Episode 69 – Offensive Security Redux

Tonight Martin, Joseph, and Steve touch on some fun topics, revisiting some of our conversations from about this time last year in Episode 43. Without further ado – our stories for the evening:

It’s the breaches of the week!

http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/

http://www.thetechherald.com/articles/24-million-customer-accounts-exposed-in-Zappos-hack/16025/

And for the second half of our podcast, we discussed a return to Offensive Security, thanks to this article by George Hulme:

http://www.csoonline.com/article/698237/enough-defense-is-it-time-for-an-it-security-offensive-

And for your bonus image for the day, we may have dug up an image of Alex Hutton during his college days:

I'm not saying this is Alex, but it's probably Alex

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


Episode 67 – Hashes, Hackers, and STRATFOR – Oh My!

A happy new year to all our listeners! The boys are back in town, as it were. There are some big changes that came up this year, the first of which being a slight change to our format. We’ll be moving to a bi-weekly schedule, with interviews or other format episodes on the alternate weeks.

Also, it’s with great regret that we have to announce that our good friend, Andy Willingham, will no longer be on the podcast with us for a while. Life can be a little crazy, and he’s going to take a break for a little while, and we wish him all the best.

So this week, Martin, Steve, and Joseph dug into the password leak from the STRATFOR breach, and what the implications could be for passwords, and how we should look at the breach, based off of Steve’s article: http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List

Join us next week as we have a special interview with Alex Hutton.

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


Episode 62 – Experts and Leaders

Episode 62 – Leaders and Experts

This week, for two weeks in a row, the whole gang is back. We hit two articles that provoked a lot of thought amongst us, so without further ado:

Security 101: Security in 140 Characters or Less

http://isc.sans.edu/diary.html?storyid=11725&rss

Are you an IT security leader – really?

http://www.networkworld.com/news/2011/100311-are-you-an-it-security-251503.htm

Join us next week, as we continue to put right what once went wrong, and hope each time that our next leap will be the leap home.

Posted in Podcasts.


Episode 60 – Signal to Noise

This evening, it was just Martin and Joseph covering some of the big news of the past week: DigiNotar and Sony.

DigiNotar, a Certificate Authority from Holland, was breached over this past week, and the fallout just seems to keep growing:

http://www.thetechherald.com/article.php/201136/7580/DigiNotar-security-incident-goes-from-bad-to-worse?utm_source=twitterfeed&utm_medium=twitter
http://www.f-secure.com/weblog/archives/00002231.html

Back in the spotlight again is Sony, but for good (we hope) reasons this time, as they’ve announced their new CISO:
http://www.1up.com/news/sony-hires-dhs-official-chief-information-security-officer

Also, as we said on the podcast, for people with a high signal to noise ratio on Twitter, try starting with these folks.

@CSOonline @mikkohypponen @uscert_gov @HDMoore @rwestervelt @WeldPond @riskybusiness

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


Episode 59 – We Ain’t Afraid of No Monsters!

This week, we’ve actually got the whole gang together, and then some! The illustrious Josh Corman joins the crew as they hit a couple stories, then we get into some discussion of everyone’s favorite “monsters”.

First up: Tabletop Exercises Scenarios and Tips: http://www.csoonline.com/article/print/221132

Then, One Third of Security Professionals not Practicing What They Preach: http://www.darkreading.com/advanced-threats/167901091/security/security-management/231600409/one-third-of-security-pros-not-practicing-what-they-preach.html

And in our discussion with Josh, a few different stories came up, so I’ll go ahead and link them, and you can pull them up as you listen:

http://pastebin.com/WYJS303d

http://pastebin.com/raw.php?i=4vprKdXH

http://pastebin.com/SCdpTr2d

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


Episode 58 – Things Just Want to Be Free

This week, we have a fantastic interview with Andy Ellis of Akamai, and we even managed to discuss a story!

First, we discussed this whole “Shady Rat” business.

http://www.informationweek.com/news/security/attacks/231300162
http://www.symantec.com/connect/blogs/truth-behind-shady-rat

Then we launch into our interview with Andy Ellis (@CSOAndy) about hiring and the interview process.

Join us next week, same Bat time, same Bat channel as we discuss our Defcon/Blackhat/BSidesLV thoughts.

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


Episode 57 – Interview with Rich Mogull

The boys are back from hiatus, and getting back into the swing of things.

Our first (and only) story this week was found from the netsec reddit, and it’s been making the rounds:

Our Security Auditor is an idiot, how do I give him the information he wants?
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

We then go into Martin and Rich Mogull’s interview on how to evaluate and select technologies and how to effectively manage vendors.

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


Episode 49 – Merry Breachmas!

Just Andy and Joseph this week, but we hit some fairly hefty topics, particularly the breaches that seem to keep springing up every day lately.

First, Derek Newton has discovered a very interesting flaw in Dropbox’s host authentication.

http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

Then, we discussed the breaches of the week: Barracuda, Hartford, and US Airways.

http://www.theregister.co.uk/2011/04/11/barracuda_networks_attack/

https://www.threatpost.com/en_us/blogs/hartford-hacked-040711

https://www.threatpost.com/en_us/blogs/insider-allegedly-leaked-data-belonging-3000-us-airways-pilots-041111

And in the “too close to home for comfort” category, we finished up with the Texas Comptroller breach:

http://www.statesman.com/blogs/content/shared-gen/blogs/austin/politics/entries/2011/04/11/comptroller_personal_id_inform.html

http://blogs.chron.com/texaspolitics/archives/2011/04/personal_inform.html

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Posted in Podcasts.


What’s Going On Here?!

A lot of our listeners and friends have been wondering “what the heck is going on over there at the Southern Fried Security Podcast?”

Did Martin fire Joseph?  Why was Joseph kicked off the island?  And what the heck is Quine doing on the show?

Relax.

Everything is fine.

What you witnessed was the first, and probably last, April Fools gag the podcast has done.

It’s no secret that the guys at Southern Fried are fans of Martin, Rich, and Zach at the Network Security Podcast.  And we’d been commenting on how there were more and more similarities (babies, first names, etc.).  So – what would be better than “swapping out” Zach and Joseph?

So – after some brief coordination with the guys at NetSecPodcast we kicked it off.  The Colonel posted that Joseph was not going to be with the podcast.  Then Joseph indicated he’d been fired via Twitter.

And then the Hounds Of Hades broke loose.

Many folks DM’d us to see what was going on and to ask if they could help.  Some folks immediately took “sides”.  Some folks immediately saw through the drama and we DM’d them to hold off on talking about that.

But – we’re back to normal (or whatever passes for normal around here)…

If your feelings were hurt by this – we’re sorry. (Especially @shrdlu and @jackiea…please don’t kill us…please)

If you think this was just a dumb stunt – we’re inclined to agree with you.

If you just want us to get back to doing podcasts – you’re in luck.

Thanks!

Posted in Uncategorized.


Episode 48 – RSA: The Good, The Bad, The FUDly

We’re joined by our newest team member – Zach Lanier!

The crew discusses the recent events at RSA in the context of “What Should A CISO DO?”

Here are some of the stories we found…

Calm

http://www.govinfosecurity.com/podcasts.php?podcastID=1050

http://www.scmagazineuk.com/the-impact-of-the-rsa-token-data-breach-is-still-undetermined/article/198935/

Panic

http://www.channelregister.co.uk/2011/03/24/rsa_securid_news_blackout/

http://blogs.computerworlduk.com/jericho-forum/2011/03/after-the-breach—how-secure-is-rsas-securid/

http://www.americanbanker.com/bulletins/-1034737-1.html

FUD

http://www.digitalidnews.com/2011/03/23/ironkey-protects-banks-and-their-customers-from-rsa-securid-data-breach
(alt)

http://www.istockanalyst.com/business/news/4990527/ironkey-introduces-protection-for-banks-and-their-customers-from-rsa-securid-data-breach

http://www.networkworld.com/news/2011/032311-rsa-securid-backdoor.html?page=1

http://www.businesswire.com/news/home/20110322006389/en/Swivel-Secure-Authentication-Expert-Comments-RSA-Security

http://www.microscope.co.uk/news/rivals-move-to-plug-gap-left-by-rsa-uncertainty/

We’ll be back next time with more fun and stories!

You can find the episode here, as always.

Posted in Podcasts.