Mon, 24 December 2012
Episode 0x1A -- Happy Holidays Everyone
Upcoming this week...
- SCREW THE NEWS!!!!!!!
- and then our discussion topic-- Predictions and Prognostication
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- Discussion topic -
- Dave's Point of view(cough cough sputter germs)
- Ben Says...looking back... weaponized stuff, and the lack of it looking forward... good enough security leads us to more awesome projects like security onion
- The Intern opines on conferences, human resources and infosec
- Matt is in denial about... Jamie and I quoted in an article together! Hack all the toasters! Breaches!! 2012 Web Vuln Stats super crazy chicken pants. SQLi What?! Passwords suck! (Password Reset sucks harder!) Bug Bounty! (Yandex)
- James gets the last word... THE FUCKING SCADAS
- no he doesn't... Ben wants to say something
- In Closing
- Seacrest Says: You'll see my ball dropping in a week!
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-1A.mp3
Category: LSD_Podcasts
-- posted at: 5:18pm EDT
Sun, 2 December 2012
In what can only be described as a collision of intergalactic import, the three bestest information security podcasts have come together and produced...
THE SOUTHERN MATRIX HOSE PODCAST
Have a listen for a half hour of:
Bringing you the infosec commentary that you crave from the Security Zone conference in beautiful Cali, Colombia.
Since we're in a tropical paradise, there really isn't the patience for things like show notes. Have a listen and you'll be impressed, we swear.
Creative Commons license: BY-NC-SA
Direct download: slmrh1.mp3
Category: LSD_Podcasts
-- posted at: 5:21pm EDT
Fri, 30 November 2012
Episode 0x19 -- It's EARLY - and we like it!
No Matt. But Ben does a great Matt impression. In mashed potatoes.
It's another week in the wide wonderful world of Infosec. And every day feels like drinking from the firehose of Infosec Reactions. Seriously.
Upcoming this week...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic-- You Got Half A Budget Now What?
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-19.mp3
Category: LSD_Podcasts
-- posted at: 12:58pm EDT
Tue, 27 November 2012
Episode 0x18-- How Do You Spell Aguardiente?
Beginning the end of 2012 - Because it's time to start making up lists of resolutions that we're not going to follow.
Dave developed a new giggity move, it's called "the kasperskian" - y'all should consider it a way to buy votes that this is an audio only podcast.
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic--
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-18.mp3
Category: LSD_Podcasts
-- posted at: 1:24pm EDT
Wed, 21 November 2012
Episode 0x17-- Turkey Time
We're going to try to keep this one relatively short. Seriously.
Of course, it's a day late because I did a boo boo on the recording. Don't ask.
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic--
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Hack any skype account in 6 easy steps
- FACEBOOK SSL FOR EVERYONE
- Linux rootkit doing iFrame injections [Full Disclosure] [CrowdStrike]
- Dissecting a Facebook Scam
- Telstra - still can't get security right
- Killing 4G networks with a suitcase radio thingy
- Wikid Publishes free eGuide on adding 2factor
- Web Engineer's Online Toolbox
- Breaches - The never ending never ending story...
- FreeBSD intruded upon
- Skype
- Adobe
- NASA - good at going to Mars, not so much at keeping laptops safe
- Health facilities in Mass and RI lose tapes
- The SCADAs
- (WARNING: PDF) From Luigi Auriemma - ABB has problems that look like CoDeSys
- Obama signs secret directive to help thwart cyberattacks
- Errata / DERP of the week award
- United States on Brink of Major Cyber Attack, Industry Executive Predicts Deloitte Center for Cyber Innovation
- Mailbag / Bizarro Land
- RE: Canadian Satellites
Hey guys. Thanks for the shout-out in Episode 14 regarding the Diginotar report. Unfortunately I'm going to have to award you guys a mini-derp award for your comments that same episode on the story about the Canadian Navy buying satellite services from Inmarsat as satellites just happen to be my area of expertise. Yes, Canada does have its own communications satellites. They are managed by a company called Telesat. However, they are not of use to the Canadian Navy because they are located in the wrong place, operate on the wrong frequencies, and provide the wrong types of services for what the Navy needs. Communications satellites of this type operate in the geostationary belt (GEO), an orbit around the Equator 36,000 km above the Earth. The radio spectrum in this orbit is pretty congested, so early on international regulation of the satellites in this orbit and the spectrum they use was given to an organization called the ITU. Countries apply to the ITU for specific orbital slots and frequencies in the GEO belt and then license those to their companies. Canada has slots over North America and associated frequencies that are used by Telesat for what's called Fixed Satellite Services (FSS) - mainly broadcast TV and a host of communications services to remote communities in northern Canada. But these frequencies and antenna patterns are not what's used for mobile communications, nor does Canada have any satellite slots in other locations to provide global coverage which is kinda important for ships. Inmarsat on the other hand has the slots and frequency allocations to specialize in Mobile Satellite Services (MSS). They have a fleet of satellites located at various points around the Equator to give global coverage and the types of frequencies and coverage to provide mobile services to ships. Pretty much if you're operating a ship you're going to buy services from Inmarsat. More: Telesat and Inmarsat
Brian W.
- Skyrim Jokes
Hey guys, I don't have any Skyrim jokes but do have an odd anecdote for you. While playing Skyrim and listening to the LSD, I've found that I _have_ to turn off the xbox kinect controls or else bad things happen. Apparently Matt's voice is finely tuned as a Weirding Word. I'll be merrily bopping around a character in a dungeon of some type when, all of a sudden, a dragon shout gets kicked off and kills all attempts at stealth that I've been trying to muster. It's only Matt's voice that kicks off the shouts. Take that for what you will. John D.
Fus Roh Dah!
- Wrong questions being asked about security involvement in PMO/SDLC work
Hey guys, I'm listening to 0x15 and a question made in there really got in between my teeth. "Does making security part of the SDLC make the software more secure?" is the wrong question to be asking. Whether or not having risk evaluations or threat modeling part of the SDLC should be a concern but not the approach I've found works when I've introduced it into the SDLCs of which I've been involved. Let's break out of our security cliques for a moment and realize that ultimately many of us tell ourselves that what we do matters in order to justify the dissonance we have in our brains for putting up with the crap we do because we actually enjoy what we do, for the most part. By and large, we're not altruists. Having the guts to come out and say "Yeah, I know what I do for an organization rarely makes the world a better place, but gosh darn it I like/love what I do." can go a long way to asking the right questions to keep ourselves employed and pertinent to the business that pays us to do cool things. Once you get out of the "what I do is important, dammit" mindset, asking the following question better serves us as a whole. Does making security part of the SDLC/project/product make the business more money or save the business more money had it not been part of the SDLC/project/product as much as we're pushing? If you can justify the change, you can be relatively assured that someone in charge of playing with the moneys will listen. Phrasing the question that way also lends to promoting the idea to the money people that what they do is ultimately important and feeds their own dissonance hating mechanisms. John D. P.S. This approach has also saved me from the dreaded infosec burnout.
- In Closing
- Movie Review Matt saw Twilight - point and laugh!
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "go do bad bad things to a turkey"
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-17.mp3
Category: LSD_Podcasts
-- posted at: 4:44pm EDT
Tue, 13 November 2012
Episode 0x16-- One Time, At Security Camp...
There's too much news. We need to do MORE podcasts!
Also, it's time to say goodbye Mitt!!! Can't say as we're sorry to see you go, but yaknow.
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic -- hunting dirty traitor rat bastids!!!
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Coca-Cola hacked ahead of Huiyuan acquisition attempt, but didn’t tell shareholders
- SEC left computers vulnerable to cyber attacks, sources say
- Firm suing sites that use SSL / TLS
- Vuln in Call of Duty Modern Warfare 3
- Adobe 0day! in other news water is wet russian guy demos p0wnage using new adobe 0day - voice over provided by not a russian guy $50,000 for a fresh hot 0day
- Nike Fuelband rats out cheating two timing basterd that broke your heart with that skanky ho
- Secrets, Schemes, and Lots of Guns: Inside John McAfee’s Heart of Darkness
- Australian Telcos Declare SMS Unsafe For Bank Transactions
- Breaches - The never ending never ending story...
- Twitter All A-Flutter Over Possible Data Breach
- but Twitter says no to two factor auth
- Pizza Hut Australia Dishes Up A Data Breach As Hackers Slice In [Updated]
- The SCADAs
- Chevron was infected by stuxnet way back when but forgot to tell anyone
- Support Forums Reveal Soft Underbelly of Critical Infrastructure
- Errata / DERP of the week award
- ENGAGE TINFOIL HATS EVERYONE...
- Here’s Enough Digital Espionage to Scare James Bond [INFOGRAPHIC]
- SQL Injection - it's a windows XP thing - REALLY - The Strange Tale of a Virus Called SQLi
- Foot In The Door
- tracking down a mole mole mole mole
- Cisco VP To Memo Leaker: Finding You Now 'My Hobby'
- It's not trivial to sort things out after the fact unless you have the logs and auditing turned on - go do that now.
- Mailbag / Bizarro Land
- Hi,
thanks for your video with Dave, I really enjoyed that.
I am wondering and I think you mentioned something like that - but I would find it interesting if all of you guys could be on video like that... (hehe... enjoying it here, sitting in the first row...)
What about some questions from your audience? Not that I have some ready now, but I am sure I could make up some (not embarrassing ones of course - ha!).
Just some thoughts - but keep up the good work!
Cheers Thomas P.
Hello guys, and thank you for the great show.
Referring to your second episode where you flamed Iran IrCERT, I just thought I would let you know that Libya now also has a CERT, it's called LY-CERT and you can find them online here http://cert.ly
Regards
Ahmed S.
Greetings from +52° 56' 58.92", -1° 9' 0.36" (approx),
As you all adore PCI-DSS so much, I figured I'd share this article with you: Silicon Republic
Some of my favourite quotes:
- "Fewer incidents of large-scale credit card data theft are a sign that PCI-DSS standards are finally having an effect among large retailers, the director of the group’s security standards council has claimed."
- "Mark Gallagher, keynote speaker at the Dublin event, drew parallels between Formula One and PCI-DSS in how they approach risk."
- "You’ve got to have defence in depth and PCI gives you that best defence."
I can already hear James Arlen screaming.
Keep up the good work and try not to have an aneurysm!
Cheers, Graham S
- In Closing
- Dave's Movie Review Life of Pi - he likes boats.
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "I like cake, even though it's a lie."
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-16.mp3
Category: LSD_Podcasts
-- posted at: 5:34pm EDT
Mon, 12 November 2012
Television Episode 0x03 -- SecTor Interviews The Third
NFC with Charlie - IT'S MILLER TIME
Back again again - An interview with Charlie Miller at Sector during which you may want to hold your phone tightly in a tinfoil hat of its own.
If you don't know the name Charlie Miller - you should head over and read his Wikipedia Page first and then come back and watch the video. Charlie has been doing some cool things with NFC on phones. He's goooooood at messing them up using only a passive NFC tag! You'll learn something if you pay attention, I swear.
There's more of these in the queue. Tell us what you think or what you'd like to see.
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones/cover the screen if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSD-TVEp0x03-med.m4v
Category: LSD_Television
-- posted at: 9:24pm EDT
Tue, 6 November 2012
Episode 0x15 -- So Much News...
Pre-election Bets Are Off
Starting off this week with a couple of Con Reports - Ben, you go first... how was HackFest? ((wait)) and Dave - what was the high point of your HackFest experience? ((crickets))
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic -- Security in a Project Context
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- The Kremlin’s New Internet Surveillance Plan Goes Live Today
- Coca-Cola hacked ahead of Huiyuan acquisition attempt, but didn’t tell shareholders
- PayPal security holes expose customer card data, personal details
- Skype Gives Security Firm Details of Alleged PayPal Hacker Without Warrant
- US gov says you don't own your stuff if you put it in the cloud (via slashdot)
- The Georgians p0wn their p0wner
- F-Secure Mobile Threat Report 2012 (pdf link)
- NJ residents displaced by storm can vote by email
- Breaches - The never ending never ending story...
- Lady Gaga web site hacked
- Team Ghostshell Allegedly Spills 2.5 M Russian Records
- The SCADAs
- Legal fears muffle warnings on cybersecurity threats
- Errata / DERP of the week award
- Sorry US gov. It's on you. For how long have you known about this?
- Most U.S. Drones Openly Broadcast Secret Video Feeds
- Inmarsat to furnish global broadband to Canadian navy
- Commentary
- Foot In The Door - Security In a Project Context
- why testing isn't enough
- how you can play in the SDLC
- Hardcore - How to change the system to suit your needs
- building standardized methodology chunks
- playing well with others (have the PMO do your job)
- functional vs. non-functional specifications
- Mailbag / Bizarro Land
- Hey guys. Love the podcast. Not sure if you saw, but the report from the investigation of DigiNotar, the Dutch CA that got violated last year, is out: PDF
Given some of the things you highlight on the podcast it would probably be worth talking about on the show as an example of what not to do. Diginotar had a segmented network and good physical security but also a poorly configured firewall and IPS (managed by an external 3rd party) and no real procedures for examining logs from either.
Despite these "defenses", the intruder was able to compromise an external-facing server and use it to pivot to the internal network, get access to a machine that creates certificates, and issue over 500 rogue certificates, including one that was used to execute a MITM attack on Gmail users in Iran.
---------
Brian
- In Closing
- Matt's Movie Review No
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "vote for something"
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-15.mp3
Category: LSD_Podcasts
-- posted at: 3:14pm EDT
Wed, 31 October 2012
Episode 0x14-- Happy Birthday Mr. Gattaca... we'll vote for you too.
There's interesting things afoot. Y'all should pay attention.
This is the 21st episode for those of you that don't have 16 fingers. Not sure we should be revealing this yet, but it's going to be a wild winter solstice celebration this year. The southern folk at Southern Fried Security and this gang of teenage malcontents are up to no good. Well, actually extra special good. Let me sum up - it's Security Charity... Gangnam Style.
Stay tuned for the carnage.
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic--Disaster Recovery
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Service Sells Access to Fortune 500 Firms
- U.S. looks to replace human surveillance with computers
- How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole CSO Online has an opinion too.
- Broadcom DoS on BCM4325 and BCM4329 devices
- Auditor General Report: Canada is sucking at the "cyber"
- The Kiwi .gov makes their internal network kiosk accessible
- China Unicom replaces Cisco devices over security concerns Huawei gives Australia peeks at its network hardware and code to regain trust
- Hire great infosec people (and keep them) !
- Breaches - The never ending never ending story...
- Billabong Hacked Again (yes, again), Hackers Claim to Have Obtained 37,000 Account Details
- Peru Domains Registrar hacked and 207116 Domain panel credentials leaked
- South Carolina Suffers Massive Data Breach
- Attacker grabs data for 3.6 million South Carolina taxpayers; governor wants to see culprit "brutalized"
- Hackers crack Texan bank, Experian credit records come flooding out
- Vermont credit union discards unencrypted data of 85,000
- Anonymous owns a police forum
- The SCADAs
- Critical flaw found in software used by many industrial control systems
- Cybergeddon now? Industrial control systems targeted
- Errata / DERP of the week award
- Dear Sir/Madame,
My name is Jakub Walczak, and I work for Hakin9 – the magazine that reaches over 60 000 readers mainly in the USA, India, and Australia.
I have seen your website and I was wondering if you would like to cooperate with us. Please let me know.
I am looking forward to hearing from you.
Regards,
Jakub Walczak
- Sorry Jakub, perhaps you should listen to the show or read about our opinions of Hackin9 before you send email like this again. Just sayin.
- Commentary
Yeah, so we ran a little long... the commentary segment has been pulled out into a separate recording. It'll show up on the RSS feed tomorrow, but if you want it right now, you can grab it here.
- Foot In The Door - Disaster Recovery
- c, i and A <-- that one counts
- RTO, RPO
- practice, practice, practice
- Hardcore - Recovering from the Disaster you didn't plan for
- Do the post-mortem. Netflix's AWS outage post-mortem
- do security olde style - use the opportunities provided by the red-print report to get the thing fixed right.
- Make sure you've prepared yourself
- Including a "get home" bag at the office
- Don't make plans that require employees to run on infrastructure that might not be there
- Mailbag / Bizarro Land
- The quick & dirty: Stroz Friedberg evaluated the technical watchdog (MarkMonitor) for the so-called ISP "Six Strikes", and gave it a thumbs-up. However, SF was also actively lobbying for the RIAA between 2004 and 2009.
I want to like this company - they're doing it less wrong than many other folks - and thus I find myself experiencing another bout of Infosec Depression.
Original article, albeit from a non-impartial source here
-Jim
- In Closing
- Matt's Movie Review Argo was so good - That Ben Affleck is DELICIOUS
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: Ben and Dave at HackFest in Quebec City, James at SecurityZone in Cali, Colombia
- BSidesDave - held immediately after Hackfest, Dave will not be sleeping before his flight home, so keep him company
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "Why are my pants wet?" Hope everyone makes it through #Sandy safely
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-14.mp3
Category: LSD_Podcasts
-- posted at: 1:58pm EDT
Mon, 22 October 2012
Episode 0x13 -- the 20th episode for those of you that don't have 16 fingers
The Pirate Bay is in the clouds, but we got here first, so suck it!!!
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic - Responsible Disclosure
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-13.mp3
Category: LSD_Podcasts
-- posted at: 6:19pm EDT
Wed, 17 October 2012
Television Episode 0x02 -- SecTor Interviews The Second
A Full Dose of Rothman
Back again - and understand that we're serious this time.
Attempt to not learn something as I interview Mike Rothman (@securityincite), Analyst and The PRESIDENT of Securosis. Please try to pay attention. There's an awesome amount of information in there.
There's more of these in the queue. Tell us what you think or what you'd like to see.
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones/cover the screen if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Download the m4v
Direct download: LSD-TVEp0x02-med.m4v
Category: LSD_Television
-- posted at: 12:49pm EDT
Tue, 16 October 2012
Episode 12 -- These are the Daves I know I know
He claims it's not his fault he missed an episode...
Yes, we're still doing a podcast. Lots of you listen. It's kinda awesome. We promise to be more awesome in the future.
And tonight, let us regale you with tales of:
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- …and then our discussion topic - IDS IS DEAD
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Capital One targeted in CYBERATTACKS
- HTML5 Full Screen API Attack
- Firefox 16 gets pulled (just like the goalie) - exploit follows in 24 hours
- Lone packet takes out SS7 networks
- FX beats up on Huawei at HITB
- Myrcurial Complains: These Kids Today
- High Court in the Philippines Suspends Contentious Internet Law
- Panetta Warns of Dire Threat of Cyberattack on US
- Breaches
- Northwest Florida State College - 300,000
- Facebook - everyone on the internet!!!!!!!
- TD Bank (US - a subsidiary of TD Bank Canada) loses a tape IN MARCH!!!! - 260,000 records
- Nationwide Address book Android app - 760,000 via @WeldPond
- The SCADAs
- LittleBlackBox is a collection of thousands of private SSL and SSH keys extracted from various embedded devices. Thanks @lmacvittie
- What is Critical Infrastructure? A long twitter conversation on 2012-10-12 about the REAL rule-of-thumb criteria for what makes something critical infrastructure or not.
- Errata
- DERP of the week award: Samer Bishay said. “Network security lies ultimately with the service provider. So, if you can control your network well, then I don't see how any outside force could really override these controls.” (h/t @taosecurity)
- Commentary
- Foot In The Door - IDS IS DEAD
- I can't even come up with notes. Just listen.
- Hardcore - EXCEPT IT ISN'T
- Mailbag / Bizarro Land
- In Closing
- Matt reviews “Trouble with the Curve” - was there any infosec in it, nope, ok then
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- A moment of silence for Amanda Todd, sadly a victim to online bullying
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at COUNTERMEASURE 2012 in Ottawa, Matt at AppSecUSA in TEXAS, Ben and Dave at HackFest in Quebec City, James at SecurityZone in Cali, Colombia
- The Seacrest says “Oh My G-d, I’m falllllling, why won’t this parachute open!?!?"
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-12.mp3
Category: LSD_Podcasts
-- posted at: 6:24pm EDT
Fri, 12 October 2012
Television Episode 0x01 -- SecTor Interviews The First
Video even - inorite!
We gave you a warning and then didn't follow through, so we understand the confusion. This is the first of many Liquidmatrix Security Television Episodes which we naively think you might enjoy.
To start off, we've got this delicious interview with Dave Mortman (@mortman), the Chief Security Architect of Enstratus. Watch as Dave regales you with tales of the way things were back when he was a boy ((It appears that he's still a boy, but that's all charm.))
There's more of these in the queue. Tell us what you think or what you'd like to see.
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones/cover the screen if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSD-TVEp0x01-med.m4v
Category: LSD_Television
-- posted at: 11:03am EDT
Tue, 9 October 2012
Episode 11 -- Dave's Away
w00000000000000000t!
Hey Everyone, welcome to the Liquidmatrix Security Podcast - Episode 0x11 or the 18th recording for those who don’t start with zero and are not good at Hexadecimal - or math, like us.
Everyone showed up except Dave. Something about Canadian Thanksgiving causing a Turkey Coma. We manage to struggle through without him. Actually, we think the show turned out just fine. We don't need no stinkin' Dave.
And tonight, let us regale you with tales of:
- LOTS OF NEWS
- Breaches
- SCADAs
- Errata
- …and then our discussion topic - the con report SecTor and Derbycon
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-11.mp3
Category: LSD_Podcasts
-- posted at: 5:48pm EDT
Thu, 4 October 2012
Episode 10 -- It's Special
recorded live at SecTor 2012
There is no Matt. Again. So we found a replacement. As it turns out, pretty much any American whose name starts with "M" will do. Huge thanks to Mike Rothman for helping out with the madness.
This discussion has only four topics:
- Summer of Breaches
- Cyber
- authN / authZ
- Compliancy
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-10.mp3
Category: LSD_Podcasts
-- posted at: 6:47pm EDT
Tue, 18 September 2012
Episode F -- Aboot that
it's not a boot, it's just a really big shoe
Matt won’t be joining us tonight; it’s Ben’s fault. A quick shout out to Jimmy Vo: you will need approximately 15 or F shot glasses for this episode.
Aboot, Aboot, Aboot, Aboot!
And tonight, let us regale you with tales of:
- More Malware
- Less Malware
- The SSL monsters
- Ry-Hi
- Twitter
- GoDaddy
- Breaches
- SCADAs
- …and then our discussion topic - what happens after the bad thing happens
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Blackhole 2.0 is out (aboot!)
- Microsoft takes on Nitol (aboot!)
- A story Aboot more SSL weaknesses, let’s introduce you to the CRIME attack
- Aboot getting more skilled at Ryerson - there’s a Rainbow in Toronto for a Certificate in Computer Security and Digital Forensics
- Twitter bows to subpoena, releases Occupy protester's tweets
- GoDaddy, everyone's favourite SOPA supporter, goes down
- Breaches
- Miami hospital hit by second patient breach this year
- Ankit Fadia gets hacked
- The SCADAs
- If Congress and the Senate can’t do it - by gosh, the PRESIDENT will -- Executive Order on Cyber Security in the works?
- Interesting little bit on the side of Digital Bond’s website... “Schneider Has Not Removed Modicon FTP Backdoor Account In 2101 days”
- Errata
- Every vendor that has been sitting on a known vuln for more than 1000 days. Jerks.
- Commentary
- Foot In The Door - Aboot Investigations
- Hardcore
- Defensible Methods
- Chain of Custody
- Judgement Day
- Mailbag / Bizarro Land
-
There is this website where I noticed that they display your login details after offering a quote in plaintext, i.e. they display your username and a password on an http:// connection. So I called their call center and spoke with the manager; yeah, she will relay that information (but I kinda got the impression that she didn't understand what the problem is). Nothing happens for weeks. After maybe 2 months I go back to check and here you go, my username with password are still shown in plaintext on the site. So I sent them an email, clearly marked "to IT or IT security something", explaining it a little bit more technically. Nothing happens again. Since I raised the original issue, about 4 months have passed.
The question is now - is it worth pursuing this further?
Cheers
T
PS: Should anyone of you guys be once in London, pls ping me and I buy you a beer! Or two?
- Ben says: http://www.ico.gov.uk/
- In Closing
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor. If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012", or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
- Vote Dave for ISC2 Board Ballot!
- The Seacrest says “'Aboot' to Jimmy Vo, 'Shana Tova' or to our non-Jewish friends, that means 'have a good new year' and it’s time to party like it’s 5772 and then get yourself up and off to work because 5773 is going to be WILD.”
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-F.mp3
Category: LSD_Podcasts
-- posted at: 7:30pm EDT
Mon, 10 September 2012
Episode E -- Just a bunch of hosers
Teh Podcast Warz Haz Begun!
It's another week in infosec. I can't get excited about it either. Too many news stories of note, breaches and a new section - the SCADAs. In the same way that we had too many breach stories so we broke them out, we're doing the same with SCADA. Expect a lot of derision from Dave and me -- there's a lot of bullshit and we're calling it.
We'd also like to wave hello to the team at Riskhose. We're sorry that you misinterpreted young Matt's question - we'll straighten you out when we do our Risk-tacular episode this fall. Also, we're starting to suspect that the Riskhose Utahian may be a closet Canadian - he knows too much about Canadian musicians and he does know all of the words to Romantic Traffic (and yes Alex, when you come to Toronto, we'll go visit all of the subway stations so that you can produce your fan version of the video.)
Interestingly, between the Riskhose podcast and some threats from the Southern Fried Security bunch, it's on - the Podcast Wars are here - expect that the next few months are going to be epic in the world of infosec podcasting. We may even take a swipe at NetSec!
- Syria
- SSL Certificate Hijinks
- Cyber
- Hackers
- OSX
- Canadianisms
- The WIFIs
- Google-ized
- …and then our discussion topic - Dumb Stories
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Java.com SSL cert expired
- Al-Jazeera websites hacked by Assad loyalist group
- Cyber attacks grow increasingly "reckless", official says
- 3 years later, hackers who hit Google continue string of potent attacks …and no one is looking out for the stuff that really matters.
- New utility nabs OS X keychain passwords
- Global virus downs N.S. computer system for a month
- Sniffing open WiFi networks is not wiretapping, judge says:
- VirusTotal acquired by Google
- No shooting at protest? Police may block mobile devices via Apple
- Breaches
- Guild Wars 2 officials say ongoing password attack affects 11,000 accounts
- Antisec Leaks 1,000,001 UDIDs From A Trove Of 12 Million Allegedly Stolen From An FBI Laptop -- or was it 12 million? ...or not? And some apps use IMEI as password!
- NullCrew pillages Sony servers?
- The SCADAs
- Secret account in mission-critical router opens power plants to tampering
- Anonymous Hack Lukoil Bulgaria Site
- Errata
- Vendor Cybercrime Stats
- Commentary
- Foot In The Door - Your Dumbest Story EVAH!!!!
- Dave - VIEW SOURCE HACKERZ
- Jamie - our developer broke SSL -- that’s why we use proprietary encryption. But we’re not telling anyone what/how he did.
- Matt - SQL injected a DB to /dev/null
- Ben - I didn’t feel 3DES was secure because the source is available online, so I invented my own variant
- Hardcore
- Skipping the hardcore because we've got a great Mailbag question.
- Mailbag / Bizarro Land
-
Love your podcast, even if you try to count in Hex :-) It would be great if you were able to dive deep into what modern defenders need to do to get ahead of attackers. Right now, attackers need to only make simple changes to their attacks and defenders are left on their keisters. How do we change that pattern?
Besides deploying antivirus :-)
thanks,
Paul of Seattle
- Matt suggests a cool slide deck from Zane over at Etsy
- Ben suggests you read Liquidmatrix ;)
- … and thanks to Thomas Preissler for his comments about the show!
- In Closing
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor. If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012", or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
- Vote Dave for ISC2 Board Ballot!
- The Seacrest says “I miss Gilmore Girls" and "Skerple"
Direct download: LSDPodcast-E.mp3
Category: LSD_Podcasts
-- posted at: 12:36pm EDT
Sat, 1 September 2012
Episode D -- The Boys of Summer
Good News Everybody!
This is the longest one we've recorded yet -- by 0:59 -- and we will try to get these back down under an hour. Pinky swear. We've also gone over 10000 downloads from 63 countries. That's kinda cool - and thank you all very much. Lots of good stuff in this episode, it's totally worth the 74 minutes.
- Hackers
- The SCADAs
- Java
- Lawyers
- MOAR SCADAS!!!!
- Apple, Microsoft
- Stupid Employee Tricks
- …and then our discussion topic - Employee Tricks
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-D.mp3
Category: LSD_Podcasts
-- posted at: 3:13pm EDT
Mon, 27 August 2012
Episode C -- Brain Dump
Semi-slow news week this week, so we used the bulk of our time to talk about a topic most of us struggle with (even some of us on the show): productivity! A few stories and our opinions as usual, and also a letter from a listener regarding our own Dave running for the ISC2 board.
Again, if you have any comments, questions, suggestions, hatred, bickering or cyberdouchery, please send them to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-C.mp3
Category: LSD_Podcasts
-- posted at: 2:33pm EDT
Wed, 22 August 2012
Episode B -- Artificial Intelligence
Something pithy should probably be written here. All of us have so much on the go that we're saving our creativity for the podcast. Also, this one is pretty long.
If you have thoughts or ideas, please send them to the MailBag (mailbag@liquidmatrix.org) and we'll talk about it here.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-B.mp3
Category: LSD_Podcasts
-- posted at: 3:29pm EDT
Wed, 15 August 2012
Episode A -- The Revolving Absence
No James this week. Apparently, he's afraid of the Cylon^WBen invasion.
Also, don't forget to throw something in the old email for us (mailbag@liquidmatrix.org); we're getting lonely - don't you still love us?
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-A.mp3
Category: LSD_Podcasts
-- posted at: 11:31am EDT
Wed, 15 August 2012
Episode 9 -- No Need For Syncizationhron
So we find ourselves again again Mattless. We skipped out last week cause of bad hair, bad mojo, conflu and bad karma -- and $19.95 hotel internet (we have no budget and Canadian telcos suck for roaming). Also, this episode is a week late. The blame lies entirely with Ben's computer/ISP issues. Either that or Ben is a closet Cylon and doesn't want us to know.
Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you!
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-9.mp3
Category: LSD_Podcasts
-- posted at: 11:23am EDT
Sun, 22 July 2012
Episode 8 -- Bikini Troubles
So we find ourselves again Mattless. What is it with security professionals and Hawaii? Good stuff in here. Sorry about botching last week's episode link - this one should work better; also, go back and download last week's.
Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you!
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Madhi, more middle eastern spyware
- good bye grum
- crazy guy hacks ISP both online and with an axe - (Dave can relate)
- Project 2020 launched ISCPA to help predict infosec trend spotting project
- blackhole keeps getting “better”
- elections Ontario can’t keep their data in their pants
- Breaches
- Check out the Summer of Breaches "Scorecard"
- Maplesoft
- ITWallstreet.com - 50,000 accounts
- Elections Ontario - 2.4 million records but 4 million affected
- Pinterest - scrambling to figure out the breach
- Yale - 1,200 usernames with password
- Commentary
- Errata
- Foot In The Door
- safe computing at Defcon (or any hostile network like the internet)
- don’t use the wifi
- use a VPN
- patch, patch, patch
- shut down everything
- Hardcore
- get p0wn3d on an untrusted network ((happens to lots of people, even smart ones, during their presentations - don’t take anything you can’t afford to lose))
- firesheep ((used to be the wall of sheep was a special thing, now it’s a browser extension... use encrypted protocols over an encrypted session))
- the mac store ((Quoting Prez Reagan: Trust but verify -- and there’s something wrong with the Apple purchasing/signing trust path right now -- in-app purchases in iOS have been MiTM’d))
- hotels ((Inverse correlation between cost of hotel room and quality of internet -- also, costs a freaking arm and a leg -- pay-as-you-go 3G data is cheaper.))
- Mailbag
-
Howdy Fellas
Do you think online voting can be done safely? Also, what about you Canadian boys losing all those voter records?
regards
Al from big sky country
- In Closing
- Bsides/BlackHat/DEF CON -- all but Ben / The Intern shall be there.
- There are parties in Vegas
- DEF CON is still cancelled - check status here
- Hacker Pyramid!
- Canadian CERT volunteers, email mailbag@liquidmatrix.org
- Get thee to Securosis and get educated!
- The Seacrest has landed. That’s one small p0wn for hackers, one giant p0wn for hackerkind
Direct download: LSDPodcast-8.mp3
Category: LSD_Podcasts
-- posted at: 4:44pm EDT
Mon, 16 July 2012
Episode 7 -- Breach Week Special!
Perfectionism is the enemy of publishing on time. It's another week and we've got a solid hour of discussion about the stuff that's important in the world of infosec this week.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-7.mp3
Category: LSD_Podcasts
-- posted at: 10:30pm EDT
Tue, 10 July 2012
Episode 6 -- Anybody Know How Google Voice Works? MAGIC!
Sorry for the delay in posting, folks: someone (cough, @gattaca, cough) has a crappy ISP and someone (cough, SEACREST, cough) talks quietly and has a crappy mic. There's about 7 hours of editing and tweaking on this one -- and it still sounds like crap.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
- News
- BREAKING NEWS: Liquidmatrix Security Male Model on COVER of SCMag (also talks about Risk Management or something)
- Debit/credit card photos in tweets -- This Twitter account proves the infinite stupidity of humans (and other stupid shit ways to post pictures of your douchetacularness NSFW)
- Amazon talks about what went wrong in US East & Leap second makes availability pain (Check out the funny Twitter @AmazonStatus & CAP theorem)
- Phisher faces 50 years in the slammer
- Alaska Department of Health and Social Services fined for breach & Appeals court calls bank’s security “commercially unreasonable”
- Pornoscanners go mobile
- Wireless Hacking Suspected in Air Raid Siren Miscues
- Comodo blacklists itself (truth in Certificate Selling)
- Something bad happened in the iOS App Store... twice. Which (considering the relative sizes of the install base of iOS vs. well, everything) is still pretty awesome.
- Commentary
- Errata
- Foot In The Door
- hire the right auditors
- use them as a tool to raise issues up to the executive
- tell them the problem areas
- invest time in the auditors and point them to your pain
- feed them recommendation
- don’t let them position compliance as security
- Hardcore
- The box kicking story
- For example -- finding a way to get the answer they don’t want to give
- The prevarication story
- Another opportunity to learn from auditors/old people
- Asking questions into negative space -- to find answers you need to find the place in the middle where the facts have not coalesced.
- Peter Falk - Just one more thing...
- Matlock - How to get the jury to see it your way...
- Mailbag
-
mailbag@liquidmatrix.org
Long time listener, first time writing in...
I find myself compelled to write inasmuch as I found myself shouting at my iPod yesterday. I, of course, am referring to "Liquid Matrix Security Digest Podcast Episode 2" where a conversation about "What Should You Do If You Are The CISO Of A Breached Company?" occurred. Forgive me as I left the Post-It note with the timestamps of the offending speech on the mirror in my bathroom so that I may focus my Daily Rage upon it as I carefully shave "I da CISO, bitch!" into my scalp each morning.
In essence Ben argued that the role of the CISO in the event of a password breach is to stride confidently into the CEO's office and say "I told you this was going to happen, this is not my fault, and we need to force all users to change passwords - Damn The Consequences, Man!" (While this is not a direct quote, it is what I very distinctly heard...)
While this is a nice gedankenexperiment in that it is very cool to imagine ourselves in the role of "Captain Astounding: Protector Of Users", the reality of a breached company has certain rules:
1) If the breached company is a startup or new venture the Senior Management regards this event as an existential crisis. Not so much to the company itself - but to their exit plan (hey, who doesn't dream of being bought by Facebook or Microsoft for a billion dollars?) or to their about-to-be-so-far-underwater-they-implode stock options. Lose track of this fact and You Are Toast.
2) If the breached company is an older company the critical component is the quality of business leadership available. If they take counsel of their fears - see Rule 1. If they take a more mature view you can actually get effective response but know that you have almost no influence on that outcome.
3) If you were the CISO pre-breach you have to realize your credibility and professional competence is seriously in question by *everyone*. It matters not that you wrote 523 emails protesting storage of passwords in clear text, nor that you did not get the budget to keep your IPS under maintenance, nor that $Security_Requirement was ignored. If this offends your sensibilities I would simply refer you to the Book of Hezekiah, Chapter 9, Verse 27 where it is written "Yea, and the LORD spake unto the people, and the LORD spake "Life is not fair - never said it was, never said it will be - Get Over It!" and thus the people were greatly nonplussed".
4) If you are the successor to the CISO who ran the shop pre-breach you have to realize that nobody believes anything you say without the Incident Response Consultants agreeing with you. You have not been around long enough for anyone to trust you or to accept your influence. You will not be seen having the same "at-risk" quotient as everyone else (See Rule 1 above).
5) Almost every company that experiences a major breach turns a significant portion of the response and decision making over to Outside Counsel and Incident Response Consultants. There are good and bad reasons for doing this - let's just accept that it happens. Fighting these folks - especially Outside Counsel - is generally a No Win situation (See Rules 3 & 4 above).
So what do you do?
You do what you can. You use whatever influence you have to try to do the right thing. But realize a breach response is *not* a Security Problem, it is a Business Problem, and that business folks are going to be in charge. If you cannot deal with that - you might want to become an Incident Response Consultant.
Love, Uncle @armorguy
- In Closing
- Tweetup - has to be pushed, sorry folks
- Bsides/BlackHat/DEF CON -- all but Ben / The Intern shall be there.
- Also, DEF CON has been cancelled - check status here
- Hacker Pyramid!
- Also, have a look at the Declaration of Internet Freedom. We like it. You should like it too. Although Liking it on Facebook shows that you don’t understand the fucking point of the Declaration.
- As of recording time, tomorrow is the day when the internet shuts down -- DNSchanger DNS servers are going down. So I guess you won’t ever hear this episode.
- THERE IS NO SEACREST.
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-6.mp3
Category: LSD_Podcasts
-- posted at: 2:06pm EDT
Fri, 29 June 2012
We've been threatening to do something interesting and cool...
We're happy to announce that we will be producing a bi-weekly video podcast edition - tightly edited to a broadcast friendly 22 minutes in length. Perfect to watch while having lunch or between an episode of M*A*S*H and Barney Miller.
Thanks for all of your support so far and we look forward to invading your space regularly to make some friends and maybe even learn a thing or two.
((PS: Based on comments from listeners, we're going to make some changes and give you a more granular set of RSS feeds so that you can select to receive exactly the version of our show that makes you the happiest. If you're subscribed to the general feed, this is the last full video episode you'll see.))
Direct download: LSD-TVepisode-1960x540.m4v
Category: LSD_Television
-- posted at: 1:45pm EDT
Fri, 29 June 2012
Episode 5 -- Everybody's Working For The Weekend (Canada Day Edition)
The fun with the Liquidmatrix gang continues in this episode. Pay close attention and you'll notice that there aren't any edits in this one. That's right - one take and we've got it in the can. Lots of good stuff in here - let us know if we missed anything.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
- News
- Operation Card Shop - UGNazi and 23 others get silver bracelets for free from the feds
- Hotels misrepresent credit card data security measures, FTC is not happy
- Typo squatter gets spanked by law firm
- Bank settles with wire fraud victim
- DHS gives federal agencies threat detection packages and DHS demos cyber attack to help sway lawmakers to pass a cyber bill
- RSA securid key not so secure - it’s broken - no it isn’t - yes it is - Damn you people - it's the smartcard portion of a dual-use device that's 'broken', quit slamming multi-factor authN.
- Portswigger gets new tricks
-
- Errata Charlatan of the Week
- Commentary
- Foot In The Door
- LM Team,
First off I want to say that I'm really enjoying the podcast. I'm still very early into my career and trying to transition into InfoSec. I would love to hear all of your views on Information Security in colleges. I was thinking about it following some twitter chatter between some people and Chris Eng about this. I thought that there were some good conversations. I'm a little bit disappointed since I just finished my M.S. in Computer Info Sys with a security concentration. In the classes I took we learned some basic network security concepts. Only touched a bit on web application security. I was hoping we would have done some offensive stuff, but we never did.
I compared my classes to pen testing classes out there and it seems to me they’re on a better track but what do I know.
Just some thoughts, Jimmy
- Hardcore
- Mailbag
- mailbag@liquidmatrix.org
- Hi there LiquidM,
Long-time listener, first time emailer!
I was wondering if you could help me with a small dilemma I'm facing. I've been working as one of those penetration tester types in the financial sector for a while now, and my company treats me right... but more and more I hear the calling of the darkside... no, not THAT darkside, the calls of those working for security companies and $vendor that get to do exciting things with exciting people! The ones that get to actually TALK about their research...
So, what's a guy to do? Please LiquidM help me, you're my only hope! Chris P.S: Love the show... but you guys are very Canadian O.o' ;) See you guys in Vegas I hope.... eh!
- Hey there fellow Canucks…
Over the years I've had many IT jobs, from network admin to system admin for small consulting firms in my area (nothing big). A common theme was the unwillingness to implement the most basic of security mechanisms, or acknowledge the possibility that the systems/networks we would implement for our clients were perhaps done in an un-secure fashion. As a security enthusiast this was very frustrating.
On a few occasions, I would prove this using a few simple demonstrations on how easy malware, or human, could compromise the network (malicious emails, word/pdf docs, ms08_067 for example). Every time my demonstrations were brushed off as "unlikely" or "impossible", requiring a level of technical knowledge that no employee possesses inside "client X". One such place was an ISP, where we would setup and host websites, providing clients with FTP access to upload and download content. I was actually instructed not to make the passwords too complicated, to ensure our clients were able to use it. Even after I had showed my boss a public exploit (from exploit-db) was available for the FTP software used. Again brushed off as "unlikely" seeing the exploit needed to be authenticated to properly function. This, of course, started the debate of weak passwords that lasted all of 2 seconds… At another spot, I actually showed the senior administrator (my supervisor), hosting a SSH server on port 80 was possible… funny. By now I think you get the picture on how security was handled, so I won't go any further.
My question is what would you say to the lonely sys-admin, in a small to mid sized firm, on how to handle an employer that doesn't seem concerned at all with security? How should the lonely admin tackle these types of issues without annoying "the boss" with this silly thing called "security", when it's obvious he or she is not willing to listen?
I'm fortunate enough to no longer be in this situation, but I'm sure there are many out there still living with these types of conditions. Steven ps.: hope all of this made sense, and good job on the podcast very much enjoying it so far
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-5.mp3
Category: LSD_Podcasts
-- posted at: 11:20am EDT
Mon, 25 June 2012
Episode 4 -- The Gang's all here.
Matt has returned from the distant shores of the western USA... but he didn't listen to the podcast from last week - sucker. Lots of good stuff in here - let us know if we missed anything.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-4.mp3
Category: LSD_Podcasts
-- posted at: 11:26am EDT
Mon, 18 June 2012
It's Episode 3 -- We Should Be So Committed.
Your heroes find themselves completely Canadian this week as @mattjay is visiting the extreme west coast of America.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-3.mp3
Category: LSD_Podcasts
-- posted at: 12:12pm EDT
Mon, 11 June 2012
It's Episode 2 -- and I'm sure you all know what that means... ... no more talk of midichlorians.
And the continuing saga of 4 infosec nerds who will attempt to do what has never been done before... bring you a high quality information security related podcast that is not just a long series of in-jokes, ranting, personality disorders and hard drive snake oil.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-2.mp3
Category: LSD_Podcasts
-- posted at: 11:30am EDT
Mon, 4 June 2012
Previously on the Liquidmatrix Security Digest Podcast... There was some talk, it was kinda nice. People said "do it again!" and now you're caught up.
Welcome back to the Liquidmatrix Security Digest Podcast. The continuing saga of 4 infosec nerds who will attempt to do what has never been done before... bring you a high quality information security related podcast that is not just a long series of in-jokes, ranting, personality disorders and hard drive snake oil.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
Creative Commons license: BY-NC-SA
Oh, and just because it's awesome... thanks to Bill Pennington!
Direct download: LSDPodcast-1.mp3
Category: LSD_Podcasts
-- posted at: 12:55pm EDT
Tue, 29 May 2012
You knew it was going to happen sooner or later... Welcome to the first Liquidmatrix Security Digest Podcast.
In this series, we will attempt to do what has never been done before... bring you a high quality information security related podcast that is not just a long series of in-jokes, ranting, personality disorders and hard drive snake oil.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-0.mp3
Category: LSD_Podcasts
-- posted at: 1:28pm EDT