Liquidmatrix Security Digest Podcast

Episode 11 -- Dave's Away

w00000000000000000t!

Hey Everyone, welcome to the Liquidmatrix Security Podcast - Episode 0x11 or the 18th recording for those who don’t start with zero and are not good at Hexadecimal - or math, like us.

Everyone showed up except Dave. Something about Canadian Thanksgiving causing a Turkey Coma. We manage to struggle through without him. Actually, we think the show turned out just fine. We don't need no stinkin' Dave.

And tonight, let us regale you with tales of:

1. LOTS OF NEWS
2. Breaches
3. SCADAs
4. Errata
5. …and then our discussion topic - the con report SecTor and Derbycon

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

• News
1. Why no Security for Obama Campaign Website? ((PCI-DSS FTW?))
2. Skeezy fake AV sellers get fined!
3. Criminals seeking botmasters (apparently that’s a word) for MiTM and/or trojan attacks against US banks
4. Practising the cybers in Europe
5. Maple Syrup Strategic Reserve returns to Quebec
6. Cell phones just keep getting more interesting
7. AuthN and Oracle = :(
• Breaches
1. World of Warcraft Catches The Plague and Matt laughs
2. University of Chicago - 9100 identities incl. SSN
• The SCADAs
1. Telvent compromised
2. Smart Meter Data Shared Far and Wide
• Errata
1. hakin9 - “Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning” DICKS!!!
• Commentary
1. Foot In The Door - SecTor
• Geist
• Miller
• Kellman
• Arlen
• Mortman/Bellis
• Trustwave - more and more and more malware
• Failpanel (we had the originator in the audience)
• thoughts on the echo chamber
2. Hardcore - DerbyCon
• The D's Talk
• The Hallway Track
• The Awesome AV
• The Corporate CTF
• Mailbag / Bizarro Land

1. Hey!

   I just watched Ben’s talking head on CTV news, what are your thoughts on Huawei, ZTE? What does this mean to Canada?

   Paranoidly,

   Jacques L, QC

2. Also, awesome feedback from @armorguy (master Martin Fisher of Southern Fried Security podcast) on episode F, he said we were awesome and other people should copy us (we’re looking at you Riskhose)
• In Closing
1. We do research too - Ben's running a survey and will publish results. Check it out!
2. The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
3. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
4. Upcoming appearances by the Liquidmatrix Crew at HouSecCon and HackFest.ca
5. It’s been rebooted! The Doing Infosec Right Sexy Defense team is off to a flying start with the Strategic Defense Execution Standard (#SDES)
6. The Seacrest says “We miss you Dave, please come back soon."

Creative Commons license: BY-NC-SA

Episode 10 -- It's Special

recorded live at SecTor 2012

There is no Matt. Again. So we found a replacement. As it turns out, pretty much any American who's name starts with "M" will do. Huge thanks to Mike Rothman for helping out with the madness.

This discussion has only the four topics:

1. Summer of Breaches
2. Cyber
3. authN / authZ
4. Compliancy

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

• Useful Links
1. Slides
2. Video of Presentation (low quality)
• In Closing
1. We do research too - Ben's running a survey and will publish results. Check it out!
2. The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
3. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
4. The Seacrest says “Move to Atlanta, there's no snow!"

Creative Commons license: BY-NC-SA

Episode F -- Aboot that

it's not a boot, it's just a really big shoe

Matt won’t be joining us tonight, it’s Ben’s fault. A quick shout out to Jimmy Vo, you will need approximately 15 or F shot glasses for this episode.

Aboot, Aboot, Aboot, Aboot!

And tonight, let us regale you with tales of:

1. More Malware
2. Less Malware
3. The SSL monsters
4. Ry-Hi
5. Twitter
6. GoDaddy
7. Breaches
8. SCADAs
9. …and then our discussion topic - what happens after the bad thing happens

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

• News
1. Blackhole 2.0 is out (aboot!)
2. Microsoft takes on Nitol (aboot!)
3. A story Aboot more SSL weaknesses, let’s introduce you to the CRIME attack
4. Aboot getting more skilled at Ryerson - there’s a Rainbow in Toronto for a Certificate in Computer Security and Digital Forensics
5. Twitter bows to subpoena, releases Occupy protester's tweets
6. GoDaddy, everyones favourite SOPA supporters goes down
• Breaches
1. Miami hospital hit by second patient breach this year
2. Ankit Fadia gets hacked
• The SCADAs
1. If Congress and the Senate can’t do it - by gosh, the PRESIDENT will -- Executive Order on Cyber Security in the works?
2. Interesting little bit on the side of Digital Bond’s website... “Schneider Has Not Removed Modicon FTP Backdoor Account In 2101 days”
• Errata
1. Every vendor that has been sitting on a known vuln for more than 1000 days. Jerks.
• Commentary
1. Foot In The Door - Aboot Investigations
• corporate policy
• lawyers are your friends
• purpose of the investigation (knowledge or action)
• http://it.toolbox.com/blogs/securitymonkey/
• http://www.sleuthkit.org/
• http://www.guidancesoftware.com/
2. Hardcore
• Defensible Methods
• Chain of Custody
• Judgement Day
• Mailbag / Bizarro Land

1. There is this website where I noticed that they display your login details after offering a quote in plaintext, ie. they display your username and a password on a http:// connection. So I called their call center and spoke with the manager, yeah, she will relay that information (but I kinda got the impression that she didn't understand what the problem is). Nothing happens for weeks. After maybe 2 months I go back to check and here you go, my username with password are still shown in plaintext on the site. So I sent them an email, clearly marked "to IT or IT security something" explaining it a little bit more technical. Nothing happens again. Since I raised the original issue, about 4 months have passed.

   The question is now - is it worth pursuing this further?

   Cheers

   T

   PS: Should anyone of you guys be once in London, pls ping me and I buy you a beer! Or two?

2. Ben says: http://www.ico.gov.uk/
• In Closing
1. We do research too - Ben's running a survey and will publish results. Check it out!
2. The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
3. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
4. Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012" or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
5. Vote Dave for ISC2 Board Ballot!
6. The Seacrest says “'Aboot' to Jimmy Vo, 'Shana Tova' or to our non-Jewish friends, that means 'have a good new year' and it’s time to party like it’s 5772 and then get yourself up and off to work because 5773 is going to be WILD."

Creative Commons license: BY-NC-SA

Episode E -- Just a bunch of hosers

Teh Podcast Warz Haz Begun!

It's another week in infosec. I can't get excited about it either. Too many news stories of note, breaches and a new section - the SCADAs. In the same way that we had too many breach stories so we broke them out, we're doing the same with SCADA. Expect a lot of derision from Dave and I -- there's a lot of bullshit and we're calling it.

We'd also like to wave hello to the team at Riskhose. We're sorry that you misinterpreted young Matt's question - we'll straighten you out when we do our Risk-tacular episode this fall. Also, we're starting to suspect that the Riskhose Utahian may be a closet Canadian - he knows too much about Canadian musicians and he does know all of the words to Romantic Traffic (and yes Alex, when you come to Toronto, we'll go visit all of the subway stations so that you can produce your fan version of the video.)

Interestingly, between the Riskhose podcast and some threats from the Southern Fried Security bunch, it's on - the Podcast Wars are here - expect that the next few months are going to be epic in the world of infosec podcasting. We may even take a swipe at NetSec!

1. Syria
2. SSL Certificate Hijinks
3. Cyber
4. Hackers
5. OSX
6. Canadianisms
7. The WIFIs
8. Google-ized
9. …and then our discussion topic - Dumb Stories

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

• News
1. Java.com SSL cert expired
2. Al-Jazeera websites hacked by Assad loyalist group
3. Cyber attacks grow increasingly "reckless", official says
4. 3 years later, hackers who hit Google continue string of potent attacks …and no one is looking out for the stuff that really matters.
5. New utility nabs OS X keychain passwords
6. Global virus downs N.S. computer system for a month
7. Sniffing open WiFi networks is not wiretapping, judge says:
8. VirusTotal acquired by Google
9. No shooting at protest? Police may block mobile devices via Apple
• Breaches
1. Guild Wars 2 officials say ongoing password attack affects 11,000 accounts
2. Antisec Leaks 1,000,001 UDIDs From A Trove Of 12 Million Allegedly Stolen From An FBI Laptop Or was it 12 million? ...or not? and some apps use IMEI as password!
3. NullCrew pillages Sony servers?
• The SCADAs
1. Secret account in mission-critical router opens power plants to tampering
2. Anonymous Hack Lukoil Bulgaria Site
• Errata
1. Vendor Cybercrime Stats
• Commentary
1. Foot In The Door - Your Dumbest Story EVAH!!!!
• Dave - VIEW SOURCE HACKERZ
• Jamie - our developer broke SSL -- that’s why we use proprietary encryption. But we’re not telling anyone what/how he did.
• Matt - SQL injected a DB to /dev/null
• Ben - I didn’t feel 3DES was secure because the source is available online, so I invented my own variant
2. Hardcore
• Skipping the hardcore because we've got a great Mailbag question.
• Mailbag / Bizarro Land

1. Love your podcast, even if you try to count in Hex :-) It would be great if you were able to dive deep into what modern defenders need to do to get ahead of attackers. Right now, attackers need to only make simple changes to their attacks and defenders are left on their kiesters. How do we change that pattern?

   Besides deploying antivirus :-)

   thanks,

   Paul of Seattle

2. Matt suggests a cool slide deck from Zane over at Etsy
3. Ben suggests you read Liquidmatrix ;)
4. … and thanks to Thomas Preissler for his comments about the show!
• In Closing
1. We do research too - Ben's running a survey and will publish results. Check it out!
2. The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
3. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
4. Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012" or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
5. Vote Dave for ISC2 Board Ballot!
6. The Seacrest says “I miss Gilmore Girls" and "Skerple"

Episode D -- The Boys of Summer

Good News Everybody!

This is the longest one we've recorded yet -- by 0:59 -- and we will try to get these back down under an hour. Pinky swear. We've also gone over 10000 downloads from 63 countries. That's kinda cool - and thank you all very much. Lots of good stuff in this episode, it's totally worth the 74 minutes.

1. Hackers
2. The SCADAs
3. Java
4. Lawyers
5. MOAR SCADAS!!!!
6. Apple, Microsoft
7. Stupid Employee Tricks
8. …and then our discussion topic - Employee Tricks

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

• News
1. Microsoft NZ exposes TechEd delegates' passwords
2. Hackers vent ire, deface Youth Congress site
3. Antisec Hackers Breach Globalcerts, Post Data Online
4. Oilsands a hacker target: RCMP
5. Particularly good article on impact of Java vulns on Mac users and
6. American Bar Association Ethics rules now require IT knowledge
7. Apple Genius Training Manual
8. Toyota hacked by ex-IT worker, sensitive info stolen
9. ZOMG ANOTHER SCADAS! RasGas computers are “aramco’d” and Who's responsible
• Breaches
1. 1 MILLION accounts leaked in megahack on banks, websites
2. Indianapolis based Cancer Care Group -- 55k medical records
3. Canada's Maple Syrup Strategic Reserve Stolen (no, not a joke)
• Errata
1. Something hinky going on with Aaron Portnoy (former TippingPoint ZDI manager)
• Commentary
1. Foot In The Door - Employee Tricks
• How to find the really great employees
2. Hardcore
• And how to get rid of the really bad ones
• Mailbag / Bizarro Land

1. Hi LSD crew

   REDACTED REDACTED REDACTED. What about REDACTED?

   ((We're taking this as "how to manage the need to communicate without being able to communicate" -- aka, the frieNDA.))

   thanks,

   Jimmy, Nova Scotia

• In Closing
1. The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: that link will send you to http://myrcurial.com/conferences but you can totally trust that guy)
2. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
3. Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor
4. Vote Dave for ISC2 Board Ballot!
5. The Seacrest says “Everybody's working for the weekend"

Creative Commons license: BY-NC-SA

Episode C -- Brain Dump Semi-slow news week this week so we used the bulk of our time to talk about a topic most of us struggle with (even some of us on the show) productivity! A few stories and our opinions as usual and also a letter from a listener regarding our own Dave running for the ISC2 board. Again, if you have anything comments, questions, suggestions, hatred, bickering, cyberdouchery, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

• News
1. Stripe CTF
2. DropBox implementing 2-factor Auth!
3. More U.S. military hacking in Afghanistan
4. Yet another Java 0-day being exploited in the wild
   Exploit Code!
5. ISC-CERT issues warning on RuggedCom/Siemens gear
   ICS-Alert PDF
6. Gauss researchers trip over Kaspersky operated sinkhole
7. NIST releases a standard on secure BIOS
8. Aramco threatened with more breaches
• Breaches
1. University of South Carolina (34,000) of a total 81,000 since 2006) - ThreatPost Article
• Commentary
1. Errata
• Not much in Errata this week
2. Foot In The Door
• Infosec Productivity

• James posted about triple monitor setup and got a bunch of questions about how his work environment is set up.

  And productivity porn is always cool (don’t deny it, you’re all fetishistically interested in getting your to-do lists underway)
  
  - we’re getting around to the beginning of the school year here in Canada (we know that most americans have already started)
  - so it’s time for the annual trip to Staples for school/office supplies
  - How do you keep your stuff in order as you work through the life that many of us share:
  + multiple concurrent lives
  + “work” work
  + “volunteering” work
  + family / friends
  + professional development
  +
  - Do you trust your digital minions?
  - Do you commingle in a BYOD way?
  - What about people that you have relationships with (spouse uses paper?)
  - Covey? David Allen (GTD)?
  - “Time Management for System Administrators” (Thomas A. Limoncelli)
  - Getting Things Done

3. Hardcore
• Stuff We Each Use To Get By:
• James:
• Devices: MBA11 / iPad2 / iPhone4s
• Scanner to go paperless
• Sync: iCloud
• SpiderOak Here's my referral link
• Dropbox Here's my referral link
• Box.com
• Rsync w/ local duplicates
• Local Software:
• Mail
• Calendar
• Reminders
• OmniFocus (OSX / iPad)
• Evernote
• Web Stuff:
• Google for years - getting away from them now
• Remember The Milk - moved all of that into OmniFocus
• If This Then That
• Trello (because the Securosis boys require it and it comes from Joel)
• When I’m working at client sites, I generally have to use the things that they use.
• Dave ditto, James.
• Ben
• schedule, schedule, schedule - religiosity with my Outlook calendar
• task lists
• shared knowledge - team wiki
• team meetings & delegation
• risk tracking tools - e.g. RSAM/
• clear boundaries - turn your phone off - giant whiteboard
• Matt
• To-Do List App
• Pen & Paper!!!
• Keep yourself away from your screen Anti-RSI
• Save a few seconds a day if you are a multi-monitor user Stay App
• Mailbag

1. Hi Dave

   What’s the deal with running for the ISC2 board?

   
   JJ
• In Closing
1. Matt’s movie review...
2. There shall be LSD folk at TASK in Toronto next week.
3. University of Reddit - Open Security Training classes on malware analysis
4. Sector CFP selections Monday night.
5. Vote Dave! http://www.liquidmatrix.org/blog/vote-for-dave/
6. The Seacrest says “1st star to the left and straight ahead, Mr Armstrong”

Creative Commons license: BY-NC-SA

Episode B -- Artificial Intelligence Something pithy should probably be written here. All of us have so much on the go that we're saving our creativity for the podcast. Also, this one is pretty long. If you have thoughts or ideas, please send them to the MailBag (mailbag@liquidmatrix.org) and we'll talk about it here. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

• News
1. iOS SMS spoofing (a problem with SMS in general) and Apple’s response (use iMessage) - trust us it’s secure - via reddit
2. Court Rules That It's OK for Your Facebook Friends To Rat You Out to the FBI
3. Google helps vuln researchers make bank with Pwnium2 - get your sploits on (but not you Vupen)
4. NSS asked: Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities? - short answer, sorta, but not so much over SSL PDF Link
5. Some smart-ass talks about scada and cyberdouchery referencing the Rugged issue
6. Fidelis get’s bought by the military industrial complex
7. Artillery Threat Intelligence Feed
8. shamoon makes your day worse after stealing your data
• Breaches
1. Check out the Summer of Breaches "Scorecard"
2. AMD
3. Philips
• Commentary
1. Errata
• Dave had a chat with Dorsey Morrow at ISC2
• The Seacrest stands on an embassy balcony and tries to tell the world what do

Episode A -- The Revolving Absence No James this week. Apparently, he's afraid of the Cylon^WBen invasion. Also, don't forget to throw something in the old email for us (mailbag@liquidmatrix.org), we're getting lonely - don't you still love us? DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

• News
1. BeeF supports gmail phishing (great tool)
2. Georgia tech announces Titan via securityweek
3. Trapwire? what’s this? a secret government facial recognition program not run by the government
4. Dorifel and Gauss zee dutch! via reddit
5. FinFisher is everywhere!
• Breaches
1. Check out the Summer of Breaches "Scorecard"
2. Stanford hospital (again) - 2,500
3. Nepal gov - nepal?
4. Blizzard p0wned - ~2.4 million accountsand SRP is not going to save them - good analysis from opine.me
• Commentary
1. Errata
• Errata - Gregory Evans back in the news via Firechief
2. Foot In The Door
• Government trojans
• Finfisher
• German police
• Syrians
• DuquStuxnetFlameStarsMardiEtc…
3. Hardcore
• Anti-malware versus .gov
• Mailbag

1. nothing quality in the mailbag - still getting semi-naked pictures of Alex Hutton riding a risk fish in a banana hammock - while tasteful we’d appreciate it if you sent us actual questions

   BTW go check out risk fish

• In Closing
1. and now for Matt’s movie review
2. get your CFP on - SECORE.info - great site
3. shout out to HouSecCon
4. 7 minutes of hell and the Seacrest Science Laboratory has landed on NBC crater

Episode 9 -- No Need For Syncizationhron So we find ourselves again again Mattless. We skipped out last week cause of bad hair, bad mojo, conflu and bad karma -- and $19.95 hotel internet (we have no budget and Canadian telco’s suck for roaming. )Also, this episode is a week late. The blame lies entirely with Ben's computer/ISP issues. Either that or Ben is a closet Cylon and doesn't want us to know. Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you! DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

• News
1. Getting nailed via iCloud
2. Canadian double agent out does the whole wikileaks scandal
3. Matasano gets sold
4. NIST release Common Misuse Scoring System (pdf link)
5. Blackberry gives up any sense of decency and agrees to hand over crypto keys (or not)
6. Yahoo sued for breach
• Breaches
1. Check out the Summer of Breaches "Scorecard"
2. Reuters hacked
3. Dropbox was actually breached
• Commentary
1. Errata
• The tale of Rahul Tyagi
2. Foot In The Door
• An intro to BH/DC
• being a goon / don’t be a douche
• DEF CON Comedy Jam V, V for Vendetta (The FAIL Panel)
• Misogyny Networks
• hacking all of the jukeboxes
• suitcase sword & rocket launcher
• waffles
• pentest failures
• 3 minutes of me talking about labour mobility
• Hacker Pyramid -- The usual fun-ness plus $1436 raised
• Ninja-Tel -- one of the coolest things going
3. Hardcore
• Diving in further - great talks
• Arsenal -- Smartphone Pentest Framework
• Sexydefense - maximizing the home field advantage
• Exploiting The Jemalloc Memory Allocator: Owning Firefox’s Heap
• Owning Bad Guys (And Mafia) with Javascript Botnets
• Mailbag

1. Gr33tz & Lulz LM crew

   What’s your take on this whole vuln selling thing?

   
   

   Some guy, The Internet

• In Closing
1. BH12 talks are out
2. Next week we’ll be launching a new section called Infosec at the movies - Matt will critique all the bad hacking in the movie he went to see the previous weekend
3. and Seacrest goes for the gold! (that’s an olympics reference)

Episode 8 -- Bikini Troubles So we find ourselves again Mattless. What is it with security professionals and Hawaii? Good stuff in here, sorry about botching last week's episode link - this one should work better, also, go back and download last weeks. Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you! DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

• News
1. Madhi, more middle eastern spyware
2. good bye grum
3. crazy guy hacks ISP both online and with an axe - (Dave can relate)
4. Project 2020 launched ISCPA to help predict infosec trend spotting project
5. blackhole keeps getting “better”
6. elections Ontario can’t keep their data in their pants
• Breaches
1. Check out the Summer of Breaches "Scorecard"
2. Maplesoft
3. ITWallstreet.com - 50,000 accounts
4. Elections Ontario - 2.4 million records but 4 million affected
5. Pinterest - scrambling to figure out the breach
6. Yale - 1,200 usernames with password
• Commentary
1. Errata
• Oracle won't patch critical hole in Database (because it’s hard)
2. Foot In The Door
• safe computing at Defcon (or any hostile network like the internet)
• don’t use the wifi
• use a VPN
• patch, patch, patch
• shut down everything
3. Hardcore
• get p0wn3d on an untrusted network ((happens to lots of people, even smart ones, during their presentations - don’t take anything you can’t afford to lose))
• firesheep ((used to be the wall of sheep was a special thing, now it’s a browser extension... use encrypted protocols over an encrypted session))
• the mac store ((Quoting Prez Reagan: Trust but verify -- and there’s something wrong with the Apple purchasing/signing trust path right now -- in-app purchases in iOS have been MiTM’d))
• hotels ((Inverse correlation between cost of hotel room and quality of internet -- also, costs a freaking arm and a leg -- pay-as-you-go 3G data is cheaper.))
• Mailbag

1. Howdy Fellas

   Do you think online voting can be done safely? Also, what about you Canadian boys losing all those voter records?

   
   

   regards

   Al from big sky country

• In Closing
1. Bsides/BlackHat/DEF CON -- all but Ben / The Intern shall be there.
2. There are parties in Vegas
3. DEF CON is still cancelled - check status here
4. Hacker Pyramid!
5. Canadian CERT volunteers, email mailbag@liquidmatrix.org
6. Get thee to Securosis and get educated!
7. The Seacrest has landed. That’s one small p0wn for hackers, one giant p0wn for hackerkind