Network Security Podcast

We probably more the doubled the number of stories we talked about this week, but we only added about 8 minutes to the length of the podcast. You can consider this the “death by a thousand cuts” podcasts as we cover a string of shorter stories, ranging from a major IIS vulnerability, through breathalyzer spaghetti code, to how to get started in security.

We also spend a bit of time talking about Black Hat and Defcon, and celebrate hitting 500,000 downloads on episode 150. Someone call a numerologist!

Network Security Podcast, Episode 151, May 19, 2009
Time:  42:24

Show Notes:

• Breathalyzer source code released as part of a DUI defense… and it’s a mess.
• A DHS system was hacked, but only a little information made it out.
• Secret questions for password resets are often weaker than passwords, and easy to guess.
• Does tokenization solve anything? Yep.
• Kaspersky finds malware installed on a brand new netbook.
• Malware inserts malicious links into Google searchers.
• Google Chrome was vulnerable to Safari Pwn2Own bug. Both are WebKit-based, so we shouldn’t be too surprised.
• Information on the IIS 6 vulnerability/0day.
• How to get started in information security by Paul Asadoorian.
• Tonight’s Music:  Liberate Your Mind by The Ginger Ninjas

Continuing education is an important part of being a security professional and a required part of the different certifications we acquire to support our careers.  For this year’s FIRST conference in Kyoto, the organizers have worked with a number of certification institutions and coordinated continuing education credits for most of the major certifications.  This week I have a conversation with Traci Wei, one of the organizers of this years FIRST conference to talk about the benefits of attending in completing your collection of CPE’s for the year.

FIRST Podcast, Episode 4:  Traci Wei on the importance of continuing education credits

This is one of those good news/bad news weeks. On the bad side, Rich messed up and now has to retake an EMT refresher course, despite almost 20 years of experience. Yes, it’s important, but boy does it hurt to lose 2 full weekends learning things you already know. On the upside, this is, as you probably noticed from the title of the post, episode 150! No, we aren’t doing a 12 hour podcast like Paul and Larry did (of PaulDotCom Security Weekly), but we do have the usual collection of interesting security stories.

Network Security Podcast, Episode 15, May 12, 2009

Time:  38:18

Show Notes:

• UC Berkeley loses 160K healthcare records.
• Most people think they will be hacked. Duh.
• Heartland spends $12.6M on breach response. Possibly half going to MasterCard fines.
• Rich debuts the Data Breach Triangle, which Martin improves.
• Tonight’s Music:  Neko Case with People Got a Lotta Nerve.  Who knew Neko case had a podsafe MP3 available?

It’s been a bit of a strange week on the security front, with good guys hacking a botnet, a major security vendor called to the carpet for some vulnerabilities, and yet another set of Adobe 0days. But being Cinco de Mayo, we can just margarita our worries away.

In this episode we review some of the bigger stories of the week, and spend a smidge of time pimping for a (relatively) new site started by some of our security friends, and a new project Rich is involved with.

Network Security Podcast, Episode 149, May 5, 2009

Time:  34:08

Show Notes:

• The Social Security Awards video is up!
• Yet more Adobe zero day exploits. Now it’s just annoying.
• McAfee afflicted with XSS and CSRF vulnerabilities.
• Torpig botnet hijacked by researchers.
• New School of Information Security blog launched.
• Project Quant patch management project seeking feedback.
• Tonight’s Music: Wound up Tight by Hal Newman & the Mystics of Time

In this week’s episode of the FIRST Podcast, I interviewed Gib Sorebo, who will be presenting “Content: The Next Generation of Incident Response” at the FIRST convention in Kyoto this summer.  Gib Sorebo is the Chief Security Engineer and Assistant Vice President for Technology at SAIC.  We talk about his presentation at the conference, DLP and extrustion detection and what FIRST has to offer enterprises.  I suspect Gib and Rich Mogull would have a lot to talk about in the DLP arena.

FIRST Podcast, Episode 3:  Gib Sorebo, Chief Security Engineer for SAIC