Category Archives: Podcasts (AppSec)

Information Security Podcast

An Information Security Place Podcast – 01-22-14

Jim, Dan, and Michael have a lot of catching up to do. We talk about a lot of stuff because a lot of stuff has been happening. From RSA, NSA, QSAs… security is busy! Show notes below!

Show Notes:

Infosec News Update

  • 123456 is the new best of the worst – Link
  • RSA Conf and those skipping it this year – Link
  • Fixing a flawed VA medical records system: Tenacity pays off for a researcher – Link
  • Do you believe the Obamacare website is secure? These guys don’t – Link1, Link2, Link3

Discussion Topic – The Failure Themes of the Target Breach

  • Massive Props to Brian Krebs on his coverage of the whole debacle – Krebsonsecurity.com
  • AntiVirus Takes it on the Chin …Again – Link
  • Egress Filter Much? – Link
  • Credit Card Processing Fundamentally flawed – Link

EMPHATIC POINT OF THE PODCAST!! Complacent with Compliance … again: PCI != security

Music Notes

Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

  • Intro: “Stay Alive” – RivetHead
  • Segment 1: “Synchronicity II” – RivetHead
  • Segment 2: “Burn Us Down” – Early Morning Rebel
  • Outro: “Zero Gravity” – RivetHead

HO-FFL Update

We are now in the middle of week 4, but I want to catch everyone up on what's been happening.

First of all, I am currently ranked 10th in our 12 team league. Wow, that’s embarrassing! Fortunately for me it's early in the season and I am going to win my matchup this week, which will jump me up in the rankings a bit.

Week 1) I got off to a good start as I crushed my opponent @frenchdc and expected the trend to continue. However the best team in week 1 was @billyaustintx who was our first top scoring team and earned the first $10 prize.

Week 2) This week I faced Chad @ChadCollins10 and expected an easy win, which I was projected to get. However, as it goes with fantasy football, you never know… Chad had Julio Jones who had a monster game, and I had 3 players from the 49ers who bombed out. Between Kaepernick, Anquan Boldin and Vernon Davis I got 13.75 (big ouch) and Chad nearly doubled my score. This week’s top scoring team was Spicy Thai Peanuts (@spicythaipeanut) as he beat the Has Crackers.

Week 3) Once again I go down to defeat because of the 49ers imploding. I sadly lost by a mere 3 points to @SecBarbie. We both had a bad week, but mine was just slightly worse. At this point I have now dropped to 10th place. Our top scoring team of the week is Drew’s Whamtastic. Congrats! One other interesting fact at this point is that @ChadCollins10's team False Positives is the top ranked team, yet has not won any money yet from being the top or 2nd best point earner for the week. I guess he is playing the slow steady game to make sure he wins the league trophy prize.

Week 4) We are now in the middle of week 4, and we have one game left for Monday Night Football. From the looks of it, I should win my week and can at least move up to the middle of the pack. I have a lot of work to do to make sure I make it to the playoffs and then have structured a winning team this season!

Good luck everyone. I’m having fun and I hope those that are playing it are having fun, as well as those watching the league.


Information Security Podcast

An Information Security Place Podcast – 8-20-13

The podcasting returns! This is the first new episode of InfoSec Place, and in a few days my web security podcast will return here on Man Vs Webapp (formerly Mightyseek).

Show Notes:

InfoSec News Update

Discussion Topic

  • The Threat of Social Engineering – Jigsaw FTW
  • Link 1
  • Link 2

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

  • Intro – Stay Alive – RivetHead
  • Segment 1 – – RivetHead
  • Segment 2 – – RivetHead
  • Outro – Zero Gravity – RivetHead

Security B-Sides SF 2013: The Pineapple Express: Live mobile application hacking demo…


All aboard the Pineapple Express, it's a speeding bullet to the mobile backend! I’m looking forward to speaking at the upcoming B-Sides San Francisco. Most of the mobile security research has been focused on the apps on devices, but I have been more interested in the services and back-ends that power mobile apps.


I’m excited about the new WiFi Pineapple software that I discovered while doing my research on mobile application security, and I’m leveraging it to create a WiFi hotspot during my talk.

In this talk, we’ll go beyond the typical discussion points on mobile security to delve into the vulnerable back-ends of mobile applications. I will demonstrate how easy it is to find vulnerabilities and attack the service calls in social media, banking and payment applications.

These applications leverage new formats like JSON, AJAX and REST to deliver a rich user experience, but unfortunately they are too often exposing the same familiar vulnerabilities like SQL and Command injection. During this talk, I will demonstrate just how vulnerable these back-ends can be and how easy it is to watch the traffic and attack these interfaces.

The first step in learning to attack these mobile applications is understanding the formats used. Participants learn how to break down these new formats, where to attack them, and which tools and techniques make it easy to attack these back-end interfaces.

The audience will have the opportunity to connect to my WiFi Pineapple and use their real apps, which I will snoop on to demonstrate how to hack the backends. While they won’t actually hack applications, the group will watch the live traffic and discuss techniques that can be used to hack those applications.

An Information Security Place Podcast – Episode 04 for 2012

Hmmm, let's see if I even remember how to enter this stuff anymore… Yep, you guessed it, we finally recorded another episode – WOOT!

Show Notes:

InfoSec News Update –

  • Howard Schmidt is Retiring – Link Here
  • Vulnerability Stats of Publicly Traded Companies – Link Here
  • Tool Update – Threadfix from Denim Group – Link Here
  • The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
  • The WAF Wars – Link 1 / Link 2 / Link 3
  • PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
  • App for scanning faces to gauge age at bars – Link Here
  • Business Logic Testing defined – Link 1
  • ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2

Discussion Topic –

  1. Should specific security efforts be validated when the program as a whole is crap? Link Here

Music Notes:

Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

  1. June 1 – Dallas – Curtain Club

  • Intro – RivetHead – “The 13th Step”
  • News Bed – RivetHead – “Beautiful Disaster”
  • Discussion Bed – RivetHead – “Difference”
  • Outro – RivetHead – “Zero Gravity”

An Information Security Place Podcast – Episode 03 for 2012

Today’s show is Michael interviewing Kevin Riggins. Kevin is an Enterprise Security Architect for a Fortune 500 financial services company. Kevin and Michael have some great conversation about Kevin’s job, what he is doing at RSA, where he blogs, the book he coauthored, etc. (look below in the show notes for links to everything).

Then a fun discussion starts about cloud, risk, mobility, risk in the cloud, risk in mobility, risk of mobility integrated with the cloud, and so on. Good stuff all around.

Here are some links to stuff about Kevin and other stuff we talked about in the show.

  • Management Team Member for the Society of Information Risk Analysis – link
  • Coauthor on The Cloud Security Rules – link
  • Kevin blogs at Infosecramblings – link
  • Twitter pages – link and link and link

An Information Security Place Podcast – Episode 02 for 2012

Thanks go to Jeremiah Grossman for sitting down with Michael for some great discussion. Jeremiah is the CTO at Whitehat Security and a very well known figure in the InfoSec industry. Jeremiah and Michael talk about Hawaii, sharks, security philosophy, RSA, stage fright, Jeremiah’s TED talk (not published as of the posting of this entry), and the age of the InfoSec industry and whether young folks are coming into the fold.

You can find Jeremiah at Whitehat (link above) and his blog, and you can follow him on Twitter as well. Jeremiah will be giving a talk and participating on a panel at RSA as well, so be sure to attend those if you are going to the RSA Conference 2012.

An Information Security Place Podcast – Episode 01 for 2012 – Breach Report

Wow! Six months…and two job changes later, we are finally back to recording! YEAH!…. Here's the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update –

Discussion Topic – 2012 Breach Report

  1. Care2 Discloses Breach; Company Has Nearly 18 Million Members
  2. AntiSec hit California and NY Law Enforcement Sites
  3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks

  • Intro – RivetHead – “The 13th Step”
  • News Bed – RivetHead – “Beautiful Disaster”
  • Discussion Bed – RivetHead – “Difference”
  • Outro – RivetHead – “Zero Gravity”
  • Tour Dates:
    1. Jan 6 – Dallas – Curtain Club
    2. Jan 27 – Dallas – Trees
    3. Jan 28 – Dallas – Trees
    4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
    5. Mar 3 – Houston – BFE Rock Club
    6. Mar 24 – Fort Worth – The Rail Club
    7. May 5 – Dallas – Renos Chop Shop


Introducing Jim Broome

We caught a big one!
I’m proud to announce that my buddy Jim Broome has joined the NT OBJECTives team and will be contributing to the blog and podcast.

Jim Broome, CISSP
Jim, an information security veteran with two decades of experience in the security industry, is joining as VP of Security Services. Jim’s role is to provide world-class SaaS-based web security services through NTOSpider On-Demand while also providing leadership to the NTOLabs research and consulting teams.

Experience
Practice Manager – Accuvant LABS – Accuvant, Inc.
As one of Accuvant’s most seasoned security assessors, Mr. Broome performed innumerable consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments, penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients came from a variety of markets, including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Principal Security Consultant – ISS X-Force

Prior to joining Accuvant, Jim was a principal security consultant for Internet Security Systems (ISS) and a member of the X-Force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western region consulting practice while performing his day-to-day duties of network assessments and penetration testing.

Director of Network and Security Operations – Cavion.com

Before X-Force, he was the director of network operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

Introducing Man Vs WebApp


I’m Dan Kuykendall and I’m going to show you what it takes to hack into some of the most dangerous places on the web.

I’ve got to make it through a weak set of defenses in the sort of places you would think would have the right survival skills.

This week I’m in the dense objects of AMF, one of the least understood parts of the web. It's an environment full of hidden dangers. The decoders are unforgiving. Even the applets can push you to the limit. And for every step forward, you can take two steps back.

As I prepare to re-launch my podcast I am doing so with a new name and new concept. I will cover the news and random web app sec that comes up, but mostly will focus on the actual how-tos for attacking and defending in as many shows as possible.

The show and this blog will be renamed to “Man Vs WebApp”, and it should take another week or so to get the migration completed and for me to start posting shows. All the existing content should stay in place. I appreciate your patience as the site goes through the changes; there may be some odd behavior/broken pages for a few days.