp: [15:07] – [26:49]
The conversation shifts to the Fortinet vulnerability (CVE-2024-47575), highlighting its high severity score of 9.8 and widespread impact on approximately 60,000 devices. John criticizes Fortinet's handling of the vulnerability disclosure:
John [15:52]: "Could this be handled any worse?"
Ryan confirms that the CVE exists and explains what it means, while Kelly and the team discuss the broader implications for large vendors struggling with legacy systems and inadequate SDLC practices.
John draws parallels to past vulnerabilities in Java and Adobe products, emphasizing the need for major vendors to overhaul their security protocols:
John [17:15]: "Serious concerns as to whether or not Fortinet has implemented a solid software development lifecycle process."
Ralph and Jason echo these sentiments, questioning the prioritization of patch deployments and the financial burdens associated with extensive security overhauls.
Delta vs. CrowdStrike Lawsuit
Timestamp: [26:49] – [40:59]
A heated debate unfolds around the lawsuit between Delta Air Lines and CrowdStrike following a significant cyber incident. John expresses strong criticism towards Delta's handling of the situation:
John [34:49]: "Delta screwed up. Delta shouldn't have pulled the trigger on this."
Kelly and Cory discuss the power dynamics, noting Delta's substantial market presence compared to CrowdStrike's smaller scale. The team speculates on the potential outcomes and repercussions, highlighting the complexities of large-scale litigation involving cybersecurity firms and major corporations.
Jason introduces the perspective of regulatory scrutiny, mentioning how the SEC's involvement could influence public disclosures and accountability measures.
SEC Charges Against Tech Companies for SolarWinds
Timestamp: [40:59] – [50:55]
The hosts analyze recent actions by the Securities and Exchange Commission (SEC), which has fined tech companies like Unisys, Avaya, Check Point, and Mimecast for misleading breach disclosures related to the SolarWinds incident. Jason emphasizes the SEC's stringent requirements for timely and accurate reporting:
Jason [41:54]: "The SEC has a very, very talented team of technical engineers... you're not going to pull one over on the SEC."
Kelly criticizes companies for downplaying breaches with vague terminology, resulting in hefty fines:
Kelly [43:15]: "They got their hand caught in the cookie jar. They probably knew about it and had been trying to figure out how to fix it."
John and the team discuss the implications for publicly traded companies, advising adherence to best practices in breach reporting to avoid regulatory penalties.
Largest Retail Breach: Hot Topic
Timestamp: [50:55] – [54:14]
The episode covers the largest retail data breach in history, targeting Hot Topic with an alleged compromise of 350 million customer records. The hosts express skepticism about the scale, questioning its plausibility:
Kelly [51:13]: "It seems insane to me. Does that mean the entire population of the U.S.?"
Alex shares a personal anecdote about intrusive data collection in retail environments, highlighting privacy concerns:
Alex [52:27]: "If you're like a Star Wars fan and you want to get like the latest... they're like, well, put in your rewards number."
The discussion underscores the dangers of massive data breaches and the potential fallout for both consumers and retailers.
Innovative AI Health Apps: Poop Camera
Timestamp: [54:14] – [61:56]
In a humorous yet critical segment, the hosts explore a novel AI-powered toilet camera app designed to analyze users' bowel movements for health insights. John mocks the practicality and necessity of such an app:
John [55:33]: "Can you imagine being the developer of this and claiming it was doing something straight face?"
Kelly and Alex debate the privacy implications and actual usefulness, pointing out the invasive nature of having a camera in the bathroom:
Kelly [57:07]: "How many people are going to be willing to put a camera in their toilet?"
The segment highlights the quirky extremes of consumer tech innovation while raising legitimate concerns about privacy and data security.
Mental Health Support and Community Care
Timestamp: [61:13] – [63:31]
Towards the end of the episode, the hosts address a sensitive topic when a community member expresses thoughts of self-harm. John and Kelly compassionately reach out, urging listeners to seek professional help:
John [61:43]: "Please do me a favor and get help. Help... you are cared for and you matter."
They provide the National Suicide Prevention Lifeline number (1-800-273-8255) and encourage listeners to support one another within their community.
Conclusion: Reflecting on Security and Privacy
The episode wraps up with a reiteration of the importance of robust security measures, accurate breach reporting, and the ethical considerations of emerging technologies. The hosts emphasize the need for continuous vigilance in the information security landscape and the value of community support in addressing personal struggles.
Notable Quotes:
- John [06:39]: "If that key is living within that app itself, you may be exposing that particular key so another app can actually snatch it."
- John [15:52]: "Could this be handled any worse?"
- John [21:10]: "I really have serious doubts as to whether or not they're actually implementing that."
- John [34:49]: "Delta screwed up. Delta shouldn't have pulled the trigger on this."
- Jason [41:54]: "The SEC has a very, very talented team of technical engineers... you're not going to pull one over on the SEC."
- Kelly [51:13]: "It seems insane to me. Does that mean the entire population of the U.S.?"
- John [55:33]: "Can you imagine being the developer of this and claiming it was doing something straight face?"
- John [61:43]: "Please do me a favor and get help. Help... you are cared for and you matter."
This episode of Talkin' About [Infosec] News provides a comprehensive exploration of current cybersecurity challenges, from mishandled API keys in mobile apps to high-stakes litigation between major corporations. The hosts blend technical analysis with relatable anecdotes, fostering an engaging and informative discussion for both seasoned professionals and newcomers to the information security field.