
Archive for netcast

Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge

With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I — along with some guests — are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information.

PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I’ll have a stack at Blackhat and during the next Catalyst onTour trip!

Meantime, check out Adam’s excellent site: http://www.adamdodge.com/esi/

Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, use the direct link for the program; iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3

Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university determined that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained personal information on 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department had assumed that it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions, containing personal and credit card information, had been compromised.

In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000.

The university fired 2 IT administrators and the CIO resigned.

What was the response
Ohio University’s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response than the rote take-down-and-investigate.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint, and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
 - The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings, the committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes, and it will likely need an additional $7-10 million based on the consultants’ report.
- Ohio University has continued to talk about this breach openly and honestly.
 - OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As for one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.

What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
 - In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a “spontaneous mushrooming of IT people on campus”. A report from a consultant confirmed this view, describing the IT departments on campus as an “adhocracy” characterized by poor communication and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, the director of communication-network services who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in the IT budget (1 million in 2 years) and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
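The alumni server in this breach sat unpatched for over a year because everyone assumed it had already been decommissioned. A cheap control against that failure mode is to reconcile, on a schedule, what the asset register says against what is actually answering on the network, and to flag active hosts whose last patch date is stale. The Python below is an added example written for this page; it is not code from the show, from Adam Dodge or from Ohio University. The register, the observation feed, every hostname, IP and date are constructed for illustration, and the 90-day patch threshold is an assumed policy value.

```python
"""Reconcile an asset register against hosts actually observed on the network.

Added example (not from the show notes or Ohio University). A host the register
marks "decommissioned" but that still answers on the wire is exactly the kind of
forgotten, unpatched server described in the breach. All data below is constructed.
"""
import csv
import io
from datetime import date

# Constructed asset register: what the IT department believes is true.
ASSET_REGISTER_CSV = """\
hostname,ip,owner,status,last_patched
alumni-db,10.1.2.10,advancement,decommissioned,2005-03-01
tech-transfer,10.1.3.5,techtransfer,active,2006-04-10
health-srv,10.1.4.7,hudson-health,active,2006-02-20
web-store,10.1.5.9,business,active,2006-04-28
"""

# Constructed observation feed: hosts seen in DHCP/ARP logs or by a network scan.
OBSERVED_CSV = """\
ip,last_seen
10.1.2.10,2006-04-24
10.1.3.5,2006-04-21
10.1.4.7,2006-05-04
10.1.9.99,2006-05-01
"""


def parse_register(text):
    """Return {ip: row} from the register CSV."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_observed(text):
    """Return {ip: last_seen date} from the observation CSV."""
    return {row["ip"]: date.fromisoformat(row["last_seen"])
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(register, observed, as_of, max_patch_age_days=90):
    """Return findings as (ip, hostname or None, reason) tuples.

    Reported failure modes:
      1. a host on the wire that the register does not know about,
      2. a host the register calls decommissioned that is still live,
      3. an active host whose last patch is older than the policy threshold,
      4. an active register entry that was never observed (verify it exists).
    """
    findings = []
    for ip, last_seen in sorted(observed.items()):
        entry = register.get(ip)
        if entry is None:
            findings.append((ip, None, "observed on network but absent from asset register"))
        elif entry["status"] == "decommissioned":
            findings.append((ip, entry["hostname"],
                             f"marked decommissioned but seen on {last_seen.isoformat()}"))
        else:
            age = (as_of - date.fromisoformat(entry["last_patched"])).days
            if age > max_patch_age_days:
                findings.append((ip, entry["hostname"],
                                 f"last patched {age} days ago (policy: {max_patch_age_days})"))
    for ip, entry in sorted(register.items()):
        if entry["status"] == "active" and ip not in observed:
            findings.append((ip, entry["hostname"],
                             "registered active but never observed; confirm it really exists"))
    return findings


def reconcile_csv(register_csv, observed_csv, as_of_iso, max_patch_age_days=90):
    """Convenience wrapper taking raw CSV text and an ISO date string."""
    return reconcile(parse_register(register_csv), parse_observed(observed_csv),
                     date.fromisoformat(as_of_iso), max_patch_age_days)


if __name__ == "__main__":
    # Run against the constructed data as of the day the last breaches were found.
    for ip, host, reason in reconcile_csv(ASSET_REGISTER_CSV, OBSERVED_CSV, "2006-05-23"):
        print(f"{ip:<12} {host or '-':<14} {reason}")
```

Run as-is, the report lists the "decommissioned" alumni-db that is still on the network, the health server whose last patch is 92 days old, an unknown host the register never heard of, and an active entry nobody has seen. In practice the two CSV inputs would be exported from the CMDB and from DHCP, ARP or scanner data; the value is in running the comparison regularly, not in any single run.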

Links for more information
OU news release about the breaches:
http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (subscription required):
Wasley, Paula. “More Holes Than a Pound of Swiss Cheese” The Chronicle of Higher Education <http://chronicle.com/weekly/v53/i06/06a03901.htm>
Articles about the breaches:
Sandoval, Greg. “University server in hackers’ hands for a year” CNet News.com <http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
Vijayan, Jaikumar. “Ohio University reports two separate security breaches” Computerworld <http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
OU President McDavis’ essay about the breaches (subscription required):
McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis” The Chronicle of Higher Education <http://chronicle.com/weekly/v54/i30/30b00501.htm>
A good write-up of President McDavis’ essay:
Heck, Richard. “McDavis writes of computer breach in national publication” The Athens Messenger <http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
Ohio University data theft web site:
http://www.ohio.edu/datatheft/index.cfm

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Information Protection, Into the Breach, netcast | Comments (1)

Security Catalyst Show - Pop Culture Security Edition - July 2008

Whether responsible for security awareness training — or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information.

This month James Costello and I break down – in less than 20 minutes — how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering.

Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!

Direct Link: TSC-20080716.mp3

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

== Detailed Show Notes After the Break ==

(and by detailed, I mean… wow. Detailed - Thanks to James for pulling the links together!!)



Posted in Information Protection, Security Awareness Training, netcast | Comments

The July Security Roundtable is available: Battling Botnets with Botnets

Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/

The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning, and we invite you to share your ideas, insights and feedback in the Security Catalyst Community.

Thanks to the panel:

Joining the conversation in the Security Catalyst Community

Share your ideas in the Security Catalyst Community. Your participation is your currency (meaning there is no charge to join) - the more you contribute, the more you learn, and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

 
Standard Podcast [68:41m]


Posted in Security Catalyst Community, netcast | Comments

netcast for this week: I was the (surprise) guest host on the Netsec Podcast

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey - no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

 

(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn’t look like we have new shows, you may want to unsubscribe and resubscribe.)


Posted in Into the Breach, netcast | Comments

Security Roundtable for June 2008: Clarion Call of the Jericho Forum

If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you’re doing and take a listen to this month’s Security Roundtable.

After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what the Jericho Forum is, and what it does. We learned a lot and share the discussion with you…

Joining us on the program:

 

 

 

Learn more about Jericho Forum: http://www.opengroup.org/jericho/

 

 

Paul Simmonds, Co-founder and board of management Jericho Forum  & former CISO, ICI
Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul’s varied career has included Electronic counter-measures, Theatre Lighting, North Sea Oil control systems, JET (Nuclear Fusion Research) and commercial radio. Prior to joining ICI in 2001 he was Head of Information Security with a high security web hosting company and before that spent seven years with Motorola, as global information security manager. 

Paul was awarded European Chief Security Officer of the year at the 2005 SC Magazine Awards and is listed in both the 2004 & 2005 global top 50 most powerful people in networking by the US publication Network World.  Paul sits on the management board of the Jericho Forum and the Executive Advisory Board of ISSA UK. He also is a British Canoe Union Level 3 Kayak Coach.

 

Shane Buckley, President & CEO, Rohati Systems, Inc.

Shane Buckley is the President and Chief Executive Officer at Rohati Systems, Inc. Buckley comes to Rohati with more than 20 years of global executive and general management expertise, having held senior executive positions in the United States, Europe, the Middle East and Asia-Pacific.

 

Before taking the helm at Rohati, Buckley served as Chief Operating Officer at Nevis Networks, Inc. a leader in network access control. Previously, he was Vice President of Worldwide Enterprises for Juniper Networks. Prior to that, he served as the International President of Peribit Networks, the leader in Network Optimization. Juniper Networks purchased Peribit in June 2005 for $380M. Before Peribit, Buckley served as Chief Executive Officer of Conduit Software, a provider of Directory Assistance and Wireless Applications solutions. Previously, he was Vice President, EMEA at 3Com. In this role, he managed a $2.2 billion business unit and was responsible for 3Com’s distribution strategy, OEM partnerships and reseller channels. Buckley also chaired 3Com’s Global Distribution Council, was a member of the company’s worldwide OEM steering team, and served as 3Com’s head of operations for the Asia-Pacific Region based in Hong Kong and Tokyo. 

 

Buckley is a frequent speaker at high-level industry trade shows and events such as Gitex, CeBIT and The Wall Street Journal Europe conference. He has also contributed to a number of magazines and news programs including MSNBC, SABC and Middle East Business news. He holds an engineering degree from the Cork Institute of Technology in Ireland.

 

 
SRT June 2008: Jericho Forum [54:21m]


Posted in Information Protection, netcast | Comments (1)

Security Catalyst Show - Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call  206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com

 

PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit - and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable - shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

 
Security Catalyst Show | Pop Culture Security


Posted in Information Protection, Security Awareness Training, compliance, netcast | Comments (3)

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages used by Debian systems contained a flaw in which the random numbers were not actually random, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember code red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

 
Security Catalyst May 21 2008 [33:06m]


Posted in Information Protection, Professional Speaking, Security Awareness Training, netcast | Comments (3)

May 2008 Security Round Table | RSA - Going Beyond the Hype

I had a great time at RSA 2008 this year, but didn’t attend any keynotes and only saw some snippets of sessions. Yet I took several *quality* briefings during the course of the week — and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad — after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights.

RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives.

I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference!

This marks the return of the SRT. We already have the June SRT recorded — a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we’ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT — the responsibility of security bloggers and the role of new media.

Happy Listening.

 

 

 
SRT May 2008 [54:34m]


Posted in netcast | Comments

Introducing a brave new program - Driving the Digital Revolution

I am excited to introduce to you a new program that I host and produce for Cornell University called “Driving the Digital Revolution.”

Driving the Digital Revolution is a simple, but powerful, way to consider the changes taking place around us every day. The digital revolution has lifted cultures out of poverty, literally changed the face of global and local business, and even affected the family structure. Without question, the digital revolution both counts on and plays an active role in shaping how people protect information.

Cornell takes its role in driving the digital revolution seriously. In both education and research, emphasis is placed not only on the field of study, but in how that subject is being transformed by advances in computing and information resources. It realizes that as ideas and technologies are advanced, we have an obligation to not only consider the consequences, but to study and anticipate the unintended consequences.

I am sharing this with you for two reasons:

(1) I am passionate about this series and the opportunity to work with other experts to dig deeper and uncover important concepts that are driving the digital revolution; their words have a lasting impact on me, and I believe they will on you, too.

(2) We are at a place in our industry when we need change. We need to grab on to a vision of hope and drive change. Studying how Cornell participates in driving the digital revolution is a blueprint for our success.

So sit back, plug in and consider the words — and passion — of Dean Constable and how they apply to what you do. Working together, we can change the way people protect information.

There are three ways to listen and subscribe (so you get every episode)
1. Each episode incorporates the ability to listen on the website! Simply point your browser to http://www.cis.cornell.edu/alumniblog/ and press play
2. You can download this episode directly: http://www.cis.cornell.edu/alumniblog/podcast/cornell-ddr-01.mp3
3. If you prefer to use and subscribe using RSS, here is the feed: http://www.cis.cornell.edu/alumniblog/feed/

 
Driving the Digital Revolution [30:16m]


Posted in Information Protection, netcast | Comments off

The Security Catalyst Show | Plan - Do - Review your way to success

Into the Breach is really taking shape - but I have been eager to get back behind the microphone and share the ideas and concepts I have been working on. You witnessed my transition to The Security Catalyst last year, and with it, my focus on changing the way people protect information.

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN - DO - REVIEW

I first learned about PLAN - DO - REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use - with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

 
Standard Podcast [13:04m]


Posted in Information Protection, netcast | Comments (1)
