Jan 23, 2014


Jim, Dan, and Michael have a lot of catching up to do. We talk about a lot of stuff because a lot of stuff has been happening. From RSA, NSA, QSAs… security is busy! Show notes below!

Show Notes:

InfoSec News Update –

  • 123456 is the new best of the worst – Link
  • RSA Conf and those skipping it this year – Link
  • Fixing a flawed VA medical records system: Tenacity pays off for a researcher – Link
  • Do you believe the Obamacare website is secure? These guys don’t – Link1, Link2, Link3

Discussion Topic – The Failure Themes of the Target Breach:

  • Massive Props to Brian Krebs on his coverage of the whole debacle – Krebsonsecurity.com
  • AntiVirus Takes It on the Chin … Again – Link
  • Egress Filter Much? – Link
  • Credit Card Processing Fundamentally Flawed – Link
  • EMPHATIC POINT OF THE PODCAST!! Complacent with Compliance … again: PCI != security

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

  • Intro: “Stay Alive” – RivetHead
  • Segment 1 – “CricketBat” – RivetHead
  • Segment 2 – “Burn Us Down” – Early Morning Rebel
  • Outro: “Zero Gravity” – RivetHead

Link to MP3

Aug 08, 2009


Link to MP3

Episode 22 is here. Jim was not available to join me this time (been traveling and real busy), so Dan Kuykendall from NT Objectives was kind enough to fill in as co-host for today. We had some good discussion, and a show that I thought would be a little shorter ended up being pretty long. But it is good stuff. Here are the show notes:

InfoSec News Update –

  • Vulnerable web servers on webcams, NAS, etc – Link Here
  • Obama’s cybersecurity Czar quits – Link Here

    People familiar with the matter said Ms. Hathaway has been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her.

    In February, the White House tapped Ms. Hathaway, a senior intelligence official who had launched President George W. Bush’s cybersecurity initiative, to lead a 60-day cybersecurity policy review. Ms. Hathaway completed her review in April, but the White House spent another 60 days debating the wording of her report and how to structure the White House cyber post. National Economic Adviser Larry Summers argued forcefully that his team should have a say in the work of the new cyber official.

  • SSL under attack this year at BlackHat/Defcon. These attacks don’t attack the math; they attack the (mis)usage of the clients and cert authorities
    • New Tricks For Defeating SSL In Practice (sslstrip) – Link Here
    • Researcher Exposes Flaws In Certificate Authority Web Applications – Link Here

  • Defcon goon “Priest” is everywhere – Links Here and Here

Discussion Topic – The ol’ security guidelines / best practices discussion

Consultants Corner – Varied BlackHat / Defcon points –

  • SSL issues
  • Unmasking You talk by Joshua “Jabra” Abraham and Robert “RSnake” Hansen
  • Dan’s general Opinions about web security talks – he was underwhelmed

Music Notes:

Feb 12, 2009


Link to MP3

Here is episode 15. There was a lot to cover in this episode. Jim and I were in discussion mode, so be prepared to sit down for a while longer than normal this time. Jim and I were also in a joking mood and consequently cracked ourselves up on this episode, so enjoy the laughter and comedy at a fellow human’s expense.

BTW, I am a milestone guy, and any time a “0” or a “5” is at the end of the episode number, I think it is cool. So 15 is a cool number to me. On to the show notes.

Show notes:

InfoSec News Update: whole lot of crap!

Discussion: File Under DUH! Unauthorized Web Use On The Rise

Consultants Corner: How does “Compliant” equal Owned?

Music Notes:

Dec 11, 2008


Link to MP3

Show Notes:

Segment 1: InfoSec News Update (Michael gets to do a little talkin’ here – and he promptly screws it up):

  • New Security Awareness video on YouTube – kinda cheesy, but a pretty good production
  • Digittrade HD Encryption Broken – “in our test, unscrewing the housing took longer than cracking its encryption mechanism.”
  • Lenovo’s new Facial recognition software defeated by printed photo
  • Massachusetts new law – 201 CMR 17.00 – “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information” – a civil penalty of $5,000 may be awarded for each violation of 93H. In addition, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. Requires regular monitoring, documenting responsive actions taken during a breach, and reasonable monitoring of systems.
  • File Under DUH! Symantec discovers cybercrime makes money – estimates value around $1.7 billion
  • Really simple PCI FAQ that you should be aware of
  • Apple and the AntiVirus Debate – In a written statement sent to security news site Securityfocus.com, Apple explained their decision to pull the document: “We have removed the KnowledgeBase article because it was old and inaccurate,” Apple said in a statement sent to SecurityFocus. “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, running antivirus software may offer additional protection.”

Discussion: BLATANT FUD – Patching at the Enterprise level – Secunia: “virtually every Windows PC is at risk” – 98% of Windows computers are missing patches – 46% were missing more than 11 patches

Segment 2: Geek Toys and Consultants Corner

  • Geek Toys – Kensington Portable Power outlet – AS SEEN ON REGIS AND KELLY!!!!
  • Consultants Corner – Helping client dealing with a breach (specifically as how it relates to compliance issues)