Yes! Made it to another Friday. I didn’t get enough stuff done this week, but whatever. It’s always good to make it to another Friday!
We have a special guest this week! Read on…
If you’re new to this thing, these are our show notes for the Unsecurity Podcast. This is episode 25 already, can you believe it? If you missed episode 24, you can find the shows in a bunch of places:
There’s a few other places, but these are the most common ones.
So, I hope you all had a good week! Mine, well it was busy. Work highlights had to be the CISSP Mentor Program class on Wednesday and the great time I spent with the only client I work with on a recurring basis, Flight Centre.
I attended the Mentor Program remotely from New York, while Brad Nigh led the class in person from Minnesota. I had some fun chiming in with random crap during class. Brad being the pro that he is, took it all in stride.
We held the Spring 2019 Flight Centre Americas Security Summit on Wednesday. They’re a very large global company, and they’re really rocking it. I won’t bore you with the details, but it was really fun. Great people, great conversation, great collaboration, great progress, etc., etc. See the pic.
I’m sure Brad had a week too. He mentioned something to me about three incident response (IR) calls. We’ll find out on the show.
Episode 25
Date: Monday, April 29th, 2019
Today’s Topic(s):
- Introduction and Discussion with Christophe Foulon
- More Password Guidance
- News
[Evan] It’s another Monday morning here at FRSecure/SecurityStudio world headquarters, and you know what that means? It’s time for another episode of the Unsecurity podcast. It’s Monday, April 29th 2019 and this is episode 25. I’m Evan Francen and I’m your host this week. Brad’s here. You know he’s my guy. Say “Hi” Brad.
[Brad] Hi.
[Evan] I’m pumped today Brad! We have a special guest today. Joining us today is Christophe Foulon! Welcome Christophe.
[Christophe] Probably says something here.
Introduction
We’re excited to have Christophe join us today. He’s one of the good guys that I’ve grown to admire.
Things to talk about with Christophe:
- What got you into information security?
- What part of information security gets you excited?
- Do you have a personal mission or purpose in the field?
- I noticed that you do a lot of volunteer work, tells us about it?
- You’re the co-host of the Breaking into Cybersecurity podcast (https://www.crowdcast.io/e/breaking-into-2/register), let’s talk about that for a bit.
- In episode 20 we covered the topic of staying healthy in the information security industry. How do you keep a good balance between personal time, work, volunteering, social media (LinkedIn), etc.?
- What sorts of things are you working on now?
- You appear to be very active on LinkedIn, posting articles regularly and commenting often. I find you posting good content all the time. How important is LinkedIn to an information security professional’s career?
Segue into More Password Guidance
One of the posts you (Christophe) made this last week in particular caught my eye. You posted a reference to a Microsoft Security Guidance blog article titled “Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903” . In the article written by Aaron Margosis, he writes about Microsoft’s plans about “Dropping the password expiration policies.”
We’re going to discuss this revelation and the recent(ish) NIST guidance in SP 800-63-3. Interesting changes to the NIST guidance included:
- Focus on Making Passwords Easy to Remember and Hard to Guess
- The Use of Special Characters Is No Longer a Requirement
- Character Allowances Increase and a Minimum Number Required
- No Longer Requiring Password Time Periods or Expirations
- Copy and Paste Functionality in Password Fields Are Enabled
Open Discussion
We talk about the new guidance, whether we agree or not, what it means for us, what it means for users, and how it differs so much from what we grew up with.
I’m sure it will be a good discussion. 🙂
[Evan] OK. Thanks guys. Now some quick news stories from the past week.
News
Facebook is facing a big fine, but…
- Facebook Expects to Be Fined Up to $5 Billion by F.T.C. Over Privacy Issues
- Why a multibillion-dollar FTC fine would barely faze Facebook
- Regulators Around the World are Circling Facebook
How a Nigerian ISP Accidentally Hijacked the Internet https://www.darkreading.com/cloud/how-a-nigerian-isp-accidentally-hijacked-the-internet/a/d-id/1334482
Cybersecurity Job Openings Boom, Pool of U.S. Job Seekers Shrinks https://spectrum.ieee.org/view-from-the-valley/at-work/tech-careers/cybersecurity-job-openings-boom-pool-of-us-jobseekers-shrinks.amp.html
One last thing. Some drama last week as Brian Krebs doxxed a couple of good security folks. Causing quite a stir on Twitter. Here’s a screen shot of the since-deleted tweet.
Closing
[Evan] Man, that was a full show! A special thanks to Christophe for visiting with us today! Thank you.
Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. Christophe, how do you like people finding you?
[Christophe] Gives some info.
[Evan] Awesome. Thanks again! That’s it for episode 25. Have a great week everyone! Until next week, eh?