ISC StormCast for Friday, July 19th 2019
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 19 July 2019
⏱️ 7 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Friday, July 19th, 2019 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Svindon, England. |
| 0:13.2 | One technology to better control who is able to connect to your network is 802.1X, and with that, it directly applies to critical control number one which has its |
| 0:25.2 | focused an inventory of all systems connected to your network. Now implementing 80.1 is often a daunting |
| 0:34.5 | task and a lot of administrators are shying away from it. |
| 0:39.8 | Now, to help you a little bit out here, Rob has today published some tips |
| 0:44.3 | how to implement 80.1X in a Windows environment. |
| 0:50.1 | So if you're interested in this, take a look at it and see if this will help you implement this technology. |
| 0:58.0 | And when it comes to TLS, probably the simplest way to intercept TLS is to get users to accept your certificate authority |
| 1:10.0 | and then to set up a proxy that will intercept |
| 1:12.8 | TLS connections. Now, there have been many attempts over the years to do this on a large-scale |
| 1:20.3 | country level. And back in 2016, Kazakhstan made news by actually trying to have its certificate authority added as a trusted |
| 1:30.3 | certificate authority to browsers. While that attempt failed, they just recently now started |
| 1:38.3 | to mandate that users in Kazakhstan will add their certificate authority, their country level certificate authority |
| 1:46.7 | to browsers in order to allow for traffic inspection. There has been some discussion and a link to |
| 1:54.6 | that in the show notes on the Mozilla security list, how to respond to these kind of actions. Now one option of course would be for |
| 2:05.1 | browsers to blacklist these certificate authorities so even if a user adds them |
| 2:11.0 | manually they wouldn't really work. Certificate pinning while it's no longer really |
| 2:17.3 | in use would potentially offer a solution |
| 2:20.7 | here but turns out that browsers who did implement certificate pinning did allow the override |
| 2:27.9 | for certificate authorities that users specifically installed. |
| 2:32.2 | Looks like so far a compromise that may be developing here is to just add a more prominent |
| 2:39.5 | visual indicator if such a certificate authority is used to verify a particular site, essentially |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.