This was rant week here at Security Weekly. The guys didn't really get into depth in too many articles, in large part because they went into a lot of depth on a few stories. We'll have more on that in a minute.
Paul did announce that he has a new contact email address. You can get in touch with him at [email protected]
Also in the announcements, a quick reminder that we added a third track to BSides Rhode Island and are calling it 0day (we added the Friday before the Saturday conference, get it?) and we have an open CFP. So if you'd like to present at BSides RI on Friday, June 14 in Providence, let us know at [email protected]. You can see all about the conference at http://securitybsides.com/BSidesRI
You can read the stories discussed on this week's show notes.
Ok, let's get to this. The first story of the week is from DarkReading and called "Too Scared to Scan." Jack and Paul get going here on how too many businesses are afraid of scanning their own systems, for a number of reasons. Is the problem that they're afraid of knowing just how vulnerable their systems are? Because once you get that report, if you don't fix it, then your ass could really be on the line. If you're told of the vulnerabilities and problems and don't fix them, that's pretty indefensible. But if you don't scan and you don't have that report in writing, you've created what we call plausible deniability.
Another big fear with scanning is that the system is going to fall over. Paul brings up the point that tools like Tenable's Nessus are very carefully engineered to have settings that will not knock over systems on your network. If you're using this "safe" mode of scanning and systems fall over? You've got some really serious problems. Because if you're not scanning your systems, you can pretty well bet that someone else is going to do it for you. And very likely they'll be doing it at a time that isn't convenient for you.
The other big rant of the week was from John who openly challenged McAfee and NSS Labs to come explain their testing methods in a recent report. The main problem that John had with this report is that the lab allowed McAfee to make tweaks to their testing tool to help it better detect the malware presented. Are you allowed to do this in the wild too? When someone comes up with a new anti-virus bypass, are they going to come to you, show you the methods, allow you to tweak your AV client and then try to attack your system? Hell no, of course they're not going to do that. But for some reason, that type of methodology seemed to make sense in this "study".
In some other quicker hits, engineer Steve gets to explain whether $5,000 is a lot of money for making a documentary, as "Code2600" is filming in Uganda about Johnny Long's Hackers for Charity. Jack also has a couple of other stories, about kids changing their grades and getting expelled, as well as a new free online intro to computer science course.
Next week on Security Weekly, you won't want to miss Bill "Ches" Cheswick, founder of the Internet Mapping Project as well as Mark Baggett to talk about Python for Pentesters. Don't miss it, Thursday, April 4th starting at 6 pm EDT.