An Information Security Place

Yes, the logo is weird this time.  If you can’t tell what it is, maybe this will help.  For the first time ever (and probably the only time since I don’t get to Atlanta much), An Information Security Place Podcast has joined forces with the  Southern Fried Security Podcast to create a joint episode.  Can you see it now??  Yes, that is the logo for An Information Security Place Podcast placed over Colonel Sander’s face (he is the patron saint for the SFS podcast).  Yea,  I thought it was actually kinda freaky, too.  but what else do I have to do with my time??

So we joined forces for a couple of reasons:

1. Because I was in Atlanta to speak about security assessments at the local NAISG chapter.
2. I begged Martin to let me post it up as episode 33 over here since Dan, Jim and I haven’t had a chance to record yet, and this makes it all better!

So we stayed in the same room where the event was held and got irradiated by a myriad of computer and sound equipment while recording the podcast.  I had to wear someone’s headset, and now I have some kind of weird rash and some minor swelling around my ears.  And to make it even more fun, Mike Rothman sat across from us the whole time and heckled us.  What a night.

Actually, I had an awesome time.  Very good times with very good friends.  Thanks to the whole Atlanta NAISG crew and the SFS podcast crew (Andy Willingham, Martin Fisher, and Steve Ragan) for inviting me in with typical southern hospitality (even though Steve is a Yankee).

As to show notes, I am lazy.  I am only going to have one note (below) because it is the one news item that I brought along and the ONLY one that Andy didn’t include in his notes (in fairness, I never sent him the link).  Here’s a link to the SFS podcast site with the rest of the notes.   (Hey, Andy did the hard work – why duplicate efforts??)

• Caleb Sima says that developers shouldn’t learn anything about security – Link here

Link to MP3

Just realized that iTunes picked up Episode 31 instead of episode 32 on the latest post. I had to delete the enclosure in Wordpress and then recreate it. Not sure what happened. If you subscribe to the podcast via iTunes, you may need to delete Episode 32 and then update. Sorry about that!

Vet

OK, holy crap.  We expected this episode to be pretty short since Jim was not around to add his golden commentary, but we got to yappin’ and churned out almost an hour of content (I use that term loosely).  So enjoy the show!

Show Notes:

InfoSec News Update –

• Iran Shutters Google’s Gmail Service, offering own email for citizens – Link here
• Security Scoreboard – Link here
• Brian Kreb’s has blog post used by scammers - Link here and Sophos article link here
• The Death of Product Reviews (Mike Rothman at Securosis) - Link here
• TSA agent arrested for molestation - Link here

Link to MP3

 
Link to MP3

OK, this was just a stupid, crazy, and fun episode.  We had technical hiccups, a roving co-host that likes to text another cohost during recording, plus this episode is late getting recorded because of end-of-year schedule.  But we powered through it, and Jim got to spend a lot of time on post-production.

I think you are going to enjoy this randomness…

Show Notes:

InfoSec News Update and Geek Toys Update –

• T-Mobile Employee causes largest data theft in the UK – Link Here
• Government Security Woes
  Story 1 – 5 TSA workers put on leave over online posting – Link here
  Story 2 – The Party Crashing Scandal – Link Here
  Story 3 – Felon working for DHS for 2 years – Link Here
• Nessus 4.2 is released – Link Here
• Rapid7 and Metasploit Community Projects – Link 1 / Link 2
• ProxMark3 now shipping completed RFID read/write/clone kits – Link here
• Moxie launched cloud-based WPA password Cracking – Link Here
• Cure for Eye Strain – Gunnar Glasses – Link Here

Discussion Topic -

Changes to OWASP standard for 2010 –

Link Here

Consultants Corner - Picking your tools wisely… 2009/2010 update

Music Notes –

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – This is Fiction – “Breathe”
• Segway 2 – Patent Pending – “Los Angeles”
• Segway 3 – The FUMP – “”All You Can Tweet”

Link to MP3

Link to MP3

Link to MP3

Episode 25 is here.  Today’s podcast is different than our usual.  Instead of having Jim, Dan, and me spout off and pontificate, I am interviewing Wesley McGrew from McGrew Security.  Wesley is a security researcher at Mississippi State University’s Critical Infrastructure Protection Center, where he works to find vulnerabilities in SCADA software.  He also operates mcgrewsecurity.com , where he blogs about information security topics.

Wesley caught a script-kiddie back in June trying to do some pretty weak SCADA hacking at a Dallas-area hospital.  He and I talked about the incident and also discussed some of Wesley’s future plan (not much since he couldn’t divulge a lot – oooo, mysterious!).  So enjoy the show.  Links to the blog posts from Wesley’s script kiddie adventure are below.

http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-1/

http://www.mcgrewsecurity.com/2009/07/02/ghostexodus-part2/

http://www.mcgrewsecurity.com/2009/07/06/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-3/

http://www.mcgrewsecurity.com/2009/07/07/ghostexodus-part4/

Vet

Link to MP3

Link to MP3

We’re back with episode 23.  Jim is back (you can decide if that is good news or bad news), and Dan Kuykendall is joining us again (calls himself the guest that won’t leave the couch).  Thanks for listening…

Show notes:

InfoSec News Update -

• Big Thank You to all our Clients and the folks that stopped by thebBooth and our party at BlackHat!
• UK ID card Hacked/Cloned in 12 Minutes – Link Here
• “Mega breaches” use preventable attacks – Link Here
• Hackers target outsourced app development – Link Here
• National Retail Federation still struggling with PCI – Link Here
• Reset Password problems, and reusing passwords in general:
  • Wordpress Password hack – Link Here / Link2
  • The Twitter hack – Link Here
• “FILE UNDER DUH” – Study warns of cyberwarfare during military conflicts – Link Here

Discusstion Topic - Web Security On Cell Phones – Link Here

Geek Toyz –

• SheevaPlug PC
• Dual Geforce GTX 295s for the Win!!
  • GPU Acceleration for Cracking Galore -
    • Rainbowcrack
    • Pyrit
    • CUDA MultiForcer
    • ElcomSoft
• G2 / MyTouch Review from Dan
• Hitting up your local Surplus Dealer
• How To Quite down high end gear – PCI slot fan / 4MM Fans
• Good Source for parts and tools

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Megaphone – “Write it Down”
• Segway 2 – Patent Pending – “Los Angeles”
• Segway 3 – Devo Spice – “Platform Wars”

Link to MP3

Episode 21 is up and going. Looks like Jim and I are back on a regular cycle again. Hopefully it stays that way! Here are the show notes:

InfoSec News Update -

• Goldman Sachs looses its secret sauce online – Link Here
• Fed gets and F on Physical Security – Link Here
• North Korea Blamed in Cyber Attacks over July 4th – Link Here
• Juniper Pulls ATM hacking preso from BH – Link Here
• Month of Twitter Bugs – Link Here
• 10 Things Your Auditor Isn’t Telling Your – Link Here
• New head of MI6 wears Speedos on Facebook – Link Here
• Algorithm for Predicting and guessing SSNs – Link Here
• Iphone SMS Vulnerability – Link Here
• Study – Oracle Users struggle with patch management – Link Here

Discussion Topic - Cloud Computing – is it a security nightmare waiting to happen? – Link Here

Consultants Corner - Developing an offering before going public!

Music Notes:

• Intro/Outro – Digital Breaks – "Therapy"
• Segway 1 – Eric Kauschen – "Speed of Light"
• Segway 2 – The WaterMarks – "Shut Down"
• Segway 3 – Megaphone – "Not your enemy"

Vet

Link to MP3

The long-awaited episode 20 is finally here. Sorry for the crazy long wait!

InfoSec News Update –

• Data Breach Suit Targets Auditor – Link Here
• Exobox data leak detection coming out – Link Here
• "CloudBurst" allows attackers to break VM guest OS and attack Host – Link Here
• Obama creates the office of Cyber Czar – Link Here
• Twitter and Iran – Link Here
• IOSCAT talk from SANS – Link Here
• Tmobile Breached….Maybe? – Link 1 / Link 2
• Wireless Keyboard sniffing just got alot easier – Link Here
• LC6 is Officially Released – Link Here
• Trojan Attack on ATMs – Link Here
• Patch Your Blackberry Servers – Link Here

Discussion Topic -Whats the difference between an Auditor and a Assessor?

Consultant’s Corner - To Scope or Not to Scope

Music Notes:

• Intro/Outro – Digital Breaks – "Therapy"
• Segway 1 – PawnShop Diamonds – "High Road Low Down"
• Segway 2 – Woodfish – "Melody"
• Segway 3 – The WaterMarks – "Shut Down"

Link to MP3

So, we officially have our first lost episode. I recorded episode 18 a while back with Michael Santarcangelo, but we had some crazy technical problems. When I tried to get everything edited together to make it work, I started having some major problems. Without getting into all the details, the recording was not salvageable. Sorry to Michael for this since I know he took his valuable time to record with me.

So know we have episode 19. I guess we could have just said this one was episode 18 and went on, but we are honest people over here at An Information Security Place Podcast. And as far as episode 19 goes, Jim and I have been balls-to-the-wall busy lately, and I have had a crazy schedule for over a month. Jim got a break in his schedule (probably more like forced a break) and coerced Kirk Greene to help him out in my place. And then Jim had some technical problems as well and ended up recording the last 15 minutes by himself (or Kirk pissed him off – not sure which). Yes, it has been a crazy time for us. But we are back, and hopefully we will get back on a regular schedule.

Now, here are the show notes for episode 19:

InfoSec News Update –

• Warm Fuzzy Story – Many Users say they’d sell company info for the right price! – Link Here
• Another Twitter Admin Account Compromised – Link Here
• New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping – Link Here
• Acrobat with Yet Another 0-day – Link Here
• Feb Bank Worker charged with Data Theft – Link Here
• More Federal Reg ‘a’ Coming for Power companies – Link Here
• Thats gonna leave a mark! – Multiple Vulns found on Mcaffee’s website – Link Here
• Hacker’s demand: $10M for Virginia prescriptions database – Link Here
• Economy Note – Security Suffers Cuts but fares better than most – Link Here

Geek Toys -

• Interceptor – Hak5 Episode – DigiNinja’s Page
• Acer Aspire One 10.1 Netbook
• Wifi Card of Choice – Alfa Network AWUS036H
• Need a second NIC on a laptop? – Apple USB Ethernet is rather inexpensive and works with Windows / Linux / and OSX (duh). / Windows Driver
• NAS From Heaven – QNAP TS-809

Consultants Corner - DIY Security Testing Lab

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Dave Stanley Band – “Lights Out”
• Segway 2 – John Taglieri – ” Make A Mistake With Me”
• Segway 3 – Junior – “What Was I Thinking?”

Vet

I have been answering quite a few security assessment RFP’s lately, most specifically geared towards penetration testing of the external and internal environment (you guessed it – PCI).  And what I have noticed is that the writers of the RFP typically do not include enough detail in the RFP for the organizations attempting to answer to give a solid response.  Basically, if you need a good answer to your RFP, you have to give me enough to scope the amount of time it is going to take me to get it done. 

1. If you have 200 external IPs and you want to have those scanned for vulnerabilities, and then you want to have those vulnerabilities used for penetration testing, I have to know that in order to scope.
2. If you have some applications on those servers, I need to know if I will have credentials or if this is going to be totally black-box testing.  I also need to have SOME idea of how many apps I am going to run up against.
3. If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
4. Etc, etc, etc

If you would provide this quantity type of information up front, I would not have to write up a bunch of questions and send them to you.  You would not have to take the time to answer these questions (and probably send them to me 2 days before the responses are due).  It really is simple: if I don’t have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).

Of course, many people will tell you that RFP’s are often written in such a way to discourage responses because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions.  The RFP writer is simply going through the motions because of company policy.  I get that.

But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly.  Thank you for your consideration.

Vet

Finally the day has come.  I have been pushing to get this done internally at Accuvant for a while, and things just never lined up.  But now we finally are there.  Yes, the Accuvant blog is up and running.  You can find it at http://insight.accuvant.com.

There are already some great posts up by some of our uber-smart assessment consultants.  We have some very high-end research guys on our team, plus just some of the best all around assessment people.  There is no weak link on that team, and they continue to amaze me.

Some of you may not be aware that Dave Maynor joined our team at the beginning of the year.  I was fortunate enough to sit next to him at a client down here in Houston as he smacked around their AS400 environment.  And not only is Dave smart, he is friggin’ hilarious as well. 

So anyway, go take a gander at the blog.  Look for more great stuff to pop up on there.

Oh, and Accuvant has a Twitter account as well at http://twitter.com/Accuvant.  It will likely be mostly reflecting blog posts right now, but there might be more in the future.

Vet

As most of you know, Twitter was hit with a series of worms this past weekend.  They were created by 17 year old, Mikey Mooney, creator of the website StalkDaily.com (don’t visit the site).  The original worm seemed fairly innocuous, with messages that were created to drive traffic to the StalkDaily website.

I wrote a Computerworld blog post, where I detailed the original attack as well as provided a list of security recommendations.  In that post, I commented that Twitter users should be on the lookout for modified worms, especially as additional details of the original attack come to light.

After Twitter patched the original cross site scripting (XSS) flaw, which exploited the “link” field in a user profile, another variant of the worm appeared.  This time, the worm exploited the “color” setting of the user profile.   Modifying the worm highlighted that the XSS vulnerability was not limited to a single field and that Twitter would have to institute a comprehensive patch, not a band-aid solution.

The variant of the worm automatically generated tweets with the term “mikeyy”. These were sarcasitic in nature and seemed to be tounge-in-cheek.  Examples include:

• Mikeyy I am done…
• Mikeyy is done…
• Twitter please fix this, regards Mikeyy

The general consensus today is that the “StalkDaily” and “Mikeyy” worms have been adequately addressed.   However, I am not fully convinced. Four days after the original worm, I am still seeing suspicious behavior.  A colleague of mine has a Twitter account that automatically started generating tweets saying “I am not here right now.”

Using a third party iPhone application, TweetStack, I am conducting periodic searches on the string “I am not here right now.”  I found that this is not nearly as wide spread as the “StalkDaily” Twitter worm, but has affected at least a couple dozen accounts.

While this could be yet another variant of worm created by Mikey Mooney, my suspicion is that this is a copycat worm created by another party (most likely a Scriptkiddie).

Are YOU still seeing anomalous behavior on Twitter?  I would love to hear about it!  Please comment below as well as notify the Internet Storm Center if you see anything noteworthy.

- WiFiJedi

Douglas J. Haider is a Principal Technologist with Xirrus.  He hosts a personal blog at WiFiJedi.com, and micro-blogs on Twitter @wifijedi (which was not infected by the Twitter worm at the time of this writing…)

Sorry for the delay in getting the last podcast posted.  I recorded it with Michael Santarcangelo last week (Jim was sick), but we had some issues with the recording (Skype cut out twice, other issues), and I have not had the time to edit everything.  I have a good bit of it done, but I am not as good as Jim is on getting all that cut and put together.  I hope to have it done this week.

Vet

If anyone is heading to TRISC (Texas Regional Infrastructure Security Conference) tomorrow in Austin, let me know.  I will be there tomorrow for a day doing booth duty with Citrix.  I think they will mostly be showing their NetScaler product (load balancer, reverse proxy, and WAF).

Sometimes I like doing booth duty just because it enables me to do what I like doing, which is talking to people.  I like the interaction, and I enjoy helping people find what they need.  Of course, a security evangelist-type of job is what I would really enjoy, and this falls into that.  Maybe one day.

Vet

Link to MP3

Here is Episode 17. Sorry for the delay in getting it out. Last week was extremely rough for Jim and I, but we are back at full strength now. Well, maybe 85% strength anyway.

In this show Jim and I relate the latest news as always, then we have some discussion about layoffs and how that is causing a lot of orphaned hardware and software. Then we discuss some challenges for the consultant in walking the mind field of politics at client companies.

Also, we had some listener feedback from Geir. He was busting on us a bit about our saying you need to patch your stuff when we were talking about 0day. Thanks for keeping us straight Geir.  If you want to send feedback, you can send it to podcast-at-infosecplace.com.

Here are the show notes:

InfoSec News Update:

• Follow up – Another Payment Processor Has Been Hacked – Visa says JUST KIDDING! – Link Here – This Just In – A new timeline of the Unnamed Processor – Link Here
• Gartner – Nearly 8 Percent of U.S. Adults Lost Money To Financial Fraud in ‘08 – Link Here
• Federal cybersecurity director quits, complains of NSA role – Link Here
• Health Records Show Up in Yard – Link Here
• Study: Antivirus Software Catches About Half Of Malware – Link Here
• MS Finally killing off AutoRun – Link Here
• Marine One data leak – Link Here
• The Return of L0phtCrack!! – Link Here
• WarVox Released – Link Here
• Theives Steal the Show at Cebit – Link Here
• Checklist for complying with PCI security standard – Link Here / Link To Checklist

Discussion - Orphaned hardware and Software – Link Here

Consultant’s Corner - Dealing with political landscapes at your client’s company

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Beth Thornley – “Mr. Lovely”
• Segway 2 – Munk – “DirtyWork”
• Segway 3 – By The Wayside – “Do You Ever Notice”

Vet

Sorry everyone.  Jim and I are big time swamped with work right now.  Plus I have a friend is very ill, and I am tied up with that as well.  We’ll be back next week.

Vet

Vet

Link to MP3

Episode 16 is up and running. Jim and I cover a lot of news again in this episode. Also, Jim goes a little crazy with the geek toys, but it is all really cool stuff and good info. We get into some PCI futures, playing off of Rich Mogull’s ideas on the subject. And we have a good cert discussion as well.

Show notes:

InfoSec News Update:

• Another Payment Processor Has Been Hacked

• Follow Up from last podcast – Chris Pagets ShmooCon session video is up

• Reported raids on federal computer data soar

• Backtrack 4 Beta Released

• FaceBook Privacy Changes

• Acrobat 0-Day running Wild

• XSS Stealing Data without a trace -”Our goal was to retrieve Web content anonymously,” says Matthew Flick, principal with FYRM Associates, who, along with fellow researcher Jeff Yestrumskas, demonstrated the XSS Anonymous Browser (XAB) framework at Black Hat DC yesterday. “We [said], ‘Why don’t we volunteer people for our network?’…Cross-site scripting can make people do things we want.

• Weaponizing Cyberspace

• Threats the Smart Phones Increase

• Intel’s new Bios Gets Slapped

• Researcher demonstrates SSL attack

• GNU Radio Kit – Universal Software Radio Peripheral
• Netbooks A Plenty – MSI Wind and Lenovo S Series
• Tmobile @home Service

Consultants Corner: Top three security certifications (uhhh, yeah…)

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Electric Touch – “Sounds From the Underground”
• Segway 2 – Junkyard Groove – “Thank You”
• Segway 3 – InnerLogics – “Bam’s GirlFriend”

I had an interesting phone discussion a couple days ago with Veriwave’s CTO, Tom Alexander and VP of Marketing, Eran Karoly.  We were talking about field tools for testing the quality of installed wireless LANs.  At a high level, we all agreed that much of the field testing and verification for WLANs today have centered around data related to site surveys, such as signal strength, RF interference, and the coverage “footprint”.

There are many existing tools for testing wireless coverage ranging from embedded supplicant software & Netstumbler to more complex commercial tools such AirMagnet Site Surveyor or Motorola’s LANPlanner.  Check out my blog for more information about site surveys, including the difference between active and passive site surveys.  More sophisticated wireless engineers might also gather data regarding RF interference with a spectrum analyzer, such as the WiSpy DBx, or AirMagnet Spectrum Analyzer.

However, our conversation highlighted the need to expand WLAN installation and verification tools beyond the focus on complete WiFi coverage with low interference.  How do wireless vendors and/or VARs ensure that an organization’s business and technical requirements have been met?   A focus on signal strength neglects other critical areas such as roaming, quality of service, and security.  Additionally, there is often no verification of the proper configuration of the *wired* network.

We discussed how many of the testing tools available today focus on the wireless infrastructure (the APs, arrays, WLAN controllers) and lacked visibility into the client side of the equation.  Most testing seems to concentrate on laptops – but what about wireless VOIP phones, hand-held scanners, printers, and RFID?

The three of us on the phone, as well as everyone I have discussed this with since, seems to understand the inherent value of a more robust way to validate WLAN installations.  However, what are the costs?  Personally, I don’t see a good cost model for a product of this nature.  It seems that a system that tests both the infrastructure and clients across many functional boundaries would be extremely expensive, especially for a field testing unit (where vendors or VARs might need more than one kit as they are running multiple projects).

Many wireless LAN vendors can justify the capital expenditure of Veriwave’s existing test beds, because they are involved with testing new product lines, etc.   However, many vendors seem to have a bare bones professional services group and turn over that work to VARs.  I also can’t see many VARs purchase uber expensive field testing tools – many are too small to afford tools like the AirMagnet suite, let alone something more costly.  If VARs do purchase, they will inevitably have to pass along the cost to their customers. Is this viable either?  Why would a customer pay a higher cost to insure themselves against a WLAN that wasn’t properly field verified?  Customers should be able to do this by properly scoping their projects and enforcing the terms of their contract.

What do you think?  Do you see the value of such a tool?  Do you see an appropriate cost model?  Sound off in the comments below!

- WiFi Jedi

I wanted to take a second to introduce a good friend of mine who has recently started blogging and will also be guest blogging here from time to time.  This friend of mine is Douglas Haider.  He is a former coworker at Accuvant and is now working for Xirrus, a Wi-Fi company.

I have pimped Douglas’ SANS classes in the past on my blog before.  I have also worked on some gigs with him as well as attended some of his speaking engagements.  He has been around and has seen it all.  Basically, Douglas has some serious Wi-Fi and security chops.  I welcome him to the blogging ranks, and I am honored that he wants to guest blog here.

Here are some links so you can learn more about Douglas and read his stuff:

• Blog
• LinkedIn
• Twitter – @wifijedi

Vet

Link to MP3

Here is episode 15. There was a lot to cover in this episode. Jim and I were in discussion mode, so be prepared to sit down for a while longer than normal this time. Jim and I were also in a joking mood and consequently cracked ourselves up on this episode, so enjoy the laughter and comedy at a fellow human’s expense.

BTW, I am a milestone guy, and any time a “0″ or a “5″ is at the end of the episode number, I think it is cool. So 15 is a cool number to me. On to the show notes.

Show notes:

InfoSec News Update: whole lot of crap!

• FAA Security Breach Exposes 45K Employees
• AV makers Hacked – BitDefender and Kaspersky, More: Full Info on hackers Blog
• Electronics Firm Faces FTC Lawsuit Following Multiple Hacks – “The complaint alleges that until at least December 2007, Compgeeks (geeks.com) routinely stored this sensitive information in unencrypted text on its corporate computer network, among other security failures. The complaint also charges that the respondents did not adequately assess whether its Web application and network were vulnerable to commonly known or reasonably foreseeable attacks, such as SQL injection.”
• Identity thieves beat Obama to stimulus package punch
• Obama’s new CyberSec Chief Named
• Federal Workers Warned Of Potential Data Compromise At SRA
• Jailed SF network admin files $3M claim – Looks like the S.F. Mayor has some l33t admin skills because “Childs, formerly a network administrator with the city’s Telecommunications and Information Services (DTIS), had argued that the department’s staff was incompetent and that the mayor was the only person qualified to handle the passwords.”
• Heartland Breach Follow up – 157 institutions claiming issues – includes Bermuda, Canada, and Guam
• War cloning, the “new hacker sport”
• The latest MS Patches – One is for MS SQL, and there is exploit code out there

Discussion: File Under DUH! Unauthorized Web Use On The Rise

Consultants Corner: How does “Compliant” equal Owned?

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Munk – “DirtyWork”
• Segway 2 – Patent Pending – “Cheer up Emo Kid”
• Segway 3 – Fabienne Delson – “I’m Gonna Catch Me a Rat”

Link to MP3

Episode 14 is here.  First off, let me thank everyone that is listening to Jim and me spout off about everything.  Fourteen shows does not seem like a big number, but it involves a lot of work getting this going (especially on Jim’s part – thanks Jim) and keeping it going, and Jim and I appreciate everyone sticking in there with us.

Second, we have made some changes with my setup, so there might be a sound difference and some issues with this episode.  Forgive us as we get some new kinks worked out.

Third, this episode includes an interview with Mike Rothman from eIQnetworks.  You might know him better as that guy from Security Incite that has a yankee accent and tells everyone what he is thinking.  Either way, Mike is a great guy and a great friend, and I was honored to interview him.  I think you will enjoy that portion of the show.

And lastly, there is a programming note.  The geek toys segment that is brought to you by Jim every show is now going to be made more of a quarterly thing.  The reason is because Jim has to find something to talk about every time, and it is getting a little more difficult to find something for every show.

Here’s the breakdown of the show.

Show Notes:

InfoSec News Update: there’s been a lot happening the last two weeks

• Largest CC breach Ever !! Yes, I am talking about Heartland.  100 million + credit cards and the accusation that they attempted to hide behind the inauguration
• Heartland Followup – Law Enforcement Closing in on Perp – Looks like they are outside the US (thanks for narrowing that down)
• Monster.com Hacked … Again!
• Using Twitter for Info/Data Mining – Lenny Zeltser
• Conficker Worm Takes down a Hospital
• Follow up – Same worm variant is also attacking the UK MOD – Michael at mcwresearch.com
• Shavlik apologies for hyped MS patch Analysis – Eric Shultze: “So here’s my official apology for crying wolf on this issue when I should have done my due diligence and read all three Microsoft locations before offering my opinion on this issue”
• New Report from US Dept of Health and Human Services (HHS) – Task force recommends that government spearhead medical identity theft awareness and prevention initiatives (link is a PDF). I get a tad cynical here.  Hey, it involves government.

Discussion – New president declares his plan for US Cyber Security (more cynicism from Michael)

Vendor Interview – Michael interviews Mike Rothman from eIQnetworks

Consultants Corner -Combining compliance initiatives and what that means for security practices

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Eric Kauschen – “Speed of Light”
• Segway 2 – GK & TheRenegades – “Enemies”

Link to MP3

An Information Security Place Podcast Lucky Episode 13 is here!  Sorry for the delay between podcasts.  Jim and I usually try to maintain the every-2-weeks schedule, but since we had Accuvant’s annual meeting coming up, we decided to push it out so we could do it there (“there” was Sedona, AZ – a beautiful place).  This is the first time Jim and I have been in the same room recording the podcast, which was different (Jim kinda smells a bit).  We had fun with it.

In addition, I wanted to take advantage of having some vendors close by (we have a vendor fair every year) for some interviews.  I only got one, but it was a good one with Bluecoat.  Thanks to Greg Buchan and Thomas Lee for spending some time with me.

So without further ado, here are the show notes:

Show Notes:

InfoSec News Update:

• South Korean woman defeats Japan’s airport Biometric systems
• Some Nokia Phones vulnerable to DoS attacks due to SMS
• The Academy Home Launched
• McAfee’s Virtual Criminology Report
• MS doesn’t release a patch for Windows 7 Beta
• Twitter Security Problems

Discussion – Security Predictions for 2009 from Computer World

Geek Toys – MiniStack v3 Review

Consultants Corner – Choosing the right travel plans for yourself

Vendor Interview – Michael interviews Bluecoat

Music Notes:

* Intro/Outro – Digital Breaks – “Therapy”
* Segway1 - SatelliteState – “ClockWorks”
* Segway2 -  Naked Gun – “A.D.D.”

…is officially OPEN.

I just finished signing up.  I usually receive a confirmation in a couple of days.  I highly advise you to take advantage of this if you are a security blogger or freelance writer.  You essentially get free access to just about everything.  Yes, you have to wear the press badge, but I found last year that it was to my advantage because people tended to underestimate me when I interviewed them.  Yes, you have to deal with about a million emails from vendors wanting you to write about them, but you get used to it.

You also get access to the press room, where you get fed, watered, and generally pampered.  Just watch out for people trying to hack the wireless network and make you look stupid.  Probably not as much of a risk as at Blackhat, but if you have your own wireless broadband card, I would bring it along.  Or use your SSL VPN to browse and post.

Vet

This is an awesome account of Max Butler, a.k.a Iceman, and his exploits as a credit card cyber crook.  The details are superb.  The writing is excellent.  It is long, but it is worth the read.

Kudos to Kevin Poulsen (a.k.a Dark Dante) on this article.

Vet

JJ over at Security Uncorked wrote a great post on the MD5 CA hack.  She called it "A Layman’s Explanation of the CA Certificate Vulnerability", and though I would say it is not exactly layman level, it is definitely understandable and digestible for most people who have decent technical security chops but don’t know much about crypto.

This is one of the things I love about the blogosphere.  There is always someone willing to write something like this that benefits the community.  Thanks for the explanation JJ. 

Vet