An Information Security Place Podcast – Episode 20

June 19, 2009 // Posted in Security

 

Link to MP3

The long-awaited episode 20 is finally here. Sorry for the crazy long wait!

InfoSec News Update –

  • Data Breach Suit Targets Auditor – Link Here
  • Exobox data leak detection coming out – Link Here
  • "CloudBurst" allows attackers to break VM guest OS and attack Host – Link Here
  • Obama creates the office of Cyber Czar – Link Here
  • Twitter and Iran – Link Here
  • IOSCAT talk from SANS – Link Here
  • Tmobile Breached….Maybe? – Link 1 / Link 2
  • Wireless Keyboard sniffing just got a lot easier – Link Here
  • LC6 is Officially Released – Link Here
  • Trojan Attack on ATMs – Link Here
  • Patch Your Blackberry Servers – Link Here

Discussion Topic - What's the difference between an Auditor and an Assessor?

Consultant’s Corner - To Scope or Not to Scope

Music Notes:

Some advice when writing security assessment RFPs

May 15, 2009 // Posted in Security  | 

I have been answering quite a few security assessment RFPs lately, most specifically geared towards penetration testing of the external and internal environment (you guessed it – PCI).  And what I have noticed is that the writers of the RFP typically do not include enough detail in the RFP for the organizations attempting to answer to give a solid response.  Basically, if you need a good answer to your RFP, you have to give me enough to scope the amount of time it is going to take me to get it done.

  1. If you have 200 external IPs and you want to have those scanned for vulnerabilities, and then you want to have those vulnerabilities used for penetration testing, I have to know that in order to scope.
  2. If you have some applications on those servers, I need to know if I will have credentials or if this is going to be totally black-box testing.  I also need to have SOME idea of how many apps I am going to run up against.
  3. If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
  4. Etc, etc, etc

If you would provide this quantity type of information up front, I would not have to write up a bunch of questions and send them to you.  You would not have to take the time to answer these questions (and probably send them to me 2 days before the responses are due).  It really is simple: if I don’t have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).

Of course, many people will tell you that RFPs are often written in such a way to discourage responses because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions.  The RFP writer is simply going through the motions because of company policy.  I get that.

But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly.  Thank you for your consideration.

Vet

Accuvant blog is up and running

May 4, 2009 // Posted in Security  | 

Finally the day has come.  I have been pushing to get this done internally at Accuvant for a while, and things just never lined up.  But now we finally are there.  Yes, the Accuvant blog is up and running.  You can find it at http://insight.accuvant.com.

There are already some great posts up by some of our uber-smart assessment consultants.  We have some very high-end research guys on our team, plus just some of the best all around assessment people.  There is no weak link on that team, and they continue to amaze me.

Some of you may not be aware that Dave Maynor joined our team at the beginning of the year.  I was fortunate enough to sit next to him at a client down here in Houston as he smacked around their AS400 environment.  And not only is Dave smart, he is friggin’ hilarious as well. 

So anyway, go take a gander at the blog.  Look for more great stuff to pop up on there.

Oh, and Accuvant has a Twitter account as well at http://twitter.com/Accuvant.  It will likely be mostly reflecting blog posts right now, but there might be more in the future.

Vet

Copycat Twitter Worm?

April 15, 2009 // Posted in Malware, Security, Social Networking, Twitter

 

As most of you know, Twitter was hit with a series of worms this past weekend.  They were created by 17-year-old Mikey Mooney, creator of the website StalkDaily.com (don’t visit the site).  The original worm seemed fairly innocuous, with messages that were created to drive traffic to the StalkDaily website.

I wrote a Computerworld blog post, where I detailed the original attack as well as provided a list of security recommendations.  In that post, I commented that Twitter users should be on the lookout for modified worms, especially as additional details of the original attack come to light.

After Twitter patched the original cross-site scripting (XSS) flaw, which exploited the “link” field in a user profile, another variant of the worm appeared.  This time, the worm exploited the “color” setting of the user profile.   Modifying the worm highlighted that the XSS vulnerability was not limited to a single field and that Twitter would have to institute a comprehensive patch, not a band-aid solution.

The variant of the worm automatically generated tweets with the term “mikeyy”. These were sarcastic in nature and seemed to be tongue-in-cheek.  Examples include:

  • Mikeyy I am done…
  • Mikeyy is done…
  • Twitter please fix this, regards Mikeyy
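The lesson in the post is that fixing the “link” field alone left the “color” field open, so the fix has to be a single encoding and validation path that every profile field passes through. The following is an added example, not code from the original post or from Twitter: a naive profile renderer that interpolates fields directly, beside a hardened one in which every field is either validated against a strict allowlist (URL scheme, hex colour) or HTML-encoded. The HTML template, the helper names and the sample profiles are assumptions constructed for this illustration.

```javascript
// Added example (not from the original post): one encoding/validation path for
// every profile field, instead of a patch for whichever field was abused last.
// Field names ("link", "color") come from the post; the template, helper names
// and sample values below are assumptions constructed here.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode an untrusted string for use in an HTML text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs are accepted for the profile link; anything else is dropped.
function safeLink(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '';
  } catch (_) {
    return '';
  }
}

// A colour is validated against a strict allowlist (6-digit hex), never placed
// into a style attribute as free text. Anything else falls back to a default.
function safeColor(value, fallback = '#000000') {
  return /^#[0-9a-fA-F]{6}$/.test(String(value)) ? String(value) : fallback;
}

// "Before": the naive renderer interpolates profile fields straight into markup.
function renderProfileNaive(profile) {
  return `<div style="background:${profile.color}">` +
         `<a href="${profile.link}">${profile.name}</a></div>`;
}

// "After": every field goes through the single validation/encoding path above.
function renderProfileSafe(profile) {
  return `<div style="background:${safeColor(profile.color)}">` +
         `<a href="${escapeHtml(safeLink(profile.link))}">${escapeHtml(profile.name)}</a></div>`;
}

// Constructed sample profiles: a benign one and one carrying markup in its fields.
const benign = { name: 'Alice', link: 'https://example.com/alice', color: '#336699' };
const hostile = {
  name: 'Eve<script>',
  link: 'javascript:alert(1)',
  color: '#fff"><script>alert(1)</script>',
};

// Crude detection check for the rendered output: any script tag or javascript: URL?
function containsActiveContent(html) {
  return /<script|javascript:/i.test(html);
}

console.log('naive renderer leaks active content:', containsActiveContent(renderProfileNaive(hostile)));
console.log('safe renderer leaks active content: ', containsActiveContent(renderProfileSafe(hostile)));
console.log(renderProfileSafe(benign));
```

The point of `safeColor` is that a colour value has no business being escaped at all: a style attribute is not an HTML text context, so the only defensible handling is an allowlist of the exact syntax the application expects. The same per-context rule is what makes the hardened renderer hold up when a new field is added.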

The general consensus today is that the “StalkDaily” and “Mikeyy” worms have been adequately addressed.   However, I am not fully convinced. Four days after the original worm, I am still seeing suspicious behavior.  A colleague of mine has a Twitter account that automatically started generating tweets saying “I am not here right now.”

Using a third-party iPhone application, TweetStack, I am conducting periodic searches on the string “I am not here right now.”  I found that this is not nearly as widespread as the “StalkDaily” Twitter worm, but it has affected at least a couple dozen accounts.

While this could be yet another variant of the worm created by Mikey Mooney, my suspicion is that this is a copycat worm created by another party (most likely a script kiddie).

Are YOU still seeing anomalous behavior on Twitter?  I would love to hear about it!  Please comment below as well as notify the Internet Storm Center if you see anything noteworthy.

- WiFiJedi

Douglas J. Haider is a Principal Technologist with Xirrus.  He hosts a personal blog at WiFiJedi.com, and micro-blogs on Twitter @wifijedi (which was not infected by the Twitter worm at the time of this writing…)

Podcast delays

April 8, 2009 // Posted in Security  | 

Sorry for the delay in getting the last podcast posted.  I recorded it with Michael Santarcangelo last week (Jim was sick), but we had some issues with the recording (Skype cut out twice, other issues), and I have not had the time to edit everything.  I have a good bit of it done, but I am not as good as Jim is on getting all that cut and put together.  I hope to have it done this week.

Vet

Heading to TRISC in the morning

March 22, 2009 // Posted in Security  | 

If anyone is heading to TRISC (Texas Regional Infrastructure Security Conference) tomorrow in Austin, let me know.  I will be there tomorrow for a day doing booth duty with Citrix.  I think they will mostly be showing their NetScaler product (load balancer, reverse proxy, and WAF).

Sometimes I like doing booth duty just because it enables me to do what I like doing, which is talking to people.  I like the interaction, and I enjoy helping people find what they need.  Of course, a security evangelist-type of job is what I would really enjoy, and this falls into that.  Maybe one day.

Vet

An Information Security Place Podcast – Episode 17

March 19, 2009 // Posted in Podcasts, Security

 

Link to MP3

Here is Episode 17. Sorry for the delay in getting it out. Last week was extremely rough for Jim and I, but we are back at full strength now. Well, maybe 85% strength anyway.

In this show Jim and I relate the latest news as always, then we have some discussion about layoffs and how that is causing a lot of orphaned hardware and software. Then we discuss some challenges for the consultant in walking the minefield of politics at client companies.

Also, we had some listener feedback from Geir. He was busting on us a bit about our saying you need to patch your stuff when we were talking about 0day. Thanks for keeping us straight, Geir.  If you want to send feedback, you can send it to podcast-at-infosecplace.com.

Here are the show notes:

InfoSec News Update:

  • Follow up – Another Payment Processor Has Been Hacked – Visa says JUST KIDDING! – Link Here – This Just In – A new timeline of the Unnamed Processor – Link Here
  • Gartner – Nearly 8 Percent of U.S. Adults Lost Money To Financial Fraud in ‘08 – Link Here
  • Federal cybersecurity director quits, complains of NSA role – Link Here
  • Health Records Show Up in Yard – Link Here
  • Study: Antivirus Software Catches About Half Of Malware – Link Here
  • MS Finally killing off AutoRun – Link Here
  • Marine One data leak – Link Here
  • The Return of L0phtCrack!! – Link Here
  • WarVox Released – Link Here
  • Thieves Steal the Show at Cebit – Link Here
  • Checklist for complying with PCI security standard – Link Here / Link To Checklist

Discussion - Orphaned hardware and Software – Link Here

Consultant’s Corner - Dealing with political landscapes at your client’s company

Music Notes:

Vet

No podcast this week

March 12, 2009 // Posted in Security  | 

Sorry everyone.  Jim and I are big time swamped with work right now.  Plus I have a friend who is very ill, and I am tied up with that as well.  We’ll be back next week.

Vet

Can IT Vendors be Objective?

February 26, 2009 // Posted in Blogging, Blogging Buddies, Rant

Here is another guest post by WiFi Jedi

————————————————————————————

Can IT Vendors truly be objective? Or does everything they say have to be viewed through a lens of “they are trying to sell me something”?

Join me while I rant…

Personally, I think IT vendors can be objective.

Sure, we manufacture and sell things…

*Gasp* – We even profit from selling.

But that doesn’t mean we can’t be objective.

i.e. – I try to provide solid vendor-neutral information to the wireless community through my blog, http://wifijeidi.com.

(In fact, only 2 of the nearly 40 blog posts I have completed to-date have been about my employer, Xirrus.)

However, not everyone sees it that way.


Let me give you an example…

I requested press access to an industry event as a blogger.

However, I was told that I can’t get a pass of this nature because I work for a vendor.

Furthermore, I was told that bloggers of major publications (ComputerWorld, Network World, ZDNet, etc.) would qualify.

So I went out seeking a spot with one of these publications as one of their bloggers.

(I even had a solid lead directly to an editor with a reference from another well-known blogger at one of these publications.)

However, I was turned down again. Because I work for a vendor.

 

My “commentary”…

Presumably, working for a vendor means that I can’t be objective. Which I personally think is %^&$*&!

Let’s take a look at some profiles of bloggers who have been picked up by these publications. I would like to take a closer look at two common blogger profiles: Value Added Resellers (VARs) and Independent Consultants.

I have noticed that if you work for a VAR, you can blog for major publications. Correct me if I am wrong – as a VAR, don’t you sell some vendor’s equipment, but not others? It would seem to me, in that position, it is possible to have nuances or conflicting agendas. At least working for a manufacturer, you know where my “official” loyalties are.

The other common profile for bloggers on these publications is that of an “independent” consultant. I would think a large portion of their livelihood depends on their ability to provide consulting services. If that’s the case, don’t you think they would blog about things that (at least indirectly) drive their own business? After all, their financial success is directly tied to the success of a single person - themselves. Working for a manufacturer (or any large organization) mitigates this factor because my financial situation is determined by the success of the group, and not by what I do or say to drive my own consulting business.

This isn’t intended as an attack on publications or their bloggers, just an honest discussion of how they can be objective, but somehow it is perceived that I can’t. What about my credentials?!?

Besides working for a vendor (for several months), I have also worked as a consultant and auditor (for many years). I hold over a dozen IT certifications, ALL of which are vendor-neutral. On my LinkedIn profile, I have the coveted “500+ connections”, many of whom are employed by my competition – Aruba, Meru, Motorola, etc. I started my blog to serve as a thought leader and I am a frequent speaker at industry events, professional organization meetings, and universities.

If you know someone at an IT publication that is willing to have me as a wireless networking and security blogger, have them contact me at douglas.haider@xirrus.com

Wait, I had better not use my corporate email address. That might signal I can’t be objective. 

Instead, have them contact me at douglashaider@hotmail.com

Twitter fail

February 26, 2009 // Posted in Security  | 

image

Vet

An Information Security Place Podcast – Episode 16

February 26, 2009 // Posted in Security  | 

 

Link to MP3

Episode 16 is up and running. Jim and I cover a lot of news again in this episode. Also, Jim goes a little crazy with the geek toys, but it is all really cool stuff and good info. We get into some PCI futures, playing off of Rich Mogull’s ideas on the subject. And we have a good cert discussion as well.

Show notes:

InfoSec News Update:

Discussion: Continued from Martin’s Network Security Podcast Episode 139 and Rich’s post - Will Outbound monitoring and filtering be the next PCI requirement?

Geek Toys:

Consultants Corner: Top three security certifications (uhhh, yeah…)

Music Notes:

Playing with the Packeteer PacketShaper

February 25, 2009 // Posted in Hardware, Internet  | 

I just got an eval PacketShaper 2500 for a few days from my local Bluecoat SE (Bluecoat bought them a few months ago).  I actually used to work with these boxes just about every day a few years back.  I worked for a company that built apartment complexes for college students at a lot of major universities across the country.  We acted as the ISP for the students, and these complexes would house 500-1000 students.  These kids went EVERYWHERE on the Internet.  There were so many different types of traffic flowing around on those networks, and there was A LOT of it.  Students were constantly complaining about the slowness of their Internet connection.  Every day I was getting calls with someone griping.  So the company would spend a little more money and I would bond another T-1 to the two or three we had.  We would see improvement for MAYBE a day (two if we were lucky), then that pipe would fill up.

So we decided to bust out with the Packeteer boxes.  I would put in a box, and we would see every type of traffic imaginable within about an hour.  Back then Napster and Kazaa were the big bad boys.  These kids would kick off 10-20 downloads before they went to class and just let them run all day.  Multiply that by at least 100 students, and that traffic would just consume the pipe completely.  When that happened, the poor students just trying to surf the web for actual schoolwork would suffer horribly.

So when we started cutting that traffic off at the knees (either killing it entirely or making the bandwidth limit so low that it wasn’t worth it), things changed dramatically.  All of a sudden people were able to surf the web.  They could still download their music, but it would take a little longer (who cares if it is downloading while you are in class).  Everything just improved, and the calls almost completely stopped.  Of course, you always had the spoiled brat who complained because his DSL or cable at home was always fast and his online game never suffered there.  It was always fun trying to explain to some punk getting a degree in underwater basket weaving that he didn’t have 900 other people trying to download porn and music on his DSL at home.  What was more fun was explaining that I didn’t give a crap if Elf Quest was fast or slow and that he should probably be doing homework instead of screwing around with games.  But I digress…

Anyway, good stuff.  Click on the picture below to see some of the traffic on my little network (some purposefully generated by me). 

image

Vet

The Next Great Wireless LAN Vendor

February 18, 2009 // Posted in Security Reselling

Yesterday was one of the few days that I bought a hard copy of the USA Today newspaper.  I get the Arizona Republic paper delivered to the house daily. I even get six copies of the Sunday paper (don’t ask…).  I bought it because one headline on the cover page of the USA Today caught my attention.  It was “Who Might Rise From the Wreckage” with a subtitle of “It’s happened before – Cisco and MySpace emerged in tough times.  Tech can bloom again”.

The headline and subtitle brought up a good point.   In the economic crash of the late 1980’s, Cisco began its rise as one of the large tech companies.  The article mentions Facebook and MySpace as companies who had a similar rise after the dot-com crash.  Personally, I remember two *other* (more relevant to networking) companies who accomplished a similar jump in market share in the wake of the dot-com crash – Foundry Networks and Extreme Networks.

This economic downturn presents the same opportunity for tech companies to rise out of the aftermath stronger than when they entered.  Who are likely candidates this go-around?   I would suggest that the opportunity is particularly ripe for Wireless LAN vendors.

Why?  There are several reasons WLAN manufacturers have an opportunity to grab market share in this economy, especially compared to their wired counterparts.  Most reasons point back to the fact that organizations are now forced to do more with less.

During these times companies…

  • need to get more out of their employees – WLANs enable their employees to be connected everywhere in their enterprise all the time
  • will not want to invest in permanent infrastructure - WLANs can easily be moved from location to location vs. desktop switches / cabling
  • will want even tighter security because of dismissed employees and competitive pressures – WLANs allow for easy deployment of 802.1X port based authentication and can execute rapid adds and deletes

Which WLAN vendor is poised to take advantage of such a situation?  Aerohive? Bluesocket? Meru? Ruckus? Xirrus?  Let me know what you think in the comments section!  Be sure to state specific reasons that you think one vendor will be able to gain more market share than another.  Also, if you like this post, check out my blog for related info such as 50 Questions K-12 School Districts Should Ask WLAN Vendors.

- WiFi Jedi

Factors Determining Installed WLAN Quality

February 12, 2009 // Posted in Security, Security Products, Security Reselling

I had an interesting phone discussion a couple days ago with Veriwave’s CTO, Tom Alexander, and VP of Marketing, Eran Karoly.  We were talking about field tools for testing the quality of installed wireless LANs.  At a high level, we all agreed that much of the field testing and verification for WLANs today has centered around data related to site surveys, such as signal strength, RF interference, and the coverage “footprint”.

There are many existing tools for testing wireless coverage ranging from embedded supplicant software & Netstumbler to more complex commercial tools such as AirMagnet Site Surveyor or Motorola’s LANPlanner.  Check out my blog for more information about site surveys, including the difference between active and passive site surveys.  More sophisticated wireless engineers might also gather data regarding RF interference with a spectrum analyzer, such as the WiSpy DBx or AirMagnet Spectrum Analyzer.

However, our conversation highlighted the need to expand WLAN installation and verification tools beyond the focus on complete WiFi coverage with low interference.  How do wireless vendors and/or VARs ensure that an organization’s business and technical requirements have been met?   A focus on signal strength neglects other critical areas such as roaming, quality of service, and security.  Additionally, there is often no verification of the proper configuration of the *wired* network.

We discussed how many of the testing tools available today focus on the wireless infrastructure (the APs, arrays, WLAN controllers) and lack visibility into the client side of the equation.  Most testing seems to concentrate on laptops – but what about wireless VOIP phones, hand-held scanners, printers, and RFID?

The three of us on the phone, as well as everyone I have discussed this with since, seem to understand the inherent value of a more robust way to validate WLAN installations.  However, what are the costs?  Personally, I don’t see a good cost model for a product of this nature.  It seems that a system that tests both the infrastructure and clients across many functional boundaries would be extremely expensive, especially for a field testing unit (where vendors or VARs might need more than one kit as they are running multiple projects).

Many wireless LAN vendors can justify the capital expenditure of Veriwave’s existing test beds, because they are involved with testing new product lines, etc.   However, many vendors seem to have a bare bones professional services group and turn over that work to VARs.  I also can’t see many VARs purchasing uber-expensive field testing tools – many are too small to afford tools like the AirMagnet suite, let alone something more costly.  If VARs do purchase, they will inevitably have to pass along the cost to their customers. Is this viable either?  Why would a customer pay a higher cost to insure themselves against a WLAN that wasn’t properly field verified?  Customers should be able to do this by properly scoping their projects and enforcing the terms of their contract.

What do you think?  Do you see the value of such a tool?  Do you see an appropriate cost model?  Sound off in the comments below!

- WiFi Jedi

Introducing Douglas Haider a.k.a. wifijedi

February 12, 2009 // Posted in Security  | 

I wanted to take a second to introduce a good friend of mine who has recently started blogging and will also be guest blogging here from time to time.  This friend of mine is Douglas Haider.  He is a former coworker at Accuvant and is now working for Xirrus, a Wi-Fi company.

I have pimped Douglas’ SANS classes in the past on my blog before.  I have also worked on some gigs with him as well as attended some of his speaking engagements.  He has been around and has seen it all.  Basically, Douglas has some serious Wi-Fi and security chops.  I welcome him to the blogging ranks, and I am honored that he wants to guest blog here.

Here are some links so you can learn more about Douglas and read his stuff:

Vet

An Information Security Place Podcast – Episode 15

February 12, 2009 // Posted in Podcasts, Security

 

Link to MP3

Here is episode 15. There was a lot to cover in this episode. Jim and I were in discussion mode, so be prepared to sit down for a while longer than normal this time. Jim and I were also in a joking mood and consequently cracked ourselves up on this episode, so enjoy the laughter and comedy at a fellow human’s expense.

BTW, I am a milestone guy, and any time a “0” or a “5” is at the end of the episode number, I think it is cool. So 15 is a cool number to me. On to the show notes.

Show notes:

InfoSec News Update: whole lot of crap!

Discussion: File Under DUH! Unauthorized Web Use On The Rise

Consultants Corner: How does “Compliant” equal Owned?

Music Notes:

Learning the “Reply All” lesson

February 9, 2009 // Posted in Business of Security, Careers, Security Products, Security Reselling  | 

Most people probably would read the title of this blog post and think, “another idiot hit ‘Reply All’ and pissed a bunch of people off, and Michael thinks it is funny”.  Well, you would be right on two and three quarters of those points, because the person who hit Reply All is not an idiot.  In fact, though it was accidental, it actually served a great purpose and hopefully taught someone a lesson.  So after that cryptic intro, here’s the story:

A client of mine (I have his permission to write this, even though I am not mentioning his name or his company’s name) is looking for a specific security product to cure a compliance pain they are currently having.  We work with a few companies that sell the type of product he is looking for, but we recommended the one of those that we think has the best answer for the problem our client is trying to solve.  Since that company came back with some fairly high prices, the client asked us to contact some of the competing vendors and set up some meetings.

Well, one of those competing companies we contacted immediately decided to sic their inside sales person on our client.  This inside sales guy was calling our client at least 3-4 times a day (if not more) and was sending multiple meeting requests and emails, even after we asked him to back off.  He then started calling from other numbers when the client started screening his calls.  It got to the point where our client was getting pretty upset and was asking us to make some further demands that the guy back off.  The client seriously had no desire to be mean to the inside sales person, and we certainly did not want to cause bad relations between our company and the vendor, but the customer obviously comes first.

So after a few days of this going on, our client decided to forward one of the vendor’s emails to our sales person.  Our client was nearing the end of his rope, so the email was frustrated in tone.  It pointed out that the inside sales person was making his company seem cheap and desperate, and it was written with some fairly strong language.  But of course, as you have probably guessed by now, the client accidentally hit reply all when he was trying to forward, causing the vendor to receive a copy of the email.  Our client says that he received cancellation notices for the multiple meeting requests that he had received from the vendor within about 5 minutes after his email went out, and he has yet to hear back from that inside sales person.

So, while all of this is funny and falls right in there with a lot of these types of stories, it really serves a purpose beyond the “be careful with email” lesson.  Though our client swears it was accidental, the “accident” actually served the purpose of which I spoke in the introduction paragraph (it got the client some peace), and it hopefully taught that inside sales person a few lessons, which are these: persistence does not mean annoyance, listen to your clients and partners, and, for goodness’ sake, BE SELF AWARE.  Think about what you are doing.  And if you ARE self aware and you are being forced to make all these calls by your management, you might want to ask yourself why they are making you do this.  Is your company about to tank?  Do you need to start looking for a job?  Are you going to give yourself a bad reputation in the industry by making these calls and pissing people off?  Think about what you are doing and how you can do it better.

And another lesson: if you persist in pissing off my client, I have no qualms in calling in some favors from some friends of mine named Vito and Santino.

Vet

An Information Security Place Podcast – Episode 14

January 29, 2009 // Posted in Security

 

Link to MP3

Episode 14 is here.  First off, let me thank everyone that is listening to Jim and me spout off about everything.  Fourteen shows does not seem like a big number, but it involves a lot of work getting this going (especially on Jim’s part – thanks Jim) and keeping it going, and Jim and I appreciate everyone sticking in there with us.

Second, we have made some changes with my setup, so there might be a sound difference and some issues with this episode.  Forgive us as we get some new kinks worked out.

Third, this episode includes an interview with Mike Rothman from eIQnetworks.  You might know him better as that guy from Security Incite that has a yankee accent and tells everyone what he is thinking.  Either way, Mike is a great guy and a great friend, and I was honored to interview him.  I think you will enjoy that portion of the show.

And lastly, there is a programming note.  The geek toys segment that is brought to you by Jim every show is now going to be made more of a quarterly thing.  The reason is because Jim has to find something to talk about every time, and it is getting a little more difficult to find something for every show.

Here’s the breakdown of the show.

Show Notes:

InfoSec News Update: there’s been a lot happening the last two weeks

Discussion – New president declares his plan for US Cyber Security (more cynicism from Michael)

Vendor Interview – Michael interviews Mike Rothman from eIQnetworks

Consultants Corner – Combining compliance initiatives and what that means for security practices

Music Notes:

An Information Security Place Podcast – Lucky Episode 13

January 19, 2009 // Posted in Security

 

Link to MP3

An Information Security Place Podcast Lucky Episode 13 is here!  Sorry for the delay between podcasts.  Jim and I usually try to maintain the every-2-weeks schedule, but since we had Accuvant’s annual meeting coming up, we decided to push it out so we could do it there (“there” was Sedona, AZ – a beautiful place).  This is the first time Jim and I have been in the same room recording the podcast, which was different (Jim kinda smells a bit).  We had fun with it.

In addition, I wanted to take advantage of having some vendors close by (we have a vendor fair every year) for some interviews.  I only got one, but it was a good one with Bluecoat.  Thanks to Greg Buchan and Thomas Lee for spending some time with me.

So without further ado, here are the show notes:

Show Notes:

InfoSec News Update:

Discussion – Security Predictions for 2009 from Computer World

Geek Toys – MiniStack v3 Review

Consultants Corner – Choosing the right travel plans for yourself

Vendor Interview – Michael interviews Bluecoat

Music Notes:

* Intro/Outro – Digital Breaks – “Therapy”
* Segue 1 - SatelliteState – “ClockWorks”
* Segue 2 - Naked Gun – “A.D.D.”

RSA Conference 2009 Press Registration…

January 12, 2009 // Posted in Security  | 

is officially OPEN.

I just finished signing up.  I usually receive a confirmation in a couple of days.  I highly advise you to take advantage of this if you are a security blogger or freelance writer.  You essentially get free access to just about everything.  Yes, you have to wear the press badge, but I found last year that it was to my advantage because people tended to underestimate me when I interviewed them.  Yes, you have to deal with about a million emails from vendors wanting you to write about them, but you get used to it.

You also get access to the press room, where you get fed, watered, and generally pampered.  Just watch out for people trying to hack the wireless network and make you look stupid.  Probably not as much of a risk as at Blackhat, but if you have your own wireless broadband card, I would bring it along.  Or use your SSL VPN to browse and post.

Vet

Uber Credit Card "Hacker" Story

January 7, 2009 // Posted in Security  | 

This is an awesome account of Max Butler, a.k.a Iceman, and his exploits as a credit card cyber crook.  The details are superb.  The writing is excellent.  It is long, but it is worth the read.

Kudos to Kevin Poulsen (a.k.a Dark Dante) on this article.

Vet

Good post on the cert MD5 hack

January 5, 2009 // Posted in Security  | 

JJ over at Security Uncorked wrote a great post on the MD5 CA hack.  She called it "A Layman’s Explanation of the CA Certificate Vulnerability", and though I would say it is not exactly layman level, it is definitely understandable and digestible for most people who have decent technical security chops but don’t know much about crypto.

This is one of the things I love about the blogosphere.  There is always someone willing to write something like this that benefits the community.  Thanks for the explanation JJ. 

Vet

Managing people instead of Managing problems

January 4, 2009 // Posted in Security  | 

A good friend of mine from church (@johndcook) put out a link on Twitter this morning.  It pointed to this Seth Godin post, which inspired me to write a bit.  Since the post is not long, I will recreate it here (but I urge you to go read Seth’s stuff if you want to get some good advice on marketing):

Unless you work in a nuclear power plant, the answer is certainly no (and if you work there, I hope the answer is yes.)

No, everything is not okay. Not in a growing organization. Not if your company is making change happen, or dealing with customers. How could it be?

And yet, that’s what so many managers focus on. How to make everything okay.

We spend so much time smoothing things out, we lose the opportunity for change, or for texture or creativity.

Instead of working so hard to make everything okay, perhaps it is more helpful to work hard at living with a world that rarely is. (emphasis added)


That is a great post.  What I take from this is that we can’t hold everyone’s hand and lead them through the hard times (the ol’ "give a man a fish" saying).  We have to give people the tools to make it through hard times.  While we should support them, we SHOULD NOT just clear the lane and make things easy.  That does nothing but make our employees dependent on us rather than on their own intelligence and talent to figure out how to make the best of a situation.  A guide is a good thing.  A mommy is not a good thing.

When I think of this quote, I think of my children.  My wife and I were having a discussion with our 7-year old last night during our family devotional time that centered around how parents discipline their children because they love them, not because it is fun or because we don’t like our children.  We want our children to be responsible adults.  If we didn’t care how they ended up, then we would just let them do whatever they wanted so they would grow up to be terrors (I am still not sure he understood how discipline had anything to do with how much we loved him – he had to spend his money to buy his brother a new football because he left it outside and the dog tore it up – but oh well).  This post by Mr. Godin applies perfectly to that situation, so that the lesson is applicable in work AND life. 

That last paragraph is also about as Twitter-worthy as you can get in my mind.

Vet

The scourge of default passwords

December 30, 2008 // Posted in Security  | 

One security issue that befuddles me is the default password issue.  When you put a device in an Internet-facing position, you really should make sure the password is not set to the default.

You can probably guess why I am ranting.  Yes, a client for whom we are performing a security assessment just received their first status report, and that report showed a MAJOR device on the Internet was set with a default password.  This device literally controls their Internet connection, and THEY HAD A DEFAULT PASSWORD ON IT.  Argh…

Normally I would write this kind of post pretty quickly in Twitter, but I really feel like it warranted a blog post since it is such a pet peeve, especially since my blogging here has become almost nonexistent now that I can summarize things so quickly in Twitter.  It seems to fit the way my brain works.  Of course, that is a whole other post.

Vet

Merry Christmas to all

December 25, 2008 // Posted in Security  | 


Vet

An Information Security Place Podcast – Episode 12

December 24, 2008 // Posted in Podcasts |


Link to MP3

MERRY CHRISTMAS and welcome to Episode 12!  I have been sick all week, and it hit me hard yesterday and today.  So Jim and Kirk saved the day and recorded the podcast without me.  I am a little bummed that I was not on the last podcast of the year, but you would not have wanted to listen to me sounding all nasally.

So thanks to Jim and Kirk.  Here are the…

Show Notes:

InfoSec News Update:

Discussion - Using Local resources for Social Engineering

Geek Toys – Last Minute Geek Gift Ideas

Consultant’s Corner - 2008 Year in Review – the Consultant’s Perspective

Music Notes:

Another Apple Software Update

December 23, 2008 // Posted in Apple, Sheesh  | 


How much more crap can Apple try to fool me into installing on my machine?  Makes me want to uninstall QuickTime and iTunes.  Are they trying to convert PCs into Macs?  Sheesh!!

Vet

Good Nessus 3 PCI scanning video

December 11, 2008 // Posted in Security  | 

There’s a good video on scanning for PCI compliance with Nessus 3 over at The Academy.  Go take a look.

BTW,  there’s a lot of other good stuff over there as well.  Peter and that group have put together a lot of great content that is relevant.  Browse around while you are there.

Vet

An Information Security Place Podcast – Episode 11

December 11, 2008 // Posted in Podcasts, Security |


Link to MP3

Show Notes:

Segment 1: InfoSec News Update (Michael gets to do a little talkin’ here – and he promptly screws it up):

  • New Security Awareness video on YouTube – kinda cheesy, but a pretty good production
  • Digittrade HD Encryption Broken – “in our test, unscrewing the housing took longer than cracking its encryption mechanism.”
  • Lenovo’s new facial recognition software defeated by printed photo
  • Massachusetts new law – 201 CMR 17.00 – “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information” – a civil penalty of $5,000 may be awarded for each violation of 93H. In addition, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.  Requires regular monitoring, documenting responsive actions taken during a breach, and reasonable monitoring of systems.
  • File Under DUH! Symantec discovers cybercrime makes money – estimates value around $1.7 billion
  • Really simple PCI FAQ that you should be aware of
  • Apple and the AntiVirus Debate – In a written statement sent to security news site Securityfocus.com, Apple explained their decision to pull the document: “We have removed the KnowledgeBase article because it was old and inaccurate,” Apple said in a statement sent to SecurityFocus. “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, running antivirus software may offer additional protection.”

Discussion: BLATANT FUD – Patching at the enterprise level – Secunia: “virtually every Windows PC is at risk” – 98% of Windows computers are missing patches – 46% were missing more than 11 patches

Segment 2: Geek Toys and Consultants Corner

  • Geek Toys – Kensington Portable Power Outlet – AS SEEN ON REGIS AND KELLY!!!!
  • Consultants Corner – Helping a client deal with a breach (specifically as it relates to compliance issues)

Music Notes: NEW – CHECK OUT THE LINKS TO THE BANDS ON PODSHOW.COM

Vet