Network Security Blog
The views of one man on security, privacy and anything else that catches his attention
Network Security Podcast, Episode 113 (July 23, 2008)
I'm off in the cheese capital of the world, Wisconsin. And unluckily, that means my audio sounds like crap. We'll work on something better for next week, but this was the best we could do tonight. Show Notes: Network Security Podcast Episode 113, July 22, 2008

Network Security Podcast, Episode 112 (July 15, 2008)
Tonight Rich and I are joined by Andrew Storms, Director of Security Operations at nCircle and fellow blogger. We continue talking about Dan Kaminsky's DNS vulnerability and the role Rich continues to play. We also talk about lost laptops and new iPhones. Show Notes: Network Security Podcast, Episode 112, July 15, 2008 Time: 50:00

July 2008 SRT: Battling Botnets with Botnets (July 09, 2008)
Michael Santarcangelo has posted this month's Security Roundtable, Battling Botnets with Botnets. We had a lot of fun recording this episode, even though we barely talked about the main subject at all. I took away a lot to think about, especially the law of unintended consequences: there's what you meant it to do, what it does, and what effects a system has on other systems around it. Phalanx is a great example of that. This is a long one, by the way. That always seems to happen when Michael and I get together to talk.
Colin Dixon | http://www.cs.washington.edu/homes/ckd/
Andrew Hay | http://www.andrewhay.ca/
Martin McKeay | www.mckeay.net
Michael Santarcangelo | www.securitycatalyst.com & www.intothebreach.com

Network Security Podcast, Episode 111: Massive DNS multivendor patch (July 08, 2008)
If you're using DNS, and we all are, prepare to patch every system you have. Not just your name servers, but any and all systems using DNS, which means virtually everything! This is a flaw discovered by Dan Kaminsky that affects the basic technology underlying DNS and affects all vendors. Dan took the road of responsible disclosure and worked with a large group of vendors to coordinate this patch. This may be one of the first successful examples of a large multivendor patch, and if ever there was a need for it, this is it. Rich was able to get an interview in anticipation of today's announcement and you can hear about it straight from Dan himself. There are not a lot of technical details concerning the vulnerability in the interview, and every effort is being made to give us as much time to patch before reverse engineering gives the bad guys the secret sauce to make this a weaponized vulnerability. Check the show notes for the CERT advisory and additional information. Network Security Podcast, Episode 111, July 8, 2008

Network Security Podcast, Episode 110 (July 01, 2008)
Ever have one of those days where just about nothing seems to go right? That just about describes today. Rich had to bail tonight due to family obligations, though it sounds like it's the fun type of obligation, not like having dinner with Aunt Ethel or something. We had a guest lined up, but due to poor planning on our (read: my) part, we didn't communicate the recording time well enough and that didn't work out. Luckily Michael Santarcangelo was available to join me tonight as co-host, so you aren't stuck listening to me drone on by myself for half an hour or so. I know that's what I used to do every week, but it just seems so much harder than it used to. Network Security Podcast, Episode 110 Time: 1:03:17 Show Notes

Network Security Podcast, Episode 109 (June 24, 2008)
Long podcast tonight! Rich and I are joined by Adam Shostack, bandleader of the Emergent Chaos Jazz Combo of the Blogosphere and co-author of The New School of Information Security. Oh yeah, he does this thing during the day where he does security stuff for some company called Microsoft. Adam's been around a while, done more than a few things in his time, and has a lot to say about security. Funny thing is, Rich and I both agree with most of what he has to say; kinda scary, isn't it?
Show Notes:
90% of all statistics can be made to say anything 50% of the time, aka my thoughts on the Verizon report
At-work text messages are private, court rules
Tonight's Music: American Heartbreak with Last of the Superheros - Acoustic
Yes, even with only two articles, we almost went an hour. Network Security Podcast, Episode 109, June 24, 2008 Time: 55:31

OpenID is for low impact identity (June 24, 2008)
Last year Michael Santarcangelo and I organized a Security Roundtable with Dan York to discuss OpenID. All three of us like the technology, we like the idea, but we decided that OpenID is only for sites and systems where a compromise would be of little or no concern. In other words, it's a great project for verifying commenters' IDs when posting to your website, but it's not such a great authentication method for logging into your blog yourself. And now Dana Epp has discovered that Six Apart (makers of Movable Type) feel the same way. I understand Dana's desire to use OpenID as an authentication for his blog, but that's not what it was meant for. After all, the setup of an OpenID account is fairly simple and merely requires putting a code snippet on a website or blog you control (please correct me if I'm wrong; I haven't set up or used an OpenID account in over a year, which is a telling stat in itself). Given the rate of web server compromises, that's not a very high bar for a hacker to have to hurdle to compromise an ID. If all you're using your ID for is commenting on various blogs, that's not a big deal, but when you start using it for more serious authentication, that becomes a much more important concern. I'm glad that an organization like Movable Type understands the limitations of OpenID. While I'm sure some comment spammers are trying to break OpenID, the majority of the bad guys are probably ignoring it as a low impact authentication method. It would be nice to have a way to verify your identity across the Internet, but the reality is any identification method that becomes used in more important targets is going to become the target of intense attack. I'd rather see the people behind OpenID understand the limitations of their project and treat it appropriately. There are already too many projects that shoot for the stars and end up falling flat on their faces.

Network Security Podcast, Episode 108 (June 17, 2008)
Back to just Rich and I this week. We're both running around like chickens without heads, so we were lucky to be able to get a show in this week. Coordinating with a guest would have been more than we could handle. I'm sure we'll be back to a more normal schedule next week. More hoping than sure, but only one way to find out.
Show Notes:
Judge scuttles Ameritrade hacking settlement
OpenOffice Integer overflow vulnerability
Security Bonuses for Vista Programmers
Vista's big problem: 92% of developers ignoring it
Verizon 2008 Data Breach Report - This is a must read
Tonight's Music: My Fathers Son by Jeremy Megert
Network Security Podcast, Episode 108, June 17, 2008 Time: 30:49

Security Roundtable: Jericho Forum (June 12, 2008)
At RSA Michael Santarcangelo and I had a chance to attend a seminar on the Jericho Forum briefly. Neither of us had heard much about the Jericho Forum before, so we invited them to participate in a podcast with us. And since I didn't know much about Jericho, I found someone who does: Chris Hoff. We were joined by one of the founders of the Jericho Forum, Paul Simmonds, and the CEO of Rohati Systems, Shane Buckley. You can find the full show notes on the Security Roundtable blog.

Network Security Podcast, Episode 107 (June 10, 2008)
Long podcast today, but worth every moment of it. Author, blogger, podcaster and CTO of Cigital Software Security, Gary McGraw joined us on the podcast this week. This is the second time Gary has been on the podcast, and in another 100 or so podcasts I'm sure we'll be inviting him back. I'm releasing this week's podcast early mostly because it was done early. And I'll be on a plane tonight when I normally release the podcast. Portland, here I come.
Show notes:
Report: Data breach disclosure laws don't slow down identity theft - Because that's not their purpose.
Identity Theft: The aftermath 2007
Rootkits are top of mind, bottom of pile, only they really aren't
Surprise ARP attack draws attention
The inexact science behind DMCA Takedown notices
Security firm asks for help cracking ransomware key - They should ask the NSA
Tonight's Music: Calvin Owens - The House is Burnin
Network Security Podcast, Episode 107, June 10, 2008 Time: 58:55

Network Security Podcast, Episode 106 (May 27, 2008)
Short show tonight, folks. Rich is under the weather and our guest had to bail at the last minute due to a personal emergency. We'll work at getting Jeremiah Grossman from White Hat on in the next couple of weeks. In the meantime Rich and I dug up a few news stories to talk about.
Show Notes:
How LifeLock works - In their own words, they tell you most of what they do can be done by you for free.
Announcing your social security number on national radio is a bad idea - That's a no-brainer.
Legal experts wary of MySpace hacking charges
Adobe Flash zero-day exploit in the wild
NSS Labs PCI Suitability papers
Tonight's Music: With Arms Outstretched by Rilo Kiley
Network Security Podcast, Episode 106, May 27, 2008 Time: 25:47

Network Security Podcast, Episode 105 (May 20, 2008)
Rich and I were joined tonight by a Phoenix local and fellow security blogger, Adrian Lane. Adrian is the CTO at IPLocks and blogs about data security at Information Centric Security. We had a lot of topics to talk about tonight and wrapped up by spending a few minutes discussing security at the information level. Go figure. Adrian brought two decades' worth of security experience (and network hair) to tonight's podcast. And to no one's surprise, we had a privacy issue that we spent more time on than we probably should have. Show Notes:

May SRT: RSA Conference - Beyond the Hype (May 14, 2008)
Shortly after the end of RSA 2008, Michael Santarcangelo organized the latest Security Roundtable podcast. We were joined by a varied crowd of characters in the form of Dr. Anton Chuvakin, James Costell, and Jennifer Leggio. We had a lot of fun recording this conversation, even if poor Anton fell off fairly early due to phone problems. Luckily we let him get some of his shots in early. Rich and I talked about this on an episode of the NSP, but there were no real themes to this year's RSA. There were a lot of interesting things going on, but it wasn't on the showroom floor or in the keynote presentations. I'm hoping that this means the industry is maturing, but it may just mean we're in a lull between waves of marketing hype. Guess you'll have to tune into next year's SRT RSA podcast to find out. Security Roundtable for May 2008 | RSA Conference - Beyond the Hype

Microcast: Ron Gula on Nessus license changes (May 14, 2008)
Rich and I got a chance to talk to Ron Gula, CEO of Tenable Network Security, about the changes made today to the Nessus licensing model. This is a follow-up to the post I wrote this morning and explains the reasoning behind the changes straight from the man in charge.

Network Security Podcast, Episode 104 (May 13, 2008)
We're back, me from being ill, Rich from some alone time with his wife. Nothing really interesting to talk about other than what's in the show notes, so I'm not going to waste a lot of time writing about it.
Show Notes:
Hacker splashes data from six million Chileans on Internet
Three charged in Dave's Blog, Supplemental - PCI is dead, long live PCI!
The (ISC)2 Blog
Tonight's music: Sunday Eyes by Amee Chapman and the Velvet Tumbleweeds
Network Security Podcast, Episode 104, May 13, 2008 Time: 33:12

Interview with Mike Smith, the Guerilla CISO (May 13, 2008)
A few weeks ago I had a chance to have lunch with Mike Smith, author of the Guerilla CISO, in Washington, DC. Mike's area of expertise is FISMA and he's an experienced educator in the area. Mike feels about FISMA much like I do about PCI: it's not perfect, but it's a heck of a lot better than what came before. NSP Microcast: Mike Smith, Guerilla CISO Time: 9:00

Network Security Podcast, Episode 103 (April 29, 2008)
There were more than a few technical difficulties in recording tonight's show. Thanks to Paul Asadoorian from PaulDotCom Security Weekly for hanging with us and getting a show recorded despite it all. If it hadn't been for some quick thinking on his and Rich's parts, I don't think we could have had a show this week. I'm still working on my DSL line, but I'm pretty certain the wiring in my office is bad; the DSL has been fine since I moved the modem to a different wall plug in the bedroom. I just hope my wife is willing to ignore the bright yellow cable stretching across the hall until I can get a new telephone cable run. Show Notes Network Security Podcast, Episode 103, April 29, 2008

Network Security Podcast, Episode 102 (April 22, 2008)
Rich and I tried to make up for last week's podcast by keeping things a little shorter tonight. The operative term, of course, is "tried"; we managed to shave a couple of minutes off the podcast, but that's about it. Tonight's theme was vulnerabilities in web sites, ranging from the Obama site being hacked to Dan Kaminsky's latest DNS issues and on to PCI requirement 6.6. There was a lot going on tonight and we could have almost made a show from any one of these topics. Show Notes Network Security Podcast, Episode 102, April 22, 2008

RSA 2008: Andrew Jaquith, Yankee Group (April 17, 2008)
Rich was able to corral Andrew Jaquith for a few minutes between sessions, no easy task considering his packed RSA schedule. Andrew is one of the top analysts out there, and the author of Security Metrics. NSP-RSA2008-AndrewJaquith.mp3

Network Security Podcast, Episode 101 (April 15, 2008)
Rich and I review some of the events that went on at RSA, including Rich's Analyst panel and Thursday morning's Avoiding the Security Groundhog Day panel. Neither of us was all that impressed with the showroom floor or the keynote speeches given at RSA, but we both enjoyed getting reacquainted with the security professionals we tend to only catch up with at events like this. Finally we talked about what events we'd go to in pursuit of furthering a burgeoning security career. And just in case you're wondering where Episode 100 is, it was the live video we took last week at the Security Bloggers Meetup. Not that anyone could have missed it, given the amount we've been talking about it lately. Tonight's Music: Pride by Paula Toledo Network Security Podcast, Episode 101, April 15th, 2008 Time: 42:26

RSA 2008: David Mortman, Echelon One (April 14, 2008)
Rich caught up with David Mortman, the CSO in Residence at Echelon One. David talks about some of our conclusions from the Security Groundhog Day panel that we were all on. nsp-RSA2008-DavidMortman.mp3

RSA 2008: Brian Smith, TippingPoint (April 09, 2008)
Brian Smith, Chief Architect of TippingPoint, takes a few minutes to talk about the different priorities of an IDS versus an IPS, and about the possible convergence of markets like firewall and NAC. nsp-RSA2008-BrianSmith.mp3

RSA 2008: Rick Moy, NSS Labs (April 09, 2008)
NSS Labs is an independent testing lab that certifies firewalls, UTMs and a host of other products for compliance with programs such as PCI. I had a chance to talk to Rick Moy for a few minutes about the proper use of these reports. nsp-RSA2008-RickMoy.mp3

RSA 2008: Tuesday Wrapup (April 08, 2008)
Rich and I take a few minutes at the end of the first real day of the RSA convention. We were both surprised at the lack of a cohesive technology or driver to the show, while we both had a lot of fun meeting friends and contacts we only meet at RSA. NSP-RSA2008-TuesdayWrapup.mp3

RSA 2008: Mikko Hypponen (April 08, 2008)
I had lunch with some of the folks at F-Secure and managed to corral Mikko Hypponen for a few minutes to talk about banking trojans and some of the more recent issues with malware. nsp_RSA2008_MikkoHypponen.mp3

RSA 2008: Rob Newby (April 08, 2008)
Rich had a chance to catch up with Rob Newby today at RSA 2008. This is the first of our micropodcasts from RSA, so please excuse us if it's a little bit rough. NSP-RSA2008-RobNewby.mp3

Network Security Podcast, Episode 99 (March 26, 2008)
Wow, episode 99. It really didn't sound like all that much until Rich said it while we were recording. But it's really been over two years since I started talking into a mic in the vague hope someone would listen to what I say on a weekly basis. And now there are approximately 2000 people who listen on a regular basis. Thank you very much for coming back week after week. There won't be a podcast next week since I'll be on the road in Chicago. The week of RSA Rich and I will be doing some micropodcasting, but the real episode 100 will be the live video feed from RSA. I'm nervous, because I know that if anything can go wrong, this is the place it'll happen. So wish us luck. Show Notes

Network Security Podcast, Episode 98 (March 18, 2008)
The countdown to episode 100 continues! Tonight Rich and I were joined by one of the main organizers of this year's RSA Security Bloggers Meetup, none other than the Mediaphyter herself, Jennifer Leggio. She and Rich were at SOURCE Boston last week and I was able to follow at least some of their exploits via twitter. This whole social media thing is starting to take on a life of its own and it seems that security professionals are a disproportionately large part of it. I'm looking forward to seeing both Jennifer and Rich again at RSA, and you'll be able to see it yourself, seeing as we plan on having a live video stream from the Meetup. Show Notes Network Security Podcast, Episode 98, March 18, 2008

Network Security Podcast, Episode 97 (March 12, 2008)
Well, despite technical difficulties and an overactive noise removal tool, Episode 97 of the Network Security Podcast is up and available for download. Rich and I are joined tonight by Tim Krabek, who adds his own wit and wisdom to tonight's podcast. And now I'm going to bed, since it's been a very long day. Show Notes Network Security Podcast, Episode 97, March 11 2007

Network Security Podcast, Episode 96 (March 04, 2008)
Well, if you listen to the first thirty seconds of the podcast you'll realize I wasn't firing on all cylinders tonight, though Rich was pretty coherent. Actually, we had a fun time with tonight's podcast, so hopefully you'll have a fun time listening to it. Rich will be in Boston next week at SOURCE and I'll be on the road, so we'll be recording early and posting it on Tuesday. I'm actually going to be on the road a lot in the near future, so expect Rich to get a chance to stretch his audio editing muscles in the near future. That's why I have a co-host: so someone else can do the heavy lifting while I'm on the road. Show Notes Network Security Podcast, Episode 96, March 4, 2006 .. er 2008