Network Security Podcast

Martin is off in the wonderland known as Madison, WI; home of The Onion. Which means, of course, that I did the recording this week and the audio isn’t quite up to Martin’s standards. I blame him though, since it was mostly his Skype connection.

There was a lot to talk about this week, from the great nation of Texas requiring private investigator licenses for PC techs, to sysadmins run amok in San Francisco, to cold boot encryption, and… what was it… oh yeah, some little DNS issue rearing its head again.

• Texas law may require PI license for PC techs.
• More on the San Francisco network administrator that closed out the city’s network.
• Cold boot encryption attack tool released.
• DNS vulnerability details accidentally released. Rich rants.

Network Security Podcast Episode 113, July 22, 2008

Tonight Rich and I are joined by Andrew Storms, Director of Security Operations at nCircle and fellow blogger. We continue talking about Dan Kaminsky’s DNS vulnerability and the role Rich continues to play. We also talk about lost laptops and new iPhones.

Show Notes:

• Patch your (non-DJBDNS) server now. Dan was right. I was wrong. Strong words from Thomas Ptacek.
• Dan Kaminsky disqualified from the most overhyped bug Pwnie Dino Dai Zovi
• Do 12,000 laptops go missing each week at US airports?
• I’ll leave it to you to look up any of the hundreds of iPhone 2.0 articles written this week.
• Tonight’s Music: Calvin Owens - Ladies Please Touch Me

Network Security Podcast, Episode 112, July 15, 2008

Time: 50:00

Today, CERT is issuing an advisory for a massive multivendor patch to resolve a major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients). Dan Kaminsky discovered the flaw early this year and has been working with a large group of vendors on a coordinated patch.

The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediate reveal the vulnerability and reverse engineering isn’t directly possible.

Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.

Dan, and the vendors, did an amazing job with this one. We’ve also attached the official CERT release and an Executive Overview document discussing the issue.

Executive Overview (pdf)

CERT Advisory (doc)

Update: Dan just released a “DNS Checker” on his site Doxpara.com to see if you are vulnerable to the issue.

Network Security Podcast, Episode 111, July 8, 2008

Ever have one of those days where just about nothing seems to go right? That just about describes today. Rich had to bail tonight due to family obligations, though it sounds like it’s the fun type of obligation, not like having dinner with Aunt Ethel or something. We had a guest lined up, but due to poor planning on our (read: my) part, we didn’t communicate the recording time well enough and that didn’t work out. Luckily Michael Santarcangelo was available to join me tonight as co-host, so you aren’t stuck listening to me drone on by myself for half an hour or so. I know that’s what I used to do every week, but it just seems so much harder than it used to.

Network Security Podcast, Episode 110

Time: 1:03:17

Show Notes:

• Why process trumps technology
• Blizzard’s Two-Factor Authentication
• Laptops lost like hot cakes at US airports
• Bag helps laptop pass air security
• Citibank ATM breach reveals PIN security problems
• ATM PIN Security
• Book: Zero Day Threat by Byron Acohido & Jon Swartz
• Book: Into the Breach by Michael Santarcangelo
• Tonight’s Music: Plan for Conquest by Ken Dirschl

Long podcast tonight! Rich and I are joined by Adam Shostack, bandleader of the Emergent Chaos Jazz Combo of the Blogosphere and co-author of The New School of Information Security. Oh yeah, he does this thing during the day where he does security stuff for some company called Microsoft. Adam’s been around a while, done more than a few things in his time, and has a lot to say about security. Funny thing is, Rich and I both agree with most of what he has to say; kinda scary isn’t it?

Show Notes:

• 90% of all statistics can be made to say anything … 50% of the time, aka my thoughts on the Verizon report
• At-work text messages are private, court rules
• Tonight’s Music: American Heartbreak with Last of the Superheros - Acoustic

Yes, even with only two articles, we almost went an hour.

Network Security Podcast, Episode 109, June 24, 2008

Time: 55:31

Back to just Rich and I this week. We’re both running around like chickens with out heads cut off, so we were lucky to be able to get a show in this week. Coordinating with a guest would have been more than we could handle. I’m sure we’ll be back to a more normal schedule next week. More ‘hoping’ than ’sure’, but only one way to find out.

Show Notes:

• Judge scuttles Ameritrade hacking settlement
• OpenOffice Integer overflow vulnerability
• Security Bonuses for Vista Programmers
• Vista’s big problem: 92% of developers ignoring it
• Verizon 2008 Data Breach Report - This is a must read
• Tonight’s Music: My Fathers Son by Jeremy Megert

Network Security Podcast, Episode 108, June 17, 2008

Time: 30:49

Long podcast today, but worth every moment of it. Author, blogger, podcaster and CTO of Cigital Software Security, Gary McGraw joined us on the podcast this week. This is the second time Gary has been on the podcast and in another 100 or so podcasts I’m sure we’ll be inviting him back.

Show notes:

• Report: Data breach disclosure laws don’t slow down identity theft - Because that’s not their purpose.
• Identity Theft: The aftermath 2007
• Rootkits are top of mind, bottom of pile, only they really aren’t
• Surprise ARP attack draws attention
• The inexact science behind DMCA Takedown notices
• Security firm asks for help cracking ransomware key - They should ask the NSA
• Tonight’s Music: Calvin Owens - The House is Burnin

Network Security Podcast, Episode 107, June 10, 2008

Time: 58:55

Rich is in Las Vegas and I’m buried under a pile of work. So no podcast tonight. We’ll return next week with a special guest.

Short show tonight folks, Rich is under the weather and our guest had to bail at the last minute due to a personal emergency. We’ll work at getting Jeremiah Grossman from White Hat on in the next couple of weeks. In the mean time Rich and I dug up a few news stories to talk about.

Show Notes:

• How LifeLock works - In their own words, they tell you most of what they do can be done by you for free.
• Announcing your social security number on national radio is a bad idea - That’s a no brainer.
• Legal experts wary of MySpace hacking charges
• Adobe Flash zero-day exploit in the wild
• NSS Labs PCI Suitability papers
• Tonight’s Music: With Arms Outstretched by Rilo Kiley

Network Security Podcast, Episode 106, May 27, 2008

Time: 25:47