Episode 0x15 — So Much News…
Pre-election Bets Are Off
Starting off this week with a couple of Con Reports – Ben, you go first… how was HackFest? ((wait)) and Dave – what was the high point of your HackFest experience? ((crickets))
Upcoming over the next hour…
- Lots of News
- Breaches
- SCADAs
- DERPs!!!
- and then our discussion topic — Security in a Project Context
And if you’ve got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own that they don’t need to speak for anyone except themselves. Ok? Good.
In this episode:
- News
- The Kremlin’s New Internet Surveillance Plan Goes Live Today
- Coca-Cola hacked ahead of Huiyuan acquisition attempt, but didn’t tell shareholders
- PayPal security holes expose customer card data, personal details
- Skype Gives Security Firm Details of Alleged PayPal Hacker Without Warrant
- US gov says you don’t own your stuff if you put it in the cloud (via slashdot)
- The Georgians p0wn their p0wner
- F-Secure Mobile Threat Report 2012 (pdf link)
- NJ residents displaced by storm can vote by email
- Breaches – The never ending never ending story…
- The SCADAs
- Errata / DERP of the week award
- Sorry US gov. It’s on you. For how long have you known about this?
- Most U.S. Drones Openly Broadcast Secret Video Feeds
- Inmarsat to furnish global broadband to Canadian navy
- Commentary
- Foot In The Door – Security In a Project Context
- why testing isn’t enough
- how you can play in the SDLC
- Hardcore – How to change the system to suit your needs
- building standardized methodology chunks
- playing well with others (have the PMO do your job)
- functional vs. non-functional specifications
- Mailbag / Bizarro Land
- Hey guys. Love the podcast. Not sure if you saw, but the report from the investigation of DigiNotar, the Dutch CA that got violated last year, is out: PDF
Given some of the things you highlight on the podcast it would probably be worth talking about on the show as an example of what not to do. DigiNotar had a segmented network and good physical security but also a poorly configured firewall and IPS (managed by an external 3rd party) and no real procedures for examining logs from either.
Despite these “defenses”, the intruder was able to compromise an external-facing server and use it to pivot to the internal network, get access to a machine that creates certificates, and issue over 500 rogue certificates, including one that was used to execute a MITM attack on Gmail users in Iran.
———
Brian
- In Closing
- Matt’s Movie Review No
- We do research too – Ben’s running a survey and will publish results. Check it out!
- The Security Conference Library
- If you’re interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
- Contribute to the Strategic Defense Execution Standard (#SDES) and you’ll be Doing Infosec Right in no time.
- Upcoming Appearances: James at SecurityZone in Cali, Colombia
- Signing up for a SANS course? Be sure to use the code “Liquidmatrix_150” and save $150 off the course fee!
- Seacrest Says: “vote for something”
Creative Commons license: BY-NC-SA