<HE-Kurtz> Pleasure to be here.
<netsecurityadm> George Kurtz is the co-founder and CEO Foundstone- an information security software, services and education provider
<netsecurityadm> Prior to starting Foundstone Mr. Kurtz was with Ernst & Young as a leader of the Security Profiling Services Group.
<Simo> hello
<netsecurityadm> With his co-authors Stuart McClure (who will be joining us at 9pm) and Joel Scambray he has written four editions of the popular Hacking Exposed book which is the core of the Hacking Exposed series of books.
<netsecurityadm> With that, I will let the questions begin. If you have questions on information security, the Hacking Exposed books, how Mr. Kurtz got involved in information security or whatever feel free to ask.
<netsecurityadm> Please keep things civil and take turns asking questions so we can all follow the dialogue easier.
<Simo> ahhh hes here
<Simo> great
<netsecurityadm> Does anyone have anything they would like to ask, or do you want me to get the ball rolling?
<Simo> you go
<Guest503> Mr. McClure, what are the most common vulnerabilities your company finds?
<Guest503> that is mr. Kurtz
<netsecurityadm> Mr McClure is not here yet- he will join us at 9pm
<netsecurityadm> :-)
<HE-Kurtz> This is Mr. Kurtz, but I will answer
<HE-Kurtz> The most common vul - are related to web applications
<HE-Kurtz> That is, home grown applications that use a web server, and backend database
<Charlie> Mr. Kurtz with that in mind, which is more vulnerable, CGI, PHP, Perl scripts?
<HE-Kurtz> Many are riddled with sql injectioni problems, and just down right poorly written
<Charlie> in your experience
<HE-Kurtz> I can't point to one or another, they all can be made sure. It is really a function of how the programmer constructed the script
<Charlie> thank you
<Guest503> what do you think of the web security products from sanctum and spi dynamics
<HE-Kurtz> There are many products on the market. Tools from sanctum and spi dynamics are good, but you need to know what you are doing when you use them.
<HE-Kurtz> If you just fire away and think you will get usefull information, you are mistaken.
<netsecurityadm> That is a common issue. People debate whether this OS or that OS is more secure- would you agree that the user's knowledge is more important than the choice of platform?
<HE-Kurtz> I would definitely agree. If you misconfigure your system or don't take the time to secure it, it will be hacked
<HE-Kurtz> I happen to like openBSD for security...but that is just me
<netsecurityadm> What operating system do you use on your primary personal computer?
<HE-Kurtz> At work I run 2000, but at home I run many O/S. Linux, OpenBSD, windows... my new love is OS X
<netsecurityadm> OS X is alleged to be quite secure and you constantly here that Linux is more secure than Microsoft
<HE-Kurtz> OS X is decent, but I am sure you will start seeing more and more issues
<HE-Kurtz> Anyway, it is a very nice O/S, with a very good UNIX core
<netsecurityadm> It seems to me that Linux has its share of flaws and vulnerabilities, but the media choose to highlight the MS issues more
<HE-Kurtz> People seem to like to pick on MS. They both can be made very secure. Esp when you bolt on other packages
<Charlie> I believe that goes back to Mr Kurtz earlier statement about configuration
<HE-Kurtz> Sure does.
<Charlie> Most Linux users are more educated on configuration MS are not known for telling all
<netsecurityadm> Agreed. I happen to know my way around Microsoft platforms quite well and I only dabble in Linux
<netsecurityadm> I guarantee my MS systems are more secure
<HE-Kurtz> Most home users plug and don't have a clue about security
<HE-Kurtz> Wifi is all over my neighborhood, and nobody bothers to use WEP
<HE-Kurtz> People just don't get it, because they just want to use computers without thinking about security
<HE-Kurtz> Most of them anyway...except for the people that read our books. : )
<netsecurityadm> With broadband and 24/7 connections it seems that these home users are becoming a VERY large weakest link in the Internet security chain
<Charlie> Again education education education. New users dont use virus scanners until they are hit by one
<HE-Kurtz> they become victims on the information superhighway
<HE-Kurtz> Drive by shootings as I like to say
<netsecurityadm> home users in general want to use a computer like they do their microwave or their TV- turn it on and use it
<Simo> haha
<HE-Kurtz> wrong IP address at the wrong time...
<HE-Kurtz> Yes, that is why OS X is so nice. ; ) Just turn it on and go.
<Guest503> there seems to be a lot of buzz around intrusion prevention. are these products a cure for some of the IDS issues?
<HE-Kurtz> I really like IPS. I have been a big fan of Entercept - now NAI for years. It just plain stops the attacks even if your system is not patched.