Larry Cashdollar, senior security response engineer at Akamai, talks about the craziest stories he's faced, reporting CVEs since 1994.
Larry Cashdollar, senior security response engineer at Akamai, has been finding CVEs since the 1990s, around when MITRE was first being established. Since then, he’s found 305 CVEs – as well as various security findings, such an IoT bricking malware called Silex, and cybercriminals targeting poorly secured Docker images.
Cashdollar shares his craziest bug finding stories, including his first flaw (CVE-1999-0765) found during his position as a UNIX Systems Administrator, which accidentally threw a wrench in a demo for a Navy Admiral on the Aegis destroyer class ship.
Beyond his own personal stories, Cashdollar shares the top pieces of advice he would impart on today’s security researchers and those hunting for vulnerabilities. Listen to more on the Threatpost podcast.
Below find a lightly edited podcast transcript.
Lindsey O’Donnell Welch: This is Lindsey O’Donnell-Welch and welcome back to the Threatpost Podcast. I am joined today by Larry Cashdollar, who is the senior security intelligence response engineer at Akamai. Larry has been conducting security research and finding vulnerabilities since 1994. So he can really give a sense of what has changed in the industry in terms of finding and reporting bugs as well as the threat landscape. So Larry, thank you so much for joining me today. How are you doing?
*Larry Cashdollar: *Good. How are you?
LO: I’m good. Good. I know we were just talking about this. But we’re getting some strange weather here in the northeast, very warm for fall.
LC: yeah, it’s been it’s been wacky.
LO: Definitely. Well, so Larry, just to start, can you tell us a little bit about yourself and how you first got into the security space?
LC: So I was studying computer science at the University of Southern Maine back in the 1993 timeframe. And I had a friend who was in the Linux users group back then with me, and he told me that this company was hiring, what they called at the time “internet analysts” to work on security stuff. And I’m like, okay, I like to, you know, I could work there part time, make some money. And the company I joined was a small consulting company in Portland, Maine. And this company did security for a couple of a couple of companies in Southern Maine, but also a large bank that was out of Manhattan. And what we did was we did, we built firewalls or what we called Bastion hosts back then. So we would handle these firewalls. And we would put in rules to allow you know, certain services like pop mail and send mail and web browser, things like that, to occur while keeping the company secure. And build these these systems to keep these companies connected to the internet, but also keeping them secure. And that’s where I first really sink my teeth into the security industry.
newsmaker interviews podcasts vulnerabilities web security aegis akamai bath iron works bug bounty cve cve-1999-0765 cve-2000-0588 cve-2000-0589 larry cashdollar midikeys mitre patch podcast us navy vulnerability vulnerability disclosure
Admins should patch their Citrix ADC and Gateway installs immediately.
At [email protected], Luta Security CEO Katie Moussouris stressed that bug bounty programs aren't a 'silver bullet' for security teams.
October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw. On this October 2020 Patch Tuesday: Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise.
Ethical hackers so far have earned nearly $300K in payouts from the Apple bug-bounty program for discovering 55 bugs, 11 of them critical, during a three-month hack. The wormable iCloud bug is a cross-site scripting (XSS) issue, according to the writeup.
The majority of the bugs in Cisco’s Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) software can enable denial of service (DoS) on affected devices.