Tue, 9 October 2012
Episode 11 -- Dave's Away
w00000000000000000t!
Hey Everyone, welcome to the Liquidmatrix Security Podcast - Episode 0x11 or the 18th recording for those who don’t start with zero and are not good at Hexadecimal - or math, like us.
Everyone showed up except Dave. Something about Canadian Thanksgiving causing a Turkey Coma. We manage to struggle through without him. Actually, we think the show turned out just fine. We don't need no stinkin' Dave.
And tonight, let us regale you with tales of:
- LOTS OF NEWS
- Breaches
- SCADAs
- Errata
- …and then our discussion topic - the con report SecTor and Derbycon
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-11.mp3
Category: LSD_Podcasts
-- posted at: 5:48pm EDT
Thu, 4 October 2012
Episode 10 -- It's Special
recorded live at SecTor 2012
There is no Matt. Again. So we found a replacement. As it turns out, pretty much any American whose name starts with "M" will do. Huge thanks to Mike Rothman for helping out with the madness.
This discussion has only four topics:
- Summer of Breaches
- Cyber
- authN / authZ
- Compliancy
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-10.mp3
Category: LSD_Podcasts
-- posted at: 6:47pm EDT
Tue, 18 September 2012
Episode F -- Aboot that
it's not a boot, it's just a really big shoe
Matt won’t be joining us tonight; it’s Ben’s fault. A quick shout out to Jimmy Vo: you will need approximately 15 (or F) shot glasses for this episode.
Aboot, Aboot, Aboot, Aboot!
And tonight, let us regale you with tales of:
- More Malware
- Less Malware
- The SSL monsters
- Ry-Hi
- Twitter
- GoDaddy
- Breaches
- SCADAs
- …and then our discussion topic - what happens after the bad thing happens
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Blackhole 2.0 is out (aboot!)
- Microsoft takes on Nitol (aboot!)
- A story Aboot more SSL weaknesses, let’s introduce you to the CRIME attack
- Aboot getting more skilled at Ryerson - there’s a Rainbow in Toronto for a Certificate in Computer Security and Digital Forensics
- Twitter bows to subpoena, releases Occupy protester's tweets
- GoDaddy, everyone's favourite SOPA supporter, goes down
- Breaches
- Miami hospital hit by second patient breach this year
- Ankit Fadia gets hacked
- The SCADAs
- If Congress and the Senate can’t do it - by gosh, the PRESIDENT will -- Executive Order on Cyber Security in the works?
- Interesting little bit on the side of Digital Bond’s website... “Schneider Has Not Removed Modicon FTP Backdoor Account In 2101 days”
- Errata
- Every vendor that has been sitting on a known vuln for more than 1000 days. Jerks.
- Commentary
- Foot In The Door - Aboot Investigations
- Hardcore
- Defensible Methods
- Chain of Custody
- Judgement Day
- Mailbag / Bizarro Land
-
There is this website where I noticed that they display your login details after offering a quote in plaintext, i.e. they display your username and a password on an http:// connection. So I called their call center and spoke with the manager, yeah, she will relay that information (but I kinda got the impression that she didn't understand what the problem is). Nothing happens for weeks. After maybe 2 months I go back to check and here you go, my username and password are still shown in plaintext on the site. So I sent them an email, clearly marked "to IT or IT security something", explaining it a little bit more technically. Nothing happens again. Since I raised the original issue, about 4 months have passed.
The question is now - is it worth pursuing this further?
Cheers
T
PS: Should any one of you guys ever be in London, pls ping me and I'll buy you a beer! Or two?
- Ben says: http://www.ico.gov.uk/
- In Closing
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library is a copy of the conferences amassed by @helpmerob, and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library, send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor. If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012", or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
- Vote Dave for ISC2 Board Ballot!
- The Seacrest says "'Aboot' to Jimmy Vo, 'Shana Tova' or to our non-Jewish friends, that means 'have a good new year' and it’s time to party like it’s 5772 and then get yourself up and off to work because 5773 is going to be WILD."
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-F.mp3
Category: LSD_Podcasts
-- posted at: 7:30pm EDT
Mon, 10 September 2012
Episode E -- Just a bunch of hosers
Teh Podcast Warz Haz Begun!
It's another week in infosec. I can't get excited about it either. Too many news stories of note, breaches and a new section - the SCADAs. In the same way that we had too many breach stories so we broke them out, we're doing the same with SCADA. Expect a lot of derision from Dave and me -- there's a lot of bullshit and we're calling it.
We'd also like to wave hello to the team at Riskhose. We're sorry that you misinterpreted young Matt's question - we'll straighten you out when we do our Risk-tacular episode this fall. Also, we're starting to suspect that the Riskhose Utahian may be a closet Canadian - he knows too much about Canadian musicians and he does know all of the words to Romantic Traffic (and yes Alex, when you come to Toronto, we'll go visit all of the subway stations so that you can produce your fan version of the video.)
Interestingly, between the Riskhose podcast and some threats from the Southern Fried Security bunch, it's on - the Podcast Wars are here - expect that the next few months are going to be epic in the world of infosec podcasting. We may even take a swipe at NetSec!
- Syria
- SSL Certificate Hijinks
- Cyber
- Hackers
- OSX
- Canadianisms
- The WIFIs
- Google-ized
- …and then our discussion topic - Dumb Stories
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Java.com SSL cert expired
- Al-Jazeera websites hacked by Assad loyalist group
- Cyber attacks grow increasingly "reckless", official says
- 3 years later, hackers who hit Google continue string of potent attacks …and no one is looking out for the stuff that really matters.
- New utility nabs OS X keychain passwords
- Global virus downs N.S. computer system for a month
- Sniffing open WiFi networks is not wiretapping, judge says
- VirusTotal acquired by Google
- No shooting at protest? Police may block mobile devices via Apple
- Breaches
- Guild Wars 2 officials say ongoing password attack affects 11,000 accounts
- Antisec leaks 1,000,001 UDIDs from a trove of 12 million allegedly stolen from an FBI laptop. Or was it 12 million? ...or not? And some apps use IMEI as password!
- NullCrew pillages Sony servers?
- The SCADAs
- Secret account in mission-critical router opens power plants to tampering
- Anonymous Hack Lukoil Bulgaria Site
- Errata
- Vendor Cybercrime Stats
- Commentary
- Foot In The Door - Your Dumbest Story EVAH!!!!
- Dave - VIEW SOURCE HACKERZ
- Jamie - our developer broke SSL -- that’s why we use proprietary encryption. But we’re not telling anyone what/how he did.
- Matt - SQL injected a DB to /dev/null
- Ben - I didn’t feel 3DES was secure because the source is available online, so I invented my own variant
- Hardcore
- Skipping the hardcore because we've got a great Mailbag question.
- Mailbag / Bizarro Land
-
Love your podcast, even if you try to count in Hex :-) It would be great if you were able to dive deep into what modern defenders need to do to get ahead of attackers. Right now, attackers need to only make simple changes to their attacks and defenders are left on their keisters. How do we change that pattern?
Besides deploying antivirus :-)
thanks,
Paul of Seattle
- Matt suggests a cool slide deck from Zane over at Etsy
- Ben suggests you read Liquidmatrix ;)
- … and thanks to Thomas Preissler for his comments about the show!
- In Closing
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library is a copy of the conferences amassed by @helpmerob, and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library, send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor. If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012", or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
- Vote Dave for ISC2 Board Ballot!
- The Seacrest says "I miss Gilmore Girls" and "Skerple"
Direct download: LSDPodcast-E.mp3
Category: LSD_Podcasts
-- posted at: 12:36pm EDT
Sat, 1 September 2012
Episode D -- The Boys of Summer
Good News Everybody!
This is the longest one we've recorded yet -- by 0:59 -- and we will try to get these back down under an hour. Pinky swear. We've also gone over 10000 downloads from 63 countries. That's kinda cool - and thank you all very much. Lots of good stuff in this episode, it's totally worth the 74 minutes.
- Hackers
- The SCADAs
- Java
- Lawyers
- MOAR SCADAS!!!!
- Apple, Microsoft
- Stupid Employee Tricks
- …and then our discussion topic - Employee Tricks
And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-D.mp3
Category: LSD_Podcasts
-- posted at: 3:13pm EDT
Mon, 27 August 2012
Episode C -- Brain Dump
Semi-slow news week this week, so we used the bulk of our time to talk about a topic most of us struggle with (even some of us on the show): productivity! A few stories and our opinions as usual, and also a letter from a listener regarding our own Dave running for the ISC2 board.
Again, if you have any comments, questions, suggestions, hatred, bickering, cyberdouchery, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-C.mp3
Category: LSD_Podcasts
-- posted at: 2:33pm EDT
Wed, 22 August 2012
Episode B -- Artificial Intelligence
Something pithy should probably be written here. All of us have so much on the go that we're saving our creativity for the podcast. Also, this one is pretty long.
If you have thoughts or ideas, please send them to the MailBag (mailbag@liquidmatrix.org) and we'll talk about it here.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-B.mp3
Category: LSD_Podcasts
-- posted at: 3:29pm EDT
Wed, 15 August 2012
Episode A -- The Revolving Absence
No James this week. Apparently, he's afraid of the Cylon^WBen invasion. Also, don't forget to throw something in the old email for us (mailbag@liquidmatrix.org), we're getting lonely - don't you still love us?
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-A.mp3
Category: LSD_Podcasts
-- posted at: 11:31am EDT
Wed, 15 August 2012
Episode 9 -- No Need For Syncizationhron
So we find ourselves again again Mattless. We skipped out last week because of bad hair, bad mojo, conflu and bad karma -- and $19.95 hotel internet (we have no budget and Canadian telcos suck for roaming). Also, this episode is a week late. The blame lies entirely with Ben's computer/ISP issues. Either that or Ben is a closet Cylon and doesn't want us to know.
Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you!
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-9.mp3
Category: LSD_Podcasts
-- posted at: 11:23am EDT
Sun, 22 July 2012
Episode 8 -- Bikini Troubles
So we find ourselves again Mattless. What is it with security professionals and Hawaii? Good stuff in here. Sorry about botching last week's episode link - this one should work better; also, go back and download last week's.
Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you!
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Mahdi, more Middle Eastern spyware
- goodbye Grum
- crazy guy hacks ISP both online and with an axe - (Dave can relate)
- Project 2020 launched by the ICSPA to help predict infosec trends
- blackhole keeps getting “better”
- Elections Ontario can’t keep their data in their pants
- Breaches
- Check out the Summer of Breaches "Scorecard"
- Maplesoft
- ITWallstreet.com - 50,000 accounts
- Elections Ontario - 2.4 million records but 4 million affected
- Pinterest - scrambling to figure out the breach
- Yale - 1,200 usernames with password
- Commentary
- Errata
- Foot In The Door
- safe computing at Defcon (or any hostile network like the internet)
- don’t use the wifi
- use a VPN
- patch, patch, patch
- shut down everything
- Hardcore
- get p0wn3d on an untrusted network ((happens to lots of people, even smart ones, during their presentations - don’t take anything you can’t afford to lose))
- firesheep ((used to be the wall of sheep was a special thing, now it’s a browser extension... use encrypted protocols over an encrypted session))
- the mac store ((Quoting Prez Reagan: Trust but verify -- and there’s something wrong with the Apple purchasing/signing trust path right now -- in-app purchases in iOS have been MiTM’d))
- hotels ((Inverse correlation between cost of hotel room and quality of internet -- also, costs a freaking arm and a leg -- pay-as-you-go 3G data is cheaper.))
- Mailbag
-
Howdy Fellas
Do you think online voting can be done safely? Also, what about you Canadian boys losing all those voter records?
regards
Al from big sky country
- In Closing
- Bsides/BlackHat/DEF CON -- all but Ben / The Intern shall be there.
- There are parties in Vegas
- DEF CON is still cancelled - check status here
- Hacker Pyramid!
- Canadian CERT volunteers, email mailbag@liquidmatrix.org
- Get thee to Securosis and get educated!
- The Seacrest has landed. That’s one small p0wn for hackers, one giant p0wn for hackerkind
Direct download: LSDPodcast-8.mp3
Category: LSD_Podcasts
-- posted at: 4:44pm EDT