Certificate Transparency (CT) is a recent and important development in the world of SSL certificates. Popular browsers require trusted CAs to log all SSL certificates to publicly available CT Logs. Join our hosts to find out how various parties are using CT Logs to learn about CA behavior and SSL usage patterns and to improve the overall quality of public trust.
Dec 28, 2019•21 min
Nearly a year ago our hosts launched Root Causes to provide a forum for discussion of the issues surrounding the critically important PKI technology. Now at the end of 2019 we discuss how this podcast has taken shape, how that compares to our original expectations, and what we are looking forward to in 2020.
Dec 14, 2019•14 min
Random number generation is an essential part of successful cryptography. Quantum computers offer to improve this niche technology industry. Join our hosts to learn what quantum random number generators (qRNGs) are, how they stand to improve cryptography and other computing functions, and how they tie into post-quantum cryptography (or don't).
Dec 10, 2019•19 min
2019 saw important changes in the world's cryptographic standards, including changes in browser treatment of SSL certificates, the removal of a public CA from trusted root stores, widespread serial number entropy problems across many CAs, and progress in building quantum-resistant PKI. Join our hosts as they detail these goings-on and others and talk about what 2020 may hold in terms of evolving cryptography.
Dec 08, 2019•23 min
California Senate Bill 327 (SB-327) goes into effect January 1, 2020. This groundbreaking ordinance requires basic security measures for devices deployed in California. Join us to learn what SB-327 requires from device manufacturers, which threats it protects against, and how this ordinance is leading the way toward stronger IoT security practices.
Dec 04, 2019•22 min
2019 was a highly eventful year for infrastructure and IoT security. The year saw the emergence of wholesale attacks on the world's energy infrastructure, an epidemic of ransomware incidents against municipalities, heightened attention to automotive identity and security, and a number of legislative measures to try to secure this whole set of systems and devices. Join our hosts as they talk about the trends in IoT and infrastructure security in 2019 and where these trends may go in 2020.
Dec 01, 2019•25 min
2019 has been an eventful year for PKI. In this episode, first in a series of four lookbacks at the year, our hosts discuss how governments sought to control encryption, certificates, and public trust in 2019.
Nov 23, 2019•19 min
New research out of Indiana University Bloomington reviews nearly 400 "incidents" with public SSL certificates over the course of more than a decade. Join us as we go through the main findings from this piece of original research, including methodology, incident types and causes, and rogue certificates.
Nov 21, 2019•24 min
In our industry interactions we frequently run into questions about how PKI and blockchain compare with each other. How do they work similarly or differently? Are they surrogates for each other? Are they complementary? Join us this episode as we explain the details of how blockchain and PKI work, similarities and differences between them, and what use cases are appropriate for each.
Nov 18, 2019•30 min
Global energy infrastructure continues to find itself under cyber attack from Advanced Persistent Threats (APTs). Join our hosts as we discuss recent attacks on power plants, why these attacks persist, and possible responses.
Nov 07, 2019•22 min
The California Consumer Privacy Act (CCPA) has been described by some as California's GDPR. This act provides broad protections to consumers in California, and businesses must comply starting January 1, 2020. Join us as we discuss this act, what protections it provides, and what businesses must do to comply.
Nov 05, 2019•14 min
A recent FBI warning cautions of attacks that circumvent Multi-Factor Authentication (MFA). Join us as we describe contemporary attacks against MFA and how to defend against them.
Oct 30, 2019•16 min
Expert consensus states that we will need to update cryptography before quantum computers break our existing algorithms in the next ten or fifteen years. But what do we do about IoT devices, which may lack updating mechanisms and live in the field for decades with little available access? Our hosts are joined by repeat guest Alan Grau as we explore how IoT has specific requirements and challenges for quantum resistant crypto.
Oct 24, 2019•18 min
In a new variant on a known attack, a Russian Advanced Persistent Threat has begun applying patches to Chrome and Firefox to enable TLS fingerprinting even after the malware is removed from a system. To learn more about this new development, join our hosts as they explain how this attack works, its significance, and where the criminals may go from here.
Oct 21, 2019•14 min
SSL certificate practices are governed by the rules of the CA/Browser Forum. But what is the CA/Browser Forum, who is in it, and where do they get their authority? If you've ever wondered about questions like these, join our hosts as they describe the origins of the CA/Browser Forum and how it operates.
Oct 16, 2019•23 min
The automobile is undoubtedly among today's most complex, commonplace, and security-sensitive IoT devices. Our hosts describe the cyber threats facing connected cars, including real attacks that already have been proven, new challenges that will come with increasingly advanced capabilities, and what manufacturers can do to protect drivers from harm.
Oct 14, 2019•17 min
In episode 35 our hosts explained Mosca's Inequality, a formula for calculating when we need to have post-quantum encryption in place to prevent the Quantum Apocalypse. In this episode our hosts embark on a nuanced exploration of the factors influencing this calculation and test whether popular estimates are credible.
Oct 10, 2019•22 min
We talk about botnets a lot, but not everyone understands how they are built and used by the criminals who control them or how headless IoT devices have greatly added to their power. Expert guest Alan Grau (VP of IoT and Embedded Security, Sectigo) joins us to help dissect today's botnets.
Oct 07, 2019•25 min
Our hosts frequently run into the assumption that blockchain and PKI are extremely similar technologies and are possibly even competitive with each other. While the two approaches accomplish some related goals, they are very different in how they work and ultimately accomplish different ends. Join us as we explain what blockchain actually does and how it compares to PKI, including some examples of use cases that are appropriate for each of these technologies.
Oct 02, 2019•15 min
Recently at Black Hat and on public YouTube videos security newcomer Crown Sterling has claimed to factor the RSA algorithm. It turns out the breathlessly discussed feats were already accomplished as early as 1999. Join our hosts as they debunk this fundamentally misleading rumor and discuss the reality of RSA encryption today.
Sep 28, 2019•9 min
The majority of all phishing sites now use SSL certificates to more closely imitate the behavior of legitimate sites. New research from RWTH Aachen, a large, German technical university, investigates the patterns behind this certificate usage. Join our hosts as we dig into the details of these findings to learn specifically which certificate types are more or less likely to appear on phishing sites - and some thoughts on why.
Sep 25, 2019•20 min
The month of August saw some unusual criminal activity when it comes to PKI and malware. Our hosts explain four August news stories including a SHA-1 enabled breach, stolen certificates and keys, and some interesting developments with malware-driven botnets.
Sep 22, 2019•29 min
Quantum annealing is a special case of quantum computing for which the engineering challenges are lessened - and therefore we expect computers of this sort to achieve stability sooner. In this episode we examine the potential for the quantum annealing approach to break RSA-based cryptography sooner than most people have been expecting, and the difficulty of predicting the "Z date" at all.
Sep 09, 2019•21 min
Finding the new quantum-resistant cryptography we will need to replace RSA and ECC is a difficult task requiring the coordinated effort of academics, industry, and government. NIST has stepped in to lead this volunteer community. Join us to learn about this project to discover and vet going-forward crypto candidates, where we stand in the process, and where we go from here.
Sep 02, 2019•21 min
Quantum computers have the potential to defeat the RSA and ECC encryption underlying our digital world. We must swap out these algorithms before quantum computers reach that stage of maturity. But how long do we have? Join our hosts Tim Callan and Jason Soroko as they explain how to calculate the ominously named "Z date," the possible consequences of missing that deadline, and potential hairstyles for a post-apocalyptic world.
Aug 27, 2019•20 min
Shadow IT has become a fact of the modern enterprise. SaaS, BYOD, outsourced development, embedded IT, DevOps, and public cloud have all chipped away at the CIO's ability to oversee and control the enterprise's technology systems. This fragmentation leads to identity and access challenges that can affect security, governance, auditability, and compliance. Join our hosts as they discuss these challenges and what IT departments can do to address them.
Aug 24, 2019•23 min
The CA/Browser Forum faces a proposed ballot to limit the maximum duration of an SSL certificate to 13 months. Even if this ballot fails, browsers such as Google Chrome have the ability to simply distrust certificates of longer duration, creating the same de facto situation. Our hosts discuss the trend to shorter certificates, the pluses and minuses of decreased maximum term, and automation as the only solution to fill the gap.
Aug 17, 2019•17 min
Breaking research from two esteemed universities shows that sites with Extended Validation SSL certificates are much less likely to be engaged in criminal behavior like malware and phishing. And yet, leading browsers are reducing or removing EV information from the interface. Join our hosts as they explore the research results, this paradoxical browser behavior, and the effect it's likely to have on consumer security.
Aug 14, 2019•25 min
Few people know that caller ID numbers have no identity value as they are completely self-reported. This fact enables the plague of robocalling scams sweeping our society right now. Join our hosts as they discuss public telephony systems and other environments that suffer from this problem, where this situation creates vulnerabilities, and what can be done about it.
Aug 11, 2019•11 min
Recently we have seen major news items in some of the common Root Causes themes. Join our hosts as they discuss new whopping breach fines from GDPR and the FTC, what happens when an entire country has its PII stolen, and phishing sites with SSL.
Aug 05, 2019•17 min