Security News

My appearance on OWASP Podcast 61 is available.

The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate.

We recorded the podcast in late January. Jim asked me the following questions:

1. Would you care to tell us how did you get into IT and what lead you into a career in information security? What keeps you busy these days?
2. What’s the difference between focusing on threats vs focusing on vulnerabilities?
3. What is your problem with the “protect the data” mindset?
4. What do you mean by “building visibility in”?
5. What is your take on the Aurora/Google hack?
6. You just tweeted that “Network Security Monitoring ideology is the proper mechanism to combat APT/APA”. Do you think network IPS/IDS/WAF can help defend insecure web applications? What are the limits of Network Security Monitoring?
7. How important a role do you think secure coding and secure software development life-cycle play in defending the enterprise?
8. Have HIPAA, PCI, SOX and other regulations helped reduce risk in the average enterprise?
9. Is seems pretty clear that attackers have a clear advantage. Why is that? How can we turn the tide?
10. Any thoughts on OWASP? Are we helping the cause?
11. Where are we going to be as an industry in 10 years?
12. You blogged that “The trustworthiness of a digital asset is limited by the owner’s capability to detect incidents compromising the integrity of that asset.” Given that we don’t have any high integrity database, identities or application servers – how do you detect a breach of integrity when there is no verifiable integrity in the system in the first place?

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, “Identity and its Verification,” in Computer Law & Security Review, Volume 26, Number 1, Jan 2010. Those faced with the problem of how to verify a person’s identity would be well advised to ask themselves the question, ‘Identity with what?’ An enquirer equipped with the answer…

A hardware appliance that provides many different security features rolled into one appliance.

Can you hear that? That’s the sound of air escaping as we all finally recover from the RSA conference. Rich and Martin are back, and Zach… never left (but did celebrate a birthday last week). We do a quick recap of RSA and then dig into the security news… much of which had nothing to do with the conference. Weird.

Network Security Podcast, Episode 188, March 9, 2010
Time:  32:01

Show Notes:

• Great coverage of Martin’s RSA panel on disclosure. One of the first with an actual user on the panel.
• Government declassifies parts of the Comprehensive National Cybersecurity Initiative.
• Police get webcam pictures in school spy cases.
• Experts dismiss end to end encryption claims. Bunch of gross generalizations.
• Oops- Vodaphone distributes infected phone.
• … and Energizer distributes malware in USB battery software.
• Tonight’s music: 

Security vendors sending out misleading information, claims Secunia.

Fake anti-virus scams extracting millions from unwary users.

Company gives details on IE attack along with Office fixes.

Spanish customer buys HTC Magic preloaded with Mariposa botnet client.

IT admins warned to upgrade immediately.

Change in Focus