Yesterday, after reading a post in which I cautioned about a popular security podcast, someone asked me what cyber security podcasts I do listen to. I wrote this up a long time ago and never posted it for some reason, so now I’m correcting the oversight. Here’s my collection of the best of the best security podcasts.
These are the security podcasts I’ve been listening to for several years now and continue to recommend. Security podcasts are a good way to keep in touch with current issues, and also a good way to get continuing education.
Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.
Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and iOS are fairly close, security-wise.
So why do we see so many more Android bugs? Drake had an answer.
To me, the Sony breach is noteworthy not just because of its magnitude, but because it doesn’t appear to be driven by profit, unlike the other big breaches in recent memory. Instead, it’s a return of vigilante hacktivism, and entertainment companies are particularly vulnerable because, the Washington Post argues, all movies have an element of politics in them.
That’s a problem for U.S. companies in an interconnected world, because much of the world doesn’t value free speech as the United States does. The plot of the movie “Red Dawn” was changed–China, not North Korea, was the original aggressor–to avoid offending the Chinese government, for example. Search Google for “movies that offended foreign governments” sometime. It’s amazing how many you’ll find.
Slashdot ran a story about executives being targets in high-end hotels in the Far East. I didn’t realize this was a new phenomenon; perhaps I just assumed it’s been going on all along.
At any rate, it’s possible to protect against it.
One myth that I hear over and over is that having a router on your Internet connection makes you invisible, and makes you somehow invincible. I even heard someone say recently that if you have a router/firewall, you don’t need to run antivirus software.
Security researcher HD Moore appeared last week on Risky Business and he talked about ways that entire classes of routers can be compromised. Give it a listen.
Patrick Gray and Darren Pauli of The Register blasted the continued use of XP on Risky Business last week.
But I think their criticism is based on an assumption that may not be correct.
Years ago I heard a joke that reminds me of the situation Microsoft found itself in last week with its latest IE vulnerability:
If a man is alone in a forest, and there’s no woman there to hear him, is he still wrong?
I was as shocked as anyone when Microsoft released just one last Internet Explorer patch for Windows XP on May 1. I can argue either side of the issue, but I don’t think I can argue either side convincingly enough to get a simple 50.1% majority of people to agree with me, because I’m not sure I can argue either side of the issue convincingly enough that I would agree with myself.
I think it’s important that 26% of all web traffic is still coming from Windows XP today, nearly three weeks after it went end of life. That likely played into the decision. Microsoft was in a no-win situation here, and they had to decide whether they wanted to lose 1-0 or 24-1. So I don’t think it matters all that much, but here are the pros and cons of each side, as I see them.
On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.
Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Neiman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high, and they’ve hired a CISO and I hear they’re hiring lots of new security personnel–I have coworkers and former coworkers in the Minneapolis area who tell me as much–but for Michaels and Neiman Marcus, the cost, at least so far, appears to have been manageable.
But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.
I was listening to the excellent Risky Business analysis of the Droidpocalypse this week, and I’m happy to report that the vulnerability that affects 90% of Android devices ever made, while serious, is vastly overstated.
I bought a new radio for my venerable 2002 Honda Civic this weekend. I want to be able to listen to security podcasts on my commute, which wasn’t practical with my factory radio. So, off to the nearest car audio shop (Custom Sounds) I went. I looked at a couple of $119 decks, then the salesman mentioned an Alpine HD radio deck for $129, and a Sony deck with Bluetooth for $149. Bluetooth didn’t really interest me much, but HD radio seemed worth the extra $10. To me, the secondary HD stations seem more interesting than the primary ones. Then again, I’m the guy who skips right past the hits on U2’s The Joshua Tree and cues up “Red Hill Mining Town.” The stuff I really like generally doesn’t do all that well on mainstream radio.
But my main motivation was to get a radio with a USB port, so I can snarf down a few hours’ worth of podcasts every week to a USB thumb drive, plug it in, and stay in touch with the security world. Total overkill for an Alpine, but like the salesman said, Alpines aren’t crazy expensive anymore like I remember them being in the early 1990s.