Larry Cashdollar, senior security response engineer at Akamai, has been finding CVEs since the 1990s, around when MITRE was first being established. Since then, he’s found 305 CVEs – as well as various security findings, such as an IoT-bricking malware called Silex, and cybercriminals targeting poorly secured Docker images.

Cashdollar shares his craziest bug finding stories, including his first flaw (CVE-1999-0765) found during his position as a UNIX Systems Administrator, which accidentally threw a wrench in a demo for a Navy Admiral on the Aegis destroyer class ship.

Beyond his own personal stories, Cashdollar shares the top pieces of advice he would impart to today’s security researchers and those hunting for vulnerabilities. Listen to more on the Threatpost podcast.


Below find a lightly edited podcast transcript.

Lindsey O’Donnell-Welch: This is Lindsey O’Donnell-Welch and welcome back to the Threatpost Podcast. I am joined today by Larry Cashdollar, who is the senior security intelligence response engineer at Akamai. Larry has been conducting security research and finding vulnerabilities since 1994. So he can really give a sense of what has changed in the industry in terms of finding and reporting bugs as well as the threat landscape. So Larry, thank you so much for joining me today. How are you doing?

Larry Cashdollar: Good. How are you?

LO: I’m good. Good. I know we were just talking about this. But we’re getting some strange weather here in the northeast, very warm for fall.

LC: Yeah, it’s been wacky.

LO: Definitely. Well, so Larry, just to start, can you tell us a little bit about yourself and how you first got into the security space?

LC: So I was studying computer science at the University of Southern Maine back in the 1993 timeframe. And I had a friend who was in the Linux users group back then with me, and he told me that this company was hiring what they called at the time “internet analysts” to work on security stuff. And I’m like, okay, I like to, you know, I could work there part time, make some money. And the company I joined was a small consulting company in Portland, Maine. And this company did security for a couple of companies in Southern Maine, but also a large bank that was out of Manhattan. And what we did was we built firewalls, or what we called bastion hosts back then. So we would handle these firewalls. And we would put in rules to allow, you know, certain services like POP mail and sendmail and web browser, things like that, to occur while keeping the company secure. And build these systems to keep these companies connected to the internet, but also keeping them secure. And that’s where I first really sank my teeth into the security industry.


305 CVEs and Counting: Bug-Hunting Stories From a Security Engineer