Network Security Blog

It’s been a bit of a strange week on the security front, with good guys hacking a botnet, a major security vendor called to the carpet for some vulnerabilities, and yet another set of Adobe 0days. But being Cinco de Mayo, we can just margarita our worries away.

In this episode we review some of the bigger stories of the week, and spend a smidge of time pimping for a (relatively) new site started by some of our security friends, and a new project Rich is involved with.

Network Security Podcast, Episode 149, May 5, 2009

Time:  34:08

Show Notes:

• The Social Security Awards video is up!
• Yet more Adobe zero day exploits. Now it’s just annoying.
• McAfee afflicted with XSS and CSRF vulnerabilities.
• Torpig botnet hijacked by researchers.
• New School of Information Security blog launched.
• Project Quant patch management project seeking feedback.
• Tonight’s Music: Wound up Tight by Hal Newman & the Mystics of Time

That’s right, the video recorded at the 2009 Security Bloggers Meetup is available for your viewing pleasure.  You can watch Alan Shimel present the Social Security Awards, with a little help from Rich and myself.  This was the highlight of the night and the culmination of a lot of work by the people who put the event together.  I got to put Alan in his place (literally) several times during the ceremony and Mike Rothman was as close to speechless as he’s ever likely to be.

In this week’s episode of the FIRST Podcast, I interviewed Gib Sorebo, who will be presenting “Content: The Next Generation of Incident Response” at the FIRST convention in Kyoto this summer.  Gib Sorebo is the Chief Security Engineer and Assistant Vice President for Technology at SAIC.  We talk about his presentation at the conference, DLP and extrustion detection.  I suspect Gib and Rich Mogull would have a lot to talk about in the DLP arena.  This was a little bit longer talk than previous interviews and I think it was time well spent.

FIRST Podcast, Episode 3:  Gib Sorebo, Chief Security Engineer for SAIC

Rich and I are back from RSA, rested and ready to go!  Baah, who am I kidding; here it is four days later and we’re both still so tired we’re barely able to talk coherently.  Not that we’d let that stop us from recording a podcast.  Never has and probably never will.  In any case, we start tonight with a recap of some of our observations of the 2009 RSA Conference and move on to the current media hype over the swine flu.  Use the swine flu as a learning exercise in how to cope with media hype, a good excuse for reviewing your own disaster preparedness plans and a way to get some of the same issues dealt with by your management.  The hours you spend looking at your options today may save you hours or days down the line.

Network Security Podcast, Episode 148, April 28, 2009
Time:  40:06

Show Notes:

• World Health Organization
• Center for Disease Control and Prevention
• Tonight’s music:  Johnny Citizen with Painful Tired

Bill Pennington did an excellent job of taking pictures at the Security Bloggers Meetup last night.  You can view them on Flickr or on Facebook.  And just in case you can’t recognize the people in the pictures at a glance, they’ll be tagged with right names over the next day or two.  Gee, I’m surprised most of the pictures of me include a mic in my hand.  Go figure.

This is me letting go a huge sigh of relief.  The Security Bloggers Meetup is the one event I look forward to more than any other at RSA and at least as much as any event at the security conferences I attend.  But it’s a huge amount of work, a lot of stress and when it’s all done, there’s a huge burden lifted from my shoulders.  Which is why one of my first thoughts after the party was over is to begin the planning for the RSAC 2010 Security Bloggers Meetup.

The Meetup went almost flawlessly, with the exception of the streaming video of the Social Security Awards; for various reasons I was unable to log into uStream or reset my password, therefore the video had to be scrapped at the last minute.  However, we were able to catch all of the event on high quality video and will be putting the Social Security Awards and over a dozen other video interviews up on YouTube over the next few weeks. 

I don’t know what the official count on attendees was, but we had nearly four times the space this year that we had last year and we were still fairly crowded together.  There was enough room for people to separate a little for private conversations, but not much more. Most importantly though was the fact that everyone I’ve talked to so far who went had a great time at the event.

A huge congratulations to the winners of the Social Security Awards last night!  PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman from Security Incite won the Most Entertaining blog.  Now we just need to get Mr. Rothman to start posting again.

A big thanks to my fellow committee members who made last night possible.  Rich Mogul, Sonya Caprio, Alan Shimel and Jeanne Friedman all put in a lot of hours making this happen.  But the woman who deserves the lion’s share of the credit is  Jennifer Leggio.  Without Jennifer, the Security Bloggers Meetup wouldn’t have happened!  So if you see Jen somewhere at RSA or encounter her elsewhere, give her a big thank you for putting on the Security Bloggers Meetup. 

I caught up with Gary Palgon, VP of Product Management at  from nuBridges.  nuBridges is a tokenization vendor, meaning that they provide a way for a business to use a value that is hashed from the original data but can’t be reversed to discover what the original value is.  In the case of many of the people I deal with regularly, this would mean credit card numbers.  The merchant supplies the card number to the tokenization server, the server stores the card number in a safe, encrypted fashion and a token is used in place of the original card number anywhere it’s needed in the enterprise.  Because only the token is stored in most places throughout the enterprise, the scope of a PCI assessment is greatly reduced and cardholder data is much more secure than if it was in each of the datababases.

nuBridges has announced Format Preserving Tokenization, which allows the user to create a token that meets a wide variety of needs, such as keeping the string length or preserving the last four digits of a card number as part of the token.  This allows for uses such as allowing a customer’s ID to be verified by asking the last four digits of a social security number without revealing the whole number. 

NSP Microcast RSAC 2009 - Gary Palgon from nuBridges

Rich and I tried our best to get a podcast recorded and posted last night, and we were partially successful; at least we got the podcast recorded.  But the editing and posting part was well beyond my capabilities once I got back to the hotel room last night.  But it’s here, bright, shiny and new first thing in the morning.

RSA has been a hectic and exhilarating event so far, and the best part is yet to come!  Rich and I had just finished our panel discussion, Avoiding Security Groundhog Day, and were joined by Rich’s partner at Securosis, Adriane Lane.  We found the quietest spot possible at RSA, which happened to be the near the top of the escalators.  Yes, quiet space really is that rare at RSA. 

Network Security Podcast, Episide 147, April 21, 2009
 

I’m getting to talk to a lot of interesting people from parts of our industry that I might never have had access to before, thanks to the Forum of Incident Response and Security Teams.  This week’s example is Jeff Carpenter the technical manager at the CERT Coordination Center.  Jeff is also one of the people responsible for organizing this year’s FIRST Best Practices Contest.  This year the topic is Detect, which is a topic near and dear to Jeff’s heart, since that’s a large part of what he does in his day to day life.  We talk about last year’s contest, what’s going to be happening at the event in June and what it’s like to work at one of the oldest CERT teams.

The deadline for submissions to the FIRST Best Practices Contest 2009 has been moved to May 11, 2009.  It’s $5000 for first prize, so if you have a paper you think might be worthy, take the time to enter.

FIRST Podcast, Episode 2:  Jeff Carpenter, CERT-CC and Coordinator of the FIRST Best Practices Contest

One of my security contacts pinged me via IM this morning and asked “Where can I find a list of security podcasts?”  I couldn’t think of a list immediately, so I moved to one of the other dozen windows open on my desktop and tweeted the question.  The first reply was a list that I’ve known of for a long time, the Getmon IT Security Podcast Links.  The second reply was to look at the nominees list for the Social Security Awards, a list I helped work on myself.  All I can say in my defense is that it’s still early and my third cup of coffee hadn’t kicked in yet.  

Of course, start by subscribing to the Network Security Podcast and moving on from there. 


Update:  Another list to add to the list of lists:  http://www.securitycast.net/secpods-opml.xml