Down the Security Rabbithole
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Follow us on Twitter: @DtSR_Podcast
Check out Rafal's SecurityWeek column: http://www.securityweek.com/authors/rafal-los
DtSR Episode 359 - Mind the Diversity Gap (Aug 20, 2019, 30:00)
This week, in the 2nd of two installments recorded live at Black Hat 2019, Alyssa Miller joins Rafal live to talk about some of the talks she's giving, and takes us back in time.
Highlights from this week's show include...
Rafal and Alyssa discuss the very real problems the lack of diversity in technology creates
A jab is taken at the TSA... because it's just too easy
Alyssa revisits the 'castle analogy' for InfoSec and why it's so tough to get right
Much more fun... you'll have to listen in!
Guest: Alyssa Miller ( @AlyssaM_Infosec ) - Alyssa's bio and website are here: https://alyssasec.com/
DtSR Episode 358 - No More Crappy Job Hunts (Aug 15, 2019, 32:58)
This week on another jammed-packed episode, Rafal takes to Black Hat 2019 to interview some interesting guests that have something unique to tell you. We start with Deidre Diamond, the lady behind CyberSN - and why she's reinventing the way you get your next InfoSec job.
Highlights from this week's show include...
Deidre tells us a little bit about what's new at CyberSN
Rafal & Deidre discuss the insane InfoSec job market
Deidre explains how she's planning on eliminating hiring bias in the InfoSec workforce
The last time Deidre joined us was episode 337 - http://ftwr.libsyn.com/dtsr-episode-337-insights-on-cyber-talent
For more, go to www.cyberSN.com/ and click the "Know More" icon in the top-right corner and get started!
Guest: Deidre Diamond ( @Cyber_SN ) - With over 20 years spent leading technology and cybersecurity organizations, Deidre Diamond offers a great perspective on the issues that matter most in our industry. Her vision, "to transform employment searching", has remained constant since she founded CyberSN in 2014. Find her on LinkedIn: https://www.linkedin.com/in/deidrediamond/
DtSR Episode 357 - Hacker Summer Camp 2019 (Aug 5, 2019, 32:16)
This week, James and I sit down to think (and talk) through Black Hat (and Defcon) 2019. "Hacker Summer Camp" as it's affectionately known in the industry, is a rite of every summer...but is it delivering value to attendees, do we have the right audience, and is the content worthwhile? This and more...
Highlights from this week's show include...
Raf and James reminisce about summer camp days gone by
Rafal addresses Dino's excellent-sounding keynote (abstract)
Raf & James discuss the hype (or more precisely, the lack thereof) of this year's conference and why it's nice for a change
All this and more... so tune in!
DtSR Episode 356 - It's Been a While, Andy (Jul 30, 2019, 39:07)
Welcome down the security rabbithole friends! This week, Andy Kalat takes a few minutes off from recovering to chat and comment on the state of security, and what's different since we first met back in... 2003? Fun episode... It's been a while, Andy!
Highlights from this week's show include...
Andy and Rafal try and figure out when they first met... in real life
Andy points out the problem vendors suffer from: "problem-scope-limiting" (this is an interesting one...)
Are things getting better? The guys discuss... snark ensues
Rafal asks Andy to predict what will change in the next ~5 years
Guest: Andrew Kalat ( @LERG ) - Andy is an IT Security Executive, Co-Host of the Defensive Security Podcast, Speaker, Writer... according to his LinkedIn profile, here.
DtSR Episode 355 - Threat Modeling Rides Again (Jul 23, 2019, 49:19)
My dear listeners - we have John Steven back on this episode! If you don't remember his first appearance, it's OK, it was a little while ago back on episode 42 ... http://podcast.wh1t3rabbit.net/dt-r-episode-42-threat-modeling so it's been a while!
Highlights from this week's show include...
John gives us a run-down on the new things since the last episode
James & John talk OWASP Top 10
The guys try to understand what happened to Threat Modeling, and security overall, over the last decade
So much more, you'll have to listen
DtSR Episode 354 - Pragmatic Azure Security (Jul 18, 2019, 45:57)
Fans & Listeners!
This week we have a treat for you... as this episode is recorded LIVE from Microsoft's Inspire 2019 in Las Vegas (where it was 117F) but the conversation here is way hotter.
Highlights from this week's show include...
What is Microsoft releasing to help guide secure Azure deployment?
Mark and Jeff debate "What exactly is the value of 'best practices'?"
So much more packed into this extended episode!
Guests:
Mark Simos ( @MarkSimos ) - Lead Architect, Cybersecurity Solutions Group, Microsoft
Jeff Collins - Chief Strategy Officer, Lightstream
DtSR Episode 353 - Ira Winkler on Point (Jul 9, 2019, 56:00)
Yes, DtSR took a week off ... we were due.
This week, Ira Winkler joins Rafal to go down the rabbithole and talk about his career, opinions on our profession, and other important stuff. Sit back, take notes, and enjoy.
Highlights from this week's show include...
Ira gives a run-through on his career and what's gotten him "here"
Ira and Rafal discuss "breaking into security" and how it's being sold now, versus what reality should be
Ira gives us his take on training, certifications, career paths and the like
Yeah, so much more...
Guest: Ira Winkler ( @IraWinkler ) - This guy: https://www.linkedin.com/in/irawinkler/
DtSR Episode 352 - AWS REInforce Warm Up Episode (Jun 24, 2019, 47:46)
This week, ahead of AWS RE:INFORCE 2019 (the first one) Rafal gets a conversation with buddy Mark for a candid talk about the top 3 public cloud providers, and a little insight into the evolution of the industry ... or not...
Highlights from this week's show include...
What are we expecting from AWS RE:INFORCE this inaugural year?
Mark gives us his take on the security in the three major public cloud providers
Rafal and Mark reminisce about how things were... and where they are in terms of cloud, and security
Mark and Rafal laugh about the opportunity security teams have right now... or may be missing
Guest: Mark Nunnikhoven ( @marknca ) - Mark's awesome. He's also the Vice President of Cloud Research at Trend Micro. Other stuff he does here: https://www.linkedin.com/in/marknca/
DtSR Episode 351 - Deeper Into the Microsoft Security Ecosystem (Jun 19, 2019, 38:41)
Thank you to Microsoft for sponsoring this show, and our podcast over the years...
Highlights from this week's show include...
Rob discusses what "Microsoft Threat Protection" is, isn't, and why it's relevant today
Rob gives us some context to "trillions of signals" - what does that mean?
Rob provides perspective on the pillars of operational excellence required to make Microsoft's vision a reality in damn-near-real-time
Rafal and Rob discuss what the ecosystem looks like, and how it's being released into production
Rob answers whether Microsoft consumes its own tools... the answer may surprise you
Guest: Rob Lefferts - @rob_lefferts
Microsoft Responsibilities/Contributions - As corporate vice president for M365 Security within Experiences and Devices, Rob Lefferts is responsible for ensuring that Microsoft 365 provides a comprehensive and cohesive security experience for all of our customers. Prior to this role, he led the Windows Enterprise & Security team, where he was responsible for hardening the Windows platform, building intelligent security agents, and driving commercial adoption of Windows 10. Since joining Microsoft in 1997, Lefferts has been instrumental in shaping key products and technologies, from helping develop the original SharePoint Portal Server to leading extensibility efforts for the Office platform to championing the vision for Microsoft 365.
Pre-Microsoft Work Experience – Rob began his career at Claritech, a startup that was born from a Carnegie Mellon research project. He then consulted with the Government of Namibia, Africa.
Education – He earned a bachelor’s degree in logic and computation, as well as a master’s degree in computation linguistics, from Carnegie Mellon University.
Family/Other Interests – Rob and his wife have two children and live in the Seattle area.
DtSR Episode 350 - Deep Learning on Deep Packets (Jun 11, 2019, 47:56)
Show Note: As most of you know, this show has long refused to use advertisements, or ad revenue to keep itself going. That said, I openly welcome organizations who have something interesting to say and some extra marketing dollars to give, to sponsor an episode while still going through the same vetting process as everyone else. This is one of those shows.
This week James and Rafal are joined by Saumitra Das, the Chief Technology Officer for an interesting little start-up called Blue Hexagon. If you find yourself nodding along and interested in hearing more, we encourage you to go check out their website and let them know you heard of them on this show.
Highlights from this week's show include...
Saumitra shares his insights on AI, machine learning, and the limitations and misuses of them
We discuss the challenges of finding 'malice' at extremely high volumes, at extremely high rates of speed, and in extremely diverse environments
Saumitra previews the methods Blue Hexagon uses to approach this problem and potentially start to draw a viable approach
Guest: Saumitra Das - CTO at Blue Hexagon - https://www.linkedin.com/in/saumitramdas/
Fun fact, Saumitra has over 330 granted patents... how many you got?
DtSR Episode 349 - Verizon 2019 DBIR Double-Live Part 2 (Jun 4, 2019, 39:35)
Friends & listeners - welcome to the 2nd half of the 2019 Verizon DBIR 2-part extravaganza. Gabe Bassett, one of the authors of the DBIR, joins Rafal & James to talk stats and lessons we can take away from the report.
Highlights from this week's show include...
We all talk patching... why it's hard, what we can do about it, and realities of patching
Gabe does more live data analysis
We get an insight into how long and how hard this report is to produce
Guest: Gabriel Bassett ( @gdbassett ) - Gabe is one of the writers and data scientists behind the Verizon DBIR. His LinkedIn is here: https://www.linkedin.com/in/gabriel-bassett/
DtSR Episode 348 - Verizon 2019 DBIR Double-Live Part 1 (May 29, 2019, 32:42)
Friends & listeners - welcome to the 2019 Verizon DBIR 2-part extravaganza. Gabe Bassett, one of the authors of the DBIR, joins Rafal & James to talk stats and lessons we can take away from the report.
Highlights from this week's show include...
Gabe distinguishes between an incident and a breach - for those of you who need the refresher
Gabe dives into the stats to talk about small businesses, and the impact of breaches on them
Gabe does some live data science for us, pulling in stats on-the-fly
We avoid the 'patching' discussion (that's for the 2nd half)
Guest: Gabriel Bassett ( @gdbassett ) - Gabe is one of the writers and data scientists behind the Verizon DBIR. His LinkedIn is here: https://www.linkedin.com/in/gabriel-bassett/
DtSR Episode 347 - Inside the RH-ISAC (May 21, 2019, 37:10)
This week, Tommy McDowell who is the Vice President at the Retail and Hospitality Information Sharing and Analysis Center, joins Rafal in person, in Dallas.
Highlights from this week's show include...
Tommy gives us a background on himself, and the RH-ISAC (and its mission statement, and such)
Tommy & Rafal discuss the difficulty in setting up an information sharing center
Tommy gives us insights into why retail and hospitality need their own unique threat sharing network
Guest: Tommy McDowell - https://www.linkedin.com/in/tommy-mcdowell-97184116/ - It's easier to just let you go look at Tommy's page on LinkedIn. He's got a storied, and very interesting, career that we could not possibly do justice to here.
DtSR Episode 346 - Green Waxes Mostly Academically (May 14, 2019, 46:53)
This week, Rafal gets the rare occasion of sitting down face-to-face with someone and doing an interview in person. Andy Green is a great if not sharky fellow, who helped me get over my PG rating for this podcast. So... it's probably PG-13.
Highlights from this week's show include...
Andy talks about BSides Atlanta and the labor of love that is getting a conference stood up
We talk about conference drama - because we all need more of that in our lives
Andy discusses academic programs, shaping young minds, and being a universally beloved professor (not)
Guest: Mr. Andy Green ( @SecProfGreen ) - Andy is a lecturer of Information Security at Georgia's Kennesaw State University. When he's not running Atlanta's BSides ATL he teaches classes in the Information Security and Assurance degree program, in the Information Systems department of the Michael J. Coles College of Business at Kennesaw State University.
DtSR Episode 345 - RaffCon the Podcast (May 7, 2019, 41:30)
This week on the podcast, Rafal gets some one-on-one time with Raffael Marty... and it's #RaffCon.
Highlights from this week's show include...
Raf & Raffy discuss the origins of #RaffCon
Raffy talks through Artificial Intelligence... in security
Raf and Raffy dive into "risk management"
Guest: Raffael Marty ( @raffaelmarty ) - Data analytics and visualization enthusiast. Interested in large-scale big data and cloud infrastructures to support cyber security use-cases. "How can we assist users to gain deep insight into large amounts of data?" I have spent a lot of time building and defining the security visualization space through open. I oversee Forcepoint's X-Labs, a specialized department within Forcepoint that is responsible for behavior-based security research and the development of predictive intelligence. In addition to traditional threat and security intelligence, we are the home of data science, machine learning, and artificial intelligence within Forcepoint.
DtSR Episode 344 - You've Probably Been Pwned (May 1, 2019, 40:58)
This week, Rafal is joined by the man, the myth, the Aussie legend - Troy Hunt. We basically talk about whatever is on his mind - which, as it turns out, is a lot. Take a listen, we may publish an English translation later (joking, Troy!).
Highlights from this week's show include...
Troy gives a run-down on HaveIBeenPwned
We talk through some of the interesting use-cases for HaveIBeenPwned data
Troy gives perspective on usernames, passwords, and other important things technology/security related
Guest: Troy Hunt ( @TroyHunt ) - Troy is a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.
I created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.
Short of the odd donation, all costs for building, running and keeping the service currently come directly out of my own pocket. Fortunately, today's modern cloud services like Microsoft Azure make it possible to do this without breaking the bank!
DtSR Episode 343 - The 31st Human Right (Apr 23, 2019, 39:46)
This week, on a riveting edition of Down the Security Rabbithole Podcast, Raf sits down with Richie Etwaru, a human data ethicist and Founder and CEO of Hu-manity.co.
What's a human data ethicist, you ask? Listen to the podcast, and find out.
Highlights from this week's show include...
Richie walks us through data ownership as a fundamental human right, including why now is the right time in history
Raf and Richie discuss the principles of data ownership and how they're different from privacy or security
Richie discusses data ownership as a great leveling factor for society
SO much more...
Guest: Richie Etwaru - Richie Etwaru is a human data ethicist and the Founder & CEO at Hu-manity.co where he is responsible for vision, strategy and execution focus for the company. He is driven to reshape the world by creating a new data economy, where inherent human data is legally human property.
He has held c-level roles at Fortune 500 companies for two decades, and serves as advisor to venture capitalists, startups, governments, academia, and large organizations on transitioning to Trust Companies.
Richie's book "Blockchain Trust Companies: Every Company is at Risk of Being Disrupted by a Trusted Version of Itself" (2017) is used by universities, consulting organizations, and governments, and his TEDx talk "Blockchain Massively Simplified" has been viewed almost 1 million times.
DtSR Episode 342 - Michael Coates Has Things to Say (Apr 16, 2019, 36:23)
This week on episode 342, Michael Coates joins Rafal & James for the 2nd time. Michael's first episode was way, way back in 2015 on episode 134 titled "Fundamental Security". Looks like things haven't changed much.
We highly recommend you check out episode 134 first, then listen to this one. Trust us, you want the context.
Highlights from this week's show include...
Michael gives us an opinion on "what's changed" in the last decade or so
Michael discusses "risk", "technical risk", and the Inigo Montoya problem in security
Michael gives an overview of what he thinks the profile of the CISO should be
Michael gives his take on why he thinks low false-positive rates are important and automation is the future
Guest: Michael Coates ( @_mwc ) - All you need to know is here, on his LinkedIn page: https://www.linkedin.com/in/mcoates/
DtSR Episode 341 - Discussing Security Reference Architecture (Apr 9, 2019, 32:23)
This week, in the final installment of "Live from RSA Conference 2019", Rafal interviews Mark Simos, who is the definitive source for reference architectures at Microsoft. He's the Lead Architect in the Enterprise Security Group and he's doing some amazing things for the community with regards to the Azure cloud and other Microsoft-related security things. Give this episode a listen and share it... maybe listen again and take good notes!
Highlights from this week's show include...
Mark discusses security reference architectures (in general)
Mark and Raf rap on the shared responsibility model for the cloud... again
Mark answers "What's different about security in the cloud?"
Mark raises the concept of "raising the cost to the adversary" for defenders...
Guest: Mark Simos ( @MarkSimos ) - Mark is Lead Architect in Microsoft's Enterprise Cybersecurity Group where he is part of a group of cybersecurity experts who create and deliver unique cybersecurity services and solutions to Microsoft's customers.
Mark has contributed to a significant amount of Microsoft cybersecurity guidance - most of which can be found on Mark's List (http://aka.ms/markslist)
Mark focuses on cybersecurity guidance to help customers manage cybersecurity threats with Microsoft technology and our partner solutions. Mark's current focus is on security assessments and roadmaps that span the spectrum of security topics including privileged access, high value asset protection, security strategies and operations, datacenter security, and information worker protection.
DtSR Episode 340 - Diana Kelley from RSA 2019 (Apr 2, 2019, 38:20)
This week, Down the Security Rabbithole Podcast is publishing episode 3 of 4 which were recorded LIVE at RSA Conference 2019. This episode features Diana Kelley, of Microsoft, talking about the latest security report and other goodies.
Highlights from this week's show include...
Diana discusses the highlights from the latest Microsoft Security Intelligence Report
Raf provides an opinion on how Microsoft could totally own the endpoint space
Rafal & Diana dive back into passwords... apparently, we just can't get away from them
Diana tells a really interesting story about Microsoft Windows Hello and twins
Guest: Diana Kelley - @DianaKelley14 - Microsoft Enterprise Cybersecurity Group Leadership team member. Represents Microsoft at global security conferences; authors industry analysis, white papers, and blogs on Microsoft security strategy and response to cyber threats. Contributes to the all-up security messaging and provides insight into the strategic vision and direction for the company in close partnership with marketing, business groups, and engineering, as well as working closely with the security PR and AR teams.
DtSR Episode 339 - Insuring Against Acts of Cyber War (Mar 28, 2019, 47:48)
This week, driven by the news cycle, and an interesting story... Rafal & James invite George and Shawn, as actual experts, onto the show.
Highlights from this week's show include...
This news story - https://www.infosecurity-magazine.com/news/zurich-refuses-to-pay-out-for/
George & Shawn discuss the language of cyber policies
We discuss language, inclusions, exclusions, and such
George brings up Information vs Cyber security
Other links related to this podcast:
https://www.hstoday.us/subject-matter-areas/cybersecurity/perspective-economic-strength-and-cybersecurity-interplay-in-u-s-china-trade-policy/
https://www.hstoday.us/subject-matter-areas/cybersecurity/perspective-5g-and-the-scrutiny-of-huawei-could-herald-cybersecurity-shift/
https://www.bizcatalyst360.com/tearing-us-apart-at-ludicrous-speed/
https://www.bizcatalyst360.com/economic-leverage-a-smarter-user-two-things-to-improve-cybersecurity/
https://www.itspmagazine.com/from-the-newsroom/command-of-the-cyber-sea
DtSR Episode 338 - Failure of Risk Management (Mar 19, 2019, 35:26)
This week, part 2 of a four-episode set recorded live from RSA Conference 2019. This time, it's Phil Beyer's turn at the microphone...
Highlights from this week's show include...
Phil talks up "The failure of risk management"
We discuss the realities of risk management
Raf asks "How do we make more informed risk decisions?"
Raf and Phil talk through threat models and why they're relevant
...and so much more
Guest: Phil Beyer - https://www.linkedin.com/in/pjbeyer/
DtSR Episode 337 - Insights on Cyber Talent (Mar 12, 2019, 40:25)
This week, in the first of a four-part "Live from RSA Conference 2019" series, Rafal interviews Deidre Diamond. Deidre knows a little something about cybersecurity talent, having worked in the field most of her professional career. We discuss all kinds of interesting and relevant topics...
Highlights from this week's show include...
Deidre presents her new "human model" for hiring, staffing, and retaining excellent talent
We discuss the difference between a good leader, and just a good manager, and why those aren't the same
We discuss the pay gap, why it's still a thing, and what's to be done about it
Deidre discusses the challenges women face in cybersecurity, and what's changing
Guest: Deidre Diamond ( @DeidreDiamond ) - https://www.linkedin.com/in/deidrediamond/ - in her own words:
Combining my 21 years of experience working in technology and staffing, my love for the cybersecurity community, and a genuine enthusiasm for people; I created Cyber Security Network (http://www.cybersn.com), a company transforming the way Cyber Security Professionals approach job searches. CyberSN.com will remove the frustration from job-hunting, and aid in interpersonal connections and education.
Throughout my career, I have built large-scale sales and operations teams that achieved high performances. Creating cultures based on an anything is possible attitude allows people to achieve above and beyond the usual. By establishing an open communication framework throughout an organization; I have created cultures of positive energy, career advancement, and kindness, that enables teams to reach beyond peak performance and have fun at work.
DtSR Episode 336 - Energy Sector Security Update Q1-2019 (Feb 26, 2019, 40:34)
This week, Patrick Miller joins Rafal to provide an update on the energy sector, and what's different (or not). Another episode with a returning guest who continues to provide timely and important updates on key "big picture" security issues.
Highlights from this week's show include...
Patrick gives us a "state of the union" update on what's going on in the power industry with security
Raf asks "are we getting better... or worse?"
Patrick discusses IoT, IIoT, and "everything has an IP address"
Patrick tells a story about his recent encounter with a 386 & DOS 2.2 (if you know what this is, you're old)
DtSR Episode 335 - Ranking the Adversaries (Feb 19, 2019, 31:48)
This week, in a special episode, Dmitri Alperovitch of CrowdStrike joins Rafal to talk about a brand new report that CrowdStrike is releasing. The CrowdStrike 2019 Global Threat Report is a must-read with some very interesting topics covered. Dmitri joins Rafal to talk specifically about the ranking of threat actors, and what it means to you.
Highlights from this week's show include...
Dmitri explains "breakout time" and why it's important
Dmitri gives a walk-through of the methodology used to rank your global adversaries
Dmitri & Rafal talk through who's on first, and what's up with China
Rafal & Dmitri talk about what this report means to you sitting at your desk playing defender
DtSR Episode 334 - Compliance and Operational Process (Feb 12, 2019, 38:23)
This week, on the DtSR Podcast, Rafal is joined by Matt Herring, long-time listener and first-time caller. We talk through Matt's career path, and how he got to head up a global security operations team. It's a pretty interesting story - you should listen.
Highlights from this week's show include...
Matt talks us through how he got into being an auditor
Matt and Raf compare and contrast compliance and security (yes, really)
An uncomfortable discussion on market consolidation ensues
Matt gets put on the spot for leading and trailing indicators, provides some insights
Guest: Matthew Herring - @MatthewDHerring - Found on LinkedIn here: https://www.linkedin.com/in/matthew-herring-cissp-63277038/
DtSR Episode 333 - Security Evolution and Trends (Feb 5, 2019, 48:19)
This week James and Rafal talk to Sean Martin, one of the people who has been quietly making a difference in the security industry for almost three decades. Sean is credited with many innovations, ideas, and trends... and he spends some time discussing that with us.
Highlights from this week's show include...
We collectively, and quickly, make fun of the SIEM (yesterday, today, and next decade)
Sean talks through the "feature companies" that have been hitting the market in recent years
Raf brings up the idea that we really don't understand the impact of the technology we create for 10+ years - what does that mean for security?
DtSR Episode 332 - Security in Transformation (Jan 30, 2019, 40:02)
This week, long-time friend and colleague Jenn Black (doer of interesting things) joins James and Rafal on the podcast to talk about the role of security leaders in the digital transformation efforts of enterprise shops. Interesting conversation ensues.
Highlights from this week's show include...
Jenn, James, and Rafal discuss the role of the security lead in enterprise digital transformation
Jenn shares some of her experience in aiding CISOs with building security programs to support 'the business'
We make light of the fact that it's a million degrees below zero up north
Guest: Jenn R. Black ( @JennRBlack ) - With over 18 years of experience within IT and cybersecurity managed services, Jenn helps companies manage their cybersecurity threats, vulnerabilities, and risks to meet regulatory and business needs, while driving process efficiency. As a consultant in a cybersecurity practice, she works closely with clients to define their cyber strategy and create roadmaps and solutions to meet the company's security objectives.
DtSR Episode 331 - Incident Response and Counterfactuals (Jan 23, 2019, 41:01)
This week, second-timer Jon Hawes is back for another trip to the microphone to talk about his interesting take on risk, response, and the security world we live and breathe. With interesting anecdotes and a firm grasp on real-world risk discussions, Jon and Raf have a pretty enlightening chat you will benefit from.
Highlights from this week's show include...
Jon discusses the concept of a "counterfactual"
Jon discusses feedback loops in how incidents are handled
Jon and Raf talk through how security professionals discuss 'risk' and what we can do to better the conversation
Guest: Jon Hawes - https://www.linkedin.com/in/jonhawes/
DtSR Episode 330 - Biometrics for Authentication (Jan 15, 2019, 36:42)
This week, James and I sit down to discuss biometric authentication and some of the FUD around ways it can be broken. This ends pretty much the way you think it does.
Highlights from this week's show include...
James & Raf talk about how hackers used a "wax hand" to fool a vein auth system - Link: https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug
Fingerprint authentication to start your car?! We take this discussion to task - Link: https://www.forbes.com/sites/jeanbaptiste/2018/12/27/hyundai-motor-lets-drivers-use-fingerprints-to-unlock-and-start-new-car/
James & Raf deconstruct the arguments for and against biometric security
We ask "Does it matter that biometric auth is hackable?"
DtSR Episode 329 - Volunteering Your Career (Jan 9, 2019, 40:08)
This week, on the DtSR Podcast recorded way too early on a Monday morning, we talk volunteering in InfoSec with Kathleen Smith. Kathleen is the CMO of ClearedJobs.net and CyberJobs.com - and she recently ran a volunteerism survey (link: https://cybersecjobs.com/cyber-security-community-volunteering-report) you should probably check out too.
Highlights of this week's show include...
Kathleen discusses some of the highlights of the survey
We discuss some of the things volunteers learn, and why this is critical to our community
Several jokes are made
We discuss the value of volunteering and its impact on your career
and much, much more
Guest: Kathleen Smith - @YesItsKathleen - CMO, ClearedJobs.Net/CyberSecJobs.Com, both veteran-owned companies; she spearheads the community-building and communications outreach initiatives catering to both organizations' many audiences, including security-cleared job seekers, cybersecurity candidates, and military personnel. Kathleen has presented at several security conferences on recruiting and job search within the cybersecurity world, including BSidesLV, BSidesTampa, BSidesDE, and FedCyber. Kathleen volunteers in the cybersecurity community; she is the Director of HireGround, BSidesLV's 2-day career track. Kathleen is well respected within the recruiting community, and is the co-founder and current President of recruitDC, the largest community of recruiters in the Washington DC area.
DtSR Episode 328 - Who Who Who Are You (Jan 2, 2019, 52:48)
This week, James and Rafal welcome in 2019 with a look at the fundamentally fatalistic argument that "everyone gets hacked" - with Richard Bird. They discuss whether that's even a valid statement, and if so, what can we do about it?
Highlights from this week's show include...
Richard addresses whether we've bought into a fundamentally fatalistic attitude towards security
The guys discuss what the real perimeter is, as we go into 2019
Richard schools the guys on identity - and why it's not the perimeter, but something else
Guest: Richard Bird - Chief Customer Information Officer at Ping Identity - Link: https://www.linkedin.com/in/rbird/
(Yes, Richard is the guy with the smashingly handsome bowties!)
DtSR Episode 327 - Experienced Security Leadership (Dec 19, 2018, 45:47)
This week James is back on the microphone with Rafal as they interview two industry veterans to talk about the right approach to security leadership, and developing that talent pool. We talk to Yaron and Setu to get a sense of their thoughts on where good security leaders come from, and the hallmarks of that experience.
Highlights from this week's show include...
- The curious case of the cyber head who doesn't computer
- Yaron and Setu give us their thoughts on developing security leaders
- Yaron shares some of his experience building a security program, across industries
- Yaron and Setu give us a few pieces of insight for current and future security leaders
DtSR Episode 326 - MidMarket SecurityDec 11, 2018 40:48
This week, go down the security rabbit hole with someone who has been working on security in the mid-market (likely the kind of company you work at, statistically) for a long time. Bob has some great lessons learned and is willing to share. Listen in.
Highlights from this week's show include...
- Bob gives a quick history of how he "hacked into hacking"
- A discussion of breaking into security
- Bob & Raf discuss security in the mid-market, and how it's fundamentally different from other market segments
- Bob discusses hiring, talent acquisition and "working from home" in today's job market
DtSR Episode 325 - A CISO at AWS reInvent 2018Dec 5, 2018 16:28
In another episode LIVE'ish from AWS re:Invent 2018 I catch perennial favorite and long-time friend Dustin Wilcox as he wandered the vendor show floor.
Highlights from this week's show include...
- Raf asks Dustin the obvious question - what's a CISO doing at a cloud expo?
- Dustin discusses some of the cloud transformation challenges for security teams
- Dustin unveils the three things he is currently most concerned about for security, in the cloud
- Dustin imparts a final piece of wisdom you won't want to miss...
Rafal's Guest:Dustin Wilcox - Vice President and Chief Information Security Officer at Anthem, Inc. - https://www.linkedin.com/in/dustin-wilcox-4896614/
DtSR Episode 324-1 - AWS reInvent 2018 Delivering SecurityNov 28, 2018 10:36
At day 2 of re:Invent 2018 I tracked down Arash Marzban, Armor's head of product to talk about his stage session and where the market is going for security - at a developer/builder focused cloud conference. This short conversation is quite interesting...
DtSR Episode 324 - AWS reInvent 2018 PreambleNov 27, 2018 24:09
This episode of the Down the Security Rabbithole Podcast is sponsored in part by Armor Cloud Security. Go check us out at www.armor.com!
This week's show is a multi-part release from AWS re:Invent 2018. We sit down with two of Armor's solutions consultants to discuss trends, insights from day 0, and discuss anticipated moves and market shifts.
Expect this to be an insightful episode where we dive into cloud security from a development and security perspective.
DtSR Episode 323 - Security of a Global EnterpriseNov 20, 2018 01:00:45
On episode 323, Richard Rushing (aka the "Security Ninua") joins us to talk about being the CISO of a global organization and multi-national enterprise.
Highlights from this week's show include...
- Richard talks to us about his background
- We discuss the unique challenges of a multinational enterprise
- Richard gives us some wisdom on how to approach "the business"
- Richard provides some advice for keeping prioritization and sanity
DtSR Episode 322 - The Ethics of Cyber Security PanelNov 15, 2018 50:41
This week #DtSR tackles the topic no one else wants to - ethics in cybersecurity. There are a lot of things to be said, so rather than writing them down here, go listen to the episode. Repeatedly.
Highlights from this week's show include...
- A base platform for the discussion on ethics
- Moral relativism, applied to cyber
- Law vs ethics
- Cultural ethics and relativism
- "Hacking back" - yes we went there
DtSR Episode 321 - Putting Threats In PerspectiveNov 6, 2018 48:10
** Go Vote **
Do your civic duty, and go vote. Heck, while you're standing in that long line to vote, listen to the podcast, we're not picky.
This week, Rob Graham joins Rafal and James (who's back!) to talk about various topics related to threats. We start with hacking voting machines, and it goes from there.
Highlights from this week's show include...
- We ask Rob to tell us what he knows about the Georgia 'hacking the election' case going on right now
- We discuss what the real threat to our elections is
- We ask Rob to tell us what he thinks the biggest threats are, and how we should approach them
DtSR Episode 320 - Specializing in ForensicsNov 2, 2018 40:51
This week, James Habben joins me in studio for what turns out to be an introspective walk through the evolving world of forensics.
Highlights from this week's show include...
- James gives us some background on how he got where he is
- We talk through some nostalgia
- James answers the "Is APT trying to get me" question, sort of
- We talk about things companies should be doing to prepare...
DtSR Episode 319 - Striking Out On Your OwnOct 23, 2018 47:48
This week, my good friend and entrepreneur Rock Lambros (of the newly formed Rock Cyber) joins me to talk about getting the itch to go out on your own and actually doing it. Many of us have thought about it, daydreamed, but very few do it. So hear an episode from someone who did...
Highlights of this week's show include...
- What motivates and drives someone to jump the safety net of corporate life and go off on their own?
- Rock gives us the secret to "How you know it's time"
- We discuss how you can avoid the failings of the typical "consultant"
- We talk through some very interesting strategy and advisory questions... (lots of gems in here!)
- Rock drops his list of things to think about/remember
- We discuss how to make security more than just a cost center
Links:Rock's new company - Rock Cyber "Navigating Security in a Brave New World" (www.rockcyber.com)
DtSR Episode 318 - War, Cyber and PolicyOct 18, 2018 38:20
This week the DtSR podcast tackles one of the thornier issues going around in the news. As the accusations of Russian hacking continue to mount, international leaders are speaking out and making bold statements that impact policy on a global level.
This topic needed to be addressed with some folks who have actual expertise in the matter - and with the understanding that what we have here are opinions and interpretations.
Highlights from this week's show include:
- A lively discussion on the implications of the term "cyber war"
- Jon and Dennis discuss the tone and context of the article in question: https://nltimes.nl/2018/10/15/netherlands-cyber-war-russia-defense-minister-says
- Rafal, Patrick, and Jon go a few rounds on other cyber matters as they pertain to the term "war" and its implications
If you listen to this episode and have a strong opinion - get on Twitter and use the hashtag #DtSR and let's discuss it! There is already a lively discussion started here: https://twitter.com/Wh1t3Rabbit/status/1051928507884875776
DtSR Episode 317 - Protecting Higher EducationOct 9, 2018 39:22
While James is away, Raf will podcast all day ...or something like that.
Highlights from this week's show include:
- Bill talks about what it's like to jump into a higher education system and try to play defense
- We discuss the role of governance, centralized policy, and management in higher education environments
- Bill discusses his view on the appropriate places to work in security, in a college/higher education environment
- We compare and contrast the experience of security in higher education against very large enterprise (the comparison may shock you)
GuestWilliam Reyor - ( @WilliamReyor ) - William is Fairfield University’s first CISO, is a former penetration tester, and has more than a decade of security and network engineering experience. He is also the Security BSides Connecticut co-founder. You can find Bill on LinkedIn here: https://www.linkedin.com/in/wreyor/
DtSR Episode 316 - NCSAM 2018Oct 3, 2018 39:13
So, it's October 2018, and it's National Cyber Security Awareness Month. Again.
James and I have a bit of an issue with this, as you'd guess. Why are we still talking about awareness when we need action? Are there really people out there saying "If only I had been aware that there are bad people trying to do bad things, I'd have done it differently"?
Highlights from this week's show include...
- We riff on the thing we talk about once a year (and not anymore)
- James takes a shot at passwords... fish, meet the barrel
- Raf gets a little upset that we've been talking about awareness since 2004 and nothing really changes
- Raf & James ask you to take action this year and tell us about it! Hashtag it #DtSR and tell us what you're doing for NCSAM 2018 that's going to make an actual difference
DtSR Episode 315 - Women in Cybersecurity-Mary CheneySep 25, 2018 51:38
On this episode of the Down the Security Rabbithole Podcast, Mary Cheney joins us fresh off her talk to the North Texas ISSA Women in Security group. She has such a colorful background and such great stories to tell - we just had to have her on the show.
Highlights from this week's show include...
- A walk-through of Mary's colorful and extremely diverse background
- Mary talks about burnout, as we pick up the topic from Ann Johnson's episode
- Mary talks about corporate "tools efficacy" and security's cry for wolves
- ...so much more!
DtSR Episode 314 - None of This Crap is SecureSep 18, 2018 54:11
This week, on DtSR Episode 314, the infamous (that's more than famous) John Strand joins us. No, not the male model ...the guy who's been an InfoSec legend since before you could walk.
Highlights from this week's show include...
- We take a stroll down memory lane
- We discuss the challenges with more complexity in development
- John takes us through what he thinks some of the faults are
DtSR Episode 313 - Cyber Law Update Sept 2018Sep 11, 2018 43:04
Friends, welcome to yet another edition of the Down the Security Rabbithole Podcast - as we invite perennial favorite Shawn Tuma onto the show! Shawn has a new office, a new law firm, and is giving us his take on what's new in the world of cyber and law. Listen in!
Highlights from this week's episode include...
- Shawn brings up "The GDPR" and the self-imposed disaster that it has become
- We dive into the problem with "all the data"
- Shawn explains the idea of "necessary and proper" and case law for data breaches
- Shawn tells us about cyber insurance and the scariest word in the vernacular ... "negligence"
DtSR Episode 312 - Ann Johnson on Mental HealthSep 5, 2018 41:59
This week Down the Security Rabbithole Podcast welcomes two very cool ladies from the InfoSec realm. First Ann Johnson of Microsoft (if you don't know Ann, you're living under a rock, honestly) is here to discuss a tweet she put out a while ago ( https://twitter.com/ajohnsocyber/status/1033934334720278528 ) on mental health in high-pressure jobs in InfoSec. If that wasn't enough, Jennifer Duman from Armor joins us as a guest-host to provide her experienced perspective as a road warrior.
Highlights from this week's episode include...
- Ann discusses the big deal with working from the road, in a high-pressure InfoSec job
- We discuss the impact being a road warrior has on mental health, families, and career
- Ann gives us some insight from the teams and companies she's worked with
- Ann gives us some thoughts on how to mitigate the mental health impact for InfoSec professionals
GuestAnn Johnson - Corporate VP, Cybersecurity Solutions @ Microsoft Twitter: @ajohnsocyber LinkedIn: https://www.linkedin.com/in/ann-johnsons/
Guest HostJennifer Duman - Director of North American Channels @ Armor LinkedIn: https://www.linkedin.com/in/jduman/
DtSR Episode 311 - Further the BrowserAug 29, 2018 39:47
This week we dive into the world of the web browser. A brief history, some discussion about what's wrong and how it's broken - and a few suggestions for what to do next. This is a complicated discussion - so you can bet we'll come back to it with your feedback!
Highlights from this week's show include...
- A brief walk-through of the history of browsing
- Solutions that tried, but ultimately failed, to solve the challenges
- An approach we've seen before - the "remote browser"
- Discussion on challenges and opportunities of the remote browser concept
- Discussion on Authentic8's approach and innovations
DtSR Episode 310 - RFP POC OMGAug 23, 2018 33:04
This week, Rafal & James discuss one of the bigger challenges that an enterprise security team faces today - evaluating new/replacement security tools and services. Listen close if you're on the enterprise side, and listen closer if you're selling to them.
Highlights from this week's show include...
- We address the difficulties of evaluating or replacing technologies or services
- Rafal takes you into the "better" trap, and how you can avoid it
- We discuss defining concrete problem statements
- James & Rafal talk through the challenges of defining good requirements and evaluating against them
- We address how to pick a winner - or not
DtSR Episode 309 - Digital Transformation, Take 2Aug 14, 2018 38:25
This week Nate Smolenski - Director, Cloud Architecture Services - joins us for an insightful discussion on the concept of digital transformation for the enterprise. Many companies are undergoing a digital transformation, or have done so already, and it's up to security, once again, to catch up.
Nate brings a truckload of experience and evidence into the conversation, and as a security professional and practitioner you should absolutely listen to this episode. Twice.
Highlights from this week's show include...
- Answering: What in the world is "digital transformation"?
- Discussion around the seeming "take 2" we're embarking on, as security professionals
- Enterprise security's role, or not, in digital transformation
DtSR Episode 308 - Theoretical and Applied FuturismAug 8, 2018 45:01
Friends, this week's episode is truly unique. We talk to a gentleman whose job it is to think big, and into the future in a big way.
Jeremy Nulik is the "Evangelist Prime" at Big Wide Sky - an organization that looks to think big, and solve big problems, in big ways. This is an incredible journey into problem-solving on a grand scale.
Highlights from this week's show include...
- An overview of futurism, as an abstract tool for problem-solving
- A discussion on the roots of futurism
- Overview of how futurism is applied today
- The four key approaches in applied futurism
- Applying futurism to problem-solving in information security
Links you need to check out:https://medium.com/@bigwidesky/create-a-culture-that-embraces-vision-8557ad03d55 https://www.linkedin.com/in/jeremynulik/ https://bigwidesky.com/#Jeremy-Nulik
DtSR Episode 307 - Building and Teaching in ChicagoAug 1, 2018 33:34
On this episode of the Down the Security Rabbithole Podcast, Rafal is in Chicago for a few days and visiting with a long-time friend and colleague, Don Donzal. Don has some great history in the Chicago hacking and security professional scene, so we take a stroll down memory lane, talk about what he's doing now, and take a long look ahead. Join us!
Highlights from this week's show include...
- Don gives us a little insight into where Ethical Hacker Network got started
- A history of Chicago Con - anyone been?
- Life, family, career - and how balancing all of that and still doing what you love is important
- A look into the future of the new venture!
DtSR Episode 306 - Balancing Family and CareerJul 25, 2018 46:35
This week, we tackle a topic that should not have taken 306 episodes to get to - balancing family and work while growing a career in Information Security. Britney hits the high points with us, and takes us down the road of what it's like being a mother and security leader - as we explore the topic for everyone who is in our field.
Highlights from this week's show include:
- Who does this apply to?
- Are you being asked to choose?
- Becoming adaptive
- When you should bend and when you should concede
- Creating your own space
- Confidence
- Benefits of blending
DtSR Episode 305 - Security for the Mid-marketJul 17, 2018 42:49
Do you work at a company that's too big to be "small business" but too small to be "large enterprise"? You're probably in that place known as the "mid-market". Many of the large vendors don't pay attention to you, and yet you still have all of the same problems big companies do - just without all the budget. What do you do? Listen to this episode of DtSR and find out what we think.
Highlights from this week's show include...
- Addressing the "tool" or "staff" conundrum
- Who's manning all those dashboards? Staff-to-dashboard ratio
- How do you prioritize, when you can't multi-thread?
- Giving up isn't an option, so what do you do?
DtSR Episode 304 - Transforming SecurityJul 11, 2018 41:37
This week, James and I interview a former Optiv colleague and advisor to many Fortune 250 CISOs in his long career, our friend Ron Kurisczak. Ron's long and successful career has included time spent truly transforming the way security functions, and how it's seen in the boardroom. Spend 35 minutes and hear his take on where we've been, and why right now is so crucial to our future.
Highlights from this week's show include...
- Why are we transforming security?
- Data classification, operation policies
- Tracking key performance indicators (KPIs) against the new rules of security
- Who's getting through, how long did they have, what did you do to eradicate?
- What are we measuring - how do we define "maturity" in security programs?
- Understanding how we measure long-term losses from security failures
- Moving into a truly risk-based security program, and away from "how much are my peers spending?"
DtSR Episode 303 - Advising Security LeadershipJul 3, 2018 38:19
Thanks to my friend Brian Wrozek for joining us this week on Down the Security Rabbithole Podcast. Brian's long career as a CISO has broken several 'typical' molds... so he's a fantastic person to join us to talk about the things CISOs should be thinking about.
Highlights from this week's show include...
- Prioritizing projects as the CISO
- Getting support from the outside, because "we hired you to know this"
- Refreshing and revisiting completed projects/tools to optimize and see value
- Security is additive, we never really take anything away - is this a problem?
- Red team, blue team, purple team ... what happened to penetration testing?
- Automation, orchestration, automated response to bad
- Risk management, and "back to the basics" is still broken
- Breach after breach after breach - and nothing's changing
DtSR Episode 302 - InfoSec Superhero SyndromeJun 26, 2018 38:31
This week, as DtSR rolls on to Episode 302, we talk with John Svazic who is a Cloud Security Architect for a day job and runs the Purple Squad Security Podcast in his spare time. His perspective on the idea of an "infosec army of one" is one that many of us share, and it needs to be solved.
Highlights from this week's show include...
- Trying to solve everything on our own... burn out or flame on
- Working as a lone wolf can be detrimental to your career, and sanity
- Working as an individual within an enterprise team
- Perspective for the business requires others
- Case in point - application security jobs
- Purple teams - the ultimate collaboration, not me vs you
DtSR Episode 301 - Julie Conroy on eFraud and IdentityJun 19, 2018 41:09
This week on Episode 301, James is off and I have a one-on-one conversation with Julie Conroy from Aite Group on the topic of global fraud. It's a fascinating conversation that winds through the fringes and often unexplored corners of enterprise security. Check it out, and special thanks to Julie for taking the time out of her busy schedule.
Highlights from this week's show include...
- A brief glimpse into the impact of enterprise security on global fraud
- Julie talks through identity, and how enterprise security can positively impact fraud
- Account takeovers - the thing we all fear but struggle to solve
- Balancing security with usability and convenience
GuestJulie Conroy - ( https://www.linkedin.com/in/julie-conroy-6997/ ): Julie is an experienced product management executive with a proven track record of revenue growth and innovation.
DtSR Episode 300 - ReminiscingJun 14, 2018 54:37
Thank you, listeners!
Down the Security Rabbithole has reached milestone episode #300.
In this episode, James and Rafal sit down with nothing more than an open mic and talk through topics the podcast has previously covered, and others we still have yet to cover.
Join us. And a personal thank you to all of our guests over the past 300+ episodes... we are looking forward to much more great content to come!
DtSR Episode 299 - Leadership Lessons w Chris AbramsonJun 5, 2018 41:29
Special thanks to Chris for doing this in-person. It was a fun conversation and always a pleasure!
Highlights from this week's show include...
- Chris and I talk about measuring 'risk'
- We discuss 'brittle systems', which apparently are still alive and kicking
- Risk analysis, cloud computing, and your business
Guest: Chris Abramson ( @cabramson50 ) - Director, Information Security Delivery & Engineering; team-oriented Enterprise Information Security Management professional seeking to improve the security of organizations through education and practice. Qualifications include a bachelor's degree in computer science; CISM, CISA, CEH and ECSA certification; and an understanding of industry, state and federal regulatory standards. Ten years of experience in the creation and deployment of information security solutions for protecting the networks, systems and data assets of a Fortune 50 company.
DtSR Episode 298 - Overcoming the Language BarrierMay 29, 2018 50:36
Two more episodes until we hit #300...what a crazy ride it's been! Thanks for taking the journey with us, and we're looking forward to having you along for another 300 (maybe).
Highlights from this week's show include...
- Applications of DoD security in a non-DoD world
- The meaning and elements of the risk equation
- Understanding (making sense of) the risk equation
- Swimming in the swamp of marketing literature
- AppSec as an area of expertise (again, and again, and again)
Go see Jeff at Circle City Con if you're attending. He's giving a talk ( https://circlecitycon.com/talks/rethinking_cyber_security_given_the_spectre_of_a_meltdown_someone_hold_my_beer/ ) titled "(Re)Thinking Cyber Security Given the Spectre of a Meltdown: (Someone Hold My Beer)"
DtSR Episode 297 - A Model for Prioritizing Patching EffortsMay 22, 2018 48:46
Before you listen to this podcast ... go grab this report: https://www.kennasecurity.com/prioritization-to-prediction-report/ from Kenna Security and the Cyentia Institute. Read it. Think about it. Then listen to this show.
Highlights from this week's show include...
- A high-level walkthrough of the model the authors developed, and the many interesting insights
- Why what you're doing now is probably as good as random chance
- A deeper discussion on cause and effect of patches, and trying to do everything
So much more! While you're listening to the show, hit us up on Twitter using the hashtag #DtSR or tweet to @DtSR_Podcast!
GuestsJay Jacobs ( @JayJacobs ) Wade Baker ( @WadeBaker ) Michael Roytman ( @MRoytman )
DtSR Episode 296 - Hype Machine Off the RailsMay 15, 2018 52:35
This week, former analyst and security industry veteran Adrian Sanabria joins James & Rafal to talk about some of the hype in our industry. From current events, to learning lessons, to the on-going master-class in bullsh*t we convince ourselves of - this podcast is a riveting (although slightly longer) episode of free-flowing discussion.
Highlights from this week's show include...
- We discuss #eFail - and the circus maximus of ridiculousness that it currently is
- Adrian gives us some views on believing our own nonsense
- We attempt to discuss how we got to this point
- Much more!
DtSR Episode 295 - DevSecOps is Not a ThingMay 9, 2018 47:37
This week, Mark Nunnikhoven joins us from the great white North. All the way from Ottawa, Canada - Mark talks with James and Raf about cloud computing, DevOps, and some silly things security folks are doing to undermine themselves in the brave new world.
Highlights from this week's show include...
- A brief discussion on moose and Canada
- Why none of us believe "DevSecOps" is a thing
- Deploying security into modern code development practices
- Much, much, much more
Guest: Mark Nunnikhoven ( @MarkNCA ) - Vice President, Cloud Research at Trend Micro. Mark has way too many credentials and accolades to list here; go read his LinkedIn page, or check out "Mornings with Mark" on his Twitter feed daily.
DtSR Episode 294 - Securing AzureMay 2, 2018 40:39
* Special thanks to Microsoft for giving DtSR access to fantastic guests, and printing t-shirts & stickers for RSA Conference 2018. Please help us say thank you and check out all of the MS announcements at https://microsoft.com/rsa and if you really want to check out something amazing where IoT and cloud collide, check out https://microsoft.com/azure-sphere.
On this second special episode of the podcast live from RSA 2018, Raf sits down at RSA Conference 2018 with a gentleman you may not know but you should, Avi Ben-Menahem. We discuss what it's like in terms of effort, scope, and sheer talent, to take on the monumental task of securing the Azure public cloud platform. Avi shares his insights, and drops us some interesting tidbits on the day in the life of someone working at truly hyper scale.
Again, special thanks to Jessica and the Microsoft team for some truly unprecedented access.
DtSR Episode 293 - Diana Kelley from RSA 2018Apr 24, 2018 39:29
* Special thanks to Microsoft for giving DtSR access to fantastic guests, and printing t-shirts & stickers for RSA Conference 2018. Please help us say thank you and check out all of the MS announcements at https://microsoft.com/rsa and if you really want to check out something amazing where IoT and cloud collide, check out https://microsoft.com/azure-sphere.
On this very special episode of the podcast, Raf sits down at RSA Conference 2018 with the one and only Diana Kelley to talk data integrity, crisis communication, and fear-based selling in security.
Again, special thanks to Jessica and the Microsoft team.
GuestDiana Kelley ( @DianaKelley14 ) - Diana is the Cybersecurity Field CTO for Microsoft, a cybersecurity thought leader, practitioner, executive advisor, architect, speaker, author and co-founder of SecurityCurve. More here: https://www.linkedin.com/in/dianakelleysecuritycurve/
DtSR Episode 292 - Navigating Industry Conferences (RSA)Apr 17, 2018 42:38
This week, James is back and he and Raf sit down for a discussion on navigating the big industry conferences, as RSA Conference kicks off in San Francisco. We add just the right bit of snark to your day, and provide some much-needed commentary on the industry, conferences, and survival.
Highlights from this week's show include...
- A quick overview of RSA Conference
- Getting value, learning something, or whatever else
- Buzzwords, and navigating marketing speak
- Attendee personas: buyer, attendee, vendor - there is a huge difference in how you experience a conference from these angles
- Feature, product, or startup (sometimes they're the same thing!)
- Tips, tricks and ideas for having a successful experience
DtSR Episode 291 - A New Perspective On Endpoint (Nyotron)Apr 10, 2018 39:06
[This week's episode and fantastic discussion on endpoint security is sponsored by Nyotron]. DtSR listeners already know we don't do advertisements or traditional sponsorship - so when we bring in a sponsored guest it's because we believe the topic is interesting and the guests have a genuinely interesting point of view.
On that note...
The topic this week is the endpoint. Yes, the endpoint - the place where security started, and was subsequently abandoned, and reborn. Whether you're talking about virtual cloud workloads, laptops or other types of endpoints - we can all agree on the fact that there are too many buzz words, too many tools, and too many 'solutions' to the various ailments of the endpoint. This week we dive down the rabbit hole with Rene and Nir, from Nyotron, to hear their unique perspective and get an understanding on why they think their approach to this very difficult problem is worthy of your time.
I invite you to give this episode a listen, as it's a bit of a pilot for us. If you all enjoy it, we will do 1-2 of these per quarter ... if the audience votes that these add no value, we will give it more thought.
If you're coming out to RSA 2018, come see demos of live attacks (including Rubber Ducky) and learn more about Nyotron's technology at the RSA Conference - South Hall, booth #1639.
More information on Nyotron, which we invite you to check out, is here:
- Nyotron's latest OilRig report - https://nyotron.com/oilrig/
- Background on Nyotron's technology - https://nyotron.com/wp-content/uploads/2017/01/Nyotron-Positive-White-Paper_1-10-2018.pdf
- Endpoint security assessment - https://nyotron.com/bpt/
Don't forget the hashtag #DtSR on Twitter and you can find us on LinkedIn as well!
Thanks to Rene and Nir of Nyotron for the discussion and recognition of the DtSR audience!
DtSR Episode 290 - What Ails the CMSApr 3, 2018 42:00
This week on the Down the Security Rabbithole Podcast, Tony Perez stops by for an early morning chat about the content management systems we in InfoSec love to hate on. We talk about Drupal, Wordpress and all the other CMSes out there that have similar issues.
Highlights from this week's show include...
- Why start a company that does CMS security (they're hopeless anyway, right?)
- How many of the most popular CMSes are actually not as bad as you may think, security-wise
- The core, the plug-in infrastructure, and plug-ins
- Finding, responding to, and fixing bugs in the modern software world
GuestTony Perez ( @Perezbox ) - [Tony has perhaps one of the coolest LinkedIn write-ups, so I'm pasting it here.] Tony is a proven business leader and operator. He is a former US Marine (2000 - 2005), and former CEO of Sucuri (2011 - 2017), a website security platform that was acquired by GoDaddy in April 2017. He has proven experience taking a security product from startup to a global, multi-national, organization.
His core competency revolves around: leadership, management, marketing, product position, product pricing, sales, business institutionalization, revenue and organizational strategy.
He believes that our greatest responsibility in sales and marketing is to bridge the gap between the value a customer expects from your product, and the value you assume you are delivering.
He brings with him an intoxicating level of energy, work ethic and passion. Excelling in high-tempo environments, and executing flawlessly against strategies. He is adamant about self-reflection and self-actualization, placing energy on learning his weaknesses and building on them.
He is horrible at spelling, but amazing at motivating people. He is known for challenging people to be better, to strive for more, to never settle for the cards they've been dealt. He was a leader of Marines, and today he's a leader of people, technology and industry.
DtSR Episode 289 - Neither Security Nor PrivacyMar 27, 2018 49:38
This week, join DtSR as Rafal sits down across the virtual table with the one and only Robert Hansen. Rob (aka @Rsnake ) discusses his roots of being an almost-bad-guy, to the security of browsers, and privacy. Plus we get to reveal something pretty awesome...
Highlights from this week's show include...
- Rob's fascination with alien conspiracy theories
- A back history of browsers you've never heard of, that you benefit from today
- Google...
- Security vs. Privacy - why you don't actually get either
- A secret reveal from Rob about his exciting new venture
DtSR Episode 288 - Experienced OpinionsMar 20, 2018 50:24
This week, while James was out on family duty, I sat down on a Saturday morning with my good friend Will Gragido to talk security. Will is an industry old-timer (sorry buddy, we're old) and has some seriously valid opinions on many things. We discuss some interesting topics, and apologize for nothing.
Highlights from this week's show include...
- It's conference season again... and time for more buzzword bingo
- Marketing people are the worst... except we're all complicit
- Threat Intelligence. Again. Still. Yep.
- Let's go hunting for threats - who should have a threat hunt team, and why
- Mergers, acquisitions, and the future of our industry
Guest: Will Gragido ( @WGragido ) - Will Gragido is a seasoned security professional with over 20 years' experience in networking and information security. Will's extensive background is the result of his service as a United States Marine, a consultant with the world renowned International Network Services, Internet Security Systems (now IBM ISS), McAfee, Damballa, Cassandra Security, RSA Netwitness, Carbon Black, Digital Shadows and now Digital Guardian where he leads the organization's Advanced Threat Protection Product Line as its Director.
DtSR Episode 287 - Armored and Battle TestedMar 13, 2018 46:19
In case y'all don't read LinkedIn or Twitter - Rafal recently joined Armor (Armor.com), so what better time to interview the CEO Chris Drake than right now.
So this week, Chris Drake joins us in the studio to talk about his background (which is quite interesting, by the way) and how he got to start a fast-paced cloud security-as-a-service company.
Highlights from this week's show include...
- The road starts with jumping out of airplanes
- The Butterball story
- More discussion on challenges with existing security models
- Security-as-a-Service vs. Managed Security (MSS) - differences and big differences
Guest: Chris Drake, Founder and CEO of Armor ( @ChrisDrake ) - Chris is currently the founder and CEO of Armor, a fast-paced cloud Security-as-a-Service provider. If you want more on Chris, you'll have to listen to the podcast.
DtSR Episode 286 - Breach vs Incident vs LawyersMar 6, 2018 44:53
This week's DtSR Podcast sits down in the offices of Shawn Tuma to discuss an update on the law with regards to data breaches, or incidents - and what the differences between them are. We talk through current events, past history and look into the future a bit.
Highlights from this week's show include...
- the legal differences in the words we use (breach vs. incident)
- notification and disclosure in a global economy
- planning, preparation, and the big day
- costs - specifically around insurance - when things go badly
- right to sue for current, and future, damages (did they really happen?)
- overview of GDPR, and the cornucopia of other local, regional, national, and international laws as they are evolving
Guest: Shawn Tuma ( @ShawnETuma )
DtSR Episode 285 - Alt-Tab Alt-Tab Swivel-ChairFeb 28, 2018 48:28
We have a treat for you folks this week!
On episode 285 of the podcast I'm joined by three well respected, forward thinking, and entrepreneurial-minded security executives to talk about some of the challenges they see in the industry and what they're doing to solve them.
From cloud, to threat intelligence, staffing, and other scaling issues - we address the issues head-on, and provide some insight into what these three are thinking going forward.
*The audio quality isn't the usual high-quality I expect to publish, so my apologies for that in advance. Somewhere the recording tool I use had an issue, but I did my best to make sure you could hear the speakers clearly. Apologies for the background noise on this recording.
Guests: Susan Magee, Dustin Wilcox, Jason Clark
If you've noticed the new logo, it's courtesy of a phenomenal artist, whose name is Peter Czaplarski. Yes, you too can hire him to draw amazing things for you; you can find him here: http://fb.com/CzaplarskiArt. Peter is also the artist behind Vengeance Nevada (found here, for you comic lovers: https://www.comixology.eu/Vengeance-Nevada-1/digital-comic/593731 ) and has been an artist in many other venues. We highly encourage you to give his Facebook page a like!
DtSR Episode 284 - MSS SOSFeb 20, 2018 50:47
This week on the Down the Security Rabbithole Podcast, Raf and James welcome long-time friend of Rafal's - Scott Stanton - to the microphone. Scott's able to join Raf in person in Atlanta, while James is predictably on the other end of a Howdy Doodie (you'll get this if you listen).
This week, we tackle the MSS issue (Managed Security Services providers) again, but with a fresh angle where we aren't just spending the entire time bashing something we all rely on - but rather providing some constructive feedback into MSS providers from an enterprise perspective. And reminiscing a little. A lot.
Join us! And spread the word!
Guest: Scott Stanton ( @Scott_Stanton ) - Information Security leader with experience in the High Tech, Manufacturing, Engineering, Services, and Energy industries. His technical depth includes application development, IP networking, operating systems, virtualization, and storage systems. Scott is currently the Senior Manager of Infrastructure Security at a medical technology company.
DtSR Episode 283 - Testing Security Into ApplicationsFeb 13, 2018 49:46
This week an old friend, Vinnie Liu of Bishop Fox, joins Raf and James to talk about the history of App Sec. We started trying to test ourselves secure, and we continue to come back to it - so this episode is a walk down memory lane and a glimpse into the future of application security.
Don't forget to like us on iTunes and share with your colleagues!
Guest: Vinnie Liu ( @VinnieLiu ) - Vincent Liu (CISSP) is a Partner at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. With nearly two decades of experience, Vincent is an expert in security strategy, red teaming, and product security; and at Bishop Fox, he oversees firm strategy and client relationships.
DtSR Episode 282 - DDoS - Past, Present, and FutureFeb 7, 2018 43:26
Join us this week on Down the Security Rabbithole as Barrett Lyon (who knows a thing or two about DDoS) is our guest to talk about the evolution of the art and science of kicking people off of a network. Barrett is the authority on DDoS, with over 20 years in the field, going back to when angry teenagers flooded each other off of IRC servers.
This is a fun episode that walks through DDoS - where it came from, how it evolved, and what we can expect in the future. TL;DR: yes... your fridge may one day DDoS your toaster.
Guest: Barrett Lyon ( @BarrettLyon ) - Barrett Lyon is the Vice President of Research and Development for the Neustar Security Solutions' portfolio. He spearheads the development of innovative new products and solutions for the company's industry-leading DDoS, DNS and cybersecurity solutions. Mr. Lyon is a serial entrepreneur and a well-respected cybersecurity thought leader with experience building leading edge network services and infrastructure. Prior to Neustar, Mr. Lyon founded Defense.net and served as its Chief Technology Officer. In 2009, he co-founded XDN, Inc. and served as its CEO. As Chief Technology Officer, he led the strategy and technical operations at BitGravity, a company he co-founded. Previously, Mr. Lyon founded Prolexic Technologies and served as its Chief Technology Officer, where he created the first successfully managed service to defend enterprises from Distributed Denial of Service (DDoS) attacks. His authority and over 20 years of experience in the network security space have led to numerous collaborations with a majority of the tier-one and tier-two carriers in North America and Europe, and at National Security Agencies in Europe and the U.S. Outside of the security field, he has been an active proponent in the advancement of the Internet. Mr. Lyon was responsible for the Opte Project, often referred to as the Internet Mapping Project, and he formed AlphaLinux.org. He has been published in several security and non-security related books.
Links:
https://www.home.neustar/about-us/leadership/innovators/
https://en.wikipedia.org/wiki/Barrett_Lyon/
https://www.linkedin.com/in/blyon/
DtSR Episode 281 - Exploiting and Defending Human BehaviorJan 30, 2018 49:00
This week, go Down the Security Rabbithole with James and Raf as they host Robert Sell. Robert took 3rd place at the Defcon SECTF (Social Engineering Capture-the-Flag) in 2017 and he has some lessons for you in the enterprise.
"Social Engineering" (while a ridiculous and non-descriptive term) is a real attack vector. How are you defending your enterprise?
Listen in. Then talk back on Twitter at #DtSR or LinkedIn!
Guest: Robert Sell ( @RobertESell & https://www.linkedin.com/in/robertsell/ )
DtSR Episode 280 - A Cloud Container Security PrimerJan 22, 2018 45:50
This week, Chris Rosen from IBM joins us to talk about cloud containers - and the security (or lack thereof) of them. There is a paradigm change coming which significantly impacts security - if we're ready for it. Chris talks us through the dramatic changes (or maybe not) of doing cloud security with containers and the impact to the shared responsibility model.
Join us, and let us know what you think by leaving us a comment, either here or on iTunes.
Guest: Chris Rosen - https://www.linkedin.com/in/chris-rosen-71790513/
DtSR Episode 279 - Deeper Down the SDP RabbitholeJan 17, 2018 44:29
This week, Jason Garbis re-joins the podcast to go past the Primer (Episode 257) and dive deeper into SDP (Software Defined Perimeter) with a discussion on cloud and relevance to the re-invention of the data center and related infrastructure.
Related DtSR listening:
- Zero Trust Model w/ John Kindervag: http://podcast.wh1t3rabbit.net/dtsr-episode-222-zero-trust-security-model
- Software Ate the Perimeter w/ Jason Garbis: http://podcast.wh1t3rabbit.net/dtsr-episode-257-software-ate-the-perimeter
DtSR Episode 278 - The Meltdown Over SpectreJan 9, 2018 43:38
Welcome Down the Security Rabbithole. This week we bring Jeff Schilling from Armor to talk about Spectre and Meltdown - the two hottest topics in security right now and for the foreseeable future.
While you listen to us talk, check out these links:
- http://uproxx.com/technology/what-are-meltdown-spectre-computer-bugs-explained/
- http://bgr.com/2018/01/04/intel-chip-security-flaw-how-slow-mac-pc/
- https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
And the obligatory "I patched and things got worse" post: https://twitter.com/timgostony/status/948682862844248065
DtSR Episode 277 - An Outside In Look at Security and InnovationJan 3, 2018 46:42
Happy New Year, 2018.
Friends, thanks for listening! I can't believe this podcast is still going strong after all these years and 277 episodes. I started this podcast with an idea - give you something to listen to that was office-friendly, informative, and focused on advancing our trade. Over the years I've gotten some encouraging comments from people ranging from those trying to get into our industry, to those who are leading large organizations' security practices. I'm encouraged by you all, and thank you for supporting us.
Now, let's get on with 2018.
On this first episode of 2018, James and I welcome Ben Kepes, who is a long-time friend of mine and an industry analyst. Ben isn't your typical analyst though, because he has a healthy dose of skepticism, an eye for bullsh**, and he's trusted by vendor and buyer alike. Oh, also, he's a Kiwi so he's got that going for him too.
Sit back, enjoy, and leave us a comment if you are so moved.
DtSR Episode 276 - Game Changer in ICS (no FUD edition)Dec 27, 2017 44:05
What: In this episode we get the facts on the recent game-changing malware/attacks that appear to be nation-state sponsored attacking critical safety systems in industrial controls (ICS).
Why: You've probably read about it, and depending on what you read you may only have the hype or half the story.
Who: As always, Sergio Caltagirone from Dragos is the master at telling a great story, from just the facts. He's part of the team that did the analysis, wrote the narrative, and then ended up on countless phone calls explaining it to executives and national security types. He knows his craft.
Links:
- Dragos blog about the topic: https://dragos.com/blog/trisis/
- Fireeye's version: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
We invited him on this special episode to give you the inside story, to separate some of the hyperbole from reality - so listen up.
DtSR Episode 275 - Beyond 2017 A New HopeDec 19, 2017 44:05
For episode 275 we are once again joined by the one and only Haroon Meer ( @haroonmeer ) to follow up on his conversation from September 2016 titled "What will get us there". If you've not had a chance to listen to that show, you absolutely should do that first.
Haroon shares his perspective including...
- "The cloud has won"
- Fundamentals are still hard, we're still largely failing at them
- Hackers make the best engineers when you give them a problem to solve
- Where do we go from here, into 2018, is there hope?
DtSR Episode 274 - Let's Talk Power GridDec 14, 2017 38:48
This week, Patrick Miller returns (another boomerang guest from the way-back machine) to talk about the energy grid. It turns out things aren't super different from 5 years ago, but some things have changed.
Patrick and I discuss resiliency (over actual security) in the grid, and focus on transmission, generation, and "getting it all working again" from a life safety perspective. It's a fascinating discussion, don't miss it!
** Apologies for some of the audio quality, we had "choppy" issues on Skype and I edited the best I could.
DtSR Episode 273 - Automate or Die (w/Demisto)Dec 5, 2017 29:08
Join James and Rafal, one last time, live from Enfuse Conference (Las Vegas, NV) this past summer.
In this episode, we track down a personal friend of Raf's - Bob Kruse, VP Sales & Alliances at Demisto - and talk about the need for the enterprise to automate and orchestrate.
Oh, also, Bob pretty much said by 1 year from the recording of that episode he would get an "Automate or Die" tattoo. So just to be on the safe side, we'll give him until next year, about this time. Game on, Bob.
DtSR Episode 272 - Innovation, Startups, and the Security BubbleNov 29, 2017 42:30
This week, Grant and Mark join me live and in person in Las Vegas at the Amazon AWS re:Invent conference to talk about the security marketplace, innovation, "the bubble" and more.
Here's the announcement we talked about at the opening of the show: McAfee announces agreement to buy SkyHigh Networks: https://www.skyhighnetworks.com/mcafee-and-skyhigh/
Guests: Mark Arnold ( @lotusebhat ), Grant Sewell ( @GrantSewell )
DtSR Episode 271 - The Secrets of Influence Through CommunicationNov 21, 2017 45:03
This week James and I are fortunate enough to have one of the best keynote speakers I've ever seen on the show. He's an amazing speaker, a brilliant magician and a sharp dresser - this guy is the real deal.
Straight off the keynote stage at the Security Advisor Alliance (SAA) Summit in Denver ... ok maybe not straight off, Vinh Giang joins us to talk about how to influence people while you're up there giving a talk or speech.
Grab something to take notes with - trust me, this one is chock full of brilliant nuggets.
DtSR Episode 270 - Secrets of InfoSec at ScaleNov 15, 2017 50:51
Ladies and gentlemen - we have our first 3-time guest! Brandon Dunlap, my good friend and industry titan, joins the podcast for his third trip down the rabbit hole.
In this episode Brandon Dunlap (@bsdunlap) and I talk through the challenges of security at scale, in person and live from Seattle. In the previous two episodes that Brandon has done on this show we've talked about the challenges of scaling information security teams, and this time we go deep into the strategies that work, where the lines are drawn and some lessons learned from a very successful career doing exactly this - InfoSec at scale.
The previous two appearances of Brandon on this show are:
- DtSR Episode 202 - Outsourced but Better
- DtSR Episode 158 - Managing Security with Outsourced IT
We invite you to listen, take notes, and converse with us on #DtSR on Twitter, or on this post on LinkedIn.
DtSR Episode 269 - Industrial Internet of Things (IIOT)Nov 7, 2017 48:11
This week, we have a repeat guest, with Robert M. Lee joining our show to talk about the Industrial Internet of Things. Rob has just finished a conference that his company, Dragos, Inc., started in order to educate, raise awareness and advance research on the Industrial Internet of Things.
Whether you think you know what the IIOT is, or whether you can admit to yourself you need to know more - this podcast will have it all.
We also reference a podcast with Dr. Timothy Chou (link: DtSR Episode 250 - Deconstructing the Internet of Things ). If you haven't read his book, "Precision" (link: https://www.amazon.com/Precision-Principles-Practices-Solutions-Internet/dp/1329843568 ) it's the basis for a lot of this discussion.
Thanks to Rob again for being on the show!
DtSR Episode 268 - CISOs Survival GuideNov 1, 2017 55:01
Welcome down the Security Rabbithole, friends and colleagues!
This week, my guest is Larry Whiteside, Jr. (we know him as the best dressed man in InfoSec). Larry joins the podcast while James is out to discuss the life and times of a CISO. He has extensive experience as a CISO and security leader, working across multiple market verticals from energy to healthcare, in addition to being a former colleague advising CISOs.
Larry dispenses his brand of knowledge with a little bit of an edge, a little dose of realism, and a lot of fun. If you've never had the pleasure of working with Larry - it's something I advise you do at some point in your career. He's even been referred to as the "CISO Whisperer" by people who know and have worked with him. All else failing, Larry can always give you fashion advice, and up your sock game.
DtSR Episode 267 - Cyber Security Awareness Month WrapOct 24, 2017 36:31
This week, James and Raf cover the tail-end of Cyber Security Awareness Month. It's been an interesting week of news and of course let's talk about awareness.
Have you completed your mandatory training?
-- This week's talking points
Namaste Health Care security incident, announcement
- Pay attention to how this article is worded, we've covered this before with Sean and Michael too
- When you don't know, you have to report the worst-case
- Focuses spotlight on knowing what's in your environment, and having a plan for not only technical IR but communications
- How would your organization report? Are you ready to be better?
- http://www.abc17news.com/news/namaste-health-care-reports-data-breach-unsure-if-the-attacker-had-access-to-files/642247970
DHS Imposes DMARC on Federal Agencies
- Any time we can add to the security measures over email, bonus
- We already know email is the #1 way bad things get disseminated
- This is not set-and-forget, you need to make sure it's working!
- https://www.bankinfosecurity.com/dhs-imposes-email-security-measures-on-federal-agencies-a-10386
Cyber Security Awareness Training
- Are we over it yet?
- Raf says he's always late, and it's always the same thing... does it work?
- What are some better alternatives? (there have to be better)
- Does your job offer/mandate awareness training? Does it WORK?! How would you even know??
DtSR Episode 266 - Leadership Perspective with MichaelOct 17, 2017 57:01
This week we're getting the band back together!
Michael Santarcangelo joins us for a segment we'll be featuring regularly (look for it every 6 weeks or so) on the leadership perspective. Security could use some leadership, and we will be enlisting Michael to talk about current events and lessons for leadership.
Tune in, and you may just end up with something you can use in your day job.
DtSR Episode 265 - Privacy and ParanoiaOct 10, 2017 47:07
This week's Down the Security Rabbithole Podcast asks - "Are you paranoid enough about your privacy? or do you simply not have any?" with a couple of gentlemen who would know.
Join James and Raf as we go down the rabbit hole one more time, this time talking about the breadcrumbs, fingerprints, and digital privacy violations you voluntarily give up in your everyday life. It's a little scary, but the trade-off we make for the sake of convenience is very real.
Grab your tinfoil hat and your burner phone and enjoy!
DtSR Episode 264 - Windows Forensics Then and NowOct 3, 2017 41:39
This week, Harlan Carvey joins James and I to talk about the evolution of Windows forensics over the last decade and a half or so. Harlan has more experience than most when it comes to diving into the Windows machine from a forensics perspective and is a well-spoken author of many books and blogs.
Guest: Harlan Carvey ( @keydet89 ) - Digital forensics and incident response analyst with past experience in vulnerability assessments and penetration testing. Conducts research into identifying and parsing various digital artifacts from Windows systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. Developer of RegRipper, one of the most widely used tools for Windows Registry analysis. Has developed and teaches several courses, including Windows Forensics, Registry, and Timeline Analysis.
Harlan's Blog: http://windowsir.blogspot.com
Harlan on LinkedIn: https://www.linkedin.com/in/harlan-carvey-86a8694b/
DtSR Episode 263 - Legal Update Q3 2017Sep 27, 2017 45:05
On this episode of Down the Security Rabbithole Podcast James and I get an update on the legal issues that have been talked about from our legal-eagle Shawn Tuma!
We're continuing our policy of not piling on to data breach hysteria, but will be covering some of the legal ramifications of recent disclosures, a possible national data breach law and a few other things that will make this show a must-listen. Shawn's unique perspective and true expert insights give you talking points and a download of facts that you wouldn't get listening to the talking heads and mainstream media.
Enjoy, share with your colleagues, subscribe via RSS, and don't forget to talk back to us on Twitter using the hashtag #DtSR.
Thanks for listening!
DtSR Episode 262 - Deeper Down the Cyber Liability Insurance RabbitholeSep 20, 2017 50:51
This episode, in conjunction with the Security Advisor Alliance ( https://www.securityadvisoralliance.org/ ) we dive into a third round of Cyber Liability Insurance. This fascinating discussion dives deeper into the things security leaders need to know as Travis and Stephen get right to the heart of matters.
Check out the first episode (way back in the archives) on DtSR Episode 34 - The Inside Scoop on Cyber Liability Insurance ( http://podcast.wh1t3rabbit.net/episode-34-the-inside-scoop-on-cyber-liability-insurance ) with Christine Marciano ( @DataPrivacyRisk ).
Then, go grab episode 172, our 2nd foray into this topic titled "The Truth on Cyber Insurance" ( http://podcast.wh1t3rabbit.net/dtsr-episode-172-the-truth-on-cyber-insurance ) with Eran Kahana and L. Keith Burkhardt and dive a little deeper.
As always, thoughts and comments are more than welcome and discussion using the hashtag #DtSR is encouraged!
DtSR Episode 261 - Deeper Down the ML Rabbit HoleSep 14, 2017 54:52
Welcome to another Down the Security Rabbithole episode folks!
This week, Alex and Sven are baaaaaaack for a deeper dive into machine learning and the shenanigans that surround it. We talk through what ML is, some use-cases and further dispel some common myths. We even have a little fun, who knew.
Guests: Alex Pinto ( @Alexcpsec ), Sven Krasser, Ph.D ( @SvenKrasser )
DtSR Episode 260 - The Immense Challenge of Protecting Office 365Sep 5, 2017 42:05
This week, on Down the Security Rabbithole, Rudra "Rudy" Mitra joins us from Redmond to talk about what it's like to defend Office 365 at scale. On this episode we cover:
- What we mean by at scale in regards to Office 365
- Some pros and cons of the Office 365 platform as it pertains to security and safety
- Early warning, early detection, and how easy it is to really break things
There's so much more too! We even skipped talking about current events to give this show maximum run-time. Sit back, grab something to take notes with, and listen up. The lesson begins now.
Guest: Rudra "Rudy" Mitra ( @rudramitra ) - Rudra is the Director of Information Protection for the Office 365 platform. He works on extremely large-scale projects to ensure the safety and security of client data and the platform itself. LinkedIn profile is here: https://www.linkedin.com/in/rudramitra/
DtSR Episode 259 - Risk Communication PrimerAug 31, 2017 49:15
As we go once again down the security rabbithole, Raf and James meet up with Claire Tills who gives us a primer on "risk communication". Communicating 'risk' is a nuanced, subtle and often time-based endeavor so we feel like everyone should have at least some background in it.
Sit back, relax, and again...start taking notes furiously.
Guest: Claire Tills ( @ClaireTills ) - Communication researcher trying to get into information security. I write about applying comm theory to infosec and case studies in my blog (http://cliretills.com).
DtSR Episode 258 - Big Scary NumbersAug 23, 2017 51:52
This week on the Down the Security Rabbithole Podcast, Dave Bittner of The CyberWire (podcast) joins us to talk about some of the ways that we believe security goes awry when it comes to 'big, scary numbers'. Listen in...
-- Top News
Maersk says it's going to lose between $200M and $300M from notPetya
- Depending on which headline you read this is either a catastrophe - or not that big of a deal
- Seems to be about perspective in their overall guidance to investors, in light of industry trends
- https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html
- https://theloadstar.co.uk/maersk-shrugs-off-300m-cost-cyber-attack-freight-rates-soar/
- Bottom line, perspective matters
Uber is in trouble. Again.
- FTC has Uber in hot water over less-than strict security of drivers' information
- Lack of security, privacy and finally a chief security exec
- Speaks to a broader issue with how start-ups treat security in the overall scheme of "making it"
- https://www.forbes.com/sites/thomasbrewster/2017/08/15/uber-settles-ftc-complaint-over-secuirty-and-privacy/#5dc3d58b88da
DtSR Episode 257 - Software Ate the PerimeterAug 17, 2017 49:26
This episode of Down the Security Rabbithole Podcast was recorded live and in person in Las Vegas at the Black Hat Conference 2017. Raf had a chance to sit down across the microphone from Jason Garbis of Cryptzone to talk about the software defined perimeter.
SDP is a relatively new space many of us in security aren't familiar with, so we decided we'd record a primer on the topic, narrated by someone who is expertly involved in the practitioner side (through the CSA, Cloud Security Alliance) developing the standards and the provider side (Cryptzone) developing products and services towards the specification.
This is a more technical-focused podcast than many of our others, so sit back, grab a notepad and get ready to learn something.
For more of Jason's work, check out this link: https://insight.cryptzone.com/author/jason-garbis/
Guest: Jason Garbis - Vice President of Products for Cryptzone, where he's responsible for the company's product strategy and product management. Garbis has over 25 years of experience with technology vendors, including roles in engineering, professional services, product management, and marketing. Jason joined Cryptzone from RSA, and holds a CISSP certification.
DtSR Episode 256 - Rick Howard on the RecordAug 9, 2017 49:47
This week - Rick Howard joins us and goes on the record to talk about the Security Canon and a few other interesting things you're just going to have to listen to, in order to find out.
— Top News
Adobe is end-of-life'ing Flash
- I'll pause while you catch your breath
- Wait, it's not until 2020
- Also there's more
- http://www.businessinsider.com/adobe-flash-killed-by-2020-2017-7
Developers targeted by malicious Chrome extension
- https://www.forbes.com/sites/leemathews/2017/08/03/over-a-million-coders-targeted-by-chrome-extension-hack/#7b6849359c9d
- Just like security people and "commoners", developers fall for it
- At least it was caught, and removed...
Here's what we talked about with Rick Howard...
The Cyber Security Canon
- Check it out
- Reading material for newbies and others of us
- Patrolling Cyberspace — my homework
The Cyber Threat Alliance
- Sharing intelligence - amongst competing vendors
- Palo Alto leading the endeavor, with a group of 6
- Some things are above competition — that's worthy of a clap
- If your vendor isn't part of this alliance, ask them why not?
Guest: Rick Howard - Currently the Chief Security Officer at Palo Alto Networks. More here: https://www.linkedin.com/in/rickhoward/
DtSR Episode 255 - Security and Human NatureAug 2, 2017 46:10
This week on the Down the Security Rabbithole Podcast, John Nye ( @EndIsNye_Com ) joins us to talk about the human aspect of the cyber security equation. Getting away from blaming the user, we talk through the human nature side of the business with a focus on social aspects and behavior modification.
A fascinating discussion you'll want to listen to over and over again, for sure!
DtSR Episode 254 - Lowdown and Dirty ICSJul 25, 2017 01:02:26
This week Sergio Caltagirone joins James and I to talk about Industrial Controls networks and systems and some of the dangers that go undiscussed. Sergio is a 2nd timer, and we take the opportunity to catch up and discuss one of his favorite topics.
Additionally, we talk about some of the topics that were in the news the week this podcast was recorded, a few weeks ago.
Whether you're in Las Vegas for Black Hat Conference 2017 or not, take a listen to this sobering discussion about industrial controls and some of the more clear and present dangers facing us in that sector.
Thanks again for joining us, Sergio!
DtSR Episode 253 - Defending the Small-to-Medium EnterpriseJul 18, 2017 52:08
On this podcast - James and I welcome Shon Gerber as we talk through a pair of current events and the topic of the day.
Blue Cross Blue Shield of Alabama sends out USB sticks
- Security elitists up in arms
- We've taught people to be suspicious - don't click, don't open docs, and don't use USB -- So how do we get our clients' content?
- To my fellow security professionals - it's reckless to continue to stand with a firm "no" while offering no alternatives
- So what do we suggest? More important - what threat model vector are we saying that blocking the sending out of USB sticks would defend against?
- https://www.theregister.co.uk/2017/07/12/blue_cross_usb_card_mailers/
MySpace has a major account password reset flaw, allowing account take-over
- Wait ... MySpace is still around?
- But seriously, to exploit this last ditch feature for those who've forgotten everything else, all you need is the listed name, date of birth, and username
- How many of our sites have this problem, or worse?
- https://www.wired.com/story/myspace-security-account-takeover/
This week we bring Shon Gerber onto the show to talk about defending the SMB and SME. Here are some of our talking points:
- SMBs/SMEs are uniquely challenged in that they can't afford good security any more than they can afford a lack of security -- what's the answer?
- How do we achieve scale, in an area of industry with razor-thin margins and tiny profit margins?
- SMBs/SMEs are more likely to be catastrophically affected by an attack such as ransomware than big companies -- agree or disagree? (#DtSR on twitter to talk back)
- Other challenges - including how to achieve scale
Guest: Shon Gerber
- Current CISO for a multinational chemical company with approximately 10K employees
- Recent past: Security Operations Supervisor for a multi-national company with 100K employees
- Senior Security Architect with a multi-national
- Air Force Red Team - Squadron Commander
- Multi-Disciplinary (Physical / Network Penetration Testing of Critical Systems)
DtSR Episode 252 - DFIR with Lesley Carhart (Jul 11, 2017, 51:41)
In this smasher of an episode James and I are joined by Lesley Carhart live from Enfuse Conference in Las Vegas to talk about DFIR (Digital Forensics and Incident Response) as a broad field. There is SO much to talk about here, you'll want to listen twice.
Make sure that if you missed Enfuse this past year, you don't miss 2018. It's a great conference where you get to meet and talk with folks like Lesley and many others in this field.
DtSR Episode 251 - General Data Protection Regulation (GDPR) (Jun 28, 2017, 50:38)
This week on Down the Security Rabbithole Episode 251 (wow, can you believe we've published 251 full episodes?!) James and I host a roundtable of privacy and data protection experts and talk about the looming EU regulation known affectionately as GDPR.
The General Data Protection Regulation (GDPR for short) impacts all companies that either do business with EU citizens or operate in the EU. Basically, everyone. It's a huge deal and there really isn't a "wait and see" option.
Listen in, and if you have feedback provide it!
Does anyone really read these show notes? Reply on Twitter with #DtSR!
Guests:
- James Keese - https://www.linkedin.com/in/james-keese/
- Dawn-Marie Hutchinson - https://www.linkedin.com/in/dawn-marie-hutchinson-mba-06780314/
- Stephen Edmonds - https://www.linkedin.com/in/stephen-edmonds-547176/
DtSR Episode 250 - Deconstructing the Internet of Things (Jun 20, 2017, 56:14)
Fresh off of his closing keynote at Enfuse Conference 2017 in Las Vegas, Dr. Timothy Chou joins us to talk about the difference between the Internet of People and the Internet of Things.
Even though many people talk about the IoT, we still fail to understand the gravity and enormity of the problem we face and how information security professionals are so far behind the 8-ball here. Dr. Chou spent some time with us to dispense wisdom interlaced with humor to make it stick.
Guest: Dr. Timothy Chou is a technologist, a lecturer, and published author. He has written a book called "Precision: Principles, Practices and Solutions for the Internet of Things" that delves into an Internet of Things many don't really understand yet. While most of us focus on the Internet of People (gadgets and things meant to be operated by people), Dr. Chou focuses on the IoT where people aren't just optional, they're unnecessary.
DtSR Episode 249 - Finding a Way (Jun 13, 2017, 51:39)
This week, James and I try out a new format for the show. We hope you enjoy the blend of news commentary and an interview.
News
More car vulnerabilities - this time in a Subaru
- No stunt hacking involved
- A repeat vulnerability means there's potentially a bigger SDLC issue
- Responsibly disclosed, fixed ... if a tree falls...
- Link: http://www.bankinfosecurity.com/exclusive-vulnerabilities-could-unlock-brand-new-subarus-a-9970
The 5th Amendment and your phone passcode
- This issue is sticky
- Passcodes, fingerprints, etc. - all need consistent law
- We need a lawyer
- Link: http://thehackernews.com/2017/06/unlock-iphone-passcode.html
Guest: Kevin Pope ( @screamingbyte ) - Kevin is a long-time friend of the show, and someone who has a fantastic story only he can tell: from struggling to thriving, and the story of how he got there.
DtSR Episode 248 - Nick Hyatt On Ransomware (Jun 6, 2017, 51:25)
This podcast episode was recorded live to tape from Enfuse Conference 2017 in Las Vegas. If you didn't get a chance to get out this year to one of the premier DFIR (Digital Forensics and Incident Response) conferences, you missed a heck of an event.
James and I want to thank Guidance Software for the invitation, for having us out, and for access to some truly amazing guests for this series of recordings.
For #248 sit back and listen to Nick Hyatt talk with James and Raf about ransomware - fresh from his Enfuse Conference talk to your ears.
Enjoy and as always please hit us up on Twitter at #DtSR.
Guest: Nick Hyatt ( @Skelet0wn3d ) - Nick is currently the Senior Incident Management Consultant at Optiv Security, Inc., responsible for incident response, threat hunting, digital forensics, and malware forensics using a variety of skills and tools. He has hands-on knowledge and understanding of malware forensics, observation, removal, and threat hunting. Additionally, Nick has hands-on experience with digital forensics, malware forensics, data mapping, threat hunting, and e-discovery at different scales, from start-up and SMB environments to Fortune 500 environments.
DtSR Episode 247 - Internet of Things Forensics (May 31, 2017, 45:50)
Live once again from Enfuse Conference 2017 in Las Vegas, James and I interview Amber Schroader, the President and CEO of Paraben. This interview happened because you all voted and asked for it... OK, and because she's a fantastic person to interview.
Be prepared for a little humor and a lot of knowledge.
Special thanks again to Enfuse and the Guidance Software team for having us out and getting us access to some downright amazing guests!
DtSR FeatureCast - Enfuse Conf 2017 - Theresa Payton (May 27, 2017, 18:04)
As James and I continue to publish our Enfuse Conference 2017 series of episodes, we are this week joined by Theresa Payton. Theresa is the former CIO of the George W. Bush White House Administration, and is now on the show Hunted, where she runs a team of cyber trackers.
Guest: Theresa Payton ( @TrackerPayton ) - Theresa Payton is one of the nation's leading experts in cybersecurity and IT strategy. As CEO of Fortalice Solutions, an industry-leading security consulting company, and co-founder of Dark Cubed, a cybersecurity product company, Theresa is a proven leader and influencer who works with clients and colleagues to uncover strategic opportunities and identify new and emerging threats.
Theresa began her career in financial services, where she coupled her deep understanding of technology systems with visionary leadership, executing complex IT strategies and winning new business. Following executive roles at Bank of America and Wachovia, Theresa served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.
In 2015 Theresa was named a William J. Clinton distinguished lecturer by the Clinton School of Public Service. She is the author of several publications on IT strategy and cybersecurity and a frequent speaker on IT risk. In 2014 she co-authored, with Ted Claypoole, the book Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family, which was subsequently featured on the Daily Show with Jon Stewart.
Among her numerous accolades and recognitions, Theresa was named one of the top 25 Most Influential People in Security by Security Magazine and One of Infosec’s Rising Stars and Hidden Gems by Tripwire. In 2005 she was honored as Charlotte, NC’s Woman of the Year.
DtSR FeatureCast - Enfuse Conf 2017 - DFIR Students (May 25, 2017, 30:38)
Continuing our series recorded live at Enfuse Conference 2017 in Las Vegas, this episode features two USC students who are part of a large contingent here to learn and make connections.
Tatiana and Ayman join us to talk about how they got here, what they are planning for their future along with some general thoughts on DFIR and our industry!
Guests:
- Tatiana Santos ( @tatitasantita )
- Ayman Siraj ( @aymansiraj )
DtSR FeatureCast - Enfuse Conf 2017 - Keynote Patrick Dennis (May 25, 2017, 23:02)
Today, Guidance CEO Patrick Dennis joins the Down the Security Rabbithole Podcast right after his keynote to talk about the conference, what's going on at Guidance, and the state of defense.
This is a FeatureCast so we get right to the point in an easy-to-listen format.
Thanks for listening!
DtSR FeatureCast - Enfuse Conf 2017 - Preamble (May 24, 2017, 18:14)
We kick off a week of on-the-scene podcasts, live-ish from Enfuse Conference 2017, hosted by Guidance Software in Las Vegas, Nevada, with Lori Chavez, VP of Corporate Marketing. She is the brains responsible for the amazing conference, including speakers, content and everything else.
Lori gives YOU an insider preview of Enfuse 2017, and tells us a little about what we can expect and some history of the conference - and we can't wait to give you MORE!
Stay tuned in all week as we bring you more fantastic content from Enfuse Conference 2017. And as always, use the hashtag #DtSR to talk back to James and me, or #EnfuseCon17 to interact with speakers and attendees!
Just for DtSR listeners - we will post a special coupon code for next year's registration... just for listening. Don't miss it later this week!
DtSR Episode 246 - Finding and Responding to Badness (May 23, 2017, 46:36)
This week we are live from Enfuse Conference 2017 in Las Vegas, Nevada.
Special thanks to Guidance Software for having us out and getting us access to a whole host of fantastic speakers.
On this episode Greg Hoglund and Ryan Butterworth of Outlier Security join us to talk about the DFIR space with all its problems, including a shortage of qualified labor and sub-optimal tools. This fantastic discussion wanders all over the DFIR space, including the "data problem" and tools, tools, tools.
That tool that Greg mentions, which is free, is right here: http://unbouncepages.com/supertimelines-free/
Guests:
- Greg Hoglund - Founder and CEO, Outlier Security, Inc.
- Ryan Butterworth - Principal Software Engineer, Outlier Security, Inc.
DtSR Episode 245 - NewsCast for March 16th 2017 (May 16, 2017, 49:54)
Description:
Microsoft warns ransomware cyber-attack is a wakeup call
- As of recording, it is reported that 200,000 computers were infected.
- Patch for the flaw was released in March, 2017
- Microsoft has since released a patch for older systems
- Lots to discuss on this - including Microsoft's letter to the NSA
- Link: http://www.bbc.com/news/technology-39915440
- Link: https://www.infosecurity-magazine.com/news/microsoft-xp-patch-wannacry/
- Link: http://www.bbc.com/news/uk-39921479
United flight attendant accidentally leaked door codes online
- Flight attendant somehow posted the codes online
- Insider threat?
- Multiple layers of security needed and additional controls here
- Link: https://www.infosecurity-magazine.com/news/united-flight-attendant-door-codes/
- Link: https://www.wsj.com/articles/uniteds-cockpit-door-security-codes-inadvertently-revealed-1494794444
Keylogger discovered preinstalled on some HP laptops
- Audio driver inspected keystrokes looking for events like Mute, Unmute, etc., but also stored keystrokes in a file.
- Log file was overwritten after each reboot.
- Was this just a debugging feature that wasn't disabled before release?
- Link: https://www.cnet.com/news/keylogger-discovered-on-some-hp-laptops-conexant/
DtSR Episode 244 - A Government CISO's Perspective (May 10, 2017, 45:06)
This week - live and in person from Denver, Colorado and the RMISC Conference - I interview Stephen E. Coury, the CISO of the County and City of Denver. The conversation leads off with Stephen's journey through cloud computing and weaves through some of the challenges municipalities and city governments are facing. It's a fantastic conversation that is readily applied to both public and private organizations - you need to check this out.
Thanks Stephen for coming out and talking to us!
Guest: Stephen E. Coury - CISO of the County and City of Denver, CO.
DtSR Episode 243 - NewsCast for May 2nd 2017 (May 3, 2017, 48:23)
Description:
Chrome to mark more HTTP pages 'Not Secure'
- In October, 2017, all HTTP sites will be marked 'Not Secure' while in incognito mode.
- Incognito mode allows surfing the internet without saving your browsing history.
- Enterprise: Have you seen any negative feedback from the previous changes to show "not secure"? Does this change your priority for moving to always-HTTPS for all sites?
- Link: https://threatpost.com/chrome-to-mark-more-http-pages-not-secure/125255/
2017 Verizon DBIR Highlights: Analyzing the Latest Breach Data in 10 Years of Incident Trends
- Oh, the headlines. Slow the roll, folks.
- Stop the password hate and turn the mirror around
- Let's talk about people... and why they are not the weakest link. Grow up.
- So many obvious points, yet so much insight not being talked about - why? Hint: It dispels the doom and gloom and asks tough questions
- Example: Page 13 - patching ... looks like after 2 weeks "If it's not patched, it's not getting patched". Ask yourself what patch percentage you're at after 2 weeks - and are you OK with that?
- Link: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/highlights-of-the-2017-verizon-dbir-analyzing-the-latest-breach-data-in-10-years-of-incident-trends/
- Link: http://www.infoworld.com/article/3193028/security/annual-verizon-security-report-says-sloppiness-causes-most-data-breaches.html
Hacker leaks episodes from Netflix show and threatens other networks
- Importance of the digital supply chain
- The 'peril' of cyber
- Link: https://www.nytimes.com/2017/04/29/business/media/netflix-hack-orange-is-the-new-black.html?_r=1
- Link: http://hosted.ap.org/dynamic/stories/U/US_NETFLIX_HACKING_THREAT?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2017-04-29-22-50-55
- "Earlier, Netflix said that a small production vendor that works with several major TV studios suffered a breach. The Los Gatos, California, company described it as an "active situation" that's being investigated by the FBI and other authorities."
- "Netflix is counting on "Orange" to help it add 3.2 million subscribers from April through June. That's substantially higher than the company's average gain of 1.8 million subscribers in the same period over the past five years."
DtSR Episode 242 - Management and Leadership (Apr 27, 2017, 49:25)
This week the team gets together to talk Management and Leadership in the security industry and in general. Our very own Michael Santarcangelo joins us as our featured guest to dispense knowledge on leadership by the truckload. So grab a cup of coffee, something to take notes and listen in.
DtSR Episode 241 - NewsCast for April 18th 2017 (Apr 18, 2017, 46:22)
Description: NewsCast for Tuesday April 18th, 2017
Dallas Tornado Sirens Hijacked
- Tornado sirens in Dallas all simultaneously went off
- Suspected hijacking of the emergency system, lots of speculation on how this happened
- Now believed to be a radio hijack
- Link: http://content.govdelivery.com/bulletins/gd/TXDALLAS-1936de1
Two Inmates in Ohio Jail Hacked it From the Inside
- Talk about an "insider threat"!
- These were made from spare parts, hidden in the ceiling, concealed well
- Unauthorized access to the network (no NAC?) made infiltration possible
- Link: https://qz.com/958503/two-ohio-inmates-hacked-their-prison-from-the-inside-using-makeshift-computers-built-from-spare-parts/
SWIFT Launches New Anti-Fraud Controls in Wake of Wire Frauds
- New tools to 'detect suspicious transactions'
- Appears to be free, in addition to other fraud-detection tools
- Link: https://www.swift.com/news-events/news/swift-launches-new-anti-fraud-payment-control-service-for-customers
Huge Adobe Security Update Just Released
- 59 total vulnerabilities - Flash still a big chunk of that (surprise!)
- 44 are considered critical - "code execution bugs"
- Enterprises should download, test and deploy -- how are you handling these?
- Link: https://threatpost.com/adobe-patches-59-vulnerabilities-across-flash-reader-photoshop/124914/
Insider Threat - Engineer Arrested for Stealing Code
- High-volume algo financial trading company
- These are literally their trade secrets - the way they make money
- No abuse of privilege - this was hacking (unauthorized access)
- Link: http://www.justice.gov/usao-sdny/pr/computer-engineer-arrested-theft-proprietary-trading-code-his-employer
DtSR Episode 240 - The Truth About Machine Learning (Apr 11, 2017, 53:54)
This week the Down the Security Rabbithole podcast hosts Sven Krasser of CrowdStrike. Sven is an actual machine learning data science expert (as opposed to an "expert") who had been dabbling in machine learning, artificial intelligence and other forms of advanced computational science for a long while before it was popular in security. This week James and Raf sit him down for 45 or so minutes to discuss the real facts and separate them from the fiction of what machine learning really is and the promise that it may hold for the enterprise security world.
As always, join us, share, and engage our crew using the hashtag #DtSR on Twitter.
We'd like to take a moment to thank Sven and CrowdStrike for lending their time and expertise to our show.
Guest: Sven Krasser ( @SvenKrasser ) - Dr. Sven Krasser currently serves as Chief Scientist at CrowdStrike, where he leads the machine learning efforts utilizing CrowdStrike's Big Data information security platform. He has productized machine learning-based systems for over a decade and most recently led the research and development of the first fully machine learning-based anti-malware engine featured on VirusTotal. Dr. Krasser has authored numerous peer-reviewed publications and is co-inventor of more than two dozen patented network and host security technologies.
DtSR Episode 239 - NewsCast for April 4th 2017 (Apr 7, 2017, 59:29)
Description:
Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures
- Most 'typical' users simply don't understand security because it's "magic" to them
- Basics must be understood by the average Jane - attackers count on you not knowing
- How do you take knowledge and push it to the enterprise, while keeping up with consumers?
- Link: http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/
Suspect Charged in USD 100m Whaling Scheme
- $100 Million dollars - from just two companies
- How would your executives (and their supporting staff) fare against this attack?
- More importantly, how does your "awareness" program deal with this?
- Link: https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested-theft-over-100-million-fraudulent-email-compromise-scheme
Google's Android Security 2016 Year in Review Report: Android Security Improving
- Overall, Google is making great strides
- The fragmentation problem isn't getting better for legacy devices that have long life-spans
- Going forward, things appear to be set up for faster, more regular OTA updates - but that's only for NEW stuff
- What is the state of your enterprise mobile policy?
- Link: http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2016_Report_Final.pdf
U.S., U.K. warn airports, nuclear facilities of cyberattacks
- Confusing - the threat to airports seems to be from hiding explosives in laptops/mobile devices
- The threat to nuclear plants (ICS) seems to be of a cyber nature, to legacy systems
- The big-picture issue works for enterprises too - legacy systems are a target
- Link: https://www.scmagazine.com/us-uk-warn-airports-nuclear-facilities-of-cyberattacks/article/648163/
Neiman Marcus data breach settlement tells us plenty about the ROI of security
- We've been saying this for a while - proportional security is what's needed
- There is no such thing as "secure" - why do many CISOs still push for it?
- A settlement of $1.6M is likely cheaper than the total cost of a big security program
- What would $1.6M spent on security mean? Can you define "good enough" security?
DtSR Episode 238 - March 2017 Update with Shawn Tuma (Mar 28, 2017, 59:45)
This week, on the Down the Security Rabbithole Podcast, Michael and I are back with perennial favorite Shawn Tuma. Shawn, our legal eagle friend from Dallas, breaks down the latest issues that affect Cyber Security and the Law - with that business perspective you've come to expect from our podcast.
As always, we love hearing from you and if you have questions don't hesitate to hit us up on Twitter using hashtag #DtSR or you can always hit up Michael (@catalyst), myself (@Wh1t3Rabbit) or Shawn (@ShawnETuma) directly!
Thanks for listening and spread the word!
DtSR Episode 237 - NewsCast for March 21st 2017 (Mar 21, 2017, 49:19)
Description:
The Cost of Cybercrime - Let's Take a Different Perspective
- Cybercrime is reported as a $450B drag on the economy; the absolute number sounds big
- The question to ask: "How big is the global economy?"
- Turns out that this is only 0.57% of the global economy, in 2014 (nominal)
- By way of contrast - how many minutes are in a day? What is 0.57% of your day?
- What it means - we're doing a good job. Fraud is low. Cybercrime might be on the rise, but for now, it's at low relative percentages
- Does it mean we don't matter? No. Don't be silly. Our efforts are why the numbers are low
- Keep up the good work
- http://www.en.netralnews.com/news/business/read/1249/cybercrime.costs.the.global.economy..450.billion
- https://en.wikipedia.org/wiki/Gross_world_product
Home Depot to Pay Banks $25 Million in Data Breach Settlement
- New settlement with banks
- http://fortune.com/2017/03/09/home-depot-data-breach-banks/
- http://www.cnbc.com/2017/02/21/home-depot-earnings-q4-2016.html (has autoplay with the same video)
Survey: Experience Preferred Over Education When Hiring For Cybersecurity
- The survey of 350 IT security professionals gauged their attitudes toward the skills shortage in cybersecurity. Some 93 percent agreed that experience is more important than qualifications. A further 73 percent claimed that it didn't matter whether IT staff were college graduates when it came to getting the job done.
- Qualifications are considered degrees and certifications
- The rub -- and what they didn't ask -- is how do you assess the experience and capability of professionals to solve the sorts of problems you have?
- Straight Talk on hiring... check it out.
- Split results on whether communication or technical skill was more important; hint - it's communication. You can be the smartest one in the room, but if no one understands you... But it's also awkward to suggest that you can't have both good technical and good communication skills. You can. Period.
- http://www.channelpartnersonline.com/news/2017/03/survey-experience-preferred-over-education-when-h.aspx
How Risk Modeling Propels the Cyber Insurance Market Forward
- Blend: security, risk, and insurance... and use threat modeling? Excellent.
- Claims that we struggle to calculate and manage risk from cyber incidents; maybe.
- Some loose assumptions here on the nature of insurance... but it's a step forward
- http://www.propertycasualty360.com/2017/03/16/how-risk-modeling-propels-the-cyber-insurance-mark
!! Michael is putting together a series on Cyber Insurance; it starts with a brief survey - 5 multiple choice and 3 open-ended questions. Please take 3-5 minutes to share your experiences, insights, and questions!!
http://www.csoonline.com/article/3182697/leadership-management/got-cyber-insurance-share-your-thoughts-to-lead-security-change.html
Survey link: https://securitycatalyst.typeform.com/to/VKsoDB
DtSR Episode 236 - Enterprise Architecture 2017 (Mar 14, 2017, 44:54)
Check out episode 236 with Marie-Michelle Strah who is a repeat offender here on the podcast with her first appearance back in 2014 on Episode 122 ( http://podcast.wh1t3rabbit.net/dtsr-episode-122-enterprise-architectures-role-in-security ).
This episode is a revisitation of Enterprise Architecture and its importance to security, with a perspective on the enterprise tech stack, business segmentation and micro services in a modern distributed enterprise. Marie-Michelle's experience and extensive insight into the topic should give you something to think about as you go back to your day job in security.
Guest: Marie-Michelle Strah ( @CyberSlate ) - Marie-Michelle Strah, PhD, is currently Senior Principal in the Enterprise Architecture Group at Infosys Ltd and based in New York City. A highly collaborative, diplomatic and inspiring thought leader, Michelle is able to effectively drive business and technology strategy and business insights across corporate boundaries and departmental silos. A seasoned management and technology consultant, she specializes in strategy development, cloud transformation, enterprise information modernization and innovation management efforts to drive global growth while minimizing cost and risk in complex organizations. She has a PhD from Cornell University, was a Javits Fellow and is a US Army veteran. Connect with Michelle on Skype/Twitter/Instagram/Snapchat @cyberslate | http://cyberslate.me
DtSR Episode 235 - NewsCast for March 7th 2017 (Mar 8, 2017, 48:54)
Description:
A Note on the Passing of a Legend
- Howard Schmidt passed away this week
- Long, distinguished career as one of the CISOs who "got it"
- He will be missed in government and private industry - he was on our show too (December 2015)
- http://podcast.wh1t3rabbit.net/dtsr-episode-166-cyber-security-from-board-room-to-white-house
Are SysAdmins Violating the CFAA?
- This is, by all accounts, an insane criminal defense... or is it?
- Can what sounds like a stretch logically be used maliciously by employers?
- The law is about intent - does this invalidate his claim?
- Link: https://nakedsecurity.sophos.com/2017/02/27/it-admin-was-authorized-to-trash-employers-network-he-says/
Yahoo Board Sends Message That Echoes
- After a string of breaches, the board conducted an investigation
- CEO will not receive 2016 bonus or 2017 equity award
- Top lawyer resigns (or was asked to, whichever)
- Is this THE event that will put CEOs on notice?
- Link: https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html?_r=0
Cloud-connected toys
- The example of "CloudPets" and Spiral Toys is a doozy
- Bluetooth + web ("cloud") back-end
- Great idea: allow parents to interact with kids through a toy
- Execution is about as bad as it gets
- Dispute over disclosure
- 3rd party developer, apparently little security
- Silly statements in their disclosure/release
- Link: http://www.bankinfosecurity.com/yes-unicorns-bluetooth-problems-really-do-exist-a-9746
- Link: http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB2828
So ... AWS S3 Went Dead, You'll Never Guess Why
- It was a typo
- Many sites went dead, some degraded performance - people freaked out
- Are you ready for a multi-cloud strategy? What about security of, for, and from the cloud?
- Link: https://www.wsj.com/articles/amazon-grapples-with-outage-at-aws-cloud-service-1488323097
- Link: https://aws.amazon.com/message/41926/
- Link: https://www.technologyreview.com/s/603784/amazons-150-million-typo-is-a-lightning-rod-for-a-big-cloud-problem/
DtSR Episode 234 - Straight Talk on National Security (Mar 1, 2017, 52:16)
This week, the interview is extra special because we have a guest I've personally been following for a long while, and I finally got a chance to virtually sit down and talk through his considerable areas of expertise.
I'm pleased to say we had a chance to sit down virtually with Professor Tom Nichols and talk international affairs, foreign policy and all the important things getting lost in the off-color political arguments lately. These are important issues to cyber security professionals that impact our daily lives - but rarely get discussed by someone with actual, credentialed expertise.
Enjoy this one, friends, I know we did recording it. I want to thank Tom for being an awesome guest and lending his time to our show.
If you want to read Tom's latest book, you can get it on Amazon, link HERE.
Guest: Tom Nichols ( @RadioFreeTom ):
Dr. Thomas M. Nichols is a Professor in the Department of National Security Affairs at the U.S. Naval War College and at the Harvard Extension School, where he worked with the U.S. Air Force to create the program for the Certificate in Nuclear Deterrence Studies. He is a former Secretary of the Navy Fellow, and held the Naval War College's Forrest Sherman Chair of Public Diplomacy. Dr. Nichols was previously the chairman of the Strategy and Policy Department at the Naval War College. Before coming to Newport, he taught international relations and Soviet/Russian affairs at Dartmouth College and Georgetown University.
Dr. Nichols was personal staff for defense and security affairs in the United States Senate to the late Sen. John Heinz of Pennsylvania, and was a Fellow at the Center for Strategic and International Studies in Washington, DC. He is currently a Senior Associate of the Carnegie Council on Ethics and International Affairs in New York City. He was recently a Fellow in the International Security Program at the John F. Kennedy School at Harvard University.
He is the author of several books and articles, including Eve of Destruction: The Coming of Age of Preventive War (University of Pennsylvania Press, 2008), and No Use: Nuclear Weapons and U.S. National Security (University of Pennsylvania, 2014). His most recent book, The Death of Expertise: The Campaign Against Established Knowledge and Why It Matters was released by Oxford in 2017.
Dr. Nichols holds a PhD from Georgetown, an MA from Columbia University, the Certificate of the Harriman Institute for Advanced Study of the Soviet Union at Columbia, and a BA from Boston University.
DtSR Episode 233 - Reflecting on RSA Conference 2017 (Feb 21, 2017, 46:02)
This week, fresh on the close of RSA Conference 2017 James, Michael and I discuss the happenings of the conference, lessons, and features along with some inside anecdotes you won't get from anywhere else. Of course, we add our own unique blend of snark and humor - but that's what gets you listening and coming back for more.
We'd like to say a big thank you to everyone who voted for us in the RSA Social Security (Security Bloggers) Awards. We didn't win, but we feel good about the audience we've acquired and will keep working hard to spread the message. So to all of you, thank you.
Let's get on with the show!
DtSR Episode 232 - Security, Fraud, Digital Payments (Feb 16, 2017, 58:04)
This week, while the security world congregates at RSA Conference 2017 we present to you Neira Jones, discussing digital payments, fraud and the world of security as it applies to this domain. In a fascinating discussion, we discuss many of the topics security executives and leaders are talking about right now - but as you have come to expect this is less about 'security' and more about protecting what matters.
We want to thank Neira for taking the time out of her busy schedule to join us on the show, and encourage discussion on the topics we covered - if you listen, and you have an opinion (I know you do) then let's discuss using the hashtag #DtSR on twitter.
Guest: Neira Jones ( @NeiraJones ) - Independent Advisor & International Speaker | Payments | Digital Innovation | Information Security | Fraud
- Non-Executive Director, Cognosec
- Chairman Advisory Board, Ensygnia
- Advisory Board Member & Ambassador, Emerging Payments Association
- Partner, Global Cyber Alliance
Neira can also be found on LinkedIn: http://www.linkedin.com/in/neirajones
DtSR Episode 231 - NewsCast for February 7th 2017 (Feb 8, 2017, 42:51)
It is that time of year of W-2 Scams
- There have been multiple reports of companies releasing W-2s through email scams.
- Link: http://cbs4indy.com/2017/01/31/scammer-gets-copy-of-w-2-form-for-every-scottys-brewhouse-employee-after-data-breach/
Facebook rolls out 2FA Hardware
- A move that goes past SMS.
- Not the first time we have seen this technique (many sites support Yubikey).
- What type of adoption will we see?
- Can we check to see if Facebook has stock in hardware key companies? Or what was that selection process like?
- Enterprise: how does this work in your organization? Do/did you block USB and other methods? Do you block Facebook - by policy or in practice? How do you educate people about this?
- Link: https://www.infosecurity-magazine.com/news/facebook-rolls-out-2fa-hardware/
5 Cybersecurity Tools Your Company Should Have
- This is aimed at SMBs; as such, not sure these are the right suggestions
- HOWEVER - most enterprises work with SMBs - how are you helping them level their game up? Which of these can/do you do to help them get where they need to be? How does helping them help you, and benefit the industry?
- Link: https://www.entrepreneur.com/article/286698
Appeals Court Blocks Target Data Breach Settlement
- "The ruling from the U.S. Court of Appeals for the Eighth Circuit sets up a debate over one of the thorniest issues in data breach cases: whether and how to compensate individuals for the theft of personal information when it cannot be tied to financial injury."
- Need to create an account to see more
- Link: http://www.nationallawjournal.com/id=1202778345349/Appeals-Court-Blocks-Target-Data-Breach-Settlement?slreturn=20170106093808
DtSR Episode 230 - The IoT You Got for Christmas (Jan 31, 2017, 01:00:19)
On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter (yes, again with this guy) for a discussion on the finer points of Internet of Things (IoT) security ... or complete lack thereof.
If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
Guests: Stephen A. Ridley (@S7ephen), Jamison Utter (@jamison_utter)
DtSR Episode 229 - NewsCast for January 24th 2017 (Jan 26, 2017, 45:23)
Hi friends! We're honored to be finalists for the Security Blogger Awards 2017 "Best Security Podcast", so if you listen, go vote for "Wh1t3Rabbit" (as we're labeled).
Digital transformation forces businesses to rethink cybersecurity
A change where operations are being held accountable for security. James has commented on this before. In order to get better security, it needs to be embedded in the teams within the organization, not just the security team.
Link: http://www.cio.com/article/3157478/security/digital-transformation-forces-businesses-to-rethink-cybersecurity.html

Mobile is still the safest place for your data
Most breaches are taking place in physical mediums or traditional platforms. Mobile was designed in the midst of the discussion on ‘digital threats’ - designed with security. Mobile platforms are encrypted, more secure by default.
Link: http://www.infoworld.com/article/3155946/data-security/mobile-is-still-the-safest-place-for-your-data.html

The WhatsApp Backdoor That Isn’t
Everyone freaked out that this is a government backdoor. But - check your threat model - are you really worried about this (even if it was)? This is a design variation (if you freak out about this, you don’t understand the problem).
Link: https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages
Link: https://www.theregister.co.uk/2017/01/13/whatsapp_encryption_concerns/
Link: https://www.schneier.com/blog/archives/2017/01/whatsapp_securi.html

Organizational complexity is the greatest threat to cybersecurity
This article is in a healthcare IT publication, not security - interesting? We know the enemy of security is complexity. Why does it feel like security tends to make things complex?
DtSR Episode 228 - Another Look at Endpoint Security (Jan 18, 2017, 51:11)
This week, Paul Hershberger joins us to talk about taking a fresh look at endpoint security for the new year. Paul has some insights into balancing risk/usability and how some of the things you've heard about endpoint may simply be ... wrong.
Join James and me as we let Paul endow us with his wisdom and experience... take some notes, this one's going to be good.
Guest: Paul Hershberger - @pjhersh13 - Director IT Global Security Risk and Compliance at The Mosaic Company.
DtSR Episode 227 - NewsCast for January 10th 2017 (Jan 13, 2017, 47:42)
St. Jude, MedSec and the FDA
FDA, St. Jude go through disclosure/fix cycle. No mention of MedSec - interesting for discussion; did they have an impact? St. Jude does a fairly great job of notification, updating. “Benefits outweigh the risks”... that’s a big statement.
Link: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
Link: http://www.businesswire.com/news/home/20170109005921/en/St.-Jude-Medical-Announces-Cybersecurity-Updates
Link: http://www.medsec.com/entries/stj-lawsuit-response.html
Link: http://podcast.developsec.com/ep-56-security-contacts

New York financial regulator to delay cyber security rules
Originally supposed to go into effect Jan 1. New date is March 1. We discussed in passing in a previous episode. There are final adjustments being made, of course.
Link: http://www.reuters.com/article/us-cyber-new-york-idUSKBN14A224

Massachusetts makes data breach reports available online
Link: http://turnto10.com/news/local/massachusetts-makes-data-breach-reports-available-online-01-04-2017
Seems less like a report and more of just the quick details of the notification: http://www.mass.gov/ocabr/data-privacy-and-security/data/data-breach-notification-archive.html
How much value does this provide? Finding a company on the list doesn’t indicate its current security posture. Identifying that you did business with a company on the list... not much you can do anyway. Still no indication of what happened, or who was actually affected. Wouldn’t you get an email or snail mail during the original notification procedures?
New Hampshire has done this for a while, except they provide the submitted letters, not just statistics (http://doj.nh.gov/consumer/security-breaches/).
Another article talking about a few other states that do this as well (Washington, Indiana, California): https://www.wired.com/2017/01/states-now-actually-help-figure-youve-hacked/

California passes law making ransomware illegal
Wasn’t it already illegal under the CFAA? The purpose is to make it easier to prosecute rather than being forced to prosecute under other extortion or laundering laws. How does this affect the enterprise? More apt to follow up or file with the FBI or other law enforcement? Will we see more laws like this, where they target specific acts?
Link: http://www.computerweekly.com/news/450410402/California-legislates-against-ransomware

Online databases dropping like flies, with >10K falling to ransomware groups
This was reported earlier in the week (last Monday or Tuesday) and has grown to more than 10K infected in less than a week.
Mongo blog post outlining steps to protect your installation: https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
The security checklist for MongoDB: https://docs.mongodb.com/manual/administration/security-checklist/
Link: http://arstechnica.com/security/2017/01/more-than-10000-online-databases-taken-hostage-by-ransomware-attackers/

TV anchor says live on-air ‘Alexa, order me a dollhouse’ - guess what happens next
Secure defaults? Apparently voice ordering is on by default: https://www.amazon.com/gp/help/customer/display.html?nodeId=201952610
You can turn voice ordering on or off. You can optionally set a confirmation code. The issue here is that it is vocal: couldn’t your kids or someone else close by hear the code? Manage your 1-click settings.
Are people bringing these sorts of technologies into your enterprise? How are you handling it? How does this impact your security?
Link: http://www.theregister.co.uk/2017/01/07/tv_anchor_says_alexa_buy_me_a_dollhouse_and_she_does/

Others
http://ww2.cfo.com/risk-management/2016/12/quantifying-cyber-risks/
http://healthitsecurity.com/news/health-it-overconfident-in-data-breach-detection-remediation
https://hbr.org/2016/12/the-darknet-a-quick-introduction-for-business-leaders
Appropriate for coverage, or do you think just providing a quick mention and the link in the show notes?
DtSR Episode 226 - Targeted Threats Facts From Fiction (Jan 4, 2017, 57:53)
Welcome to the first Down the Security Rabbithole Podcast episode of 2017!
We would like to kick off this year, and the run to episode 250 with an episode that dissects the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, that's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats.
Sit back, grab a coffee and listen. I know you'll want to listen to this one more than once!
If you have a moment, and you actually read the show notes, we would love it if you could give us a rating on iTunes or actually leave a comment on the podcast page. Get engaged on Twitter, using the hashtag #DtSR!
Sergio Caltagirone hunts evil. He spends his days hunting hackers and his evenings hunting human traffickers. After 9 years with the US Government, over 3 years at Microsoft and now at Dragos, Sergio has not only hunted the most sophisticated targeted hackers in the world but also applied that intelligence to protect billions of users worldwide and to safeguard civilization through the protection of critical infrastructure and industrial control systems. He co-created the Diamond Model of Intrusion Analysis, proudly helping thousands of others bring more pain to adversaries by strengthening hunters and intelligence analysts. He also proudly serves as the Technical Director of the Global Emancipation Network, a Non-Governmental Organization, leading a world-class all-volunteer team hunting human traffickers and finding their victims through data science and analytics, working towards saving tens of millions of lives.
You can find Sergio on Twitter at @cnoanalysis
Links: Global Emancipation Network (NGO) - http://www.globalemancipation.ngo/
http://www.activeresponse.org/
DtSR Episode 225 - NewsCast for December 20th 2016 (Dec 21, 2016, 44:37)
Merry Christmas, Happy New Year everyone!
May your holidays be filled with joy, love and family. From Michael, James and myself we wish you the very best and a healthy, prosperous and fulfilling 2017.
We will be back in 2017 with another great DtSR Episode... but before we go - here's one last NewsCast for 2016.
Yahoo - setting records again - biggest hack ever
It happened again: Yahoo says 1 billion user accounts stolen in what could be the biggest hack ever. 1 billion accounts... but 1 billion users? Probably not. It was 2013… does it even matter? Bigger issue - secret questions/answers can't be changed easily (if you're honest, which you shouldn't be). What about the integrity of the Yahoo! brand?

Netgear Routers - Simple fix, Difficult fix
As with most devices that weren’t designed to be updated… The software fix (firmware) is quite easy according to Netgear. Problem is… how to get users to install it.
Link: http://kb.netgear.com/000036386/CVE-2016-582384

Microsoft Patches dangerous backdoor in Skype for Mac OS X
Issue on Mac only. Use of an unused or outdated API that provided access.
Link: http://www.darkreading.com/vulnerabilities---threats/microsoft-patches-dangerous-backdoor-in-skype-for-mac-os-x-/d/d-id/1327712

Flash being relegated by MS’s Edge browser… is it time?
So many vulnerabilities in Adobe Flash, exploitable. Chrome already has click-to-run. The next version of Edge will do click-to-run. Should we just nuke Flash? Isn’t HTML5 prime-time already?
Link: http://arstechnica.com/information-technology/2016/12/flash-will-become-click-to-run-in-edge-chrome-in-2017/
DtSR Episode 224 - Pointing the Finger of Responsibility (Dec 14, 2016, 01:07:23)
On this episode of Down the Security Rabbithole we tackle the question head on. Whose responsibility is security? Is it the end user who should be responsible for patching the devices they own? Is it the vendor who sells the wares? Is it the manufacturer who sells things with security issues?
What if it was everyone's problem? How do we police, legislate and ultimately assign blame? Should we be assigning blame, and more importantly what gives with this fascination for blaming the victim?
Lots of questions are asked and we start to tackle some of the answers...maybe.
Guests: Shawn Tuma (@shawnetuma), Jonathan Nichols (@wvualphasoldier), Dave Dittrich (@davedittrich), Mark Zelcer (@markzelcer)
DtSR Episode 223 - NewsCast for December 6th 2016 (Dec 7, 2016, 48:52)
Federal Government Disproves the Myth of Cyber Talent Shortage
If the government can find and hire them - they exist. What does that mean for the rest of us hiring?
Link: https://cio.gov/how-to-snag-talent-to-fill-critical-cybersecurity-positions-at-your-agency/

5 Mistakes to Avoid to Hire Qualified Application Security Talent
Not understanding current needs
Ignoring existing resources
Not sharing the workload
Not defining the role
Overly broad job requirements
General idea: we say we need security talent, but we don’t step back to really understand what we actually need given our current status and resources.
Link: https://www.jardinesoftware.com/5-mistakes-to-avoid-to-hire-qualified-application-security-talent/

Obama Cyber Security Commission to [Finally] Present Its Report
Seems like lots of fluff. But is there any actual substance here?
Protect, defend, and secure today’s information infrastructure and digital networks
Innovate and accelerate investment for the security and growth of digital networks and the digital economy
Prepare consumers to thrive in a digital age
Build cybersecurity workforce capabilities
Better equip government to function effectively and securely in the digital age
Ensure an open, fair, competitive, and secure global digital economy
Link: http://thehill.com/policy/cybersecurity/308332-presidential-commission-on-cybersecurity-to-present-final-report-friday

The First Question Security Leaders Need to Ask Before the Breach Happens
Article by Michael, gets to the heart of the matter. Turns out, figuring out what matters is hard work.
Link: http://www.csoonline.com/article/3146560/leadership-management/the-first-question-security-leaders-need-to-ask-before-a-breach-happens.html

Amazon Unveils Anti-DDoS Service for Customers
The company is offering two levels of protection. AWS Shield Standard monitors incoming web traffic for customers and uses anomaly algorithms and other analysis techniques to detect malicious traffic in real time. The company also announced AWS Shield Advanced, a version designed to protect against more aggressive and sophisticated attacks. This is big news - because DDoS has become an effective tool of cyber extortionists.
Link: http://www.wsj.com/articles/amazon-cloud-computing-division-unveils-new-cyber-security-service-1480620359
DtSR Episode 222 - Zero Trust Security Model (Nov 30, 2016, 54:26)
This week, after a long wait, we have John Kindervag on the show! John talks us through the concept of "Zero Trust Security" and where and how it's implemented. It's a concept everyone should be familiar with by now - but I bet you aren't!
Join us, and as always provide feedback to the team using the hashtag #DtSR on Twitter, and you can always ping John directly at @Kindervag as well.
DtSR Episode 221 - NewsCast for Nov 22 2016 (Nov 23, 2016, 45:27)
DHS Releases Strategic Principles for Securing the Internet of Things
Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
These seem to be the same principles that we have been saying for all software (web, mobile, etc.). NIST also has a more generic publication, 800-160. What is the implication for the enterprise? Do we prioritize anything differently as a result? What about the “need” for IoT legislation? Is the marketplace “broken?” If “we’ve told people before” but “they didn’t listen,” does that actually mean they are wrong? This is an area where we need to think about what we’re actually asking for.
Link: http://thehill.com/policy/cybersecurity/306418-house-subcommittee-chair-regulation-of-internet-connected-devices-not

Facebook buys black market passwords to keep your accounts safe
Password reuse is the single greatest cause of harm? Really? Sounds too much like a lab experiment, rather than a legitimate use of capital.
Link: https://www.cnet.com/news/facebook-chief-security-officer-alex-stamos-web-summit-lisbon-hackers/

Michael just got back from Boston, hosting a CISO Leadership Conference. We discuss the trends that came up… just the trends:
Importance of a shared vision between the business and information security
Placing a higher value on skillsets vs. specific certifications/experience when seeking team members
How to enable the business and minimize asset loss
Creating a roadmap and measuring metrics/progress
Importance of reputational risk within an organization
Educating the board on your roadmap progress and threats, while keeping communication functional
Many organizations are placing a higher value on selecting the right cyber insurance
Challenges around third party vendor management
DtSR Episode 220 - Blaming the Breach Victim (Nov 15, 2016, 44:45)
This week, Patrick Dennis - the CEO of Guidance Software - joins us to talk about the Enterprise Security world's fascination with blaming the breach victim. We talk through some of the key issues and look for a way off the hamster wheel.
As always, #DtSR on Twitter to join in our conversation.
DtSR Episode 219 - NewsCast for Nov 8th 2016 (Nov 9, 2016, 47:57)
It is election day... Have you voted?

Beware, iPhone Users: Fake retail apps are surging before the holidays
The issue of brand protection and knock-off websites, apps and such is real. Spilling over into the digital world from the physical. What is your company doing to protect yourself and your customers?
Link: http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html?_r=0

Moving Beyond EMET
EMET is going away… in a while. Most of the features are now built into Windows 10. This is a great thing (built-in vs. bolted-on security).
Link: https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/

Tesco Bank blames ‘systematic sophisticated attack’ for account losses
Fraud system appears to be working - good. ~40,000 accounts affected, ½ of those lost money. Tesco is putting funds back, making things right. Core banking assets don’t appear compromised; ATMs and such still work. Potentially an issue with the website, fixable.
Link: http://www.bbc.com/news/business-37891742

Google Discloses “Critical Flaw” in Microsoft OS 10 Days After Notifying
Microsoft upset at Google. Google says it meets their 7-days-to-disclosure policy from 2013. How do you even patch an issue in 7 days - or write up a mitigation if there is none? Is your company prepared to deal with this type of thing?
Link: http://www.computerworld.com/article/3137192/security/google-clashes-with-microsoft-over-windows-flaw-disclosure.html
DtSR Episode 218 - The Business of Security (Nov 1, 2016, 51:49)
This week on DtSR Chad Boeckmann - President of Secure Digital Solutions - joins us to talk about the business of security. While the "bad guys" are running their criminal enterprise, security teams have struggled to be business-relevant. This discussion starts to dive into how to align security and business goals, answering the "how much is enough?" question and so much more.
Thanks to Chad for joining us. We encourage you to ask questions and leave comments here in the comments section or on Twitter at #DtSR. You can talk to Chad directly at @cboeckm on Twitter.
DtSR Episode 217 - NewsCast for October 25th 2016 (Oct 25, 2016, 47:35)
The Massive DDoS That Hit Dyn.Org
Massive DDoS disrupts a ton of popular websites (Netflix, Twitter, etc). IoT used to amplify the attack. What does this mean for corporate users, home users, and vendors?
Link: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

Verizon Reviewing Terms of Yahoo Deal As Revenue Slides
Is this really the result of the breach, or did someone just get cold feet? We’re speculating, but we’ve heard this type of talk before. To be honest, Yahoo! saw a rise in earnings over what was projected.
Link: http://www.wsj.com/articles/verizon-revenue-falls-below-views-1476966420

Passwords - We’re Still Giving Out Horrible Advice
Why are companies still making their end-users follow ridiculous policies? Selfies? Is that a viable replacement?
Link: http://www.wsj.com/articles/companies-try-out-selfies-as-password-alternatives-1476661046
What about SMS as an OTP replacement that NIST ‘deprecated’?
Link: https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/

St. Jude Medical to Create Cybersecurity Advisory Board; Muddy Waters Releases More Vulnerability Allegations
The ‘fight’ between the short-sell firm and St. Jude Medical is back. Smack in the middle is "MedSec". St. Jude is in the middle of acquisition by Abbott Labs. What’s the real goal? This is starting to feel ugly. When vendors and researchers fight, patients lose - end of story. What is the happy ending here?
Link: http://www.bloomberg.com/news/articles/2016-10-19/st-jude-faces-new-safety-charges-from-muddy-waters-capital
DtSR Episode 216 - Why Software Insecurity is Still a Thing (Oct 20, 2016, 46:46)
This week, #DtSR takes a trip down Software Security lane or as some call it "How are we still writing code with bugs that we found relatively concrete fixes for in the late 90's?" (I may have been watching too many John Oliver episodes...)
Jeff Williams ( @Planetlevel ) and Tyler Shields ( @txs ) join me to talk this topic over from where we've been, to what we're doing now, to what the solution to this mess will be one day in the future. It's an interesting conversation that should stir up some emotion if you've been in AppSec or software security as there really are no docile opinions on this topic (or many others in security, unfortunately).
Plug in, listen and enjoy.
DtSR Episode 215 - NewsCast for October 11th 2016 (Oct 12, 2016, 58:38)
‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests
Link: https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
Is this indicative of the broader population? (Someone check the sample size?) What does this tell us about enterprise vs. consumer security thinking? Is security to blame?

Our insulin pumps could be hacked, warns Johnson & Johnson
Link: http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/
Big hat-tip to Jay Radcliffe (@jradcliffe02) for what appears to be a very well-orchestrated and sane disclosure. What is the added cost of proper authentication and secure communication? Let's use this as a teachable moment, minus the typical FUD, for product development teams.

FBI arrests NSA contractor who stole sensitive data
Link: https://www.justice.gov/usao-md/pr/government-contractor-charged-removal-classified-materials-and-theft-government-property
Doesn’t appear to be any links to Shadowbrokers. We recently did a podcast on insider threat - more relevant now than ever? Do you trust your employees? How do you spin this to protect your company in your culture?
DtSR Episode 214 - Financial Impact of Breaches (Oct 4, 2016, 50:17)
Grab a cup of coffee, jack in your earphones and listen up.
DtSR Episode 214 is addressing the issue of breaches, and their material financial impact to an organization.
The premise is simple - when you have a breach, are you going to see massive stock price drop, client exodus and so on? We sit down with legal expert and DtSR regular Shawn Tuma and researcher Jon Nichols to talk this through with James, Michael and yours truly.
Check this episode out. It may sting a bit, but once you come to grips with its reality - the world looks a little different.
DtSR Episode 213 - NewsCast for September 27th 2016 (Sep 27, 2016, 51:03)
Quick update and invitation from Michael: starting to explore rolling out services and improving the Straight Talk Framework. If you’re up to discuss with me - I’ll offer a brief overview and then a “setup for Straight Talk” review to explore how to get you started. It’s a real offer because I know we’ll both learn. And then I’ll get a better sense of where to focus and how to help more people in our industry.
Note on Yahoo: we’ll talk to Shawn later.

How are Healthcare Data Breach Victims Affected by Attacks?
It opens with some hype: “Healthcare cybersecurity attacks are much more prevalent and common because the industry typically has weaker approaches to data security, states”
What’s to like? Maybe? → someone is working to explore the potential actual harm from breaches. This article, however, is just an attack. Why it matters? People read this stuff. They reinforce it. Fiction becomes fact because it gets repeated so much.
Link: http://healthitsecurity.com/news/how-are-healthcare-data-breach-victims-affected-by-attacks

We're told data breaches cost millions on average - but this security study disagrees
I routinely push back on the Ponemon $$ thrown around each year. The conclusion here concerns me - feels like we leapt too far -- that now no one will invest in security? Stop it. That’s not what it means. It means we have to seek better alignment, understand and measure our value better, and focus on creating value instead of just doing things. It also means maybe the regulations need to slow down a bit. They do nothing but distract focus and waste money. And yeah, I get it - this sort of “research” is a call for more regulation because otherwise, no incentive. That’s rubbish.
Link: http://www.zdnet.com/article/were-told-data-breaches-cost-millions-on-average-but-this-security-study-disagrees/
Link: http://www.csoonline.com/article/3120851/leadership-management/security-leaders-need-to-stop-chasing-risk-catnip.html

NIST launches self-assessment tool for cybersecurity
Boosters say the document will help specialists explain the importance of cybersecurity to the company's bottom line — the "holy grail" of business cybersecurity. But some critics have questioned how useful it will be to smaller companies. “NIST Cybersecurity Framework — a document that catalogues the five areas of cybersecurity every company needs to know: identify, protect, detect, respond and recover.” I like these five. Need to check out the process itself. It’s open for comment. Personally, I’d love to hear from our audience: Using the NIST framework? Checking out the tool? Planning to make comments?
Link: http://fedscoop.com/nist-launches-self-assessment-tool-for-cybersecurity

House to vote on cyber bill for small businesses
Like the concept, skeptical of the implementation. SBDC is a mixed bag for businesses and startups. What sort of “cyber” are they offering, and why?
Link: http://thehill.com/policy/cybersecurity/296612-small-business-cyber-bill-to-house-floor-wednesday
DtSR Episode 212 - Insider Threat Primer (Sep 20, 2016, 51:29)
In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party.
Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning.
Listen in, comment and share with your colleagues! Our show is always safe for the office and educational.
Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!
DtSR Episode 211 - NewsCast for Sept 13th 2016 (Sep 15, 2016, 48:02)
Chrome to label more sites as insecure in 2017
Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Focus on sites that transmit passwords or credit card info over HTTP.

A USB Device is all it takes to steal credentials from locked PCs
Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html
This is actually pretty interesting, but a little trickier than it sounds. Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors.

DHS chief: 'Very difficult' for hackers to skew vote
Link: http://thehill.com/policy/national-security/294956-homeland-head-very-difficult-for-hackers-to-skew-vote
Instead of dismissing the claim, let’s explore the merits. Then let’s consider what, if anything, it means for enterprise security.
“It would be very difficult through any sort of cyber intrusion to alter the ballot count, simply because it is so decentralized and so vast,” he said, noting the series of state, local and county systems involved in running elections. “It would be very difficult to alter the count.”
Decentralized and vast - the merits. How many companies make the systems - so is it as decentralized as we’d like? How much of what you do in the enterprise is decentralized? What are your points of failure - or the easy pathways to attack? If someone did alter the vote… would we know? How would we know? What’s the impact of appearing to alter the vote? Depending on your organization… how would you handle the same sort of situation? How would you convey confidence to the executives and board?

Big business worried more about data loss than hackers – survey
Link: http://www.ibamag.com/news/cyber/big-business-worried-more-about-data-loss-than-hackers--survey-37489.aspx
This might feel like a “surprise” or a “shake your head” moment; but maybe it’s a signal of where we need to focus. If you’re in the enterprise, where (and how) would you rank the concerns? What is the impact from data loss, relative to a “breach”? And then note: “But 15% of the companies Wells Fargo surveyed don’t require any employee training on cyber security, according to the report.” That’s because the industry still botches this; I’m finally going to write up a series on this - and I’ll time it for October - make something productive out of security awareness month. Overall, this signals a need to seek better alignment with the executives and board; might I say… you need some straight talk.

Obama Names Retired Air Force General as First Federal CISO
Link: http://www.bankinfosecurity.com/obama-names-retired-air-force-general-as-first-federal-ciso-a-9387
Position so broad… is it even useful? Some notes of interest: General Officer (1 star). Among Touhill's past positions was a 2-year stint as CIO and director of C4 systems, the nation's military transportation combatant command. He also served for nearly 1½ years as CIO and director for communications and information for the air mobility command. He retired from the Air Force in 2005 after nearly 22 years of service. Reports to Federal CIO -- based in White House Office of Management & Budget. So they see this as a tech play only? “...in the blog, say Touhill will leverage his considerable experience in managing a range of complex and diverse technical solutions with his strong knowledge of civilian and military best practices, capabilities and human capital training, development and retention strategies.” So basically… we have no idea what he’s doing or why. Only has 4 months. Window dressing?
DtSR Episode 210 - Data Protection Primer (Sep 7, 2016, 51:48)
In this episode James and I invite Vlad Klasnja from Optiv's Office of the CISO, and Hudson Harris, Chief Privacy Officer at HarrisLOGIC, to talk about data protection. From defining the concept to providing some insight into how we can actually protect confidential information - we talk through a lot of complex issues in this segment. Join us!
Guests: Hudson Harris - Chief Privacy Officer at HarrisLOGIC; Vlad Klasnja - Data Protection and Privacy Manager at Optiv
DtSR Episode 209 - NewsCast for August 29th 2016 (Aug 30, 2016, 59:44)
NewsCast for Tuesday August 30th, 2016
Clinic Won’t pay breach protection for victimshttp://www.zdnet.com/article/clinic-wont-pay-breach-protection-for-victims-ceo-says-it-would-be-death-of-company/ Are companies required to pay for credit protection? It is common, but is it required? Can a class action suit succeed to force it? Will that matter if they just declare bankruptcy? If not.. What is the purpose to filing the suit?
California Bill would add security standards to data breach lawhttps://bol.bna.com/california-bill-would-add-security-standards-to-data-breach-law/ But what is reasonable… it can’t just be what a reasonable company would implement. Bill Text - https://legiscan.com/CA/text/AB83/2015 Is this going too far? Is it too broad? Is it enforceable?
St. Jude stock shorted on heart device hacking fearshttp://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV We were trying to build a relationship between testers and organizations.. This is a step backwards for building that trust.
A Temperature-check on the state of application securityhttp://www.darkreading.com/application-security/a-temperature-check-on-the-state-of-application-security/d/d-id/1326727 Where should appsec budget be? With responsibility being in the application teams, should much of it be there and not accounted for in security? Training, tools, etc?
Important Apple patch for ‘Trident’
http://www.zdnet.com/article/apple-releases-important-security-update-for-iphone-after-malware-found/
Key in on: “install spyware and remotely jailbreak without user knowledge” … oye
The attack sequence, boiled down, is a classic phishing scheme: send a text message with a link, the victim opens it in the browser, the page exploits the three chained iOS vulnerabilities (hence 'Trident'), and the payload installs persistent software to gather information. This happens invisibly and silently, so victims do not know they’ve been compromised.
DtSR Episode 208 - Beyond the Ransomware EconomyAug 23, 2016 41:55
This week Michael and I chat with Jamison Utter of Infoblox on one of the more interesting topics at hand - the economy of ransomware. We talk through the sudden popularity of the attack vector, the way the underground "criminal enterprise" has scaled and grown and the future of being a bad guy.
If you have occasion to talk to your organization's leadership on the ransomware epidemic, you need to listen to this podcast first.
DtSR Episode 207 - NewsCast for August 16th 2016Aug 18, 2016 47:55
Quick note from Michael about the Straight Talk Framework & Program -- >
Get your free copy at https://securitycatalyst.com/straight-talk-framework/
Launched a new program last week… boy, did I learn a lot. Mostly, it’s my failure to explain. I’m going to chronicle some of the lessons over the next few days and share them.
If you’ve already downloaded the questions - I’d love to chat with you about your experience… If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit.
Until Monday, August 22nd, chance to get on board early and benefit yourself; I’ve got a lot to share this week and into the future. We’re at the start of something big!
Microsoft Accidentally Leaks 'Golden Keys' That Unlock Secure Boot-Protected Windows Devices: Oops?
http://www.techtimes.com/articles/173282/20160811/microsoft-accidentally-leaks-golden-keys-that-unlock-secure-boot-protected-windows-devices-oops.htm
Bottom line: backdoors always get discovered and compromised. (The leaked 'key' is a Microsoft-signed Secure Boot debug policy that turns off signature enforcement; because the policy itself is validly signed, revoking it is far harder than blocking one bad binary.)
Another takeaway: key management sounds easy and rarely is. If you need to manage signing keys in your enterprise, don't try to build this yourself.
The Future Of ATM Hacking
http://www.darkreading.com/endpoint/the-future-of-atm-hacking/d/d-id/1326549
We didn’t have a problem, but we went ahead with the solution. Looking back on it, imagine some straight talk on this fiasco?
Yes, I realize some of you like the elegance of chip + PIN; do you like the UX? Because it sucks. And if you lament the mag stripe, does that mean you stopped using a terrestrial radio, too?
Our need as leaders - in the enterprise and across the industry - is to focus limited energy and assets on the areas that create the most value.
Apple will reward hackers with "bug bounty" to find flaws
http://www.smartbrief.com/s/2016/08/apple-will-reward-hackers-bug-bounty-find-flaws-1
The more we press on it, the more we understand that bug bounties and the like are just externally sourced (on spec) testing.
If you caught our last interview, we continued to explore the distinctions between research and testing; and rest assured, we’ll continue.
When it comes to bug bounties, then, how does Apple do relative to structuring the deal of testing their software and devices?
Turbulence Ahead: Delta Computer Outage Is Just The Start, Say Experts
http://www.fastcompany.com/3062831/turbulence-ahead-delta-computer-outage-is-just-the-start-say-experts
Have you noticed the recent reaction to just about anything? Hacking? Terrorists? Terrorists hacking?
The reality? Our landscape and demands continue to evolve.
Why does it matter to security? Well, aside from getting blamed? We have an opportunity to proactively address these challenges.
Risk vs reward – when good data becomes dangerous
http://www.information-age.com/technology/data-centre-and-it-infrastructure/123461821/risk-vs-reward-when-good-data-becomes-dangerous
I like this article because it lays out some facts and figures - useful when engaging in discussions on the topic.
It does make the mistake of focusing on the breach - in words; the examples chosen do not make the same mistake…
The balancing act is capturing what is necessary for the organization to improve and to grow; then it needs to be protected accordingly.
Chief Security Officer May Be The Job Of The Future That No One Wants
http://www.fastcompany.com/3060778/the-future-of-work/companies-are-scrambling-to-fill-data-security-jobs-that-no-one-wants-to-
Stop with Target. Just stop.
The solution? Leadership. This is where Michael spends just about all his time. I actually just wrote about this: https://securitycatalyst.com/ready-improve-security-earn-respect-leadership/
Security leaders face 3 challenges:
Leadership challenges
Security complexity
Organizational friction
DtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and SecurityAug 10, 2016 01:01:22
In this episode we chat with Steve Christey Coley currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues.
This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us:
Steve on Twitter: @SushiDude
Hashtag for the show: #DtSR
Steve's Bio (from LinkedIn - https://www.linkedin.com/in/steve-christey-coley-66aa1826):
Editor / Technical Lead for the Common Vulnerabilities and Exposures (CVE) project; Technical Lead for the Common Weakness Enumeration (CWE); co-author of the "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002; participant in Common Vulnerability Scoring System (CVSS) and NIST's Static Analysis Tool Exposition (SATE). My primary interests include secure software development and testing, understanding the strengths and limitations of automated code analysis tools, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research.
Specialties: Vulnerability research, vulnerability management, software security.
DtSR Episode 205 - NewsCast for August 2nd 2016Aug 6, 2016 42:47
Quick note from Michael about the Straight Talk Framework -- >
I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way!
To support both the framework and the programs, I’ve just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video.
I’m about to launch an online offering… stay tuned for details.
$2.7 Million HIPAA Penalty For Two Smaller Breaches
http://www.healthcareinfosecurity.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270?rf=2016-07-18-eh&mkt_tok=eyJpIjoiWW1GaE5ERmtNR05oTldRMiIsInQiOiJ5YWd6dDg4cW84TXVCR0NCVkJ0KytQTnVwOHQ2UHBON0FMeWVZRDVleE82d3Zpdyt2S1RwNWFmZEs0aVRyQ3lMTlk3YWdaa0VmbnV4djVIOVVxczFUYkdsTHBKRGpld3h5bXU3aHRoNnhUaz0ifQ%3D%3D
Interesting: the info about the use of Google and the lack of a contract (business associate agreement). How many other health companies are using Google or Microsoft to store some data? Do they have the contracts in place?
Is the GOP seriously considering endorsing vigilante hacking?!
http://www.inforisktoday.com/blogs/gop-platform-suggests-hack-back-suitable-cyber-defense-p-2186
The wording here is dangerous, and could encourage vigilante justice.
So much could go wrong here, so much collateral damage.
You’ll likely hear a re-start of the hack-back debate.
What if we just called it “forward looking research in a kinetic state?”
NIST declares the age of SMS based 2-factor authentication over
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/
Recommendation: use an app (like Google Authenticator), an RSA token or something similar rather than SMS.
How will this affect all of the financial institutions that have SMS-based 2-factor? Even Google supports both SMS and app-based.
This is an interesting change. It appears in the public-comment draft of NIST SP 800-63B, so it is not yet final, and it’s not a ban; it’s a realization that, through VoIP and the general way our phone system is built, out of band isn’t as out of band as we’d think/like.
http://krebsonsecurity.com/2016/08/social-security-administration-now-requires-two-factor-authentication/
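What the recommended authenticator app actually does, as an added example written for these notes (not code from the show, from NIST or from any authenticator vendor): an RFC 6238 TOTP generator plus the server-side verifier, checked against the RFC's own test vectors. The base32 seed in the demo is a constructed value, and the last_counter bookkeeping in verify_totp is an assumption about how a server would store state; the draft does not prescribe it.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> N digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Phone and server share only the seed and a clock; no code ever crosses
    the phone network, which is the whole difference from SMS."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched counter, or None.

    - tolerates +/- `window` steps of clock skew between phone and server
    - refuses any counter <= last_counter, so a code that was already redeemed
      (or an older one still inside the window) cannot be replayed
    - compares in constant time
    The caller must persist the returned counter per user (assumption: that
    is how the server keeps replay state)."""
    if len(code) != digits or not code.isdigit():
        return None
    now = at // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with the seed as base32 (otpauth:// URI)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding that QR codes drop
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    seed = secret_from_base32("JBSWY3DPEHPK3PXP")  # constructed demo seed
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code)
    print("verified as counter:", verify_totp(seed, code, now))
    print("replayed, after storing that counter:", verify_totp(seed, code, now, last_counter=now // 30))
```

The attacks that make SMS weak (SIM swap, SS7 redirection, VoIP number takeover) have nothing to act on here, because the code is computed on the device from the seed and the clock. What remains is seed provisioning (protect the QR code and the stored seed) and replay inside the skew window, which is why the verifier stores the last accepted counter.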
The Ninth Circuit holds that accessing a website after receiving a cease-and-desist order does violate the CFAA
http://www.lexology.com/library/detail.aspx?g=b042e35f-c9af-4bf4-a3bd-82204189be55
Curious if the reverse is true, then. And how bug bounties and other programs might create the invitation for people.
A “famed hacker” is grading thousands of programs
https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/
DtSR Episode 204 - On Changing CultureJul 27, 2016 44:09
This week, Chris Romeo joins Michael, James and I to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term.
Chris Romeo's bio:
Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012. Chris has twenty years of experience in security, holding positions in application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications, and is a frequent conference speaker at RSA and AppSec.
DtSR Episode 203 - NewsCast for July 19th 2016Jul 19, 2016 52:06
Researchers have come up with a 'cure' for ransomware
http://www.scmagazineuk.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509147/
Based on some interesting things like file-type changes, similarity measurements and entropy.
Interesting but not perfect ... do we even think perfect is reachable?
Average of 10 files before an identification was made.
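The three indicators named above (file-type change, similarity, entropy), as an added example written for these notes and not the researchers' own tool: each overwrite is scored on all three, and an alert fires once enough files look like they have been encrypted. The sample documents, the toy XOR "cipher" standing in for real ransomware, the 2-of-3 scoring rule and the thresholds are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

# Leading bytes of a few common formats (constructed table, not exhaustive).
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0": "ole/office97",
    b"\xff\xd8\xff": "jpeg",
}


def sniff(data: bytes) -> str:
    """File-type guess from magic bytes; ASCII-only content counts as 'text'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Ciphertext (and compressed data) sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets: a cheap stand-in for similarity digests."""
    ga = {a[i:i + n] for i in range(len(a) - n + 1)}
    gb = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


@dataclass
class RansomwareDetector:
    """Scores each overwrite on three indicators; alerts once enough files look encrypted."""
    threshold: int = 10                     # files flagged before alerting (the article's ~10)
    flagged: dict = field(default_factory=dict)

    def observe_write(self, path: str, before: bytes, after: bytes) -> list:
        hits = []
        if sniff(before) != "unknown" and sniff(before) != sniff(after):
            hits.append("type-change")
        if shannon_entropy(after) > 7.5 and shannon_entropy(before) < 7.0:
            hits.append("high-entropy")
        if similarity(before, after) < 0.1:
            hits.append("dissimilar")
        if len(hits) >= 2:                  # one indicator alone is too noisy (e.g. "save as .zip")
            self.flagged[path] = hits
        return hits

    def alert(self) -> bool:
        return len(self.flagged) >= self.threshold


# --- constructed sample data so the block runs stand-alone ---
def sample_document(i: int) -> bytes:
    return (f"Report {i}: " + "The quick brown fox jumps over the lazy dog. " * 60).encode()


def fake_encrypt(data: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """Deterministic XOR with a SHA-256 keystream; stands in for the ransomware's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], ks))
    return bytes(out)


if __name__ == "__main__":
    det = RansomwareDetector(threshold=3)
    doc0 = sample_document(0)
    print("benign edit:", det.observe_write("notes.txt", doc0, doc0 + b" Addendum."))
    for i in range(1, 4):
        doc = sample_document(i)
        print(f"doc{i}:", det.observe_write(f"doc{i}.txt", doc, fake_encrypt(doc)))
    print("alert:", det.alert())
```

The "not perfect" caveat shows up immediately in the scoring: a user who saves a text document as a compressed archive trips both the type-change and the entropy indicators, and by the time the alert fires some files are already gone, which is why the article reports an average of about ten files lost before identification.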
The government has officially issued a 'fact sheet' on ransomware
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Yes, it's a reportable breach: the fact sheet presumes a breach of PHI once it is encrypted by ransomware, unless a risk assessment shows a low probability the data was compromised.
Lots of interesting misconceptions (or half-truths) in this guidance.
Good for them for asking us to 'do better', but it's not enough.
Go read for yourself!
Pokemon Go! - a neat idea with big potential issues
http://abcnews.go.com/Business/hit-app-pokemon-raises-security-concerns-google-account/story?id=40524454
First there are the privacy and security implications.
Then there is the app that wants every permission known to man.
Physical security and well-being issues?
FDIC hacked but covered it up, didn't report
http://thehill.com/policy/cybersecurity/287561-chinese-government-likely-hacked-fdic-report
Perfect example of "the cobbler's children have no shoes".
The FDIC is consistently terrible, and does little to close the gaps.
Obviously, it was China.
The Fiat/Chrysler bug bounty program
https://www.wired.com/2016/07/chrysler-launches-detroits-first-bug-bounty-hackers/
They will only pay you $1,500.
Lots of uproar about how the pay-out isn't enough, but there is so much more here.
Lots to unpack, including issues with complexity on the enterprise side.
DtSR Episode 202 - Outsourced but BetterJul 13, 2016 45:53
This week on the Down the Security Rabbithole podcast, Brandon Dunlap is back for his second show. Following up on Episode 158 where we discussed outsourced security, this time around we talk through the next iteration of what "Managed Security" and outsourcing means to security.
You're not going to want to miss this episode!
As always, hit up our hashtag on Twitter at #DtSR and you can find Brandon on Twitter as well at @bsdunlap if you want to talk to him directly.
DtSR Episode 200 - Privacy, Security, Risk and Law CollideJun 28, 2016 01:10:12
** Our 200th numbered episode! **
A note from Raf:
Thanks to everyone who has been listening to us, tweeting us, and sharing the links to our podcast. We are absolutely floored with the support and listenership we've received. The average show now gets just under 2,500 downloads when released in the first week, and that number goes up every week. So from the bottom of my heart, I humbly thank you and hope you'll continue to listen, share, and comment.
This week's episode is titled "Privacy, Security, Risk and Law Collide" as we host Dr. Chris Pierson and our recurring legal eagle from the great state of Texas, Shawn Tuma. If you don't have Shawn added on Twitter, you should go follow him right now.
In this week's episode we discuss the increasingly overlapping world of what was once "IT security" which has now started coming together with privacy, risk and law. Chris is uniquely poised to talk on the subject, as you will hear his credentials speak for themselves. You'll want to get comfortable, pay attention, and give this episode a careful listen as we take you down the security rabbithole for the 200th time.
Guest:Dr. Chris Pierson, CSO and General Counsel, Viewpost
Dr. Chris Pierson is the EVP, Chief Security Officer & General Counsel for Viewpost. Dr. Pierson serves on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee and is a Distinguished Fellow of the Ponemon Institute. Previously, Chris was the first Chief Privacy Officer, SVP for the Royal Bank of Scotland’s U.S. banking operations, leading its privacy and data protection program. Chris was also a corporate attorney for Lewis and Roca, where he established its Cybersecurity Practice representing companies on security and data breach matters. Chris is a graduate of Boston College (B.A., M.A.) and The University of Iowa (Ph.D., J.D.), gives keynotes and speaks at national events, and is frequently quoted on cybersecurity.
DtSR Episode 199 - NewsCast for June 21st 2016Jun 21, 2016 51:36
In this episode..
The "Nuclear Bomb" analogy isn't working, stop using it
http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179
This is important with respect to how security people talk about real-life issues.
Here is another example: http://insight.kellogg.northwestern.edu/article/is-reading-someones-emails-like-entering-their-home/
iOS apps will require secure HTTPS connections by 2017
http://www.cnet.com/news/ios-apps-will-require-secure-https-connections-by-2017/
We have seen this push on the web before.
Michael wrote about this topic back in March 2015 (https://www.developsec.com/2015/03/17/is-http-being-left-behind-for-https/)
Saw the government push this for all public-facing websites (https://https.cio.gov/)
Inside Sierra: How Apple Watch “auto unlock” will let you jump straight into macOS
http://appleinsider.com/articles/16/06/16/inside-sierra-how-apple-watch-auto-unlock-will-let-you-jump-straight-into-macos
Interesting idea here... Thoughts?
FICO to Offer 'Enterprise Security Scores'
http://www.fico.com/en/fraud-security/cyber-security
http://www.fico.com/en/products/fico-enterprise-security-scoring
Is this something you’d do? Do you trust it?
Breakthrough we’ve been waiting for? Or a mysterious approach that ultimately creates complexity, but little benefit?
Why don't banks care more about credit card security?
http://thehill.com/blogs/congress-blog/economy-budget/282778-why-dont-banks-care-more-about-credit-card-security
This suggests that if banks really cared, we’d go all chip and PIN, not just chip and sign.
Ranty time: morons
Cisco launches $10 million scholarship to tackle cybersecurity talent shortage
http://venturebeat.com/2016/06/14/cisco-launches-10-million-scholarship-to-tackle-cybersecurity-talent-shortage/
Newsflash: everyone has a hiring shortage, in all industries.
People we’ve worked with… no problems -- because they know what to look for.
Still, this is helpful.
We're just tired of “we can’t find enough people” → yet not a lot of technology advances, ways to educate/train, etc.
DtSR Episode 198 - What Legal Counsel Wishes CISOs KnewJun 15, 2016 48:32
On this episode of the Down the Security Rabbithole podcast, Dawn-Marie Hutchinson, currently an Executive Director within the Optiv Office of the CISO joins us and we talk about the things that she's learned over her career working with legal counsel, CISOs and solving problems. A fantastic episode with lessons learned, and executive leadership crammed into less than an hour. Give it a listen!
Find Rie on Twitter at @CISO_Advantage
UPDATE: Thanks to Sean Jackson (@74rku5) who has hand-transcribed the show. I haven't read this, personally, so if he slipped in any humor I can't be held accountable!
DtSR Episode 197 - NewsCast for June 7th 2016Jun 8, 2016 48:17
In this episode...
Are people "going offline" as a result of the increasing dangers of the Internet?
This article makes the case for yes: http://www.techspot.com/news/64839-increasing-number-internet-dangers-driving-millions-americans-offline.html
But ... "millions"? We collectively call BS.
As the world moves more to mobile and digital, who thinks they have 'control' of their own data anyway?
"Sandjacking" allows attackers to install evil iOS appsIF that attacker is physically holding your device AND your device is unlocked AND it takes a while because you have to backup, and restore a phone ... one app at a time SO this isn't something you do to infiltrate someone's phone while they walk away for a few minutes to the restroom Cool trick bro, but where on the spectrum of critical things does this fall? The technique is called "Su-A-Cyder" ... awful name, lose points http://www.securityweek.com/sandjacking-attack-allows-hackers-install-evil-ios-apps
Dropbox takes heat for a breach that wasn't their breach
http://krebsonsecurity.com/2016/06/dropbox-smeared-in-week-of-megabreaches/
So what happens when you get blamed for a breach that you don't have anything to do with?
What would YOUR company do if you were Dropbox?
Lenovo's asking people to uninstall its bloatware "Accelerator" app
http://www.zdnet.com/article/lenovo-begs-users-to-uninstall-accelerator-app-in-the-name-of-security/
...because it's a massive security breach waiting to happen.
Of all the bloatware vendors install, I'm willing to bet this isn't unique.
[Michael] Hey, at least they're admitting defeat here, right?
[Raf] Does no one sense the delicious irony of a Chinese PC maker riddled with security issues in their product?
DtSR Episode 196 - Jason WittyMay 31, 2016 43:55
On this episode of the Down the Security Rabbithole podcast, I get the pleasure of sitting down with one of my all-time favorite Chief Security Executives, Mr. Jason Witty. He's had a long career of successful security leadership, and in this podcast he sits down with us to talk about risk, threats and words we often confuse.
You're not going to want to miss this episode.
DtSR Episode 195 - NewsCast for May 24th 2016May 24, 2016 54:49
This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking.
Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast!
Tennessee Amends Breach Notification Statute
http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute
Removes the exception for encrypted data. Will this raise the costs to companies?
Encrypted or not, will credit monitoring be the norm? More lawsuits (even if the data is encrypted)?
Do we run the risk of notification overload? What do people do with these notifications anyway?
FFIEC’s New Mobile Security Guidance: An Assessment
http://www.bankinfosecurity.com/ffiecs-new-mobile-security-guidance-assessment-a-9104
Interesting how they discuss some of the risks (SMS, mobile-enabled website) but also talk about ways to mitigate the risk.
Software “glitch” kills Formula 1 car mid-race
http://news.filehippo.com/2016/05/software-glitch-kills-formula-1-car-mid-race/
Does not take a rocket surgeon to figure out the real-world applications here.
Sure, this time it was a 'glitch', but could it just as well have been a security bug, exploited by an attacker?
Many vehicles are now ‘smart’: they phone home, make decisions and drive for you.
LinkedIn plays down 117 million user breach data sale
http://www.theregister.co.uk/2016/05/19/linkedin_breach/
From the 2012 breach... coming back to us.
Does this show how a breach can linger on? Alternate theory: attacker has been using credentials stolen, and now that they're not useful anymore he/she is dumping them to the public?
DtSR Episode 194 - Update on Cyberlaw w Shawn TumaMay 17, 2016 46:30
In this episode...
Michael and I welcome back Shawn Tuma, our resident Cyber Law Expert from the great state of Texas. We discuss some of the recent cases (unlocking an iPhone!) and some of the tough issues facing the court systems today. Shawn provides insights into the use of the finger (not joking) and some amusing and frustrating aspects of cyber law as the courts continue to evolve. Join us!
DtSR Episode 193 - NewsCast for May 10th, 2016May 11, 2016 57:28
In this episode..
ImageTragick - major flaw in open source image processing toolkit
ImageTragick is CVE-2016-3714
Logo & Website: https://imagetragick.com
Has a logo, so it must be yuge.
Is this really that big of a deal? How many are impacted potentially?
https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html
Remote code execution, with minor caveats - likely darn near everywhere.
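The two mitigations the ImageTragick advisory recommends, as an added Python example written for these notes (not the advisory's, ImageMagick's or Sucuri's code): verify the magic bytes of an upload before it ever reaches ImageMagick, and confirm that policy.xml denies the coders the advisory lists. ImageMagick chooses its decoder from the file content, not the extension, which is why a text file named .png can still be fed to the MVG coder. The extension allow-list, the PNG stub and the MVG text are constructed for the demo; EXAMPLE_POLICY_XML reproduces the advisory's coder list but is an assumption as a complete policy.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Allow-list of upload types -> accepted leading bytes (constructed for the demo).
MAGIC_BY_EXT = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """First line of defence: reject anything whose extension is not allow-listed
    or whose leading bytes do not match that extension. Done before ImageMagick
    sees the file, so its content sniffing never gets a chance to pick MVG/MSL/SVG."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sigs = MAGIC_BY_EXT.get(ext)
    if sigs is None:
        return False, f"extension {ext!r} is not allow-listed"
    if not any(data.startswith(sig) for sig in sigs):
        return False, f"content does not start with {ext} magic bytes"
    return True, ext


# Coders the advisory says to disable in policy.xml (second line of defence).
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}

EXAMPLE_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""


def denied_coders(policy_xml: str) -> set[str]:
    """Coders a policy.xml fully denies (domain=coder, rights=none)."""
    root = ET.fromstring(policy_xml)
    return {
        (p.get("pattern") or "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }


def policy_gaps(policy_xml: str) -> set[str]:
    """Risky coders the policy leaves enabled; an empty set means the advisory's list is covered."""
    return RISKY_CODERS - denied_coders(policy_xml)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16                                # constructed stub
    mvg = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"  # constructed MVG text
    print(validate_image_upload("cat.png", png))
    print(validate_image_upload("cat.png", mvg))   # MVG text renamed to .png is rejected
    print("policy gaps:", policy_gaps(EXAMPLE_POLICY_XML))
```

Run policy_gaps against the policy.xml actually deployed on each host that calls convert or identify; the magic-byte check alone does not help for services that accept SVG or other text-based formats on purpose, and the policy alone does not help for code paths that bypass it, so both are needed.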
Detroit company loses $495k to wire fraud
http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/
Source was a faked email requesting a wire transfer.
Why didn’t someone verify this?!
Will insurance pay out? Is the policy change too little, too late? How can other companies learn from this?
The Ransomware Epidemic (Optiv blog)
https://www.optiv.com/blog/ransomware-part-1-is-this-an-epidemic
Is there an epidemic at play here?
Why the switch to ransoming people’s data?
Is this a viable business model for cyber criminals?
Undetectable flaw in Qualcomm-powered Android phones is a huge deal
http://www.computing.co.uk/ctg/news/2457217/undetectable-qualcomm-code-vulnerability-lays-bare-android-users-text-messages-and-call-histori
Input sanitization flaw (again?!)
At risk: the 34% of users running Android 4.3 and earlier.
Text messages and call histories accessible in plain text.
An "undetectable" software flaw in Qualcomm Snapdragon-powered Android smartphones could lay bare users' text messages and call histories to hackers.
White Hat hacker sent to the clink for going too far
Found (accidentally?) a SQL injection flaw, then used a tool to pull data out.
Obviously went too far, right? Where was the 'responsible' or 'reasonable' notification to the victim?
This headline is deceptive, and misrepresents the story: http://www.infosecurity-magazine.com/news/white-hat-researcher-jailed
Hat-tip to Troy Hunt for a sane evaluation: http://windowsitpro.com/troy-hunts-security-sense/security-sense-when-security-researcher-arrested-there-s-usually-good-reas
DtSR Episode 192 - Healthcare and Critical Infrastructure SecurityMay 5, 2016 45:08
In this episode...
Join our guest Larry Whiteside, Michael and I as we record live from InfoSec World 2016 in sunny Orlando, Florida! We talk through the life of a CISO, and the challenges of being in the Healthcare and Critical Infrastructure spaces and the similarities and differences. Larry has had a very diverse and successful career leading some of the most challenging organizations, so we dig into some of the things he's faced, how he's addressed some of those bigger leadership-level challenges, and just the mess that healthcare and critical infrastructure are in right now.
Don't miss this episode!
GuestLarry Whiteside Jr. ( @LarryWhiteside ) - Larry is the VP of Healthcare and Critical Infrastructure at Optiv, and he's tasked with creating innovative solutions to some of the industry's most challenging problems. More info here: https://www.optiv.com/about-us/press-releases/optiv-security-increases-focus-on-holistic-cyber-security-solutions-for-healthcare-and-critical-infrastructure-industries
Note: I'm blessed with being able to work with Larry on a daily basis at Optiv. I highly encourage you to listen to this podcast and share with your friends and colleagues in the healthcare and critical infrastructure space.
DtSR Episode 191 - NewsCast for April 26th 2016Apr 26, 2016 35:37
In this episode...
Only about a third of companies know how many vendors access their systems
http://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html
Nearly every company is at risk for a third-party breach.
It's almost impossible to vet every third party.
Developing a strategy, being consistent, and scaling is key.
No firewall, second-hand $10 routers are to blame for Bangladesh bank heist
We talked about this initially in episode 185 (Link: DtSR Episode 185 - NewsCast for March 15th 2016).
It's almost unfathomable that this happened.
SWIFT attacked; now the suspected malware is identified.
Jim McKelvey's LaunchCode is helping unconventional tech talent
Internal mentorships could be the key.
Who out there is doing this? Talk back to us using hashtag #DtSR on Twitter.
The Simpsons' math secret is the key to better security ... ?
http://www.csoonline.com/article/3054566/leadership-management/the-simpsons-math-secret-is-the-key-to-better-security.html
DtSR Episode 190 - Interview with Lance JamesApr 20, 2016 44:43
In this episode, James, Michael and I are live from InfoSec World 2016 and we get the pleasure of interviewing Lance James fresh off the keynote stage. In this intimate, fast-paced and bold interview we talk through some of the challenges InfoSec is facing today, and where Lance believes we should be going.
If you haven't been to InfoSec World, we highly recommend going next year. The content team continues to provide a solid mix of technical, managerial and transitioning information security speakers. Make sure you have this one on your calendar for next year, and bring the family!
DtSR Episode 189 - NewsCast for April 12th 2016Apr 12, 2016 50:28
In this episode...
Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects
http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/
Plug-ins seem to be a universal weakness.
Many companies have this type of 3rd-party security issue.
The broader enterprise implications - how do you even find these sites?
WordPress pushes free HTTPS encryption for all hosted sites
http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites
What's the problem we're trying to solve?
2 separate issues, trust vs. authentication - know which you're solving.
Executives - "We're not responsible for cyber security"
http://www.cnbc.com/2016/04/01/many-executives-say-theyre-not-responsible-for-cybersecurity-survey.html
Raf: This is squarely the fault of security professionals failing to make the security discussion a part of the enterprise vernacular.
Michael & James: What does this mean, and what do we do now? If anything.
DtSR Episode 188 - Security Talent TruthsApr 5, 2016 48:36
Intro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos
DtSR Episode 187 - NewsCast for March 29th, 2016Mar 29, 2016 40:06
In this episode...
BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there
http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/
Is the bug really worth all this hype? Is this anything more than a PR stunt, and a big marketing opportunity?
Everyone has an opinion, but one thing is for certain: this bug is making big waves.
Your wireless mouse is probably a security risk... seriously.
http://www.thefiscaltimes.com/2016/03/23/Your-Wireless-Mouse-May-Be-Exposing-You-Cyber-Hackers
RF-based mice typically don't use encryption or mutual authentication, so a nearby attacker can inject keystrokes through the dongle.
Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think)
How far up, or down, your risk register is this one; and how much should it matter to the enterprise?
Your Node.js package manager could be an entry point for worms?
http://news.softpedia.com/news/node-js-package-manager-vulnerable-to-malicious-worm-packages-502216.shtml
Now that everything has functionality over our endpoints...
Dependencies seem to be (at least partially) to blame here (who's surprised?): npm lifecycle scripts run arbitrary code at install time, and any dependency in the tree can carry one.
Ransomware is getting nastier (and more effective)
Remember it's just a business model, so they actually are pretty good at unlocking, support, etc. once you pay up.
What happens when a hospital system gets locked/encrypted -- real lives are at stake here!
Enterprise advice? Back up, test the restore, and keep a copy offline so it can't be encrypted along with everything else.
This is only going to get worse. Much, much worse.
http://www.itsecurityplanet.com/experts-corner/hospital-hit-with-ransomware-contagion-declares-internal-emergency
http://www.healthitoutcomes.com/doc/backup-recovery-system-control-ransomware-attack-0001
http://www.healthcareitnews.com/news/ransomware-wreak-havoc-2016-icit-study-says
DtSR Episode 186 - Becoming a CISOMar 23, 2016 42:27
In this episode
I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a midwest retail company:
Let's talk a little bit about the background you had before walking into your first day as a CISO...
How long have you been in your role, and what do you think "so far"?
What do you think were the biggest lessons you've learned in your time as a new CISO?
What do you make of all the talk about CISO burn-out rates, and the average tenure of a CISO being less than 2 years?
What do you see as the role of the CISO in today's business climate?
How do you work with other IT leadership, and executive leadership, to make your mark and do your job?
From your experience, what do you think someone who is taking a new CISO role, or thinking about doing so, should know?
DtSR Episode 185 - NewsCast for March 15th 2016Mar 21, 2016 42:28
In this episode...
The FTC is getting into providing guidance on password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
Well OK, this isn't really guidance, it's just a blog.
But - does this mean that the FTC is getting into technical guidance?
Dwolla hit by CFPB and fined $100,000
http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf
http://blog.dwolla.com/we-are-never-done/
Who is the CFPB (Consumer Financial Protection Bureau)?
This opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive acts and practices relating to false representations regarding Respondent’s data-security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 (CFPA), 12 U.S.C. §§ 5531(a), 5536(a)(1)"
FTC To Study Credit Card Industry Data Security Auditing
https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing
The FTC is asking for specific information from a specific number of companies (9 of them in total).
Studying "how companies and their assessors interact" - is that code for something?
Interesting to see what the FTC will do with this.
Bangladesh bank hackers steal ~$100M
There is definitely more to this story.
Lots of finger-pointing, and failed or unknown processes around SWIFT messaging.
Was this account compromise? System compromise? An insider threat? All of the above?
http://www.bankinfosecurity.com/bangladesh-bank-hackers-steal-100-million-a-8958
DtSR Episode 184 - A CISO Post-RSA WrapUp (Mar 16, 2016, 42:02)
In this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies, who were both out at RSA Conference. They share some of their insights and lessons learned, and discuss some of the more interesting topics.
Join James and me for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't), this is one you're going to want to listen to at least once.
DtSR Episode 183 - NewsCast for March 1st 2016 (Mar 2, 2016, 40:46)
This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed.
300,000 homes affected by security alarm bug
http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3
According to a spokesperson, the alarm still alerts the user's smart device when the alarm is armed or disarmed.
The device is an alerting mechanism, not a lock. Technically, we'd consider this... wait for it... a 'detective' control.
The attack appears only to intercept the PIN when it is entered at the keypad. Does it affect users who arm/disarm via their phone?
82 percent of company boards are concerned about security
http://betanews.com/2016/02/29/82-percent-of-company-boards-are-concerned-about-cyber-security/
The article suggests that since CISOs don't report to the CEO/board, companies aren't serious. Ridiculous. This is myopic... Boards care. Executives care.
In security, are you perceived as a leader, or as a technical resource? This is an opportunity.
See something suspicious online? Homeland Security wants to know about it
http://m.nextgov.com/cybersecurity/2016/02/homeland-security-wants-see-something-say-something-campaign-internet/126008/
We think this is rather unintelligent. That said, it's a sign of the only part of an 'awareness' program that counts: people are comfortable reporting something that seems amiss.
What's amiss? That's what's missing. We pretend it works at airports and in big cities. Does it? What, exactly, are people reporting, and why? What's the experience?
Hospital pays $17,000 ransom after crooks hold data hostage
No matter what your take on this, this put real people's lives at risk.
http://sanfrancisco.cbslocal.com/2016/02/18/california-hospital-ransomware-attack-hackers/
Additional insights: http://www.csoonline.com/article/3037018/leadership-management/are-you-prepared-to-respond-to-ransomware-the-right-way.html
Do you have current backups to protect against this? Does this set a precedent for criminals?
DtSR Episode 182 - Apple Versus the FBI (Feb 24, 2016, 55:02)
In this episode...
Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs FBI debate.
Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case.
Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective.
We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share!
Don't forget, #DtSR on Twitter!
DtSR Episode 181 - NewsCast for Feb 16 2016 (Feb 16, 2016, 48:43)
In this episode
Class action lawsuit against SuperValu dismissed
No damage (no use of the stolen information), so there's no case?
As time passes, the risk that the stolen data will be used, according to the judge, decreases.
The precedent appears to be that in order to sue, you have to prove damage (imagine that?).
http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed
Neiman Marcus - breached again (with another lesson this time)
http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843
So is it official: not having MFA is weak authentication?
Is someone accessing accounts through the web interface with stolen passwords a "breach"?
Encryption would have done nothing to save any of this information, as it was accessed through the legitimate interface with valid credentials.
Did they have account lockout? (Lockout stops a brute-force run against one account; it does nothing against a leaked password list tried once per account across many accounts, which is what this kind of attack looks like.)
What's the rest of the story here?
Hacker steals and releases information on 30,000 FBI and DHS employees
The biggest weakness is always the human who wants to be helpful.
What does this mean for the enterprise, when government falls victim?
http://dailycaller.com/2016/02/10/having-trouble-hacking-government-agencies-just-call-their-help-desks/
Hacked toy company tries a different tactic
VTech gets hacked, then changes its TOS.
The new TOS amounts to "we'll be hacked, too bad so sad".
Is this realistic? Should this be the new standard?
http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks
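The Neiman Marcus item above asks about MFA and account lockout. Stolen-password attacks through a normal login page are shaped so that per-account lockout never fires: each account sees one or two attempts, and the "hits" look like ordinary successful logins. The signal is per source, not per account. The following is an added example written for these show notes, not code from the podcast or from Neiman Marcus; the log format, the thresholds and the sample lines are all constructed for illustration:

```python
# Added example (not from the podcast or any retailer): spotting a stolen-
# password run in web-login logs, and why per-account lockout alone misses it.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format; real logs will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source trying a leaked password list across many
# accounts (two hits), one source brute-forcing a single account, one user typo.
SAMPLE_LOG = """\
2016-02-10T12:00:01Z login user=alice src=203.0.113.7 result=fail
2016-02-10T12:00:02Z login user=bob src=203.0.113.7 result=ok
2016-02-10T12:00:03Z login user=carol src=203.0.113.7 result=fail
2016-02-10T12:00:04Z login user=dave src=203.0.113.7 result=fail
2016-02-10T12:00:05Z login user=erin src=203.0.113.7 result=ok
2016-02-10T12:00:06Z login user=frank src=203.0.113.7 result=fail
2016-02-10T12:01:00Z login user=grace src=198.51.100.9 result=fail
2016-02-10T12:01:01Z login user=grace src=198.51.100.9 result=fail
2016-02-10T12:01:02Z login user=grace src=198.51.100.9 result=fail
2016-02-10T12:01:03Z login user=grace src=198.51.100.9 result=fail
2016-02-10T12:01:04Z login user=grace src=198.51.100.9 result=fail
2016-02-10T12:01:05Z login user=grace src=198.51.100.9 result=ok
2016-02-10T12:02:00Z login user=heidi src=192.0.2.1 result=fail
2016-02-10T12:02:05Z login user=heidi src=192.0.2.1 result=ok
"""


@dataclass
class Verdict:
    stuffing_sources: dict = field(default_factory=dict)  # src -> (failures, distinct users)
    locked_accounts: set = field(default_factory=set)     # accounts locked by the per-account rule
    suspect_logins: set = field(default_factory=set)      # successful logins from a flagged source


def parse(lines):
    """Yield parsed events, skipping lines that don't match the format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(lines, lockout_after=5, min_failures=3, min_users=3):
    """Apply per-account lockout and per-source spread detection to a log."""
    fails = defaultdict(int)      # src -> failed attempts
    users = defaultdict(set)      # src -> distinct usernames tried
    ok_users = defaultdict(set)   # src -> usernames that logged in
    streak = defaultdict(int)     # user -> consecutive failures
    locked = set()

    for ev in parse(lines):
        user, src = ev["user"], ev["src"]
        users[src].add(user)
        # Per-account lockout: once locked, every attempt is rejected,
        # even one carrying the right password.
        if user in locked or ev["result"] == "fail":
            fails[src] += 1
            streak[user] += 1
            if streak[user] >= lockout_after:
                locked.add(user)
            continue
        streak[user] = 0
        ok_users[src].add(user)

    verdict = Verdict(locked_accounts=locked)
    for src in users:
        # Password-list signature: failures spread over many accounts from one
        # source. The successes from that source are the compromised accounts.
        if fails[src] >= min_failures and len(users[src]) >= min_users:
            verdict.stuffing_sources[src] = (fails[src], len(users[src]))
            verdict.suspect_logins |= ok_users[src]
    return verdict


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

On the sample, the single-account brute force against grace is stopped by lockout after five failures (her sixth, correct, attempt is rejected), while the source walking a password list across six accounts never trips lockout at all and is only caught by the per-source rule; its two "successful" logins are the accounts to force a reset on. Thresholds here are illustrative, and a real deployment keys the per-source counters on more than a bare IP (proxies and NAT pools).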
DtSR Episode 180 - From the CISO Perspective (Feb 9, 2016, 42:45)
In this episode...
Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now.
Robb, Andrew and Raf discuss the importance of identity in the corporate environment.
Robb and Andrew give some of their wisdom on the successes and failures of CISOs (and the broader security industry).
We discuss the technical vs executive CISO approach (which is better?).
Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them.
Guests
Robb Reck ( @RobbReck ) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver with a long history as a successful security executive and leader.
Andrew Labbo - Drew is the CISO at Denver Health and Hospital Authority and is the owner and principal of RMHG, which offers HIPAA consulting and HIPAA advisory services. Drew has over 15 years' experience with information security and technology and over 10 years' experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Security Rule regulations as well as HITECH and Omnibus regulatory updates. Drew's recommendations are guided by his education in health administration and his experience and leadership integrating privacy and security controls with health information technology infrastructure and applications, as well as treatment, payment, operations, and human subjects research workflows and processes.
DtSR Episode 179 - NewsCast for Feb 2nd 2016 (Feb 2, 2016, 53:24)
In this episode
Employees may face penalties if they misinterpret security policies?
Human behavior is still seen as the biggest weakness.
Employers are growing less tolerant of misbehaving employees.
If you "invite a data breach" you could be held liable.
http://www.welivesecurity.com/2016/01/14/employees-face-penalties-misinterpreting-security-policies/
New lawsuit filed blaming Twitter for ISIS attack
Should social media filter content from terror groups like ISIS?
Can social media companies be held liable? Why or why not?
http://blogs.wsj.com/digits/2016/01/14/lawsuit-blames-twitter-for-isis-terrorist-attack/
SCADA/ICS make incident response more complicated
Typical IR activities are complicated by the nature of ICS systems.
Differences are there, but a strategy is still possible. What is the path forward?
http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094
Only in NYC: Dept of Consumer Affairs warns parents of baby monitor hacks
These issues seem to come down to default passwords.
What can the general population do about this? How can we eliminate this behavior in consumer products?
http://www.nbcnews.com/tech/security/hack-alert-nyc-regulators-warn-parents-secure-their-baby-monitors-n505391
DtSR Episode 178 - What Will Get Us There (Jan 27, 2016, 56:19)
In this episode
What got us here - so where are we?
Where do we go, and how? (addressing stunt hacking)
We discuss how we can influence outcomes, without hand waving and endangering lives.
What about truly understanding risk, versus 'security stuff'?
Michael breaks out the "risk catnip".
Raf asks Haroon: "What are the 2-3 things security does right now that we should just quit?"
We discuss some of the breakers that are turning into builders, and the implications.
With the rate of bad vastly outpacing the rate of good, what's the solution?
Guest
Haroon Meer ( @haroonmeer ) - Haroon is an internationally acclaimed long-time industry insider and is working hard to change the "how we've always done it" dynamics. His talk "What got us here, won't get us there" is now world famous. He works over at Thinkst and does some pretty amazing things you should check out.
DtSR Episode 177 - NewsCast for January 19th, 2016 (Jan 19, 2016, 52:18)
In this episode
FTC imposes a $250,000 fine for "false advertising" of encryption
Interesting case, where there really was 'false advertising'.
Would this even have been a 'security issue'?
https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
NY wants to ban encrypted smart phone sales
Another clear case of legislators being clueless?
What about all the existing technology, and kit you can buy across state lines?
http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/
Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work
Are there ethical implications here of a competitor defining negligence?
The burden of proof is on the casino to prove "woefully inadequate" - but against what standard?
Does this ultimately raise quality, price or both for IR services?
http://thehackernews.com/2016/01/casino-hacker.html
The FDA issues draft security guidance
If everyone is doing it, why not the FDA?
As James points out, why does every industry need its own unique guidelines for exactly the same issues as everyone else?
Interesting mention of "full lifecycle" and disclosure of vulnerabilities.
Of course it's all non-enforceable.
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
OpenSSH bug found, fixed
The OpenSSH bug creates a "malicious server" scenario: the user has to successfully authenticate first, then the server can read memory out of the client process.
That memory can include the client's SSH private key.
Great pivot method: if you've compromised an SSH server, this bug lets you go after the users who connect to it.
The flaw is in the client's undocumented connection-roaming code; until clients are upgraded, turn it off with "UseRoaming no" in ssh_config.
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/
DtSR Episode 176 - 2015 InfoSec Legal Review (Jan 13, 2016, 01:16:50)
We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK a lot long) but I think you'll enjoy the show...
In this episode...
Most important cybersecurity-related legal developments of 2015
Tectonic shift that occurred with "standing" in consumer data breach claims. Discussion of the law prior to the Neiman Marcus case, and post Neiman Marcus. Does this now apply to all consumer data breach cases? Immediate impact? Companies now liable? The lesson is in seeing the trend and how incrementalism works.
Regulatory trends
FTC & SEC gave hints in 2014, post-emergence of Target details. Wyndham challenged authority - came to fruition in August 2015. SEC not far behind - significant case in September 2015. Aggressiveness of FTC is substantial - FTC v. LabMD... all over LimeWire.
Officer & director liability
2014 - SEC Commissioner fired the warning shot... pointed the finger. Shareholder derivative litigation. Individual liability of IT / Compliance / Privacy "officers".
Major 2016 legal trends
Regulatory enforcement... which, by the way, is why NIST is becoming the default. Shareholder derivative suits - much more likely than consumer class actions at this time.
Lessons from both of these: when you need to persuade the "money folks" that they need to act, mention D&O liability (especially Caremark) and the regulatory focus on individuals... now they're in the cross-hairs. Realization that cybersecurity is more of a legal issue than anything else (IT or business), because it is the legal requirements and consequences that ultimately drive everything.
DtSR Episode 175 - NewsCast for January 5th 2016 (Jan 5, 2016, 52:47)
In this episode...
Juniper has a backdoor problem
2 separate issues: an authentication bypass and a VPN weakness, both backdoors discovered in Juniper devices.
Lots of speculation on who put it there; the auth-bypass password was written to look like debug code.
Enterprise implications - same as before (what's the bigger picture?).
https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/
Iranians broke into New York dam in 2013 and "had a look around"
No direct damage done.
The US has the largest number of ICS connected to the Internet; critical infrastructure is vulnerable and being probed.
This is not a 'government problem' - every company has some ICS on its network.
http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/
Facebook announced it's dumping Adobe Flash
Is this a bigger deal than it sounds like? HTML5 has its own vulnerabilities and issues though... right?
*Only* for videos; games are still in Flash.
Facebook will work with Adobe (really?) to improve the security of Flash.
http://www.scmagazine.com/facebook-ditches-flash-videos-to-boost-security/article/461040/
191 million US voter records found 'unprotected' by a researcher
A guy from Texas found the data in an unprotected database. "Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is required to query all 300-plus gigabytes stored within." ← What the hell?
Legality and ethics... again... but that aside, is this REALLY an issue?
Same person who discovered the Hello Kitty leak... interesting.
http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html
http://www.theregister.co.uk/2015/12/28/security_researcher_spots_191_millionrecord_us_voter_database_online/
PayPal rolls out the welcome mat for hackers
Even if you have an OTP key fob, attackers can get into your account.
Apparently the fallback relies on static identifier information that cannot be changed.
This should probably trouble you.
http://boingboing.net/2016/01/03/paypal-rolls-out-the-welcome-m.html
PCI Council extends encryption deadline
Good thing, bad thing, or something else?
http://www.bankinfosecurity.com/interviews/pci-council-extends-encryption-deadline-i-3019
DtSR Episode 174 - Health Check on Healthcare InfoSec (Dec 28, 2015, 36:09)
In this episode...
We discuss what in the world is going on in the healthcare space, and why they're such a target for attackers.
Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying.
We discuss future-proofing "smart" healthcare.
I stumble on "the fundamentals".
Dustin discusses the security of "data analytics" in the healthcare space.
I ask how we can make health care professionals better security people, without making them security people.
I ask Dustin what the healthcare industry should be doing, going forward into 2016.
Guest
"Dustin" is a progressive CISO at a Fortune 250 healthcare organization.
DtSR Episode 173 - NewsCast for December 14th 2015 (Dec 14, 2015, 52:39)
In this episode...
Vizio is getting sued, over data their TVs collect?
James provided security tips on the local news station, and one of those tips was around the privacy details of your gadgets. Companies need to be considering what they are doing with their data. At what point does data go from an asset to a liability? Do companies understand the difference?
http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing
Wyndham settles with (caves to) the FTC
Agrees to be legally bound to do things they should already be doing... ? 20 years of audits. An interesting ending to the long saga, assuming the courts approve.
https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
The US Federal Bureau of Investigation (FBI) admits to using 0day vulnerabilities
Why is anyone surprised? It goes to a question of trust, and that's it. Are these being found anyway through programs like bug bounties?
http://searchsecurity.techtarget.com/news/4500260464/FBI-admits-to-using-zero-day-exploits-not-disclosing-them
Google introduces DLP into Google Apps
So far it's just for their Unlimited customers. Are we reaching a tipping point where security becomes a feature and not a stand-alone discipline? Definitely a game-changer: basic patterns and detection built in, free.
http://techcrunch.com/2015/12/09/new-google-apps-feature-helps-businesses-keep-sensitive-information-out-of-emails/
Black boxes on ships can be hacked
Could be worse; someone could be claiming to make the boat float sideways? Is this a big deal? Probably. Is it a bigger deal than other things wrong? Who is exploiting this, and how do the good guys fix the problem?
http://arstechnica.com/information-technology/2015/12/hacked-at-sea-researchers-find-ships-data-recorders-vulnerable-to-attack/
DtSR Episode 172 - The Truth on Cyber Insurance (Dec 8, 2015, 45:20)
Thanks for joining us! This is a very important episode with true experts on the topic of cyber insurance. I was lucky enough to get an attorney and a VP of an insurance firm who specialize in the topic and their depth of knowledge and candor may shock you.
The net is that cyber insurance is a positive for our industry.
In this episode...
Eran says that if you don't do good security, the courts will frown upon that.
Keith tells us why insurance covers security, but does not cover negligence.
We come back to the discussion on the importance of knowing your critical assets.
Keith discusses why the insurance market is essentially a mirror of your program.
Eran talks about how his team dissects and investigates breaches to improve understanding.
Keith and Eran discuss how the process of buying cyber insurance can actually lead to improved security.
Guests
Eran Kahana ( https://www.linkedin.com/in/erankahana ) - Attorney, Maslon, LLP, with extensive data security experience and an expert in the cyber insurance marketplace.
L. Keith Burkhardt ( https://www.linkedin.com/in/keith-burkhardt-587b3772 ) - VP, Kraus-Anderson Insurance, where he works towards innovative products and services for the industry and has been addressing the cyber insurance market for about two years.
DtSR Episode 171 - When the FTC Attacks (Nov 30, 2015, 55:55)
In this episode
I interview Mike Daugherty - author of The Devil Inside the Beltway [Amazon.com link] - live from the Security Advisor Alliance first-ever Summit in Dallas, TX. Mike was kind enough to sit down with me (twice, thanks to a tech failure) and tell his absolutely surreal story of what happened to him and his company, at the hands of what can only be described as an insane situation.
If you own a business, or manage a business, or work in enterprise -- you need to hear Mike's story. If it wasn't documented and video recorded, you'd never believe it's true.
Truth be told, I've been a supporter of the FTC as an advocate for the victims of breaches - the person whose information is stolen. After hearing Mike's story... I have had my mind completely changed.
DtSR Episode 170 - Minneapolis CISO Summit Roundtable 1 (Nov 23, 2015, 43:47)
In this episode
We start a constructive discussion addressing the problem of the 'talent shortage'.
The panel discusses the general lack of understanding of the big-picture challenge from both sides: business and security.
The panel discusses basic security issues in an expanding ecosystem of Internet-connected things.
The panel discusses some real potential solutions to our talent issue.
Guests
Bryce Austin ( @BryceA )
Holly Miller ( @OPSEC_Girl )
Jeff Man ( @MrJeffMan )
Mike Kearn ( @MichaelKearn )
DtSR Episode 169 - NewsCast for November 16th 2015 (Nov 16, 2015, 41:16)
In this episode...
Is this seriously the FBI suggestion to companies hit with ransomware?
http://thehackernews.com/2015/10/fbi-ransomware-malware.html
Sets an awful precedent... or does it? What other options are there? Would you take this advice?
Microsoft is opening a data center in the UK... why?
http://thehill.com/policy/cybersecurity/259656-microsoft-opens-uk-only-data-center-following-eu-ruling
Have the US spying revelations finally hit home? What about EU Safe Harbor? What do you think, if you're a multi-national Internet company?
Is healthcare really that far behind enterprise security?
http://www.cnbc.com/2015/11/11/us-health-care-way-behind-on-data-security-says-forrester.html
Forrester calling out the healthcare sector for being far behind on security. Is there more pressure, less attention, or more legacy? (or all?) How do you fix this situation?
Disheartening (but predictable) state of human weakness
http://www.scmagazineuk.com/many-uk-workers-willing-to-sell-their-companys-ip-study/article/452428/
Are your employees willing to sell your company's intellectual property? What can you do about it?
YikYak not so anonymous, can reveal user data to cops
http://bigstory.ap.org/article/8535dd899f554fb3b5dd1c9498d610b5/yik-yak-social-media-service-can-reveal-user-data-police
Is there any anonymous social media, really?
DtSR Episode 168 - Practical Enterprise Threat Intelligence (Nov 9, 2015, 49:13)
In this episode
Rob & Liam discuss the practical applications of threat intelligence for today's enterprise.
We discuss what enterprise threat intelligence really is (and also what it isn't).
We discuss the place of feeds, tools, processes and people in the mechanics of the program.
We discuss the need to conduct a program-based intelligence approach for the enterprise.
Guests
Liam Randall ( @hectaman ) - With a career spanning 20 years, Liam Randall has worked at every level of the information systems pipeline: from building and operating large networks, developing and maintaining large 100M+ e-commerce solutions, to designing and implementing global network security monitoring sensor grids. A frequent speaker and trainer at security conferences, Liam has trained over 1000 students on advanced incident response with a focus on leveraging the open source Bro Platform. https://www.linkedin.com/in/hectaman
Robert M. Lee ( @RobertMLee ) - Robert M. Lee is the founder and CEO at Dragos Security LLC, where he helped design and build CyberLens, a cyber situational awareness software tool for critical infrastructure networks. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was named one of Passcode's Influencers and awarded EnergySec's 2015 Cyber Security Professional of the Year. https://www.linkedin.com/in/robert-m-lee-b2096532
DtSR Episode 167 - NewsCast for Nov 2nd 2015 (Nov 2, 2015, 42:04)
In this episode...
Turn any old car into a "smart car" for $200 with this new miracle device
"BACKED BY FROGVENTURES, VOYOMOTIVE IS TACKLING THE BURGEONING CONNECTED-CAR SPACE"
Could be a fantastic idea. Could be an awful idea. Has anyone considered the security ramifications? What about privacy?
http://www.fastcodesign.com/3052012/this-device-will-turn-your-clunker-into-a-smart-car-for-200?utm_source#4
OMB preps cyber sprint follow-up
Michael's take on "gap focus": http://www.csoonline.com/article/2992553/security-leadership/stop-focusing-on-gaps-to-gain-influence-as-a-security-leader.html
Hoping for 75% of authentication to be two-factor - not exactly great. Lots of challenges here, but is this the right thing to do?
TalkTalk breached, 3 teenagers arrested, CEO goes tone deaf
The CEO says they "were not legally required to encrypt client information". Teenagers arrested in the breach. The poster child for having a breach preparedness plan before the cameras start rolling and the media starts calling.
https://hacked.com/british-police-arrest-15-year-old-telecom-hack-ransom-demanded-bitcoin/
http://www.theregister.co.uk/2015/02/27/talktalk_admits_massive_data_breach/
Lots of talk on security - but is anyone talking to each other?
http://www.eenews.net/stories/1060026736
http://cjonline.com/news/2015-10-25/bbb-small-business-cybersecurity-hackers-are-not-just-trick-or-treaters
DtSR Episode 166 - Cyber Security From Board Room to White House (Oct 26, 2015, 24:10)
In this episode...
Raf sits down with Howard Schmidt to talk about cyber security from the public to the private sector and everything in between.
Howard & Raf talk through the challenges of cyber security in the board room.
Howard gives us some of the challenges that government faces, from his experience.
Don't miss this episode!
Guest
Howard A. Schmidt ( @HowardAS ) - Former Supervisory Special Agent, Director of Computer Crime and Information Warfare, AF OSI; former CSO, Microsoft Corp.; former Chairman of the White House Critical Infrastructure Protection Board; VP and CISO, eBay Inc.; Special Agent, US Army CID (Reserves); Law Enforcement Officer, Chandler Police Department, AZ.
DtSR Episode 165 - NewsCast for October 19th, 2015 (Oct 19, 2015, 36:25)
In this episode...
Standard & Poor's adding cybersecurity to ratings
The headline: in a report issued this week, the rating agency says it could issue a downgrade before a cyberattack if a bank looked ill-prepared, or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages.
Behind the curve? Stop. Michael wrote about it this week - stop calling it gaps...
16 questions... a good start? How long has it typically taken to detect a cyberattack? What containment procedures are in place if the bank is breached? How many times was the business the target of a high-level attack during the past year, and how far did it reach into the system? What's the internal phishing success rate? What kind of expertise about cyberattacks exists on the board of directors? How much does the bank spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?
Including security in the ratings - and we're crying? The claim is that this leads to more insurance... how about that.
http://www.bankinfosecurity.com/sps-cybersecurity-warning-late-to-game-a-8556
Crisis services top insurers' cyber claims payouts; average claim at $674K
This is interesting, and it's a good data point, too, in contrast to the "costs" we hear about in briefings all the time. Saw other stories that suggested the insurance is going to get jacked... of course it is. More insurance, more insight, more claims, more data... this is all good.
http://www.insurancejournal.com/news/national/2015/10/05/383785.htm
New California law requires warrants for online data
Same warrant requirements as for files in your filing cabinet. Doesn't change federal law, under which a warrant may still not be required. Worth remembering: feds can compel your biometric, but not your password. Do you encrypt? Policies? Practices?
http://www.cnet.com/uk/news/new-california-law-requires-police-to-get-warrants-for-online-data/
Obama administration opts not to force firms to decrypt data (for now)
For now... an opportunity for involvement, and a great chance to connect with your legal and other groups: what is the best way for your organization to handle it?
https://www.washingtonpost.com/world/national-security/obama-administration-opts-not-to-force-firms-to-decrypt-data--for-now/2015/10/08/1d6a6012-6dca-11e5-aa5b-f78a98956699_story.html
Apple removes several apps from the store; they could be spying on you
Key issue: root certificates installed.
http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-spy-on-encrypted-traffic/
DtSR Episode 164 - 3rd Party and Supply Chain Risks (Oct 12, 2015, 31:04)
In this episode...
Raf asks why we are talking about global supply chain and 3rd party risk again.
Josh discusses the little things we are not thinking about today that we should be.
Josh discusses what happens as companies move critical data to the cloud.
We discuss regional IT in a global data world.
Raf opens up the "tiny company 3rd party" can of worms.
We discuss the cyber crime survey and CISO board reporting results; link:
What about supply-chain issues with electronic components, software?
Guest:
Josh Douglas - CTO for Raytheon Cyber Products - has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets. During his past 9 years at Raytheon, he has overseen Raytheon's Cyber Security Intelligence Operations, Malware Concepts, Security Infrastructure Operations and Research Technologies tasked to produce effective forward-looking cyber software solutions to contain and control advanced threats. These solutions are used to help commercial and government entities protect their enterprises and the global cyber supply chain from ever-changing advanced persistent threats and malware.
Prior to joining Raytheon, Joshua had a successful track record in network security operations and engineering management positions, securing enterprise environments while promoting contextual response. Prior employers include Enterasys Networks, Kronos, Genuity, MIT Lincoln Laboratory and other prominent enterprises. Joshua earned a Bachelor of Science degree in Computer Science from Appalachian State University and currently holds a number of technical computer and network security certifications. LinkedIn: https://www.linkedin.com/in/jdouglas
DtSR Episode 163 - NewsCast for October 5th, 2015 (Oct 5, 2015, 50:23)
In this episode...
Patreon got hacked, but it's OK
This is a lesson in how to do security in a reasonable manner. Great response, good security.
https://www.patreon.com/posts/important-notice-3457485
The double-edged blade of the DMCA could have helped VW cheat emissions
Reverse engineering is illegal. The definitions of 'researcher' and further 'independent researcher' are interestingly defined - lots of room for discussion.
http://www.itworld.com/article/2986856/enterprise-software/how-the-dmca-may-have-let-carmakers-cheat-clean-air-standards.html
CFOs are getting involved in security whether they want to or not
Good to-do checklist for CFOs.
http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-security/
Lawsuits preventing disclosure of vulnerabilities in the news
We're "chilling security research" again. Good points made, on top of bad points and half-truths. Stems from the FireEye vs ERNW fight.
Verizon reports on the state of network transformation
Security is still an issue, and the top priority. Human talent is still a problem. Lots of leadership opportunities here.
http://www.enterprisenetworkingplanet.com/netsysm/verizon-reports-on-the-state-of-digital-network-transformation.html
DtSR Episode 162 - OSINT and Privacy in a Digital World (Sep 28, 2015, 33:05)
In this episode...
Kirby tells us what OSINT is.
We discuss how much we are giving away on digital channels.
We discuss whether there is such a thing as anonymity anymore.
Location sharing in apps: the bad, the ugly, the scary.
Kirby and Michael discuss "checking up on your executives".
Raf talks about "logo pages" - why do these still exist?!
Kirby gives us some thoughts on OPSEC.
Kirby leaves us with a dose of reality about privacy in today's world.
Guest
Kirby Plessas ( @kirbstr ) - Kirby is the CEO of Plessas Experts Network, Inc. She did some things before this too, but we can't tell you about them or we'd have to black-bag you and send you to Gitmo. You can get her LinkedIn bio here: https://www.linkedin.com/in/kirbyp.
DtSR Episode 161 - NewsCast for Sept 21st, 2015 (Sep 21, 2015, 43:36)
On this episode of the NewsCast
Intel forms new Automotive Security Research Board (ASRB) to focus on security of their automotive platform
http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/13/intel-commits-to-mitigating-automotive-cybersecurity-risks
Good security as a competitive advantage? An interesting development in the effort to secure cars as a technology platform.
Appeals court forces the issue of 'fair use' in DMCA case
http://www.engadget.com/2015/09/14/appeals-court-copyright-holders-must-consider-fair-use-before/
Interesting development in the case against Universal Music Group's malicious prosecution and nonsense take-down orders.
Bitpay sues their insurance company after giving away $1.8M
http://www.coindesk.com/bitpay-sues-insurer-after-losing-1-8-million-in-phishing-attack/
Interesting argument in court: indirect loss. A company exec got phished for credentials, then execs fell for a "transfer a large quantity of money" scam. Follow this case!
China making demands of US tech companies
http://www.engadget.com/2015/09/17/china-us-tech-companies-security-policies/
This has happened before... US companies found ways around this once. Essentially it appears as though China is asking for 'backdoors' and secret access to source code, etc. in order to do business in China. Talk about anti-competitive!
The Kardashian train wreck exposes fans' information due to web flaw
http://techcrunch.com/2015/09/16/kardashian-website-security-issue-exposes-names-emails-of-over-half-a-million-subscribers-payment-info-safe/#.gofm76:EZbS
Some 'developer' wanted to see how the site worked, poked around, found an interesting flaw and reported it to the owners. ~500,000 subscribers' info exposed.
DtSR Episode 160 - Leadership from a Navy SEAL (Sep 14, 2015, 36:09)
In this episode...Brandon, Michael and I discuss the challenges of leadership and how leadership is more than just telling people what to do. Brandon gives us some of his back-stories and anecdotes to illustrate his points on leadership along the way. I promise you'll love this episode, and I highly encourage you to go donate what you're able to, to Red Circle Foundation (http://redcirclefoundation.org).
Guest
Brandon Webb ( @BrandonTWebb ) - Brandon is a former Navy SEAL, bestselling author and CEO of Force12 Media. He founded Red Circle Foundation as a way to give back to the families of the Special Ops community in a meaningful way.
Links
Red Circle Foundation - http://redcirclefoundation.org/
SOFREP - http://sofrep.com
Brandon's website - http://brandontylerwebb.com/
DtSR Episode 159 - NewsCast for Sept 7th 2015 (Sep 7, 2015, 44:13)
In this episode...
Court strikes down Wyndham's challenge to FTC power
  We have covered this before
  Wyndham argued due process and lack of case law - asked for dismissal
  Court said no dismissal, FTC has standing
  FTC is arguing that Wyndham made promises it did not keep
  Should be interesting to watch this go to court (or likely not)
  http://www.csoonline.com/article/2975915/data-breach/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html
Ashley Madison hauled into court by class-action suit
  Lots of thorny issues here, must separate out moral from legal
  Shines light on the continued bias for breach prevention
  Interesting Streisand effect here
  http://www.csoonline.com/article/2975755/data-breach/ashley-madison-hauled-to-court-in-class-action-suits-over-data-breach.html
Verizon launches Hum OBD port vehicle monitor and communication tool
  In light of the stunt-hacking against Chrysler/Jeep is Verizon tone deaf? ..or are they simply that confident in their security?
  There is no mention, by the way, of security of the device on the web site
  http://www.macnn.com/articles/15/08/26/service.not.reliant.on.verizons.network.uses.any.ios.or.android.phone.130118/
The move to EMV cards (chip & sign) in America is changing how fraud happens
  EMV cards cost a fortune to implement
  Solving a problem the finance industry did not have
  http://www.bankinfosecurity.com/interviews/emv-shift-preparing-for-fraud-migration-i-2850#
DtSR MicroCast 08 - Conference Engagement (Sep 2, 2015, 08:44)
In this MicroCast, live from HTCIA Conference 2015 in Orlando, FL, Michael and I quickly set the stage for a conversation on conference speaker/attendee engagement.
[Raf] One of my biggest pet peeves as a speaker is getting a room full of people who watch (and listen to) me speak, wait for me to finish, and leave when I'm done.
[Michael] As an attendee, you need to know what you "do" and what you're looking for from the conference.
--> Here's the link to the article Michael mentions: http://paulsohn.org/how-to-connect-with-anyone-you-just-met-with-5-questions/
We welcome the discussion on this topic, #DtSR on Twitter!
DtSR Episode 158 - Managing Security with Outsourced IT (Aug 31, 2015, 45:18)
In this episode...
We discuss what life is like as the CISO when you have all the responsibility for, but no administrative access to (or hands on keyboard), your environment
Brandon tells his story about how his IT organization went from in-house, to out-house, and how they got where they are
Brandon tells us the process and strategy he uses to get a handle on his security
We discuss why visibility is one of the most important things to outsourced IT (and security)
Brandon tells a story of an incident where things went very sideways
We discuss the balance between outsourcer scalability and customer deviations
Brandon tells us why sometimes it takes 3 months to scan your environment for a vulnerability ( your head will explode )
...and so much more
Guest
Brandon Dunlap ( @bsdunlap ) - Brandon is the global Chief Information Security Officer for an employee-owned, global leader in building critical infrastructure in energy, water, telecommunications and government services, currently operating in more than 100 countries through consulting, engineering, construction, operations and program management.
DtSR Episode 157 - NewsCast for Aug 24th, 2015 (Aug 24, 2015, 49:20)
In this episode...
Just when you thought America's neutered "chip & sign" was a safe
  http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
  Admittedly we put these stories in here just to get Michael all fired up
Ashley Madison's data and source code and CEO's email spool now released and public
  http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
  http://www.csoonline.com/article/2973575/business-continuity/ashley-madison-self-assessments-highlight-security-fears-and-failures.html
  So much to talk about that's just wrong with this story...
Uber is hiring people for security
  http://www.ibtimes.com/uber-boost-security-staff-after-data-privacy-concerns-2055903
  Does more headcount equal better security?
  Where will these people come from given the shortage of talent?
That gadget you attached to your OBD2 port on your car to "save on car insurance" may be used to kill you
  Seriously
  The dangers of all these wireless & connected devices is scary
  Risk assessment anyone?
  http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
  Someone get Flo on the phone...
Windows 2003, which is now expired, still has 609,000 public servers on the Internet
  Translates into roughly 175M websites (Netcraft)
  Why are these out there? Is there really a risk or is this hype?
  http://www.zdnet.com/article/windows-server-2003-servers-insecure-unpatched/
ATC systems go down as they were ... being updated!
  Common problem of ancient systems going down due to upgrade
  ATC has ZERO patch window ..also close to ZERO ability to test patches/updates in "lab" environment
  Complex, ancient systems fail when they're upgraded, sometimes catastrophically
  http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage
DtSR Episode 156 - Leadership Defined, Measured and Discussed (Aug 17, 2015, 43:15)
In this episode...
We discuss the ever-growing need for strong leadership in security
I ask whether experience and longevity in a position naturally brings leadership qualities
We talk through how leadership interplays with other competencies
Michael asks whether the security leader has a place at the executive table (the "big kids table")
Michael asks if the MBA has value in security leadership
We discuss the model my team uses for leadership and how we build them
Michael and Heath discuss various competency models for leadership
We discuss measuring, KPIs and relative distance
We discuss how leaders can make better decisions
Heath leaves us with an Alex Hutton quote
DtSR Episode 155 - NewsCast for Aug 10th, 2015 (Aug 10, 2015, 45:45)
In this episode...
The Belgian government's internal phishing test has "gone off the rails" a bit
  Used a legitimate entity to test against
  Panic and hilarity ensued, but mostly panic
  http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html
British ICO makes a 180,000 pound fine
  Disconnect between policy and reality
  Was anything lost?
  2 big failures lead to a fine
  https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/ico-fines-nationwide-money-lender-the-money-shop-180-000/
McAfee and Black Hat attendee surveys wildly different
  Answers you get depend on who and how you ask
  Interesting answer though...
  Lesson: The more experience you have, the less confidence?
  http://www.slate.com/blogs/future_tense/2015/07/21/two_surveys_of_cybersecurity_professionals_show_starkly_different_attitudes.html
DtSR Episode 154 - Enterprise Software Security Reloaded (Aug 3, 2015, 49:59)
In this episode...
Raf asks - Why haven't we solved the same old software security bugs?
James asks how a security team gets out of the way and still gets better security
We discuss threat modeling, and channel a bit of John Steven
Jeff talks about the OWASP ESAPI and standard security libraries and controls
Jeff talks about "libraries with known vulnerabilities" and the role of open source components
Raf brings up the ugly side of enterprise outsourcing - code development by committee
We discuss static, dynamic and run-time security tools
Raf asks Jeff what the RIGHT approach to creating a software program looks like
Guest
Jeff Williams ( @PlanetLevel ) - Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
DtSR Episode 153 - NewsCast for July 27th, 2015 (Jul 27, 2015, 49:54)
DtSR Episode 152 - The Great InfoSec Talent Shortage (Jul 20, 2015, 41:20)
In this episode...
Talent shortage - is it real, and how bad is it?
We discuss: what does negative unemployment actually mean?
Michael asks: security is still relatively new, how do we determine what "qualified" means?
What skills are necessary to be a good security professional?
Hiring - we discuss how we get better at screening potentially qualified employees
We discuss how we can vet out real experience, versus resume skills
Mark and Michael discuss specialization, automation, and optimizing our workforce
Mark shares his thoughts on growing and retaining top talent
Guest
Mark Orlando ( @MarkAOrlando ) - As the Director of Cyber Operations, Mark is responsible for Foreground's Federal practice as well as the Virtual Security Operations Center (V-SOC) managed service. He leads a national team of analysts, engineers, incident responders, and managers who secure some of the most high profile networks in the Federal, financial, commercial, and power and utilities industries. As the senior operations subject matter expert, he is also responsible for security services strategy and advises on strategic Foreground initiatives such as threat intelligence analysis and custom analytics development. Mark is also a key advisor to the company's award-winning educational unit, Foreground University. Prior to joining Foreground Security, Mark advanced through the technical ranks as a Security Analyst and Technical Lead in a variety of operations environments. In his 13+ years of experience, he has built and led security operations teams at the White House, the Department of Energy, the Pentagon, and numerous commercial organizations. He has also managed the operations division of a major Managed Security Service Provider supporting hundreds of private and public sector clients. Mark enjoys teaching and learning from others. He has presented on security operations and assessment at the Institute for Applied Network Security Forum and RSA Conference. Mark has earned the CISSP, PMP, CEH, ITIL, and multiple SANS GIAC certifications and holds a B.S. in Advanced Information Technology from George Mason University. Mark served in the US Marine Corps where he was a Marine Artillery NCO.
Foreground Security (http://foregroundsecurity.com/)
DtSR FeatureCast - HTCIA International Conference 2015 Preview (Jul 15, 2015, 22:27)
In this episode...
Peter Morin joins us to talk through the upcoming HTCIA International 2015 Conference in sunny Orlando, Florida.
We talk through a preview of talks, events, and some interesting reasons you should be going to HTCIA Int'l
Check out the incredible lineup of keynotes, speakers and talks - http://www.htciaconference.org/
Come see the #DtSR crew live and in person as we record and broadcast from the conference
DtSR Episode 151 - NewsCast for July 13th, 2015 (Jul 13, 2015, 46:13)
In this episode...
Appears as though Windows 10 WiFi Sense could have some issues with WiFi -- more on this as it develops
  Why is the default opt-in, and why in the world do I have to change my SSID to opt out?!
  Is it really a good idea to use an SSID to describe security constraints on your network? (Hint: NO)
  http://www.computing.co.uk/ctg/news/2415787/windows-10-wi-fi-sense-security-warning-over-automatically-shared-passwords
"Washington Post will encrypt the news"
  Ridiculous click-bait headline
  Is this a good idea? Should everything be HTTPS? What about ads, are we defeating ourselves?
  https://hacked.com/washington-post-encrypt-news/
OPM hackers stole 21.5 million people worth of records
  That's all government employees, past, present, and under-cover (possibly)
  1.1 million biometrics (fingerprints) -- quick! go reset your fingerprints... oh wait
  Bad --> worse --> catastrophic --> now what?
  http://www.computerworld.com/article/2946031/cybercrime-hacking/opm-hackers-stole-data-on-215m-people-including-11m-fingerprints.html
Katherine Archuleta, Director of OPM, resigns
  Shock. Awe. Not. Did everyone else see this one coming?
  Does this change anything? Does her departure make anything better or is she the sacrificial lamb, the way Washington operates?
  http://www.nytimes.com/2015/07/11/us/katherine-archuleta-director-of-office-of-personnel-management-resigns.html
DtSR Episode 150 - A CEO's Perspective (Jul 6, 2015, 50:13)
In this episode...
We take a little peek inside the mind of a CEO, from the security perspective
We discuss the state of information security in the last decade
Dan shares his wisdom on how the role of a security professional and security leadership has changed over the course of his career
We discuss the talent shortage - and get an in-depth look at solving some of this problem
Dan shares with us his views on balancing people, processes and technology resources to achieve meaningful security
We talk strategy, and Dan and the guys talk through why it's so vital
We get Dan's "closing remark" (something you won't want to miss)
Guest
Dan Burns, CEO Optiv, Inc. - Dan Burns brings more than 23 years of business, technology and security industry experience to his role as chief executive officer. In this role he is responsible for the development and implementation of high-level strategies and direction of the company's growth. Being able to provide clear insight into navigating the complex information security landscape is a priority for Burns. His philosophy is to focus on building long-term relationships with clients, working with them to simplify their lives and becoming a trusted information security partner rather than a reseller or outside consultant.
From 2002 when he co-founded Accuvant, until 2012 when he assumed his position as the company’s first CEO, Burns served as senior vice president of Accuvant’s sales organization. In that role, he was responsible for strategic planning, sales growth and problem resolution. Burns co-developed and helped to successfully execute on Accuvant’s initial vision – to build a company with the breadth, depth and capabilities to address the information security needs of organizations worldwide. He launched the sales force and grew it to a national powerhouse organization within a 10-year period, conducting business with nearly half of the Fortune 500, and driving $740M in revenue in 2014.
Prior to his achievements with Accuvant, Burns was the regional vice president of sales for the western region of OneSecure. He played an integral role in transitioning the organization from a managed security services (MSS) provider to a product company, delivering to the marketplace the first intrusion prevention system (IPS) and generating $40M in product sales in the first year.
Previously, as the western region vice president for Exault, an integrator, consulting organization and reseller, Burns secured some of the largest enterprise clients in the Rocky Mountain region and helped grow revenues to nearly $150M in two years. He also held positions at Access Graphics, Arrowpoint, and Netrex where he supported some of the largest telecommunication companies in building their information security programs, implementing technology and taking advantage of Netrex’s world-class MSS.
Burns earned a bachelor's degree in economics from San Jose State University.
DtSR Episode 149 - NewsCast for June 29th 2015 (Jun 29, 2015, 50:50)
In this episode...
With me gone, James and Michael run feral!
It's June, so here are the top 3 security priorities for CISOs for 2015 (yes, in June)
  http://www.information-age.com/technology/security/123459699/top-3-security-priorities-cios-2015
  Boils down to: patch faster, improve credentials, code better
  Is this the right list? It mentioned side-stepping cloud and mobility. What if migrating to the cloud offers the opportunity to not worry about patching or code, and improve your credentials?
  Someone pointed out to me that this matches the OPM hack; perhaps this is just content driven from that? Does that make it more or less valid? Let us know... #DTSR
Cybersecurity tops advisors' compliance worries: poll
  http://www.thinkadvisor.com/2015/06/24/cybersecurity-tops-advisors-compliance-worries-pol
  More people concerned. This directly undercuts the notion that people don't care. They do care. They care about their money. The advisors entrusted with their money care. People care.
  The question for us: what are we doing? How are we helping?
Why it's worth divorcing information security from IT
  http://www.forbes.com/sites/frontline/2015/06/22/why-its-worth-divorcing-information-security-from-it/
  No. No it's not. We don't need more silos, we need less.
  This feels a bit like "we're not getting what we want... so the answer is reorg."
Keeping your kids safe (online) this summer -- with our very own TV star, James!
  http://www.news4jax.com/news/summer-online-safety-for-kids/33747246
  James, tell us about the experience - and how you don't have nearly the control you think you'll have
  What did you do to prep? What was your one big take away? Now that you did the interview, any new thoughts?
  Folks... what do you do? #DTSR - congratulate James on a great interview, then share your ideas (and yes, this is an enterprise play -- you can AND SHOULD share this with your employees)
DtSR Episode 148 - Focus on the CISO (Jun 22, 2015, 32:20)
In this episode...
What is the Security Advisor Alliance?
We discuss some of the issues facing CISOs today
Clayton gives us his perspective on how to solve some of those issues
Clayton tells us about the mission of the SAA
If you're a CISO, are you signed up for the SAA Summit? Shoot Clayton an email
Guest
Clayton Pummill ( @cp48isme ) - https://www.linkedin.com/pub/clayton-pummill/10/32a/44a - Clayton is the executive director of the Security Advisor Alliance. He also has a storied background so I encourage you to give it a check!
DtSR Episode 147 - NewsCast for June 15th, 2015 (Jun 15, 2015, 56:04)
In this episode...
Facebook has released PGP-encryption-enabled email communications
  The anti-privacy platform will now encrypt emails to you if you give them your PGP public key
  Does no one see the insane irony here?
  http://www.theregister.co.uk/2015/06/01/facebook_pgp_support/
White House issues mandate for HTTPS (by default) for all federal websites
  "By the end of 2016"
  Is this a good thing? A bad thing? Or does it even matter?
  http://www.huffingtonpost.com/2015/06/08/https-federal-websites_n_7539164.html
Attackers are using medical devices to pivot into health care networks
  The Internet of Medical Things is insecure
  There are challenges here, but the risks of moving faster aren't negligible
  Lots to be thought about here
  http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html
Kaspersky gets popped, cue the typical verbiage
  "Three previously unknown techniques"
  "..highly sophisticated attack used up to three zero-day exploits.."
  http://www.bbc.com/news/technology-33083050
PwC healthcare spending study is disturbing
  Predicts a 6.5% dip
  Security is one factor in increasing cost
  http://hitconsultant.net/2015/06/10/pwc-healthcare-spending-growth-rate-to-dip/
  http://www.csoonline.com/article/2934929/security-leadership/why-the-dip-in-healthcare-spending-is-actually-a-risky-opportunity-for-security-leaders.html
DtSR Episode 146 - State of Enterprise Incident Response (Jun 8, 2015, 46:22)
In this episode...
Defenders are set up to fail? How and why
How do we fill forensics and IR positions?
What skills and qualifications do forensics/IR need to have?
How can enterprises get better at IR from where they are today?
How do we solve some of the problems plaguing the security industry?
Guest
Andrew Case ( @attrc ) - Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. He is a core developer on the Volatility memory analysis framework and co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".
DtSR Episode 145 - NewsCast for June 1st, 2015 (Jun 1, 2015, 49:16)
Apologies to anyone who is having issues downloading this episode!
In this episode...
The ACLU encourages the government to get into bug bounties
  Read the original letter: https://www.aclu.org/sites/default/files/field_document/aclu_-_iptf_recommendations_submitted.pdf
  Points 1 & 2 are sane
  Point 3 makes a hard left into crazy-town
  http://thehill.com/policy/technology/243265-aclu-says-government-should-offer-rewards-for-finding-security-flaws-on-its
The massive taxpayer data fraud (not really a breach) is believed to be the work of Russia, says the IRS
  Does it really matter?
  Was this a breach or an abuse of functionality?
  Would your company have caught this?
  http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html
CareFirst says their recent breach affects only about 1.1M people
  Healthcare is clearly in the "bad guys" target zone
  Quick to point out what the attackers did not get access to
  Of course it was a sophisticated cyberattack
  http://abcnews.go.com/Technology/wireStory/carefirst-data-breach-affects-11m-people-31187250
CNA Financial business unit refusing to pay out claim to Cottage Health System
  Claims hospital "failed to continuously implement procedures and risk controls identified"
  CNA unit alleges many failures -- but is this fair?
  http://www.businessinsurance.com/article/20150515/NEWS06/150519893
DtSR Episode 144 - Insights from the ISC2 2015 Survey (May 25, 2015, 42:01)
In this episode...
David Shearer, Executive Director for ISC2, joins us to talk about the results of the ISC2 2015 Information Security Workforce Study
We ask David to highlight some of the results
We discuss how malware and application security were identified as top threats 3 years in a row -- and what's to be done about this
We discuss the major discrepancy between priorities from this survey and recent CIO surveys
We discuss the importance of communication skills (identified in the survey) while leadership and business management are far down the scale
We discuss with David how under his leadership ISC2 can build a much tighter alignment to business -- not just more security certifications
Guest
David Shearer - David Shearer has more than 27 years of business experience including the chief operating officer for (ISC)², associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office. Shearer has been responsible for managing and providing services via international IT infrastructures, and he has implemented large-scale SAP Enterprise Resource Planning (ERP) projects. Shearer holds a B.S. from Park College, a M.S. from Syracuse University, management and technical certificates from the U.S. National Defense University, and he is a U.S. federal executive presidential rank award recipient. As (ISC)² Executive Director, Shearer is responsible for the overall direction and management of the organization.
DtSR Episode 143 - NewsCast for May 18th, 2015 (May 18, 2015, 47:47)
In this episode...
Netflix launched FIDO (not that one, or that one, no the other one)
  Focused on automating incident response practices
  FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
  If you don't use it, at least they provide a structured framework for response and IR workflow
  http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
IT Chief leaves sensitive data in car - spoiler: it gets stolen
  Something smells like a fish market in the July heat on this story
  Maybe it's time to check in on YOUR off-site handling procedures?
  http://www.thestarpress.com/story/news/local/2015/05/10/chief-left-hard-drives-car/27083031/
Crowdstrike discovers, names "Venom"
  Massive security vulnerability within the floppy disk emulator in virtual machine hypervisors
  Even if you disable floppy disk emulation, separate bug lets you enable it
  This has a graphic and everything!
  http://www.csoonline.com/article/2921589/application-security/significant-virtual-machine-vulnerability-has-been-hiding-in-floppy-disk-code-for-11-years.html
United Airlines launches bug bounty
  Does this have anything to do with the now infamous (alleged) airplane hacker?
  Seems like some contradictory statements in the description (see below on United's response to our inquiry)
  http://www.united.com/web/en-US/content/contact/bugbounty.aspx
Note back from United Bug Bounty Team:
Posted with permission--
"Thank you for the question. We want researchers to be able to notify of potential issues they find while still protecting customers who are not participating in the program. If a researcher launched a brute force attack and locked the accounts of 10,000 customers through already existing security measures this would negatively affect our customers and the program.
If any researchers believe they may have found a brute force condition, they can feel free to submit it to us without testing. We will check on our end and if we confirm a bug exists we will gladly reward them for their effort. Does that make sense?
United Bug Bounty Team"
DtSR Episode 142 - Basics and Fundamentals, That Win (May 11, 2015, 26:34)
In this episode...
A quick walk-through of Rob's talk ("Hacker ghost stories"), and why it's completely relevant today
Simple things that work
  blocking java (externally) effectively
  blocking "uncategorized" sites in your forwarding proxies
  (not) resolving DNS internally
  (not) default routing to the Internet from inside
  canaries in the coal mine, or evil canaries
Guests
James Robinson ( @0xJames ) - https://www.linkedin.com/in/0xjames - Currently the Director, Threat and Risk Management at Accuvant-Fishnet Security and part of the Office of the CISO. He has a long and storied career of success as an enterprise defender across various industries.
Rob Fuller ( @mubix ) - Rob is an experienced InfoSec industry insider, with many interesting achievements and accomplishments. He's easily findable, as are his many public doings.
DtSR Episode 141 - NewsCast for May 4th, 2015 (May 5, 2015, 46:20)
In this episode...
A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
  The study only looked at mobile apps and app developers
  Less than half (of their study) test the mobile apps they build
  About 33% never test their apps
  http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
Illinois Bill SB1833 expands the definition of PII to include almost everything
  Requires notification in the event of a breach of... online browsing history, online search history, or purchasing history
  Is this absurd, or just protecting our privacy?
  http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
The DOJ has jumped in and issued some sound fundamental breach guidance!
  4 sections: what to do before, during and after a breach, plus what NOT to do after a breach
  Fantastic fundamentals... great idea
  The push to fundamentals is critical!
  http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
  http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
Mozilla is phasing out non-secure HTTP
  HTTPS only is the way forward, so Mozilla (champions of liberty and all that) are leading the way
  https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
First foreign hacker is convicted in the US
  Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies
  He pled guilty in September 2014, maximum of 5yr prison sentence
  http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/
DtSR Episode 140 - Ethics of Hacking, Live from AtlSecCon 2015 (Apr 27, 2015, 38:37)
In this episode...
What about public safety, where do we draw the line on open research?
Self-regulation? Disclosure? What are our options...
What makes a researcher?
We discuss "Chilling security research"
A quick dive into bug bounty programs; do they help?
Ethics vs. moral compass ...we discuss
Hacker movies, and what they're doing for our profession
Guests
Keren Elazari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank, founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren covers emerging security technologies and trends as a security industry analyst with GIGAOM research, a leading independent media hub. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious international annual TED conference. Keren's TED talk has been viewed by 1.2 million people, translated to more than 20 languages and selected for TED's list of 'Most Powerful Ideas in 2014' and for Inc.com's list of 'Top TED Talks of 2014'.
Kellman Meghu ( @kellman ) - heads up a team of Security Architects for CheckPoint Software Technologies Inc., the worldwide leader in securing the Internet. His background includes almost 20 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISPs in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. Kellman has delivered security talks in private corporate focused events, at school internet safety classes for students and teachers, as well as public events such as SecureWorld Seattle, The Check Point Experience, Bsides St. Johns, Bsides San Francisco, Bsides Iowa, Bsides Detroit, Secure360, Trilateral Conference, and Sector lunch keynote for 2014. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio station interviews and news articles across Canada and the US.
Mark Nunnikhoven ( @marknca ) - focuses on helping organizations as they move from the data centre to hybrid environments to working fully in the cloud. Bringing over 15 years of practical experience to the table, he is regularly sought after to speak on cloud computing, usable security systems, and modernizing security practices.
DtSR Episode 139 - NewsCast for April 20th, 2015 (Apr 20, 2015, 39:45)
In this episode...
Friend and security researcher Chris Roberts steps into it... A poorly-conceived tweet, followed by mass hysteria. Most everyone talking about this is missing the point entirely. Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
Corporate threat intelligence teams opting to go anonymous? New company, making intelligence sharing work, anonymously? Many questions on whether anonymity is workable in the intelligence space
Target settles with Mastercard for $19M USD. Mastercard trying to settle this out, as alternative payout option for victims (this time the issuers, not card holders)
http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_million/
The looming security threat no one is talking about. We're talking about it! Windows 2003 is going out of service... after 12 yrs? Final deadline is July 14th. Panic? Compensating security controls?
http://www.healthcaredive.com/news/himss15-the-looming-it-security-threat-that-no-one-is-talking-about/386754/
HTTP "ping of death" coming to a Windows IIS web-server near you. Patch now... people are actively exploiting this flaw to knock over web servers. Quick turn-around from "patch released" to "patch reverse-engineered to attack IIS servers"
http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
JPMC algorithm knows you're an insider threat, before you do. Fascinating, applies to the financial world. Uses behavioral indicators
http://www.bloomberg.com/news/articles/2015-04-08/jpmorgan-algorithm-knows-you-re-a-rogue-employee-before-you-do
DtSR Episode 138 - Useful Knowledge on Intelligence (Apr 13, 2015, 48:51)
In this episode...
Where do you even start with “threat intelligence”?
Ryan talks about context, and why it’s *the* most important thing when it comes to threat intel
How does a SME make use of a “luxury item” like threat intelligence?
Michael asks what are 1-2 things you can do *immediately* as an SME?
What are the basics, beyond the basics of security? Where do you make your first investment?
Getting your own house in order is harder than it sounds, so what then?
Michael drops some #RiskCatnip
Michael breaks down the “feedback loop” and his basic questions to ask/answer
Down the rabbit hole of shiny boxes, standards, and productized threat intelligence
The overlap of data on commercial threat intelligence providers
Guest: Ryan Trost - Ryan is the CIO of ThreatQuotient and knowledgeable on matters of intelligence, with his extensive background and history in the community.
DtSR Episode 137 - NewsCast for April 6th, 2015 (Apr 6, 2015, 46:20)
In this episode...
TrueCrypt security audit results are good news, right? Why are some of the most depended-upon
http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
At Aetna, CyberSecurity is a matter of business risk. Jim Routh talks about how he runs a security program. Security is a matter of business risk; if not, you're doing it wrong
http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
Why aren't you vulnerability scanning more often? Wrong question. Simple answer -- because scanning doesn't matter if you can't fix the issues you find. Example of how security misses the point
http://www.csoonline.com/article/2901472/vulnerabilities/why-aren-t-you-vulnerability-scanning-more-often.html
SecurityScorecard - a new startup that is exposing 3rd party risks to you -- or is it? Interesting business model. How legitimate is this, and what are the risks?
http://www.businessinsider.com/securityscorecard-raises-125-million-led-by-sequoia-2015-3
Does removing Windows administrator permission really mitigate 97% of vulnerabilities?! Is this real? If so -- why isn't everyone doing it? Local administrator privileges are starting to fade, but why so slowly?
http://blog.norsecorp.com/2015/04/02/removing-admin-privileges-mitigates-97-of-critical-microsoft-vulnerabilities/
DtSR Episode 136 - Crypto and Privacy with Jon Callas (Mar 30, 2015, 49:49)
In this episode...
Jon Callas gives a little of his background and his current role
We talk through why cryptography is so hard, and so broken today
Jon overviews compatibility, audit and making cryptography useful
Jon brings up open source, security, and why "open is more secure" is bunk
We talk through "barn builders" vs. "barn kickers" and why security isn't improving
We talk through how to do privacy, active vs. passive surveillance
We talk through anonymous VPN providers, anonymization services, and how they're legally bound
Jon talks about appropriate threat modeling and knowing what we're protecting
We talk through patching -- how to do patching for Joe Average User
Bonus -- Mobile is as secure (or more) than what we're used to on the desktop
Guest: Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered “one of the most respected and well-known names in the mobile security industry.” Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation and the former Chief Technical Officer of Entrust.
DtSR Episode 135 - NewsCast for March 23rd, 2015 (Mar 23, 2015, 51:40)
Remember folks, as you listen reach out to us on Twitter and hit the hashtag #DtSR to continue the conversation, and speak your mind! Let's hear what your take is on the stories we discuss...maybe you have a unique angle we've not considered?
In this episode--
Target settled class-action lawsuit over its data breach - for $10M USD. Who wins? Lawyers, clearly the lawyers. Burden of proof on the victims to show they've suffered a loss to get up to $10,000.00. If you can't prove loss, you can still try to get part of settlement of what's left-over
http://www.usatoday.com/story/money/2015/03/19/target-breach-settlement-details/25012949/
Federal judge dismisses suit against Paytime -- "simply no compensable injury yet". Leaves door open for future suits if someone were to suffer a compensable injury. "Once a hacker does misuse a person's information for personal gain...there is a clear injury and one that can be fully compensated with money damages." -- Judge John E. Jones III. Watch this case, read the story for yourself
http://www.securityinfowatch.com/news/11883806/federal-judge-dismisses-lawsuits-over-paytime-inc-data-breach
Sacred Heart Health System victim-by-proxy of a data breach. Happened at a 3rd party, so why is only Sacred Heart in the news? ~40 individuals' SSN and patient information. "Deceptive technique" known as phishing
http://pensacolatoday.com/2015/03/sacred-heart-informs-patients-of-billing-information-disclosure/
Premera Blue Cross "warned about security flaws before breach". Lots to talk about here -- starting with: is 3 weeks enough time? OPM audit finds issues; is this a systemic failure or exemplary of an enterprise doing its best in a difficult security climate? Before you judge, measure up your own security posture against this article
http://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/
Advantage Dental notifies patients of breach. 3 days from initial breach to discovery. Amazingly fast detection, but was it adversary or malware? Is this a feel-good, or something else?
https://secure.advantagedental.com/index.asp?din=598
NYC Auxiliary Officer charged with hacking NYPD & FBI systems. Insider threat poster child. Smart enough to do some interesting things. Yet, one of the dumbest criminals we've seen in a long time
http://www.fbi.gov/newyork/press-releases/2015/new-york-city-police-department-auxiliary-officer-charged-with-hacking-into-nypd-computer-and-fbi-database
DtSR Episode 134 - Fundamental Security (Mar 16, 2015, 48:04)
In this episode...
Michael C and the team talk about "going back to basics" and the need for security fundamentals
Michael C talks a little about why we (security professionals) fail at fixing problems at scale
We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
We discuss the balance between false positives and false negatives -- a super critical topic
Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
We talk through centralized vs. de-centralized security, and how to understand which works better, and where
Michael C gives us his 3 key take-aways for listeners (don't miss these!)
We talk through "assume breach", and what it means for security
Guest: Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community, now serving on its board and having contributed countless hours and lines of code to the effort.
DtSR Episode 133 - NewsCast for March 9th, 2015 (Mar 9, 2015, 36:46)
In this episode--
Law firm hit and crippled by ransomware, decides it's not paying the ransom. They aren't quite sure what got encrypted. But they have backups... ..and data was likely not exfiltrated
http://news.softpedia.com/news/Ransomware-Hits-Law-Firm-Encrypts-Workstation-and-Server-474788.shtml
Major law firms form ISAC to fight off adversaries, share intelligence. Catching up to the threat they're facing. Law firms are major targets, given the data they have ("secrets!"). Downside: exclusive to a handful of major firms
http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats
Big kerfuffle about Anthem's refusal of a 3rd party audit. They were under no legal obligation... Who out there would submit to a 3rd party audit/test? Sounds like public shaming, big headline, little story
http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980
Apple Pay being attacked, sort of. When technology becomes 'good enough' attackers attack processes, people. Lesson -- nothing is "unhackable" even if the tech is great
http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers
[Slightly-old-but-relevant] Victor Valley College suspends entire IT staff to investigate a vague breach in protocol. Very little actually said in disclosure: "We don't have any reason to believe we've been hacked by outside hackers". Entire computer system was taken down for nearly 3 hours. Emphasizing "no private student or employee information has been compromised". Stay tuned...weird
http://www.vvdailypress.com/article/20150130/NEWS/150139991
DtSR Episode 132 - Good Guys, Bad Guys, and Reality (Mar 2, 2015, 58:20)
In this episode...
We learn the origins of "RSnake" as told by Rob himself
Rob gives us a peek into the dark side, from his contacts and experiences
We discuss the black-hat economy as it's verticalized, specialized, and matured
Rob discusses the balancing act of the good vs. bad and why the situation is as bad as it needs to be
We discuss some of the things businesses and defenders really need to worry about
Rob gives us his view of the inevitability of security from SMB to enterprise -- and why things are so good, or bad, or just right
We discuss the different ways security is being understood, implemented and matured and why it's futile to chase absolutes
Michael and Rob dive into the labor shortage in security - real, perceived, or misunderstood?
Rob gives us his outlook on where things are going over the next decade or so
Guest: Robert "RSnake" Hansen ( @RSnake ) - Strategic. Web security expert. Visionary. Robert brings more than 20 years of web application and browser security experience, innovation, and vision to the WhiteHat Security team. Under Robert’s leadership, WhiteHat Labs successfully launched Aviator, the most secure browser available, for Mac and Windows, quickly racking up more than 170,000 downloads in less than six months. When asked about WhiteHat Labs’ mission, Hansen said, “Labs will strive to provide prototypes that go beyond customer expectations, to delight the user.” Before WhiteHat, Robert was the CEO of SecTheory and Falling Rock Networks. Robert has co-authored several books including XSS Exploits and Website Security for Dummies. Robert is also the author of Detecting Malice. He is a member of WASC, APWG, IACSP, ISSA and has contributed to several OWASP projects, including originating the XSS Cheat Sheet. When he is not breaking the web to make it stronger, Robert enjoys watching Formula One racing.
DtSR Episode 131 - NewsCast for February 23rd, 2015 (Feb 23, 2015, 42:28)
In this episode--
Would you be OK with your credit card company tracking you, to decrease fraud rates? Visa wants to track your smartphone.
http://triblive.com/business/headlines/7774328-74/visa-card-fraud
Your stolen healthcare data is increasingly being sold on the black market
http://www.ihealthbeat.org/articles/2015/2/19/security-experts-health-data-increasingly-being-sold-on-black-market
Lenovo has shipped software that performs a man-in-the-middle (MITM) attack against all SSL connections on some of its consumer laptops. This is really, really, really bad, but Lenovo doesn't seem to get it.
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
The web browser is totally broken, and a haven for malware. Long live the web browser?
http://securityintelligence.com/broken-web-browsers-malwares-new-address/
DtSR Episode 130 - Where Law and Cyber Collide (Feb 16, 2015, 49:22)
In this episode
Traveler's Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers
http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
We discuss whether security standards are now "implied"? Does Traveler's have any standing to sue? (Shawn thinks not)
FTC goes after LabMD for a data breach
http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
Is the FTC over-reaching? We discuss this statement from the FTC website: "[LabMD failed to] ..reasonably protect the security of consumers’ personal data, including medical information"
Social media company TopFace pays a ransom to hackers
http://www.forbes.com/sites/davelewis/2015/01/31/topface-facepalms-as-it-surrenders-to-data-breach-hacker-blackmail/
Face + Palm. We lament why this absolutely terrible decision may have far-reaching repercussions
Guest: Shawn Tuma ( @ShawnETuma ) - In addition to being a perennial favorite on this show, Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, a Christian, a family man, an author and speaker - and an all-around awesome guy.
DtSR Episode 129 - NewsCast for February 9th, 2015 (Feb 9, 2015, 51:25)
Topics covered
Massive breach at American Health Insurer Anthem - from the "haven't we done this once before?" department, as Queen - Another One Bites the Dust plays in the background
https://gigaom.com/2015/02/05/oops-another-big-data-breach-this-time-at-anthem/
http://money.cnn.com/2015/02/05/investing/anthem-hack-stocks/index.html?sr=twmoney020615anthemwallst0600story
(Obligatory OMG China! hype link) http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
Hackers target brokers, financial advisors -- SEC "does something"
http://thehill.com/policy/cybersecurity/231649-hackers-targeting-brokerages-and-financial-advisers
SEC weighs cybersecurity disclosure rules (why SEC?) - http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
A promising new technology which detects hacks in - milliseconds? - but what's the use-case?
http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds
Google launches vulnerability research grants program - because bug bounties just aren't enough
http://www.scmagazine.com/google-launches-vulnerability-research-grants-program/article/395694/
Sony Pictures Entertainment (the company that was so thoroughly hacked) CEO Amy Pascal is out! But is this proof of anything, for security? Ask Michael...
http://www.csoonline.com/article/2880600/security-leadership/the-conversation-security-leaders-need-to-have-about-amy-pascal-s-departure.html
DtSR MicroCast 07 - Taking Security Seriously (Feb 8, 2015, 05:58)
This is the 7th installment (call it a rebirth) of the MicroCast. Short and to the point, Michael and James talk about the phrase breached companies use - "We take your security seriously..."
.. join the conversation at #DtSR on Twitter!
DtSR Episode 128 - When Breach, Buy the Dip (Feb 2, 2015, 01:00:32)
Fans - If you haven't booked your ticket for InfoSec World 2015 in sunny Orlando, FL check this out. Register using our code CLD15/RABBIT for 15% off.
If you want a chance to go for FREE, listen to Episode 127 for your chance!
In this episode...
John gives us a little lesson on markets, and why they move up/down, commentary for the information security professional
John discusses what #BTFD means
John uses the Target example of why security professionals, marketers, and much of the media got it completely wrong
John educates us on insurance, compliance and liability
My head explodes...
Guest: John Foster ( @dearestleader ) - Mr. Foster has 19 years of technology experience but left technical infosec in 2003 to pursue a career in Compliance and Ethics. He now focuses on bribery & corruption, environmental issues, and other interesting topics, but infosec keeps appearing in compliance and finance. He is an investor with experience in stock, foreign exchange, options, and futures which allows him to see past the data breach hype. He is a Certified Treasury Professional, Six Sigma Black Belt, and holds certificates in ISO 9001, 14001, 20000, 22301, 27001, & 28000 from PECB. He is a partner at Bianco Foster Group, LLC which provides training and education services in ISO standards and an investor in several early stage startups.
Links
Short portfolio http://dearestleader.me/2015/01/portfolio-update/
S&P no material impact http://dearestleader.me/2015/01/standard-poors-says-breaches-have-no-material-impact/
Home Depot earnings call analysis http://dearestleader.me/2014/12/home-depot-earnings-indicate-there-is-no-fear/
Target sales up 40% over last year http://dearestleader.me/2014/11/target-continues-to-conquer-all/
Initial Target analysis http://dearestleader.me/2014/03/target-data-breach-not-a-disaster/
DtSR Episode 127 - NewsCast for January 26th, 2015 (Jan 27, 2015, 38:45)
** There is a special gift for our listeners in this episode, from our friends at InfoSec World 2015! Listen to find out how you can go for free.
We have a promo code!
CLD15/RABBIT – 15% off for “Down the Rabbit Hole” listeners
Topics Covered
Google picks up really big rocks, but lives in a glass house. As Google drops zero-days on Apple and Microsoft, they respond with a lame excuse as to why they aren't patching a vulnerability that puts north of 60% of all Android users at risk.
http://m.v3.co.uk/v3-uk/news/2389839/google-puts-60-percent-of-android-users-at-risk-with-webview-security-changes
http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
http://www.eweek.com/security/google-project-zero-continues-its-microsoft-zero-day-assault.html
http://www.zdnet.com/article/googles-project-zero-reveals-three-apple-os-x-zero-day-vulnerabilities/
Marriott reverses its decision to block guests' personal WiFi devices at their properties
http://threatpost.com/marriott-agrees-to-stop-blocking-guest-wifi-devices/110441
LabMD's request to have an enforcement action against them by the Federal Trade Commission dismissed is denied. While this doesn't necessarily mean anything serious, yet, it's definitely one to watch.
http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
Heartland Payment Systems - yes, the company that was the poster child for nearly going out of business because of a horrible breach - is continuing to reinvent itself around security, this time making headlines with an offer of a data breach warranty. Strings, as you may suspect, attached.
http://www.cspnet.com/industry-news-analysis/technology/articles/heartland-offering-data-breach-warranty
http://www.businesswire.com/news/home/20150112005260/en/Heartland-Offer-Comprehensive-Merchant-Breach-Warranty
Watch this podcast page later this week for that freebie Michael told you about!
DtSR Episode 126 - The Defense Always Loses (Jan 19, 2015, 49:33)
In this episode...
The blog post that started it all - http://blog.norsecorp.com/2014/11/10/the-new-reality-in-security-offense-always-wins-and-defense-always-loses/
Vince tells us what he means by "Offense always wins, defense always loses"
We disagree over this snip from his blog post: "To “win” in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose."
We discuss how we get away from being Eeyore defeatists
Vince gives us security strategies he is advocating, knowing that defense is better equipped, and better funded
We briefly mention high-value assets, and why it's even more critical today than it has ever been before, and why we still stink at it
We challenge Vince to give us some tangible steps to managing risk better, to get away from winning/losing
We discuss how we compress delivery time lines for security competencies (Average time to deliver a technical control is months, plus budget cycle - maybe years)
We close with lessons learned from Vince's rich experience that he'd like to share with the listeners, to change the nature of the win/lose conversation
Guest: Vince Crisler - Vince has done some very interesting things in his background, including serving as a Communications Officer with the US Air Force, working at the White House as Presidential Communications Officer, backing security start-ups, and chairing a Washington DC OSINT group. He's definitely one of the people you should get to know.
DtSR Episode 125 - NewsCast for January 12th, 2015 (Jan 13, 2015, 34:20)
Welcome to a new year of the Down the Security Rabbithole Podcast! We are kicking off this year with a guest on this morning's program: Phil Beyer joined us to talk about the last few weeks, which have been a wild, wild ride in the security industry!
Thanks for your support so far, and we promise a fantastic 2015 to come.
Topics Covered
Sony. Sony. Sony. It's all anyone can talk about! They got hacked. They released a movie. They apparently aren't in dire straits. Fascinating.
http://www.cbc.ca/m/news/world/sony-pictures-ceo-michael-lynton-says-hackers-burned-down-the-house-1.2894997
http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
http://www.washingtonpost.com/world/national-security/fbi-director-offers-new-evidence-to-back-claim-north-korea-hacked-sony/2015/01/07/ce667980-969a-11e4-8005-1924ede3e54a_story.html
Meanwhile, an iron plant in Germany was attacked (via cyber) and caused some very serious, and real, damage
http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/
Microsoft abruptly cut off patch Tuesday public notifications, unless you're paying extra
http://www.computerworld.com/article/2866996/microsoft-abruptly-dumps-public-patch-tuesday-alerts.html
On January 11th, 2015 a 90-day window expired and Google's new Project Zero disclosed to the world a Windows 8.1 privilege elevation flaw. Microsoft had not yet patched it. War of words is on.
https://code.google.com/p/google-security-research/issues/detail?id=123
http://www.pcworld.com/article/2867533/google-reveals-windows-81-flaw-mere-days-before-patch-tuesday-fix-irking-microsoft.html
DtSR Episode 124 - PCI DSS and Security (Yes, Really) (Jan 5, 2015, 57:27)
Hi everyone! Welcome to the very first episode of the Down the Security Rabbithole Podcast for 2015! On this opening episode, Jeff Man joins us to talk truth to power on PCI-DSS and shatters myths for us.
In this episode
Jeff tackles some common misunderstandings about PCI
The crew discusses PCI – what’s right about it and what’s wrong about it
Jeff tells us why he believes if you’re secure you’re compliant, but if you’re compliant you’re probably not secure
The $64M question - Isn’t EMV, P2PE, and tokenization going to spell the end of PCI?
Jeff tells us what to look forward to with PCI DSS v3.0
Guest: Jeff Man ( @MrJeffMan ) - Mr. Man has 13 years of DoD experience (10 at NSA as a Cryptanalyst/Information Security Analyst), 18 years of commercial consulting – pen testing, vulnerability assessments, security architecture reviews – and 10 years as a QSA doing PCI (and yet he's never conducted a PCI audit and never been a CISSP). As a QSA he's been involved with most of the major companies that experienced breaches in the mid-2000’s (Walmart, TJX, Heartland), so he can speak with some credibility about recent breaches in the past year or so.
DtSR FeatureCast - 2014 Year in Review (Dec 29, 2014, 52:40)
Hey everyone! We're almost done with 2014 and another new year is right around the corner. We thought this was the perfect time to sit back, relax a little and reflect on the year that was...and boy was it ever!
Thanks for listening everyone, it's been an epic year and we look forward to more awesome things in 2015!
DtSR FeatureCast - US vs. Salinas ft. Shawn Tuma (Dec 22, 2014, 29:04)
In this episode
Attorney and CFAA expert Shawn Tuma joins us to talk about the US vs. Salinas case, where Mr. Salinas was threatened with 440 years in jail and has now pleaded down to a misdemeanor. Prosecutorial discretion, or attorneys-gone-wild?
DtSR Episode 123 - NewsCast for December 15th, 2014 (Dec 16, 2014, 43:17)
Topics covered
The unfolding case of the Sony Pictures Entertainment breach
http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html
http://www.thedailybeast.com/articles/2014/12/12/shocking-new-reveals-from-sony-hack-j-law-pitt-clooney-and-comparing-fincher-to-hitler.html
http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html
http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html
The phishing scam that succeeded at hitting a big chunk of Wall Street - it probably would have fooled you too. Here's what we've learned
http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
Iranian hackers hit Las Vegas behemoth with a sophisticated attack ... wait, it was Visual Basic based?!
http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
Judge refuses to dismiss case against Target, brought on by banks, who are the ones who take the brunt of the losses - http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target-for-2013-credit-card-hack/
DtSR Episode 122 - Enterprise Architecture's Role in Security (Dec 8, 2014, 51:14)
In this episode
Michelle explains to us what Enterprise Architecture is, and what it isn't
Michelle gives her take on how security and enterprise architecture both support each other
We discuss the role of standards, standards, standards - and why you can't have security without them
We talk about GRC
We talk through roles & responsibilities definition between security, architecture, and the rest of IT
"Application Portfolio Rationalization" -- the most impossible project. Ever.
Michelle schools us on data, high-value assets, meta-data and the really hard topics for security
Michelle gives us a series of examples of "HOW" we can find high-value assets, and start security there
Michelle addresses the phrase "business alignment" since it's pivotal to enterprise architecture
Guest: Michelle-Marie Strah ( @CyberSlate ) - Director, Enterprise Architecture at NBCUniversal – recently joined the newly formed Strategy and Architecture team at NBCUniversal designed to drive enterprise architecture, solutions architecture and innovation management across all companies in the NBCUniversal global portfolio. Previously she was at Microsoft Corporation worldwide headquarters where she was responsible for leading emerging markets cloud deployments, go to market and compete strategies in Latin America for public, private and hybrid cloud offers (both Azure and partner hosted clouds). As part of her role on the Applied Incubation Team she worked closely with partners, CIOs and government officials as well as internal CTO, legal, and chief security officer teams in the region to ensure privacy and security standards for government and private sector cloud adoption in Latin America. As an enterprise architect, Michelle specializes in governance, risk, compliance, information security and enterprise information management and has decades of experience in highly regulated industries, government, defense and healthcare.
Additional Links
IBM Security Framework: http://www.redbooks.ibm.com/abstracts/sg248100.html?Open
OSA: http://www.opensecurityarchitecture.org
TOGAF: The Open Group Architecture Framework: http://www.opengroup.org/togaf/
DtSR Episode 121 - NewsCast for December 1st, 2014 (Dec 2, 2014, 44:10)
Topics covered
Sony Pictures is having a very, very bad couple of days - and it could keep getting worse.
http://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-security-compromise
http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html
A newly discovered (but old) comment bug in Wordpress affects ~86% of sites. The story isn't what you think it is -
http://www.consumeraffairs.com/news/newly-discovered-comment-security-bug-affects-86-of-wordpress-blogs-112414.html
The Australian government is blaming a data breach from February on ... "awareness"? Michael disagrees (and he's right).
http://www.esecurityplanet.com/network-security/australian-government-data-breach-linked-to-poor-security-training.html
The public release of the research on Regin malware has it pegged as the most advanced thing since the computer - so what?
http://money.cnn.com/2014/11/23/technology/security/regin-malware-symantec/index.html?hpt=hp_t2
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
Symantec whitepaper: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
The Justice Department is using a 225 year old law to tackle a modern problem of encrypted cell phones through the manufacturer.
http://blogs.wsj.com/digits/2014/11/25/case-suggests-how-government-may-get-around-phone-encryption/
The court system...works? 440 year jail threat down to a misdemeanor in no time flat
http://www.wired.com/2014/11/from-440-years-to-misdemeanor/
Updates:
Target doesn't feel like all the banks' losses are their problem, here's why - http://arstechnica.com/tech-policy/2014/11/target-to-judge-banks-losses-in-our-card-breach-arent-our-problem/
In spite of the massive breach, Home Depot financial outlook is bright - http://www.forbes.com/sites/maggiemcgrath/2014/11/18/home-depot-outlook-bright-despite-data-breach/
DtSR Episode 120 - Hacking the Human (again)
Nov 24, 2014, 46:43

In this episode:
We revisit the 'human' side of hacking
Chris tells us all about the Defcon CTF his team has hosted
We discuss the role human nature plays in social engineering, or "Why the bad guys always win"
Chris gives us his tips for making it harder for social engineers
Michael and Chris talk metrics and measuring "getting better"

Guest:
Chris Hadnagy ( @HumanHacker ) - Chris Hadnagy (author of Social-Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security) is a speaker, teacher, pentester, and recognized expert in the field of social engineering and security.
Chris Hadnagy is the President and CEO of Social-Engineer, Inc. He has spent the last 16 years in security and technology, specializing in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit.
Chris is a graduate of Dr. Paul Ekman's courses in Microexpressions, having passed the certification requirements with an "Expert Level" grade. He also has significant experience in training and educating students in non-verbal communications. He holds certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP).
Finally, Chris has launched a line of professional social engineering training and penetration testing services at Social-Engineer.Com. His goal is to assist companies in remaining secure by educating them on the methods used by malicious attackers. By analyzing, studying, dissecting, and then performing the very same attacks used in some of the most recent incidents (e.g. Sony, HBGary, Lockheed Martin, Target), Chris is able to help companies understand their vulnerabilities, mitigate issues, and maintain appropriate levels of education and security.
Chris has developed one of the web’s most successful security podcasts, The Social-Engineer.Org Podcast, and the equally-popular SEORG Newsletter. Over the years, both have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff.
You can find Chris's articles for local, national, and international publications and journals, including Pentest Mag, EthicalHacker.net, and local and national Business Journals.
Links:
Social Engineer Org - Your one-stop place for podcast, newsletter, and all things social engineering from Chris's team - http://www.social-engineer.org/
SECTF Report - http://www.social-engineer.org/ctf/social-engineer-inc-releases-annual-report-def-con-22-social-engineering-capture-flag-sectf-contest/
Social Engineer, Chris's company - http://www.social-engineer.com/

DtR Episode 119 - NewsCast for November 17th, 2014
Nov 18, 2014, 41:12
Note: The hashtag for the show on Twitter has changed, please connect with us using #DtSR going forward. Thanks!
Topics covered:
Update: Home Depot breach (Hint: apparently it was a 3rd-party entry point) Story: http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html
Apparently as a reaction, all execs are being switched to iDevices (blame Windows? and why only execs?) - http://www.imore.com/home-depot-switches-execs-iphones-macbooks-it-blames-windows-massive-breach
Also, they lost ~53 million email addresses too - http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
American Express is pushing tokenization to their payment ecosystem; this is big news but leaves a lot more questions and concerns than answers (for example, what about chip & PIN (sign)?) - Story: http://threatpost.com/american-express-brings-tokenization-to-payment-cards/109137 Check out the standard itself: http://www.emvco.com/download_agreement.aspx?id=945
Flaw found (in a lab) in the VISA EMV protocol, but is it realistic to do this kind of "immense fraud" outside the lab, in real life? Story: http://www.cio.com/article/2842994/flaw-in-visa-cards-could-ring-up-a-very-large-fraud.html
The FTC further exercises its (Constitutional?) powers to take down fake "support call scammers" and is on track to some public fanfare - Story: https://nakedsecurity.sophos.com/2014/10/26/ftc-takes-down-fake-support-scammers-upbeat-about-getting-consumers-money-back-poll/
Connecticut Supreme Court paves the way for class-action suit in HIPAA breach/violation. Big question: is this good for anyone other than the lawyers? Will it just add to the rising cost of healthcare, or is this doing some good? Story: http://www.ctlawtribune.com/home/id=1202676138225/Conn-Supreme-Court-HIPAA-Decision-Likely-to-Spawn-More-Litigation
A "spying software" that can spot a phone theft in "2 minutes"? Call us skeptical, and leery - Story: http://www.fastcodesign.com/3038031/spying-software-spots-phone-theft-in-2-minutes-no-password-needed
Starwood Hotels is going keyless with iPhone & iWatch integration for room entry. A great idea, if it's free of the usual security bugs. Story: http://www.theipadfan.com/starwood-hotel-rooms-now-keyless-with-iphone-and-apple-watch-app-integration/ Michael's take on the story: http://www.csoonline.com/article/2691383/security-leadership/what-did-you-expect-to-happen-when-you-bought-the-electronic-lock.html Episode 111, where we briefly cover this topic in detail via the Onity court case: http://podcast.wh1t3rabbit.net/dtr-episode-111-newscast-for-september-22nd-2014
Breaches:
BrowserStack goes down, gets transparent and honest, promises to come back stronger - http://www.browserstack.com/attack-and-downtime-on-9-November
"Massive" USPS data breach identified, hits customers and employees (cue the lawsuits!) - http://www.cnn.com/2014/11/10/politics/postal-service-security-breach/index.html?hpt=hp_t2
NOAA breached by .... China! - http://www.eweek.com/security/noaa-other-u.s.-agency-security-breaches-connecting-the-dots.html
State Department shuts down unclassified email system, after spotting "activity of concern" - http://www.nytimes.com/2014/11/17/us/politics/state-department-targeted-by-hackers-in-4th-agency-computer-breach.html?_r=0
DtR Episode 118 - Demystifying Threat Intelligence
Nov 10, 2014, 52:45

In this episode:
Adam and Dmitri discuss what is (and what isn't) threat intelligence
We discuss strategic, tactical and operational security intelligence
Who is using threat intelligence, and how?
Adam talks about the success factors, key points, and trends
Michael asks how an organization can know whether they're READY for a threat intelligence program
Adam explains the term "finished intelligence"
Adam describes tactical intelligence, while Dmitri gives his take on strategic intelligence
We discuss the merits of education and awareness - first
How important is attribution, really?
3 critical things an enterprise *must be doing* before jumping into threat intelligence as a program

Guests:
Adam Meyers ( @adamcyber ) - Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer-reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam's responsibility to oversee all of CrowdStrike's intelligence gathering and cyber-adversarial monitoring activities. Adam's Global Intelligence Team supports both the Product and Services divisions at CrowdStrike, and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. He served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. He also provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. During his tenure at SRA International, Adam also served as the Product Manager for SRA's dynamic malware analysis platform Cyberlock.
Dmitri Alperovitch ( @dmitricyber ) - Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike Inc., leading its Intelligence, Technology and CrowdStrike Labs teams. A renowned computer security researcher, he is a thought leader on cybersecurity policies and state tradecraft. Prior to founding CrowdStrike, Dmitri was a Vice President of Threat Research at McAfee, where he led the company's global Internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light the Operation Aurora, Night Dragon and Shady RAT groundbreaking cyberespionage intrusions, and gave those incidents their names.
In 2013, Alperovitch received the prestigious recognition of being selected as MIT Technology Review's "Young Innovators under 35" (TR35), an award previously won by such technology luminaries as Larry Page and Sergey Brin, Mark Zuckerberg and Jonathan Ive. Alperovitch was named Foreign Policy Magazine's Leading Global Thinker for 2013, an award shared with Secretary of State John Kerry, Elon Musk and Jeff Bezos. He was the recipient of the prestigious Federal 100 Award for his contributions to federal information security in 2011 and was recognized in 2013 as one of Washingtonian's Tech Titans for his accomplishments in the field of cybersecurity. With more than a decade of experience in the field of information security, Alperovitch is an inventor of eighteen patented technologies and has conducted extensive research on reputation systems, spam detection, web security, public-key and identity-based cryptography, malware and intrusion detection and prevention. Alperovitch holds a master's degree in Information Security and a bachelor's degree in Computer Science, both from Georgia Institute of Technology.
DtR FeatureCast - Norse Corp DDoS - Nov 7 2014
Nov 8, 2014, 25:25

In this episode:
Jeff explains a little bit about who Norse is, and why they were potentially targeted with a DDoS
We discuss what a DDoS is, how it becomes effective, and what methods/tools attackers use (in this case SNMP v2 reflection)
We talk about threat intelligence (reputational intelligence) and how companies and intelligence platforms can leverage this data to decrease risks actively

Guest:
Jeff Harrell ( @jeffharrell ) - Jeff Harrell is the Vice President of Product Marketing at Norse, the leader in live attack intelligence. Jeff has over 15 years of experience in the IT Security industry leading product management and product marketing teams to build and market security solutions from end users to large enterprises. Jeff's areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.

Additional Links:
The attack map Jeff talked about: http://map.ipviking.com
Blog post from Norse on the DDoS: http://blog.norsecorp.com/category/featured/2014/11/06/video-norse-live-attack-map-hammered-by-1-5-gbps-ddos-attack/
DtR Episode 117 - NewsCast for November 3, 2014
Nov 3, 2014, 44:15

Topics covered:
Banks urging shoppers not to avoid breached retailers - Companies that get breached impact card holders minimally, at least as far as we can tell, right? http://www.kcentv.com/story/26887771/local-bank-leaders-no-need-to-avoid-hacked-retailers-during-holidays
Federal officials (FBI, US SS) are making a big push to be your source for cyber-security help - Interesting that this comes up at a time when everyone is fighting back against government meddling/surveillance http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
The FCC flexes its muscle in a pair of fines totalling a paltry $10m for egregious security violations - Of course, the people who have had their privacy and security violated see none of this big-telco pocket change... http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/24/with-a-10-million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/
Congress doesn't grant the FBI the ability to prevent mobile encryption .. undoubtedly ushering us into "a very dark place" - for once, Congress did something useful by doing what it's famous for: nothing http://www.theregister.co.uk/2014/10/22/fbi_apple_grapple_congress_kills_cupertino_crypto_kibosh/
Insurance companies fighting to get data breach coverage removed from general liability policies - isn't this obvious? I think this is one of the last shoes to drop before things move forward, finally http://www.businessinsurance.com/article/20141026/NEWS07/141029850
DtR Episode 116 - Lines in the Sand on Security Research
Oct 27, 2014, 54:15

In this episode:
Chris attempts to explain the consternation with 'security research' right now
Kevin gives his perspective and why he doesn't quite understand why people don't see they're "breakin' the law"
Shawn discusses what parts of the CFAA he would like to see reformed
James drops the question - "What is a security researcher?" ..and rants a little
Kevin talks about why the security industry needs to self-regulate w/example
Chris and Kevin debate intent, and "stepping over the line"
Chris brings up the issue of bug intake at a large company
Spirited discussion about intent, regulation, actions and separating emotion from facts

Guests:
Chris John Riley - ( @ChrisJohnRiley ) - Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years of experience in various aspects of Information Technology, Chris now focuses full time on Information Security with an eye for the often overlooked edge-case scenario. Chris is one of the founding members of the PTES (Penetration Testing Execution Standard), regular conference attendee, avid blogger/podcaster (blog.c22.cc / eurotrashsecurity.eu), as well as being a frequent contributor to the open-source Metasploit project and generally getting in trouble in some way or another. When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.
Shawn Tuma - ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.
Kevin Johnson - ( @SecureIdeas ) - Kevin is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub.
DtR Episode 115 - NewsCast for October 20th, 2014
Oct 21, 2014, 38:19

Topics covered:
The FBI paid a visit to the "researcher" who revealed (and tinkered with) the hacked Yahoo! servers - we discuss the various aspects of this case, which we've been going round and round on lately http://www.wired.com/2014/10/shellshockresearcher/
US Cyber Security Czar Michael Daniel wants our passwords gone, replaced by .... "selfies"; We wish we were making this one up or the link was to an Onion article, but sometimes the jokes write themselves in a sad, sad way http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/
Pres. Obama has issued an executive order that all government payment cards now must be "chip & PIN"; once again underscoring that "just do something" may be worse than actually doing nothing -- we'd love to hear your thoughts http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions
Notable data breaches discussed: K-Mart - http://www.theregister.co.uk/2014/10/12/kmart_cyber_attach/ Dairy Queen - http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
POODLE, the latest OMG SSL vulnerability; is it really that big a deal that there is a public vulnerability in a protocol that should have become extinct at the turn of the century? (Hint: Sadly, yes) http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
DtR Episode 114 - Threat and Vulnerability Management
Oct 13, 2014, 45:20

In this episode:
Ron gives us a brief history of Tenable and TVM for the enterprise
Ron answers "How do you make network security obtainable and defendable?"
We discuss TVM as a fundamental principle to many other security program items
Ron tells us what the modern definition of "policy" is
We discuss some hurdles and challenges of TVM programs in an enterprise
We note that security scanning can always break stuff - so how do you get around that?
Ron tells us why TVM is so much more than scanning
Michael asks "Why are so many companies stuck in a Prince song (1999)?"
We attempt to tackle - compliance, risk, and managing to a goal
Ron answers the question - "Are we getting any better?"

Guest:
Ron Gula ( @RonGula ) - CEO and CTO at Tenable. Ron co-founded Tenable Network Security, Inc. in 2002 and serves as its Chief Executive Officer and Chief Technology Officer. Mr. Gula served as the President of Tenable Network Security, Inc. He served as the Chief Technology Officer of Network Security Wizards, which was acquired by Enterasys Networks. Mr. Gula served as Vice President of IDS Products and worked with many top financial, government, security service providers and commercial companies to help deploy and monitor large IDS installations. Mr. Gula served as Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked at BBN and GTE Internetworking, where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. He was the original author of the Dragon IDS. Mr. Gula has a BS from Clarkson University and an MSEE from University of Southern Illinois.
DtR Episode 113 - NewsCast for October 6th, 2014
Oct 7, 2014, 47:28

Topics covered:
The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ...well we talk about it with an attorney and some necessary skepticism https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html
A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation
A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app
The code for the badUSB attack was published and released at DerbyCon - we discuss implications http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
Cedars-Sinai Medical Center loss of data is much worse than they thought, but it's actually worse than that - a teachable moment here - http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story.html

DtR FeatureCast - CFAA, Shellshock and Security Research - October 2nd 2014
Oct 3, 2014, 39:55
Thank you to Shawn Tuma - an attorney specializing in CFAA and a good friend of our show - for stopping by and lending his expertise on this episode. If you enjoy Shawn's insights, consider following him on Twitter ( @ShawnETuma ) or just saying hello!
In this episode
Guest:
Shawn Tuma - ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.

DtR Episode 112 - DREAMR Framework
Sep 29, 2014, 41:41

In this episode:
DREAMR: What is it, and why is it so important to Enterprise Security today?
Examples of aligning business and security requirements and winning hearts & minds
How does a security organization get around "see I told you so!" security
An example of how to make the framework work for you
We discuss the importance of listening, then listening, then listening some more
Jessica and Ben explain "accommodating" the business
Jessica and Ben give us "One critical piece of advice"

Guests:
Jessica Hebenstreit ( @secitup ) - Jessica Hebenstreit has been a member of the Information Security community for over a decade. Having worked on both the technical and business sides of various enterprises, Hebenstreit has a unique perspective that allows for more understanding when balancing competing interests. She is a successful and results-oriented Information Security expert with hands-on information security experience in security monitoring, incident response, risk assessment, analysis, and architecture and solution design. She holds the following certifications: CISSP, GIAC-GSEC, CRISC and SFCP. In March 2012, she earned her Master of Science in IT (MSIT) specializing in Information Assurance and Security. She is currently the Manager of Security Informatics - Threat Analysis and Response at Mayo Clinic. She is building a smart response architecture for incident response from the ground up.
Ben Meader ( @blmeader ) - Ben Meader is a Senior Security professional with a unique blend of technical acumen and business know-how. Meader's security thought leadership has been battle tested at multi-national firms over the past 13 years, ranging from network security and operational security to performing detailed risk assessments and implementing a firm-wide privacy program. He remains up to date in both security and business, having received his M.B.A. from DePaul University, and holds a current CISSP. He is also active in the entrepreneurial community and is Co-Founder of a mobile application company on the side. His education and range of experiences in working with firms both large and small have given him a unique perspective on the role of security within different business cultures and how competing philosophies can collide.
DtR Episode 111 - NewsCast for September 22nd, 2014
Sep 23, 2014, 47:20

Topics covered:
Hacker flees US for non-extradition country - why? http://blog.erratasec.com/2014/09/hacker-weev-has-left-united-states.html http://www.newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison
Class-action lawsuit against Onity lock company ("easily hackable hotel lock") rejected by judge https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/
Home Depot - the dirt starts to fly http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/ https://privacyassociation.org/news/a/following-breach-report-shows-home-depot-has-105-million-in-coverage/ https://privacyassociation.org/news/a/2013-05-01-supreme-court-wiretap-ruling-upholds-stringent-standing-to-sue/
DtR Episode 110 - Red Dragon Rising
Sep 15, 2014, 39:36

In this episode:
Separating the hype from reality of the Chinese hacking threat
The escalation of economic tensions between US & China, over hacking
What is the advice for the enterprise regarding state-sponsored attacks?
The challenge with the uni-directional intelligence flow for government/enterprise
The challenge with nation-state hacking of critical infrastructure
The worst-case scenario (quietly happening?)
Directly addressing the various APT reports (specifically APT1)
Does a cyber attack warrant a kinetic response?
Attribution is hard. Is it more than black magic, and is anyone doing it right?
The great disconnect between the keyboard jockey and real-life consequences

Guest:
Bill Hagestad II ( @RedDragon1949 ) - Internationally recognized cyber-intelligence & counter-intelligence professional. Technical, cultural, historical and linguistic analysis of foreign nation state cyber warfare capabilities, intents & methodologies...
Listed on Forbes Magazine as : "20 Cyber Policy Experts To Follow On Twitter". Bill can be found on LinkedIn at - www.linkedin.com/in/reddragon1949
DtR Episode 109 - NewsCast for September 8th, 2014
Sep 9, 2014, 49:53

Topics covered:
Apple has been making news, issuing guidance, and refuting a hack - all around iCloud http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/ http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/ http://www.cio-today.com/article/index.php?story_id=94027
HealthCare.gov was hacked, but no worries, it was only a test server and no 'data was taken/viewed'. Does this sound like something you've faced in the enterprise ... hmmmm? If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat. http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html
Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (did you Buy The Dip? h/t @DearestLeader ) http://seekingalpha.com/article/2478055-home-depot-potential-data-breach-may-have-presented-a-good-opportunity-to-buy-the-stock http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/ http://www.csoonline.com/article/2601082/security-leadership/are-you-prepared-to-handle-the-rising-tide-of-ransomware.html
Norway's Oil & Gas industry is now the target of hackers, seeking to get intelligence on production, exploration - and that all-important state-sponsored competitive edge. http://www.thelocal.no/20140827/norwegian-oil-companies-hacked
Google is deprecating (in a big way) the use of SHA-1 in certificates, way ahead of the set schedule. Is this "Google the game-changer" or "Google the bully"? You decide - tweet us at #DtR http://www.csoonline.com/article/2602108/security-leadership/do-you-agree-with-googles-tactics-to-speed-adoption-of-sha-2-certificates.html http://www.zdnet.com/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous-7000033159/
DtR Episode 108 - Security in State Government
Sep 1, 2014, 41:01

In this episode:
We discuss the largest challenges in the state government sector
Brian discusses balancing the need for openness versus security/secrecy
Phil talks about the challenge of balancing policy with agency needs in state government
Michael asks how state-level security justifies and prioritizes security requirements
Raf asks how policy is created that can be both effective, and broad
The group talks about metrics, policy implementation, and showing value to protecting citizens
The guys answer "What's the best piece of advice you've gotten in your career?"

Guests:
Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 27002, PCI-DSS, HIPAA). Confident leader, problem solver, relationship builder, technical communicator, public speaker, presenter, and security evangelist. Fast-paced learner with a strong work ethic and self-starter attitude.
Brian Engle ( @brianaengle ) - Currently the Chief Information Security Officer & Texas Cybersecurity Coordinator, Brian is a results-oriented executive and leader with over 20 years of progressive experience in Information Technology and Information Security across the government, healthcare, manufacturing, financial services, technology, telecommunications and retail verticals. His specialties include risk management, project management, and cost-effective delivery of appropriate security solutions within organizational risk tolerances. Consummate generalist with a background in effective incident management, security and network operations, vulnerability and threat management, as well as technical compliance evaluation and gap analysis.
DtR Episode 107 - NewsCast for August 25, 2014
Aug 26, 2014, 45:29

Topics covered:
Community Health Systems and UPS Stores breached - an analysis and contrast of the two breaches, the data, and the common message http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf http://blogs.wsj.com/cio/2014/08/20/the-morning-download-community-health-systems-breach-stirs-up-heartbleed-fears/ http://time.com/3151681/ups-hack/
The case of the premature declaration of BYOD death, via an over-hyped court case? http://www.cio.com/article/2466010/byod/court-ruling-could-bring-down-byod.html
"Shadow clouds" (cloud services consumed by enterprises, not approved by security) are on the rise. No one on the show is shocked, and you aren't either. http://www.computerworld.com/s/article/9250606/Shadow_cloud_services_pose_a_growing_risk_to_enterprises
Facebook gives $50,000.00 away for the "Internet Defense Prize", joining Microsoft in trying to make being defensive-minded (and actually solving some security problems, rather than continuing to point them out) sexy http://threatpost.com/new-facebook-internet-defense-prize-pays-out-50000-award
DtR Episode 106 - My Compliance is Better Than Your Security
Aug 18, 2014, 41:28

In this episode:
Jason tells us why he isn't hating on compliance
Jason talks about how security people are often the source of the issues
Jason gives us his perspective on compliance-driven security
Jason correlates compliance to quality assurance in security
We talk about security's unbroken streak of failing at the basics
We lament poor metrics, why we suck at them, and what comes next
We discuss how you can tell whether an investment in security 'is working'
We discuss the need for repetitive and consistent security
Jason gives us his three things that he wants to leave you with

Guest:
Jason Oliver ( @jasonmoliver ) - Jason M Oliver, CISSP, CRISC is the Chief and CEO of Tikras Technology Solutions Corp, a Native American Owned Small Business, President at Arrow Ventures, a seasoned security industry veteran, leader, and lifelong pursuer of knowledge. His unique approach to solving security issues involves individualized plans tailored to meet each specific customer's needs. His high level of unwavering integrity has been met by the highest regard from both customers and peers.
DtR Episode 105 - NewsCast for August 11, 2014
Aug 12, 2014, 44:57

Topics covered:
Survey shows CISOs still struggle for respect (from business peers) http://www.cio.com/article/2460165/security/cisos-still-struggle-for-respect-from-peers.html
Hold Security uncovers 1.2 billion password heist on Russian hacker sites (but something smells funny) - draw your own conclusions folks... I'd love to hear 'em http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/ https://identity.holdsecurity.com/Submit/ http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
Yet another Android core software blunder, called "Fake ID", essentially gives "highly privileged malware" a free ride. http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
HP study says 70% of "Internet-of-Things" (IoT) devices are vulnerable. There's a shock, we're carrying around legacy baggage? Perish the thought. http://h30499.www3.hp.com/t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284
Civilian sector is better than the military at Cyber-War exercise. *rollseyes* http://www.navytimes.com/article/20140804/NEWS04/308040019/In-supersecret-cyberwar-game-civilian-sector-techies-pummel-active-duty-cyberwarriors?sf29369064=1
Target booking $148M due to data breach http://fortune.com/2014/08/05/target-data-breach-profit/ http://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec
PF Chang's does an astonishingly good job at being transparent about their breach(es) http://www.bankinfosecurity.com/pf-changs-breach-33-locations-hit-a-7153/op-1
DtR Episode 104 - JW Goerlich - Security Leaders SeriesAug 4, 2014 34:40
In this episode
Who is J.W. Goerlich (redux from episode -
How did he get to where he is now?
How does the security executive deal with the "moving finish line"?
JW discusses how 'security' people can break down barriers between "us" and "them"
We discuss why we still fail at the basics, and what all this means...
JWG tries to talk about his favorite controls framework
We discuss what difference it makes where the CISO reports in the enterprise
What will the CISO be, or need to do, in ~3-5 years?
We discuss hiring into InfoSec - from outside, or within ... and why?
JW gives us the one thing you need to remember
Guest
J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout product lifecycle in process and efficiency gains.
DtR Episode 103 - NewsCast for July 28th, 2014Jul 29, 2014 39:49
Topics covered
Certificate pinning back in the spotlight with the GMail iOS app having some difficulties, but there is a bigger issue here. We discuss. http://securityaffairs.co/wordpress/26577/hacking/gmail-app-flaw-mitm.html
Nearly 3 years later, the NASDAQ hack is attributed to FSB/Russian 'state sponsored' hackers, via 2 "zero day" malware samples. Highlighting the need for attribution, common language, and other issues in security. http://www.infosecurity-magazine.com/view/39397/nasdaq-hackers-used-two-zero-days-but-motives-a-mystery/
Cyber insurance - is this a forcing function to improve overall security, or yet another carpet to sweep security problems under? http://www.reuters.com/article/2014/07/14/us-insurance-cybersecurity-idUSKBN0FJ0B820140714
A judge has just ruled that your "GMail account" has the same legal protections (or lack thereof) as a hard drive you own. Dangerous precedent, or nothing new? http://nakedsecurity.sophos.com/2014/07/22/your-gmail-account-is-fair-game-for-cops-or-feds-says-us-judge/ also relevant - http://nakedsecurity.sophos.com/2013/08/14/google-says-gmail-users-cant-expect-privacy/
Not discussed, but interesting reads:
"Operation Emmental" is an assault against 2FA and online banking http://secureidnews.com/news-item/operation-emmental-attacks-online-banking-and-2fa/
Looks like healthcare is next on the list of verticals targeted... filed under things we all suspected, but will soon see http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/ h/t to Eric Cowperthwaite
DtR Episode 102 - Security Leaders Series - Jim TillerJul 21, 2014 41:53
In this episode
Jim Tiller - a few things you probably didn't know?
In the last 15 years, what has changed, and what hasn't?
Why isn't security moving forward?
"Complexity is the camouflage for bad guys" -Jim
Chasing the moving line of 'security'
"Fixing the airplane as it flies"
How do enterprise security organizations push away from playing 'prevent' permanently?
Fundamentals, fundamentals, fundamentals ... you're still failing
What things should CISOs be doing that they're NOT doing right now?
Where will security be, as a discipline, in 10 years?
Guest
Jim Tiller ( @Real_Security ) - Jim has been in the security industry since the very early 90’s and has continued his mission of working with individuals, groups, organizations, and companies around the world to collaborate, develop, and implement business-aligned security strategies and technologies. Throughout his career he's worked with and in numerous organizations for the advancement of information security technologies, practices, and standards, and through these activities has helped organizations achieve their goals. Find Jim on LinkedIn here.
DtR Episode 101 - NewsCast for July 14th, 2014Jul 15, 2014 45:46
Topics covered
Florida Information Protection Act of 2014 is in the books, and it brings "sweeping changes" to the data breach disclosure process in Florida. Good thing or bad? You decide http://www.scmagazine.com/fla-passes-sweeping-data-breach-notification-bill/article/357858/ http://www.flsenate.gov/Session/Bill/2014/1526/?Tab=RelatedBills http://www.flsenate.gov/Session/Bill/2014/1524
The DoJ has nabbed a 'prolific hacker'... a Russian national. Russia calls it kidnapping. Tensions flare. Again. http://mashable.com/2014/07/08/russian-man-hacking-retailers/
Chinese man charged with industrial espionage http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
US Banks are calling for a "Cyber War Council" (so much wrong here, it's incredible...) http://www.businessweek.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council#p2
The ultra-ultra-legacy code problem and why we're not getting security any higher up the ladder any time soon http://www.businessweek.com/articles/2014-06-25/the-talent-that-keeps-your-50-year-old-software-running-is-retiring-dot-now-what
Payroll processing company Paytime was hacked and breached. But in the midst of the rush to file lawsuits, at least one company is pledging to stand by Paytime in this rough time... sanity prevails? http://www.witf.org/news/2014/07/at-least-one-company-stands-by-paytime-after-data-breach.php
DtR Episode 100 - Security Wisdom from Dan GeerJul 7, 2014 01:00:31
In this episode
Who is Dan Geer (just in case you live in a cave and don't know)
Dan's definition of security - "The absence of unmitigatable surprise"
What exactly is the pinnacle goal of security engineering?
Responsibility, liability and when software fails as a result of security issues
In a liability lawsuit - "What did you know, when did you know it?"
The fraction of the population who could sign an "informed consent" is falling - so now what?
Why ICANN is actually making all of this so much worse
What do we do about "abandoned software"?
Fixing security bugs in software is a tricky business...good, bad, worse
Are things getting better [in security]?
Dan talks about a "diversity re-compiler" and how we can make the exploit writer's job harder (from Jason White)
What "low hanging fruit" issues are we simply not addressing properly right now? (from Jason White)
If the Internet were being built from scratch today, what would you keep and throw away?
Guest
Dan Geer - Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security.
Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency.
In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public. Geer has cited subsequent changes in the Vista operating system (notably a location-randomization feature) as evidence that Microsoft "accepted the paper." --http://en.wikipedia.org/wiki/Dan_Geer
DtR Episode 99 - NewsCast for June 30th, 2014Jul 1, 2014 48:16
Topics covered
Your server may have a hardware flaw that exposes your baseboard management interface to the world - http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
Airports are getting hacked, APT involved, state-sponsored attackers! - http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/
PayPal flaw renders 2-factor auth on mobile useless, disabled temporarily while they work on a fix - http://www.darkreading.com/mobile/paypal-two-factor-authentication-broken/d/d-id/1278840?
FTC vs. Wyndham: another shoe drops, the FTC takes a hit while Wyndham scores a win - http://www.mediapost.com/publications/article/228730/judge-authorizes-wyndham-to-appeal-data-security-r.html
Dilbert says it best - http://dilbert.com/strips/comic/2014-05-19/
DtR Episode 98 - Grr (Grr Rapid Response)Jun 23, 2014 46:18
In this episode
What exactly is "GRR"?
What sorts of things can GRR do?
What is a hunt, and how does it scale across tens of thousands of machines?
How does GRR "hide" from malware?
How does GRR keep some of the great power it has from being abused?
Automating and integrating GRR with external sources and tools
Features, functions, capabilities and some magic from Greg
The future features, requests, and direction of GRR
Guest
Greg Castle - Greg has 10 years' experience working in computer security. In his current role as Senior Security Engineer at Google, he is a developer and user of the open-source GRR live-forensics system. He also has strong interest and involvement in OS X security, having been responsible for the security of Google's OS X fleet for two years. His pre-Google job roles have included pentester, incident responder, and forensic analyst.
Links
Grr Rapid Response - https://code.google.com/p/grr/
DtR Episode 97 - NewsCast for June 16th, 2014Jun 17, 2014 51:58
Note: I want to thank Will Gragido for stopping by this morning to talk over the news with us. Always great to have someone with a fresh perspective, I hope you enjoy the show.
Topics Covered
Don't like Google Glass (or similar devices) on your network? Kick them off - http://mashable.com/2014/06/04/glassholes-wifi-jamming/
The FAA has issued an order for Boeing to 'protect the planes from computer hackers' ... but what is really going on here? - http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/
APT, APT, APT, APT ... evolved APT? - http://www.csoonline.com/article/2158775/security-leadership/why-you-need-to-embrace-the-evolution-of-apt.html
After getting breached, PF Chang's goes "old school"; sounds legit, right? - http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/
Why preparation is a good idea, even when it comes to 'cyber' - http://www.csoonline.com/article/2360748/security-leadership/using-a-cyber-war-exercise-to-improve-your-security-program.html
Feed.ly gets DDoS'd, extorted and we're mad as hell - http://www.forbes.com/sites/jaymcgregor/2014/06/12/feedly-goes-down-again-in-second-ddos-attack/
Target hires a (good) CISO, Brad Maiorino, so why are people getting all bent out of shape over where he reports in the organization? - http://blog.wh1t3rabbit.net/2014/06/getting-wrapped-around-ciso-reporting.html
DtR Episode 96 - A CIO Talks About CISOsJun 9, 2014 37:05
My apologies for some of the skips in this episode - we had some difficulty with the recording and ultimately I hope it doesn't take away from Joe's wonderful message.
Thanks for your patience.
In this episode
From CISO to CIO - making that leap
Does the CISO need to be technical? (answering that question, again)
What types of things does a CIO need to know?
Who should the CISO report to?
Any chance the CISO reporting structure shifts around?
A "Chief Data Officer"?
Are there too many 'splintered' job titles in the security/risk role?
Responsibility, accountability, and where the buck stops
What are 3 things security does right, and what are 3 things that we do terribly?
How big should your security budget be? (trick question)
What KPIs should security be reporting to the CIO? (the hardest question ever)
What resources are there for CIOs?
Guest
Joe Riesberg ( @JoeRiesberg ) - Joe is currently the CIO of Drake University. Previous to his current role, he was the Senior Vice President, Global IT Security Services Director at Aviva plc. His LinkedIn profile can be found here: https://www.linkedin.com/pub/joe-riesberg/1/a81/931
DtR Episode 95 - NewsCast for June 2nd, 2014Jun 3, 2014 47:23
Note: Today, Kim Halavakoski joined us on the show to provide perspective all the way from Finland! We appreciate his international addition to the show, and hope the listeners enjoy the added brainpower.
Topics covered
Facebook's next major update will turn your mobile device into an always-on listening tool for Facebook. This is a good time to remind you that you are the product, not the customer - http://www.ibtimes.com/facebook-microphone-update-store-data-social-media-giant-confirms-new-feature-will-1588916
In a blow to security professionals' egos everywhere, investors apparently aren't swayed by data breaches - http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches
The US's indictment of 5 Chinese nationals for 'state sponsored industrial espionage' is apparently backfiring (or at least it is in the media) - http://www.bloomberg.com/news/2014-05-27/china-said-to-push-banks-to-remove-ibm-servers-in-spy-dispute.html
Now that there is a hack to enable WinXP SP3 computers to masquerade as Point-of-Sale terminals and receive updates ...should you even consider this? Hint: NO - http://blog.wh1t3rabbit.net/2014/05/hacking-registry-to-keep-windowsxp.html
Target's Audit Committee is under fire for the data breach, but who's really, really at fault? An interesting perspective from Forrester - http://blogs.forrester.com/renee_murphy/14-05-29-dont_blame_targets_audit_committee_for_the_sins_of_technology_management
DtR Episode 94 - ICANN, Tor, and Internet FreedomMay 26, 2014 41:35
In this episode
Jeff explains the background of the relationship between the US government, ICANN and IANA
What is the ITU and why is this $0 contract handoff to the ITU such a big deal?
What impact did Edward Snowden's actions have on the issue?
The potential issues with DNS and cross-border censorship
The importance of Tor, Freenet and the challenges of implementation
Discussing the evolution of services like Tor through "nation-state firewalls"
Changing the image of anonymous services
Making Tor and similar services more user-friendly, and more prevalent
Guest:
Jeff Moss ( @TheDarkTangent ) - Jeff, also known as The Dark Tangent, is an American hacker, computer security expert and internet security expert who founded the Black Hat and DEF CON computer hacker conferences. His Wikipedia page can be found here.
DtR Episode 93 - NewsCast for May 19th, 2014May 20, 2014 41:49
Announcements:
I want to thank Circle City Con as a sponsor for the show! I have one more ticket to give away ... so watch the #DtR hashtag on Twitter!
Thanks to special guest Philip Beyer for sitting in James' seat this morning...
Topics discussed
"US charges China with cyber-spying on American firms" (Hello, pot? this is the kettle...) - http://www.nbcnews.com/news/us-news/u-s-charges-china-cyber-spying-american-firms-n108706
Should we be thinking about security beyond win/lose (aka "oh no, hackers are winning!") - http://www.csoonline.com/article/2156104/security-leadership/thinking-about-security-beyond-winning-and-losing.html
Retail Industry Leaders Association (RILA) has launched their own ISAC-like entity called the Retail Cyber Intelligence Sharing Center (R-CISC) - http://associationsnow.com/2014/05/retail-group-launches-sharing-tool-cyber-threats/
A recent survey tells us that a whopping 43% of all identity theft in 2013 happened in healthcare ( W O W ) - http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/
Self-driving cars, making life-and-death decisions (this should terrify you) - http://www.wired.com/2014/05/the-robot-car-of-tomorrow-might-just-be-programmed-to-hit-you/
DtR Episode 92 - Rapid Incident Response [Guests: Robin Jackson, Dan Moore]May 12, 2014 31:34
In this episode
Dan gives us the reality of living in what is commonly termed "the post-breach" world
Dan and Robin talk through the explosion in the number of malware samples
We discuss the different approaches to malware, crimeware, and the cross-over between them
Dan explains what "rapid incident response" really means and why it's essential
Dan and Robin give us some excellent examples of incident preparedness fundamentals
Dan gives us a lesson on implementing 'powerful tools' (and forgetting about them)
We talk through "who's doing it well?" (and we don't get a very hopeful answer)
Is it time to learn from our own and others' mistakes? (how?)
Guests:
Robin Jackson ( @rjacksix ) - Robin is an incident response and digital forensics specialist for HP Enterprise Security Services.
Dan Moore - Dan is an incident response and digital forensics specialist for HP Enterprise Security Services.
DtR Episode 91 - NewsCast for May 5th, 2014May 6, 2014 40:47
Topics discussed
Microsoft has issued a patch for the massive MS IE flaw - for WindowsXP! - http://arstechnica.com/security/2014/05/microsofts-decision-to-patch-windows-xp-is-a-mistake/
Is Open Source Software more or less secure than closed-source? (in a post-Heartbleed era) - http://www.telegraph.co.uk/technology/internet-security/10769996/Heartbleed-the-beginning-of-the-end-for-open-source.html
Target's CEO has stepped down, but what's the real reason and is there now opportunity for change? - http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/ and http://www.latimes.com/business/money/la-fi-mo-target-ceo-resigns-20140505,0,4479532.story
Biometrics (specifically fingerprints) aren't as secure or unique as we'd like them to be, so ... passwords? - http://www.telegraph.co.uk/science/science-news/10775477/Why-your-fingerprints-may-not-be-unique.html
DtR Episode 90 - Things Your Auto Insurance Knows [Anonymous guest]Apr 28, 2014 26:24
In this episode
We discuss some of the new techniques auto insurance companies are using to custom-tailor rates to drivers
Our guest discusses some of the capabilities of the widgets available
Our guest discusses the 'call home' functions, and potential mis-use
We use 'big data' seriously
We talk about 'big data' and security - for real
Our guest gives us a realistic view about the type of data that's out there about your driving, habits, and tracking
Guest
Our guest is an industry insider, who for obvious reasons chose not to identify himself. We respect the guest's position, and kindly ask that our listeners do as well.
Administrivia - April 27th 2014Apr 28, 2014
Thanks to everyone who's put us in their RSS feed and regularly grabs the latest content. I just ran a running average of the last 20 episodes, and as of right now we're averaging ~802 downloads/episode. That's awesome, and so much more than I ever thought this show would grow to! It's all thanks to you, for listening, spreading the word, and being fans.
As we near episode 100 I promise you an episode you'll want to listen to, and share with those you know. James and I are working hard to make it special, with a guest that's ... well ... you'll see.
Thanks for being a fan.
/Raf & James
DtR Episode 89 - NewsCast for April 21st, 2014Apr 22, 2014 33:49
Topics discussed
The big story - "Heartbleed" http://www.csoonline.com/article/2142626/security-leadership/how-you-need-to-respond-to-heartbleed-and-how-you-can-explain-it-to-others.html http://www.csoonline.com/article/2146141/disaster-recovery/healthcare-gov-urges-password-resets-due-to-heartbleed.html http://xkcd.com/1354/ http://rt.com/news/heartbleed-arrest-canada-security-016/
The "hacker*" known as "Weev" is free ...on a technicality, and why this is bad, very very bad, for our industry http://techcrunch.com/2014/04/11/weev-is-free/
"Ramshackle Glam" - how one blogger had to go to extraordinary lengths to get her site back, and what you can learn from it http://mashable.com/2014/04/02/ramshackle-glam-hacking/
The FTC's lawsuit against Wyndham Hotels was allowed to proceed by a federal judge - and why this is a very dangerous precedent http://www.fiercegovernmentit.com/story/ftc-lawsuit-over-hotel-chain-data-breach-can-proceed/2014-04-14
Data breach roundup:
Michaels [yes, again] - http://www.business-standard.com/article/news-ani/leading-us-art-store-admits-2-6-mln-credit-cards-at-risk-of-hacking-114041800569_1.html
South Carolina data breach is getting costly (for tax payers) - http://www.therepublic.com/view/story/396a4be862cd485e9248cab7879a3a71/SC--Hacked-Tax-Returns
Hard drive maker LaCie was a victim ...for over a year - http://www.techtimes.com/articles/5672/20140416/lacie-latest-victim-data-theft-ironies-hard-drive-manufacturer-hacked.htm
[UK] Cosmetic surgery group hacked, blackmail ensues (yikes!) - http://www.dailymail.co.uk/news/article-2604805/Cosmetic-surgeons-targeted-hackers-personal-details-500-000-people-enquiries-clinic-stolen.html
Pittsburgh's UPMC hacked, sees 788 fraudulent tax returns as a result - http://www.witf.org/news/2014/04/27k-upmc-worker-hit-by-data-breach-788-by-fraud.php
DtR Episode 88 - Advanced Threat Actors [Panel Discussion]Apr 14, 2014 54:23
In this episode
Advanced Threat Actors - more or less a threat right now than before? (how much is hype?)
Advanced Persistent Threat - is it really THAT advanced? (a "what" or a "who"?)
The distinction of what "APT" is ...and isn't
Touching on Mandiant APT-1 ...hype from reality
A quick discourse on corporate espionage!
How we respond to APTs ... is this just really "incident response" for a boogeyman?
The snake oil salesman behind "Automated APT defense"
Threat Intelligence - necessary, but what's the proper use?
Threat Intelligence requires collaboration, how do we do it?
Is our security failing, or is our perception of what we want it to do wrong?
Key take-aways for the enterprise professional
Guests
Steve Santorelli ( @SteveSantorelli ) - Manager of outreach at Team Cymru
John Pirc ( @jopirc ) - CTO of NSS Labs
J. Oquendo ( @advancedthreat ) - veteran threat researcher
Robin Jackson ( @rjacksix ) - veteran threat researcher, forensics expert at HP Enterprise Security Services
DtR Episode 87 - NewsCast for April 7th, 2014Apr 9, 2014 33:00
Topics covered
WindowsXP is officially, for real, definitely end of life - http://windows.microsoft.com/en-us/windows/end-support-help
Google Nest pushes update - examining the bigger picture - http://www.theregister.co.uk/2014/04/04/nest_waves_goodbye_to_alarm_switchoff_feature/
South Carolina's agencies are still not any better after the massive breaches - http://www.wbtw.com/story/25149085/still-no-consistent-computer-security-plan-at-sc-agencies
News flash - we trust the government and Internet companies less as a result of leaks - http://www.computerworld.com/s/article/9247441/Snowden_leaks_erode_trust_in_Internet_companies_government
The two banks which filed suit against TrustWave & Target have dropped their effort...sanity apparently prevailed, but there's a bigger issue at stake here - http://www.securityweek.com/banks-drop-suit-against-target-trustwave
DtR Episode 86 - From DDoS to Quantum Computing [Guest: Prof Alan Woodward]Mar 31, 2014 46:59
In this episode
Rise of DDoS
  Where did it come from
  What's next
  Why does it work
  Spoofer project
  3-DOS attacks
Quantum computing
  What is it
  How is it different than what we commonly use today
  What problems does it solve
  How practical is it
The dark web
  Where did it come from
  Legitimate uses, turn into nefarious use-cases
  Alternatives, adoption and options
Guest
Prof. Alan Woodward ( @ProfWoodward ) - Alan is not only a subject matter expert in computing, computer security and the impact technology has on business but brings to his roles a very broad range of experience in business management, technical management and project management.
Whilst he has particular expertise in covert communications, forensic computing and image/signal processing, Alan is primarily a particularly good communicator, be it with clients, staff or investors. He is known for his ability to communicate complex ideas in a simple, yet passionate manner. He not only publishes in the academic and trade journals but has articles in the national press and appears on TV and radio. Despite the length of his experience, his hands-on ability with emerging technologies contributes significantly to the respect he is repeatedly shown when he leads teams where technology is involved.
Alan has been involved in some of the most significant advances in computer technology and, although he continues to work in industry, he is actively involved with academia as a visiting Professor in the Department of Computing which is part of the Faculty of Engineering and Physical Sciences at the University of Surrey.
His achievements have resulted in him rising to become a Fellow of various institutions including British Computer Society, Institute of Physics and Royal Statistical Society.
Did you catch all that? DtR is giving away a free ticket to Source Boston - if you're interested in being the lucky recipient - be the first to tweet @Wh1t3Rabbit with "I just won a ticket to @SOURCEConf Boston courtesy of the #DtR Podcast!"
DtR Episode 85 - NewsCast for March 24th, 2014Mar 25, 2014 46:09
Topics covered
The FTC jumps into the breech (pun intended) and may try to levy fines against Target, and future breach victims - http://ww2.cfo.com/technology/2014/03/ftc-urges-data-breach-penalties/ http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
Could the Barclays Bank breach of Feb 2014 have been test data? Richard Bishop thinks so - http://blog.trustiv.co.uk/2014/03/barclays-data-breach-%E2%80%93-could-it-be-test-data http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
US Commerce Dept not renewing ICANN contract, moving control to ITU - http://www.bloomberg.com/news/2014-03-15/u-s-to-relinquish-control-of-internet-address-system.html http://www.businessweek.com/articles/2014-03-17/the-u-dot-s-dot-ends-control-of-icann-gives-up-backing-of-the-free-speech-internet
With Microsoft officially, and finally, stopping support for WinXP (after 14yrs!), is there a "breach crisis" around the bend? - http://www.pcmag.com/article2/0,2817,2455206,00.asp
Microsoft can read your Hotmail/webmail ...so can Google, Apple and Yahoo! Hype or crisis? - http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy
(bonus) "eGovernment" is something many governments globally and locally are moving ahead with - is this rainbows or rain clouds? I joined Discover Performance Weekly to briefly discuss - http://youtu.be/bAfP-jc0x6Q
DtR Episode 84 - Rise of the Security Machines [Guest: Alex Pinto]Mar 17, 2014 48:53
In this episode
What is the promise of automation, and where did we go wrong (or right?)
The problems with 'volume' (of logging) and the loss of expressiveness
A dive into 'exploratory based monitoring'
How does log-based data analysis scale?
Baselines, and why 'anomaly detection' has failed us
Does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
Does today's 'threat intelligence' provide value, and is it really useful?
Decrying the tools - and blaming the victims
What is machine learning good at, and what won't it be great at?
Log everything!
Guest
Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat.
He has been researching and exploring the applications of machine learning and predictive analytics into information security data sources, such as logs and threat intelligence feeds.
He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algorithmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.
DtR Episode 83 - NewsCast for March 10th, 2014Mar 11, 2014 34:37
Topics covered
Target CIO resigns, new central CISO and CCO roles created; but what's really going on here? - http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451 & http://pressroom.target.com/news/target-reports-third-quarter-2013-earnings
City of Detroit employees' information (including SSNs, DoB, etc) is "at risk" because someone clicked something they shouldn't have - http://www.freep.com/article/20140303/NEWS01/303030085/Detroit-computer-security-breach
ComiXology was [big time] hacked, but it's all good because the passwords were 'cryptographically secured'... but where's the transparency? - http://www.theregister.co.uk/2014/03/07/comixologys_phantom_zone_breached_by_evil_haxxor/
The North Dakota University System was hacked and now the data of 290k students, employees and faculty (yes, including SSNs) is at risk ... or is it? - http://www.greenfieldreporter.com/view/story/8f909740809e48e9a5669de333418134/US--University-System-Hacked
NC State researchers have a genius new way to detect Android malware (hint: you look for C code) - http://www.computerworld.com/s/article/9246825/N.C._State_researchers_devise_tool_that_detects_Android_malware
The AARP (yes, that AARP) has decided that now is the time to post a bulletin to their system to teach retired persons how to make good passwords - http://www.aarp.org/home-family/personal-technology/info-2014/create-password-avoid-hacks-kirchheimer.viewall.html
DtR Episode 82 - Likely Threats [Guests: Lisa Leet, Russell Thomas, Bob Blakley]Mar 3, 2014 43:12
In this episode
Does it make sense, in a mathematical and practical sense, to look for 'probability of exploit'?
How does 'game theory' apply here?
How do intelligent adversaries figure into these mathematical models?
Is probabilistic risk analysis compatible with a game theory approach?
Discussing how adaptive adversaries figure into our mathematical models of predictability...
How do we use any of this to figure out patch priorities in the enterprise space?
An interesting analogy to the credit scoring systems we all use today
An interesting discussion of 'unknowns' and 'black swans'
Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization
Guests
Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Exam on July 15th, taking MOOCs, and reading at least twelve books concurrently including a 1600-pager on Python. In her free time she volunteers on the Board of Directors for SIRA (Society of Information Risk Analysts) and participates in awesome podcasts like DtR.
Russell Thomas ( @MrMeritology ) - Russell is a Security Data Scientist in financial services, and a PhD student in Computational Social Sciences. His focus is on the intersection of information security and business and economic decision making. He’s “MrMeritology” on Twitter, and blogs at “Exploring Possibility Space” (http://exploringpossibilityspace.blogspot.com/).
Bob Blakley - Bob has been in the security industry for more than 35 years. He's led the OMG CORBAsecurity, SAML, and OATH standardization efforts, and currently chairs the NSTIC Identity Ecosystem Steering Group. He's in the drama department at a large multinational financial institution.
DtR Episode 81 - NewsCast for February 24th, 2014Feb 25, 2014 26:28
Topics covered
Apple had a "Goto Fail" failure - yes, people at Apple Computer still use Goto statements in 2014 - http://www.computerworld.com/s/article/9246533/Apple_encryption_mistake_puts_many_desktop_applications_at_risk and Adam Langley's awesome blog - https://www.imperialviolet.org/2014/02/22/applebug.html
Look out Terps, Univ of Maryland has lost 309,000+ staff members', students' and faculty members' worth of personal information including social security numbers ... OUCH - http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
ICS-CERT has a new report out that bemoans the Industrial Control sector's inability to detect and respond to incidents ...mainly due to inadequate logging - http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516 and the report https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf
Websense has done a massive analysis of Dr. Watson (MS Windows crash) files and determined there is some new kind of APT POS attack afoot - http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports-reveal-n/240166207
Many different outlets are reporting this in various ways, but consumer endpoints (at this point lots of Linksys home routers) are being infected with a new worm targeting a flaw, mainly because people choose to expose their management interfaces to the outside. Why? - http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/
DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis] (Feb 18, 2014, 58:28)
In this episode:
Jay and Bob talk about their new book
A discussion on using data as 'supporting evidence' rather than gut feelings
Do we have actuarial-quality data to answer key security questions?
A discussion on "asking the right question", and why it's THE single most important thing to do
Bob asks security professionals to use the data we already have, to be data-driven
Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
Quick shout-out to Allison Miller on finding the little needles in the big, big haystack
We think about why security as an industry needs to start looking outside of itself to get its data - now
Jay discusses how there is a definite skills shortage in working with large data sets and doing analysis
I ask whether there is a chicken-and-egg problem in large-scale data analysis
Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
Bob makes a pitch for having a "Cyber CDC" ... stop laughing
Jay laments the absolutely bonkers problems of dealing with information sharing (when you don't have any to share)
Jay urges you to "count and compare"
Guests:
Jay Jacobs ( @JayJacobs ) - www.linkedin.com/pub/jay-jacobs/3/896/4b0, Jay is currently a Principal at Verizon Business
Bob Rudis ( @hrbrmstr ) - www.linkedin.com/in/hrbrmstr, Director, Enterprise Security, IT Risk Management at Liberty Mutual Insurance & co-author of Data-Driven Security
DtR Episode 79 - NewsCast for February 10th, 2014 (Feb 11, 2014, 38:16)
Topics covered:
In the wake of the Target & Neiman Marcus breaches - is chip+PIN really a priority right now, and does it solve the real problem? - http://blogs.csoonline.com/security-leadership/2977/does-chip-and-pin-actually-solve-problem-find-out-asking-these-questions
Speaking of Target ... it turns out that 3rd parties really are a problem and still a blind spot in many organizations' risk matrices; who knew - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
Apparently NBC News doesn't believe it's stretching the news at all when it virtually makes up a story, then gets called out by Robert Graham; hilarity ensues - http://news.cnet.com/8301-1009_3-57618533-83/sochi-hack-report-fraudulent-security-researcher-charges/
Something bad, very, very bad just happened over at Barclays in the UK ... although the jury seems to still be out on what exactly is going on; you can bet we're going to keep an eye on this - http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
In a "You can't make this stuff up, folks" moment, the FBI is asking for malware and they're willing to pay for it; and they'll send you all the info in a .docx file?! - http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/
Is your next new vehicle going to be part of the mesh network which keeps cars from crashing into each other? It will if the government has its way - complete with wildly-made-up-sounding statistics and a ridiculous news story and all (somewhere, Flo from Progressive is mad they stole her schtick) - http://www.usatoday.com/story/money/cars/2014/02/03/nhtsa-vehicle-to-vehicle-communication/5184773/
DtR Episode 78 - Legal Professional Privilege [Guest: David Prince] (Feb 4, 2014, 41:32)
In this episode:
David discusses what it's like working for a law firm (in the UK)
A quick wade through the UK Data Protection Act (mostly Principle 7)
"When lawyers get to interpret the laws"
Law firms as targets for data breaches
The new regulations in the UK: fines between 2%-5% of your REVENUE? Ouch.
Defining "adequate measures" in regulations
A brief chat on fines, regulations, and risk management
I trail off on a Princess Bride quote, and get ranty on "risk"
Dealing with personal devices, public WiFi for work, and security
James asks the inevitable question on training
Good vs. "best" practice
Your security as a competitive advantage. Really.
Guest:
David Prince ( @riskobscurity ) - A dedicated and well-respected technical information security professional with several years' experience and demonstrated success leading information security initiatives in a variety of organizations - initiatives in direct support of business objectives to maintain the confidentiality, integrity, and availability of organizational assets and to improve business efficiency and effectiveness.
DtR Episode 77 - NewsCast for January 27th, 2014 (Jan 28, 2014, 35:49)
Special thanks to Michael Santarcangelo ( @catalyst ) for stopping by the show and guest-hosting with James and me! We had fun, and I think you'll all enjoy Michael's perspective and humor.
Topics covered:
Neiman Marcus breach - all new, same as before, or is it? - http://www.wired.com/threatlevel/2014/01/neiman-marcus-hack/
Coca-Cola loses laptops ... sort of ... but no worries, no evidence of wrongdoing - http://www.ajc.com/news/business/coca-cola-tells-thousands-of-employees-of-security/nc2NB/
Breach over at Microsoft, law enforcement documents "likely stolen", but what does that really mean? - http://www.pcworld.com/article/2091480/microsoft-says-law-enforcement-documents-likely-stolen-by-hackers.html
The (San Jose) police want to use your home surveillance cameras, I'm not kidding - http://news.cnet.com/8301-17852_3-57617809-71/police-want-to-use-your-home-security-cameras-for-surveillance/
DtR Episode 76 - Payment Industry Turmoil [Guests: Laura Claytor & Alfred Portengen] (Jan 21, 2014, 39:39)
In this episode:
Did the Target/Neiman/? breach finally create a catalyst for change?
The card system and payment processing infrastructure clearly weren't designed with defensibility in mind ... who should be changing that?
Are today's fraud rates finally getting high enough that card processors, issuers and banks need to depart from the status quo?
Are the days of "zero fraud liability" for the end consumer coming to an end?
What about chip & PIN? Is the risk less?
What kinds of pains will the industry go through to make security on payment systems better?
How is the commercial payments industry different from the consumer one?
Do end users of credit accounts ultimately care about breaches?
Guests:
Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States
Alfred Portengen ( @alfredportengen ) - Alfred has a deep breadth of experience in architecture and security specialties within a multi-national banking organization; he is based in the Netherlands
DtR Episode 75 - NewsCast for January 13th, 2014 (Jan 14, 2014, 41:57)
I can't believe it's 2014 already, and we're rolling through our 3rd calendar year! As we grow and you "regulars" mount, James and I want to thank you for listening, bookmarking, sharing and talking about the podcast. Your patronage has really made us smile, and you're the reason we do this.
Topics covered:
Reuters: Retail community may be ready for a change in the payment card system and processes - http://uk.reuters.com/article/2014/01/13/uk-target-databreach-retailers-idUKBREA0B01A20140113
More Snowden fallout: French/UAE intel satellite deal may be scuttled because of US-made components - http://www.defensenews.com/article/20140105/DEFREG04/301050006
Ransomware CryptoLocker's uglier, meaner cousin now available for $100 ... look out! - http://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/
Schneier: "The Internet of Things" is very vulnerable ... and there's no good way to patch it all - http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
Lawsuit filed in the "Facebook reads my private messages" case - http://money.cnn.com/2014/01/03/technology/facebook-privacy-lawsuit/
DtR Episode 74 - Supply Chain [In]Security (Jan 6, 2014, 48:18)
In this episode:
Chris Wysopal - who is that masked man?
Putting some reality to the state-sponsored backdoor (Huawei) and supply-chain compromise stories
The risks coming through the door with the products you buy
The case for setting up an independent testing lab for mitigating 'backdoor' accusations
Chris gives an interesting assessment of software security practices in the enterprise
Chris discusses holding your vendor to the same standards you hold yourself
What does it mean that enterprises are doing a "good job" in SwSec?
Chris goes there: open-source components as part of supply chain risk
James asks "How do smaller buyers leverage scale to hold their suppliers accountable?"
Why do we still see SQL Injection?! Are we ever going to get rid of it?
Guest:
Chris Wysopal ( @Weldpond ) - Chris is the Founder, CTO and CISO of Veracode, a company dedicated to software security as-a-service. Chris has a long and storied history in the security industry dating back to L0pht Heavy Industries. His bio and profile can be found on LinkedIn.
DtR Episode 72 - Applied Threat Research and Defense (Dec 23, 2013, 47:16)
In this episode:
Will gives us a lay of the land on the state of "state sponsored" and advanced threats
We discuss collective advances in malware
We discuss the persistence of 'old' malware, and code re-use
We discuss enterprise defense and strategy
Will gives us some wisdom from his experience in helping clients defend themselves
Guest:
Will Gragido ( @wgragido ) - Will is currently a senior manager in the Threat Research Intelligence organization at RSA NetWitness. An information security and risk management professional with over 18 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. You can get more information on Will on his LinkedIn page.
DtR Episode 71 - The 2013 Year in Review (Dec 17, 2013, 01:28:03)
Hello! This is a special episode in that it's our year-end wrap-up. We bring together 3 of the industry's best to talk about the year that was, the things that were on your mind, and maybe give us a hint at what is to come...
Guests:
Will Gragido ( @wgragido ) - Will is the Sr. Manager of Threat Research Intelligence for RSA NetWitness and a lightweight with the cold medicine.
John Pirc ( @jopirc ) - John is the Vice President of Research at NSS Labs, with very strong hair.
David Marcus ( @DaveMarcus ) - David is the Director and Chief Architect of the Federal Advanced Program Group at McAfee and a kettlebell monster!
Notably absent, but invited, were Dave Lewis ("fell asleep") and Dave Kennedy ("was on an airplane") ... apparently because I thought it would be fun to invite every Dave I know ... but seriously, next time guys :)
James and I would like to wish all our listeners a very merry holiday season, and a happy, healthy and prosperous 2014.
DtR Episode 70 - Embedded Systems Shenanigans (Dec 9, 2013, 51:00)
Folks, if you work with, design, or implement embedded systems, this is one episode you don't want to miss. Fair warning, it's a little bit long at just over 50 minutes total. I hope you find the extra time worth the effort of listening; I know we sure did!
In this episode:
The quirky things that Josh's organization gets to work on and deconstruct
The methodology of breaking foreign things
Android and why it's "horribly interesting" beyond just the OS everyone sees
Hacking Android at the very, very, very basic hardware interface(s)
Copy/paste software development and its pitfalls
Embedded devices as pivot points for intrusion
The importance of embedded systems, and why no one is writing secure code (still)
Guest:
Josh Thomas ( @m0nk_dot ) - Chief Breaking Officer for Atredis, security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware / software barrier and rarely have a UI. m0nk has spent the last year or two digging deep into Android and iOS internals, with a major focus on both the network stack implementation and the driver-and-below hardware interfaces. He uses IDA more frequently than Eclipse (and a soldering iron more than both). His life dreams are to ride a robot unicorn on a moonlit beach and make the world a better place, but mostly the unicorn thing...
DtR Episode 69 - NewsCast for December 2nd, 2013 (Dec 3, 2013, 34:57)
Special thanks to Steve Ragan ( @SteveD3 ) for sitting in this morning and providing his perspective as a journalist.
Topics covered:
"Leaked" FBI memo to government agencies says "there's a hacking spree on government websites, and it's Anonymous!" (we have to chuckle, a little) - http://www.theregister.co.uk/2013/11/18/anon_us_gov_hack_warning/ , http://www.thewire.com/national/2013/11/fbi-anonymous-hackers-stole-over-100000-employees-information/71675/
Fokirtor is a very interesting new piece of malware that targeted Linux systems by slipping into SSH comms - http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/ (and a related piece of malware - http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices )
The Healthcare.gov website is a case study in how not to release a web app, or complex system; and it's not even a partisan issue anymore - http://arstechnica.com/security/2013/11/healthcare-gov-targeted-by-more-than-a-dozen-hacking-attempts/
Ahead of the G20 meeting to be held there in 2014, the city of Brisbane, Australia performs a penetration test on its physical city infrastructure, finds major flaws. A plot from "The Italian Job"? - http://www.qao.qld.gov.au/files/file/Reports%20and%20publications/Reports%20to%20Parliament%202013-14/RTP5Trafficmanagementsystems.pdf
[Scary] Renesys says someone is hijacking the Internet ... but is it on purpose, or just mistakes? (Does it matter?) - http://www.nbcnews.com/technology/wheres-your-data-going-hacks-redirect-traffic-through-distant-lands-2D11624570
A new piece of software quietly turns you into a bitcoin mine for the developer (and you agree to it in the EULA!) - http://www.networkworld.com/news/2013/120213-sneaky-software-turns-your-pc-276490.html?source=nww_rss
DtR Episode 68 - Buffer's Big Hack (Nov 25, 2013, 38:17)
I want to thank Carolyn Kopprasch and the @BufferApp team for getting back to me, and agreeing to not only join the podcast, but also field questions from "anyone" ... what a cool group of people!
In this episode:
Carolyn gives us some of the insider's perspective on what really happened when Buffer got hacked
Carolyn and I discuss triage methodology, and how Buffer's small team responded
In-depth conversation on the communications strategy and implemented plan to be totally transparent
We discuss that point where it's time to "shut it down", and the need to have the ability and information to make the decision Buffer's team did when they shut down the service temporarily
Carolyn talks about some of the non-typical ways that her team detects potential security issues
Carolyn dispenses some solid advice for anyone in a small shop that may be operating ultra-lean
Finally, Carolyn and I talk about software security and what role it (or the lack thereof) played in the Buffer incident
Guest:
Carolyn Kopprasch ( @CaroKopp ) - Carolyn is currently Buffer's "Chief Happiness Officer". Her role is to make sure that Buffer's customers are, in fact, happy. Also she has a web presence right here: http://CaroKopp.com
Links!
Buffer's communications page: http://open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/
DtR Episode 67 - NewsCast for November 18th, 2013 (Nov 19, 2013, 29:12)
I'm back! Maybe a little sleep-deprived and a tad grumpier than usual, but back to talk news!
Topics covered:
Microsoft unveils the new Digital Crimes Unit, and it is quite the statement - http://www.darkreading.com/attacks-breaches/microsoft-unveils-state-of-the-art-cyber/240163924 http://www.microsoft.com/en-us/news/presskits/dcu/
CME Group hacked, claims platform and trades unaffected ... let's hope so - http://www.businessweek.com/news/2013-11-15/cme-group-says-its-computers-were-hacked-no-trades-affected
Jeremy Hammond, Chicago's very own romanticized criminal - http://www.nbcnews.com/technology/hacker-tied-anonymous-gets-10-years-prison-cyberattacks-2D11603760
The FBI says there's a "hacking spree" on government websites by Anonymous hackers. You don't say ... - http://arstechnica.com/security/2013/11/fbi-warns-hacking-spree-on-government-agencies-is-a-widespread-problem/
There's an apparent zero-day in vBulletin, and it's serious enough that DEF CON's forums were taken down proactively ... - http://www.computerworld.com/s/article/9244109/Hackers_use_zero_day_vulnerability_to_breach_vBulletin_support_forum
If you use Snapchat to send questionable selfies hoping they'll just evaporate ... you're in for a bad time - http://www.sidhtech.com/news/snapchat-android-hack-iphone/10024107/
DtR Episode 66 - ISSA International 2013 - Cowperthwaite Weighs In (Nov 11, 2013, 36:30)
In this episode:
We revisit some of the topics Eric & I talked about nearly 2 years ago at ISSA International, Baltimore
Eric discusses the paradigm shift that needs to happen in security
We talk about shifting resources (on the defensive side) from "everything" to something more reasonable
Eric and I discuss how CISOs must re-allocate resources to survive in a post-breach reality
Guest:
Eric Cowperthwaite ( @e_cowperthwaite ) - Vice President, Advanced Security and Strategy at CORE Security, a Boston-based security vendor. CORE is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company's innovative security research center.
Eric was formerly the CSO of Providence Health & Services, a healthcare delivery organization with $12.5 billion in revenue, 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA.
DtR Episode 65 - NewsCast for November 4th, 2013 (Nov 6, 2013, 21:43)
Hey all - Raf here, and I wanted to thank James for flying solo as my wife and I celebrate the birth of Niccolai and Isabella, our new twins! I'll be back in our next episode...
Topics covered:
The buzz over calling yourself a 'hacker' - http://www.theguardian.com/technology/2013/oct/24/hacker-computer-seized-us-open-source (Raf's note - I personally think the way this has been spun is largely to gain clicks/readers; it was very well analyzed here - http://theprez98.blogspot.com/2013/10/omg-call-yourself-hacker-lose-your-4th.html )
A follow-up on Dick Cheney's pacemaker paranoia - http://www.dotmed.com/news/story/22298
Big-name limo service hacked, discloses info on big-name clients - http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
Look out, hackers may be targeting SAP users - http://www.computerworld.com/s/article/9243727/New_malware_variant_suggests_cybercriminals_targeting_SAP_users?taxonomyId=17
Java patching lagging, attackers exploiting, story at 11 - https://www.securityweek.com/java-attacks-jump-user-patching-lags-kaspersky-lab
It just got real. Real 2010, that is, as Yahoo unleashes a bug bounty program - http://www.tripwire.com/state-of-security/top-security-stories/yahoo-unleashes-new-bug-bounty-program/
DtR Episode 64 - A US Attorney's Perspective on Cybercrime (Oct 28, 2013, 49:18)
Special thank you to the US Attorney's Office for the Southern District of California for a fantastic interview and for letting us pick Sabrina's mind for the podcast...
In this episode:
Hackers, carders, and the disturbing trend of them pairing up with the traditional mafia
The challenge of VPSes in cyber-crime
Evangelizing the truths about cyber-crime to businesses and the average person
An insight into the way that 'bad guys' specialize in the criminal underground
An insight into (bottom-up) investigative models available to law enforcement, as it pertains to hackers
Are cyber criminals fleeing to, or hacking from, non-extradition countries?
The delicate dance of involving the government in a hacking or breach case
Seeking the white whale - an organization that hasn't been breached (yet)
3rd-party data sharing and your privacy - do you have any left?
Guest:
Sabrina Feve - Sabrina is an Assistant US Attorney (AUSA) for the Southern District of California, specializing in hacking and cybercrime cases.
DtR FeatureCast - Rt Hon Baroness Neville-Jones on CyberSecurity (Oct 26, 2013, 28:48)
In this episode:
We get a peek into the first member of English royalty that we've ever had on the podcast
Baroness Neville-Jones discusses the difficulties in cybersecurity at the government level
We discuss the challenges of policy, compliance and implementing real-life security
The Baroness discusses her efforts to raise both the awareness and collective security of business
The Baroness discusses a bit about critical infrastructure protection
I ask the uncomfortable question in the wake of the Snowden disclosures - privacy vs. security...
Guest:
Rt Hon Baroness Neville-Jones - Baroness Neville-Jones is a long-time political figure in the UK Parliament, House of Lords. She recently retired from public service and now focuses on the public-private partnership for cybersecurity in the UK. She has an amazing history, and rather than try to summarize it here, I simply point you to her biography page at http://www.conservatives.com/People/Peers/Neville-Jones_Pauline.aspx
DtR Episode 63 - NewsCast for October 21st, 2013 (Oct 22, 2013, 44:17)
Thanks to Josh Corman for joining us this morning ... always nice to have Josh's experience and brain power on the show.
Topics covered:
Gargantuan Oracle CPU (Critical Patch Update) including 51 Java security fixes! - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Huawei calling for an "independent cybersecurity assurance lab" framework, an interesting but difficult thing - http://www.informationweek.com/security/application-security/huawei-proposes-independent-cybersecurit/240162840
Dick Cheney, fearing an assassination attempt, had the wireless feature of his implanted defibrillator disabled in 2007 - http://www.theguardian.com/world/2013/oct/19/dick-cheney-heart-assassination-fear
Chesapeake hospice suffers breach, but there's a lesson in the tragedy - http://www.hispanicbusiness.com/2013/10/19/hospice_of_chesapeake_shut_down_computer.htm
NPI research shows companies will overpay $10.1 billion for IT security solutions in 2013, worse in 2014 - http://www.prweb.com/releases/2013/10/prweb11239951.htm
Minor Verizon security bug, issues with coordinated disclosure, fix timelines, and the much bigger elephant in the room - http://prvsec.com/verizon-wireless-message-detail-disclosure.html
Hat-tips this week go to...
Brian Katz ( @bmkatz ) because we borrowed your 'crapplications' example
Alex Hutton ( @AlexHutton ) - Josh borrowed your "Alex head asplode"
Wendy Nather ( @451Wendy ) because we mentioned your 'security poverty line' concept
DtR Episode 62 - A Peek Behind the Blue Curtain (Oct 14, 2013, 44:06)
In this episode:
James and I host legitimate Polynesian royalty (a princess....) really!
Katie gives us the skinny on Microsoft's 10-year progression to get to a bug bounty program
We discuss the merits of bug bounties and their execution in a very large enterprise
Katie gives us as many details as she can about the recent $100,000 payout
Much... much ... more!
Guest:
Katie Moussouris ( @k8em0 ) - Katie runs the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team, helping drive crucial elements of Microsoft's security community strategy. She is a Senior Security Strategist Lead, and let's not sell her short - she is royalty!
She created and drove the first ever Microsoft security bounty programs (www.microsoft.com/bountyprograms), which received 18 vulnerabilities and a new attack technique that will help Microsoft build stronger defenses to protect the entire platform from this new class of attack.
She serves as lead subject matter expert in the US National Body for the ISO work item 29147 "Vulnerability Disclosure", scheduled for publication in 2013, and does countless other efforts associated with the ISO standards body and various other industry groups.
DtR Episode 61 - NewsCast for October 7th, 2013 (Oct 8, 2013, 45:58)
As a personal message to those of you who listen, and our community - please ... remember we all live in a giant glass house, and throwing rocks is a bad, bad idea. I've said it before, and I'm looking right at the media for this one (ahem...) - unless you've been in a high-stress environment and have successfully thwarted every attack, please don't go trying to personally attack those out there who work hard at it every day. It just makes you look like an idiot. Nobody wins when we name and shame and attack people personally. Remember that when it's your turn to stand in the spotlight.
Topics covered:
Adobe got popped. Bad. ~2.9 million users' information, encrypted credit card details, source code. The only thing worse than this story is the kind of media trolls it brought out... - http://www.computerworld.com/s/article/9242963/Hackers_steal_data_on_2.9_million_Adobe_customers?taxonomyId=82&pageNumber=2 and this unfortunate mess from Richi Jennings https://plus.google.com/117220625678034723010/posts/EjP4JjKFd6w
13 Anonymous 'members' indicted for DDoS attacks - http://www.computerworld.com/s/article/9242969/US_indicts_13_Anonymous_members_for_DDoS_attacks
LA schools gave out "locked down" iPads. Students circumvented. Hilarity ensued. - http://blogs.computerworld.com/mobile-security/22929/what-la-schools-forgot-boneheaded-ipad-hand-out
Senior Iranian cyber official killed (assassinated?) - http://www.matthewaid.com/post/63207233044/the-mystery-surrounding-the-killing-of-a-senior-iranian
Proof that the first people to get paid should be the ones who hold the keys to your doors - http://nycfreshmarket.com/ (as long as the page stands; otherwise check out the tweet I re-posted https://twitter.com/Wh1t3Rabbit/status/387076594407575552 )
So ... does anyone actually read these? If so, let me know on Twitter? Hashtag #DtR
DtR Episode 60 - Conversations from DerbyCon 3 (Sep 30, 2013, 43:24)
In this episode:
Dave Kennedy wraps up DerbyCon 2013, and gives us the statistic you don't want to tell your management
Dave announces the top secret guest for DerbyCon 4
Chris & Gabe discuss risk modeling using REAL automated tools
Gabe introduces us to his concept of using a 'big data' approach to risk modeling
We discuss risks, network segmentation, and other things you're doing wrong
Guests:
Dave Kennedy ( @Dave_Rel1k ) - Dave Kennedy is the founder of TrustedSec, and the brain behind DerbyCon.
Chris G ( @SecbitChris ) - Chris is one of the brains behind the SecuraBit podcast
Gabe B ( @gdbassett ) - Gabe is an industry expert
DtR Episode 58 - NewsCast for September 23rd, 2013 (Sep 24, 2013, 41:23)
I want to thank Mr. Josh Corman ( @JoshCorman ) for guest-commentating today's episode, and lending his expertise and industry leadership point of view.
Topics covered:
UK's GCHQ has been using Prism (courtesy of the NSA) to spy on you ... the revelations continue - http://www.telegraph.co.uk/news/uknews/law-and-order/10106507/GCHQ-has-been-accessing-intelligence-through-internet-firms.html
Wisconsin trucker vs. Koch Industries: just what is a "direct loss"? - http://www.kfdi.com/news/local/Wisconsin-man-pleads-guilty-in-cyber-attack-on-Koch-Industries-223365221.html
iPhone, fingerprint reader, #IsTouchIDHacked - http://www.forbes.com/sites/markrogowsky/2013/09/22/iphone-fingerprint-scanner-hacked-should-you-care/
Can the FTC (and other government entities) go after companies who fail to do reasonable security? (Also, what does that mean?) - http://www.computerworld.com/s/article/9242531/FTC_lacks_data_breach_authority_says_accused_medical_lab?taxonomyId=17&pageNumber=2
The gang that popped Bit9 is at it again, IE 0-day in the wild - http://www.computerworld.com/s/article/9242570/Security_org_raises_Internet_threat_level_after_seeing_expanded_IE_attacks
More information on The Cavalry
The talk: "The Cavalry Isn't Coming: Starting the Revolution to FSCK it all!"
The video of the more mellow, smaller BSides "warm-up before DEF CON 21" is here: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-2-the-cavalry-isnt-coming-starting-the-revolution-to-fsck-it-all-nicholas-j-percoco-and-joshua-corman
Google group: https://groups.google.com/d/forum/iamthecavalry
Josh Corman's Bio:
Joshua Corman is the Director of Security Intelligence for Akamai. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges and toward emerging technologies and shifting incentives.
A staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute and on the Faculty for IANS, is a co-founder of Rugged Software, and was a 2009 Top Influencer of IT in NetworkWorld. Corman received his bachelor's degree in philosophy, graduating summa cum laude, from the University of New Hampshire.
DtR FeatureCast - HP Protect 2013 - Episode 3 (Sep 19, 2013, 29:49)
For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together, not only to solve real-world problems but also to help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event, check out the HP Protect website.
I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
Episode 3 - Vikas Bhatia (CEO of Kalki Consulting) and Anton Goncharov (Managing Principal of MetaNet, LLC) - In this discussion, we just barely scratched the surface on the challenges SMEs face with integrating security into business processes and developing security solutions on a shoestring. This discussion focuses entirely on processes and the need for business integration and insight, and is likely the starting point for many further conversations to come.
DtR FeatureCast - HP Protect 2013 - Episode 2 (Sep 19, 2013, 23:30)
Episode 2 - Wasif Shakeel, Program Director Information Security, General Dynamics - Wasif and I discovered that we have entirely too much in common, and talked about the need for a sane process-and-measurement approach to security and for handling the "needle in a haystack" problem many Security Operations Centers are faced with.
DtR FeatureCast - HP Protect 2013 - Episode 1 (Sep 18, 2013, 20:05)
Episode 1 - Ian Beckford, Senior Product Manager, TELUS Security Solutions - Ian and I had a lively discussion around the service-provider use of the analytics and network security devices (currently ArcSight and TippingPoint) to provide customers with security solutions which benefit them, while remaining cost effective.
DtR Episode 58 - Of BSides and Bettering Infosec (Sep 16, 2013, 35:44)
In this episode...
Mike explains once and for all how the BSides namesake came to be
We talk about how the industry has evolved over the last 10+ years
Mike dispenses a little of his philosophy on how to better the industry
We talk burnout and why it exists, and possibly how to get through it
Guest: Mike Dahn (@MikD) - Mike Dahn is one of the original co-founders of the Security BSides conference many of you have attended, spoken at, or heard of. In addition to that, Michael Dahn is an information security and organizational design strategist responsible for the management of data strategies, project engagements, and cost modeling. With over 12 years of information security experience, Mr. Dahn has managed teams of 50 people and budgets of up to $30m annually for Fortune 500 companies. Today he focuses on leading mobile security strategies and industry relations.
He is an industry leader in regulatory compliance issues who previously worked for Visa, PricewaterhouseCoopers, and Verizon Business, and who created PCI training for, and trained, over 10,000 assessors, merchants, and vendors globally. He contributes regularly to the continued development of the global PCI guidelines.
During his tenure Mr. Dahn has presented to a variety of financial and banking associations (FDIC and NCUA), including regulatory bodies such as the PCI Council, and information security groups on topics including mobile security, compliance, information security programs, auditing and network security, and computer hackers. He has been published in several news articles and TV spots on information security.
DtR FeatureCast - HTCIA International 2013 (Sep 13, 2013, 44:06)
Today I had the pleasure of sitting down with one old friend, and one new. As a speaker at the HTCIA International conference, and the CISO Summit - I had the opportunity to gain some valuable insight, meet lots of excellent leaders, and forge some new relationships. As a wonderful side-effect I had the pleasure of sitting down with Mike Murray of Mad Security, and Vince Skinner, an attendee of the conference and security leader of his enterprise.
We talked about a range of topics from history of the information security industry, to our experiences and the current lack of direction and strategy in much of the enterprise space. We also discussed some topics that dated us quite a bit ...so don't judge!
Guests: Mike Murray (@MMurray) - Mike is the co-founder of Mad Security, an industry veteran and mentor, and an all-around fantastic friend.
Vince Skinner (@SkinnerVince) - Vince is the Information Security and Business Continuity Manager, AVP of D.A. Davidson & Co.
DtR Episode 57 - NewsCast for September 9th, 2013 (Sep 10, 2013, 42:30)
I want to thank our guests - Beau Woods and Joe Knape for joining us this morning. It was great to have these two well-versed commentators on the show ...vote with your downloads folks - if you want to make this a regular thing leave us a comment!
Topics Covered:
RedHack 'hacks' Turkish police website, stops border traffic? - http://www.hurriyetdailynews.com/redhack-hacks-turkish-police-website-as-border-traffic-grounds-to-a-halt.aspx?pageID=238&nID=53904&NewsCatID=341
A few thoughts on the NSA/Crypto from Matthew Green's blog - http://blog.cryptographyengineering.com/2013/09/on-nsa.html
The FTC settles with TRENDnet (the webcam shouting obscenities at the 2yr old story) - http://www.bostonglobe.com/business/2013/09/04/ftc-settles-complaint-over-hacked-security-cameras/uYjAuRcb4uCz51Zt1HSGbP/story.html
Citi ordered to pay $10.86/record, more harm than good - http://www.infosecurity-magazine.com/view/34328/citi-ordered-to-pay-55k-to-connecticut-over-2011-data-breach
NY Times hacked (again) but this time it's DNS ...DNS is baaaaack - http://www.thestreet.com/story/12020336/1/new-york-times-website-hacked-in-likely-malicious-external-attack.html
"This is why we can't have nice websites" - http://www.reddit.com/r/PHP/comments/1l7baq/creating_a_user_from_the_web_problem/
Other Links: FTC FAQ (Thanks to Beau Woods) - http://business.ftc.gov/documents/bus35-advertising-faqs-guide-small-business
DtR Episode 56 - Understanding the [InfoSec] Elephant (Sep 4, 2013, 49:53)
Every once in a while this podcast has a guest who makes us truly feel blessed to be doing this - Rob Dubois is one of those people. If you don't know anything about Rob, go read his website, listen to this podcast and check out his book. He is a real American hero, a fantastic human being, and a true patriot. On behalf of James and me - I want to extend a hearty thank you for the time Rob spent, and wisdom he's imparted.
In this episode...
Rob Dubois on being a 'badass'
the parable of the blind wise men and the elephant
be reachable and teachable (be a RAT)
the collision of boots, bits, and threats
the arrogance of security professionals is a weakness
fail early, fail often - learn from it
why plans are useless, and planning is essential
a George Carlin quote, and a "The Office" reference
a brutal lesson from PoW training
Guest: Rob Dubois (@RobDubois) - Rob is currently best-known for his book "Powerful Peace - A Navy SEAL's Lessons on Peace from a Lifetime at War". I can't possibly do Rob justice but to call him a true, powerful, "badass"... check him, his book, and his powerful message out for yourself on his blog SEAL of Peace.
DtR Episode 55 - NewsCast for August 26th, 2013 (Aug 27, 2013, 31:52)
Since James is out this week with something called "work", I've pulled in two friends (affectionately known as "The Joshes") Josh Marpet and Josh C. Big thanks to these fine gentlemen for stepping in and co-chairing this Monday morning quarterback session... I hope you enjoy!
Topics Covered:
Fraudsters target "wire payment switch" at banks to steal millions - http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/#
Insurer to Schnucks: We won't pay for lawsuits related to your breach - http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/#
NASDAQ has a "technical glitch" ... halts trading in the middle of the day - http://www.eweek.com/security/nasdaq-trading-halted-by-technical-issue/
Apple App Store infiltrated by researchers' Jekyll malware - http://www.nbcnews.com/technology/apple-app-store-infiltrated-researchers-jekyll-malware-6C10945771
Hacker takes over baby-monitoring IP cam, shouts obscenities... world put on alert - http://www.bbc.co.uk/news/technology-23693460
Other links:
Link to the now-defunct-ish "CamWar" maintained by @Viss - http://atenlabs.com/camwar/
Josh Brashars' talk at BayThreat 2011 was called "Inagada Davida (Or, Scary **** on Cellular Modems)"
DtR Episode 54 - Evolution of InfoSec with The Godfather of IPS (Aug 19, 2013, 44:53)
In this episode...
Rob gives us a little history lesson
Rob keeps going on the history lesson, IDS, open vs. closed circuits
We discuss "defense in depth" from back-in-the-day
James re-introduces us to the "security onion"
Rob talks about "programming for super-high-speed" and scale
Constructing things to truly "build scalability in"...
Designing networks as a front-end vs. back-end architecture
Rob points out that network diagrams are always wrong
Guest: Robert Graham (@ErrataRob) - No, this is not Robert Graham the clothing designer, this is Robert Graham the guy who pioneered the IDS. In Robert's own words ... "I am a well-known security researcher (aka. "white-hat" hacker). I created the BlackICE personal firewall in 1998. I invented the first network intrusion prevention system (IPS) "BlackICE Guard" in 1999, which is now sold as "Proventia" by IBM."
DtR Episode 53 - NewsCast for August 12, 2013 (Aug 13, 2013, 25:35)
Topics Covered:
The trash bin that stalked me (seriously, only in London) - http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/ and a follow-up as we recorded today: http://www.bbc.co.uk/news/technology-23665490
No data breach in Indianapolis, after laptop stolen/recovered - http://www.theindychannel.com/news/call-6-investigators/state-no-data-breach-after-stolen-laptop-traced-to-indy-home
DDoS blackmail in Manchester (UK) FAIL - http://www.manchestereveningnews.co.uk/news/greater-manchester-news/two-held-over-attempted-blackmail-5680548
US national health push ("Obamacare") falling behind on security testing...who's surprised? - http://au.news.yahoo.com/technology/news/article/-/18390597/obamacare-months-behind-in-testing-it-data-security-government/
Weird password 'feature' in Chrome... - http://blog.elliottkember.com/chromes-insane-password-security-strategy
DtR Episode 52 - Advanced threats, remedial defenses, broken record (Aug 5, 2013, 42:31)
In this episode...
Dave reminisces a bit...
Dave discusses 'digitally signed malware' and what it means
We discuss whether it's true that 'all networks are compromised'
We discuss consumer-grade vs. corporate-grade threats, and why they're different
An interesting point by Dave about why enterprises aren't learning from their compromises
We discuss customized malware, with specific and targeted payloads for specific systems
Dave talks about whether 'combat the criminal, hire the criminal' is true
Guest: Dave Marcus (@DaveMarcus) - Dave is currently the Chief Architect, Advanced Research and Threat Intelligence, McAfee Federal Advanced Programs Group. He's been around the industry for a long time, and has influenced countless researchers. He is well known as a fantastic speaker, subject-matter expert and generally a badass, and I feel lucky enough to call him my friend.
DtR Episode 51 - NewsCast for July 29th, 2013 (Jul 30, 2013, 28:53)
Ladies and gentlemen, we are over the 50-episode mark! If you've enjoyed the podcast, please go rate us in the iTunes store, or leave us a note here. Have you checked out past episodes?! There are some gems in there, I promise, and worth your time.
Topics Covered:
Charlie Miller and Chris Valasek demonstrated (and will disclose code to) the hack which allows complete (tethered) remote control of a modern vehicle. You need to watch this video, and if you develop code for transport vehicles and aren't thinking about securing your code - it's time to adjust course before you actually kill someone - http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and this is how the UK 'muzzled' a researcher who did something similar - http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/
Apple demonstrates how not to do breach disclosure, while Ibrahim Balic demonstrates how to jump into the spotlight (and put foot in mouth before thinking) by disclosing, video-recording, and telling the world of his 'ethical test' of Apple's forums - http://www.news.com.au/technology/ibrahim-balic-breaks-silence-on-hacking-apple-developer-site/story-e6frfro0-1226684484916 and http://gigaom.com/2013/07/22/researcher-comes-forward-to-claim-responsibility-for-intrusion-on-apple-developer-site/
After many years on the run, Russian super-hackers involved in the biggest breach of all time are caught - because they broke the first few rules of hiding - http://www.reuters.com/article/2013/07/26/us-usa-hackers-creditcards-arrests-idUSBRE96P02Z20130726
Exciting news for those of you who are sick of Android App Developers' over-reaching nature in the permissions arena: with the release of 4.3 there is a glimmer of hope in reining in those games that for some unknown reason require access to your contacts and 'premium services' and such - http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/
DtR Episode 50 - The Emergence of Geopolitics in InfoSec (Jul 22, 2013, 42:23)
Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment.
In this episode...
We try and discuss 'defense in depth' on the geopolitical scale
@packetknife drops the truth about 'geopolitics experts' in InfoSec
Ali explains navigating the undocumented security requirements in emerging markets
We talk about whether all this stolen data from enterprise has actually made a difference
Ali discusses the 'western sense of intellectual property' (eye-opening!)
Deperimeterization - why #InfoSec must adopt this RIGHT NOW, but seems allergic to it
Ali drops 'lawfare' on us - and why #InfoSec must know its options
We discuss why people 'generally just don't get it' when it comes to moving to triage over 'secure'
Ali decides he wants to be Frank, or is that frank? :-)
Guest: Ali-Reza Anghaie (@PacketKnife) - Ali is a resident expert (or as much as one can be) on geopolitics from his unique background, experience and perspective. He's a well-known figure in the community and has deep insight into the things that most of us read in the media, and pretend to understand. He's the perfect guest for Episode 50!
DtR Episode 49 - NewsCast for July 15th, 2013 (Jul 15, 2013, 28:23)
Topics Covered:
9 Years After Shadowcrew, Feds Get Their Hands on Fugitive Cybercrook - http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest
vBulletin Forums compromised (~15-~150k) to serve malware - http://news.softpedia.com/news/Around-150-000-vBulletin-Forums-Compromised-Abused-to-Serve-Malware-366442.shtml
America's EAS (Emergency Alert System) is open to compromise (still) - http://www.wired.com/threatlevel/2013/07/eas-holes/
Mobile malware up 614% y/y says Juniper, but mostly Android - http://www.computerworld.com/s/article/9240772/Mobile_malware_mainly_aimed_at_Android_devices_jumps_614_in_a_year
Bluebox Security finds "master key" issue with Android - but there's more to it - http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/
DtR Episode 48 - Securing HP Software (Jul 8, 2013, 45:26)
In this episode...
We get a little insight into the mind of Tomer, and how he thinks about security
We get an insight into what HP Software IT Management is doing to ensure security in the products they release
We discuss making security more than just a security line-item, and a business requirement
There are many "uncomfortable pauses" :)
We discuss Tomer's risk-focused approach to software quality
We ask "Is HP drinking its own champagne?"
Tomer gives us his feeling on DevOps
Guest: Tomer Gershoni - Tomer is the Information Security Officer responsible for product security for a select part of HP Software known as IT Management. Previous to that he was the CISO for HP Software-as-a-Service for over 3 years, based out of Yehud, Israel. Tomer has over 10 years' experience in Information Security and a background in software security. He is a very interesting individual, and his public profile can be found on LinkedIn here: http://il.linkedin.com/in/tomergershoni
DtR Episode 47 - NewsCast for July 1st, 2013 (Jul 3, 2013, 32:10)
*Apologies for this very important episode getting out a bit late, ladies and gents; I experienced a loss in the family, so things were a little slow to re-start. We should be back on track for next week's episode.
Topics Covered:
Political hacktivism is making a big splash in international news - http://www.ilovechile.cl/2013/06/17/chile-democratic-partys-official-site-hacked/87737 http://www.kjrh.com/dpp/news/local_news/jenks/jenks-chamber-of-commerce-website-hacked-for-second-time-within-a-month http://www.publicnewshub.com/zimbabwean-hackers-hailed-for-attacking-ancs-website/ http://www.bignewsnetwork.com/index.php/sid/215436810/scat/b8de8e630faf3631/ht/South-and-North-Korea-close-website-amid-hacking-alerts http://www.business-standard.com/article/pti-stories/syria-s-online-troops-wage-counter-revolutionary-cyber-war-113060900065_1.html http://www.ehackingnews.com/2013/06/turkish-ministry-of-interior-website.html
Google published their epic Transparency Report data - http://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/ http://www.google.com/transparencyreport/
European Union issues new data breach laws for telecommunications industry - http://www.infosecurity-magazine.com/view/33109/eu-announces-new-data-breach-rules-for-telecoms/
Critical vulnerabilities found in CROWD single sign-on product - http://www.computerworld.com/s/article/9240487/Critical_vulnerabilities_found_in_Atlassian_Crowd_enterprise_single_sign_on_tool
Facebook offers (pays!) $20,000 for a brilliant business-logic bug - http://www.eweek.com/security/facebook-patches-mobile-text-vulnerability-rewards-flaw-discoverer/
Microsoft launches a bug bounty program, for IE11 and more - http://www.microsoft.com/security/msrc/report/bountyprograms.aspx# http://www.wired.com/threatlevel/2013/06/microsoft-bug-bounty-program/
Opera code signing certificate stolen and used to sign malware - http://www.eweek.com/security/opera-data-breach-exposes-legions-of-windows-users-to-malware-attack/
DtR Episode 46 - Serious Problems with Industrial Control System (Jun 24, 2013, 39:38)
In this episode...
The gang discusses the issues with the rapid escalation of connectivity in modern-day industrial control systems
What specialized skills are needed to be a SCADA or ICS hacker
A nervous pause as vulnerabilities in ICS systems which could affect the adult beverage industry are touched upon
Discussion on how to deal with 25 year patch cycles
Why is it that embedded devices simply don't get patched like your other systems?
What are the real issues with ICS systems, and why they're not getting enough attention...yet
Guest: Mr. Billy Rios (@XSSniper) - In addition to being a long-time friend of mine, and one of the most knowledgeable and humble people in the hacking space, Billy is currently a Technical Director and the Director of Consulting for Cylance. Billy is an accomplished web application hacker, releasing an XSS tool which is currently his Twitter handle. While being a "big picture" guy, Billy also tackles some of the most complex large-scale ICS issues, and with his team works to identify and remediate threats to his clients.
DtR Episode 45 - NewsCast for June 17th, 2013 (Jun 17, 2013, 20:16)
This week, James is flying solo on the microphone catching you up on all the latest news and BIG stories since I'm at HP Discover, Las Vegas and Suits and Spooks in La Jolla, CA. A busy week all the way around, some pretty earth-shattering news coming out!
Topics Covered:
We couldn't be the only ones NOT covering the big NSA leak and revelations of spying and other surveillance. Somewhere in the hype, though, is the enterprise story of insider threat - http://www.guardian.co.uk/world/2013/jun/09/nsa-secret-surveillance-lawmakers-live
Google Glass is in the news, again, this time from an enterprise perspective. In light of the slight insider threat problem revealed lately, how will Google's glasses impact security, and society in general, for good or evil? - http://www.computerworld.com/s/article/9240077/Google_Glass_could_get_a_look_at_the_enterprise
Apple made the news with iOS7 and the big "kill switch" feature; is this really a good idea that actually works, or a desperate gimmick to demonstrate innovation? (especially in light of the lock screen bypass in iOS7 beta!) - http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch and http://www.forbes.com/sites/andygreenberg/2013/06/12/bug-in-ios-7-beta-lets-anyone-bypass-iphone-lockscreen-to-access-photos/
Google noticed a significant spike in phishing traffic to GMail around the Iranian "election" (and I use that in quotes on purpose), an interesting developing story - http://money.cnn.com/2013/06/14/technology/security/google-phishing-iran/index.html
Last but certainly not least, how about that 2+ year old Adobe Flash bug that's being exploited in Chrome to allow attackers (or just perverts) to spy on you using your webcam... creepy! - http://www.forbes.com/sites/andygreenberg/2013/06/14/two-year-old-flash-bug-still-allows-webcam-spying-on-chrome-users/
DtR Episode 44 - Unmasking Security Products (Jun 10, 2013, 47:21)
In this episode...
We discuss the true nature of many of the security product decisions CISOs have to make every day
Frank and Raf make very poorly thought-out sports analogies
There are uncomfortable lengths of silence (mostly edited out)
The crew discusses NSS Labs, and what they do to help the CISOs out there make smarter decisions
"Someone" asks about anti-virus...
Guests: Frank Artes (@franklyfranc) - Research Director Francisco Artes is a recognized information security executive who has helped form some of the motion picture & television industry's best practices for securing intellectual property. Artes is also known for his work on cybercrime, hacking and forensic security issues with various federal, state and local government and law enforcement agencies such as the US Dept. of Homeland Security, the FBI, the Texas Rangers, US Marshals and several others. Mr. Artes most recently served as Vice President, Chief Architect / Content Protection for Trace3, and as Vice President, Security Worldwide for Deluxe Entertainment Services Group. Artes has presented on six of the seven continents, serves on several boards and is a Trusted Adviser for The Security Consortium.
John Pirc (@jopirc) - Research Vice President John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, "Blackhatonomics: An Inside Look at the Economics of Cybercrime" (published in December 2012), and "Cyber Crime and Espionage" (published in February 2011), Pirc has been named a security thought leader by the SANS Institute and speaks at top tier security conferences worldwide. Mr. Pirc's extensive expertise in the security field includes roles in cybersecurity research and development for the Central Intelligence Agency, Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for Security Products at IBM Internet Security Systems, Director of McAfee's Network Defense Business Unit and, most recently, Director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. In addition to a bachelor's degree in Business Administration, Pirc holds the NSA-IAM and CEH certifications.
DtR Episode 43 - NewsCast for June 3rd, 2013 (Jun 3, 2013, 27:01)
It's June already?! Where has the first half of 2013 gone? James and I break down the last 2 weeks of interesting InfoSec news in a short "Monday morning quarterback" style... enjoy!
Topics Covered:
Evernote adds 2-step verification for their authentication, and follows suit with just about every other 'modern' app. Following on the heels of Twitter, LinkedIn, FaceBook, Apple and the one that started it all, Google - we're now getting multi-step authentication from Evernote. Free users not welcome ...yet? - http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
Dropbox down for more than an hour, but it wasn't a security bug (we don't think), it's just that they had 'technical difficulty'. If you depend on Dropbox for your file synchronization services, you knew this happened - http://www.computerworld.com/s/article/9239648/Dropbox_goes_down_for_more_than_an_hour
NIST 500-299 "Cloud Computing Security Reference Architecture" document is released. There's a bit of irony here, as the document itself is a whopping 299 pages! - http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
Drupal.org has been hacked, and it appears 2013 just isn't a good year for the folks over at Drupal. Apparently about 1 million accounts have been compromised/affected, and all accounts had their passwords reset - I apparently had a Drupal account I don't remember anymore and my password was reset too - http://techcrunch.com/2013/05/29/drupal-org-hacked-user-details-exposed-and-reset/
Google changed its disclosure policy for critical issues that are actively being exploited from the standard 60 days, to 7. A week. 7 days down from 60 ... this needs more reading and discussion - http://www.csoonline.com/article/734286/google-zero-day-disclosure-change-slammed-praised
Hackers are exploiting a Ruby on Rails vulnerability that was patched this past January, so zero-day no longer applies... the lesson here is to patch in a timely fashion! - http://www.computerworld.com/s/article/9239588/Hackers_exploit_Ruby_on_Rails_vulnerability_to_compromise_servers_create_botnet?taxonomyId=17
DtR Episode 42 - Threat Modeling (May 28, 2013, 47:26)
In this episode...
John discusses some of the foundational principles of Threat Modeling
We talk about why threat modeling is like your time in high school
We discuss why threat modeling is such an incredibly important tool to the enterprise
John gives us some nuggets of his experience with threat modeling enterprise applications
Guest: John Steven (@m1splacedsoul) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science, both from Case Western Reserve University.
DtR Episode 41 - NewsCast for May 20th, 2013 (May 20, 2013, 26:48)
Welcome to Monday, May 20th 2013 as James and I discuss the last 2 weeks' worth of Information Security news and relate it (attemptively) to your enterprise day-job. This week was a bit on the lighter side, with the quote of the year (as far as I'm concerned) winner going to the Washington State Administrative Office of the Court for ...well, you'll just have to read the rest of the show notes and listen to the podcast.
Also ... we are now on the Zune store. So ...to the 2 new Zune listeners - HELLO!
Topics CoveredResearches at Trend Micro uncover new cyberespionage campaign call it SafeNet (in unrelated news SafeNet the security company had nothing to do with this...). Yet another cyberespionage campaign targeting users with revolutionary new technique called "phishing", and using a vulnerability in Microsoft software patched in April 2012, originating from ... China! - http://www.computerworld.com/s/article/9239342/Researchers_uncover_SafeNet_a_new_global_cyberespionage_operation Domain registrar, Name.com hacked, customer information including potentially usernames, email addresses, encrypted passwords (just how encrypted are we talking here? ROT13? double-XOR?), and encrypted (same question as before) credit card information potentially stolen. Again, the vector of choice is this revolutionary new tequnique called ... phishing - http://www.pcworld.com/article/2038263/namecom-forces-customers-to-reset-passwords-following-security-breach.html Godzilla hacked EC-Council (this needs no explanation) - http://www.esecurityplanet.com/hackers/ec-council-hacked.html Four former LulzSec members (former?) sentenced for their roles in the 2011 attacks on companies such as Sony, Nintendo, News Corp, the CIA and many others. Sentences range from a 30-month prison term for "Kayla" to 200 hours of community services for T-Flow. Justice? Interested to hear what you think - http://www.computerworld.com/s/article/9239302/Four_former_LulzSec_members_sentenced_to_prison_in_the_UK Washington State's court system has been compromised, exposing 160,000 social security numbers and a million drivers' license numbers - basically everything you'd ever need to steal someone's identity. Luckily officials have determined that only 94 of those were definitely obtained by the attacker (what?!). Also, ridiculous quote of the year honors go to the "officials" for this: ".. 
officials at first believed no confidential information was leaked even though a large amount of data was downloaded from the website, the Washington State Administrative Office of the Courts said." - http://tech2.in.com/news/general/up-to-160000-social-security-numbers-exposed-in-washington-state-court-hack/872700
DtR Episode 40 - Breakers, Builders, and the EnterpriseMay 13, 2013 45:34
In this episode...Kevin, James and I discuss why penetration testing reports are often so worthless Kevin and I disagree. Then we agree, sort of. We discuss the major differences between the 'builder' and 'breaker' mindset, and whether they're actually different people Kevin gives some fantastic examples of how context and experience is critical in penetration testing We provide guidance no how someone can 'break into' (no pun intended) penetration testing and be effective Kevin gives an example of how someone can be a great penetration tester, but be of little value beyond that We wrap by disussing how enterprises can gain value from penetration testing- and Kevin provides an interesting strategy
GuestKevin Johnson ( @SecureIdeas ) - Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub. Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
DtR Episode 39 - NewsCast for May 6th, 2013 (May 6, 2013, 29:00)
It's another beautiful Monday (somewhere) and we've got the news of the last 2 weeks covered, and we're breaking it down for you. The news this week is, well, quite frankly kind of dark. Everything tells us we're in for a rough ride for the rest of the year, and it's only getting worse.
If I sound a little funny, it's because I'm talking through a massive sinus infection and it's making me talk funny and stuffy. Also the recording you hear is take 2 ... I had a major technology fail so we had to re-record, with less sadness.
Topics Covered
- We are happy to report that Justin Bieber is, in fact, not coming out of the closet and E! Online was only hacked by those wacky military hackers from the Syrian Electronic Army. Apparently they've been on quite the hacking spree of media outlets and even put a major - albeit brief - dent in the stock market! - http://www.nydailynews.com/entertainment/e-online-twitter-account-hacked-article-1.1335214
- The US Department of Labor was hacked, in what appears to be a very targeted 'watering hole' attack aimed at nuclear employees. The attackers, if the stories are true, burned an IE8 0-day on this one, and of course they are Chinese - http://www.eweek.com/security/zero-day-exploit-enabled-cyber-attack-on-us-labor-department/
- Anonymous is threatening a massive attack against the White House (the political entity, not the ...nevermind), Bank of America, Citibank and other targets on May 7th. Are these folks just becoming part of the 'background noise' of the Internet? Are security professionals just starting to become numb to the DDoS attacks? - http://pastebin.com/TyvAK20F
- Chinese hackers have apparently ransacked QinetiQ, a defense contractor with ties to global cyber intelligence operations, spooks, and other interesting things. Bloomberg's write-up was not kind to these guys - http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
- In the perfect illustration of the fact that insider threats are real, a systems manager returned to the company he was no longer employed at and wreaked havoc. Folks, there is no magic 1U box that will stop this sort of attack; be vigilant and have good auditing and processes! - http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network
DtR Episode 38 - Enterprise Security in the Real World (Apr 29, 2013, 36:49)
In this episode...
Live (live-to-tape) from 44Con, London, England.
It's amazing, listening to this episode recorded at 44Con last fall, how little the landscape of enterprise security has changed. I took some time during the busy conference to sit down with Ian Amit and Dennis Groves to discuss Ian's and my talks (which were perfectly aligned, and completely unplanned!) on the state of security in the enterprise. It's always interesting to get the perspective from 2 well-known industry speakers and thinkers.
We discuss the topics of #SecBiz including the role of security in the enterprise, the challenges business security professionals face, metrics and why we have some of the crazy change management failures in security. We laugh, we almost start to cry - but ultimately come to the realization that we need change. Ian and Dennis and I are working on driving that change!
Guests:
- Iftach Ian Amit ( @iiamit ) - Seasoned manager in the security and software industry with vast experience in a myriad of areas of software (from enterprise security, through retail oriented, to end user software and large back-end systems). Highly experienced in leading marketing opportunities, and translating technical innovation into marketable concepts that increase sales and exposure. Information Security expert with vast experience ranging from low level technical expertise up to corporate security policy, regulatory compliance and strategy. BlackHat and DefCon speaker, with vast experience in public speaking and private customer focused seminars. Founding member of the PTES (Penetration Testing Execution Standard), IL-CERT, and the Tel-Aviv DefCon group (DC9723).
- Dennis Groves - Dennis's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute. He is most well known for co-founding OWASP.
DtR Episode 37 - NewsCast for April 22nd 2013 (Apr 22, 2013, 33:15)
It's Monday April 22nd, 2013, and here are the topics from the last 2 weeks James ( @jardinesoftware ) and I ( @Wh1t3Rabbit ) will be talking about as we Monday-morning-quarterback the last 2 weeks in Information Security... Fair warning, we have way too many topics to fit into 20 minutes... so we went a little bit longer, but both feel it's well worth your time. Laugh, cry, and be informed.
Topics Covered
- Microsoft rolls out 2-factor authentication - James points out that Microsoft has rolled out authenticator-agnostic, robust 2-factor authentication... if only I could figure out how to use it? If you have any experiences with this, please share with us on Twitter, using the #DtR hashtag - http://nakedsecurity.sophos.com/2013/04/11/microsoft-look-like-being-next-with-2fa/
- Oracle dumps a 42-patch bundle - Oracle has dropped a massive patch bundle, many of these are remotely exploitable Java issues, and it's not a walk in the park for Enterprise Security folks. Also ... we chuckle a little bit about the absolutely mindless new 'shape-coded' warnings - http://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
- US and China to work on cyber security? - In what James and I both thought was a botched April Fools' joke, it appears as though China & US have come together to decide who the real victim in this 'cyber hacking' problem is, and what they're going to do about it going forward. Are we absolutely sure this isn't a farce? - http://www.reuters.com/article/2013/04/13/us-china-us-cyber-idUSBRE93C05T20130413?irpc=932
- Hacking a plane with an Android app? - A hacker has demonstrated (at the HitB Conference) that it is possible to remotely control a plane, in the setting of a lab. James and I talk about what the implications of this are... more to come - http://www.theatlanticwire.com/technology/2013/04/no-german-hacker-probably-cant-hijack-airplane-software/64158/
- Louisville credit card processor HACKED - Another credit card processor hacked...and the notification comes from, you guessed it, a 3rd party - http://www.wave3.com/story/21911646/louisville-credit-card-processor-hacked-card-numbers-stolen
- Hacking ring targeting...video games? - A hacking ring was uncovered by Kaspersky that has, for a number of years, been targeting video games, their source code, and other components. To what end? We discuss - http://www.gamepolitics.com/2013/04/12/kaspersky-chinese-hacking-ring-has-hacked-multiple-mmo-game-servers
- US President Obama seeks a slight increase in technology spending - Does a 2% increase (which is actually a decrease) mean anything without context? Nope... - http://www.nextgov.com/cio-briefing/2013/04/tech-spending-projected-rise-fiscal-2014/62405/?oref=ng-HPtopstory
- FCC issues fines to 2 enterprises employing cell jammers - Apparently, importing or using cell phone jammers is actually against federal law, but we already know that. The FCC came down relatively easy on these two companies... - http://transition.fcc.gov/Daily_Releases/Daily_Business/2013/db0409/FCC-13-47A1.pdf
DtR Episode 36 - Unmasking Cyber Intelligence with Jeffrey Carr (Apr 15, 2013, 40:43)
In this episode...
- A critical discussion on the available 'cyber intelligence' reports from various vendors
- How hard is attribution in cyber space, really?
- "Alternative analysis" - why isn't it being used enough in cyber intelligence reporting?
- Discussion on 'degrees of certainty' and its apparent lack of application to cyber intelligence
- Extensive discussion on avoiding confirmation bias, critically reviewing intelligence work, and peer reviewing processes
- Kinetic responses to cyber threats and other outrageous rhetoric
- Hacking back? But hacking whom?
Guest: Jeffrey Carr ( @JeffreyCarr ) - Jeffrey Carr is a cybersecurity analyst and expert. He lives in Seattle, Washington. He is founder and CEO of Taia Global Inc. He is also the founder and principal investigator of Project Grey Goose, an open source investigation into cyber conflicts including the Russian cyber attacks on Georgia, the Indian Eastern Railway Website defacement and the Israeli-Palestinian war in 2008 to 2009. He is also a government contractor who is consulted on Russian and Chinese cyber warfare strategy and tactics. [ http://en.wikipedia.org/wiki/Jeffrey_Carr ]
DtR Episode 35 - NewsCast April 8th, 2013 (Apr 8, 2013, 22:08)
In this second episode of our Monday morning InfoSec quarterbacking, James and I actually got through the news items we had lined up in just about 20 minutes. I count this as a win.
Topics Covered
- Choice Escrow & Land Title, LLC vs. BancorpSouth, Inc. | At issue is the Uniform Commercial Code (UCC) as it applies to commercial entities taking "commercially reasonable methods" to secure their transactions. This one is going to have a major ripple effect, keep an eye out for further developments - http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/
- "The biggest cyber attack ever" | Or really, a DDoS feud between a known spammer (CyberBunker) and a spam fighter (SpamHaus) which actually did impact Internet traffic in Europe, but was effectively a tempest in a teapot for most everyone else - http://www.cnn.com/2013/03/27/tech/massive-internet-attack/index.html?hpt=hp_t2
- Schnuck's gets hacked by "computer code", but it's OK now | Short version of this story, be careful how hard you play up the 'reputation' angle with your business ...turns out people may not care so much - http://www.stltoday.com/business/local/schnucks-says-credit-card-fraud-source-found-and-contained/article_605469bd-db5d-5a1b-94cf-100f4eabc58f.html
- Darkleech affects a huge number of Apache servers, silently installs iFrame-based malware selectively | People who name these things come up with some of the coolest names ...seriously! Interesting story. - http://www.h-online.com/security/news/item/Darkleech-infects-scores-of-Apache-servers-1834311.html
- BitCoin wallet service InstaWallet hacked, shuts down "indefinitely" | Oh, another BitCoin tragedy as the currency suffers yet another blow to its viability as hackers target a wallet service, value bounces. - http://venturebeat.com/2013/04/03/bitcoin-wallet-instawallet-hacked/
DtR Episode 34 - The Inside Scoop on Cyber Liability Insurance (Apr 1, 2013, 00)
First ...a milestone.
I want to take this time to formally welcome Mr. James Jardine, of SecureIdeas, as my permanent co-host to the podcast. James has experience podcasting as he already co-pilots the Professionally Evil Podcast, and he's witty, knowledgeable, and awesome to work with on the microphone. I ask that you all give James a warm welcome!
In this episode...
- Overview of what cyber liability insurance is and what it isn't
- We ask "Why would we need a security program, when you can just buy insurance?"
- How do [cyber] underwriters figure out how to insure you, and how much of a liability your organization and its practices are?
- The types of costs and coverages available in some of the different policies at the various carriers
- We pull on the 'reputation' thread ... again
- We try to divine the magic formula used to calculate a 'liability' or coverage requirement
- We try and figure out how an enterprise can drive down their cyber liability insurance premiums
- Christine touches on mobility, encryption, and some interesting tidbits for the modern enterprise
Guest: Christine Marciano ( @DataPrivacyRisk ) - Christine Marciano is President of Cyber Data Risk Managers, an Independent Insurance Agency specializing in Cyber Risk/Data Breach insurance, Directors & Officers insurance and (IP) Intellectual Property protection. Christine has over 17 years of experience working in various roles within the Insurance and Financial Services industry. Prior to establishing Cyber Data Risk Managers, Christine has held positions at CIBC Oppenheimer, Axa Advisors and Allstate Insurance Company.
Links:
- Christine's Blog - http://databreachinsurancequote.com/blog/
- My 2013 Data Privacy, InfoSec & Cyber Insurance Trends report - http://databreachinsurancequote.com/wp-content/uploads/2013/02/2013-Data-Privacy-Information-Security-and-Cyber-Insurance-Trends-Report.pdf
- Christine's free weekly newsletter signup page - http://databreachinsurancequote.com/subscribe-data-breach-weekly-newsletter/
DtR Episode 33 - NewsCast March 25th, 2013 (Mar 25, 2013, 00)
Welcome to the Down the Rabbithole NewsCast!
Join me in welcoming James Jardine ( @JardineSoftware) of Secure Ideas to the show as a permanent co-host! The NewsCast is a bi-weekly (2nd and 4th Monday of the month) release where we'll discuss the news and events of the past 2 weeks, and attempt to analyze, break down, and generally make sense of the madness of the Security industry and real world at large.
Also a big thanks to Todd Haverkos, the voice behind the hilarious intro you'll hear on this podcast, and all the others ...
Topics We Covered
- Apple's new 2-Factor Authentication went live
- Cisco made passwords weaker (whoops!) in their IOS
- The US Government struck out twice (SAM security issue, and a contractor "buys" warez)
- Celebrities get their credit info jacked
- S. Korea gets whacked with a nasty bug, wipes out 32,000 machines in one swoop
DtR Episode 32 - Big Data in Little InfoSec (Mar 18, 2013, 00)
In this episode...
- We discuss "big data", what the heck it really is, and whether it's something new, something old, or something marketing made up
- Marcus does interpretive dance, and makes up new words
- Alex (shockingly) disagrees with Marcus, and actually describes 'data science'
- We hear Marcus talk about "NBS - never before seen" detection and why it's so critical
- We collectively agree (it's OK to be shocked) that "big data" is not a product
- Marcus discusses why you should be defending against the sniper
- The guests disagree on whether we have too little data, or whether we just don't know how to make it work for us
- Alex puts on a tinfoil hat ...
Guests:
- Marcus Ranum ( @mjranum ) - Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is a pioneer in security technology who was one of the early innovators in firewall, VPN, and intrusion detection systems. Since the late 1980s, Marcus has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer to founder and CEO of NFR. In SC Magazine's 20th Anniversary Edition, Marcus was named as one of the top industry pioneers over the last 20 years. Marcus is currently the CSO at Tenable.
- Alex Hutton ( @alexhutton ) - Alex is the Director of Operations Risk & Governance for a very, very large financial, so he has to stay incognito. Frankly, it doesn't matter much whether he says where he works, the dude's one of the smartest people I know, and lives, breathes, and often excretes 'risk' knowledge.
DtR Episode 31 - Analyzing US vs. Cotterman (Cyber Law) (Mar 11, 2013, 00)
This timely podcast is right on the heels of the US vs. Cotterman decision from the 9th Circuit Court of Appeals. One of the watershed decisions on privacy and digital law, this is an extremely important case that touches on whether government agents can take and search your digital property while crossing the border with or without cause or suspicion. Michael and Shawn give their analysis, and we get some critical information for international business travelers, as well as those of us in the security community who regularly cross the US border with sensitive, potentially encrypted or password-protected information.
Link to the original 9th Circuit Court of Appeals decision: http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf
You're not going to want to miss this podcast.
Guests:
- Michael Schearer ( @theprez98 ) - Security consultant and penetration tester by day, law student and hacker by night, proud Navy veteran, writer, promoter of civility in political discourse, Philadelphia and Penn State sports fanatic, practicing philomath, and last but certainly not least, Dad and Husband. Michael maintains a fantastic blog at http://theprez98.blogspot.com.
- Shawn E. Tuma ( @shawnetuma ) - Partner at the law firm BrittonTuma and an attorney with broad-based business, litigation, and intellectual property litigation experience combined with his unique expertise with cutting-edge legal issues such as computer fraud, data security, privacy, and social media law. Shawn is a member of the Information Security Committee of the Section of Science & Technology Law for the American Bar Association and the Privacy, Data Security, and e-Commerce Committee of the State Bar of Texas. Shawn maintains a great resource for analysis on legal decisions at http://www.shawnetuma.com.
DtR Episode 30 - It's Always a Business Decision [MISEC edition] (Mar 9, 2013, 00)
Security has an interesting view on "business decisions", and in this podcast episode recorded at GrrCon 2012 in Grand Rapids, MI, I sit down with some of the talent behind MISEC and we discuss #SecBiz topics of interest including the ugly phrase "it's a business decision" and why we say that. We also dive into how decisions are made, and why security and business are still often at odds on goals and acceptable 'risks'... and why our recommendations and guidance still fall on seemingly deaf ears.
We sample some of the sage wisdom of J.W. Goerlich as he runs his IT and security organization, and how he asks his security employees to think business, and put themselves into the frame of reference of the business when making decisions.
Jen Fox brings up Miller's Law, and teaches us to ask "What is that true of?" when framing discussions in the business context with non-technologists. Jen makes us think about frames of reference. She tells us that we must assume that a statement someone makes is true ... from their frame of reference, and we simply must get inside their frame of reference to understand their thinking.
Steven Fox gives us a little bit of a glimpse into the government world where you can't always go sit down with the decision maker, and have to depend on your relationships, cooperation, and sometimes back-room politics to get things done.
I invite you to listen in, this is a timeless discussion that everyone should participate in.
Guests:
- J.W. Goerlich - @JWGoerlich - Information Systems and Information Security Manager. Regular InfoSec practitioner, occasional speaker and writer. INTJ. #MiSec, #BSidesDetroit, #CSA, #Owasp
- Jen Fox - @J_Fox - Making security accessible to the end user. Independent consultant, biz analyst, tech-to-biz translator, and diplomat. CIPP/IT and locksport enthusiast.
- Steven Fox - @Securelexicon - I am a Security Architect at the U.S. Dept of the Treasury & Penetration Tester passionate about security as a business value and differentiator.
DtR Episode 29 - Shawn Tuma - The Law and the Hacker (Feb 5, 2013, 00)
Shawn and I have been trying to get together to record an episode for what seems like forever. We first started talking about the CFAA (Computer Fraud and Abuse Act) when it was ruled that a person could not be charged as a 'hacker' under the CFAA by their employer when they accessed information improperly if the employer did not restrict that access appropriately. Shawn's expert insight here as an attorney dealing with the CFAA shines as we talk about hacking, vulnerability research, and other critical topics to the hacker culture, information security industry and security professionals.
You're not going to want to miss what Shawn has to say... I want to thank him for his time, and encourage anyone who needs the sort of advice Shawn has to give him a call, or send him a Tweet.
Shawn E. Tuma - Shawn E. Tuma is an experienced business, litigation, and intellectual property attorney at BrittonTuma who helps businesses and individuals assess, avoid, and resolve business and legal issues. Shawn has spent his career handling cases before state and federal courts alike and is well versed in both traditional and emerging areas of the law. In addition to his career-long business law and litigation practice, he has developed a niche practice as a thought-leader in emerging areas such as computer fraud, data breach, privacy, and social media law, with a strong command of the Computer Fraud and Abuse Act. Shawn enjoys handling highly complex commercial, technological, and intellectual property matters as much as he does those that are more traditional. Shawn can be found on Twitter as @shawnetuma.
DtR Episode 28 - Bill Burns - InfoSec in a Cloud of Constant Flux (Jan 30, 2013, 00)
I sat down with Bill at ISSA International in Anaheim, CA in the fall of 2012 to discuss what it's like, and what types of challenges he faces in the fast-paced, hybrid world of security at Netflix. We talked about some of the challenges his environment faces, and more generic issues that are endemic to the evolving security landscape. It's fascinating to hear Bill's take on what the big picture items are, and how security is really in a state of evolution right now. Join us, I think you'll love this episode.
Bill Burns - Director of IT Security and Networking, Netflix - Bill is a Silicon Valley titan; his name is associated with the likes of Infoblox, Riverbed and Netflix. Currently he's the Director of IT Security and Networking at Netflix, managing security in a hybrid cloud, traditional IT world, and facing some of the most complicated challenges in today's tough security landscape.
DtR Episode 27 - Guest: Mikko Hypponen - Way beyond viruses (Jan 7, 2013, 00)
To kick off January on the Down the Rabbithole podcast I have Mikko Hypponen, the "malware adventurer" and Chief Research Officer from F-Secure Corp, and we're talking about the state of malware and 'viruses', digging into the modern threat landscape and maybe digging up a bit of nostalgia from the late '90s. This is a fascinating conversation, so I invite you to break out your old boot sector and COM viruses and join us for some interesting discussion!
Mikko Hypponen - Chief Research Officer at F-Secure Corp., TED speaker, and self-professed "malware adventurer". He can be found on Twitter at @Mikko
DtR MicroCast 06 - Guests: Steven & Martin - Hacking in Quebec (Hackfest.ca) (Dec 21, 2012, 00)
This microcast episode was recorded live from hackfest.ca 2012, on location in Quebec. The conference is a phenomenal success for the challenges they face (primarily non-English speaking region, small market, etc) but they've managed to attract a ridiculous amount of people to this conference, awesome speakers, and have one of the best 'War games' scenarios I've ever seen... listen to these two guys talk about how they make this happen.
Guests:
- Steven McElrea (@Longferret) - contributing and supporting organizer, key cog in the hackfest.ca wheel!
- "Martin" - he's responsible for a lot of the design and infrastructure behind the War Games that were conducted here.
DtR Episode 26 - Guest: Brad Arkin of Adobe - Software Security Under Pressure (Dec 19, 2012, 39:52)
This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen!
Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.
DtR MicroCast 05 - Guest: Eric Cowperthwaite - The Rise and Fall of Enterprise IT (Oct 27, 2012, 00)
LIVE from day 2 of the ISSA International conference 2012, in Anaheim, California I cornered Eric Cowperthwaite after a much-anticipated year-long wait... and we talked about his prediction that in the next 2 years many of the traditional IT employees will be employed as either business-IT resources in the enterprise, or IT-technical resources at an IT outsource or cloud provider... Eric's predictions tend to be right on the money so it'll be interesting if some of the things he advocates in this microcast come true! Only time will tell.
Eric Cowperthwaite - Eric is the Chief Security Officer at Providence Health & Services, and a strong advocate of pragmatic security. Eric has a long history from Army Recruiter, to outsource services delivery with EDS, to his many years of service to the ISSA and Providence Health & Services. In addition to being a good friend and colleague, Eric has a snarky sense of humor, and tends to be not afraid of speaking his mind ... and as it turns out his predictions become reality in the near future. Eric can be found on Twitter as @e_cowperthwaite, and on LinkedIn.
DtR Episode 25 - Guests: Jim Manico, David Litchfield - From Black Hat 2012 with SQLi (Oct 23, 2012, 00)
When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about! We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at least partially responsible for how long this podcast ended up being. It's well worth the time, in my opinion, as we cover the following topics:
- Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment)
- Jim & David talk about how to do sane SQL Injection protection (bind everything!)
- David talks about some contrived ways of hacking Oracle databases that are 'outside the business logic' and explains why validation is still important
- Jim brings up structural validation of inputs (useful white-listing)
- David brings up that his exploits from 2007 are STILL working in 2012 - terrifying
- "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection
- David talks about unconventional database forensics that identify attacks via weblogs
- Vendors have upped their game to protect applications, developers are still writing bad code
- Jim Manico: "We are entering the golden age of hackers" ... does this mean better security?!
- David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers
- Jim asks "does the [development] framework of the future consider security as a built-in?"
Guests:
- Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word. You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.
- David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.
DtR Episode 24 - Guests: DarthNull & InfoJanitor - All the Things InfoSec (Oct 5, 2012, 00)
This week we went free-form with two of my favorite InfoSec insiders ...people you probably follow on Twitter but can't quite place. Here are some of the topics covered this week:
- The Apple UDID theft - what really happened, why, and what more is there to this story?
- Information vs. DISinformation...the battle for online trust
- Speaking of distrust - where do you go post-breach?
- InfoSec intelligence is a lot harder to do than just reading mailing lists and Twitter, there's a ton to this (scratching the surface)
- Change management's impact and possible salvation for IT and InfoSec
- Legacy systems and why they are the ball and chain, and why we can't nuke them
- The user ... how do we get past just hating on the user in InfoSec?
Guests:
- @DarthNull - David is a mobile hacker with Intrepidus Group, and active puzzle-solver extraordinaire
- @InfoJanitor - He's a long-time InfoSec guy, working for a 'big company' ...and if he told you more than that, well ...you know.
DtR Episode 23 - Guest: Patrick C. Miller - Energy Sector, SmartGrid and Resiliency (Sep 25, 2012, 41:38)
Today's podcast discussion is with someone who has one of the toughest jobs in the security world... Patrick helps organizations that generate and deliver the power that runs our gadgets and the critical systems that maintain life as we know it. The power grid is not only surprisingly vulnerable due to its age-old infrastructure, but also surprisingly resilient due to the complex nature of power distribution and generation... there's just a lot more to it than most people realize.
Patrick separates fact from fiction and goes into the pragmatic approach on national electric grid security - where we realize that it's really worse than we believed from a cyber security perspective, but better than we know because as you read this the electric grid is under constant attack, but it's still transmitting clean power.
I urge you to listen to this podcast, and then engage Patrick (@PatrickCMiller) or me in discussion...
Guest: Patrick C. Miller - President & CEO of EnergySec; Principal Investigator of the National Electric Sector CyberSecurity Organization (NESCO)
Links:
- NESCO - US Dept. of Energy (DoE) Office of Electricity Delivery & Energy Reliability - http://energy.gov/oe/services/cybersecurity/nesco
- EnergySec - A 501(c)(3) not-for-profit organization formed to support organizations within the energy sector in securing their critical technology infrastructures - http://www.energysec.org/
DtR Episode 22 - Guests: Marc Blackmer, Matt Morgan - Security + App Lifecycle viewpoints (Sep 21, 2012, 00)
This episode is a mini-episode recorded live from the social media lounge at HP Discover Las Vegas 2012. It was an incredible show, where I caught up with Marc and Matt - two guys who are really from opposite sides of today's deploy vs. secure coin. Somehow we quickly dove into DevOps and picked up right where my conversation with the incomparable Gene Kim left off in episode 20. Ironically, we discussed how to deploy faster (sound familiar?) and still get security and quality into the scope of delivery... this isn't a product pitch, but it's two HP guys talking about how products impact software quality, security and overall delivery speed.
Guests:
- Marc Blackmer - Senior Solutions Marketing Manager (HP Enterprise Security Products) - Marc is a seasoned veteran of the Information Security industry with experience going back to high technician days in 1998. Since 2006 Marc has held various technical and engineering roles at ArcSight and has come to learn the SIEM industry better than anyone I know. Marc is one of the rare people who 'gets' how products solve actual problems.
- Matt Morgan - Vice President and General Manager, HP Software Cloud and Hybrid IT - Matthew Morgan is the vice president and general manager of product marketing for the HP Software Cloud and Hybrid IT software organization, a $2.5B software business delivering solutions used by 100,000s of users to successfully define, deliver, and manage business software in a cloud and mobile world. Matt has 20 years of experience in the Internet and IT business application industry. In his time at HP Software, he has held multiple executive roles including leading the commercialization of HP Application Lifecycle Management, launching HP's first mobile testing and monitoring solutions, and leading a shift to digital marketing operations.
DtR Episode 21 - Guests: Wickett, Galbreath, Saudan - "Deploy faster, safer"Aug 30, 2012 45:02
In this episode we ask the big question of "Can security be a part of the 'build/deploy faster!' culture?" We discuss the need to separate out high/low risk code, understanding how to deploy dormant components of the applications, proper testing strategies and branching/merging in a world where faster isn't just an ask, it's a need to stay competitive.
A huge thank you to all my guests for their time and expert insight. The combined talent and experience of my 3 guests is something you should absolutely take a listen to, as these gentlemen really know what they're talking about - whether it's Information/Application Security, or DevOps ... this is a discussion that bridges both with expert precision.
Guests: Nick Galbreath - Nick's LinkedIn profile says he's been at 5 early to very early startups, all sold, IPO'd or huge - all dealing with massive scaling in load and large data sets. Facebook now owns a half-dozen of his patents on social graphs, and Google is using some of his code in Chrome! On top of that, he's written a book on cryptography too... when he's not out building start-ups, Nick's speaking/teaching or hacking away at code to find better, bigger exploits and fixes.
James Wickett - James is an innovative thought leader in the DevOps and Information Security communities, and has a passion for helping big companies work like start-ups to deliver products in the cloud. He got his start in technology when he ran a web startup company as a student, and James is currently employed as a Senior DevOps Engineer working on launching cloud-based products for the Embedded Software division of Mentor Graphics. James' bio is linked here.
Olivier Saudan - Olivier is a software security analyst with 10 years' experience in operations (including Information Security) and a significant development background. He keeps his identity and employer a mystery due to the nature of his work, and the need for discretion.
Links: Recent podcasts on DevOps with Gene Kim (part 1 [Episode 10], part 2 [Episode 20])
Nick Galbreath's "Client9" - http://www.client9.com
James Wickett's blog - http://blog.wickett.me
DtR Episode 20 - Guest: Gene Kim - DevOps live from HP Discover Las VegasAug 6, 2012 00
This episode was recorded in June '12, live from the show floor at HP Discover Las Vegas, 2012, and the talk of the town was once again DevOps. Gene and I have had two prior conversations on the topic, but we're once again tackling the impact of DevOps on the IT and security relationship and overall business value. We tip our hats to several people including Josh Corman (Rugged DevOps), David Mortman, James Wickett, Nick Galbreath and Mr. Daniel Blander for their prior contributions and supporting work on the topic. Gene talks about some of the mechanisms we have available to us to bridge that IT Security-to-developer-to-operations gap that's holding us back from true business value. Fun fact: studies have found that when you wake up a developer at 2am to solve an issue, problem resolution times plummet!
Enjoy the podcast, and go grab Gene's books when they're available... comments are welcome!
Guest: Gene Kim - Gene is finishing up the third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," [highly recommended reads for any IT professional who aspires to high performance] scheduled to be published in August 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives. LinkedIn profile, just in case you have never had the pleasure - http://realgenekim.me.
Gene Kim's publisher website (mentioned in the podcast) - ITRevolution.com
DtR - Episode 19 - Bob Arno: The world's foremost legal pickpocketJul 11, 2012 36:18
This episode is special, not because it's more Info Security stuff, but because we take a far departure from the world of bits and bugs to the world of the pick-pocket and thief. Sitting down with Bob Arno is a real pleasure, as he has the storytelling ability and knowledge to educate and open your eyes to a world where nothing is as it seems and anyone can be separated from their valuables. Yes - this extends into the world of Information Security, and there are lessons to learn.
In this episode Bob and I talk about picking pockets, keeping yourself safe, and the world of criminal activity in the physical and digital worlds... Bob is also speaking at Hacker Halted, Miami 2012, so if you listen to this episode and are thinking about going ... there's a contest coming! Stay tuned... and you can win an exclusive, private dinner with Bob in Miami!
Bob Arno is widely known as the "World's foremost legal pick-pocket". He's performed on stage, on television and has provided advice to travelers on how to keep from being roused... Bob is a speaker, entertainer, author, and special lecturer to law enforcement agencies. He has been profiled or quoted on NPR, CNN, MSNBC, ABC’s 20/20, The Travel Channel, The Learning Channel, Discovery, Court TV, in The New York Times, USA Today, Fortune, Kiplinger’s, National Geographic Traveler, Law and Order, and others. He has lectured for the Police Departments of Chicago, San Diego, Houston, Las Vegas, Detroit, Honolulu, Anaheim, and many abroad; for the California Tourism Safety & Security Conference, the International Tourism Safety and Security Conference, and many others; for Kroll & Associates, RSA Security Conference and Expo, and more. He taught an accredited course at the Connecticut State Police Training Academy.
Links: Bob's main site: http://www.bobarno.com
Amazing YouTube video - Traveling Europe (Naples, Italy) and unmasking the pickpocket tactics: http://www.youtube.com/watch?v=mUHAQnyVveg
Travel advice from Bob Arno: http://www.justluxe.com/travel/luxury-vacations/feature-1702026.php
Down the Rabbithole - Episode 18 - Kellman Meghu: Chaos, Resiliency, and moreJul 2, 2012 00
I caught up with my friend Kellman Meghu at BSides Detroit as the conference was coming to a close and we finally got to sit down and have a fun conversation about chaos, and what sorts of things enterprises can realistically do to increase security today. We both work for vendors so we talked about "shiny blinky boxes", when things fail, and the notion of resiliency. Fun conversation ensues ... with a random sprinkling of security buzzwords.
Kellman's famous quote from this episode is "I can hand you this tool, and that doesn't suddenly make you any more secure than if you hand me a hammer I suddenly become a carpenter." Wise words to live by folks, wise words indeed. Spend a few minutes with Kellman and me, and see why he's one of my favorite people to interview.
Guest: Kellman Meghu - Kellman Meghu is Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc., the worldwide leader in securing the Internet. His background includes over 15 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISPs in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. You can find him on Twitter and LinkedIn ... I highly recommend a conversation, he's a very smart guy.
Down the Rabbithole - Episode 17 - Adam Shostack on New School SecurityJun 19, 2012 36:24
Greetings fans, this episode promises to be a great one, with the likes of Adam Shostack starting off talking about what the whole concept of "New School Security" is all about, and how it differs from the way we've all done it for the past 15+ years. Adam and I talked through some new, interesting ideas for moving the information security community and discipline forward, and even commented on how we can start to overcome the security community's focus on 'secrecy' when things go wrong. How do security professionals understand what the desired outcomes should be, then start to move towards implementing pragmatic approaches to get closer to those desired outcomes? Because in the end it's really about business and getting it done, not about 'security'.
You will be sorry if you miss this episode!
Guest: Adam Shostack - Adam Shostack is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security.
Links: Adam on Twitter: @AdamShostack
The New School Security blog: http://newschoolsecurity.com/
MicroCast 04 - Kevin Riggins & Kenneth Johnson - QA + Security Software TestingJun 15, 2012 00
Last winter, on a frigid afternoon, I got a chance to sit down with two of my favorite Iowa locals, Kevin and Kenneth, to talk about the tenuous relationship between QA and Information Security. Earlier in the day I had given a workshop on software security testing (of the web variety) to a Vivit user group, and with that topic and their questions/concerns fresh in my mind I settled down for a 30 minute conversation with Kevin and Kenneth ... we essentially continued the conversation from Episode 3 (please give that a listen if you haven't yet to get a background).
Some of the questions we tackled included "Which team within the software development or security organization is best positioned to test the security of applications?", and "Can Information Security ever really thoroughly test an application without the full context?" ...and much more.
Give this episode a listen!
Guests: Kevin Riggins - @kriggins - Kevin is a veteran of the Information Security community with many years' experience in vast IT systems and a quality, development and systems background as well.
Kenneth Johnson - @patories - Kenneth has been in the Information Security field for the last six years, with five of those years working as an IT Analyst for Principal Financial Group. He graduated in 2007 with a BS degree in Information Systems Security from ITT Tech, and he is currently attending Iowa State to pursue a Ph.D in Information Assurance, with a specialization in Digital Forensics, Incident Response and Malware Analysis.
Feature - Welcome to HP Discover Las Vegas 2012Jun 5, 2012 00
Greetings friends! I am taking some time to do something a little out of the ordinary right now... I'm coming to you from beautiful Las Vegas, Nevada and HP Discover 2012 where the theme is Make it matter.
Rather than doing yet another blog post on how beautiful the show floor is, and how amazing the content is going to be, I've recorded a little bit of audio, about 6:30 minutes or so, to give you a feel for what we're up to, what's going on, and why I'm downright giddy with excitement.
Down the Rabbithole - MicroCast 3 - Paul Elwell + Albert School - Measuring SecurityMay 30, 2012 00
This episode of Down the Rabbithole microcast (~15 minutes length) was recorded live at the Ohio Information Security Summit.
Albert and Paul were kind enough to sit down with me and discuss metrics and process - and essentially what demonstrating "good security" means to an enterprise. "Can we ever get there?" Where is there? Understanding the basics of security, measurement, and whether, if we really do a great job, Information Security can work itself out of a job ... those are some heavy topics for a mini-podcast. Enjoy!
Feedback is always welcome
Guests: Paul Elwell - Security Specialist for a Fortune 500 company
Albert School - Application Security Specialist and Penetration Tester at a Fortune 500 company
Down the Rabbithole - Episode 16 - Spacerog and Shpantzer talk CyberPocalypseMay 26, 2012 00
In this episode, streamed live and recorded for your listening pleasure, I'm joined by @SpaceRog and @Shpantzer from Security BSides Delaware. What started out as an off-the-cuff discussion on the 'Cyber Apocalypse' quickly materialized into a much longer discussion which dove into various aspects of infrastructure security, critical protection and even the inability to separate the physical from the cyber worlds. Join us for a little bit of nostalgia, a little bit of knowledge and a lot of commentary from these two very smart staples of the security community.
This is one of those conversations which I barely edited... it was free-flowing, entertaining and insightful. I hope you enjoy it!
Guests: @Spacerog - Spacerog is one of the founders of L0pht, and founder of the HNN (Hacker News Network) way, way back in "the day"... He has a full profile here.
@Shpantzer - Shpantzer is a veteran of the security industry and describes himself as "Information security and risk management consultant. Strong project manager with interdisciplinary skillset to solve complex business and technical problems." He also writes for the "Shpantzer on Security" blog (which you should be following).
Down the Rabbithole - Episode 15 - Backstage at THOTCON 0x3May 8, 2012 00
It's rare that I get to be a spectator at a podcast, but in this case I was listening to some of the conversations and talks being given at Chicago's very own THOTCON 0x3, and decided it would be valuable to you to get some of the conversation movers on the microphone. We started talking about the applicability of information security conferences to your "day job", got into a discussion on "hallway con" and then went down the rabbithole on some interesting tangential topics ... and of course the fresh rap from DualCore was awesome. I hope you enjoy the episode ...
Guests: Georgia Weidman - Georgia is an independent consultant, penetration tester and mobile device hacker.
Ken Swick - Ken is a security manager from the Financial Services vertical with many years' experience in defending corporate networks, and bringing business value to information security programs.
DualCore - DualCore ... what can I say - dropping raps like packets straight to your ears ... DualCore music is what you should hear.
Down the Rabbithole - Microcast - THOTCON 0x3_1Apr 28, 2012 16:24
In this short microcast we rap about the THOTCON 0x3 experience, why we think the Chicago community has taken off so much, and what sorts of interesting things make THOTCON, and the local hacker con here in Chicago, so attractive to people from around the world. Yes, there is comedy involved...
Guests: Todd - Audio genius, InfoSec luminary, pen tester ...better known to his Twitter fans as @Phoobar
Ben - Ben is a Chicago suburban staple, first time on the microphone, otherwise known on Twitter as @Ben0xA
Down the Rabbithole - Episode 14 - Dave Frederickson on Cloud RealityApr 25, 2012 40:57
This episode I sit down with Dave Frederickson, who has a unique viewpoint on cloud computing from a Canadian point of view, and as a VP of the HP Canada business. I pose some tough questions to Dave including "Is 'cloud' just marketing hype?" and other discussion topics, and we have a good chat on the reality of cloud computing, who's adopting it and how it's changing and revolutionizing Information Technology at the pace of business. This is another great podcast in the cloud series, and you should not miss it!
Guest: Dave Frederickson - (Vice President & General Manager, Enterprise Servers, Storage & Networking Business at HP Canada) - Dave Frederickson is the VP of the ESSN group and is located in HP Canada's HQ in Mississauga, Ontario. He is responsible for leading sales, pre-sales, channels, marketing and product management teams, achieving top and bottom line and market share objectives. His role also includes responsibility for Enterprise marketing for HP and linking HP services and software. He is a board member of Sharcnet and Schulich Corporate and Social Responsibility.
Down the Rabbithole - Episode 13 - Mark Radcliffe - The Ts and Cs of Cloud ComputingApr 2, 2012 18:48
On this episode of Down the Rabbithole I get the distinct pleasure of sitting down with one of Silicon Valley's top attorneys to talk Cloud Computing T's and C's ...and let me tell you this was a wild ride. I learned a lot, including about a famous legal court case about a tugboat captain and the use of radar ... and what all that CAPSLOCK PRINT ON SOFTWARE LICENSE AGREEMENTS means ...and so very much more. Join me, and learn a little bit more about the legal aspects of cloud, before you find out the hard way. This is a do-not-miss episode.
Mark Radcliffe [DLA Piper] - Mark F. Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing and copyright and trademark.
Leading international legal publishers consistently rank Mr. Radcliffe among the top lawyers in his profession. The respected English publishers Chambers and Partners has repeatedly named him in Chambers USA: America's Leading Lawyers for Business, and has described him as "outstanding" and "a leader in open source-related matters." Legal 500 also recognizes him, commenting: "His expertise in providing strategic IP advice, with particular specialism in open-source matters, has won him plaudits. Indeed, one client describes him as 'probably the best lawyer in his field.'"
More on Mark on his profile page: http://www.dlapiper.com/mark_radcliffe/
Special - Cloud Legal Panel - Chicago Cloud Security Alliance Chapter Meeting March 7th, 2012Mar 21, 2012 01:00:18
This one-hour podcast was recorded live at the March 7th Chicago Cloud Security Alliance chapter meeting, where we were fortunate enough to have a panel of attorneys discuss the issues with cloud security from a legal perspective. I hope you find the content stimulating, if not a little bit worrisome.
Apologies for some of the flaws in the audio, but this was an ad-hoc recording and I didn't have time to clean up the taps and paper shuffling that the super-sensitive microphone picked up.
This was the first recording using the mobile Zoom H4n, and I think you'll agree it's an amazing piece of tech.
This podcast is posted as-is, and hosting is provided courtesy of HP.
Down the Rabbithole - Episode 12 - Chris Hadnagy - Hacking the Human (mind)Mar 6, 2012 39:36
The guest on this podcast will blow your mind ... literally. He is none other than the "human hacker" himself, Christopher Hadnagy, who has written a book and now runs social-engineer.org. Chris is a long-time friend of mine and an invaluable resource in the psy-ops James Bond style social engineering world. Chris knows his stuff, and he's willing to teach you if you're willing to listen... so buckle down and get educated on social engineering background, tricks and even the 6 things your company must do to prevent being a victim of social engineering attacks. Oh ... and let's not forget, somewhere in this episode Chris makes you an offer you can't refuse, just for you Down the Rabbithole listeners, how cool is that? If you've ever thought about taking a class, or having your organization fortified against social engineering attacks but didn't think it was within your budget - listen to this podcast ...
Christopher Hadnagy - Chris, or as his friends on Twitter know him - @HumanHacker - is a fountain of knowledge on social engineering and the art and science behind corporate-level offense and defense using the human mind. Chris has written a book called Social Engineering: The art of human hacking, and runs social-engineer.org contributing to community through teaching, speaking and writing as well as hosting a heck of a podcast on the fascinating topic of social engineering. Chris's organization offers SE penetration testing, education and is at the forefront of social engineering tactics for the defensive good.
Links: The official social engineering portal - Social-Engineer.org
Register for social engineering training & services through Chris's organization here
Down the Rabbithole - Episode 11 - Nathaniel Dean discusses software security red teamsMar 1, 2012 26:05
I had the pleasure of sitting down with Nathaniel Dean, someone I had met through a mutual colleague's introduction, and hearing about a neat concept that takes the software security program to a new level. Interestingly enough, Nathaniel runs a red team, but it's guaranteed to be unlike any red team you've probably ever worked with. The crazy thing? It's working. We talk through the mechanics, psychology, and business implications of what he's driving, and how he's rolling up his sleeves and getting it done, which is probably more important than anything else.
Jack in and get a 25-minute dose of knowledge from someone I know you'll learn something from.
Guest: Nathaniel Dean - Business Information Security Officer at a major financial institution. Nathaniel has been managing and building programs in this space for a long time, and his experience shows.
Down the Rabbithole - Special - "Master the Cloud" Calgary (w/celebrity guest Adam Growe)Feb 11, 2012 31:26
We were "live to tape" (as Adam says) from HP's Master the Cloud event in Calgary. As we wrap up the road tour in the frozen city of Calgary I had the pleasure of sitting down with a comedian and celebrity, a technical expert on virtualization from HP, and the manager of Intel's advanced server technologies team. This was a wild, off-the-rails discussion and you can really tell we were just having a good time and excited to wrap up the tour. Great topics of discussion...
Topics covered in this episode include...
Hypervisors and their value to cloud computing, virtualization and hacking
Why are hypervisors critical to cloud computing?
Will Intel build a hypervisor into the silicon?
How robust driver stacks keep hypervisors 'safe' on the software level...
"Raising the bar" on security (analogies of a department store)
Virtualization of compute resources & BYOD ...slightly off the rails
Federation of identities, and applied to social media
Special Guests: Jake Smith (Advanced Server Technologies Manager at Intel Corp.) - Jake was a keynote speaker at HP's "Master the Cloud" tour across Canada, speaking about Intel's vision for a more connected, more virtualized, and more secure Cloud Computing environment, including Intel's partnerships with HP and some of the advancements they have embarked on together. Jake can be found on LinkedIn here: http://www.linkedin.com/in/jakesmith42
Adam Growe (Celebrity host of Cash Cab Canada) - Adam is the host of Canada's "Cash Cab" show on the Discovery Channel. Additionally, Adam has his own quiz show ("The Adam Growe Quiz Show") and is a recognized celebrity, accomplished comedian and emcee, and has the uncanny gift to derail any boring IT conversation! Adam can be found on Facebook here: http://fb.com/AdamGrowe and on his own site: http://adamgrowe.com - on behalf of HP I wish to thank Adam for his presence and making us all chuckle.
Emrah Alpa (HP TippingPoint technical specialist) - Emrah, in addition to being an accomplished DJ, is the Northwest Canada regional HP TippingPoint technical expert.
Links: HP TippingPoint Secure Virtualization Framework (SVF) - http://h17007.www1.hp.com/us/en/solutions/security/svf/index.aspx
Federation (federated identity) - http://en.wikipedia.org/wiki/Federated_identity
Down the Rabbithole - Episode 10 - "The real Gene Kim" on DevOps, KPIs & high performance ITFeb 6, 2012 39:59
World-renowned author, researcher, speaker and founder of the legendary Tripwire joins me semi-live from LASCON in Austin, Texas to talk about his current project(s) [The DevOps Cookbook, and When IT Fails: A Novel], and his book Visible Ops, and how this can all be applied to security in today's tough business climate. Gene and I discuss what it is in the DNA of well-performing (or "agile") IT organizations, based on Gene's research and experience, that enables them to not only perform better, but also serve the business faster. These high-performing organizations all have things in common, and you may be shocked to hear it's not heaps of money, or resources, or "powerful" CISOs. The experience was a pleasure and I guarantee you'll learn something from this podcast, and I highly encourage you to add Gene's books as a staple of your career-building library.
Guest: "The real" Gene Kim - I am working on my third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," scheduled to be published in June 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives. LinkedIn profile, just in case you have never had the pleasure - http://realgenekim.me.
Down the Rabbithole - Special - "Master the Cloud" TorontoFeb 1, 2012 21:24
I sat down at the HP Master the Cloud (hp.com/go/cloud) event in Toronto, Canada to answer some Twitter-based questions, talk about the trade show, and listen to some of the fantastic things Victor and his team are working on right now in their incubator ... and it was a really great 20 minutes. We covered the questions below (posted directly from Twitter, special thanks to all who participated) and talked about technology, the evolution of security, and how organizations can take advantage of this shift as technology turns the corner in a new operating and delivery paradigm. Is cloud right for everyone? Probably not. Is cloud right in every situation? Probably not. This is exactly why you need to listen to Victor ... this is definitely a worthwhile way to spend 20 minutes of your time.
Questions from Twitter:
"What's your perspective on letting the entire Internet pen test your service in a sandboxed environment?" -- HackBlat (@HackBlat)
"Virtual processing is great, but how are we supposed to layer on data privacy? IoW - w/the "To the Cloud!" rush, why aren't there any (effective) integration patterns emerging? Lift & Drop is bad for data." -- awpiii (@awpiii)
"How does one establish bandwidth requirements when establishing a pipe to a cloud service?" -- RonService (@RonService)
"Vendors routinely sell something they are not using themselves. What percentage of HP infrastructure is running in a public cloud offering?" -- brew_ninja (@brew_ninja)
Guest: Victor Garcia (CTO HP Canada) - Victor is the Chief Technology Officer for HP's Canada business, leading the business in technology & business strategy, incubation and commercialization of new technologies, strategic alliances, and systems integration as well as business management. Victor's LinkedIn profile is here.
Links: "The security poverty line" from Wendy Nather of the 451 Group (podcast with Alan Shimel) - https://gpodder.net/podcast/securityexe-powered-by-the-ciso-group-with-alan-shimel-1/security-below-the-poverty-line-with-wendy-nather-of-the-451-group
Down the Rabbithole - Special - "Master the Cloud" MontréalJan 27, 2012 22:10
This special episode of Down the Rabbithole is sponsored exclusively by HP Canada, and I wanted to thank them for hosting this fantastic event! In this episode I sat down with Charlie Bess and EG Nadhan to talk about Cloud Computing. Now, this isn't your standard cloud discussion ... no my friends, these are two of the top technologists HP has to offer from the labs and services organizations, talking about the paradigm shifts in computing that "the cloud" offers. We talk through business adoption, getting over the "it's cheaper" mentality, security ... and even some of the things learned here at the event in Montreal.
What a fantastic opportunity to pick the brains of some extremely smart people, and hear their responses to one of the most difficult and rewarding business shifts in technology in the last 10 years. You're not going to want to miss this.
Guests: EG Nadhan - Distinguished Technologist, HP Enterprise Services
Charlie Bess - Fellow, HP Labs
SecBiz Monthly Call - January - "Eating our own dogfood"Jan 26, 2012 40:18
This month's call kicks off 2012 with a big question - "Do security professionals follow their own policies?" ... and as we talk through this issue we discover that there are other subtleties to this question. Does it make sense for Information Security to have separate accounts for general and administrative access? Does a security policy fail if it does not account for 'exceptions' to that policy - legitimate exceptions? What about an exception policy that allows information security professionals to navigate complex policy issues and receive 'allowances' to do their jobs without being limited by the general user policy?
These are complex questions that we tackle, and offer some guidance for ... and in the end, things aren't as simple and black-and-white as we'd all like ... you'll just have to listen to hear the advice we dispense!
Guest [Co-Host]: Michelle Klinger of EMC Consulting joins me to co-moderate the first SecBiz 2012 monthly call. Michelle is currently a consultant with EMC.
Down the Rabbithole - Episode 09 - Jeff Reich Explains "Table Stakes" and Other InfoSec GeniusJan 16, 2012 40:25
This episode with Jeff was awesome. Recorded at the OWASP LASCON security conference, I got a chance to sit down with Jeff in person and talk shop. I always learn something, but in this podcast Jeff dispensed his usual wisdom in buckets; I could barely write this stuff down fast enough. We covered the raising of the "information security table stakes", and what the last 15 years have meant to the information security profession in terms of evolution. We went into a discussion on how information security can avoid being a cost center and feeling the traditional expansion and contraction with workload and economic times, and I learned what the phrase "it was a business decision" really means. In case you need one more compelling reason, Jeff brought up yet another gem when he discussed how the business pushes the boulder off the cliff, then expects information security to change its trajectory mid-fall ... you're not going to want to miss this. I had a wonderful time catching up with Mr. Reich, and you'll enjoy this podcast, that's a promise.
Guest: Jeff Reich - (hint: it's pronounced "rich") - A solid history of developing and providing expertise and leadership on information security and all associated disciplines by integrating Managed Risk into the business in the energy, manufacturing, technology and financial services industries. Successfully created and implemented comprehensive Security and Risk Management Infrastructure for a large oil and gas company as well as four of the largest Internet and e-commerce providers in their respective industries. Holds a national reputation of excellence through results, publications and presentations of value. Known for ability to hire, train and inspire high performance teams that support and help drive the core business structures. [LinkedIn: http://www.linkedin.com/in/jreich]
In addition to that, I've known Jeff for a very, very long time throughout his illustrious career, and have always been amazed by his ability to dispense one-liner wisdom, like this one on a recent blog post on "The compliance hamster wheel": "I have been saying for years that simply chasing compliance is like chasing your tail. You probably won't catch it and if you do, it will hurt."
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 3)Jan 10, 2012 30:59
This is the third and final part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!
If you're a fan of the dirty world of cyber-crime, botnets, and the seedy underbelly of polymorphic, crypto-virological (I think Will made that word up...) code, you need to hear this episode. It's a great opportunity to hear Will share his experience as we talk through some of the nasty threats, real dangers and critical problems with the way we deal with the continuing digital criminal enterprise. Enjoy the episode!
Guests:
Will Gragido: In addition to being a great guy, and a personal friend of mine ... An information security and risk management professional with over 17 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta's emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 2)Dec 29, 2011 30:39
This is the second part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!
I'm a particular fan of this segment because we tackle education... and the ever-popular how do we train or educate people to be good Info Security people ...and also get into "hacker worship" and other thorny topics. Listen in, this one is especially fun.
Guests:
Will Gragido: In addition to being a great guy, and a personal friend of mine ... An information security and risk management professional with over 17 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta's emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 1)Dec 27, 2011 28:32
This is the first part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!
Guests:
Will Gragido: In addition to being a great guy, and a personal friend of mine ... An information security and risk management professional with over 17 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta's emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.
Down the Rabbithole - Episode 08 - Kris Herrin: Surviving and Thriving with Data BreachesDec 20, 2011 35:33
On this edition of the podcast, Kris Herrin joins me from the ISSA International Conference to talk about his unenviable role as Chief Information Security Officer of Heartland Payment Systems during one of the most epic data breaches in history. For those of you who didn't live in a cave - Kris and his organization turned the ship around ... not only that - this incident was used to help the organization find religion in Information Security and sound risk management practices. Now, as Heartland leads the payment industry in security, Kris talks about his ascension through the ranks to CTO, and how getting in front of the bull made all the difference.
You do not want to miss this episode!
Guest: Kris Herrin - Mr. Herrin is a recognized technology and security executive with international leadership experience in large and small publicly traded companies. Leveraging an extensive history of security, audit, and governance, he brings high energy and a risk-based view to delivering secure and reliable technology solutions to business problems. Mr. Herrin's experience includes transforming traditional IT into a mature, ITIL-oriented service organization, building domestic and Asia-based organizations, and IT crisis management.
Down the Rabbithole - Episode 07 - David Elfering's "As the Security Lightbulb Turns"Dec 7, 2011 33:53
My guest David Elfering (@icxc on Twitter) and I go all over the map covering various SecBiz-related topics, and come up with a fantastic set of quotes including: "No matter how long you hold the light bulb up, the world will not revolve around InfoSec" and other gems. We talk through how to present to a business group or executive, the communication and writing skills required, and various other topics related to bridging the business - security gap. This is a great episode to listen to - we cover a lot of ground.
Guest: David Elfering (@icxc) - David is the Senior Director of Information Security over at Werner Enterprises out of Omaha, NE. David is a veteran of the IT industry providing leadership at corporate level, building and leading the security program and infrastructure for a two billion dollar, multi-national corporation. Experience at community, state and national levels with FBI InfraGard, Nebraska Infrastructure Protection Council and the SANS Institute. Able to translate information security practices to business advantage. Experienced speaker, instructor and mentor. Member ISSA CISO Executive Forum. CRISC #1115272
Down the Rabbithole - Episode 06 - Jeff Moss Talks Internet EvolutionNov 22, 2011 32:39
In this edition of the podcast, I sit down with Jeff Moss (@TheDarkTangent) to talk about all of the interesting evolutions currently going on in the Internet age. As one of the people who has watched the cyberpunk culture evolve from the dark culture of hacking for curiosity, through the "dot com boom" and now into mainstream business, he has some interesting commentary on how we've evolved as a culture and a group. We also talk through some interesting hacker vs. government regulation topics, and IPv6 of course! Listen in, and hear all the really exciting things Jeff has to say.
Guest: Jeff Moss (@TheDarkTangent) - In addition to being the founder of the Black Hat and DEF CON hacker conferences, Jeff has been a member of the Department of Homeland Security Advisory Council since 2009. Currently Jeff is the Chief Security Officer at ICANN, the Internet Corporation for Assigned Names and Numbers.
Down the Rabbithole - Feature MicroCast 02 - "The Erosion of Privacy"Nov 15, 2011 43:07
This is perhaps the most important podcast I've recorded to date, and probably will record for some time. The guests on my show in this episode are not only privacy experts, but people who deal with digital privacy every day ... and are just as appalled as I am about the rapid erosion of privacy in the modern digital age. From 4Square to the automated toll collection system - you're being tracked when you tweet, drive, and buy discount paper towels at your local market ... and technology is making it ever easier to willfully give up your privacy.
STOP the madness! This episode just scratches the surface on all the different methods we're giving away our reasonable expectation of privacy, and how corporations and governments are hastening its demise.
My guests on this podcast wished to remain anonymous (lower-case A) except for their Twitter handles. Join me in thanking them for their time, thought, and insight: theprez98, grecs, infojanitor
Links:
OnStar spying on drivers/passengers - http://www.autoblog.com/2011/09/21/gms-onstar-now-spying-on-your-car-for-profit-even-after-you-uns/
Divorce cases swayed by FaceBook, social media - http://www.knoxnews.com/news/2010/jul/25/in-the-age-of-facebook-divorce-battles-go/?print=1
Down the Rabbithole - Episode 05 - Bryan Stiekes Says InfoSecurity is Fundamentally BrokenNov 7, 2011 40:17
This week I host Bryan Stiekes, a distinguished technologist with HP ... and not a security guy by trade. Bryan has been a part of IT for a very long and distinguished career, with a background in networking and architecture. Bryan's premise is that Information Security is at its core fundamentally broken ... and I can't say I disagree. We discuss the different aspects of what's been wrong with modern information security, and whether this is a good time to be in the 'business' of IT.
This is a fascinating conversation for anyone who's feeling lost in IT Security ...and looking for some light at the end of the dark tunnel we've managed to wander into.
Guest: Bryan Stiekes - Distinguished Technologist, Hewlett Packard - Bryan Stiekes is an HP Distinguished Technologist with a focus on network strategy and cloud services architecture. Bryan brings deep experience in secure networking and in multi-tenant services architecture to this role. Recently he's been focusing on the emerging 'as-a-Service' ecosystem and how that ecosystem impacts enterprise network and security models ... and a Jedi Master.
Down the Rabbithole - MicroCast 01 - Security is Just Good ITNov 1, 2011 15:34
This is the first MicroCast, a new 15-minute format jam-packed with a series of great topics. This time around, Jack Nichelson joins me and tells us how Bruce Lee feels about IT Security (this is a great quote!), why really good IT Security is just really good IT, and whether we will all be replaced by "Cyber-Insurance" policies. Yikes ... this is definitely 15 minutes you'll be happy you listened to.
Guest: Jack Nichelson - Jack is an information security officer at a very large industrial enterprise. Jack's background is not IT Security, but he is a veteran of technology, and a master story-teller. Jack can be found on Twitter as "@jack0lope".
Down the Rabbithole - Episode 4 - Effective Small Business SecurityOct 25, 2011 43:35
This is a special episode for anyone who's feeling like "Information Security" in their small business is impossible. My guests and I talk through how to make information security a proper entity that can both serve the business need, and be respected; more than just survival, it's about making security thrive in the small business. Michael pontificates on what makes the security community such a valuable resource to security managers in his position, and we go into what advice you could give a vendor selling into a small business ... what a fascinating discussion!
Guests:
J.W. Goerlich - Network and Security Manager for a midwestern financial organization. Wolfgang has 15 years in IT, with an InfoSec focus for the past 5 years. He has a deep background in risk management and business continuity for SMB firms.
Michael Allen - Information Systems Security Officer for a Jamaica-based financial institution. Michael has over 8 years' experience in IT, with a focus on InfoSec during the last 4 years. He has a strong background in application development with a keen interest in penetration testing, software security assurance and network security.
Links:
The "SecBiz" group on LinkedIn: http://www.linkedin.com/groups/SecBiz-4001160?gid=4001160&trk=hb_side_g
Down the Rabbithole - Episode 3 - "QA and Security, Can we make it work?"Oct 11, 2011 30:04
Over the past year and a half or so, I've been pushing hard to change the paradigm around secure software - specifically the testing aspect of it, to incorporate a much heavier emphasis on quality assurance. That conversation spilled over into an OWASP conversation, which led Glenn, Rohit and me to sit down and record this conversation - as we appear to be of like mind. While it's not trivial to incorporate security testing into quality assurance, it's not impossible, and in fact, more practical than you may think.
In this segment we discuss what security testing in a QA team looks like, how it's potentially split up, and whether we can really and truly make it work. Glenn provides his practical perspective being an implementer of this methodology, while Rohit and I provide an across-the-industry discussion and commentary.
I think you'll find this podcast episode fascinating, especially if you're struggling with the QA/Security relationship.
Guests:
Rohit Sethi - VP Product Development at SD Elements (http://www.sdelements.com)
Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, SecTor, Infosecurity New York and Toronto, TASK, the (ISC)2 Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.
Glenn Leifheit - Lead Information Security Consultant at FICO (http://www.fico.com)
Glenn Leifheit, CISSP, CSSLP is a Senior Security Architect at FICO. He has worked in developing, managing, architecting and securing large scale applications for over 15 years. His day is spent rolling out an Enterprise secure software development lifecycle and managing PCI requirements as well as secure software reviews. Glenn is active in the Technology community as the Co-Chair of the (ISC)2 Application Security Advisory Board, President of TechMasters Twin Cities, as an active member of IASA (International Association of Software Architects) and OWASP (Open Web Application Security Project), as well as a regional speaker evangelizing secure software. Glenn's blog is located at www.glennleifheit.com.
Links: No links for this podcast...
Down the Rabbithole - Episode 2 - "Can You Be Hacked Out of Business?"Sep 29, 2011 35:31
This edition of the podcast doesn't hold back. We ask "Can someone be hacked out of business?" and as usual we don't really like the answers we come up with. While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conclusion that I don't think any of us are comfortable with ... at least not one that we were willing to say out loud, until now. So is it possible? Is DigiNotar being "hacked out of business", as Dark Reading suggests, all FUD? Listen and find out where we go with this topic!
Guests:
Rob Hale (UK) - An entrepreneur and industry commentator, Rob has over 12 years of experience working in the Security industry, with integrators, channel partners and vendors, providing advice and solutions for Enterprises & Government agencies to secure their networks, systems and data from internal and external threats.
Martin McKeay - Security Evangelist, Akamai
Rafal Los (aka the "Wh1t3 Rabbit") - HP Enterprise & Cloud Security Strategist
Links:
The DarkReading story that started us thinking: http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html
The company Rob brought up which actually was hacked out of business (Distribute IT) - http://risky.biz/distributeit
Down the Rabbithole - Episode 1 - "Everyone's getting hacked, is it time to panic?"Sep 17, 2011 38:26
This is the inaugural podcast episode of Down the Rabbithole.
Our podcast focuses on security, but from a business perspective and shines a light on the often misunderstood connection between Information Security and "business".
Today's guests were:
Chris Nickerson - Founder, Lares Consulting
Will Gragido - Lead Researcher, HP TippingPoint DV Labs
Martin McKeay - Security Evangelist, Akamai
The topic for today's podcast was the question: "Everyone's getting hacked, should I panic?" ...and we also mention the HP TippingPoint DVLabs 1st Half 2011 Cyber Threat Report.
Links:
Chris Nickerson mentions his "12-step blog post" > http://www.laresblog.com/2010/04/confessions-of-secaddict.html
Martin McKeay mentions Sony's "lawyer approach" > http://arstechnica.com/gaming/news/2011/09/mandatory-ps3-update-removes-right-to-join-in-a-class-action-lawsuit.ars
HP TippingPoint DV Labs 2011 Mid-Year Top Cyber Security Risks Report > http://www.hpenterprisesecurity.com/collateral/report/CyberSecurityRisksReport.pdf
The #SecBiz Podcast - Talking "Cloud Security" with Phil CoxSep 14, 2011 51:49
Phil Cox joins Rafal (aka Wh1t3 Rabbit), Martin McKeay and a gallery of others in discussing the issues with the very nebulous term "Cloud Security": what it means, and how we as vendors can realistically help the consumers of cloud get a handle on what the heck this all means.
Fascinating conversation ensues.