Spliced feed for Security Bloggers Network |
Risk Ostrich [Risktical Ramblings] Posted: 19 Sep 2008 07:37 AM CDT The recent "midwest wind storm" combined with some crazy work activities has hindered my ability to get in some blog postings. I took a few minutes this morning to quickly peruse some blogs and stumbled across this posting over at securosis. I think it is pretty irresponsible for someone to pooh-pooh an emerging discipline in our profession by comparing it to financial risk management. The motive of being able to quantify information security risk is to allow for better decision making and understanding the cost of risk to an organization, not to make a profit. More on this in a future posting. We all know that ostriches appear to bury their heads in the sand. However, apparently it is a myth that they do it because they are scared. They bury their eggs in the dirt or in a hole and once in a while, they stick their head in there to check up on the eggs or do whatever to them. So, to the blog post author, while you have your head under the dirt checking up on your investment eggs, take another look at those risk quantification eggs. |
The mother of all bailouts [StillSecure, After All These Years] Posted: 18 Sep 2008 08:54 PM CDT Well just when we thought we had seen it all comes word that the Secretary of the Treasury and the Fed Reserve Chairman are huddled with our Congressional leadership working out a bail out for the entire banking system in regard to bad mortgages. This one could put taxpayers on the line for upwards of a trillion dollars. That is right, Trillion with a T. Jeez, is there a friggin' mortgage out there that is not in default? Similar to what we did with the Resolution Trust Company back in the Savings and Loan crisis (Does anyone remember the Keating 5? Extra points for naming who was the number one of the Keating 5), we will set up a company that banks can sell or transfer all of their bad mortgages to. This way they get all of the bad stuff off of their books and can get back to pillaging the little guys in this country. Speaking of the little guys, where is their bailout? Where is the government to help the people being put out of their homes every day? It is OK to give trillions of dollars to Wall Street fat cats and bank presidents, but the families being tossed out of their homes get nothing. It just doesn't add up for me. If the banks and Wall Street need relief, so do the individual people who are already suffering from the greed and excess of the last years. I am waiting to see what comes next. In the meantime I am thinking of starting a bank to get my share of the bailout money. |
NAC Interoperability - Man or Myth? [StillSecure, After All These Years] Posted: 18 Sep 2008 08:02 PM CDT Sean Michael Kerner at Internetnews.com is the latest in a long line of journalists to ask if NAC interoperability is a myth and ask when, if ever, it will be achieved. Lately, whenever I hear this I am reminded of one of my favorite movies when I was a child. In my house during Easter/Passover time, a highlight for me was when our family would gather around the TV and watch Charlton Heston in The 10 Commandments. They just don't make movies like that anymore. Anyway, there is a line when Sethi, Pharaoh of Egypt, tells Yul Brynner, who is Ramses, the future Pharaoh, to find out the truth about the prophesied deliverer of the Hebrews. Sethi tells Ramses that if the deliverer is a myth bring him the myth in a bottle, but if he is a man bring him in chains. Of course Ramses returns with an empty bottle, for the Hebrew deliverer is no myth. Instead he has Charlton Heston as Moses in chains. Well here is my empty bottle about the myth of interoperability of NAC. The bottle is empty because NAC interoperability is no myth and is very much real. The problem is that most people are waiting for that golden moment when the Sun aligns, the angels sing and interoperability is proclaimed throughout the land. What does interoperability really mean? Does it mean one NAC solution is going to work with another and they are interchangeable? I don't think so. Interoperability means to me that all of the moving parts involved in NAC work together across different vendors. My friends, we have that now. Call off the hunt for the myth, the reality is here. What NAC interoperability means is: can your NAC controller work with switches from different vendors to test and enforce for access control? What NAC interoperability means is: can NAC systems use a soon to be ubiquitous agent, such as the Microsoft NAP agent? If so, we have that today with any TCG compliant NAC.
Can NAC systems use just about any DHCP or Radius server? Yes. SNMP or 802.1x? Check. Default supplicants? Yes again. Guys the systems and tools used to install NAC, the switches, VLANs, ACLs, Radius, AD, DHCP servers all work together today. Cisco works with NAP, TCG works with NAP, NAP works with everything else. Stop waiting for the mythical deliverer, the NAC promised land is right here before your eyes. It is just not a StillSecure thing either. Take a look at any of the leading NAC solutions with the exception of Cisco and you will see a high level of interoperability with the network infrastructure components that NAC needs to function. Cisco is another story. My personal belief is that they give lip service to wanting to be interoperable, but frankly they would rather see hell freeze over. With their dominant position in the network market, they want their stuff to work best on their own gear. They want to use that as a reason to use only their equipment and lock you into the Cisco mono-culture. Every other NAC vendor will work with a wide range of network switches and gear. So it is in Cisco's interests to sow myths and misconceptions. To drag their feet in working with other solutions. But other NAC solutions work just fine on Cisco gear. Make no mistake about it. NAC is interoperable right now! |
Untangle for Windows - Exploding the Myths [untangling the future...] Posted: 18 Sep 2008 07:34 PM CDT In the 48 hours since its release, several myths have already begun to emerge about “Untangle for Windows” and its patent-pending Re-router™ technology. I suppose that we should consider it a success of sorts that so many people are talking about it — and we do. But please allow me to set the record straight in several areas…. Here are some of the claims being made, along with my responses to them:
So that’s how we see it. We think that the “small business” market (10-100 users) will see it this way too. And their networks will be safer, more reliable, and less expensive to operate because of it.
Anonymous hacks Sarah Palin's Yahoo! account [Security Circus] Posted: 18 Sep 2008 04:39 PM CDT |
Sarah Palin, a yahoo email account, and something more shocking... [extern blog SensePost;] Posted: 18 Sep 2008 04:24 PM CDT By now everyone knows that John McCain's running mate Sarah Palin had her yahoo email account hacked. I guess a presidential candidate using yahoo for govt. related email was about as shocking as Sarah Palin's nomination as possible future president (unless of course you have ever heard of other govt. officials using yahoo/gmail/hotmail for serious business) (inside joke for south africans!). People have been talking about secure password resets for a long time [1] and this was pretty shocking all around. But even more shocking for me (as a totally removed observer) was the Errata Security post (authors of hamster, which we commented on [here]) ending their post with an endorsement of the McCain/Palin ticket. I thought all (american) hax0rs leaned towards "the change" |
Posted: 18 Sep 2008 02:09 PM CDT This week's Tim Greene NAC newsletter (Tim actually writes the most consistent NAC column there is, thanks Tim!) deals with an age-old problem with NAC. That is the case of the wrong tool at the wrong time. Tim highlights a recent release of a new version by one of the smaller NAC vendors. The vendor is seeking to make lemonade out of lemons. Because they use traditional vulnerability testing in place of true NAC policy tests, the testing takes a long time to complete, by their own admission. Therefore they are advocating letting people on the network and scanning them in the background. If they fail they can then be dealt with. Of course this still leaves you open to a user coming on the network and doing something bad before they are discovered. In the case of this vendor, they say to only do it with "trusted" devices. That would work if you could say for sure who and what a trusted device is. In today's world there are no trusted devices, same as there are no trusted networks. The problem with vulnerability scanning is it is hard to do quickly before someone logs onto a network. That is the fundamental problem here and the same with other agent-less tests from other NAC vendors (think used car sales guys). In certain verticals, such as the edu space, they are comfortable with testing a device once a semester or so and not testing again for a few weeks or months. That is a question of what your risk tolerance is though. Also don't be fooled by millisecond response times. The clock doesn't start until the vulnerability or malicious behavior is actually detected. By then it could be too late. Purpose built NAC products that don't just re-use vulnerability scanners provide superior solutions to this problem and should be what you look for. |
MindshaRE: Live Analysis Markup [DVLabs: Blogs] Posted: 18 Sep 2008 01:57 PM CDT Posted by Cody Pierce I have mentioned before that I am always trying to bridge the gap between static analysis and live analysis. I try to always reverse statically but let's face it, sometimes due to time constraints, complexity, or dynamic resolution of functions we need a little help from our favorite debugger. So today I'll demonstrate a little tool I use to help me easily pull the information I need from a debugger and still stay focused in IDA. My simple live analysis markup utility might help you in these situations as well. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. Let's set up a scenario. You are reverse engineering calc.exe so you can patch its addition functionality. Maybe you want to make 2 + 2 equal 5. When you encounter the following snippet you feel the need to just take the easy route and use a debugger.

    .text:01011605 push edi
    .text:01011606 mov edi, [eax]
    .text:01011608 mov ecx, [edi+4]
    .text:0101160B mov eax, [edi+8]

Normally, you would switch gears and open your debugger. Then you'd have to set a breakpoint at each address you are interested in. Once the breakpoint hits you would then inspect the register or memory address you need. Not exactly a quick and painless process. That's why I wrote this simple markup script for IDA. It works like this. You add a comment on the address you are interested in. The comment contains the information you'd like the debugger to report. It supports three different types of information: Register, Operand, and Memory. Registers are self explanatory. Operand allows you to automatically resolve the type of data at that operand. For instance at 0x01011606 the script would understand a pointer is being dereferenced.
Memory allows you to specify a memory address you want to read. Here is an example using the snippet from above.

    .text:01011605 push edi          ; **LA R:eax
    .text:01011606 mov edi, [eax]    ; **LA O:1
    .text:01011608 mov ecx, [edi+4]  ; **LA O:1
    .text:0101160B mov eax, [edi+8]

The comments tell our debugger that we want the contents of eax at 0x01011605, and the second operands at 0x01011606 and 0x01011608. In order to do this we run a script which outputs this into a list we can feed to our debugger. The output of this script follows.

    1011605,r,4,EAX
    1011606,p,4,2
    1011608,o,4,2

Simple enough. But what kind of debugger can actually read this in and give us what we want? I hope by now you've checked out PyDbg, a fully scriptable debugger implemented in Python. A perfect use for this little utility. My PyDbg script will read in this list and set all of our breakpoints. When a breakpoint is hit, it prints the info. Here is our run using the generated list of breakpoints.

    C:\Code\Python\live_analysis>live_analysis.py calc.exe la.conf
    [*] Trying to attach to existing calc.exe
    [*] Attaching to calc.exe (2932)
    [*] Setting bp @ 0x01011605
    [*] Setting bp @ 0x01011606
    [*] Setting bp @ 0x01011608
    [*] 0x01011605 EAX [Reg    ] is 0x7f7b8 [4]
    [*] 0x01011606 2   [Pointer] is 0xa8038 [4]
    [*] 0x01011608 2   [Offset ] is 0x1 [4]

Not bad. Certainly this can help. We can also get more information. Check this out.

    .text:01011605 push edi          ; **LA R:eax,R:ebx,R:ecx,O:0
    .text:01011606 mov edi, [eax]    ; **LA O:1,R:eax,R:edi
    .text:01011608 mov ecx, [edi+4]  ; **LA O:1,O:0,R:ECX

    1011605,r,4,EAX
    1011605,r,4,EBX
    1011605,r,4,ECX
    1011605,r,4,EDI
    1011606,p,4,2
    1011606,r,4,EAX
    1011606,r,4,EDI
    1011608,o,4,2
    1011608,r,4,ECX
    1011608,r,4,ECX

    C:\Code\Python\live_analysis>live_analysis.py calc.exe la.conf
    [*] Trying to attach to existing calc.exe
    [*] Attaching to calc.exe (2188)
    [*] Setting bp @ 0x01011605
    [*] Setting bp @ 0x01011606
    [*] Setting bp @ 0x01011608
    [*] 0x01011605 EAX [Reg    ] is 0x7f7b8 [4]
    [*] 0x01011605 EBX [Reg    ] is 0xa8038 [4]
    [*] 0x01011605 ECX [Reg    ] is 0x7c8099fd [4]
    [*] 0x01011605 EDI [Reg    ] is 0x0 [4]
    [*] 0x01011606 2   [Pointer] is 0xa8038 [4]
    [*] 0x01011606 EAX [Reg    ] is 0x7f7b8 [4]
    [*] 0x01011606 EDI [Reg    ] is 0x0 [4]
    [*] 0x01011608 2   [Offset ] is 0x1 [4]
    [*] 0x01011608 ECX [Reg    ] is 0x7c8099fd [4]
    [*] 0x01011608 ECX [Reg    ] is 0x7c8099fd [4]
    [*] 0x01011605 EAX [Reg    ] is 0x7f7b8 [4]
    [*] 0x01011605 EBX [Reg    ] is 0xb4410 [4]
    [*] 0x01011605 ECX [Reg    ] is 0x7c8099fd [4]
    [*] 0x01011605 EDI [Reg    ] is 0x0 [4]
    [*] 0x01011606 2   [Pointer] is 0xb4410 [4]
    [*] 0x01011606 EAX [Reg    ] is 0x7f7b8 [4]
    [*] 0x01011606 EDI [Reg    ] is 0x0 [4]
    [*] 0x01011608 2   [Offset ] is 0x1 [4]
    [*] 0x01011608 ECX [Reg    ] is 0x7c8099fd [4]
    [*] 0x01011608 ECX [Reg    ] is 0x7c8099fd [4]

With this we can easily pull out interesting information and stay centered in IDA. In the future I will actually call PyDbg from within IDA, thus making it even more simple. There also exists a method for exporting this data to an IDC for loading back in IDA, but it is not on by default. This is because breakpoints can get hit multiple times, and you may not want this to get convoluted. I always want to keep my concentration on IDA. For me it's always difficult to "switch gears" and go into debugger mode. I use this script for quick access to information without having to lose track of what I am currently doing.
I hope this can be of some use to you when reverse engineering. I would love to hear how you personally bridge the static/live analysis gap. I know you can achieve some of this in IDA's debugger; if you do this, hook us up with some scripts or info. Like I have previously stated, one day I'll get used to IDA's debugger. The two scripts in this post have been bundled into live_analysis.zip.
-Cody |
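The post shows the **LA comment markup and the `addr,kind,size,value` list it is turned into, but not the translation rules themselves. The following Python is an added example written for this page, not Cody's IDA script or his PyDbg script: it works on listing text rather than IDA's API, reproduces the conversion the post documents (R:reg becomes an `r` entry, O:n becomes `r` for a register operand, `p` for a plain `[reg]` dereference, and `o` for `[reg+disp]`, with the 1-based operand number as the value), and reads the resulting list back the way a debugger-side script would. Treating an M:addr entry as kind `m`, the 4-byte default size, and the sample listing are assumptions; the addresses and instructions are the ones from the post.

```python
import re

# Constructed sample input: an IDA-style listing carrying **LA markup, using the
# calc.exe addresses and instructions shown in the post.
SAMPLE_LISTING = """\
.text:01011605 push edi ; **LA R:eax,R:ebx,O:0
.text:01011606 mov edi, [eax] ; **LA O:1,R:eax
.text:01011608 mov ecx, [edi+4] ; **LA O:1,O:0
.text:0101160B mov eax, [edi+8]
"""

# 32-bit general-purpose registers; every item in the post is reported 4 bytes wide.
GP_REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
REG_SIZE = 4

# ".text:ADDR mnemonic operands ; **LA spec,spec,..." (the comment part is optional)
LINE_RE = re.compile(
    r"^\.\w+:([0-9A-Fa-f]+)\s+(\w+)\s*(.*?)\s*(?:;\s*\*\*LA\s+(\S+))?\s*$"
)
# "[reg]" (pure dereference) or "[reg+disp]" / "[reg-disp]" (base plus offset)
MEM_RE = re.compile(r"^\[(\w+)(?:\s*([+-])\s*[0-9A-Fa-f]+h?)?\]$")


def classify_operand(index, operand):
    """Resolve the O:n markup for operand text at 0-based position `index`.

    Returns (kind, value):
      'r' - plain register, value is the register name
      'p' - pure dereference [reg], value is the 1-based operand number
      'o' - register plus displacement, value is the 1-based operand number
    Immediates and other forms are rejected; this hypothetical version only
    covers the operand shapes the post demonstrates.
    """
    if operand.lower() in GP_REGS:
        return "r", operand.upper()
    m = MEM_RE.match(operand)
    if m:
        return ("p" if m.group(2) is None else "o"), str(index + 1)
    raise ValueError("unsupported operand form: %r" % operand)


def markup_to_breakpoints(listing):
    """Turn **LA comments into 'addr,kind,size,value' lines (the la.conf format)."""
    lines = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(4) is None:
            continue  # not a listing line, or no markup on it
        addr = int(m.group(1), 16)
        operands = [op.strip() for op in m.group(3).split(",")] if m.group(3) else []
        for spec in m.group(4).split(","):
            tag, _, arg = spec.partition(":")
            tag = tag.upper()
            if tag == "R":
                kind, value = "r", arg.upper()
            elif tag == "O":
                kind, value = classify_operand(int(arg), operands[int(arg)])
            elif tag == "M":
                kind, value = "m", arg  # assumed encoding for a raw memory read
            else:
                raise ValueError("unknown markup tag: %r" % tag)
            lines.append("%x,%s,%d,%s" % (addr, kind, REG_SIZE, value))
    return lines


KIND_LABEL = {"r": "Reg", "p": "Pointer", "o": "Offset", "m": "Memory"}


def parse_breakpoint_list(lines):
    """Read la.conf lines back into (addr, kind, size, value) tuples, the shape a
    debugger-side script needs before it can set breakpoints and report values."""
    out = []
    for line in lines:
        addr, kind, size, value = line.strip().split(",")
        if kind not in KIND_LABEL:
            raise ValueError("unknown breakpoint kind: %r" % kind)
        out.append((int(addr, 16), kind, int(size), value))
    return out


if __name__ == "__main__":
    conf = markup_to_breakpoints(SAMPLE_LISTING)
    print("\n".join(conf))
    for addr, kind, size, value in parse_breakpoint_list(conf):
        print("[*] would set bp @ 0x%08x for %s [%-7s] (%d bytes)"
              % (addr, value, KIND_LABEL[kind], size))
```

Running the block prints the same seven-line list the post's generator would produce for that markup; the breakpoint-setting and value-reading half is left to the debugger script, since reading registers and memory needs a live process.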
How Sarah got her hack on [Errata Security] Posted: 18 Sep 2008 01:36 PM CDT When McCain chose Palin as his running mate, the US Secret Service descended upon her home in Wasilla, Alaska. They set up a perimeter around her house with 24 hour surveillance. They set up alarm equipment. They might've installed bullet proof windows. But they ignored her computer. And she got hacked. The news reports speak about shadowy cabals of hackers performing mysterious rites to break into her computer. It was much simpler than that. Her "secret question" to reset a lost password was "Where did you meet your spouse?". The secret answer was an easily guessed "Wasilla high". The "hacker" saw the e-mail address "gov.sarah@yahoo.com" appear in a Washington Post story about the Governor. He tried the password recovery tool and found the question. He googled for information about the answer. After a few tries like "high school" he finally got the right one, "Wasilla high". This is an obvious flaw that most people have with their accounts. Look at your friends' e-mails from services like Yahoo and Google. Go to the logon page, click on something about a "lost password", and check out their secret question. Chances are good that you can figure out the answer. Checking out their question isn't illegal, but successfully guessing the answer might be. This was how Paris Hilton got her account hacked. Her secret question was "What's your favorite pet's name?". The answer, Tinkerbell, was prominently in the news, so pretty much everyone knew the secret answer. After calling the Secret Service to get them to protect the VP nominee, the first thing McCain should have done is call a cybersecurity consultancy (like Errata Security) to protect her computer and online accounts. Fixing the "secret question" would have been the first thing we did. This would be followed by changing all her passwords, especially fixing the fact that she probably uses the same password for all her accounts.
Next, we would have fixed her home network, especially the insecure WiFi setup she probably has. We would have scanned her computer to see if she were already infected with malware/bots, and then reconfigured her (and her family's) computers so that they couldn't accidentally be infected. We would have made sure that all appropriate data was encrypted, and that she could access her accounts in an encrypted fashion (to avoid pesky things such as Sidejacking). Depending on how paranoid the campaign wanted us to be, we probably would have just backed up everything and wiped all her computers and rebuilt them from the ground up to be secure. We also would have educated her on cybersecurity. The reason that Gov. Palin was using Yahoo mail to begin with is probably because she found it inconvenient using the VPN software to logon to her office e-mail. We see that a lot in business: people use private e-mail services like Yahoo and Gmail to carry out corporate activities because they are annoyed with how their own computer staff have things set up. Yet, your computer people set things up this way precisely because there are obvious things that hackers can do to break into your data, such as guessing a poorly chosen "secret" question. It would be harsh to judge Gov. Palin as being stupid about cybersecurity. The risks she chose could be appropriate for a private citizen not in the spotlight. However, those risks changed the moment she became a VP candidate - her cybersecurity was not adequate to defend against the heightened hacking threat. BTW, most of us at Errata Security are a bit to the right of the political spectrum. Go McCain/Palin! PS: Yahoo Mail will give your secret question to anybody who asks for it. Gmail will only give out your secret question after 5 days of inactivity on the account. Yet again this shows why Gmail is more secure than Yahoo Mail. |
No Firefox EULA screen on Linux [Robert Penz Blog] Posted: 18 Sep 2008 01:10 PM CDT Today the Mozilla Foundation announced that there will be no EULA screen on Linux. Take a look at this post for details. It seems that our protest helped to convince them to remove that idea from the table. |
Reminder: Catalyst Live! Talkcast tomorrow, 2pm ET [The Security Catalyst] Posted: 18 Sep 2008 10:00 AM CDT I take the stage today to share some insights on "Awareness that Works" - live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast: Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call. I'll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation! Join In! Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client. To listen and join in – including to ask questions and engage in the conversation, launch your browser and click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET. Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233. |
So Logically, If She Weighs The Same As A Duck…She’s A Witch! [RiskAnalys.is] Posted: 18 Sep 2008 09:59 AM CDT I usually try to stay far away from politics and current events, but my friend Rich has put up a blog post blaming the credit crisis on quantitative analysis, and then positing that because the economy sucks, Information Security should be only qualitative. Now I’ve been “accused” of being a quant in the past (hi rybolov!) but in reality the only dogs I have in this fight are the model and the application of scientific method - and really, ethically speaking, I have to be tied to the latter while applying the former. And I see a false dichotomy in this whole Quant vs. Qual thing. We, as a profession, tend to create a political divide between the two which, if it even exists, I’d say is based more on our ignorance rather than our expertise. After all, we are the profession that regularly multiplies across ordinal scales and uses wonderful models like R=VxTxI. As someone learning to deal in probabilities and rationalism, I have to recognize that this discussion is really just about the act of observation using different metrics of measurement. But how we’re going about observing does not change the fact that there is measurement based on observation. So if I’m working with you I can easily turn your qualitative scale into a quantitative one, and vice-versa. Yes, Shrdlu, if we had the time, even your most seemingly Qual things could be Quant! (This flexible world view, btw, is an outcome of that new-fangled Bayesian thing). COGNITIVE BIAS A-PLENTY But back to what Rich is saying there about information security and risk - and he isn’t/won’t be the only one saying these sorts of things - we should try to understand what’s really going on rather than get caught up in the emotional hurricane. Our profession suffers several forms of cognitive bias. 
The nature of our jobs and what we do can cause us to be focused on the outcome and not the quality of the decision at the time it was made. We want to bring in things from other professions that are useful, but at times we do view things outside our profession with false correlation to our own (unfortunately for those who write these sorts of articles, financial risk is completely different than operational risk). We also have the tendency to focus on negative outcomes without acknowledging the positive outcomes (For example, I hear that Alan Greenspan's new firm is up a couple of $billion in all this mess since he joined them, short sellers are doing quite well - must be because they have qualitative models or something -grin-). The effect of these biases is compounded by the facts that proper correlation takes more work than we usually give it, and rational thought is not that easy when there's a witch-hunt mentality. WHAT SHOULD WE BE THINKING ABOUT? So as you and I read opinions that seem to be the polar opposite of irrational exuberance (and there will be plenty between now and the election) we'll have to ask ourselves, "what really failed here?" At the risk (pun) of over-simplification:
After all, Probability Science like all other fields of knowledge is always “advancing” as they say. So perhaps probability theory is wrong somehow? I’m personally disinclined to put the blame here, primarily because I would think that there would be evidence from other fields (like Quantum Mechanics) that something is amiss waaaaay before it hit a field like economics.
Some people who understand real estate valuation and complex derivatives and financial risk want to put the blame here. It’s a little too early to tell, but one thing is for sure - Financial risk is so different from operational risk I couldn’t begin to hazard an opinion on the subject. But it would seem that this is really somewhere we might look.
Honestly? I find it extremely difficult to understand how this could be the source of financial ruin.
What if all of the above were just fine, and the decision maker chose short term gain over long term stability? What if this was (to simplify the matter greatly) a choice of "heads" over "tails" and the coin landed on tails? What if the model represented the right risk (probability of negative outcome vs. positive outcome), but the complex derivative was sold to someone else who had poor "risk management" (ability to make good decisions)? Now I have no clue about complex derivatives, and I'm oversimplifying to be sure - chances are, like most things, there are several problems that helped create the primary cause. But it seems to me that as we go into incident response mode for the economy, it's more helpful to do so in a rational, logical manner. Consider the Source: I'm far from certain and subject to change, but these days I lean towards Robin Hanson & Michael Lewis with regards to placing blame. |
Is Nortel next? [StillSecure, After All These Years] Posted: 18 Sep 2008 09:09 AM CDT Story over at C/Net highlights that long troubled networking and telecommunications gear maker Nortel is again suffering. They are slashing their outlook and guidance and have announced that they will be looking to sell some business units. Could this be the beginning of the end for Nortel? Are they the next bailout candidate? Maybe Canada can bail them out. So, who will take on Cisco? Juniper seems to be gearing up. Sometimes I think if you took the next 3 or 4 network gear vendors and lumped them together, you might have a real Cisco killer. Until then there is not much on the horizon that will change the status quo on the network gear market. |
Two weeks until PCI 1.2! [Branden Williams' Security Convergence Blog] Posted: 17 Sep 2008 05:14 PM CDT While the official release does not happen until two weeks from today, many key stakeholders now have a copy of the pre-release version. What can you expect? You can expect THIS blogger to honor his NDA! Seriously though, are you ready? Version 1.1 has been around for over two years now (birthday was September 7, 2006), and by now you should have been able to validate as compliant to that version of the standard. If you are still struggling with 1.1, there is good news along with the bad. The bad news is that in some cases your remediation targets may have shifted slightly in one direction. This will apply to you if you have been doing the absolute bare minimum to comply. VeriSign advises our customers to use PCI as a baseline, and pick certain areas to exceed in so that minor adjustments to the standard will not affect you. I'm pleased to say that our recommendations have been on track. The good news is that some requirements have been altered to more closely match existing risk management procedures. The bad news here is there is some room for interpretation (as always), that may once again cause some QSAs consternation. Sorry, I meant to say, cause some QSA's customers consternation. For those of you heading to the PCI Community Meeting in Orlando next week, please stop by our booth! We'll have a few leaders in our PCI consulting practice available to chat with you! |
Posted: 17 Sep 2008 05:13 PM CDT Eric Savitz at Barrons writes that eBay's (EBAY) business is "deteriorating" and is preparing big layoffs (like: 1500-employees big). Ina Steiner seems to agree, pointing out that "Meg Whitman and her inner circle of top executives are gone" --to which I say: good. And not a moment too soon. eBay is now a complete, unmitigated disaster zone:
Hat tip: Techmeme |
"Americans' fear of a terrorism could create a mass outbreak of a psychosomati..." [Security Circus] Posted: 17 Sep 2008 02:48 PM CDT Americans' fear of a terrorism could create a mass outbreak of a psychosomatic illness -- even in the absence of any real attack -- creating a fake epidemic that could overwhelm hospitals attempting to treat real victims. –Terrorism Fear Could Create Psychosomatic Epidemic |
Confusion and Delay [Room362.com] Posted: 17 Sep 2008 08:55 AM CDT Due to a PEBKAC error with the ID 10 T, I have had to retype parts 2 and 3, which were ready to go out the door. In the mean time while I fix myself, here are a couple sites that can keep you busy: Search google for exploits: Watch just about any TV show (and some movies) online: Play any NES game online: Start a blog without any signup?
Security Roundtable for September 13 [The Security Catalyst] Posted: 17 Sep 2008 06:30 AM CDT Martin McKeay and I are evolving the Security Roundtable: we'll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we'll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static "panel" of people, we're exploring more voices, shorter segments and more interaction. We'd love to know what you think, what you want to hear and if you want to be involved. While we consider this recording to be an experiment, it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program. Our rules are/were simple: no sales pitch. Marc didn't need the rules – he's got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions. Security Roundtable for September 13th, 2008 The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT. I'll be in Las Vegas – so for me, it will actually be nice and early (and I'll find some Mountain Dew before we start – MD should sponsor me!). |
Reminder: OWASP NYC AppSec 2008 Infosec Conference Event - Next Week [NovaInfosecPortal.com] Posted: 16 Sep 2008 11:17 PM CDT Just a quick reminder that the OWASP NYC AppSec 2008 infosec conference event is next week. The agenda and speakers are ready and they've even made a recent venue change to the Park Central New York Hotel to accommodate more people. Unfortunately, we won't be able to make it this year, but we'll be scanning the blogosphere for updates and announcements. See our original post for more information about this conference. |
Posted: 16 Sep 2008 08:53 PM CDT Here is some information regarding this week’s Thursday ISSA - NoVA Chapter infosec meetup event. There seems to be lots of SCAP related training going on lately; the following week NIST is holding their IT Security Automation Conference, which seems to focus on SCAP as well.
For more information on the ISSA - NoVA Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup. |