Podcast appearances and mentions of jeremiah grossman

  • 37 podcasts
  • 43 episodes
  • 55m average duration
  • Latest episode: Feb 4, 2025


Latest podcast episodes about jeremiah grossman

The Secure Developer
Securing And Defending Like Brazilian Jiu-Jitsu With Jeremiah Grossman

Feb 4, 2025 (36:57)

Episode summary

Join Jeremiah Grossman, application security pioneer and former CEO of WhiteHat Security, as he reflects on decades of innovation in the industry, from the early days of OWASP to today's AI-driven development landscape. Explore critical discussions about the escalating costs of security, aligning developer incentives, and the future challenges posed by AI-generated vulnerabilities. Packed with insights, this episode dives deep into the strategies and frameworks shaping the way we build and secure modern software.

Show notes

In this episode of The Secure Developer, we sit down with Jeremiah Grossman, a pioneer in application security and former CEO of WhiteHat Security. Jeremiah shares fascinating insights from his decades of experience shaping the security landscape, including the origins of the OWASP project and his role in raising awareness about critical vulnerabilities like SQL injection and cross-site scripting.

The conversation delves into how the industry has evolved over the past two decades, from the early days when nearly every application was riddled with vulnerabilities to today's more robust frameworks and heightened security awareness. Despite these advancements, Jeremiah and Danny discuss why security spending remains high while organizations continue to struggle with improving their overall security posture.

Key topics include:

  • The misalignment of incentives in software development that prioritizes speed over security.
  • The emerging role of cyber insurance in shaping organizational security practices.
  • The challenges of unknown assets and their contribution to breaches, highlighting the importance of asset inventory and attack surface management.
  • The impact of AI on software development, particularly the risks and opportunities presented by AI-generated code and new attack surfaces.

Jeremiah also shares his thoughts on aligning incentives for secure development, including innovative approaches like developer performance metrics and reward structures for secure coding. The episode concludes with a look at Jeremiah's current focus on venture capital and fostering innovation in security, as well as his personal passion for Brazilian jiu-jitsu and its parallels with the security industry.

This episode is a deep dive into the critical challenges and opportunities facing modern security professionals, offering actionable insights and thought-provoking discussions for developers, CISOs, and security practitioners alike.

Links: OWASP (Open Web Application Security Project), Black Hat, Node.js, Brave Browser, Chromium, Cornell Study on AI Code Vulnerabilities, Snyk - The Developer Security Company

Easy Prey
A Lesson in Crisis Management with Jeremiah Grossman

Oct 9, 2024 (38:47)

It's not always easy to determine the value of digital assets. The potential of overestimating or undervaluing your data can make it difficult to establish how much protection you need for a cyber intrusion. Today's guest is Jeremiah Grossman. Jeremiah has spent over 25 years as an InfoSec professional and hacker. He is the Managing Director of Grossman Ventures. He is an industry creator and founder of White Hat Security and Bit Discovery. He has his black belt in Brazilian Jiu-Jitsu and is an avid car collector.

Show notes:

  • [0:53] Jeremiah shares his background and what he does as managing director of his new venture capital firm, Grossman Ventures.
  • [1:55] When he was 24, Jeremiah's business was victimized by a data breach.
  • [5:30] This experience taught him that if you treat your customers with integrity and have their best interests in mind, they will keep doing business with you.
  • [7:43] These things happen to countless businesses. It is important to keep customers and clients informed.
  • [10:27] Cybercrime is one of the only crimes where the victim doesn't always know they're a victim.
  • [13:30] When it comes to solving these problems, we have to narrow in on the problems that are worth solving and then work for a solution.
  • [14:53] Doing an asset evaluation is a good starting point. There is no algorithm to determine the value of digital assets.
  • [19:18] What role does AI play in this and what should people be wary of?
  • [20:31] How do we raise the cost on the adversary?
  • [23:12] There are ways to bait adversaries as well, which is an inexpensive solution.
  • [25:17] These days, adversaries are nowhere physically near the data. They access it all through digital means.
  • [27:28] Jeremiah is optimistic about AI and in his perspective, AI is a tool that will help us determine solutions.
  • [28:07] Currently, cyber insurance has become compulsory.
  • [30:48] Jeremiah explains how things work in venture capital and the problems that are common.
  • [34:11] There are many things that we can do better in this space.
  • [35:46] Jeremiah shares advice for small and medium-sized businesses.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and resources: Podcast Web Page, Facebook Page, whatismyipaddress.com, Easy Prey on Instagram, Easy Prey on Twitter, Easy Prey on LinkedIn, Easy Prey on YouTube, Easy Prey on Pinterest, Jeremiah Grossman's Website, Jeremiah on Twitter

Paul's Security Weekly TV
Hacker Heroes - Jeremiah Grossman - PSW #828

May 9, 2024 (60:23)

Illuminating the Cybersecurity Path: A Conversation with Jeremiah Grossman Join us for a compelling episode featuring Jeremiah Grossman, a prominent figure in the cybersecurity landscape. As a recognized expert, Jeremiah has played a pivotal role in shaping the discourse around web security and risk management. Jeremiah's journey in cybersecurity is marked by a series of influential roles, including Chief of Security Strategy at SentinelOne and Founder of WhiteHat Security. With a focus on web application security, he has been a driving force in advocating for innovative approaches to protect organizations from cyber threats. In this episode, we explore Jeremiah's vast experience and delve into his insights on the ever-evolving cybersecurity challenges. From his early days as a hacker to his current position as a sought-after industry thought leader, Jeremiah shares valuable perspectives on the strategies and philosophies that underpin effective cybersecurity practices. As a pioneer in the field, Jeremiah has contributed significantly to the development of best practices for identifying and mitigating web-related vulnerabilities. Tune in to gain a deeper understanding of the evolving threat landscape and the proactive measures organizations can take to secure their digital assets. Whether you're a cybersecurity professional, tech enthusiast, or someone eager to comprehend the complexities of online security, this podcast with Jeremiah Grossman promises to be an illuminating exploration of the past, present, and future of cybersecurity. Show Notes: https://securityweekly.com/psw-828


Paul's Security Weekly
Corporate Ransomware Deep Dive - Jeremiah Grossman, Mikko Hypponen - PSW #828

May 8, 2024 (116:15)

In this RSAC 2024 South Stage Keynote, Mikko Hyppönen will look back at the past decade of ransomware evolution and explore how newer innovations, like AI, are shaping its future.   Illuminating the Cybersecurity Path: A Conversation with Jeremiah Grossman Join us for a compelling episode featuring Jeremiah Grossman, a prominent figure in the cybersecurity landscape. As a recognized expert, Jeremiah has played a pivotal role in shaping the discourse around web security and risk management. Jeremiah's journey in cybersecurity is marked by a series of influential roles, including Chief of Security Strategy at SentinelOne and Founder of WhiteHat Security. With a focus on web application security, he has been a driving force in advocating for innovative approaches to protect organizations from cyber threats. In this episode, we explore Jeremiah's vast experience and delve into his insights on the ever-evolving cybersecurity challenges. From his early days as a hacker to his current position as a sought-after industry thought leader, Jeremiah shares valuable perspectives on the strategies and philosophies that underpin effective cybersecurity practices. As a pioneer in the field, Jeremiah has contributed significantly to the development of best practices for identifying and mitigating web-related vulnerabilities. Tune in to gain a deeper understanding of the evolving threat landscape and the proactive measures organizations can take to secure their digital assets. Whether you're a cybersecurity professional, tech enthusiast, or someone eager to comprehend the complexities of online security, this podcast with Jeremiah Grossman promises to be an illuminating exploration of the past, present, and future of cybersecurity. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-828


The Gate 15 Podcast Channel
The Gate 15 Interview EP 25. Amanda Berlin and Megan Roddie talk cybersecurity, mental health hackers, DEFCON, musicals, fruits, and more!

Jul 25, 2022 (61:10)

In this episode of The Gate 15 Interview, Andy Jabbour speaks with Amanda Berlin and Megan Roddie, cybersecurity leaders & mental health hackers, and they've got their hands in a lot more too!

Amanda is the Lead Incident Detection Engineer at Blumira and has worked in I.T. for almost her entire adult life. Before working at Blumira, Amanda's responsibilities have included infrastructure security, network hardware and software repair, email management, network/server troubleshooting and installation, purple teaming with a focus on phishing employees and organizational infrastructure, as well as teaching employees about security and preventing exploits. She currently serves as the Chief Executive Officer for Mental Health Hackers and is the co-host of the Brakeing Down Security Podcast (BrakeSec Podcast, @brakesec)!

Megan is a Senior Security Engineer at IBM, Co-Author of SANS FOR509 and has worked in cybersecurity since graduating from Sam Houston State University (and while she was still a student!). Previous roles have been with the Texas Department of Public Safety, Recon InfoSec, and with IBM's X-Force. She currently serves as the Chief Financial Officer for Mental Health Hackers. Megan is also a Muay Thai fighter and coach.

Follow Mental Health Hackers on Twitter! @HackersHealth. Follow Amanda on Twitter at @InfoSystir and on LinkedIn, and follow Blumira on Twitter! Follow Megan on Twitter at @megan_roddie and on LinkedIn.

In the discussion we address:

  • Amanda & Megan's backgrounds and origin stories
  • Awesome tips for breaking into security!
  • DEFCON and how to score a free breakfast at DEFCON!!
  • Mental Health Hackers
  • The Brakeing Down Security podcast
  • Muay Thai, Musicals, Apples & Bananas!
  • Fruits, music and so much more!

A few references mentioned in or relevant to our discussion include:

  • Mental Health Hackers website
  • Mental Health Hackers on Twitter! @HackersHealth
  • Amanda on Twitter at @InfoSystir and on LinkedIn.
  • Megan on Twitter at @megan_roddie and on LinkedIn.
  • Tom Williams on Twitter: @ginger_hax
  • Amanda's InfoSec Staples tweet - https://twitter.com/infosystir/status/972906318875983873?s=21&t=CCp0CmDgDcZXQVWtnpEXEA
  • Blackhat USA 2022 - https://www.blackhat.com/us-22/defcon.html?_mc=sem_bhus_sem_bhus_x_tspr_Google_defcon30_bhusagcompetitvedefcon30_2022&gclid=Cj0KCQjwn4qWBhCvARIsAFNAMihsrClH8Aygi2UnTsbSus3teDdktlK2NiamBzyAORwM5nHcaE4pynwaArHkEALw_wcB
  • DEFCON 30 - https://defcon.org
  • 10th Annual Brazilian Jiu-Jitsu Smackdown. A Brazilian Jiu-Jitsu event for information security professionals hosted by Jeremiah Grossman during Black Hat and Defcon - https://www.eventbrite.com/e/10th-annual-brazilian-jiu-jitsu-smackdown-tickets-348058561527
  • Amanda's Book! Defensive Security Handbook: Best Practices for Securing Infrastructure (1st Edition) - https://www.amazon.com/Defensive-Security-Handbook-Practices-Infrastructure/dp/1491960388
  • Megan's SANS Course! FOR509 Course Update - Introducing Google Workspace, the Multi-Cloud Intrusion Challenge - https://www.sans.org/blog/for509-course-update---introducing-google-workspace-the-multi-cloud-intrusion-challenge-and-more/

The RSnake Show
S02E05 - Jeremiah Grossman

Jul 8, 2022 (59:55)

RSnake and Jeremiah Grossman discuss the state of Information Security, how the industry seems to be allergic to change, how Jeremiah innovates in such a complex ecosystem, and where he sees things moving for security in the future.

MSP 1337
Cyber Insurance. A no brainer!

Oct 5, 2021 (37:58)

Sitting down with Jeremiah Grossman of Bit Discovery and Jeffrey Smith of Cyber Risk Underwriters to talk about the need to have cyber insurance: what it covers and how relatively inexpensive it is compared to not having coverage at all. They advocate for everyone to buy cyber insurance, knowing that the cost of insurance in many cases is far less than trying to satisfy one more security control. Looking at the risk and probability will help you determine how much coverage you might need to buy. Requirements to get cyber insurance are becoming more significant. It is no longer just about the questions or questionnaire; it is now becoming more about seeing the evidence of security.

BarCode
Uncaged with Jeremiah Grossman, Jeremiah Batac and Tyler Bohlmann

Jul 23, 2021 (47:58)

Brazilian Jiu-Jitsu (BJJ) is extremely difficult to master since it goes against conventional thinking. It is procedural and it is technical. While in combat, chaos ensues, although the fighters must stay laser focused. Just as one needs to apply the proper technique in BJJ, cybersecurity professionals must find ways to creatively apply their techniques in unconventional attack scenarios as well. It's proven that implementing fundamental BJJ concepts and principles will help strengthen the core of your security strategy, tactics and overall mindset. The methodology also will help minimize the risk of an organizational tapout.

Security experts and highly skilled BJJ practitioners Jeremiah Grossman, Jeremiah Batac and Tyler Bohlmann join me to watch the main event at BarCode. As the highly anticipated Jiu-Jitsu match progresses, we discuss the parallels between security and BJJ, including the importance of preparation, mental preparedness, training, energy conservation, overcoming adversity, embracing the grind and keys to victory.

Tony the Bartender submits a “Caipirinha”.

Support the show (https://www.patreon.com/barcodepodcast)

Security Nation
Brian Honan on creating Ireland's first CERT

Jul 21, 2021 (54:00)

Want to know more? Check out these links!

  • The very best place to have a few beers while at Infosec Europe in person is, naturally, the Prince of Teck
  • Follow up to the HSE attack in Ireland, from ZDNet's Danny Palmer
  • Ireland's first CERT, co-founded by Brian Honan; they announced their intention for IRISSCON 2021 in November on Twitter
  • Rob Wright, of SearchSecurity, interviewed Jeremiah Grossman about SentinelOne's cyber warranty program

Real quick correction for the Rapid Rundown: In the original recording, Tod once accidentally referred to "14.4" as the current version of iOS, when he should have said 14.6. He edited that correction directly in the audio and tried to make it sound normal. But, with that said, 14.7 was released right before we published this episode, but we still don't know if the DoS was fixed there.

Now for the links mentioned in the Rapid Rundown:

  • WifiDemon is described in detail over at ZecOps
  • Apple Developer Support, which notes what's current out in the iOS world
  • The mentioned job Rapid7 is hiring for is right here
  • And here's where you can learn about the DEF CON IoT Village

Product Talk
EP 149 - Bit Discovery CEO on Innovation and Designing Secure Products

Apr 28, 2021 (29:12)

As the internet fills with more assets stacked with value, designing and building net secure products is quickly becoming the new baseline. How can product leaders accelerate product innovation by building products with security as the priority? This week on Product Talk we welcome Jeremiah Grossman, CEO of Bit Discovery, a Mighty Capital portfolio company, to share his insights on customer satisfaction, process prioritization, and how to think about innovation from the perspective of secure design.

Privacy Please
Ep. 45 - Jeremiah Grossman, CEO at Bit Discovery

Nov 25, 2020 (64:25)

Special guest and friend, Jeremiah Grossman, CEO at Bit Discovery, joins the podcast with a fantastic back-and-forth conversation that doesn't seem to let up. He is also the founder of WhiteHat Security, a World-Renowned Professional Hacker, former Yahoo, Brazilian Jiu-Jitsu Black Belt, published Author, Influential Blogger, and an Off-Road Race Car Driver. Ladies and gentlemen, what can't he do? - Mr. Jeremiah Grossman!

In this episode, we learn more about all his special talents, ideas, thoughts, backstories, and how he ended up at Bit Discovery. We dive into infosec budgets not increasing at the same rate as the attack surface of an organization and what this means for protecting the individual, analyzing attack surface maps, industry hitting peak prevention relating to sentiment attackers, why Jeremiah doesn't listen to music, and much more! -Cam

The InfoSec & OSINT Show
25 - Jeremiah Grossman and Asset Inventory

Sep 17, 2020 (30:21)

This week Jeremiah Grossman hangs out to talk InfoSec, ransomware and asset inventory. My 3 main takeaways were: first, how we can use metadata to correlate assets to an entity; second, why cyber insurance will dictate what security tests are run; and third, Jeremiah's 3 super powers that aren't related to Jiu-jitsu. For more information, including the show notes, check out https://breachsense.io/podcast

We Talk Cyber
Asset Wonderland - Why is that on the Internet!

Jul 17, 2020 (26:25)

Security experts Jeremiah Grossman and Robert Hansen talk with Monica Verma about what asset discovery is, why it is important and why businesses should care. If you are interested in listening to amazing stories about how Jeremiah and Robert came to download the entire Internet, tune in right now!
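This episode and the InfoSec & OSINT Show episode above turn on the same idea: attributing internet-facing assets to an organization by the metadata those assets share. The Python below is an added example written for this page, not code from Bit Discovery or from either podcast. The asset records, hostnames and identifiers are constructed for illustration, and the choice of which fields count as strong ownership evidence is an assumption of the example, not something the episodes specify.

```python
"""Attribute internet-facing assets to an entity by shared metadata.

Added example for this page (not Bit Discovery code). Each asset record
carries a few observable fingerprints; assets that share a strong
fingerprint are merged into one cluster with a union-find structure.
"""
from collections import defaultdict

# Constructed sample inventory: hostnames and identifiers are hypothetical.
SAMPLE_ASSETS = [
    {"host": "www.example.com", "cert_org": "Example Corp",
     "tracking_id": "UA-1111-1", "ns": "ns1.example.com"},
    # Marketing site on another domain, linked only by a shared analytics ID.
    {"host": "shop.example-store.net", "cert_org": None,
     "tracking_id": "UA-1111-1", "ns": "ns1.cloudhoster.test"},
    # Forgotten legacy host, linked only by the TLS certificate organization.
    {"host": "legacy.oldbrand.org", "cert_org": "Example Corp",
     "tracking_id": None, "ns": "ns1.cloudhoster.test"},
    # Unrelated tenant that merely shares a hosting provider's nameserver.
    {"host": "unrelated.other.test", "cert_org": "Other LLC",
     "tracking_id": "UA-9999-9", "ns": "ns1.cloudhoster.test"},
]

# Fields treated as strong evidence of common ownership (an assumption made
# for this example). A shared nameserver is deliberately excluded: hosting
# providers serve many unrelated customers from the same infrastructure.
STRONG_KEYS = ("cert_org", "tracking_id")


def fingerprints(asset, keys=STRONG_KEYS):
    """Return the (field, value) pairs usable as ownership evidence."""
    return {(k, asset[k]) for k in keys if asset.get(k)}


def cluster_assets(assets, keys=STRONG_KEYS):
    """Group assets that are transitively linked by a shared fingerprint.

    Returns a sorted list of sorted hostname lists, one list per cluster.
    """
    parent = list(range(len(assets)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving keeps lookups short
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # fingerprint -> index of the first asset carrying it
    for idx, asset in enumerate(assets):
        for fp in fingerprints(asset, keys):
            if fp in first_seen:
                union(first_seen[fp], idx)
            else:
                first_seen[fp] = idx

    groups = defaultdict(list)
    for idx, asset in enumerate(assets):
        groups[find(idx)].append(asset["host"])
    return sorted((sorted(hosts) for hosts in groups.values()),
                  key=lambda g: g[0])


def attribute(assets, seed_host, keys=STRONG_KEYS):
    """Return every host in the same cluster as a known-owned seed host."""
    for cluster in cluster_assets(assets, keys):
        if seed_host in cluster:
            return cluster
    raise KeyError(f"{seed_host} not in inventory")


if __name__ == "__main__":
    print("strong links only:", cluster_assets(SAMPLE_ASSETS))
    print("with nameserver:  ",
          cluster_assets(SAMPLE_ASSETS, STRONG_KEYS + ("ns",)))
```

Run as-is, the first call finds the legacy host and the off-brand shop from the seed `www.example.com` while keeping the unrelated tenant separate. Adding the nameserver as a linking key pulls that tenant into the cluster too, which is the practical caveat of this technique: weak, widely shared signals over-attribute, so they should corroborate a strong link rather than create one.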

Down the Security Rabbithole Podcast
DtSR Episode 382 - Jeremiah Grossman Doing the Basics

Feb 10, 2020 (42:24)

This week on DtSR Podcast, a long-awaited guest joins us. That's right, the one and only Jeremiah Grossman joins us live from a tropical paradise, and you need to hear his message. On this show we cover history, "the basics", and the necessity to know what your security attack surface looks like. It's perhaps one of the least sexy topics ever - but if you ignore it, you're pretty much screwed. Guest: Jeremiah Grossman - @Jeremiahg - https://www.linkedin.com/in/grossmanjeremiah/

The BJJ Mental Coach Podcast with Gustavo Dantas
EP 80 – Be Okay With Failure | Bit Discovery CEO Jeremiah Grossman

Dec 1, 2019 (50:34)

Jeremiah Grossman is a jiu-jitsu black belt and serial entrepreneur. He is the founder and CEO of Bit Discovery. He is a published author writing extensively on computer security. He talked about practicing leadership; he also shared about the importance of balancing work and family time, and my takeaway from the interview came when we talked about failure, which inspired me to title this episode “Be okay with failure.” Stick around for my final thoughts after the interview when I expand on the topic that failure is not just acceptable, it's necessary for your personal growth. Stay tuned right after jiu-jitsu tribe's message. OSS! Gustavo Dantas

iTunes – https://tinyurl.com/y45kymp4
Google Plus – https://tinyurl.com/ydetberf
Stitcher – http://tinyurl.com/y52f5u6z
Book recommendation: The Art of War – Sun Tzu – https://www.amazon.com/Art-War-Sun-Tzu/dp/1505572835/ref=sr_1_4?keywords=the+art+of+war&qid=1572984741&sr=8-4

ITSPmagazine | Technology. Cybersecurity. Society
Chats On The Road To Hacker Summer Camp 2019 | Black Hat CyberInsurance Micro Summit | Jeffrey Smith

Aug 1, 2019 (25:36)

Did you hear about the latest breach? Who didn’t right? For many, however, even if the news is heard, it’s seldom taken seriously—“who cares” right? It seems that some people and companies are paying attention, taking these notifications seriously, and turning up the “care” dial a bit. They may not be investing in all of the best/right places, but, when it comes to acquiring cyber insurance, the checkbooks seem to be coming out as one means to mitigate (rather, transfer) some of the risk associated with being the potential next company to fall victim to an attack and a breach. According to our guest for this chats on the road to Las Vegas, Jeffrey Smith, Managing Partner at Cyber Risk Underwriters, there’s been a considerable uptick in the number of policies written, especially at the small/medium business level. What does this mean, though, in terms of the overall readiness for businesses to deal with an attack or a breach? Does the use of cyber insurance as a tool help companies raise their IT security posture and/or prepare them to respond more effectively when things hit the cyber fan? Are companies buying a policy, or are they establishing a partnership with an organization that will be there with them—and for them—when the event occurs? And, flipping the coin on its side for a moment, we ask Jeffrey some questions about the status of the cyber insurance products and market compared to the rest of the insurance industry. Do we have the data to make the best decisions when it comes to writing policies, pricing policies, and paying out on claims? Or, are we just kinda “wingin’ it” at the moment, hoping for the best? Do we have the right products available to paint a complete risk management picture (including options like software guarantees), or are we playing with a partial deck of cards? 
Jeffrey shares some of his professional views on these questions, and much more—but doesn’t give anything away concerning the three-session micro summit covering the topic of cyber insurance. The newly-formed cyber insurance micro summit is being chaired by Jeremiah Grossman and is taking place on Wednesday, August 7th, during Black Hat. So, if you want to learn more about cyber insurance from a group of people that know this space like the back of their hands, you’ll have to join Jeffrey and the rest of the micro summit team for their half-day session. Details for the three talks are below. In the meantime, as you prepare for and make your way to Las Vegas, have a listen to this chat. Oh, wait, one more thing. Sean and Marco will be playing a game with Jeffrey. Are you going to join us and play along too?

Cyber 9/11 with Dr. Eric Cole
15 - Interview with Jeremiah Grossman

May 31, 2019 (48:27)

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. He is the Founder of WhiteHat Security, a world-renowned professional hacker, and a published Author, among many other things. Tune in for this week's interview!

Unsupervised Learning
A Political Discussion with Jeremiah Grossman

Apr 14, 2019 (105:46)

Today's standalone episode of Unsupervised Learning is a political conversation with Jeremiah Grossman, who many of you will know as the founder of WhiteHat Security, current CEO of BitDiscovery, Jiu-Jitsu black belt, and all-around great individual. In this episode, however, we're not going to be talking about Information Security, but Politics. We have remarkably different and similar views on politics, which we've been discussing in private for years, and we thought now was the perfect time to show that it's possible to disagree with someone, respect them, and have a conversation about those disagreements in a positive and useful way. This is the first experiment of this kind on Unsupervised Learning, and I'm quite pleased with how it turned out. So with that, here's Jeremiah Grossman.

Cyber Security Interviews
#052 – Jeremiah Grossman: The Cavalry Is Not Coming

Apr 30, 2018 (33:37)

Bit Discovery (https://bitdiscovery.com/). Jeremiah's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. Since Jeremiah earned a Brazilian Jiu-Jitsu black belt, the media has described him as "the embodiment of converged IT and physical security.” In 2001, Jeremiah founded WhiteHat Security (https://www.whitehatsec.com/), which today has one of the largest professional hacking armies on the planet. Jeremiah has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for privately informing them of weaknesses in their systems -- a polite way of saying ‘hacking them'.

In this episode we discuss RSAC 2018, starting in infosec, web application vulnerabilities, what to look for in application security developers, building security development metrics, why you need to inventory websites, making time to contribute to the community, and so much more.

Where you can find Jer:

  • LinkedIn (https://www.linkedin.com/in/grossmanjeremiah/)
  • Twitter (https://twitter.com/jeremiahg)
  • Blog (http://blog.jeremiahgrossman.com/)
  • Jeremiahgrossman.com (https://www.jeremiahgrossman.com/)

DevOps Chat
BitDiscovery - A Revolutionary Way To Track All Of Your Digital Assets

Apr 3, 2018 (29:20)

When two legends in the InfoSec world start a new company, people take notice. Jeremiah Grossman and Robert "RSnake" Hansen recently announced their new venture BitDiscovery (http://www.bitdiscovery.com) was coming out of stealth, fresh off a venture raise and the acquisition of Robert's company, Outside Intel. BitDiscovery offers a radically different way of doing asset inventory and website discovery. Rather than scanning when you want to discover your assets, with BitDiscovery you just query the master database that the company has assembled and it tells you what it has already found there. This is possible because BitDiscovery keeps a constantly updated snapshot of just about the entire Internet. That is one Big Data based solution right there. Robert and Jeremiah are just the kind of guys to make something like this work. Also, after speaking to them, I believe that with that kind of data, there will be a lot more uses for this technology that will present themselves to the BitDiscovery team. With the track record of these two pioneers, look for big things!

Telecom Radio One
Jeremiah Grossman & Enterprise Security Breaches Genius Hackers

Telecom Radio One

Play Episode Listen Later Nov 17, 2017


Top Security Geek Jeremiah Grossman hacks Microsoft, Google, Yahoo and is also a Jiu Jitsu black belt who rolls with Forrest Griffin. https://www.linkedin.com/in/businessvoip/

Telecom Radio One
Jeremiah Grossman & Enterprise Security Breaches \ Genius Hackers

Telecom Radio One

Play Episode Listen Later Nov 16, 2017 41:08


Top Security Geek Jeremiah Grossman hacks Microsoft, Google, Yahoo and is also a Jiu Jitsu black belt who rolls with Forrest Griffin. https://www.linkedin.com/in/businessvoip/

Task Force 7 Cyber Security Radio
Ep. 6: Encryption: Privacy Vs. Security

Task Force 7 Cyber Security Radio

Play Episode Listen Later Oct 30, 2017 52:18


The debate over privacy and encryption is a very serious problem. US Federal law enforcement are demanding a solution that doesn't allow encryption to hinder criminal investigations and even national security. Some are pushing for legislative action to force companies to abandon their current business models. But advocates for privacy seem to have the ear of the majority of Americans, and right now it would seem the balance of the debate is landing on the side of privacy. Jeremiah Grossman weighs in on what he thinks about the issue and much more on this episode of Task Force 7 Radio.

Paul's Security Weekly TV
Security Weekly #466 - Security News

Paul's Security Weekly TV

Play Episode Listen Later Jun 2, 2016 40:21


On this Security News segment, Paul discusses Jeremiah Grossman, Apple hiring crypto-wizard Jon Callas to beef up security, Google killing passwords on Android, and a ton more from our other guests! Here on Security News!

Paul's Security Weekly
Security Weekly #466 - "8-Inch Floppy"

Paul's Security Weekly

Play Episode Listen Later Jun 1, 2016 117:16


This week on Security Weekly, we interview Wade Baker, Vice President of ThreatConnect! Paul, Jack, Jeff, and Larry address listener feedback and questions. Paul discusses Jeremiah Grossman, Apple hiring crypto-wizard Jon Callas to beef up security, Google killing passwords on Android, and lots more in Security News.

Paul's Security Weekly (Video-Only)
Security Weekly #466 - Security News

Paul's Security Weekly (Video-Only)

Play Episode Listen Later May 27, 2016 40:21


On this Security News segment, Paul discusses Jeremiah Grossman, Apple hiring crypto-wizard Jon Callas to beef up security, Google killing passwords on Android, and a ton more from our other guests! Here on Security News.

Command and Control
Jeremiah Grossman Interview – Command and Control Episode 4

Command and Control

Play Episode Listen Later May 12, 2016 50:14


Interview with Jeremiah Grossman, one of Application Security’s leading figures and founder of WhiteHat Security.

Command and Control
Jeremiah Grossman Interview – Command and Control Episode 4

Command and Control

Play Episode Listen Later May 12, 2016 50:14


Interview with Jeremiah Grossman, one of Application Security's leading figures and founder of WhiteHat Security. We discuss his career, his recommendations for protecting yourself and your web apps, and hear his outlook for the future of the InfoSec industry.

Security Conversations - A SecurityWeek Podcast
Jeremiah Grossman on the Attacker-Defender Mentality

Security Conversations - A SecurityWeek Podcast

Play Episode Listen Later May 11, 2016 29:50


Infosec veteran and former CEO of WhiteHat Security Jeremiah Grossman joins Ryan Naraine on the podcast to talk about the parallels between jiu-jitsu and computer security and the ongoing cat-and-mouse game between attackers and defenders.

whistlekick Martial Arts Radio
Episode 74 - Mr. Jeremiah Grossman

whistlekick Martial Arts Radio

Play Episode Listen Later Apr 11, 2016 54:36


Today's episode features our first conversation with someone who trains primarily in Brazilian Jiu Jitsu. Mr. Jeremiah Grossman started his martial arts training in other styles but found his calling later when he switched. With the strong ties we often hear of between BJJ and mixed martial arts, you might go into this episode thinking we're going to have a wholly different conversation than normal. But we didn't. Mr. Grossman is every bit the martial artist that our other guests have been, and I really enjoyed our conversation. But enough of that, let's hear from our guest. ~jeremy   For full show notes and a lot more, please visit: http://www.whistlekickmartialartsradio.com/074-jeremiah-grossman/

Paul's Security Weekly
Jeremiah Grossman, Security News - Episode 278 - February 16, 2012

Paul's Security Weekly

Play Episode Listen Later Feb 22, 2012 93:16


Tune in to Paul's Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.
Jeremiah Grossman Interview: Video coming soon…
Drunken Security News Weekly #278: Video coming soon...
Episode 278 Show Notes
Episode 278 - Direct Audio Download (mp3)
Episode Hosts: Paul Asadoorian, Host of Security Weekly and Stogie Geeks; Larry Pesce, Host of Hack Naked At Night; Darren Wigley, Host of Hack Naked At Night; John Strand, Host of Hack Naked TV

Podcasts (AppSec) – Man Vs WebApp
An Information Security Place Podcast – Episode 02 for 2012

Podcasts (AppSec) – Man Vs WebApp

Play Episode Listen Later Feb 10, 2012 22:40


Thanks go to Jeremiah Grossman for sitting down with Michael for some great discussion. Jeremiah is the CTO at Whitehat Security and a very well known figure [...]

Black Hat Webcasts RSS Feed
Black Hat Webcast 5: Clickjacking and Browser Security

Black Hat Webcasts RSS Feed

Play Episode Listen Later Dec 19, 2008 85:12


"Clickjacking" is all over the news lately. For the uninitiated, it's a set of techniques discovered by Jeremiah Grossman and Robert Hansen that allows an attacker to transparently capture a user's clicks, forcing the user to do all manner of unpleasant things ranging from adjusting security settings to unwittingly visiting websites with malicious code.

Black Hat Briefings, Japan 2005 [Audio] Presentations from the security conference
Jeremiah Grossman: Phishing with Super Bait (English)

Black Hat Briefings, Japan 2005 [Audio] Presentations from the security conference

Play Episode Listen Later Oct 31, 2006 65:44


"The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent international conference speaker at the Blackhat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites."

Black Hat Briefings, Japan 2006 [Audio] Presentations from the security conference
Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous (English)

Black Hat Briefings, Japan 2006 [Audio] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 84:26


"Imagine you're visiting a popular website and invisible JavaScript Malware steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript Malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript Malware
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing"

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

The use of phishing/cross-site scripting hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference

The use of phishing/cross-site scripting hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference
Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous

Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 54:51


"Imagine you're visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing
Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology."

Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous

Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 54:51


Imagine you're visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing
Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Jeremiah Grossman & Robert Hansen: Hacking Intranet Websites from the Outside (Take 2) - "Fun with and without JavaScript malware"

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 54:40


Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack. One quote from a member of the community summed it up: "The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the 'I'll just browse without JavaScript' mantra. Could you really call that browsing anyway?" -Kryan That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network. This year's new and lesser-known attack techniques (Anti-DNS Pinning, Bypassing Mozilla Port Blocking / Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms) are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.
You'll see:
- Web Browser Intranet Hacking / Port Scanning (with and without JavaScript)
- Web Browser History Stealing / Login Detection (with and without JavaScript)
- Bypassing Mozilla Port Blocking / Vertical Port Scanning
- The risks involved when websites include third-party Web page widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
- Fundamentals of DNS Pinning and Anti-DNS Pinning
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Jeremiah Grossman & Robert Hansen: Hacking Intranet Websites from the Outside (Take 2) - "Fun with and without JavaScript malware"

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 54:40


Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack. One quote from a member of the community summed it up: "The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the 'I'll just browse without JavaScript' mantra. Could you really call that browsing anyway?" -Kryan That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network. This year's new and lesser-known attack techniques (Anti-DNS Pinning, Bypassing Mozilla Port Blocking / Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms) are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.
You'll see:
- Web Browser Intranet Hacking / Port Scanning (with and without JavaScript)
- Web Browser History Stealing / Login Detection (with and without JavaScript)
- Bypassing Mozilla Port Blocking / Vertical Port Scanning
- The risks involved when websites include third-party Web page widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
- Fundamentals of DNS Pinning and Anti-DNS Pinning
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)