Archive for January, 2009

An Information Security Place Podcast – Episode 14

January 29th, 2009 Michael Farnum

 

Link to MP3

Episode 14 is here.  First off, let me thank everyone that is listening to Jim and me spout off about everything.  Fourteen shows does not seem like a big number, but it involves a lot of work getting this going (especially on Jim’s part – thanks Jim) and keeping it going, and Jim and I appreciate everyone sticking in there with us.

Second, we have made some changes with my setup, so there might be a sound difference and some issues with this episode.  Forgive us as we get some new kinks worked out.

Third, this episode includes an interview with Mike Rothman from eIQnetworks.  You might know him better as that guy from Security Incite that has a yankee accent and tells everyone what he is thinking.  Either way, Mike is a great guy and a great friend, and I was honored to interview him.  I think you will enjoy that portion of the show.

And lastly, there is a programming note.  The geek toys segment that is brought to you by Jim every show is now going to be made more of a quarterly thing.  The reason is because Jim has to find something to talk about every time, and it is getting a little more difficult to find something for every show.

Here’s the breakdown of the show.

Show Notes:

InfoSec News Update: there’s been a lot happening the last two weeks

Discussion – New president declares his plan for US Cyber Security (more cynicism from Michael)

Vendor Interview – Michael interviews Mike Rothman from eIQnetworks

Consultants Corner – Combining compliance initiatives and what that means for security practices

Music Notes:

Categories: Security

An Information Security Place Podcast – Lucky Episode 13

January 19th, 2009 Michael Farnum

 

Link to MP3

An Information Security Place Podcast Lucky Episode 13 is here!  Sorry for the delay between podcasts.  Jim and I usually try to maintain the every-2-weeks schedule, but since we had Accuvant’s annual meeting coming up, we decided to push it out so we could do it there (“there” was Sedona, AZ – a beautiful place).  This is the first time Jim and I have been in the same room recording the podcast, which was different (Jim kinda smells a bit).  We had fun with it.

In addition, I wanted to take advantage of having some vendors close by (we have a vendor fair every year) for some interviews.  I only got one, but it was a good one with Bluecoat.  Thanks to Greg Buchan and Thomas Lee for spending some time with me.

So without further ado, here are the show notes:

Show Notes:

InfoSec News Update:

Discussion – Security Predictions for 2009 from Computer World

Geek Toys – MiniStack v3 Review

Consultants Corner – Choosing the right travel plans for yourself

Vendor Interview – Michael interviews Bluecoat

Music Notes:

* Intro/Outro – Digital Breaks – “Therapy”
* Segue 1 – SatelliteState – “ClockWorks”
* Segue 2 – Naked Gun – “A.D.D.”

Categories: Security

RSA Conference 2009 Press Registration…

January 12th, 2009 Michael Farnum

is officially OPEN.

I just finished signing up.  I usually receive a confirmation in a couple of days.  I highly advise you to take advantage of this if you are a security blogger or freelance writer.  You essentially get free access to just about everything.  Yes, you have to wear the press badge, but I found last year that it was to my advantage because people tended to underestimate me when I interviewed them.  Yes, you have to deal with about a million emails from vendors wanting you to write about them, but you get used to it.

You also get access to the press room, where you get fed, watered, and generally pampered.  Just watch out for people trying to hack the wireless network and make you look stupid.  Probably not as much of a risk as at Blackhat, but if you have your own wireless broadband card, I would bring it along.  Or use your SSL VPN to browse and post.

Vet

Categories: Security

Uber Credit Card "Hacker" Story

January 7th, 2009 Michael Farnum

This is an awesome account of Max Butler, a.k.a. Iceman, and his exploits as a credit card cyber crook.  The details are superb.  The writing is excellent.  It is long, but it is worth the read.

Kudos to Kevin Poulsen (a.k.a. Dark Dante) on this article.

Vet

Categories: Security

Good post on the cert MD5 hack

January 5th, 2009 Michael Farnum

JJ over at Security Uncorked wrote a great post on the MD5 CA hack.  She called it "A Layman’s Explanation of the CA Certificate Vulnerability", and though I would say it is not exactly layman level, it is definitely understandable and digestible for most people who have decent technical security chops but don’t know much about crypto.

This is one of the things I love about the blogosphere.  There is always someone willing to write something like this that benefits the community.  Thanks for the explanation JJ. 

Vet

Categories: Security

Managing people instead of Managing problems

January 4th, 2009 Michael Farnum

A good friend of mine from church (@johndcook) put out a link on Twitter this morning.  It pointed to this Seth Godin post, which inspired me to write a bit.  Since the post is not long, I will recreate it here (but I urge you to go read Seth’s stuff if you want to get some good advice on marketing):

Unless you work in a nuclear power plant, the answer is certainly no (and if you work there, I hope the answer is yes.)

No, everything is not okay. Not in a growing organization. Not if your company is making change happen, or dealing with customers. How could it be?

And yet, that’s what so many managers focus on. How to make everything okay.

We spend so much time smoothing things out, we lose the opportunity for change, or for texture or creativity.

Instead of working so hard to make everything okay, perhaps it is more helpful to work hard at living with a world that rarely is. (emphasis added)

 

That is a great post.  What I take from this is that we can’t hold everyone’s hand and lead them through the hard times (the ol’ "give a man a fish" saying).  We have to give people the tools to make it through hard times.  While we should support them, we SHOULD NOT just clear the lane and make things easy.  That does nothing but make our employees dependent on us rather than their own intelligence and talent to figure out how to make the best of a situation.  A guide is a good thing.  A mommy is not a good thing.

When I think of this quote, I think of my children.  My wife and I were having a discussion with our 7-year-old last night during our family devotional time that centered around how parents discipline their children because they love them, not because it is fun or because we don’t like our children.  We want our children to be responsible adults.  If we didn’t care how they ended up, then we would just let them do whatever they wanted so they would grow up to be terrors (I am still not sure he understood how discipline had anything to do with how much we loved him – he had to spend his money to buy his brother a new football because he left it outside and the dog tore it up – but oh well).  This post by Mr. Godin applies perfectly to that situation, so that the lesson is applicable in work AND life.

That last paragraph is also about as Twitter-worthy as you can get in my mind.

Vet

Categories: Security