Episode E -- Just a bunch of hosers

Teh Podcast Warz Haz Begun!

It's another week in infosec. I can't get excited about it either. Too many news stories of note, breaches and a new section - the SCADAs. In the same way that we had too many breach stories so we broke them out, we're doing the same with SCADA. Expect a lot of derision from Dave and me -- there's a lot of bullshit and we're calling it.

We'd also like to wave hello to the team at Riskhose. We're sorry that you misinterpreted young Matt's question - we'll straighten you out when we do our Risk-tacular episode this fall. Also, we're starting to suspect that the Riskhose Utahian may be a closet Canadian - he knows too much about Canadian musicians and he does know all of the words to Romantic Traffic (and yes Alex, when you come to Toronto, we'll go visit all of the subway stations so that you can produce your fan version of the video.)

Interestingly, between the Riskhose podcast and some threats from the Southern Fried Security bunch, it's on - the Podcast Wars are here - expect that the next few months are going to be epic in the world of infosec podcasting. We may even take a swipe at NetSec!

  1. Syria
  2. SSL Certificate Hijinks
  3. Cyber
  4. Hackers
  5. OSX
  6. Canadianisms
  7. The WIFIs
  8. Google-ized
  9. …and then our discussion topic - Dumb Stories

And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Direct download: LSDPodcast-E.mp3
Category:LSD_Podcasts -- posted at: 12:36pm EDT

Episode D -- The Boys of Summer

Good News Everybody!

This is the longest one we've recorded yet -- by 0:59 -- and we will try to get these back down under an hour. Pinky swear. We've also gone over 10000 downloads from 63 countries. That's kinda cool - and thank you all very much. Lots of good stuff in this episode, it's totally worth the 74 minutes.

  1. Hackers
  2. The SCADAs
  3. Java
  4. Lawyers
  5. MOAR SCADAS!!!!
  6. Apple, Microsoft
  7. Stupid Employee Tricks
  8. …and then our discussion topic - Employee Tricks

And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-D.mp3
Category:LSD_Podcasts -- posted at: 3:13pm EDT

Episode C -- Brain Dump

Semi-slow news week this week so we used the bulk of our time to talk about a topic most of us struggle with (even some of us on the show): productivity! A few stories and our opinions as usual and also a letter from a listener regarding our own Dave running for the ISC2 board.

Again, if you have any comments, questions, suggestions, hatred, bickering, cyberdouchery, please send them to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-C.mp3
Category:LSD_Podcasts -- posted at: 2:33pm EDT

Episode B -- Artificial Intelligence

Something pithy should probably be written here. All of us have so much on the go that we're saving our creativity for the podcast. Also, this one is pretty long. If you have thoughts or ideas, please send them to the MailBag (mailbag@liquidmatrix.org) and we'll talk about it here.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Direct download: LSDPodcast-B.mp3
Category:LSD_Podcasts -- posted at: 3:29pm EDT

Episode A -- The Revolving Absence

No James this week. Apparently, he's afraid of the Cylon^WBen invasion. Also, don't forget to throw something in the old email for us (mailbag@liquidmatrix.org), we're getting lonely - don't you still love us?

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Direct download: LSDPodcast-A.mp3
Category:LSD_Podcasts -- posted at: 11:31am EDT

Episode 9 -- No Need For Syncizationhron

So we find ourselves again again Mattless. We skipped out last week cause of bad hair, bad mojo, conflu and bad karma -- and $19.95 hotel internet (we have no budget and Canadian telcos suck for roaming). Also, this episode is a week late. The blame lies entirely with Ben's computer/ISP issues. Either that or Ben is a closet Cylon and doesn't want us to know. Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you!

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Direct download: LSDPodcast-9.mp3
Category:LSD_Podcasts -- posted at: 11:23am EDT

Episode 8 -- Bikini Troubles

So we find ourselves again Mattless. What is it with security professionals and Hawaii? Good stuff in here. Sorry about botching last week's episode link - this one should work better. Also, go back and download last week's. Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you!

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Direct download: LSDPodcast-8.mp3
Category:LSD_Podcasts -- posted at: 4:44pm EDT

Episode 7 -- Breach Week Special!

Perfectionism is the enemy of publishing on time. It's another week and we've got a solid hour of discussion about the stuff that's important in the world of infosec this week.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-7.mp3
Category:LSD_Podcasts -- posted at: 10:30pm EDT

Episode 6 -- Anybody Know How Google Voice Works? MAGIC!

Sorry for the delay in posting folks. Someone (cough, @gattaca, cough) has a crappy ISP and someone (cough, SEACREST, cough) talks quietly and has a crappy mic; there's about 7 hours of editing and tweaking on this one -- and it still sounds like crap.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

In this episode:

  • News
    1. BREAKING NEWS: Liquidmatrix Security Male Model on COVER of SCMag (also talks about Risk Management or something)
    2. Debit/credit card photos in tweets -- This Twitter account proves the infinite stupidity of humans (and other stupid shit ways to post pictures of your douchetacularness NSFW)
    3. Amazon talks about what went wrong in US East & Leap second makes availability pain (Check out the funny Twitter @AmazonStatus & CAP theorem)
    4. Phisher faces 50 years in the slammer
    5. Alaska Department of Health and Social Services fined for breach & Appeals court calls bank’s security “commercially unreasonable”
    6. Pornoscanners go mobile
    7. Wireless Hacking Suspected in Air Raid Siren Miscues
    8. Comodo blacklists itself (truth in Certificate Selling)
    9. Something bad happened in the iOS App Store... twice. Which (considering the relative sizes of the install base of iOS vs. well, everything) is still pretty awesome.
  • Commentary
    1. Errata
    2. Foot In The Door
      • hire the right auditors
      • use them as a tool to raise issues up to the executive
      • tell them the problem areas
      • invest time in the auditors and point them to your pain
      • feed them recommendations
      • don’t let them position compliance as security
    3. Hardcore
      • The box kicking story
      • For example -- finding a way to get the answer they don’t want to give
      • The prevarication story
      • Another opportunity to learn from auditors/old people
      • Asking questions into negative space -- to find answers you need to find the place in the middle where the facts have not coalesced.
      • Peter Falk - Just one more thing...
      • Matlock - How to get the jury to see it your way...
  • Mailbag
    1. mailbag@liquidmatrix.org

      Long time listener, first time writing in...

      I find myself compelled to write inasmuch as I found myself shouting at my iPod yesterday. I, of course, am referring to "Liquid Matrix Security Digest Podcast Episode 2" where a conversation about "What Should You Do If You Are The CISO Of A Breached Company?" occurred. Forgive me as I left the Post-It note with the timestamps of the offending speech on the mirror in my bathroom so that I may focus my Daily Rage upon it as I carefully shave "I da CISO, bitch!" into my scalp each morning.

      In essence Ben argued that the role of the CISO in the event of a password breach is to stride confidently into the CEO's office and say "I told you this was going to happen, this is not my fault, and we need to force all users to change passwords - Damn The Consequences, Man!" (While this is not a direct quote, it is what I very distinctly heard...)

      While this is a nice gedankenexperiment in that it is very cool to imagine ourselves in the role of "Captain Astounding: Protector Of Users" but the reality of a breached company has certain rules:

      1) If the breached company is a startup or new venture the Senior Management regards this event as an existential crisis. Not so much to the company itself - but to their exit plan (hey, who doesn't dream of being bought by Facebook or Microsoft for a billion dollars?) or to their about-to-be-so-far-underwater-they-implode stock options. Lose track of this fact and You Are Toast.

      2) If the breached company is an older company the critical component is the quality of business leadership available. If they take counsel of their fears - see Rule 1. If they take a more mature view you can actually get effective response but know that you have almost no influence on that outcome.

      3) If you were the CISO pre-breach you have to realize your credibility and professional competence is seriously in question by *everyone*. It matters not that you wrote 523 emails protesting storage of passwords in clear text, nor that you did not get the budget to keep your IPS under maintenance, nor that $Security_Requirement was ignored. If this offends your sensibilities I would simply refer you to the Book of Hezekiah, Chapter 9, Verse 27 where it is written "Yea, and the LORD spake unto the people, and the LORD spake "Life is not fair - never said it was, never said it will be - Get Over It!" and thus the people were greatly nonplussed".

      4) If you are the successor to the CISO who ran the shop pre-breach you have to realize that nobody believes anything you say without the Incident Response Consultants agreeing with you. You have not been around long enough for anyone to trust you or to accept your influence. You will not be seen having the same "at-risk" quotient as everyone else (See Rule 1 above).

      5) Almost every company that experiences a major breach turns a significant portion of the response and decision making over to Outside Counsel and Incident Response Consultants. There are good and bad reasons for doing this - let's just accept that it happens. Fighting these folks - especially Outside Counsel - is generally a No Win situation (See Rules 3 & 4 above).

      So what do you do?

      You do what you can. You use whatever influence you have to try to do the right thing. But realize a breach response is *not* a Security Problem, it is a Business Problem, and that business folks are going to be in charge. If you cannot deal with that - you might want to become an Incident Response Consultant.

      Love, Uncle @armorguy

  • In Closing
    1. Tweetup - has to be pushed, sorry folks
    2. Bsides/BlackHat/DEF CON -- all but Ben / The Intern shall be there.
    3. Also, DEF CON has been cancelled - check status here
    4. Hacker Pyramid!
    5. Also, have a look at the Declaration of Internet Freedom. We like it. You should like it too. Although Liking it on Facebook shows that you don’t understand the fucking point of the Declaration.
    6. As of recording time, tomorrow is the day when the internet shuts down -- DNSchanger DNS servers are going down. So I guess you won’t ever hear this episode.
    7. THERE IS NO SEACREST.

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-6.mp3
Category:LSD_Podcasts -- posted at: 2:06pm EDT

Episode 5 -- Everybody's Working For The Weekend (Canada Day Edition)

The fun with the Liquidmatrix gang continues in this episode. Pay close attention and you'll notice that there aren't any edits in this one. That's right - one take and we've got it in the can. Lots of good stuff in here - let us know if we missed anything.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

In this episode:

  • News
    1. Operation Card Shop - UGNazi and 23 others get silver bracelets for free from the feds
    2. Hotels misrepresent credit card data security measures, FTC is not happy
    3. Typo squatter gets spanked by law firm
    4. Bank settles with wire fraud victim
    5. DHS gives federal agencies threat detection packages and DHS demos cyber attack to help sway lawmakers to pass a cyber bill
    6. RSA securid key not so secure - it’s broken - no it isn’t - yes it is - Damn you people - it's the smartcard portion of a dual-use device that's 'broken', quit slamming multi-factor authN.
    7. Portswigger gets new tricks
    8. Errata Charlatan of the Week
  • Commentary
    1. Foot In The Door
      • LM Team,

        First off I want to say that I'm really enjoying the podcast. I'm still very early into my career and trying to transition into InfoSec. I would love to hear about all of your views on Information Security in colleges. I was thinking about it following some twitter chatter between some people and Chris Eng about this. I thought that there were some good conversations. I'm a little bit disappointed since I just finished my M.S. in Computer Info Sys with a security concentration. In the classes I took we learned some basic network security concepts. Only touched a bit on web application security. I was hoping we would have done some offensive stuff, but we never did.

        I compared my classes to pen testing classes out there and it seems to me they’re on a better track but what do I know.

        Just some thoughts,
        Jimmy

    2. Hardcore
  • Mailbag
    1. mailbag@liquidmatrix.org
    2. Hi there LiquidM,

      Long-time listener, first time emailer!

      I was wondering if you could help me with a small dilemma I'm facing. I've been working as one of those penetration tester types in the financial sector for a while now, and my company treats me right... but more and more I hear the calling of the darkside... no, not THAT darkside, the calls of those working for security companies and $vendor that get to do exciting things with exciting people! The ones that get to actually TALK about their research...

      So, what's a guy to do? Please LiquidM help me, you're my only hope!
      Chris

      P.S: Love the show... but you guys are very Canadian O.o' ;) See you guys in Vegas I hope.... eh!

    3. Hey there fellow Canucks…

      Over the years I've had many IT jobs, from network admin to system admin for small consulting firms in my area (nothing big). A common theme was the unwillingness to implement the most basic of security mechanisms, or acknowledge the possibility that the systems/networks we would implement for our clients were perhaps done in an un-secure fashion. As a security enthusiast this was very frustrating.

      On a few occasions, I would prove this using a few simple demonstrations on how easily malware, or a human, could compromise the network (malicious emails, word/pdf docs, ms08_067 for example). Every time my demonstrations were brushed off as "unlikely" or "impossible", requiring a level of technical knowledge that no employee possesses inside "client X". One such place was an ISP, where we would setup and host websites, providing clients with FTP access to upload and download content. I was actually instructed not to make the passwords too complicated, to ensure our clients were able to use it. Even after I had shown my boss a public exploit (from exploit-db) was available for the FTP software used. Again brushed off as "unlikely" seeing the exploit needed to be authenticated to properly function. This, of course, started the debate of weak passwords that lasted all of 2 seconds… At another spot, I actually showed the senior administrator (my supervisor), hosting an SSH server on port 80 was possible… funny. By now I think you get the picture on how security was handled, so I won't go any further.

      My question is what would you say to the lonely sys-admin, in a small to mid-sized firm, on how to handle an employer that doesn't seem concerned at all with security? How should the lonely admin tackle these types of issues without annoying "the boss" with this silly thing called "security", when it's obvious he or she is not willing to listen?

      I'm fortunate enough to no longer be in this situation, but I'm sure there are many out there still living with these types of conditions.
      Steven

      ps.: hope all of this made sense, and good job on the podcast very much enjoying it so far

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-5.mp3
Category:LSD_Podcasts -- posted at: 11:20am EDT
