
All three of us are on this time. Some good talk about disclosure and web app firewalls, and Google, and some other stuff. Enjoy!
Show Notes:
InfoSec News Update -
Discussion Topic #1 – Google Is Watching Your Wifi, But do You Really Care?
Discussion Topic #2 - Ye’ Old “Disclosure” Debate…Again?!? Link 1 / Link 2
Music Notes –
Link to MP3

Episode 35 is here. The format is different today. Instead of you listening to Dan, Jim, and me yap about news and pontificate about security topics, you are going to hear a talk I gave at the Texas Technology Summit in early April 2010. The talk title and synopsis are below, along with a link to the slide deck.
Title: Breaking Down the Enterprise Security Assessment
Synopsis: Many enterprise security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered. Come join a discussion on the breakdown of a security assessment, explore the essential attack vectors, and debate the depth to which the assessment should go.
Link to MP3
Link to slides

Yes, the logo is weird this time. If you can’t tell what it is, maybe this will help. For the first time ever (and probably the only time since I don’t get to Atlanta much), An Information Security Place Podcast has joined forces with the Southern Fried Security Podcast to create a joint episode. Can you see it now?? Yes, that is the logo for An Information Security Place Podcast placed over Colonel Sanders’ face (he is the patron saint for the SFS podcast). Yea, I thought it was actually kinda freaky, too. But what else do I have to do with my time??
So we joined forces for a couple of reasons:
- Because I was in Atlanta to speak about security assessments at the local NAISG chapter.
- I begged Martin to let me post it up as episode 33 over here since Dan, Jim and I haven’t had a chance to record yet, and this makes it all better!
So we stayed in the same room where the event was held and got irradiated by a myriad of computer and sound equipment while recording the podcast. I had to wear someone’s headset, and now I have some kind of weird rash and some minor swelling around my ears. And to make it even more fun, Mike Rothman sat across from us the whole time and heckled us. What a night.
Actually, I had an awesome time. Very good times with very good friends. Thanks to the whole Atlanta NAISG crew and the SFS podcast crew (Andy Willingham, Martin Fisher, and Steve Ragan) for inviting me in with typical southern hospitality (even though Steve is a Yankee).
As to show notes, I am lazy. I am only going to have one note (below) because it is the one news item that I brought along and the ONLY one that Andy didn’t include in his notes (in fairness, I never sent him the link). Here’s a link to the SFS podcast site with the rest of the notes. (Hey, Andy did the hard work – why duplicate efforts??)
- Caleb Sima says that developers shouldn’t learn anything about security – Link here
Link to MP3
Just realized that iTunes picked up Episode 31 instead of episode 32 on the latest post. I had to delete the enclosure in Wordpress and then recreate it. Not sure what happened. If you subscribe to the podcast via iTunes, you may need to delete Episode 32 and then update. Sorry about that!
Vet

OK, holy crap. We expected this episode to be pretty short since Jim was not around to add his golden commentary, but we got to yappin’ and churned out almost an hour of content (I use that term loosely). So enjoy the show!
Show Notes:
InfoSec News Update –
- Iran Shutters Google’s Gmail Service, offering own email for citizens – Link here
- Security Scoreboard – Link here
- Brian Krebs’ blog post used by scammers - Link here and Sophos article link here
- The Death of Product Reviews (Mike Rothman at Securosis) - Link here
- TSA agent arrested for molestation - Link here
We won’t get into the details here because this guy is sick, but I had to point out this line from the TSA blog about the issue:
“TSA holds the highest standards for our workforce and this individual’s actions do not reflect on the more than 50,000 men and women who work every day to keep the traveling public safe.”
- Hacker threat forces DoH to close appraisal site (Political Activist?) - Link here
Discussion Topic – Smaller, more intimate security conferences (Security B-Sides, Schmoocon, etc)

Link to MP3
OK, this was just a stupid, crazy, and fun episode. We had technical hiccups, a roving co-host that likes to text another cohost during recording, plus this episode is late getting recorded because of end-of-year schedule. But we powered through it, and Jim got to spend a lot of time on post-production.
I think you are going to enjoy this randomness…
Show Notes:
InfoSec News Update and Geek Toys Update –
- T-Mobile Employee causes largest data theft in the UK – Link Here
- Government Security Woes
Story 1 – 5 TSA workers put on leave over online posting – Link here
Story 2 – The Party Crashing Scandal – Link Here
Story 3 – Felon working for DHS for 2 years – Link Here
- Nessus 4.2 is released – Link Here
- Rapid7 and Metasploit Community Projects – Link 1 / Link 2
- ProxMark3 now shipping completed RFID read/write/clone kits – Link here
- Moxie launched cloud-based WPA password Cracking – Link Here
- Cure for Eye Strain – Gunnar Glasses – Link Here
Discussion Topic - Changes to OWASP standard for 2010 – Link Here
Consultants Corner - Picking your tools wisely… 2009/2010 update
Music Notes –

Link to MP3
Episode 25 is here. Today’s podcast is different than our usual. Instead of having Jim, Dan, and me spout off and pontificate, I am interviewing Wesley McGrew from McGrew Security. Wesley is a security researcher at Mississippi State University’s Critical Infrastructure Protection Center, where he works to find vulnerabilities in SCADA software. He also operates mcgrewsecurity.com, where he blogs about information security topics.
Wesley caught a script-kiddie back in June trying to do some pretty weak SCADA hacking at a Dallas-area hospital. He and I talked about the incident and also discussed some of Wesley’s future plans (not much since he couldn’t divulge a lot – oooo, mysterious!). So enjoy the show. Links to the blog posts from Wesley’s script kiddie adventure are below.
http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-1/
http://www.mcgrewsecurity.com/2009/07/02/ghostexodus-part2/
http://www.mcgrewsecurity.com/2009/07/06/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-3/
http://www.mcgrewsecurity.com/2009/07/07/ghostexodus-part4/
Vet

Link to MP3
We’re back with episode 23. Jim is back (you can decide if that is good news or bad news), and Dan Kuykendall is joining us again (calls himself the guest that won’t leave the couch). Thanks for listening…
Show notes:
InfoSec News Update -
- Big Thank You to all our Clients and the folks that stopped by the booth and our party at BlackHat!
- UK ID card Hacked/Cloned in 12 Minutes – Link Here
- “Mega breaches” use preventable attacks – Link Here
- Hackers target outsourced app development – Link Here
- National Retail Federation still struggling with PCI – Link Here
- Reset Password problems, and reusing passwords in general:
- “FILE UNDER DUH” – Study warns of cyberwarfare during military conflicts – Link Here
Discussion Topic - Web Security On Cell Phones – Link Here
Geek Toyz –
Music Notes:

Link to MP3
Episode 22 is here. Jim was not available to join me this time (been traveling and real busy), so Dan Kuykendall from NT Objectives was kind enough to fill in as co-host for today. We had some good discussion, and a show that I thought would be a little shorter ended up being pretty long. But it is good stuff. Here are the show notes:
InfoSec News Update -
- Vulnerable web servers on webcams, NAS, etc – Link Here
- Obama’s cybersecurity Czar quits – Link Here
“People familiar with the matter said Ms. Hathaway has been ‘spinning her wheels’ in the White House, where the president’s economic advisers sought to marginalize her politically.
In February, the White House tapped Ms. Hathaway, a senior intelligence official who had launched President George W. Bush’s cybersecurity initiative, to lead a 60-day cybersecurity policy review. Ms. Hathaway completed her review in April, but the White House spent another 60 days debating the wording of her report and how to structure the White House cyber post. National Economic Adviser Larry Summers argued forcefully that his team should have a say in the work of the new cyber official.”
- SSL Under attack this year at BlackHat/Defcon. These attacks don’t attack the math, they attack the (mis)usage of the clients and cert authorities
New Tricks For Defeating SSL In Practice (sslstrip) – Link Here
Researcher Exposes Flaws In Certificate Authority Web Applications – Link Here
- Defcon goon “Priest” is everywhere – Links Here and Here
Discussion Topic - The ol’ security guidelines / best practices discussion
Consultants Corner – Varied BlackHat / Defcon points -
- SSL issues
- Unmasking You talk by Joshua “Jabra” Abraham and Robert “RSnake” Hansen
- Dan’s general Opinions about web security talks – he was underwhelmed
Music Notes:

Link to MP3
Episode 21 is up and going. Looks like Jim and I are back on a regular cycle again. Hopefully it stays that way! Here are the show notes:
InfoSec News Update -
- Goldman Sachs loses its secret sauce online – Link Here
- Fed gets an F on Physical Security – Link Here
- North Korea Blamed in Cyber Attacks over July 4th – Link Here
- Juniper Pulls ATM hacking preso from BH – Link Here
- Month of Twitter Bugs – Link Here
- 10 Things Your Auditor Isn’t Telling You – Link Here
- New head of MI6 wears Speedos on Facebook – Link Here
- Algorithm for Predicting and guessing SSNs – Link Here
- iPhone SMS Vulnerability – Link Here
- Study – Oracle Users struggle with patch management – Link Here
Discussion Topic - Cloud Computing – is it a security nightmare waiting to happen? – Link Here
Consultants Corner - Developing an offering before going public!
Music Notes:
Vet

Link to MP3
The long-awaited episode 20 is finally here. Sorry for the crazy long wait!
InfoSec News Update –
Discussion Topic - What’s the difference between an Auditor and an Assessor?
Consultant’s Corner - To Scope or Not to Scope
Music Notes:

Link to MP3
So, we officially have our first lost episode. I recorded episode 18 a while back with Michael Santarcangelo, but we had some crazy technical problems. When I tried to get everything edited together to make it work, I started having some major problems. Without getting into all the details, the recording was not salvageable. Sorry to Michael for this since I know he took his valuable time to record with me.
So now we have episode 19. I guess we could have just said this one was episode 18 and gone on, but we are honest people over here at An Information Security Place Podcast. And as far as episode 19 goes, Jim and I have been balls-to-the-wall busy lately, and I have had a crazy schedule for over a month. Jim got a break in his schedule (probably more like forced a break) and coerced Kirk Greene to help him out in my place. And then Jim had some technical problems as well and ended up recording the last 15 minutes by himself (or Kirk pissed him off – not sure which). Yes, it has been a crazy time for us. But we are back, and hopefully we will get back on a regular schedule.
Now, here are the show notes for episode 19:
InfoSec News Update –
- Warm Fuzzy Story – Many Users say they’d sell company info for the right price! – Link Here
- Another Twitter Admin Account Compromised – Link Here
- New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping – Link Here
- Acrobat with Yet Another 0-day – Link Here
- Fed Bank Worker charged with Data Theft – Link Here
- More Federal Reg ‘a’ Coming for Power companies – Link Here
- That’s gonna leave a mark! – Multiple Vulns found on McAfee’s website – Link Here
- Hacker’s demand: $10M for Virginia prescriptions database – Link Here
- Economy Note – Security Suffers Cuts but fares better than most – Link Here
Geek Toys -
Consultants Corner - DIY Security Testing Lab
Music Notes:
Vet
I have been answering quite a few security assessment RFPs lately, most specifically geared towards penetration testing of the external and internal environment (you guessed it – PCI). And what I have noticed is that the writers of the RFP typically do not include enough detail in the RFP for the organizations attempting to answer it to give a solid response. Basically, if you need a good answer to your RFP, you have to give me enough to scope the amount of time it is going to take me to get it done.
- If you have 200 external IPs and you want to have those scanned for vulnerabilities, and then you want to have those vulnerabilities used for penetration testing, I have to know that in order to scope.
- If you have some applications on those servers, I need to know if I will have credentials or if this is going to be totally black-box testing. I also need to have SOME idea of how many apps I am going to run up against.
- If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
- Etc, etc, etc
If you would provide this kind of quantitative information up front, I would not have to write up a bunch of questions and send them to you. You would not have to take the time to answer these questions (and probably send them to me 2 days before the responses are due). It really is simple: if I don’t have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).
Of course, many people will tell you that RFPs are often written in such a way to discourage responses because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions. The RFP writer is simply going through the motions because of company policy. I get that.
But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly. Thank you for your consideration.
Vet
Finally the day has come. I have been pushing to get this done internally at Accuvant for a while, and things just never lined up. But now we finally are there. Yes, the Accuvant blog is up and running. You can find it at http://insight.accuvant.com.
There are already some great posts up by some of our uber-smart assessment consultants. We have some very high-end research guys on our team, plus just some of the best all around assessment people. There is no weak link on that team, and they continue to amaze me.
Some of you may not be aware that Dave Maynor joined our team at the beginning of the year. I was fortunate enough to sit next to him at a client down here in Houston as he smacked around their AS/400 environment. And not only is Dave smart, he is friggin’ hilarious as well.
So anyway, go take a gander at the blog. Look for more great stuff to pop up on there.
Oh, and Accuvant has a Twitter account as well at http://twitter.com/Accuvant. It will likely be mostly reflecting blog posts right now, but there might be more in the future.
Vet
Sorry for the delay in getting the last podcast posted. I recorded it with Michael Santarcangelo last week (Jim was sick), but we had some issues with the recording (Skype cut out twice, other issues), and I have not had the time to edit everything. I have a good bit of it done, but I am not as good as Jim is on getting all that cut and put together. I hope to have it done this week.
Vet
If anyone is heading to TRISC (Texas Regional Infrastructure Security Conference) tomorrow in Austin, let me know. I will be there tomorrow for a day doing booth duty with Citrix. I think they will mostly be showing their NetScaler product (load balancer, reverse proxy, and WAF).
Sometimes I like doing booth duty just because it enables me to do what I like doing, which is talking to people. I like the interaction, and I enjoy helping people find what they need. Of course, a security evangelist-type of job is what I would really enjoy, and this falls into that. Maybe one day.
Vet
Link to MP3
Here is Episode 17. Sorry for the delay in getting it out. Last week was extremely rough for Jim and me, but we are back at full strength now. Well, maybe 85% strength anyway.
In this show Jim and I relate the latest news as always, then we have some discussion about layoffs and how that is causing a lot of orphaned hardware and software. Then we discuss some challenges for the consultant in walking the minefield of politics at client companies.
Also, we had some listener feedback from Geir. He was busting on us a bit about our saying you need to patch your stuff when we were talking about 0day. Thanks for keeping us straight Geir. If you want to send feedback, you can send it to podcast-at-infosecplace.com.
Here are the show notes:
InfoSec News Update:
- Follow up – Another Payment Processor Has Been Hacked – Visa says JUST KIDDING! – Link Here – This Just In – A new timeline of the Unnamed Processor – Link Here
- Gartner – Nearly 8 Percent of U.S. Adults Lost Money To Financial Fraud in ‘08 – Link Here
- Federal cybersecurity director quits, complains of NSA role – Link Here
- Health Records Show Up in Yard – Link Here
- Study: Antivirus Software Catches About Half Of Malware – Link Here
- MS Finally killing off AutoRun – Link Here
- Marine One data leak – Link Here
- The Return of L0phtCrack!! – Link Here
- WarVox Released – Link Here
- Thieves Steal the Show at Cebit – Link Here
- Checklist for complying with PCI security standard – Link Here / Link To Checklist
Discussion - Orphaned hardware and Software – Link Here
Consultant’s Corner - Dealing with political landscapes at your client’s company
Music Notes:
Vet
Sorry everyone. Jim and I are big time swamped with work right now. Plus I have a friend who is very ill, and I am tied up with that as well. We’ll be back next week.
Vet

Link to MP3
Episode 16 is up and running. Jim and I cover a lot of news again in this episode. Also, Jim goes a little crazy with the geek toys, but it is all really cool stuff and good info. We get into some PCI futures, playing off of Rich Mogull’s ideas on the subject. And we have a good cert discussion as well.
Show notes:
InfoSec News Update:
Geek Toys:
Consultants Corner: Top three security certifications (uhhh, yeah…)
Music Notes:
I just got an eval PacketShaper 2500 for a few days from my local Bluecoat SE (Bluecoat bought them a few months ago). I actually used to work with these boxes just about every day a few years back. I worked for a company that built apartment complexes for college students at a lot of major universities across the country. We acted as the ISP for the students, and these complexes would house 500-1000 students. These kids went EVERYWHERE on the Internet. There were so many different types of traffic flowing around on those networks, and there was A LOT of it. Students were constantly complaining about the slowness of their Internet connection. Every day I was getting calls with someone griping. So the company would spend a little more money and I would bond another T-1 to the two or three we had. We would see improvement for MAYBE a day (two if we were lucky), then that pipe would fill up.
So we decided to bust out with the Packeteer boxes. I would put in a box, and we would see every type of traffic imaginable within about an hour. Back then Napster and Kazaa were the big bad boys. These kids would kick off 10-20 downloads before they went to class and just let them run all day. Multiply that by at least 100 students, and that traffic would just consume the pipe completely. When that happened, the poor students just trying to surf the web for actual schoolwork would suffer horribly.
So when we started cutting that traffic off at the knees (either killing it entirely or making the bandwidth limit so low that it wasn’t worth it), things changed dramatically. All of a sudden people were able to surf the web. They could still download their music, but it would take a little longer (who cares if it is downloading while you are in class). Everything just improved, and the calls almost completely stopped. Of course, you always had the spoiled brat who complained because his DSL or cable at home was always fast and his online game never suffered there. It was always fun trying to explain to some punk getting a degree in underwater basket weaving that he didn’t have 900 other people trying to download porn and music on his DSL at home. What was more fun was explaining that I didn’t give a crap if Elf Quest was fast or slow and that he should probably be doing homework instead of screwing around with games. But I digress…
Anyway, good stuff. Click on the picture below to see some of the traffic on my little network (some purposefully generated by me).
Vet
I wanted to take a second to introduce a good friend of mine who has recently started blogging and will also be guest blogging here from time to time. This friend of mine is Douglas Haider. He is a former coworker at Accuvant and is now working for Xirrus, a Wi-Fi company.
I have pimped Douglas’ SANS classes in the past on my blog before. I have also worked on some gigs with him as well as attended some of his speaking engagements. He has been around and has seen it all. Basically, Douglas has some serious Wi-Fi and security chops. I welcome him to the blogging ranks, and I am honored that he wants to guest blog here.
Here are some links so you can learn more about Douglas and read his stuff:
Vet