The return of the Exploring Information Security podcast

A year ago, I started an information security podcast that explores different topics and disciplines within the field. I stopped producing the podcast because I had too many things going on at the time and my final year of school was about to start. I was overwhelmed and that was an easy project to stop doing. A year later and I've found myself with more time and a desire to continue the project I started a year ago.

This week I have two interviews lined up with more expected in the coming weeks. My plan is to launch in early August. I will be putting the first three episodes I did last year up on iTunes and then begin releasing the episodes weekly. All seven episodes I did last year can be found at http://www.timothydeblock.com/eis/. I will continue to release episodes there, as well as on your favorite podcast directory.

What I learned about information security in 2014

PVCSec Podcast logo

PVCSec Podcast logo

On New Years Eve the PVC Security podcast had a very impromptu recording session. We decided, on Twitter, five hours before the New Year to record our weekly podcast and discuss what we learned about security in 2014. I was hosting a party at the exact same time of the recording so I didn’t pipe in with what I learned in security last year, so instead I’ll write about it here.

The biggest thing I learned about security in 2014 is that it’s very important to have a solid background in IT. Understanding how a network is put together and how computers and servers work goes a long way in helping to secure them.

It is also extremely helpful in getting security implemented in an organization. Implementing security should not be about telling people their systems or applications are broken and that THEY need to go fix them. It should be about working together to finding the best most secure way of doing things. Understanding the limitations of a network, computer or server is going to help in finding the best solution to an insecure problem.

 KONICA MINOLTA DIGITAL CAMERA

I’ve been working in information technology since 2002. I’ve done everything from moving phone lines to pulling cable to soldering to workstation troubleshooting to inventorying to server management to network management to now security. I’ve got a very broad IT background and I’m starting to realize that it is helping me become a good security professional. That’s not to say that one can’t jump into security or take another route to security, but I think I’ve benefited from having experience in the areas that I now find myself trying to secure and keep secure.

Happy New Year! I am looking forward to all the new things I will learn in 2015.

Hacking infosec links December 29, 2014

Hacker Lexicon: What Is an Air Gap? - Kim Zetter - WIRED

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

Hacker Lexicon: What Is a Backdoor? - Kim Zetter - WIRED

Generally this kind of backdoor is undocumented and is used for the maintenance and upkeep of software or a system. Some administrative backdoors are protected with a hardcoded username and password that cannot be changed; though some use credentials that can be altered. Often, the backdoor’s existence is unknown to the system owner and is known only to the software maker. Built-in administrative backdoors create a vulnerability in the software or system that intruders can use to gain access to a system or data.

Marketing Just Isn't Ready for Hackers - Peter Herzog - Dark Matters

The infosec staff that came through had been talking about it being a potential toehold in the company to reach other systems. But when they saw the compromises didn’t go further than a few servers in marketing, they concluded it was just an employee who brought the infection in from home and that they caught it in time.

But did they?

Policed infosec links December 24, 2014

Pirate Bay Has Been Raided and Taken Down: Here's What We Know - Kim Zetter - WIRED

“There were a number of police officers and digital forensics experts there. This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many,” Swedish prosecutor Fredrik Ingblad told Radio Sweden.

The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users - Kevin Poulsen - WIRED

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of  suspects hiding behind the Tor anonymity network.

The Limits of Polic Subterfuge - Bruce Schneier - Schneier on Security

The facts are these. In June, Two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

More on the Experian breach

On Saturday I posted about Experian's breach of costumer data not being the hack that the media seems to think it is. It's actually much worse than that. Apparently, I wasn't alone in identifying the inaccuracies of the Experian breach and Experian themselves went to set the record straight. Except they really didn't, and Brian Krebs broke their statements with factual information.

If you liked Krebs article, then I would suggest reading the post he did last month that looked at whether or not credit monitoring services are really worth it. Even if you don't use a credit monitoring service, there are some good tips on how to protect yourself from identity theft in the article.

And in-case you're wondering who Brian Krebs is, he's kind of a big deal. Sony pictures is planning on making a movie about Brian Krebs' life.