Rodney Campbell's Blog


The IT Security PodCasts Roundup

by on Sep.15, 2006, under Security

The world of IT Security is changing so rapidly – it’s often just too hard to keep up. In an attempt to soak in just that little bit more general information I’ve recently started listening to various IT/Computer/Network Security podcasts. I listen to these in any ‘spare time’ I might have in my day (like travelling to and from work). Some of the PodCasts are quite professionally produced and perhaps have as much to do with entertainment as they do about content and security but that isn’t necessarily a bad thing if it helps make you listen to the PodCast and come back for more.

The following is my pick of the best ones that I’ve found so far and if you have any suggestions for others I should be listening to then please give me some feedback. With most of these PodCasts you can use iTunes to subscribe, however as I am not using an iPod I just download the MP3 file and load them onto my PocketPC phone.

Steve Gibson and TechTV's Leo Laporte take 30 to 60 minutes near the end of each week to discuss important issues of personal computer security. This is fairly light material, pitched at the general user with an interest in security, and as such it is a good introduction to the space. Steve tends to talk way too much 🙂 but Leo tends to try and keep him on track. Currently up to Episode 56.

Martin spends half-an-hour (or so) each week talking about the computer security issues that are relevant today. Currently up to Episode 42.

Larry Pesce, Paul Asadoorian, Nick "Twitchy" Depetrillo and Joe Conlin bring you a podcast in a much more laid-back, youthful style. If you enjoy kicking back with a bunch of young techo guys having fun and chatting about all manner of stuff then this podcast is for you. Currently up to Episode 43.

Crypto-Gram is a monthly e-mail newsletter from security expert Bruce Schneier. Over more than seven years Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. If you prefer to listen to Schneier's newsletter rather than reading it then this is for you.

SploitCast is a podcast for hackers, geeks, and the security paranoid. Run by a group of students and IT professionals, SploitCast discusses a wide variety of topics, including new vulnerabilities, exploit code, and security and technology news, roughly every two weeks. If you want dry technical discussions this is the podcast for you. Currently up to Episode 14.

Michael Santarcangelo is a lead instructor for the CISSP exam and will take you on a 20-50 minute tour of the business and policy side of security rather than a techie's view of the world. Currently up to Episode 35.

Two former federal agents speak each week about computer forensics, network security and computer crime. This is down-to-earth with a focus on forensics and investigation. They have over 40 podcasts in the can already. If you are really interested in this field then the Liveammo: Digital Forensics & Hacking Investigations series may also be up your alley.

TechTarget's Security Wire Weekly podcast provides a short summary of the week's top news in the world of information security, plus feature interviews with newsmakers, experts and people like you.

If VoIP security is your interest, this podcast is right up your alley. Blue Box is a 60-minute podcast from Dan York and Jonathan Zar with news and commentary about security issues for Voice Over IP and IP Telephony. Currently up to Episode 37.


2006.09.12 Daily Security Reading

by on Sep.12, 2006, under Security

The World of Botnets (pdf)

With a Trojan horse on one compromised computer, you would be able to do whatever you wanted. That computer would be as good as your own. You would own it. Now imagine that you owned 100,000 such computers, scattered all over the world, each one running and being looked after in someone’s home, office, or school. Imagine that with just one command, you could tell all of these computers to do whatever you wanted.

When relationships end, so does security

When "Lucy" and "Ricky" exchanged wedding vows, they said nothing about email privacy. During their marriage, Lucy found it easy to guess Ricky’s email password. One day Lucy began to suspect that Ricky was being unfaithful to her, and reading his email confirmed her suspicion. She never told him that she was intercepting his email, and he never suspected that’s how she discovered his infidelity. Even after their divorce, she still keeps tabs on him by reading his email: he still doesn’t know.

Disclosure survey

Federico Biancuzzi surveys statements from some of the world’s largest software companies about vulnerability disclosure, interviews two security companies who pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process.


2006.09.11 Daily Security Reading

by on Sep.11, 2006, under Security

I Spy; Doesn’t Everyone?

Flip open your husband's cellphone and scroll down the log of calls received. Glance over your teenager's shoulder at his screenful of instant messages. Type in a girlfriend's password and rifle through her e-mail.

Insider warns of storage industry security flaws

A former government security advisor now in the employ of Hitachi Data Systems claims major storage players, including his own company, have fundamental problems with securing their systems.

Insecure Magazine: Issue 1.8 (pdf)

Off-Site Backup for Home Users

A few musings about off-site backup for home users and the usefulness of TrueCrypt – NB: TrueCrypt is great (and free – as in beer) stuff – I use it myself and can wholeheartedly recommend it.

Money Bots: Hackers Cash In on Hijacked PCs

Researchers at the German Honeynet Project have discovered that a malicious hacker earned about $430 in a single day installing spyware on computers in the latest Windows worm attack. Within 24 hours, the IRC-controlled botnet hijacked more than 7,700 machines via the Windows Server Service vulnerability (MS06-040) and hosed the infected computers with the spyware from DollarRevenue. The botnet operator made between a penny and 30 cents for every piece of spyware installed. Add that to the spam rental and DDoS extortion money and we have a booming business.


2006.09.08 Daily Security Reading

by on Sep.08, 2006, under Security

DRM Hole Sets Patch Speed Record For Microsoft

If you really want to see Microsoft scramble to patch a hole in its software, don't look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond's DRM.

Microsoft Windows Vista Upgrade Advisor (Beta) 1 Release Build 1.0.0.54

Windows Vista Upgrade Advisor is a small application that you can run on your current Windows XP-based computer to find out if it's ready for an upgrade to Windows Vista. When you run the Upgrade Advisor, it will scan your computer and generate an easy-to-understand report of any known system and device compatibility issues, along with recommendations on how you can get your PC ready for Windows Vista.


2006.09.07 Daily Security Reading

by on Sep.07, 2006, under Security

New Apache Compliance Audit Policy

Tenable's research team has released a Nessus 3 audit policy file which can be used to audit the configuration of Apache web servers running on various UNIX platforms. The policy can be customized to your specific Apache distribution. It can audit many aspects of the httpd.conf file.
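As an added illustration of the kind of httpd.conf audit such a policy performs (this is example code written for this post, not Tenable's policy file or its format), the small checker below parses a constructed configuration fragment, tracks `<Directory>` sections, and flags a handful of well-known weak settings: `ServerTokens` other than `Prod`, `ServerSignature` and `TraceEnable` left on, and `Options Indexes` enabling directory listings. The directive names are real Apache directives; the sample configs, the expected values and the function names are assumptions chosen for the example.

```python
import re

# Constructed sample fragments (not taken from any real server).
WEAK_HTTPD_CONF = """
# Example with several risky settings
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

HARDENED_HTTPD_CONF = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# Audit checks: directive -> (expected value, reason it matters).
EXPECTED = {
    "ServerTokens": ("Prod", "Server header leaks version and module details"),
    "ServerSignature": ("Off", "error pages reveal the server version"),
    "TraceEnable": ("Off", "HTTP TRACE is enabled"),
}


def parse_directives(text):
    """Return (directive, value, section) triples; comments are stripped and
    the innermost <Directory ...>-style container is recorded as the section."""
    directives, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opener = re.match(r"<(\w+)\s+(.*?)>$", line)
        if opener:
            section = opener.group(2).strip('"')
            continue
        if line.startswith("</"):
            section = None
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else "", section))
    return directives


def audit_httpd_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, seen = [], set()
    for name, value, section in parse_directives(text):
        seen.add(name)
        if name in EXPECTED and value.lower() != EXPECTED[name][0].lower():
            expected, why = EXPECTED[name]
            findings.append(f"{name} is '{value}', expected '{expected}': {why}")
        if name == "Options" and "indexes" in value.lower().split():
            findings.append(f"Options enables directory listing (Indexes) in {section or 'global scope'}")
    for name in EXPECTED:
        if name not in seen:
            findings.append(f"{name} is not set explicitly; the compiled-in default applies")
    return findings
```

Running `audit_httpd_conf(WEAK_HTTPD_CONF)` reports four findings (the three directive mismatches and the `Indexes` option inside `/var/www/html`), while the hardened fragment produces none. A real policy would cover many more directives, but the shape is the same: parse, normalise, compare against an expected value, and report the location.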

OpenSSL signatures can be forged

OpenSSL may fail to detect forged digital signatures under certain conditions because of an implementation error: a failure to check one condition while verifying an RSA signature. The flaw affects all systems that use the OpenSSL library, and in particular servers secured with SSL/TLS and VPNs based on SSL/TLS. OpenSSL versions 0.9.7k and 0.9.8c have eliminated the vulnerability.
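The condition at issue is how the verifier checks the PKCS#1 v1.5 padding around the hash once the signature has been "decrypted" with the public key. As an added example (written for this post; it is not OpenSSL's code and does not reproduce the forgery itself), the block below contrasts a shortcut verifier that parses the padding and stops as soon as it has found the digest with a strict verifier that rebuilds the entire expected encoded block and compares all of it, which is the check RFC 8017 prescribes. It assumes SHA-256 as the hash, a toy 512-bit RSA key generated inline purely so the example runs quickly, and hypothetical helper names; the malformed block is constructed with the private key only to show that the two verifiers disagree on it.

```python
import hashlib
import hmac
import random

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):
    # Miller-Rabin; adequate for a toy key.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=512, e=3):
    # Toy RSA key, far too small for real use; e=3 keeps signing cheap.
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if (p - 1) % e != 0 and _is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def block_len(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15_encode(message, k):
    # EM = 00 || 01 || PS (at least 8 bytes of ff) || 00 || DigestInfo || hash
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this encoding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def sign_block(em, n, d):
    # Raw RSA private operation; also used below on a deliberately malformed block.
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(block_len(n), "big")

def sign(message, n, d):
    return sign_block(emsa_pkcs1_v15_encode(message, block_len(n)), n, d)

def verify_strict(message, signature, n, e):
    # Correct check: rebuild the whole expected block and compare all of it.
    k = block_len(n)
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))

def verify_lenient(message, signature, n, e):
    # Shortcut of the kind the advisory describes: walk the padding, find the
    # digest, and never confirm that the digest ends where the block ends.
    k = block_len(n)
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t  # bytes after the digest are ignored

def malformed_block(message, n):
    # Constructed block: minimal padding plus leftover bytes after the digest.
    k = block_len(n)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))

def demo():
    n, e, d = generate_key()
    msg = b"constructed sample message"
    good, bad = sign(msg, n, d), sign_block(malformed_block(msg, n), n, d)
    return {
        "strict_accepts_valid": verify_strict(msg, good, n, e),
        "strict_rejects_other_message": not verify_strict(b"other", good, n, e),
        "lenient_accepts_malformed": verify_lenient(msg, bad, n, e),
        "strict_rejects_malformed": not verify_strict(msg, bad, n, e),
    }
```

`demo()` returns four `True` values: both verifiers accept a properly formed signature, but only the strict one rejects a block whose padding does not span the whole encoded message. The lesson for anyone writing or reviewing signature code is that the encoding is unique for a given message and key size, so the verifier should compare against that single expected value rather than parse its way through the block.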

NIST Publication 800-94 Guide to Intrusion Detection and Prevention (IDP) Systems (Draft)

Securitycompass Web Application Analysis Tool (SWAAT)

SWAAT is a .Net command-line tool that searches through source code for potential vulnerabilities in Java, JSP, ASP.Net, and PHP.

Microsoft Word 0-day Vulnerability FAQ – September 2006, CVE-2006-4534 [UPDATED]

This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft Word. The document also describes the related malware.



Copyright © 2015 Rodney Campbell
