Network Security Podcast

I had the opportunity to talk to Dr. Suguru Yamaguchi, Professor of the Graduate School of Information at the Nara Institute of Science and Technology, member of the JPCERT and advisor on Information Security for the National Information Security Center, Cabinet Office Japan.  Dr. Yamaguchi presented the opening keynote for the FIRST 2009 Conference here in Kyoto, Japan and talked about Information Security Management  and Economic Crisis.  And at least as interesting for me was having my questions translated into Japanese and asked to Dr. Yamaguchi again to answer in his native language. 

Two of the points I found intensely interesting about Dr. Yamaguchi’s talk were his assertion that businesses should be investing in technology during the down turn rather than cutting back, because the investment now may be what enables there survival and his observation that compromises have an affect on company sales in the Asia Pacific region.  I don’t believe we’re seeing the same sort of downturn in sales when a compromise happens to an American company and would like to know why there is such a difference.

FIRST 2009 Episode 7:  Interview with Dr. Suguru Yamaguchi – Japanese

FIRST 2009 Episode 7:  Interview with Dr. Suguru Yamaguchi – English

We start the show off by wishing Martin luck with his presentation at the FIRST conference in Kyoto, foolishly trusting Rich with the keys to the podcast. Then Rich fawns over his iPhone 3GS a little too much, but he does manage to talk about some cool new security features.

Rich also rants a little on one of our PCI stories, and Martin updates us on his XBox wireless situation. Finally, we geek out a bit on Adam Savage appearing at DefCon.

Network Security Podcast, Episode 155
Time:  35:28

Show Notes:

• The Clear Card finally dies. What a scam.
• Mozilla reveals some new ways of combating XSS and Clickjacking. A positive move, but with a lot of caveats.
• An end user talks about his experiences with a WAF.
• DHS has a blog.
• Nevada mandates PCI. Even for non-credit card PII that wouldn’t normally be covered.
• The National Retail Foundation whines about PCI. What a silly responses- back to the drawing board guys. I don’t think you’ve even read the standard.
• Get your Certified Application Security Specialist hats, shirts, and other gear.
• Tonight’s Music:  Reggae Far East with Cost Cut Japan

This week we had a chance to talk to Jeff Moss, the founder of a couple minor security events, Black Hat and Defcon.  Of course some would say that they’re the biggest social events of the year, along with having the best presentations on cutting edge security research, but what do they know.  A lot apparently, given the number of security professionals and hackers who’ll be be making the trip to Las Vegas at the end of July to attend both of these events.

Jeff was recently asked to be a part of the Homeland Security Advisor Council, a diverse group of sixteen individuals who will be advising the DHS and Secretary Napolitano on the security concerns they’re seeing in the real world.  This group includes Govenors, both past and present, Mayors, CEO’s and Presidents, though Mr. Moss is the only computer security expert.  Jeff is still learning about what this really means, but we spent a significant part of the interview talking about what it means and the agendas he personally would like to see pushed at the DHS.  One of his big concerns is the tradeoff we’re making between security and privacy and if anyone is taking steps to measure those tradeoffs. 

Network Security Podcast, Episode 154, June 16, 2009
Time:  45:34
Tonight’s Music: Song of Sixpence by 4 and 20 Blackbirds

Rich was somewhere in the air over the Midwest today, which would have made recording a podcast questionable at best.  So rather than take any chances with technology, we got a stand in for him in the form of our very own Security Curmudgeon, Jack Daniel.  I met Jack face to face for the first time at one of the first big ’security’ conferences I’d ever been to on the East Coast, Shmoocon 2007.  I haven’t made it back for another conference recently, but when I do, I’m sure that there will be people like Jack who will give me a warm welcome.

Jack and I spend a little time bashing the CISSP yet again, we talk about some very interesting news stories and wrap up discussing getting involved in the security community.  All in all, another good show.

Network Security Podcast, Episode 153
Time:  41:41

Show Notes:

• T-mobile sources and data – Here’s where the news started
• T-Mobile confirms stolen data is genuine
• T-Mobile confirms hackers’ info is legit
• FTC sues, shuts down N. Calif. web hosting firm
• Google Translation of 3FN termination – Jack says read the comments
• UK web host falls victim to attack
• Webhost hack wipes out data for 100,000 sites – It doesn’t matter if it’s virtualization or cloud computing when you lose data.
• Yay, it’s Patch Tuesday again!
• Tonight’s Music:  Bradley West with Slow Train

I’ve been so busy lately that I only realized when I edited episode six of the Forum for Incident Response and Security Teams (FIRST) that I hadn’t posted that fifth episode was available, which it has been for a week.  In episode five, I interviewed Jeff Crume, the Executive IT Security Architect for IBM Compliance Solutions.  Jeff will be giving a presentation at the conference, “What the Hackers Still Don’t Want You to Know”, a follow-up to his book “What Hackers Don’t Want You to Know”.  In episode six, I had a conversation with Slawek Legier from VeriSign about his talk “On-line Fraud Prevention and Detection – Multiple Layers of Security”.  We also discuss what value he sees in being a member of FIRST.

FIRST Podcast, Episode Five:  Jeff Crume
FIRST Podcast, Episode Six:  Slawek Legier

We hope no one begrudges us for taking last week off due to the holiday, and we’re back this week with all your juicy security goodness. After a short discussion of our mutual weekends spent recovering old hard drives and systems, we talk about the upcoming Black Hat and DefCon conferences before digging into the news. We discuss stories from a return of the L0pht Heavy Industries, to White House speeches, and Mac security.

Network Security Podcast, Episode 152, June 2, 2009

Time:  35:36

Show Notes:

• L0phtcrack 6 is officially released. It’s alive!
• Judge rules Lifelock fraud service is illegal. This is a serious blow to consumers.
• The CardSystems auditor is being sued due to certifying a non-compliant company.
• White House releases cyberspace policy review.
• Jericho Forum and the Cloud Security Alliance join forces.
• The truth about Apple, security, and responsibility. Yes, Rich wrote it, but it’s still good.
• Tonight’s Music: Mass Confusion by Cranston Foundation

We probably more the doubled the number of stories we talked about this week, but we only added about 8 minutes to the length of the podcast. You can consider this the “death by a thousand cuts” podcasts as we cover a string of shorter stories, ranging from a major IIS vulnerability, through breathalyzer spaghetti code, to how to get started in security.

We also spend a bit of time talking about Black Hat and Defcon, and celebrate hitting 500,000 downloads on episode 150. Someone call a numerologist!

Network Security Podcast, Episode 151, May 19, 2009
Time:  42:24

Show Notes:

• Breathalyzer source code released as part of a DUI defense… and it’s a mess.
• A DHS system was hacked, but only a little information made it out.
• Secret questions for password resets are often weaker than passwords, and easy to guess.
• Does tokenization solve anything? Yep.
• Kaspersky finds malware installed on a brand new netbook.
• Malware inserts malicious links into Google searchers.
• Google Chrome was vulnerable to Safari Pwn2Own bug. Both are WebKit-based, so we shouldn’t be too surprised.
• Information on the IIS 6 vulnerability/0day.
• How to get started in information security by Paul Asadoorian.
• Tonight’s Music:  Liberate Your Mind by The Ginger Ninjas

Continuing education is an important part of being a security professional and a required part of the different certifications we acquire to support our careers.  For this year’s FIRST conference in Kyoto, the organizers have worked with a number of certification institutions and coordinated continuing education credits for most of the major certifications.  This week I have a conversation with Traci Wei, one of the organizers of this years FIRST conference to talk about the benefits of attending in completing your collection of CPE’s for the year.

FIRST Podcast, Episode 4:  Traci Wei on the importance of continuing education credits

This is one of those good news/bad news weeks. On the bad side, Rich messed up and now has to retake an EMT refresher course, despite almost 20 years of experience. Yes, it’s important, but boy does it hurt to lose 2 full weekends learning things you already know. On the upside, this is, as you probably noticed from the title of the post, episode 150! No, we aren’t doing a 12 hour podcast like Paul and Larry did (of PaulDotCom Security Weekly), but we do have the usual collection of interesting security stories.

Network Security Podcast, Episode 15, May 12, 2009

Time:  38:18

Show Notes:

• UC Berkeley loses 160K healthcare records.
• Most people think they will be hacked. Duh.
• Heartland spends $12.6M on breach response. Possibly half going to MasterCard fines.
• Rich debuts the Data Breach Triangle, which Martin improves.
• Tonight’s Music:  Neko Case with People Got a Lotta Nerve.  Who knew Neko case had a podsafe MP3 available?