Network Security Podcast

The Network Security Podcast, Episode 161

By Rich

This week we wrap up our coverage of Defcon and Black Hat with a review of some of our favorite sessions, followed by a couple quick news items. But rather than a boring after-action report, we enlisted Chris Hoff to provide his psychic reviews. That's right, Chris couldn't make the event, but he was there with us in spirit, and on tonight's show he proves it. Chris also debuts his first single, "I Want to Be a Security Rock Star". Your ears will never be the same.

Network Security Podcast, Episode 161; Time: 41:22

Show Notes

• Chris Hoff's Psychic Review
• Fake ATM discovered at DefCon.
• Korean intelligence operatives pretending to be journalists at Black Hat?
• Cloud Security Podcast with Chris Hoff and Craig Balding
• Tonight's Music: I Want to Be a Security Rock Star

–Rich

The Network Security Podcast, Episode 156

By Rich

Martin is off in Japan this week, so I’m joined by our good friend Amrit Williams from BigFix and the Techbuddha blog. Amrit and I start off by talking about the rolling blackouts in California and disaster preparedness, before jumping into the week’s security news.

Network Security Podcast, Episode 156
Time:  41:28

Show Notes:

• The New York Times and Wikipedia censor reports of a captured reporter to protect him.
• Dave Shackleford on 10 things your auditor doesn’t want you to know.
• Trojan steals FTP credentials
• Juniper pulls ATM hacking talk from Black Hat
• Most systems have unpatched software. Is anyone surprised?
• Tonight’s Music:  Since I haven’t figured out how to get the podcasting rights to Jimmy Buffett’s entire collection, there’s no music for tonight’s close.

–Rich

Friday Summary: June 26, 2009

By Rich

Yesterday I had the opportunity to speak at a joint ISSA and ISACA event on cloud computing security down in Austin (for the record, when I travel I never expect it to be hotter AND more humid than Phoenix).

I'll avoid my snarky comments on the development and use of the term "cloud", since I think we are finally hitting a coherent consensus on what it means (thanks in large part to Chris Hoff). I've always thought the fundamental technologies now being lumped into the generic term are extremely important advances, but the marketing just kills me some days.

Since I flew in and out the same day, I missed a big chunk of the event before I hopped on stage to host a panel of cloud providers -- all of whom are also cloud consumers (mostly on the infrastructure side). One of the most fascinating conclusions of the panel was that if the data or application is critical, don't send it to a public cloud (private may be okay). Keep in mind, every one of these panelists sells external and/or public cloud services, and not a single one recommended sending something critical to the cloud (hopefully they're all still employed on Monday). By the end of a good Q&A session, we seemed to come to the following consensus, which aligns with a lot of the other work published on cloud computing security:

• In general, the cloud is immature. Internal virtualization and SaaS are higher on the maturity end, with PaaS and IaaS (especially public/external) on the bottom. This is consistent with what other groups, like the Cloud Security Alliance, have published.
• Treat external clouds like any other kind of outsourcing -- your SLAs and contracts are your first line of defense.
• Start with less-critical applications/uses to dip your toes in the water and learn the technologies.
• Everyone wants standards, especially for interoperability, but you'll be in the cloud long before the standards are standard. The market forces don't support independent development of standards, and you should expect standards-by-default to emerge from the larger vendors. If you can easily move from cloud to cloud it forces the providers to compete almost completely on price, so they'll be dragged in kicking and screaming. What you can expect is that once someone like Amazon becomes the de facto leader in a certain area, competitors will emulate their APIs to steal business, thus creating a standard of sorts.
• As much as we talk SLAs, a lot of users want some starting templates. Might be some opportunities for some open projects here.

I followed the panel with a presentation -- "Everything You Need to Know About Cloud Security in 30 Minutes or Less". Nothing Earth-shattering in it, but the attendees told me it was a good, practical summary for the day. It's no Hoff's Frogs, and is more at the tadpole level. I'll try and get it posted on Monday.

And one more time, in case you wanted to take the Project Quant survey and just have not had time: Stop what you are doing and hit the SurveyMonkey. We are over 70 responses, and will release the raw data when we hit 100.

-Rich

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences

• Rich provides a quote on his use of AV for CSO magazine
• Rich & Martin on the Network Security Podcast #155.
• Rich hosted a panel and gave a talk at the Austin ISSA/ISACA meeting.
• Rich was quoted on database security over at Network Computing.

Favorite Securosis Posts

• Rich: Cyberskeptic: Cynicism vs. Skepticism. I've been addicted to The Skeptics' Guide to the Universe podcast for a while now, and am looking for more ways to apply scientific principles to the practice of security.
• Adrian: Rich's post on How I Use Social Media. I wish I could say I understood my own stance towards these media as well as Rich does. Appropriate use was the very subject Martin McKeay and I discussed one evening during RSA, and neither of us were totally comfortable for various reasons of privacy and paranoia. Good post!

Other Securosis Posts

• You Don't Own Yourself
• Database Patches, Ad Nauseum
• Mike Andrews Releases Free Web and Application Security Series
• SIEM, Today and Tomorrow
• Kindle and DRM Content
• Database Encryption: Fact vs. Fiction

Project Quant Posts

• Project Quant: Deploy Phase
• Project Quant: Create and Test Deployment Package
• Project Quant: Test and Approve Phase

Favorite Outside Posts

• Adrian: Adam's comment in The emergent chaos of fingerprinting at airports post: '... additional layers of "no" will expose conditions unimagined by their designers'. This statement describes most software and a great number of the processes I encounter. Brilliantly captured!
• Rich: Jack Daniel nails one of the biggest problems with security metrics. Remember, the answer is always 42-ish.

Top News and Posts

• TJX down another $9.75M in breach costs. Too bad they grew, like, a few billion dollars after the breach. I think they can pull $9.75M from the "need a penny/leave a penny" trays at the stores.
• Boaz talks about how Nevada mandates PCI -- even for non-credit-card data. I suppose it's a start, but we'll have to see the enforcement mechanism. Does this mean companies that collect private data, but not credit card data, have to use PCI assessors?
• The return of the all-powerful L0pht Heavy Industries.
• Microsoft releases a Beta of Morro- their free AV. I talked about this once before.
• Lori MacVittie on clickjacking protection using x-frame-options in Firefox. Once we put up something worth protecting, we'll have to enable that.
• German police totally freak out and clear off a street after finding a "nuke" made by two 6-year-olds.
• Critical Security Patch for Shockwave.
• Spam 'King' pleads guilty.
• Microsoft AntiVirus Beta Software was announced, and informally reviewed over at Digital Soapbox.
• Clear out of business, and they're selling all that biometric data.

Blog Comment of the Week

This week's best comment comes from Andrew in response to Science, Skepticism, and Security:

I'd love to see skepticism applied to the wide range of security controls that are proposed. Not that I believe they are wrong; but I suspect many don't really matter very much. If we can establish from evidence what controls have a significant impact, we can make much better use of our security budgets.

–Rich

Mildly Off Topic: How I Use Social Media

By Rich

This post doesn't have a whole heck of a lot to do with security, but it's a topic I suspect all of us think about from time to time.

With the continuing explosion of social media outlets, I've noticed myself (and most of you) bouncing around from app to app as we figure out which ones work best in which contexts, and which are even worth our time. The biggest challenge I've found is compartmentalization -- which tools to use for which jobs, and how to manage my personal and professional online lives. Again, I think it's something we all struggle with, but for those of us who use social media heavily as part of our jobs it's probably a little more challenging.

Here's my perspective as an industry analyst. I really believe I'd manage these differently if I were in a different line of work (or with a different analyst firm), so I won't claim my approach is the right one for anyone else.

Blogs: As an analyst, I use the Securosis blog as my primary mechanism for publishing research. I also think it's important to develop a relationship (platonic, of course) with readers, which is why I mix a little personal content and context in with the straighter security posts. For blogging I deliberately use an informal tone which I strip out of content that is later incorporated into research reports and such.

Our informal guidelines are that while not everything needs to be directly security related, over 90% of the content should be dedicated to our coverage areas. Of our research content, 80% should be focused on helping practitioners get their jobs done, with the remaining 20% split between news and more forward-looking thought leadership. We strive for a minimum of 1 post a day, with 3 "meaty" content posts each week, a handful of "drive-by" quick responses/news items a week, and our Friday summary. Yes, we really do think about this stuff that much.

I don't currently have a personal blog outside of the site due to time, and (as we'll get to) Twitter takes care of a lot of that. I also read a ton of other blogs, and try to comment and link to them as much as possible.

I also consider the blog the most powerful peer-review mechanism for our research on the face of the planet. It's the best way to be open and transparent about what we do, while getting important feedback and perspectives we never could otherwise. As an analyst, it's absolutely invaluable.

Podcasts: My primary podcast is co-hosting The Network Security Podcast with Martin McKeay. This isn't a Securosis-specific thing, and I try not to drag too much of my work onto the show. Adrian and I plan on doing some more podcasts/webcasts, but those will be oriented towards specific topics and filling out our other content. Running a regular podcast is darn hard. I like the NetSecPodcast since it's more informal and we get to talk about any off the wall topic (generally in the security realm) that comes to mind.

Twitter: After the blog, this is my single biggest outlet. I initially started using Twitter to communicate with a small community of friends and colleagues in the Mac and security communities, but as Twitter exploded I've had to change how I approach it. Initially I described Twitter as a water cooler where I could hang out and chat informally with friends, but with over 1200 followers (many of them PR, AR, and other marketing types) I've had to be a little more careful about what I say.

Generally, I'm still very informal on Twitter and fully mix in professional and personal content. I use it to share and interact with friends, highlight some content (but not too much, I hate people who use Twitter only to spam their blog posts), and push out my half-baked ideas. I've also found Twitter especially powerful to get instant feedback on things, or to rally people towards something interesting. I really enjoy being so informal on Twitter, and hope I don't have to tighten things down any more because too many professional types are watching.

It's my favorite way to participate in the wider online community, develop new collaboration, toss out random ideas, and just stay connected with the outside world as I hide in my home office day after day. The bad side is I've had to reduce using it to organize meeting up with people (too many random followers in any given area), and some PR types use it to spy on my personal life (not too many; some of them are also in the friends category, but it's happened).

The @Securosis Twitter account is designed for the corporate "voice", while the @rmogull account is my personal one. I tend to follow people I either know or who contribute positively to the community dialog. I only follow a few corporate accounts, and I can't possibly follow everyone who follows me. I follow people who are interesting and I want to read, rather than using it as a mass-networking tool. With @rmogull there's absolutely no split between my personal and professional lives; it's for whatever I'm doing at the moment, but I'm always aware of who is watching.

LinkedIn: I keep going back and forth on how I use LinkedIn, and recently decided to use it as my main business networking tool. To keep the network under control I generally only accept invitations from people I've directly connected with at some point. I feel bad turning down all the random connections, but I see social networks as having power based on quality rather than quantity (that's what groups are for). Thus I tend to turn down connections from people who randomly saw a presentation or listened to a podcast. It isn't an ego thing; it's that, for me, this is a tool to keep track of my professional network, and I've never been one of those business card collectors.

Facebook: Facebook is the toughest one of the bunch since it is a cross between Twitter, LinkedIn, Flickr, and so on. I very recently decided that Facebook is best for my friends and family, and thus I don't link in professional contacts that aren't also in that group. I like being able to keep in touch with people from back in high school, and the kinds of things they are interested in are very different than the people I meet in the security and Mac communities. Again, it isn't an ego thing, but we all have different communities of people we interact with and I think it's completely appropriate to have different outlets for each of them.

IM/Skype: This isn't social networking per se, but I leave them running as much as I can. I think they're great for private conversations.

MySpace, Photo Sites, and Other Outlets: I tend not to use too many other social media outlets -- between the blog, Twitter, Facebook, podcasts, and LinkedIn I can connect with nearly anyone in some sort of appropriate context. I do use a photo sharing mechanism, but that's very personal and I don't make it public. I have a MySpace account, which I never use since Facebook is more prevalent with the people I know. I'm debating linking to others with TripIt, and may limit that tightly to people I might actually want to see when our travel overlaps. I feel like I'm missing something, but can't think of what it is.

And that's it. My personal perspective is that the power of my social networks is in quality and correct context over quantity. I try and pick the right tools for the right job and community. If I were to break it out, the blog is our newsletter and peer review for our research, Twitter is the water cooler, IM is sticking my head in someone's office, LinkedIn is a rolodex and context/community Q&A mechanism, and Facebook is for keeping in touch with geographically dispersed friends and family. I also don't believe in manipulating social media -- I try to use it as honestly and openly as possible, rather than as a marketing tool. Yes, it probably builds my brand, but that's not what I'm thinking about when I fake-live-tweet the latest Star Trek, call for feedback on my latest wacky research idea, or write uninteresting dribble like this post.

–Rich

The Network Security Podcast, Episode 151

By Rich

We probably more the doubled the number of stories we talked about this week, but we only added about 8 minutes to the length of the podcast. You can consider this the "death by a thousand cuts" podcasts as we cover a string of shorter stories, ranging from a major IIS vulnerability, through breathalyzer spaghetti code, to how to get started in security.

We also spend a bit of time talking about Black Hat and Defcon, and celebrate hitting 500,000 downloads on episode 150. Someone call a numerologist!

Network Security Podcast, Episode 151, May 19, 2009

Show Notes:

• Breathalyzer source code released as part of a DUI defense... and it's a mess.
• A DHS system was hacked, but only a little information made it out.
• Secret questions for password resets are often weaker than passwords, and easy to guess.
• Does tokenization solve anything? Yep.
• Kaspersky finds malware installed on a brand new netbook.
• Malware inserts malicious links into Google searches.
• Google Chrome was vulnerable to Safari Pwn2Own bug. Both are WebKit-based, so we shouldn't be too surprised.
• Information on the IIS 6 vulnerability/0day.
• How to get started in information security by Paul Asadoorian.
• Tonight's Music: Liberate Your Mind by The Ginger Ninjas

–Rich

The Network Security Podcast Hits Episode 150 and 500K Downloads

By Rich

I first got to know Martin McKeay back when I started blogging. The Network Security Blog was one of the first blogs I found, and Martin and I got to know each other thanks to blogging. Eventually, we started the Security Blogger's Meetup together. After I left Gartner, Martin invited me to join him as a guest-host on the Network Security Podcast, and it eventually turned into a permanent position. I've really enjoyed both podcasting, and getting to know Martin better as we moved from acquaintances to friends.

Last night was fairly monumental for the show and for Martin. We recorded episode 150, and a few hours later hit 500,000 total downloads. No, we didn't do anything special (since we're both too busy), but I think it's pretty cool that some security guy with a computer and a microphone would eventually reach tens of thousands of individuals, with hundreds of hours of recordings, based on nothing more than a little internal motivation.

Congratulations Martin, and thanks for letting me participate.

Now on to the show:

This is one of those good news/bad news weeks. On the bad side, Rich messed up and now has to retake an EMT refresher course, despite almost 20 years of experience. Yes, it's important, but boy does it hurt to lose 2 full weekends learning things you already know. On the upside, this is, as you probably noticed from the title of the post, episode 150! No, we aren't doing a 12 hour podcast like Paul and Larry did (of PaulDotCom Security Weekly), but we do have the usual collection of interesting security stories.

Network Security Podcast, Episode 15, May 12, 2009

Time: 38:18

Show Notes

• UC Berkeley loses 160K healthcare records.
• Most people think they will be hacked. Duh.
• Heartland spends $12.6M on breach response. Possibly half going to MasterCard fines.
• Rich debuts the Data Breach Triangle, which Martin improves.
• Tonight's Music: Neko Case with People Got a Lotta Nerve. Who knew Neko Case had a podsafe MP3 available?

–Rich

Friday Summary: May 1, 2009

By Rich

Sometimes the most energizing thing you can do is absolutely nothing.

Last week at RSA was absolutely insane, in a good way. It's kind of like being a kid and going to summer camp. You get to see all the friends who live in other towns, you all go nuts for a week with minimal supervision, and then everyone staggers home all excited. Between the Recovery Breakfast, 4 official RSA panels, a Jericho panel, my 160+ slide Friday morning session with Chris Hoff, and the nonstop speed-dating during the day, and parties at night, I should really be in much worse shape. But I found this year's RSA to be incredibly motivating on multiple levels.

First, I think this is absolutely one of the best times to be in information security. Yes, major crap is hitting the fan all over the place, including massive national security, financial, and infrastructure breaches, but security is also hitting the front pages and reaching into the common consciousness. This is exactly the kind of environment true security professionals thrive on -- with challenges and opportunities on all sides. As someone who loves the practice and theory of security, I find these challenges to be absolutely energizing and I wouldn't want to be doing anything else. Well, except for maybe being an astronaut.

Next, RSA was extremely motivating from a corporate standpoint. I won't say much, but it validated what we're trying to do, and how we are positioning ourselves.

Finally, it was a very motivating week on a personal level. I used to have friends at work, and acquaintances in the industry. But these days I find some of my closest friends are scattered throughout the world in different jobs. I realized I spend more time interacting with many of you than I do with my local 'meatspace' friends outside of the industry. I especially appreciated the group that took me out for my birthday on Monday night -- it really eased the pain of spending yet another family event away from my wife and (new) daughter.

After RSA I took 4 days off, and the combination of intensity followed by relaxation was a major recharge, but didn't leave me much content for this week's summary. Except stay away from, like, every Adobe product on the planet since they are all full of 0days.

One reminder -- if you'd like to get our content via email instead of RSS, please head over and sign up for the Daily Digest (it goes out every night). We're also thinking of creating a Friday Summary-only version, so let us know if that would be of interest.

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences

• Martin and Rich on the weekly Network Security Podcast.
• I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (all about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It's all objective stuff, and cut-down versions of our more extensive materials.
• I show up in the Sydney Morning Herald, based on some TidBITS/Mac writing.
• Speaking of TidBITS, I wrote up some thoughts on how to read Mac security articles.
• I was quoted in a TechTarget article on cloud computing, based on my involvement in the Jericho panel.

Favorite Securosis Posts

• Rich: The latest Project Quant post -- we really need your feedback on the patch management cycle!
• Adrian: Rich's post on the Security Industry Anti-Disambiguation Movement. Having watched this first-hand at a couple of startups, I know how well the mere mention of a competing technology by one of the major competitors could halt your POC process in an instant.

Favorite Outside Posts

• Adrian: Favorite external was Greg Young's comment on Becoming the Threat ... An excellent analysis of something we see in society, and certainly something that is a problem here in Phoenix. Oddly, this is something I do NOT see with most corporate IT. Why is that?
• Rich: Chris Eng's Decoding the Verizon DBIR 2009 Cover. Very cool.

Top News and Posts

• Joint Strike fighter plans nicked. Will someone in charge WAKE THE FUCK UP!
• Good: Microsoft removes 'AutoRun' option for Memory sticks.
• Bad: Pushing 8 out through auto-update? What if I don't want it?
• Targetted worms and banking scams.
• Adobe is having a seriously bad run. More 0days.
• Interesting take on WAF+VA.
• The Black Hat call for papers is extended.

Blog Comment of the Week

This week's best comment was from Ant in response to Rich's post on Security Industry Disambiguation Movement.

Well I mint not have chosen those terms, but I personally* fully endorse the sentiment!

A different problem arises where a perfectly serviceable term is pressed into use in several different but not wholly dissimilar markets, leading to ambiguity and confusion -- e.g., identity management, policy management. So... it's not strictly anti-disambiguation, but it some vendors are guilty of disingenuously using a term which doesn't apply to them in their market.

-- Ant

* i.e., this is not (necessarily) the official view of my employer.

–Rich

The Network Security Podcast, Episode 146

By Rich

Things are so crazy this week, getting ready for RSA, that I nearly forgot we record this little podcast thing every week. Sure, I've only been doing it every week for over a year, but you'd think I'd learn to remember.

This week we start by reviewing all the happenings at RSA, before talking about the cable cuts in the Bay Area and the Twitter worm. Martin and I will be doing our best to push out shorter daily shows (usually interviews) every day at RSA, and these tend to be some of our more popular episodes.

The Network Security Podcast, Episode 146.

–Rich

Friday Summary: April 10, 2009

By Rich

–Rich

Dino Dai Zovi on The Network Security Podcast

By Rich

Just a quick note today since I'm totally distracted by having some family in town.

Episode 144 is up and features Dino Dai Zovi... co-author of The Mac Hackers Handbook. It's a great interview, especially if you are interested in Mac security issues. We also discuss the No More Free Bugs meme.

You can download the episode here...

–Rich

Network Security Podcast, Episode 143

By Rich

With the CanSecWest conference last week, right on the heels of Black Hat Europe, there have been many happenings in the security world. On top of that, our favorite investigative reporter managed to take down yet another group of bad guys by shining his flashlight in the right direction.

But before we delve into the week's security news, we spend a little time talking about my shiny new Mac Pro, as Martin gives me a few parenting tips (don't worry, we try not to bore you too much). I rant a bit on Apple's stupidity with their cord-length on the new 24" Cinema Display. Seriously, only 3'6"? With no extension available anywhere?!?

Sigh. And now, on to the show.

Network Security Podcast, Episode 143, March 24, 2009

Show Notes:

• Brian Krebs reveals the evil that is TrafficConverter.
• TrafficConverter is shut down. Coincidence? Nope.
• Is Conficker just a big April's Fools day joke? Yeah, right.
• Jeremiah Grossman is seeking quick hits in web application security.
• Core Security researchers reveal BIOS attack.
• All browsers go down at CanSecWest. Except Chrome, but no one really targeted it.

(Yes, Alan, I just cribbed my own show notes again.)

–Rich

Adrian Appears on the Network Security Podcast

By Rich

I can't believe I forgot to post this, but Martin was off in Chicago for work this week and Adrian joined me as guest host for the Network Security Podcast. We recorded live at my house, so the audio may sound a little different. If you listen really carefully, you can hear an appearance by Pepper the Wonder Cat, our Chief of Everything Officer here at Securosis.

The complete episode is here: Network Security Podcast, Episode 137, February 10, 2009 Time: 32:50

Show Notes:

• Arizona tracking drug prescriptions. I swear that stuff was from my shoulder surgery, officer!
• Kaspersky hacked. We mostly talk about the response.
• Metasploit to add an online service component. We can't wait to learn more about what they are going to offer beyond password cracking.
• Melissa Hathaway appointed head of White House office of cybersecurity.
• We talk about some new info we have on the Heartland breach that isn't in the press yet, so no link.

–Rich

The Network Security Podcast, Episode 136

By Rich

I managed to constrain my rants this week, staying focused on the issue as Martin and I covered our usual range of material. I think we were in top form in the first part of the show where we focus on the economics of breaches and discussed loss numbers, vs. breach notification statistics.

Here are the show notes, and as usual the episode is here: Network Security Podcast, Episode 136, January 27, 2009 Time: 27:43

Show Notes:

• Maine surveys banks to determine some of the losses associated with major data breaches. It isn't a small number.
• Monster.com loses some data. They don't tell us who's data they loss, or how or why, but they definitely lost some stuff.
• The White House homeland security agenda. There's a cyber section. Which is cool, because someone can at least spell cyber.
• Phishers change URLs. We're not sure why this is news, but we use it as an excuse to talk about other, more important things.
• A man buys a used MP3 player in New Zealand, with personal info on US soldiers in Iraq. WTF? Maybe it was a Zune?
• Tonight's Music: Mexicolas with Big in Japan

–Rich

The Network Security Podcast, Episode 134

By Rich

It's just Martin and myself on the podcast this week. Originally Martin sent out a bunch of stories and we figured, knowing our verbosity, that we would only get through about 3. But totally against our normal natures we managed to roll through them with nary a non-sequitur.

I suppose people really can change.

We think we've finally figured out our end of year audio problems, but please let me know if anything sounds off to you. Network Security Podcast, Episode 134, January 13, 2009 Time: 32:27

Show Notes:

• CWE/SANS Top 25 most dangerous programming errors
• SANS: How to Suck at Information Security
• The Air Force's rules of engagement for blogging - This is one that's worth sending to your marketing/PR departments
• Phishing scams for money? Don't bet on it.
• The High Stakes of Compliance
• Watchdogs bite IRS for continued security lapses
• Tonight's music: Details of the war by clap your hands say yeah

–Rich

The Hoff Co-Hosts The Network Security Podcast

By Rich

Martin was out of town this week and put our fine show into my trustworthy hands. A trust I quickly dashed as I invited Chris Hoff to join the show. We managed to avoid any significantly bad language, and both of use were completely sober. I think.

Chris and I started with a discussion of the latest national cybersecurity recommendations, moving on to the CheckFree attack, the DNSChanger trojan, DLP/DRM advances by Microsoft/EMC and McAfee/Liquid Machines, and finishing with one of our pontificating discussions about the cloud.

Here's the show, and the show notes: The Network Security Podcast, Episode 131, December 9, 2008.

Show Notes:

• The Commission on Cyber Security for the 44th Presidency releases their long-awaited report.
• CheckFree online bill payment redirected to a malicious site.
• The DNS Changer trojan starts it's own internal DHCP server.
• The future of DLP/information-centric security as Microsoft and EMC partner, then McAfee and Liquid Machines (and a few other vendors we talk about).

–Rich