Link to MP3

Link to MP3

Link to MP3

Episode 25 is here.  Today’s podcast is different than our usual.  Instead of having Jim, Dan, and me spout off and pontificate, I am interviewing Wesley McGrew from McGrew Security.  Wesley is a security researcher at Mississippi State University’s Critical Infrastructure Protection Center, where he works to find vulnerabilities in SCADA software.  He also operates mcgrewsecurity.com , where he blogs about information security topics.

Wesley caught a script-kiddie back in June trying to do some pretty weak SCADA hacking at a Dallas-area hospital.  He and I talked about the incident and also discussed some of Wesley’s future plan (not much since he couldn’t divulge a lot – oooo, mysterious!).  So enjoy the show.  Links to the blog posts from Wesley’s script kiddie adventure are below.

http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-1/

http://www.mcgrewsecurity.com/2009/07/02/ghostexodus-part2/

http://www.mcgrewsecurity.com/2009/07/06/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-3/

http://www.mcgrewsecurity.com/2009/07/07/ghostexodus-part4/

Vet

Link to MP3

Link to MP3

We’re back with episode 23.  Jim is back (you can decide if that is good news or bad news), and Dan Kuykendall is joining us again (calls himself the guest that won’t leave the couch).  Thanks for listening…

Show notes:

InfoSec News Update -

• Big Thank You to all our Clients and the folks that stopped by thebBooth and our party at BlackHat!
• UK ID card Hacked/Cloned in 12 Minutes – Link Here
• “Mega breaches” use preventable attacks – Link Here
• Hackers target outsourced app development – Link Here
• National Retail Federation still struggling with PCI – Link Here
• Reset Password problems, and reusing passwords in general:
  • Wordpress Password hack – Link Here / Link2
  • The Twitter hack – Link Here
• “FILE UNDER DUH” – Study warns of cyberwarfare during military conflicts – Link Here

Discusstion Topic - Web Security On Cell Phones – Link Here

Geek Toyz –

• SheevaPlug PC
• Dual Geforce GTX 295s for the Win!!
  • GPU Acceleration for Cracking Galore -
    • Rainbowcrack
    • Pyrit
    • CUDA MultiForcer
    • ElcomSoft
• G2 / MyTouch Review from Dan
• Hitting up your local Surplus Dealer
• How To Quite down high end gear – PCI slot fan / 4MM Fans
• Good Source for parts and tools

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Megaphone – “Write it Down”
• Segway 2 – Patent Pending – “Los Angeles”
• Segway 3 – Devo Spice – “Platform Wars”

Link to MP3

Episode 22 is here. Jim was not available to join me this time (been traveling and real busy), so Dan Kuykendall from NT Objectives was kind enough to fill in as co-host for today. We had some good discussion, and a show that I thought would be a little shorter ended up being pretty long. But it is good stuff. Here are the show notes:

InfoSec News Update -

• Vulnerable web servers on webcams, NAS, etc – Link Here
• Obama’s cybersecurity Czar quits – Link Here

People familiar with the matter said Ms. Hathaway has been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her

politically.

In February, the White House tapped Ms. Hathaway, a senior intelligence official who had launched President George W. Bush’s cybersecurity initiative, to lead a 60-day

cybersecurity policy review. Ms. Hathaway completed her review in April, but the White House spent another 60 days debating the wording of her report and how to structure the

White House cyber post. National Economic Adviser Larry Summers argued forcefully that his team should have a say in the work of the new cyber official.

• SSL Under attack this year at BlackHat/Defcon. These attacks don’t attack the math, they attack the (mis)usage of the clients and cert authorities

New Tricks For Defeating SSL In Practice (sslstrip) -Link Here

Researcher Exposes Flaws In Certificate Authority Web Applications – Link Here

• Defcon goon “Priest” is everywhere – Links Here and Here

Discussion Topic - The ol’ security guidelines / best practices discussion

Consultants Corner – Varied BlackHat / Defcon points -

• SSL issues
• Unmasking You talk by Joshua “Jabra” Abraham and Robert “RSnake” Hansen
• Dan’s general Opinions about web security talks – he was underwhelmed

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – AllofaSudden – “disAppear”
• Segway 2 – Battery Life – “Double Wide”
• Segway 3 – Rocket Propelled Geeks – “Sarlac”

Link to MP3

Episode 21 is up and going. Looks like Jim and I are back on a regular cycle again. Hopefully it stays that way! Here are the show notes:

InfoSec News Update -

• Goldman Sachs looses its secret sauce online – Link Here
• Fed gets and F on Physical Security – Link Here
• North Korea Blamed in Cyber Attacks over July 4th – Link Here
• Juniper Pulls ATM hacking preso from BH – Link Here
• Month of Twitter Bugs – Link Here
• 10 Things Your Auditor Isn’t Telling Your – Link Here
• New head of MI6 wears Speedos on Facebook – Link Here
• Algorithm for Predicting and guessing SSNs – Link Here
• Iphone SMS Vulnerability – Link Here
• Study – Oracle Users struggle with patch management – Link Here

Discussion Topic - Cloud Computing – is it a security nightmare waiting to happen? – Link Here

Consultants Corner - Developing an offering before going public!

Music Notes:

• Intro/Outro – Digital Breaks – "Therapy"
• Segway 1 – Eric Kauschen – "Speed of Light"
• Segway 2 – The WaterMarks – "Shut Down"
• Segway 3 – Megaphone – "Not your enemy"

Vet

Link to MP3

The long-awaited episode 20 is finally here. Sorry for the crazy long wait!

InfoSec News Update –

• Data Breach Suit Targets Auditor – Link Here
• Exobox data leak detection coming out – Link Here
• "CloudBurst" allows attackers to break VM guest OS and attack Host – Link Here
• Obama creates the office of Cyber Czar – Link Here
• Twitter and Iran – Link Here
• IOSCAT talk from SANS – Link Here
• Tmobile Breached….Maybe? – Link 1 / Link 2
• Wireless Keyboard sniffing just got alot easier – Link Here
• LC6 is Officially Released – Link Here
• Trojan Attack on ATMs – Link Here
• Patch Your Blackberry Servers – Link Here

Discussion Topic -Whats the difference between an Auditor and a Assessor?

Consultant’s Corner - To Scope or Not to Scope

Music Notes:

• Intro/Outro – Digital Breaks – "Therapy"
• Segway 1 – PawnShop Diamonds – "High Road Low Down"
• Segway 2 – Woodfish – "Melody"
• Segway 3 – The WaterMarks – "Shut Down"

Link to MP3

So, we officially have our first lost episode. I recorded episode 18 a while back with Michael Santarcangelo, but we had some crazy technical problems. When I tried to get everything edited together to make it work, I started having some major problems. Without getting into all the details, the recording was not salvageable. Sorry to Michael for this since I know he took his valuable time to record with me.

So know we have episode 19. I guess we could have just said this one was episode 18 and went on, but we are honest people over here at An Information Security Place Podcast. And as far as episode 19 goes, Jim and I have been balls-to-the-wall busy lately, and I have had a crazy schedule for over a month. Jim got a break in his schedule (probably more like forced a break) and coerced Kirk Greene to help him out in my place. And then Jim had some technical problems as well and ended up recording the last 15 minutes by himself (or Kirk pissed him off – not sure which). Yes, it has been a crazy time for us. But we are back, and hopefully we will get back on a regular schedule.

Now, here are the show notes for episode 19:

InfoSec News Update –

• Warm Fuzzy Story – Many Users say they’d sell company info for the right price! – Link Here
• Another Twitter Admin Account Compromised – Link Here
• New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping – Link Here
• Acrobat with Yet Another 0-day – Link Here
• Feb Bank Worker charged with Data Theft – Link Here
• More Federal Reg ‘a’ Coming for Power companies – Link Here
• Thats gonna leave a mark! – Multiple Vulns found on Mcaffee’s website – Link Here
• Hacker’s demand: $10M for Virginia prescriptions database – Link Here
• Economy Note – Security Suffers Cuts but fares better than most – Link Here

Geek Toys -

• Interceptor – Hak5 Episode – DigiNinja’s Page
• Acer Aspire One 10.1 Netbook
• Wifi Card of Choice – Alfa Network AWUS036H
• Need a second NIC on a laptop? – Apple USB Ethernet is rather inexpensive and works with Windows / Linux / and OSX (duh). / Windows Driver
• NAS From Heaven – QNAP TS-809

Consultants Corner - DIY Security Testing Lab

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Dave Stanley Band – “Lights Out”
• Segway 2 – John Taglieri – ” Make A Mistake With Me”
• Segway 3 – Junior – “What Was I Thinking?”

Vet

1. If you have 200 external IPs and you want to have those scanned for vulnerabilities, and then you want to have those vulnerabilities used for penetration testing, I have to know that in order to scope.
2. If you have some applications on those servers, I need to know if I will have credentials or if this is going to be totally black-box testing.  I also need to have SOME idea of how many apps I am going to run up against.
3. If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
4. Etc, etc, etc

If you would provide this quantity type of information up front, I would not have to write up a bunch of questions and send them to you.  You would not have to take the time to answer these questions (and probably send them to me 2 days before the responses are due).  It really is simple: if I don’t have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).

Of course, many people will tell you that RFP’s are often written in such a way to discourage responses because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions.  The RFP writer is simply going through the motions because of company policy.  I get that.

But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly.  Thank you for your consideration.

Vet