Mon, 24 December 2012
Episode 0x1A -- Happy Holidays Everyone
Upcoming this week...
- SCREW THE NEWS!!!!!!!
- and then our discussion topic-- Predictions and Prognostication
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- Discussion topic -
- Dave's Point of view(cough cough sputter germs)
- Ben Says...looking back... weaponized stuff, and the lack of it looking forward... good enough security leads us to more awesome projects like security onion
- The Intern opines on conferences, human resources and infosec
- Matt is in denial about... Jamie and I quoted in an article together! Hack all the toasters! Breaches!! 2012 Web Vuln Stats super crazy chicken pants. SQLi What?! Passwords suck! (Password Reset sucks harder!) Bug Bounty! (Yandex)
- James gets the last word... THE FUCKING SCADAS
- no he doesn't... Ben wants to say something
- In Closing
- Seacrest Says: You'll see my ball dropping in a week!
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-1A.mp3
Category: LSD_Podcasts
-- posted at: 5:18pm EDT
Sun, 2 December 2012
In what can only be described as a collision of intergalactic import, the three bestest information security podcasts have come together and produced...
THE SOUTHERN MATRIX HOSE PODCAST
Have a listen for a half hour of:
Bringing you the infosec commentary that you crave from the Security Zone conference in beautiful Cali Columbia.
Since we're in a tropical paradise, there really isn't the patience for things like show notes. Have a listen and you'll be impressed, we swear.
Creative Commons license: BY-NC-SA
Direct download: slmrh1.mp3
Category: LSD_Podcasts
-- posted at: 5:21pm EDT
Fri, 30 November 2012
Episode 0x19 -- It's EARLY - and we like it!
No Matt. But Ben does a great Matt impression. In mashed potatoes.
It's another week in the wide wonderful world of Infosec. And every day feels like drinking from the firehose of Infosec Reactions. Seriously.
Upcoming this week...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic-- You Got Half A Budget Now What?
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-19.mp3
Category: LSD_Podcasts
-- posted at: 12:58pm EDT
Tue, 27 November 2012
Episode 0x18-- How Do You Spell Aguardiente?
Beginning the end of 2012 - Because it's time to start making up lists of resolutions that we're not going to follow.
Dave developed a new giggity move, it's called "the kasperskian" - y'all should consider it a way to buy votes that this is an audio only podcast.
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic--
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-18.mp3
Category: LSD_Podcasts
-- posted at: 1:24pm EDT
Wed, 21 November 2012
Episode 0x17-- Turkey Time
We're going to try to keep this one relatively short. Seriously.
Of course, it's a day late because I did a boo boo on the recording. Don't ask.
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic--
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Hack any skype account in 6 easy steps
- FACEBOOK SSL FOR EVERYONE
- Linux rootkit doing iFrame injections [Full Disclosure] [CrowdStrike]
- Dissecting a Facebook Scam
- Telstra - still can't get security right
- Killing 4G networks with a suitcase radio thingy
- Wikid Publishes free eGuide on adding 2factor
- Web Engineer's Online Toolbox
- Breaches - The never ending never ending story...
- FreeBSD intruded upon
- Skype
- Adobe
- NASA - good at going to Mars, not so much at keeping laptops safe
- Health facilities in Mass and RI lose tapes
- The SCADAs
- (WARNING: PDF) From Luigi Auriemma - ABB has problems that look like CoDeSys
- Obama signs secret directive to help thwart cyberattacks
- Errata / DERP of the week award
- United States on Brink of Major Cyber Attack, Industry Executive Predicts (Deloitte Center for Cyber Innovation)
- Mailbag / Bizarro Land
- RE: Canadian Satellites
Hey guys. Thanks for the shout-out in Episode 14 regarding the Diginotar report. Unfortunately I'm going to have to award you guys a mini-derp award for your comments that same episode on the story about the Canadian Navy buying satellite services from Inmarsat as satellites just happen to be my area of expertise. Yes, Canada does have its own communications satellites. They are managed by a company called Telesat. However, they are not of use to the Canadian Navy because they are located in the wrong place, operate on the wrong frequencies, and provide the wrong types of services for what the Navy needs. Communications satellites of this type operate in the geostationary belt (GEO), an orbit around the Equator 36,000 km above the Earth. The radio spectrum in this orbit is pretty congested, so early on international regulation of the satellites in this orbit and the spectrum they use was given to an organization called the ITU. Countries apply to the ITU for specific orbital slots and frequencies in the GEO belt and then license those to their companies. Canada has slots over North America and associated frequencies that are used by Telesat for what's called Fixed Satellite Services (FSS) - mainly broadcast TV and a host of communications services to remote communities in northern Canada. But these frequencies and antenna patterns are not what's used for mobile communications, nor does Canada have any satellite slots in other locations to provide global coverage which is kinda important for ships. Inmarsat on the other hand has the slots and frequency allocations to specialize in Mobile Satellite Services (MSS). They have a fleet of satellites located at various points around the Equator to give global coverage and the types of frequencies and coverage to provide mobile services to ships. Pretty much if you're operating a ship you're going to buy services from Inmarsat. More: Telesat and Inmarsat
Brian W.
- Skyrim Jokes
Hey guys, I don't have any Skyrim jokes but do have an odd anecdote for you. While playing Skyrim and listening to the LSD, I've found that I _have_ to turn off the Xbox Kinect controls or else bad things happen. Apparently Matt's voice is finely tuned as a Weirding Word. I'll be merrily bopping around a character in a dungeon of some type when, all of a sudden, a dragon shout gets kicked off and kills all attempts at stealth that I've been trying to muster. It's only Matt's voice that kicks off the shouts. Take that for what you will. John D.
Fus Roh Dah!
- Wrong questions being asked about security involvement in PMO/SDLC work
Hey guys, I'm listening to 0x15 and a question made in there really got in between my teeth. "Does making security part of the SDLC make the software more secure?" is the wrong question to be asking. Whether or not having risk evaluations or threat modeling as part of the SDLC should be a concern, it's not the approach I've found works when I've introduced it into the SDLCs in which I've been involved. Let's break out of our security cliques for a moment and realize that ultimately many of us tell ourselves that what we do matters in order to justify the dissonance we have in our brains for putting up with the crap we do because we actually enjoy what we do, for the most part. By and large, we're not altruists. Having the guts to come out and say "Yeah, I know what I do for an organization rarely makes the world a better place, but gosh darn it I like/love what I do." can go a long way to asking the right questions to keep ourselves employed and pertinent to the business that pays us to do cool things. Once you get out of the "what I do is important, dammit" mindset, asking the following question better serves us as a whole. Does making security part of the SDLC/project/product make the business more money or save the business more money than had it not been part of the SDLC/project/product as much as we're pushing? If you can justify the change, you can be relatively assured that someone in charge of playing with the moneys will listen. Phrasing the question that way also lends to promoting the idea to the money people that what they do is ultimately important and feeds their own dissonance-hating mechanisms. John D. P.S. This approach has also saved me from the dreaded infosec burnout.
- In Closing
- Movie Review Matt saw Twilight - point and laugh!
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "go do bad bad things to a turkey"
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-17.mp3
Category: LSD_Podcasts
-- posted at: 4:44pm EDT
Tue, 13 November 2012
Episode 0x16-- One Time, At Security Camp...
There's too much news. We need to do MORE podcasts!
Also, it's time to say goodbye Mitt!!! Can't say as we're sorry to see you go, but yaknow.
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic -- hunting dirty traitor rat bastids!!!
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Coca-Cola hacked ahead of Huiyuan acquisition attempt, but didn’t tell shareholders
- SEC left computers vulnerable to cyber attacks, sources say
- Firm suing sites that use SSL / TLS
- Vuln in Call of Duty Modern Warfare 3
- Adobe 0day! in other news water is wet russian guy demos p0wnage using new adobe 0day - voice over provided by not a russian guy $50,000 for a fresh hot 0day
- Nike Fuelband rats out cheating two-timing bastard that broke your heart with that skanky ho
- Secrets, Schemes, and Lots of Guns: Inside John McAfee’s Heart of Darkness
- Australian Telcos Declare SMS Unsafe For Bank Transactions
- Breaches - The never ending never ending story...
- Twitter All A-Flutter Over Possible Data Breach
- but Twitter says no to two factor auth
- Pizza Hut Australia Dishes Up A Data Breach As Hackers Slice In [Updated]
- The SCADAs
- Chevron was infected by stuxnet way back when but forgot to tell anyone
- Support Forums Reveal Soft Underbelly of Critical Infrastructure
- Errata / DERP of the week award
- ENGAGE TINFOIL HATS EVERYONE...
- Here’s Enough Digital Espionage to Scare James Bond [INFOGRAPHIC]
- SQL Injection - it's a windows XP thing - REALLY - The Strange Tale of a Virus Called SQLi
- Foot In The Door
- tracking down a mole mole mole mole
- Cisco VP To Memo Leaker: Finding You Now 'My Hobby'
- It's not trivial to sort things out after the fact unless you have the logs and auditing turned on - go do that now.
- Mailbag / Bizarro Land
Hi,
thanks for your video with Dave, I really enjoyed that.
I am wondering and I think you mentioned something like that - but I would find it interesting if all of you guys could be on video like that... (hehe... enjoying it here, sitting in the first row...)
What about some questions from your audience? Not that I have some ready now, but I am sure I could make up some (not embarrassing ones of course - ha!).
Just some thoughts - but keep up the good work!
Cheers Thomas P.
Hello guys, and thank you for the great show.
Referring to your second episode where you flamed Iran IrCERT, I just thought I would let you know that Libya now also has a CERT, it's called LY-CERT and you can find them online here http://cert.ly
Regards
Ahmed S.
Greetings from +52° 56' 58.92", -1° 9' 0.36" (approx),
As you all adore PCI-DSS so much, I figured I'd share this article with you: Silicon Republic
Some of my favourite quotes:
- "Fewer incidents of large-scale credit card data theft are a sign that PCI-DSS standards are finally having an effect among large retailers, the director of the group’s security standards council has claimed."
- "Mark Gallagher, keynote speaker at the Dublin event, drew parallels between Formula One and PCI-DSS in how they approach risk."
- "You’ve got to have defence in depth and PCI gives you that best defence."
I can already hear James Arlen screaming.
Keep up the good work and try not to have an aneurysm!
Cheers, Graham S
- In Closing
- Dave's Movie Review Life of Pi - he likes boats.
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "I like cake, even though it's a lie."
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-16.mp3
Category: LSD_Podcasts
-- posted at: 5:34pm EDT
Mon, 12 November 2012
Television Episode 0x03 -- SecTor Interviews The Third
NFC with Charlie - IT'S MILLER TIME
Back again again - An interview with Charlie Miller at SecTor during which you may want to hold your phone tightly in a tinfoil hat of its own.
If you don't know the name Charlie Miller - you should head over and read his Wikipedia Page first and then come back and watch the video. Charlie has been doing some cool things with NFC on phones. He's goooooood at messing them up using only a passive NFC tag! You'll learn something if you pay attention, I swear.
There's more of these in the queue. Tell us what you think or what you'd like to see.
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones/cover the screen if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSD-TVEp0x03-med.m4v
Category: LSD_Television
-- posted at: 9:24pm EDT
Tue, 6 November 2012
Episode 0x15 -- So Much News...
Pre-election Bets Are Off
Starting off this week with a couple of Con Reports - Ben, you go first... how was HackFest? ((wait)) and Dave - what was the high point of your HackFest experience? ((crickets))
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic -- Security in a Project Context
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- The Kremlin’s New Internet Surveillance Plan Goes Live Today
- Coca-Cola hacked ahead of Huiyuan acquisition attempt, but didn’t tell shareholders
- PayPal security holes expose customer card data, personal details
- Skype Gives Security Firm Details of Alleged PayPal Hacker Without Warrant
- US gov says you don't own your stuff if you put it in the cloud (via slashdot)
- The Georgians p0wn their p0wner
- F-Secure Mobile Threat Report 2012 (pdf link)
- NJ residents displaced by storm can vote by email
- Breaches - The never ending never ending story...
- Lady Gaga web site hacked
- Team Ghostshell Allegedly Spills 2.5 M Russian Records
- The SCADAs
- Legal fears muffle warnings on cybersecurity threats
- Errata / DERP of the week award
- Sorry US gov. It's on you. For how long have you known about this?
- Most U.S. Drones Openly Broadcast Secret Video Feeds
- Inmarsat to furnish global broadband to Canadian navy
- Commentary
- Foot In The Door - Security In a Project Context
- why testing isn't enough
- how you can play in the SDLC
- Hardcore - How to change the system to suit your needs
- building standardized methodology chunks
- playing well with others (have the PMO do your job)
- functional vs. non-functional specifications
- Mailbag / Bizarro Land
Hey guys. Love the podcast. Not sure if you saw, but the report from the investigation of DigiNotar, the Dutch CA that got violated last year, is out: PDF
Given some of the things you highlight on the podcast it would probably be worth talking about on the show as an example of what not to do. Diginotar had a segmented network and good physical security but also a poorly configured firewall and IPS (managed by an external 3rd party) and no real procedures for examining logs from either.
Despite these "defenses", the intruder was able to compromise an external-facing server and use it to pivot to the internal network, get access to a machine that creates certificates, and issue over 500 rogue certificates, including one that was used to execute a MITM attack on Gmail users in Iran.
---------
Brian
- In Closing
- Matt's Movie Review No
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "vote for something"
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-15.mp3
Category: LSD_Podcasts
-- posted at: 3:14pm EDT
Wed, 31 October 2012
Episode 0x14-- Happy Birthday Mr. Gattaca... we'll vote for you too.
There's interesting things afoot. Y'all should pay attention.
This is the 21st episode for those of you that don't have 16 fingers. Not sure we should be revealing this yet, but it's going to be a wild winter solstice celebration this year. The southern folk at Southern Fried Security and this gang of teenage malcontents are up to no good. Well, actually extra special good. Let me sum up - it's Security Charity... Gangnam Style.
Stay tuned for the carnage.
Upcoming over the next hour...
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic--Disaster Recovery
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Service Sells Access to Fortune 500 Firms
- U.S. looks to replace human surveillance with computers
- How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole (CSO Online has an opinion too)
- Broadcom DoS on BCM4325 and BCM4329 devices
- Auditor General Report: Canada is sucking at the "cyber"
- The Kiwi .gov makes their internal network kiosk accessible
- China Unicom replaces Cisco devices over security concerns
- Huawei gives Australia peeks at its network hardware and code to regain trust
- Hire great infosec people (and keep them) !
- Breaches - The never ending never ending story...
- Billabong Hacked Again (yes, again), Hackers Claim to Have Obtained 37,000 Account Details
- Peru Domains Registrar hacked and 207116 Domain panel credentials leaked
- South Carolina Suffers Massive Data Breach
- Attacker grabs data for 3.6 million South Carolina taxpayers; governor wants to see culprit "brutalized"
- Hackers crack Texan bank, Experian credit records come flooding out
- Vermont credit union discards unencrypted data of 85,000
- Anonymous owns a police forum
- The SCADAs
- Critical flaw found in software used by many industrial control systems
- Cybergeddon now? Industrial control systems targeted
- Errata / DERP of the week award
Dear Sir/Madame,
My name is Jakub Walczak, and I work for Hakin9 – the magazine that reaches over 60 000 readers mainly in the USA, India, and Australia.
I have seen your website and I was wondering if you would like to cooperate with us. Please let me know.
I am looking forward to hearing from you.
Regards,
Jakub Walczak
- Sorry Jakub, perhaps you should listen to the show or read about our opinions of Hackin9 before you send email like this again. Just sayin.
- Commentary
Yeah, so we ran a little long... the commentary segment has been pulled out into a separate recording. It'll show up on the RSS feed tomorrow, but if you want it right now, you can grab it here.
- Foot In The Door - Disaster Recovery
- C, I and A <-- that one counts
- RTO, RPO
- practice, practice, practice
- Hardcore - Recovering from the Disaster you didn't plan for
- Do the post-mortem. Netflix's AWS outage post-mortem
- do security olde style - use the opportunities provided by the red-print report to get the thing fixed right.
- Make sure you've prepared yourself
- Including a "get home" bag at the office
- Don't make plans that require employees to run on infrastructure that might not be there
- Mailbag / Bizarro Land
The quick & dirty: Stroz Friedberg evaluated the technical watchdog (MarkMonitor) for the so-called ISP "Six Strikes", and gave it a thumbs-up. However, SF was also actively lobbying for the RIAA between 2004 and 2009.
I want to like this company - they're doing it less wrong than many other folks - and thus I find myself experiencing another bout of Infosec Depression.
Original article, albeit from a non-impartial source here
-Jim
- In Closing
- Matt's Movie Review Argo was so good - That Ben Affleck is DELICIOUS
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: Ben and Dave at HackFest in Quebec City, James at SecurityZone in Cali, Colombia
- BSidesDave - held immediately after Hackfest, Dave will not be sleeping before his flight home, so keep him company
- Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee!
- Seacrest Says: "Why are my pants wet?" Hope everyone makes it through #Sandy safely
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-14.mp3
Category: LSD_Podcasts
-- posted at: 1:58pm EDT
Mon, 22 October 2012
Episode 0x13 -- the 20th episode for those of you that don't have 16 fingers
The Pirate Bay is in the clouds, but we got here first, so suck it!!!
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic - Responsible Disclosure
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-13.mp3
Category: LSD_Podcasts
-- posted at: 6:19pm EDT