Wed, 17 October 2012
Television Episode 0x02 -- SecTor Interviews The Second
A Full Dose of Rothman
Back again - and understand that we're serious this time.
Attempt to not learn something as I interview Mike Rothman (@securityincite), Analyst and The PRESIDENT of Securosis. Please try to pay attention. There's an awesome amount of information in there.
There's more of these in the queue. Tell us what you think or what you'd like to see.
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones/cover the screen if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Download the m4v
Direct download: LSD-TVEp0x02-med.m4v
Category: LSD_Television
-- posted at: 12:49pm EDT
Tue, 16 October 2012
Episode 12 -- These are the Daves I know I know
He claims it's not his fault he missed an episode...
Yes, we're still doing a podcast. Lots of you listen. It's kinda awesome. We promise to be more awesome in the future.
And tonight, let us regale you with tales of:
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- …and then our discussion topic - IDS IS DEAD
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Capital One targeted in CYBERATTACKS
- HTML5 Full Screen API Attack
- Firefox 16 gets pulled (just like the goalie) - exploit follows in 24 hours
- Lone packet takes out SS7 networks
- FX beats up on Huawei at HITB
- Myrcurial Complains: These Kids Today
- High Court in the Philippines Suspends Contentious Internet Law
- Panetta Warns of Dire Threat of Cyberattack on US
- Breaches
- Northwest Florida State College - 300,000
- Facebook - everyone on the internet!!!!!!!
- TD Bank (US - a subsidiary of TD Bank Canada) loses a tape IN MARCH!!!! - 260,000 records
- Nationwide Address book Android app - 760,000 via @WeldPond
- The SCADAs
- LittleBlackBox is a collection of thousands of private SSL and SSH keys extracted from various embedded devices. Thanks @lmacvittie
- What is Critical Infrastructure? A long twitter conversation on 2012-10-12 about the REAL rule-of-thumb criteria for what makes something critical infrastructure or not.
- Errata
- DERP of the week award: Samer Bishay said. “Network security lies ultimately with the service provider. So, if you can control your network well, then I don't see how any outside force could really override these controls.” (h/t @taosecurity)
- Commentary
- Foot In The Door - IDS IS DEAD
- I can't even come up with notes. Just listen.
- Hardcore - EXCEPT IT ISN'T
- Mailbag / Bizarro Land
- In Closing
- Matt reviews “Trouble with the Curve” - was there any infosec in it, nope, ok then
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- A moment of silence for Amanda Todd, sadly a victim to online bullying
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- Upcoming Appearances: James at COUNTERMEASURE 2012 in Ottawa, Matt at AppSecUSA in TEXAS, Ben and Dave at HackFest in Quebec City, James at SecurityZone in Cali, Colombia
- The Seacrest says “Oh My G-d, I’m falllllling, why won’t this parachute open!?!?"
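On the LittleBlackBox item in the SCADAs section: the reason a pile of extracted device keys matters is that a key baked into a firmware image is shared by every unit shipped with that image, so anyone who pulls the image can impersonate or decrypt traffic to every one of those devices. The practical check is therefore a fingerprint lookup against an inventory of known keys. The following Python is an added example and not code from the podcast or from the LittleBlackBox project: it parses an OpenSSH `ssh-rsa` public key line into its wire-format fields, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and looks it up in a small inventory. The sample key (deliberately tiny modulus) and the "known device key" inventory are constructed here; a real check would load fingerprints from the LittleBlackBox database or from keys carved out of firmware images.

```python
import base64
import hashlib
import struct


def ssh_string(s: bytes) -> bytes:
    """SSH 'string' (RFC 4251): 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' (RFC 4251): big-endian two's-complement integer as a string.
    A leading zero byte is added when the top bit would otherwise be set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Produce an authorized_keys / known_hosts style 'ssh-rsa <base64> <comment>' line."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_ssh_rsa(line: str) -> dict:
    """Split one 'ssh-rsa <base64> [comment]' line into its wire-format fields.
    Length fields are bounds-checked so a truncated or hostile blob raises
    ValueError instead of silently yielding short fields."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return {
        "type": "ssh-rsa",
        "e": int.from_bytes(fields[1], "big"),
        "n": int.from_bytes(fields[2], "big"),
        "blob": blob,
        "comment": " ".join(parts[2:]),
    }


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_against_known_keys(line: str, known: dict) -> dict:
    """Fingerprint a key line and look it up in an inventory of known device keys."""
    key = parse_ssh_rsa(line)
    fp = sha256_fingerprint(key["blob"])
    return {"fingerprint": fp, "bits": key["n"].bit_length(), "known_as": known.get(fp)}


# Constructed sample key for this example: a 64-bit modulus so the line stays
# short. It is NOT a real device key, and nothing this small should ever be used.
SAMPLE_E = 65537
SAMPLE_N = 0xB7E151628AED2A6B
SAMPLE_LINE = build_ssh_rsa_line(SAMPLE_E, SAMPLE_N, "root@router")

# Constructed inventory keyed by fingerprint (assumption: in practice this would
# be loaded from the LittleBlackBox database or from keys pulled out of firmware).
KNOWN_DEVICE_KEYS = {
    sha256_fingerprint(parse_ssh_rsa(SAMPLE_LINE)["blob"]): "example vendor firmware (constructed)",
}


if __name__ == "__main__":
    result = check_against_known_keys(SAMPLE_LINE, KNOWN_DEVICE_KEYS)
    verdict = f"KNOWN shared key: {result['known_as']}" if result["known_as"] else "not in inventory"
    print(result["fingerprint"], result["bits"], "bits,", verdict)
```

The same parse-then-fingerprint routine works on a `known_hosts` file or on the `ssh-rsa` line a device hands you during the key exchange; the point is that a match against the inventory means the key is shared with every other device running that firmware, regardless of how strong the key itself is.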
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-12.mp3
Category: LSD_Podcasts
-- posted at: 6:24pm EDT
Fri, 12 October 2012
Television Episode 0x01 -- SecTor Interviews The First
Video even - inorite!
We gave you a warning and then didn't follow through, so we understand the confusion. This is the first of many Liquidmatrix Security Television Episodes which we naively think you might enjoy.
To start off, we've got this delicious interview with Dave Mortman (@mortman), the Chief Security Architect of Enstratus. Watch as Dave regales you with tales of the way things were back when he was a boy ((It appears that he's still a boy, but that's all charm.))
There's more of these in the queue. Tell us what you think or what you'd like to see.
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones/cover the screen if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSD-TVEp0x01-med.m4v
Category: LSD_Television
-- posted at: 11:03am EDT
Tue, 9 October 2012
Episode 11 -- Dave's Away
w00000000000000000t!
Hey Everyone, welcome to the Liquidmatrix Security Podcast - Episode 0x11 or the 18th recording for those who don’t start with zero and are not good at Hexadecimal - or math, like us.
Everyone showed up except Dave. Something about Canadian Thanksgiving causing a Turkey Coma. We manage to struggle through without him. Actually, we think the show turned out just fine. We don't need no stinkin' Dave.
And tonight, let us regale you with tales of:
- LOTS OF NEWS
- Breaches
- SCADAs
- Errata
- …and then our discussion topic - the con report SecTor and Derbycon
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-11.mp3
Category: LSD_Podcasts
-- posted at: 5:48pm EDT
Thu, 4 October 2012
Episode 10 -- It's Special
recorded live at SecTor 2012
There is no Matt. Again. So we found a replacement. As it turns out, pretty much any American whose name starts with "M" will do. Huge thanks to Mike Rothman for helping out with the madness.
This discussion has only four topics:
- Summer of Breaches
- Cyber
- authN / authZ
- Compliancy
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-10.mp3
Category: LSD_Podcasts
-- posted at: 6:47pm EDT
Tue, 18 September 2012
Episode F -- Aboot that
it's not a boot, it's just a really big shoe
Matt won’t be joining us tonight, it’s Ben’s fault. A quick shout out to Jimmy Vo, you will need approximately 15 or F shot glasses for this episode.
Aboot, Aboot, Aboot, Aboot!
And tonight, let us regale you with tales of:
- More Malware
- Less Malware
- The SSL monsters
- Ry-Hi
- Twitter
- GoDaddy
- Breaches
- SCADAs
- …and then our discussion topic - what happens after the bad thing happens
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Blackhole 2.0 is out (aboot!)
- Microsoft takes on Nitol (aboot!)
- A story Aboot more SSL weaknesses, let’s introduce you to the CRIME attack
- Aboot getting more skilled at Ryerson - there’s a Rainbow in Toronto for a Certificate in Computer Security and Digital Forensics
- Twitter bows to subpoena, releases Occupy protester's tweets
- GoDaddy, everyone's favourite SOPA supporter, goes down
- Breaches
- Miami hospital hit by second patient breach this year
- Ankit Fadia gets hacked
- The SCADAs
- If Congress and the Senate can’t do it - by gosh, the PRESIDENT will -- Executive Order on Cyber Security in the works?
- Interesting little bit on the side of Digital Bond’s website... “Schneider Has Not Removed Modicon FTP Backdoor Account In 2101 days”
- Errata
- Every vendor that has been sitting on a known vuln for more than 1000 days. Jerks.
- Commentary
- Foot In The Door - Aboot Investigations
- Hardcore
- Defensible Methods
- Chain of Custody
- Judgement Day
- Mailbag / Bizarro Land
-
There is this website where I noticed that they display your login details after offering a quote in plaintext, i.e. they display your username and a password on an http:// connection. So I called their call center and spoke with the manager; yeah, she will relay that information (but I kinda got the impression that she didn't understand what the problem is). Nothing happens for weeks. After maybe 2 months I go back to check and here you go, my username with password are still shown in plaintext on the site. So I sent them an email, clearly marked "to IT or IT security something", explaining it a little bit more technically. Nothing happens again. Since I raised the original issue, about 4 months have passed.
The question is now - is it worth pursuing this further?
Cheers
T
PS: Should any of you guys ever be in London, please ping me and I'll buy you a beer! Or two?
- Ben says: http://www.ico.gov.uk/
- In Closing
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012" or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
- Vote Dave for ISC2 Board Ballot!
- The Seacrest says “'Aboot' to Jimmy Vo, 'Shana Tova' or to our non-Jewish friends, that means 'have a good new year' and it’s time to party like it’s 5772 and then get yourself up and off to work because 5773 is going to be WILD."
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-F.mp3
Category: LSD_Podcasts
-- posted at: 7:30pm EDT
Mon, 10 September 2012
Episode E -- Just a bunch of hosers
Teh Podcast Warz Haz Begun!
It's another week in infosec. I can't get excited about it either. Too many news stories of note, breaches and a new section - the SCADAs. In the same way that we had too many breach stories so we broke them out, we're doing the same with SCADA. Expect a lot of derision from Dave and me -- there's a lot of bullshit and we're calling it.
We'd also like to wave hello to the team at Riskhose. We're sorry that you misinterpreted young Matt's question - we'll straighten you out when we do our Risk-tacular episode this fall. Also, we're starting to suspect that the Riskhose Utahian may be a closet Canadian - he knows too much about Canadian musicians and he does know all of the words to Romantic Traffic (and yes Alex, when you come to Toronto, we'll go visit all of the subway stations so that you can produce your fan version of the video.)
Interestingly, between the Riskhose podcast and some threats from the Southern Fried Security bunch, it's on - the Podcast Wars are here - expect that the next few months are going to be epic in the world of infosec podcasting. We may even take a swipe at NetSec!
- Syria
- SSL Certificate Hijinks
- Cyber
- Hackers
- OSX
- Canadianisms
- The WIFIs
- Google-ized
- …and then our discussion topic - Dumb Stories
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- Java.com SSL cert expired
- Al-Jazeera websites hacked by Assad loyalist group
- Cyber attacks grow increasingly "reckless", official says
- 3 years later, hackers who hit Google continue string of potent attacks …and no one is looking out for the stuff that really matters.
- New utility nabs OS X keychain passwords
- Global virus downs N.S. computer system for a month
- Sniffing open WiFi networks is not wiretapping, judge says
- VirusTotal acquired by Google
- No shooting at protest? Police may block mobile devices via Apple
- Breaches
- Guild Wars 2 officials say ongoing password attack affects 11,000 accounts
- Antisec Leaks 1,000,001 UDIDs From A Trove Of 12 Million Allegedly Stolen From An FBI Laptop - or was it 12 million? ...or not? And some apps use the IMEI as a password!
- NullCrew pillages Sony servers?
- The SCADAs
- Secret account in mission-critical router opens power plants to tampering
- Anonymous Hack Lukoil Bulgaria Site
- Errata
- Vendor Cybercrime Stats
- Commentary
- Foot In The Door - Your Dumbest Story EVAH!!!!
- Dave - VIEW SOURCE HACKERZ
- Jamie - our developer broke SSL -- that’s why we use proprietary encryption. But we’re not telling anyone what/how he did.
- Matt - SQL injected a DB to /dev/null
- Ben - I didn’t feel 3DES was secure because the source is available online, so I invented my own variant
- Hardcore
- Skipping the hardcore because we've got a great Mailbag question.
- Mailbag / Bizarro Land
-
Love your podcast, even if you try to count in Hex :-) It would be great if you were able to dive deep into what modern defenders need to do to get ahead of attackers. Right now, attackers need to only make simple changes to their attacks and defenders are left on their keisters. How do we change that pattern?
Besides deploying antivirus :-)
thanks,
Paul of Seattle
- Matt suggests a cool slide deck from Zane over at Etsy
- Ben suggests you read Liquidmatrix ;)
- … and thanks to Thomas Preissler for his comments about the show!
- In Closing
- We do research too - Ben's running a survey and will publish results. Check it out!
- The Security Conference Library -- is a copy of the conferences amassed by @helpmerob and we’re adding more. If you’ve got pix/pdfs/slides/code/video of a security conference and you want to add to an attempt at the largest/bestest/least dickish security conference library -- send us a note (mailbag) and we’ll take your bits and file them. (NOTE: much is stored at http://myrcurial.com/conferences but you can totally trust that guy)
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Three Quarters of Liquidmatrix (with some Securosis added in) are doing a panel at SecTor If you're thinking of attending SecTor 2012, grab 10% off with discount code "liquidmatrix-2012" or if you can only make it to the expo floor, grab a free expo pass with code "liquidmatrix-Expo2012"
- Vote Dave for ISC2 Board Ballot!
- The Seacrest says “I miss Gilmore Girls" and "Skerple"
Direct download: LSDPodcast-E.mp3
Category: LSD_Podcasts
-- posted at: 12:36pm EDT
Sat, 1 September 2012
Episode D -- The Boys of Summer
Good News Everybody!
This is the longest one we've recorded yet -- by 0:59 -- and we will try to get these back down under an hour. Pinky swear. We've also gone over 10000 downloads from 63 countries. That's kinda cool - and thank you all very much. Lots of good stuff in this episode, it's totally worth the 74 minutes.
- Hackers
- The SCADAs
- Java
- Lawyers
- MOAR SCADAS!!!!
- Apple, Microsoft
- Stupid Employee Tricks
- …and then our discussion topic - Employee Tricks
And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-D.mp3
Category: LSD_Podcasts
-- posted at: 3:13pm EDT
Mon, 27 August 2012
Episode C -- Brain Dump
Semi-slow news week this week, so we used the bulk of our time to talk about a topic most of us struggle with (even some of us on the show): productivity! A few stories and our opinions as usual, and also a letter from a listener regarding our own Dave running for the ISC2 board.
Again, if you have any comments, questions, suggestions, hatred, bickering, cyberdouchery, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Creative Commons license: BY-NC-SA
Direct download: LSDPodcast-C.mp3
Category: LSD_Podcasts
-- posted at: 2:33pm EDT
Wed, 22 August 2012
Episode B -- Artificial Intelligence
Something pithy should probably be written here. All of us have so much on the go that we're saving our creativity for the podcast. Also, this one is pretty long.
If you have thoughts or ideas, please send them to the MailBag (mailbag@liquidmatrix.org) and we'll talk about it here.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
Direct download: LSDPodcast-B.mp3
Category: LSD_Podcasts
-- posted at: 3:29pm EDT