© Focus on protecting networks and information, by Martin McKeay.
We're joined today by Glenn Fleishman to talk about our own recent past and the recent cracks in the WPA armor. Rich recently got to visit Russia to participate in a talk on Data Leak Prevention, while Martin got his own sit-down with DHS Secretary Michael Chertoff. Glenn had a little excitement of his own, with a detailed article on the recently revealed vulnerabilities in WPA using TKIP. It's a small vulnerability, but both Rich and Glenn suspect it's just a precursor to bigger, badder things to come. And somewhere in there, a three-year anniversary for the podcast slipped by.
Network Security Podcast, Episode 128, November 18, 2008
Show Notes:
No time for any music or fancy stuff like that.

I just got some pictures from Tuesday that were taken by Secretary Chertoff's photographer. If you look at my MacBook Pro, you'll see several stickers rather prominently displayed, but the most obvious one is "Hack Naked" from PauldotCom Security Weekly! I really wasn't thinking about what I was carrying around, since the bag I was using that day was a Black Hat 2008 bag. I'm glad they knew enough about me not to be worried about my hacking skills.
George Ou has done a good job of writing up his experience from Tuesday. George and I have different priorities, so it was good for him to ask questions I wouldn't have thought of. We were all impressed by the statistics concerning the no-fly list: there are only approximately 2,500 names on the true "no-fly" list and another 20,000 on the extra-security list. And of those, only 10% are American citizens, according to Secretary Chertoff. For such a small list, it sure has created a big stir.
Added: Of course, minutes after I posted this, I found out that Andrew Storms, the guy pictured to the right of me, wrote up his own experience. I think between the excellent posts by Andrew and George, I don't need to feel guilty about not having time to write up my own experience.

I'm still digesting yesterday's talk with DHS Secretary Michael Chertoff. Thanks to Mr. Chertoff and his press folks for inviting me to the event. I never thought I'd be invited to talk to one of the highest-level security professionals in the country; it wasn't even something I had as a "some day, possibly" goal. I don't agree with everything Mr. Chertoff said, but I still enjoyed talking to him and learning about his point of view. You can listen to the audio in the latest podcast.
Deborah Gage at SFGate wrote up her impression of the conversation, which captured most of the points of the conversation rather well. I'm just disappointed she referred to us as "Silicon Valley bloggers" instead of mentioning names and blogs. Plus, technically, only George Ou is a Silicon Valley blogger; I'm over 100 miles away in the North Bay and Andrew Storms isn't much closer. Still a good write-up. I have to wonder if SFGate.com has something against linking out to bloggers, since we're sometimes direct competition.
I only took a couple of pictures, as I was much more interested in taking part in the conversation and live-tweeting it. Luckily Andrew Storms caught a number of good shots of Secretary Chertoff. And the back of my head, definitely not my most photogenic part. I hope to see Andrew's take on the conversation soon. Here are a couple of the photos I took of Mr. Chertoff, Andrew Storms and George Ou. I'll post a bit more on the meeting as time allows. Which probably means not today.

When I first got an invitation to attend a roundtable discussion with Department of Homeland Security Secretary Michael Chertoff, I thought it was a hoax, as did some of the people I asked about it. A little fact checking revealed that it was the real deal, but the meeting was in Washington, DC. Traveling cross-country for an hour-long meeting isn't in my budget, so I regretfully passed on the opportunity. Fast forward a month and the invite comes again, but this time it's happening at Stanford University. There's no way I could pass that by. Andrew Storms and George Ou expressed interest in going, and Secretary Chertoff's Press Secretary, Caroline Dieker, made the arrangements and we were all invited to attend.
I was impressed by Secretary Chertoff; he speaks plainly, with only a little of the evasion I'd expected from someone in a position like his. I don't agree with all his arguments and ideas, but he was very open to discussing them publicly. I almost feel bad that he's going to be gone come January. I tried to tweet the whole thing as much as possible, but it's easy to get distracted in a situation like this. I captured the entire conversation on my little iRiver 795, and here it is so you can listen for yourself.
Network Security Podcast, Episode 127, November 11, 2008 - Blogger Roundtable with DHS Secretary Michael Chertoff
I'm posting a copy of the live tweets in the comments, along with the replies.

Michael Chertoff, the Secretary of the Department of Homeland Security, will be here in California tomorrow. He's hosting a blogger roundtable on cybersecurity and I'm one of an unknown number of security bloggers who'll be attending the event and talking to Mr. Chertoff face to face. Quite frankly, I was surprised that the Department of Homeland Security was even aware of blogs, let alone willing to step out of Washington to talk to us in person. I probably shouldn't be, since the TSA has had a blog for months now, even if I rarely agree with what they post there and never take it at face value.
Mr. Chertoff is on his way out due to the change in leadership our country is going through, but he's held a highly political and thankless job for some time now. He has a unique view of the security of not only our nation, but every nation in the world. So what would you ask the man who's been responsible for "homeland security"? What do you want to know about how we're doing security at the highest levels? What burning questions about the TSA and your shoes are eating away at you? If it was you going to talk to Mr. Chertoff tomorrow, what's the one question you'd ask?
I have a number of my own questions, but I know that you can come up with even better ones. Leave a comment on this post with the question you'd ask. Keep it short and concise, and make it topical to cybersecurity. I won't be asking any "attack" questions, but I'm perfectly willing to ask some of the hard questions. Personally, I want to know what it's like to be placed in charge of Homeland Security without any real power to effect change. Except that most security managers already know what that's like.
We're allowed to bring cameras and audio equipment, but no video. Most of my equipment is for close up interviews, but I'll do the best I can with what I have. I'm just hoping the Secret Service doesn't decide that some of my equipment isn't acceptable. Or decide that I'm a security risk at the last minute.

Congratulations to Jason, the winner of the free pass to CSI. Here's his story about how a minor change to a script almost caused a major disaster. I have my own war story about scripts I'll share later this week. Here's a hint: Always make sure you're in the proper directory when running your scripts.
This happened when I was first learning to admin UNIX boxes. Another SysAdmin and I were working on a shell script to lowercase the file names of 30-40 million image files. They were on an NFS mount that was used by several servers. These images were part of detail listings of a relatively busy web site and we were right in the middle of the day.

Now that the background of the mess is fully explained, the story gets going. We went through several revisions and were testing against a directory on a desktop system. Nothing destructive happened during testing and we were getting fairly comfortable with the "safety" of the script.

We finally thought we had a working script, so we moved it to the prod server. Then we noticed a "minor" change that needed to be made on it. We made the change, then decided that since this was such a small, little tweak we could run it on the live NFS mount without any further testing. Fire in the hole!

The script took off and we watched it run. All was well. Then my phone rang from the NOC. A panicked operator was on the phone saying, "Hey, what's happening with listing images from xyz.com? They are all coming up as 404s!" I killed the script while thinking something like "oh crap, oh crap, oh crap!" Sure enough, the script had wiped out about 50% of the images. Amazing how fast a shell script can delete when it goes haywire.

We pointed the web servers to a backup copy of the images, then started to recover to the production mount. The backup was a couple of days old, so our image processing guys had to re-upload the missing work. I was lucky that the online backup was there. I had taken it for reasons unrelated to this event. The next day I got to explain to the CIO what had happened.

The moral of the story was backup first and test your script until it is golden before going live. Then test it again and again and again. Make sure you are doing it at the proper time, then go to production. We didn't have change control, so I'd add get all the approvals now too. Cover your butt.

It was a good lesson. I've never done anything like that again in the last 7 years.
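Jason's story ends with the moral: back up first, test until golden, then test again. As an added example that is neither Jason's script nor anything from this blog, here is a lowercase-rename pass written with the guards that moral implies: it refuses a relative target (the "proper directory" hint above), runs as a dry run unless explicitly told to apply, and never renames onto an existing file. The post does not say how Jason's script actually destroyed files; the case-only name collision the example guards against (a bare `mv A.JPG a.jpg` on a case-sensitive filesystem silently overwrites an existing `a.jpg`) is an assumed failure mode chosen to make the guards concrete, and the fixture files are constructed sample data, not the 30-40 million images from the story.

```shell
#!/bin/sh
# Added example, not the script from the story above. The post never says what
# the fatal "minor change" was; the collision case below (two names that differ
# only in case, so a bare `mv` would silently overwrite one with the other) is
# an assumed failure mode used to show why the guards matter.
set -eu

# lowercase_tree TARGET [apply]
# Rename every regular file under TARGET to its lowercase name. Without the
# literal word "apply" it is a dry run: it prints the plan and changes nothing.
# Exit status: 0 clean, 1 if any rename was skipped as a collision, 2 on a bad
# target. Run the dry run first and only apply once it reports 0.
lowercase_tree() {
    target=$1
    mode=${2:-dryrun}

    # Guard 1 ("make sure you're in the proper directory"): accept only an
    # explicit absolute path that exists, so an earlier `cd` that failed
    # cannot leave the script renaming whatever tree it happens to be in.
    case $target in
        /*) ;;
        *) echo "refusing relative target '$target'; pass an absolute path" >&2; return 2 ;;
    esac
    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 2; }

    # Work in a subshell so the cd does not leak into the caller's shell.
    (
        cd "$target" || exit 2
        collisions=0
        # Feed the loop from a temp file rather than `find | while`: a piped
        # loop runs in its own subshell and would lose the collision count.
        list=$(mktemp)
        find . -type f > "$list"
        while IFS= read -r path; do
            dir=$(dirname "$path")
            base=$(basename "$path")
            lower=$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')
            [ "$base" = "$lower" ] && continue
            # Guard 2: never rename onto an existing file. The -ef check keeps
            # this usable on case-insensitive filesystems, where the lowercase
            # name resolves to the very file being renamed.
            if [ -e "$dir/$lower" ] && ! [ "$dir/$lower" -ef "$path" ]; then
                echo "COLLISION: $path -> $dir/$lower already exists, skipping" >&2
                collisions=$((collisions + 1))
                continue
            fi
            if [ "$mode" = apply ]; then
                mv -- "$path" "$dir/$lower"
            else
                echo "would rename: $path -> $dir/$lower"
            fi
        done < "$list"
        rm -f "$list"
        [ "$collisions" -eq 0 ]
    )
}

# make_fixture: build a throwaway tree (constructed sample data) covering the
# interesting cases: mixed case, already lowercase, a name with a space, and a
# case-only collision. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/sub"
    : > "$d/Photo1.JPG"
    : > "$d/photo2.jpg"
    : > "$d/sub/Nested File.TXT"
    : > "$d/sub/DUP.png"
    : > "$d/sub/dup.png"   # collides with DUP.png on a case-sensitive FS
    printf '%s\n' "$d"
}

# Stand-alone demo: dry run, then apply, then show what survived.
demo_dir=$(make_fixture)
lowercase_tree "$demo_dir" || echo "dry run: collisions found, review before applying" >&2
lowercase_tree "$demo_dir" apply || echo "apply: collisions were skipped, nothing overwritten" >&2
find "$demo_dir" -type f | sort
rm -rf "$demo_dir"
```

The plan goes to stdout and collisions to stderr, so `lowercase_tree /mnt/images > plan.txt` leaves a reviewable record of exactly which renames will happen before anyone types `apply`; a non-zero dry-run status is the signal to stop and resolve the collisions by hand rather than let the script decide which file wins.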
