An Information Security Place Podcast – 01-22-14 [ 33:53 ]
Jim, Dan, and Michael have a lot of catching up to do. We talk about a lot of stuff because a lot of stuff has been happening. From RSA, NSA, QSAs… security is busy! Show notes below!
Show Notes: Infosec News Update
123456 is the new best of the worst –
RSA Conf and those skipping it this year – Link
Fixing a flawed VA medical records system: Tenacity pays off for a researcher – Link
Do you believe the Obamacare website is secure? These guys don’t – Link1, Link2, Link3
Discussion Topic – The Failure Themes of the Target Breach
Massive Props to Brian Krebs on his coverage of the whole debacle –
AntiVirus Takes it on the Chin …Again – Link
Egress Filter Much? – Link
Credit Card Processing Fundamentally flawed – Link
EMPHATIC POINT OF THE PODCAST!! Complacent with Compliance … again. PCI != security
Special Thanks to the guys at RivetHead for use of their tracks
Hmmm, let’s see if I even remember how to enter this stuff anymore… Yep, you guessed it, we finally recorded another episode – WOOT!
InfoSec News Update –
Howard Schmidt is Retiring – Link Here
Vulnerability Stats of Publicly Traded Companies – Link Here
Tool Update – Threadfix from Denim Group – Link Here
The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
The WAF Wars – Link 1 / Link 2 / Link 3
PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
App for scanning faces to gauge age at bars – Link Here
Business Logic Testing defined – Link 1
ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2
Discussion Topic –
Should specific security efforts be validated when the program as a whole is crap?
Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/
June 1 – Dallas – Curtain Club
Intro – RivetHead – “The 13th Step”
News Bed – RivetHead - “Beautiful Disaster”
Discussion Bed – RivetHead - “Difference”
Outro – RivetHead – “Zero Gravity”
Wow! Six months… and two job changes later, we are finally back to recording! YEAH!… Here is the latest show from our intrepid hosts.
InfoSec News Update –
Discussion Topic – 2012 Breach Report
Care2 Discloses Breach; Company Has Nearly 18 Million Members
AntiSec hit California and NY Law Enforcement Sites
Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank
Music Notes: Special Thanks to the guys at RivetHead for use of their tracks
Intro – RivetHead – “The 13th Step”
News Bed – RivetHead – “Beautiful Disaster”
Discussion Bed – RivetHead – “Difference”
Outro – RivetHead –
Jan 6 – Dallas – Curtain Club
Jan 27 – Dallas – Trees
Jan 28 – Dallas – Trees
Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
Mar 3 – Houston – BFE Rock Club
Mar 24 – Fort Worth – The Rail Club
May 5 – Dallas – Renos Chop Shop
Sorry I missed last week, this one will cover the last two weeks.
NT OBJECTives Releases SQL Invader – NTO SQL Invader finally makes it easy to exploit a SQL Injection vuln from a clean graphical interface. Check out the video demonstration.
Santa’s CISO failed him! – Another major data leak for 2011
MySQL.com Once again Compromised using SQL Flaw – The article says it well: “MySql website is pretty embarrassed for not securing its own database’s properly”.
HTML5
It’s ba-ack. Exploit revives slain browser history bug – I’m glad to see this type of research being done, because sometimes we assume one style of change will fix a thing, but that’s rarely the case in the end.
OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection – Great write-up on making sure the transport layer is secured, and how to recognize when it’s not.
Critical Zero-day Vulnerability in Adobe Reader – Another week, another critical flaw in Adobe.
Yahoo Messenger 0-Day Exploit allows status message hijacking – This is cool because it’s basically an XSS attack against Yahoo Messenger.
Millions of printers open to devastating hack attack – Said best by Steve Tornio on twitter “My HP all-in-one printer barely even works. Asking them to code securely is not likely to end well.”
Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10 – While on the topic of HP, here’s an interesting one: the application’s XSS filter on the GET request was evaded by new line characters (%0D%0A), and no XSS filter existed for the POST request at all. Good bypass!!
DNS cache poisoning attack on Google, Gmail, YouTube, Yahoo, Apple – Nothing new, but a reminder of how much we trust in DNS and how easy it is to screw with.
I hope that all of you in the US had a great Thanksgiving.
As is normal for a holiday weekend, the news is a bit light, but here is what I was able to gather for this week.