We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK a lot long) but I think you'll enjoy the show... 

In this episode...

• Most important cybersecurity-related legal developments of 2015
  • Tectonic Shift that occurred with “standing” in consumer data breach claims
    • Discussion of law prior to Neiman Marcus case, and post Neiman Marcus
    • Does this now apply to all consumer data breach cases?
    • Immediate impact? Companies now liable?
    • Lesson is in seeing the trend and how incrementalism works
• Regulatory Trends
  • FTC & SEC gave hints in 2014, post-emergence of Target details
  • Wyndham challenged authority – came to fruition in August 2015
  • SEC not far behind – significant case in September 2015
  • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
• Officer & Director Liability
  • 2014 – SEC Comm. fired the warning shot … pointed the finger
  • Shareholder derivative litigation
  • Individual liability of IT / Compliance / Privacy “officers”
• Major 2016 Legal Trends
  • Regulatory enforcement … which, by the way, is why NIST is becoming default
  • Shareholder Derivative – much more likely than consumer class actions at this time
  • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they're in the cross-hairs
  • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

In this episode...

Juniper has a backdoor problem

• 2 separate issues, auth bypass & VPN weakness
• backdoor discovered in Juniper devices
• lots of speculation on who put it there, but it was meant to be disguised as ‘debug code’
• enterprise implications - same as before (what's the bigger picture?)
• https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/

Iranians broke into New York dam in 2013 and “had a look around”

• no direct damage done
• US has largest number of ICS connected to Internet
• critical infrastructure is vulnerable, being probed
• this is not a ‘government problem’ - every company has some ICS on their network
• http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/

Facebook announced it’s dumping Adobe Flash

• is this a bigger deal than it sounds like
• HTML5 has its own vulnerabilities and issues though… right?
• *only* for videos, games still in Flash
• Facebook will work with Adobe (really?) to improve security of Flash
• http://www.scmagazine.com/facebook-ditches-flash-videos-to-boost-security/article/461040/

191 Million US voter records found ‘unprotected’ by a researcher

• guy from Texas found the data on an unprotected database
• “Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is required to query all 300-plus gigabytes stored within.” ← What the hell?
• legailty and ethics … again … but that aside is this REALLY an issue?
• same person who discovered Hello Kitty leak.. interesting.
• http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html
• http://www.theregister.co.uk/2015/12/28/security_researcher_spots_191_millionrecord_us_voter_database_online/

PayPal rolls out the welcome mat for hackers

• even if you have an OTP key fob, attackers can get into your account
• apparently they use static identifier info, cannot be changed
• this should probably trouble you
• http://boingboing.net/2016/01/03/paypal-rolls-out-the-welcome-m.html

PCI Council extends encryption deadline

• good thing, bad thing, or something else?
• http://www.bankinfosecurity.com/interviews/pci-council-extends-encryption-deadline-i-3019

In this episode...

• We discuss what in the world is going on in the healthcare space, and why they’re such a target for attackers
• Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying
• We discuss future-proofing “smart” healthcare
• I stumble on “the fundamentals”
• Dustin discusses the security of “data analytics” in the healthcare space
• I ask how we can make health care professionals better security people, without making them security people
• I ask Dustin what the healthcare industry should be doing, going forward into 2016

Guest

• "Dustin" is a progressive CISO at a Fortune 250 Healthcare organization

In this episode...

1. Vizio is getting sued, over data their TVs collect?
   • James provided security tips on the local news station and one of those tips was around the privacy details of your gadgets
   • Companies need to be considering what they are doing with their data
   • At what point does data go from an asset to a liability?
   • Do companies understand the difference?
   • http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing
2. Wyndham settles (caves to) the FTC
   • Agrees to legally be bound to do things they should already be doing .. ?
   • 20 years of audits
   • Interesting ending to the long saga, assuming the courts approve
   • https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
3. The US Federal Bureau of Investigation (FBI) admits to using 0day vulnerabilities
   • Why is anyone surprised?
   • Goes to a question of trust, and that's it.
   • Are these being found anyway through programs like bug bounties?
   • http://searchsecurity.techtarget.com/news/4500260464/FBI-admits-to-using-zero-day-exploits-not-disclosing-them
4. Google introduces DLP into Google Apps
   • So far it's just for their Unlimited customers
   • Are we reaching a tipping point where security becomes a feature and not a stand-alone discipline?
   • Definitely a game-changer
   • Basic patterns and detection built-in FREE
   • http://techcrunch.com/2015/12/09/new-google-apps-feature-helps-businesses-keep-sensitive-information-out-of-emails/
5. Black boxes on ships can be hacked
   • Could be worse, someone could be claiming to make the boat float sideways?
   • Is this a big deal, probably; is it a bigger deal than other things wrong?
   • Who is exploiting this, and how do the good guys fix the problem?
   • http://arstechnica.com/information-technology/2015/12/hacked-at-sea-researchers-find-ships-data-recorders-vulnerable-to-attack/

Thanks for joining us! This is a very important episode with true experts on the topic of cyber insurance. I was lucky enough to get an attorney and a VP of an insurance firm who specialize in the topic and their depth of knowledge and candor may shock you.

The net is that cyber insurance is a positive for our industry.

In this episode..

• Eran says that if you don’t do good security, the courts will frown down upon that
• Keith tells us why insurance covers security, but it does not cover negligence
• We start back on the discussion on the importance of knowing your critical assets
• Keith discusses why the insurance market is essentially a mirror of your program
• Eran talks about how his team dissect and investigate breaches to improve understanding
• Keith and Eran discuss how the process of buying cyber insurance can actually lead to improved security

Guests

• Eran Kahana ( https://www.linkedin.com/in/erankahana ) - Attorney, Maslon, LLP with extensive data security experience and an expert in cyber insurance marketplace.
• L.Keith Burkhardt ( https://www.linkedin.com/in/keith-burkhardt-587b3772 ) - VP, Kraus-Anderson Insurance where he works towards innovative products and services for the industry and has been addressing the cyber insurance market for about two years.

In this episode

I interview Mike Daugherty - author of The Devil Inside the Beltway [Amazon.com link] live from the Security Advisor Alliance first-ever Summit in Dallas, TX. Mike was kind enough to sit down with me (twice, thanks to a tech failure) and tell his absolutely surreal story of what happened to him, his company at the hands of what can only be described as an insane situation.

If you own a business, or manage a business, or work in enterprise -- you need to hear Mike's story. If it wasn't documented and video recorded, you'd never believe it's true.

Truth be told, I've been a supporter of the FTC as an advocate for the victims of breaches - the person who's information is stolen. After hearing Mike's story... I have had my mind completely changed.

In this episode

• We start a constructive discussion addressing the problem of the ‘talent shortage’
• The panel discusses the general lack of understanding of the big picture challenge from both sides: business and security
• The panel discusses basic security issues in an expanding ecosystem of Internet connected things
• The panel discusses some real potential solutions to our talent issue

Guests

• Bryce Austin ( @BryceA )
• Holly Miller ( @OPSEC_Girl )
• Jeff Man ( @MrJeffMan )
• Mike Kearn ( @MichaelKearn )

In this episode...

• Is this seriously the FBI suggestion to companies hit with ransomware?
  • http://thehackernews.com/2015/10/fbi-ransomware-malware.html
  • Sets an awful precedent ... or does it?
  • What other options are there?
  • Would you take this advice?
• Microsoft is opening a data center in the UK ...why?
  • http://thehill.com/policy/cybersecurity/259656-microsoft-opens-uk-only-data-center-following-eu-ruling
  • Have the US spying revelations finally hit home?
  • What about EU Safe Harbor?
  • What do you think, if you're a multi-national Internet company?
• Is healthcare really that far behind enterprise security?
  • http://www.cnbc.com/2015/11/11/us-health-care-way-behind-on-data-security-says-forrester.html
  • Forrester calling out the healthcare sector for being far behind on security
  • Is there more pressure, less attention, or more legacy? (or all?)
  • How do you fix this situation?
• Disheartening (but predictable) state of human weakness
  • http://www.scmagazineuk.com/many-uk-workers-willing-to-sell-their-companys-ip-study/article/452428/
  • Are your employees willing to sell your company's intellectual property?
  • What can you do about it?
• YikYak not so anonymous, can reveal user data to cops
  • http://bigstory.ap.org/article/8535dd899f554fb3b5dd1c9498d610b5/yik-yak-social-media-service-can-reveal-user-data-police
  • Is there any anonymous social media, really?

In this episode

• Rob & Liam discuss the practical applications of threat intelligence for today's enterprise
• We discuss what enterprise threat intelligence really is (and also what it isn't)
• We discuss the place of feeds, tools, processes and people in the mechanics of the program
• We discuss the need to conduct a program-based intelligence approach for the enterprise

Guests

• Liam Randall ( @hectaman ) - With a career spanning 20 years, Liam Randall has worked at every level of the information systems pipeline- from building and operating large networks, developing and maintaining large 100M+ e-commerce solutions, to designing and implementing global network security monitoring sensor grids. A frequent speaker and trainer at security conferences Liam has trained over 1000 students on advanced incident response with a focus on leveraging the open source Bro Platform. 
  • https://www.linkedin.com/in/hectaman
• Robert M. Lee ( @RobertMLee ) - Robert M. Lee is the founder and CEO at Dragos Security LLC where he helped design and build CyberLens - a cyber situational awareness software tool for critical infrastructure networks. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was named one of Passcode’s Influencers and awarded EnergySec's 2015 Cyber Security Professional of the Year.
  • https://www.linkedin.com/in/robert-m-lee-b2096532

In this episode...

• Turn any old car into a "smart car" for $200 with this new miracle device
  
  • "BACKED BY FROGVENTURES, VOYOMOTIVE IS TACKLING THE BURGEONING CONNECTED-CAR SPACE"
  • Could be a fantastic idea
  • Could be an awful idea
  • Has anyone considered the security ramifications?
  • What about privacy?
  • http://www.fastcodesign.com/3052012/this-device-will-turn-your-clunker-into-a-smart-car-for-200?utm_source#4
• OMB preps cyber sprint follow-up
  • Michael's take on "gap focus": http://www.csoonline.com/article/2992553/security-leadership/stop-focusing-on-gaps-to-gain-influence-as-a-security-leader.html
  • Hoping for 75% authentication for 2FA - not exactly great
  • Lots of challenges here, but is this the right thing to do?
• TalkTalk breached, 3 teenagers arrested, CEO goes tone deaf
  • CEO says they "were not legally required to encrypt client information"
  • Teenagers arrested in breach
  • The poster child for having a breach preparedness plan, before the cameras start rolling and media starts calling
  • https://hacked.com/british-police-arrest-15-year-old-telecom-hack-ransom-demanded-bitcoin/
  • http://www.theregister.co.uk/2015/02/27/talktalk_admits_massive_data_breach/
• Lots of talk on security - but is anyone talking to each other?
  • http://www.eenews.net/stories/1060026736
  • http://cjonline.com/news/2015-10-25/bbb-small-business-cybersecurity-hackers-are-not-just-trick-or-treaters

In this episode...

• Raf sits down with Howard Shmidt to talk about Cyber Security from the public to private sectors and everything in between.
• Howard & Raf talk through challenges of cyber security in the board room
• Howard gives us some of the challenges that government faces, from his experience
• Don't miss this episode!

Guest

• Howard A. Schmidt ( @HowardAS ) - Former Supervisory Special Agent,Director of Computer Crime and Information Warfare, AF OSI, Former CSO Microsoft Corp. Former Chairman of White House Critical Infrastructure Protection Board, VP, CISO eBay Inc. Special Agent, US Army CID (Reserves). Law Enforcement Officer Chandler Police Department, AZ

In this episode...

• Standard & Poor's Adding Cybersecurity to Ratings
  • The headline
    • In a report issued this week, the rating agency says it could issue a downgrade before a cyberattack if a bank looked ill-prepared, or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages.
  • Behind the curve? Stop.
    
    • Michael wrote about it this week - stop calling it gaps…
  • 16 questions… good start?
    • How long has it typically taken to detect a cyberattack?
    • What containment procedures are in place if the bank is breached?
    • How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
    • What's the internal phishing success rate?
    • What kind of expertise about cyberattacks exists on the board of directors?
    • How much does the bank spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?
  • Including security in the ratings - and we’re crying?
  • Claim this leads to more insurance… how about that…
  • http://www.bankinfosecurity.com/sps-cybersecurity-warning-late-to-game-a-8556
• Crisis Services Top Insurers’ Cyber Claims Payouts; Average Claim at $674K
  • This is interesting; and it’s a good data point, too -- in contrast to the “costs” we hear about in briefings all the time.
  • Saw other stories that suggested the insurance is going to get jacked… of course they are.
  • More insurance, more insight, more claims, more data…. this is all good
  • http://www.insurancejournal.com/news/national/2015/10/05/383785.htm
• New California law requires warrants for online data
  • Same warrant requirements as files in your filing cabinet
  • Doesn’t change Federal law capabilities to not have warrant.
  • Worth remembering: feds can compel your biometric, but not your password
  • Do you encrypt? policies? practices?
  • http://www.cnet.com/uk/news/new-california-law-requires-police-to-get-warrants-for-online-data/
• Obama administration opts not to force firms to decrypt data (for now)
  • for now….
  • opportunity for involvement
  • great chance to connect with your legal and other groups; what is the best way for your organization to handle it
    
  • https://www.washingtonpost.com/world/national-security/obama-administration-opts-not-to-force-firms-to-decrypt-data--for-now/2015/10/08/1d6a6012-6dca-11e5-aa5b-f78a98956699_story.html
• Apple removes several apps from store, they could be spying on you
  • Key issue: root certificates installed
  • http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-spy-on-encrypted-traffic/

In this episode...

• Raf asks why we talking about global supply chain, 3rd party risk again
• Josh discusses what little things we are not thinking about today, that we should
• Josh discusses what happens as companies move critical data to the cloud
• We discuss regional IT in a global data world
• Raf opens up the “tiny company 3rd party” can of worms
• We discuss the cyber crime survey and CISO board reporting results; link:
  http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html
  
• What about supply-chain issues with electronic components, software?

Guest:

• Josh Douglas - CTO for Raytheon Cyber Products – has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets. During his past 9 years at Raytheon, he has overseen Raytheon’s Cyber Security Intelligence Operations, Malware Concepts, Security Infrastructure Operations and Research Technologies tasked to produce effective forward-looking cyber software solutions to contain and control advanced threats. These solutions are used to help commercial and government entities protect their enterprises and the global cyber supply chain from ever-changing advanced persistent threats and malware.
  
  Prior to joining Raytheon, Joshua has a successful track record in network security operations and engineering management positions, securing enterprise environments while promoting contextual response. Prior employers include Enterasys Networks, Kronos, Genuity, MIT Lincoln Laboratory and other prominent enterprises. Joshua earned a Bachelor of Science Degree in Computer Science from Appalachian State University and currently holds a number of technical computer and network security certifications. LinkedIn: https://www.linkedin.com/in/jdouglas

In this episode...

• Patreon got hacked, but it's OK
  • This is a lesson in how to do security in a reasonable manner
  • Great response, good security
  • https://www.patreon.com/posts/important-notice-3457485
• The double-edged blade of the DMCA could have helped VW cheat emissions
  • Reverse-engineering illegal
  • Definitions of 'researcher' and further 'independent researcher' are interestingly defined - lots of room for discussion
  • http://www.itworld.com/article/2986856/enterprise-software/how-the-dmca-may-have-let-carmakers-cheat-clean-air-standards.html
• CFOs are getting involved in security whether they want to or not
  • Good to-do checklist for CFOs
  • http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-security/
• Lawsuits preventing disclosure of vulnerabilities in the news
  • We're "chilling security research" again
  • Good points made, on top of bad points and half-truths
  • Stems from the Fireeye vs ERNW fight
  • http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-security/
• Verizon reports on the state of network transformation
  • security still an issue, and top priority
  • human talent is still a problem
  • lots of leadership opportunities here
  • http://www.enterprisenetworkingplanet.com/netsysm/verizon-reports-on-the-state-of-digital-network-transformation.html

In this episode...

• Kirby tells us what OSINT is
• We discuss how much we are giving away on digital channels?
• We discuss if there is such a thing as anonymity anymore
• Location sharing in apps — the bad, the ugly, the scary
• Kirby and Michael discuss “checking up on your executives”
• Raf talks about “logo pages” — why do these still exist?!
• Kirby gives us some thoughts on OPSEC
• Kirby leaves us with a dose of reality about privacy in today’s world

Guest

• Kirby Plessas ( @kirbstr ) - Kirby is the CEO of Plessas Experts Network, Inc. She did some things before this too, but we can't tell you about them or we'd have to black-bag you and send you to Gitmo. You can get her LinkedIn bio here: https://www.linkedin.com/in/kirbyp.

On this episode of the NewsCast

• Intel forms new Automotive Security Research Board (ASRB) to focus on security of their automotive platform
  • http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/13/intel-commits-to-mitigating-automotive-cybersecurity-risks
  • Good security as a competitive advantage?
  • Interesting development in the effort to secure cars as a technology platform
• Appeals court forces the issue of 'fair use' in DMCA case
  • http://www.engadget.com/2015/09/14/appeals-court-copyright-holders-must-consider-fair-use-before/
  • Interesting development in the case against Universal Music Group's malicious prosecution and nonsense take-down orders
• Bitpay sues their insurance company after giving away $1.8M
  • http://www.coindesk.com/bitpay-sues-insurer-after-losing-1-8-million-in-phishing-attack/
  • Interesting argument in court - indirect loss
  • Company exec got phished for credentials
  • Execs fall for "transfer large quantity of money" scam
  • Follow this case!
• China making demands of US tech companies
  
  • http://www.engadget.com/2015/09/17/china-us-tech-companies-security-policies/
  • This has happened before...US companies found ways around this once
  • Essentially it appears as though China is asking for 'backdoors' and secret access to source code, etc in order to do business in China
  • Talk about anti-competitive!
• The Kardashian train wreck exposes fans' information due to web flaw
  • http://techcrunch.com/2015/09/16/kardashian-website-security-issue-exposes-names-emails-of-over-half-a-million-subscribers-payment-info-safe/#.gofm76:EZbS
  • Some 'developer' wanted to see how the site worked, poked around and found an interesting flaw and posed it to owners
  • ~500,000 subscribers info exposed

In this episode...

• Brandon, Michael and I discuss the challenges of leadership and how leadership is more than just telling people what to do. Brandon gives us some of his back-stories and anecdotes to illustrate his points on leadership along the way.
• I promise you'll love this episode, and I highly encourage you to go donate what you're able to, to Red Circle Foundation (http://redcirclefoundation.org).

Guest

• Brandon Webb ( @BrandonTWebb ) - Brandon is a former Navy SEAL, bestselling author and CEO of Force12 Media. He founded Red Circle Foundation as a way to give back to the families of the Special Ops community in a meaningful way.

Links

• Red Circle Foundation - http://redcirclefoundation.org/ 
• SOFREP - http://sofrep.com
• Brandon's website - http://brandontylerwebb.com/

In this episode

• Court strikes down Wyndham's challenge to FTC power
  • We have covered this before
  • Wyndham argued due proces and lack of case law - asked for dismissal
  • Court said no dismissal, FTC has standing
  • FTC is arguing that Wyndham made promises it did not keep
  • Should be interesting to watch this go to court (or likely not)
  • http://www.csoonline.com/article/2975915/data-breach/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html
• Ashley Madison hauled into court by class-action suit
  • Lots of thorny issues here, must separate out moral from legal
  • Shines light on the continued bias for breach prevention
  • Interesting Streisand effect here
  • http://www.csoonline.com/article/2975755/data-breach/ashley-madison-hauled-to-court-in-class-action-suits-over-data-breach.html
• Verizon launches Hum OBD port vehicle monitor and communication tool
  • In light of the stunt-hacking against Chrysler/Jeep is Verizon tone deaf?
  • ..or are they simply that confident in their security?
  • There is no mention, by the way, of security of the device on the web site
  • http://www.macnn.com/articles/15/08/26/service.not.reliant.on.verizons.network.uses.any.ios.or.android.phone.130118/
• The move to EMV cards (chip & sign) in America is changing how fraud happens
  • EMV cards cost a fortune to implement
  • Solving a problem the finance industry did not have
  • http://www.bankinfosecurity.com/interviews/emv-shift-preparing-for-fraud-migration-i-2850#

In this MicroCast, live from HTCIA Conference 2015 in Orlando, FL, Michael and I quickly set the stage for a conversation on conference speaker/attendee engagement. 

[Raf] One of my biggest pet peeves as a speaker is getting a room-full of people who watch (and listen) me speak, wait for me to finish, and leave when I'm done.

[Michael] As an attendee, you need to know what you "do" and what you're looking for from the conference.

--> Here's the link to the article Michael mentions: http://paulsohn.org/how-to-connect-with-anyone-you-just-met-with-5-questions/

We welcome the discussion on this topic, #DtSR on Twitter!

In this episode...

• We discuss what life is like as the CISO when you have all the responsibility for, but no administrative access (or hands on keyboard)
• Brandon tells his story about how his IT organization went from in-house, to out-house, and how they got where they are
• Brandon tells us the process and strategy he uses to get a handle on his security
• We discuss why visibility is one of the most important things to outsourced IT (and security)
• Brandon tells a story of an incident where things went very sideways
• We discuss the balance between outsourcer scalability and customer deviations
• Brandon tells us why sometimes it takes 3 months to scan your environment for a vulnerability ( your head will explode )
• …and so much more

Guest

• Brandon Dunlap ( @bsdunlap ) - Brandon is the global Chief Information Security Officer for a an employee-owned, global leader in building critical infrastructure in energy, water, telecommunications and government services currently operating in more than 100 countries through consulting, engineering, construction, operations and program management.

In this episode...

• Just when you thought America's neutered "chip & sign" was a safe
  
  • http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
  • Admittedly we put these stories in here just to get Michael all fired up
• Ashley Madison's data and source code and CEO's email spool now released and public
  • http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
  • http://www.csoonline.com/article/2973575/business-continuity/ashley-madison-self-assessments-highlight-security-fears-and-failures.html
  • So much to talk about that's just wrong with this story...
• Uber is hiring people for security
  • http://www.ibtimes.com/uber-boost-security-staff-after-data-privacy-concerns-2055903
  • Does more headcount equal better security?
  • Where will these people come from given the shortage of talent? <snark>
• That gadget you attached to your OBD2 port on your car to "save on car insurance" may be used to kill you
  • Seriously
  • The dangers of all these wireless & connected devices is scary
  • Risk assessment anyone?
  • http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
  • Someone get Flo on the phone...
• Windows 2003 which is now expired still has 609,000 public servers on the Internet
  • Translates into roughly 175M websites (Netcraft)
  • Why are thse out there?
  • Is there really a risk or is this hype?
  • http://www.zdnet.com/article/windows-server-2003-servers-insecure-unpatched/
• ATC systems go down as they were ...<drumroll> being updated!
  • Common problem of ancient systems going down due to upgrade
  • ATC has ZERO patch window
  • ..also close to ZERO ability to test patches/updates in "lab" environment
  • Complex, ancient systems fail when they're upgraded, sometimes catastrophically
  • http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage

In this episode...

• We discuss the ever-growing need for strong leadership in security
• I ask whether experience and longevity in a position naturally brings leadership qualities
• We talk through how leadership interplays with other competencies
• Michael asks whether the security leader has a place at the executive table (the "big kids table")
• Michael asks if the MBA has value in security leadership
• We discuss the model my team uses for leadership and how we build them
• Michael and Heath discuss various competency models for leadership
• We discuss measuring, KPIs and relative distance
• We discuss how leaders can make better decisions
• Heath leaves us with an Alex Hutton quote

In this episode...

• The Belgian government's internal phishing test has "gone off the rails" a bit
  • Used a legitimate entity to test against
  • Panic and hilarity ensued, but mostly panic
  • http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html
• British ICO makes a 180,000 pound fine
  • Disconnect between policy and reality
  • Was anything lost?
  • 2 big failures lead to a fine
  • https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/ico-fines-nationwide-money-lender-the-money-shop-180-000/
• McAfee and Black Hat attendee surveys wildly different
  • Answers you get depend on who and how you ask
  • Interesting answert though...
  • Lesson: The more experience you have, the less confidence?
  • http://www.slate.com/blogs/future_tense/2015/07/21/two_surveys_of_cybersecurity_professionals_show_starkly_different_attitudes.html

In this episode

• Raf asks - Why haven’t we solved the same old software security bugs?
• James asks how a security team gets out of the way and still get better security?
• We discuss threat modeling, and channel a bit of John Steven
• Jeff talks about the OWASP ESAPI and standard security libraries and controls
• Jeff talks about “libraries with known vulnerabilities” and the role of open source components
• Raf brings up the ugly side of enterprise outsourcing - code development by committee
• We discuss static, dynamic and run-time security tools
• Raf asks Jeff what the RIGHT approach to creating a software program looks like

Guest

• Jeff Williams ( @PlanetLevel ) - Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

In this episode...

• "Hackers remotely kill a Jeep!"
  • Lots to talk about
  • Basics of segmentation weren't followed, aren't followed
  • Discussion on software 'fitness' and liability
  • http://www.cato.org/blog/hackers-remotely-kill-jeep
• Firefox blocks Flash and FaceBook calls for its death
  • Should it concern you that FireFox can change your config without your permission or an update?
  • How helpful is this? Does the message/pop-up actually DO anything to stop users from clicking YES?
  • http://money.cnn.com/2015/07/14/technology/flash-firefox-facebook/index.html
• Ashley Madison (the cheating website) breached!
  • Check their privacy policy - is it consistent with actions?
  • Did this event delay or possibly end the company's aspirations of going public?
  • The morality of AM's business model shouldn't be an issue here - but it keeps coming up
  • http://www.csmonitor.com/World/Passcode/2015/0722/Ashley-Madison-breach-a-painful-reminder-of-online-data-s-permanence
• British Gas bows to criticism over blocking password managers
  • http://www.scmagazineuk.com/british-gas-bows-to-criticism-over-blocking-password-managers/article/426463/
• US Court says "pocket dialed" called are NOT private
  • http://www.itworld.com/article/2951715/security/us-court-says-pocketdialed-calls-are-not-private.html

In this episode

• Talent shortage - is it real, and how bad is it?
• We discuss: what does negative unemployment actually mean?
• Michael asks- ecurity is still relatively new, how do we determined what “qualified” means?
• What skills are necessary to be a good security professional?
• Hiring - we discuss how we get better at screening potentially qualified employees
• We discuss how we can vet out real experience, versus resume skills
• Mark and Michael discuss specialization, automation, and optimizing our workforce
• Mark shares his thoughts on growing and retaining top talent

Guest

• Mark Orlando ( @MarkAOrlando )  - As the Director of Cyber Operations, Mark is responsible for Foreground’s Federal practice as well as the Virtual Security Operations Center (V-SOC) managed service. He leads a national team of analysts, engineers, incident responders, and managers who secure some of the most high profile networks in the Federal, financial, commercial, and power and utilities industries. As the senior operations subject matter expert, he is also responsible for security services strategy and advises on strategic Foreground initiatives such as threat intelligence analysis, custom analytics development. Mark is also a key advisor to the company’s award-winning educational unit, Foreground University. Prior to joining Foreground Security, Mark advanced through the technical ranks as a Security Analyst and Technical Lead in a variety of operations environments. In his 13+ years of experience, he has built and led security operations teams at the White House, the Department of Energy, the Pentagon, and numerous commercial organizations. He has also managed the operations division of a major Managed Security Service Provider supporting hundreds of private and public sector clients. Mark enjoys teaching and learning from others. He has presented on security operations and assessment at the Institute for Applied Network Security Forum and RSA Conference. Mark has earned the CISSP, PMP, CEH, ITIL, and multiple SANS GIAC certifications and holds a B.S. In Advanced Information Technology from George Mason University. Mark served in the US Marine Corp where he was a Marine Artillery NCO.
  
  Foreground Security (http://foregroundsecurity.com/)

In this episode...

• Peter Morin joins us to talk through the upcoming HTCIA International 2015 Conference in sunny Orlando, Florida.
• We talk through a preview of talks, events, and some interesting reasons you should be going to HTCIA Int'l
• Check out the incredible lineup of keynotes, speakers and talks - http://www.htciaconference.org/
• Come see the #DtSR crew live and in person as we record and broadcast from the conference

In this episode...

• Appears as though Windows 10 WiFi Sense could have some issues with WiFi -- more on this as it develops
  • Why is the default opt-in, and why in the world do I have to change my SSID to opt out?!
  • Is it really a good idea to use an SSID to describe security constraints on your network? (Hint: NO)
  • http://www.computing.co.uk/ctg/news/2415787/windows-10-wi-fi-sense-security-warning-over-automatically-shared-passwords
• "Washington Post will encrypt the news"
  • Ridiculous click-bait headline
  • Is this a good idea? Should everything be HTTPS?
  • What about ads, are we defeating ourselves?
  • https://hacked.com/washington-post-encrypt-news/
• OPM hackers stole 21.5 million people worth of records
  • That's all government employees, past, present, and under-cover (possibly)
  • 1.1 million biometrics (fingerprints) -- quick! go reset your fingerprints... oh wait
  • Bad --> worse --> catastrophic --> now what?
  • http://www.computerworld.com/article/2946031/cybercrime-hacking/opm-hackers-stole-data-on-215m-people-including-11m-fingerprints.html
• Katherine Archuletta, Director of OPM, resigns
  • Shock. Awe. Not.
  • Did everyone else see this one coming?
  • Does this change anything? Does her departure make anything better or is she the sacrificial lamb, the way Washington operates?
  • http://www.nytimes.com/2015/07/11/us/katherine-archuleta-director-of-office-of-personnel-management-resigns.html

In this episode

• We take a little peek inside the mind of a CEO, from the security perspective
• We discuss the state of information security in the last decade
• Dan shares his wisdom on how the role of a security professional and security leadership has changed over the course of his career
• We discuss about the talent shortage - and get an in-depth look at solving some of this problem
• Dan shares with us his views on balancing people, processes and technology resources to achieve meaningful security
• We talk strategy, and Dan and the guys talk through why it's so vital
• We get Dan's "closing remark" (something you won't want to miss)

Guest

• Dan Burns, CEO Optiv, Inc. -  Dan Burns brings more than 23 years of business, technology and security industry experience to his role as chief executive officer. In this role he is responsible for the development and implementation of high-level strategies and direction of the company’s growth. Being able to provide clear insight into navigating the complex information security landscape is a priority for Burns. His philosophy is to focus on building long-term relationships with clients, working with them to simplify their lives and becoming a trusted information security partner rather than a reseller or outside consultant.
  From 2002 when he co-founded Accuvant, until 2012 when he assumed his position as the company’s first CEO, Burns served as senior vice president of Accuvant’s sales organization. In that role, he was responsible for strategic planning, sales growth and problem resolution. Burns co-developed and helped to successfully execute on Accuvant’s initial vision – to build a company with the breadth, depth and capabilities to address the information security needs of organizations worldwide. He launched the sales force and grew it to a national powerhouse organization within a 10-year period, conducting business with nearly half of the Fortune 500, and driving $740M in revenue in 2014.
  Prior to his achievements with Accuvant, Burns was the regional vice president of sales for the western region of OneSecure. He played an integral role in transitioning the organization from a managed security services (MSS) provider to a product company, delivering to the marketplace the first intrusion prevention system (IPS) and generating $40M in product sales in the first year.
  Previously, as the western region vice president for Exault, an integrator, consulting organization and reseller, Burns secured some of the largest enterprise clients in the Rocky Mountain region and helped grow revenues to nearly $150M in two years. He also held positions at Access Graphics, Arrowpoint, and Netrex where he supported some of the largest telecommunication companies in building their information security programs, implementing technology and taking advantage of Netrex’s world-class MSS.
  Burns earned a bachelor’s degree in economics from San Jose State University

In this episode

With me gone, James and Michael run feral!

• It's June, so here are the top 3 security priorities for CISOs for 2015 (yes in June)
  • http://www.information-age.com/technology/security/123459699/top-3-security-priorities-cios-2015
  • Boils down to: patch faster, improve credentials, code better
  • Is this the right list? 
  • It mentioned side-stepping cloud and mobility. What if migrating to the cloud offers the opportunity to not worry about patching or code, and improve your credentials? 
  • Someone pointed out to me that this matches the OPM hack; perhaps this is just content driven from that? Does that make it more or less valid?
  • Let us know… #DTSR
• Cybersecurity tops advisors's compliance worries: poll
  • http://www.thinkadvisor.com/2015/06/24/cybersecurity-tops-advisors-compliance-worries-pol
  • More people concerned. 
  • This directly undercuts the notion that people don’t care. They do care. They care about their money. The advisors entrusted with their money care. People care. 
  • The question for us: what are we doing? How are we helping?
• Why it's worth divorcing information security from IT
  • http://www.forbes.com/sites/frontline/2015/06/22/why-its-worth-divorcing-information-security-from-it/
  • No. No it’s not. We don’t need more silos, we need less. 
  • This feels a bit like “we’re not getting what we want… so the answer is reorg.”
• Keeping your kids safe (online) this summer -- with our very own TV star, James!
  • http://www.news4jax.com/news/summer-online-safety-for-kids/33747246
  • James, tell us about the experience - and how you don’t have nearly the control you think you’ll have
  • What did you do to prep?
  • What was your one big take away?
  • Now that you did the interview, any new thoughts?
  • Folks… what do you do? #DTSR - congratulate James on a great interview, then share your ideas (and yes, this is an enterprise play -- you can AND SHOULD share this with your employees)

In this episode...

• What is the Security Advisor Alliance?
• We discuss some of the issues facing CISOs today
• Clayton gives us his perspective on how to solve some of those issues
• Clayton tells us about the mission of the SAA
• If your'e a CISO, are you signed up for the SAA Summit?  Shoot Clayton an email

Guest

• Clayton Pummill ( @cp48isme ) - https://www.linkedin.com/pub/clayton-pummill/10/32a/44a - Clayton is the executive director of the Security Advisor Alliance. He also has a storied background so I encourage you to give it a check!

In this episode...

• Facebook has released PGP-encryption-enabled email communications
  • The anti-privacy platform will now encrypt emails to you if you give them your PGP public key
  • Does no one see the insane irony here?
  • http://www.theregister.co.uk/2015/06/01/facebook_pgp_support/
• White House issues mandate for HTTPS (by default) for all federal websites
  • "By the end of 2016"
  • Is this a good thing? A bad thing? Or does it even matter?
  • http://www.huffingtonpost.com/2015/06/08/https-federal-websites_n_7539164.html
• Attackers are using medical devices to pivot into health care networks
  • The Internet of Medical Things is insecure
  • There are challenges here, but the risks of moving faster aren't negligible
  • Lots to be thought about here
  • http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html
• Kaspersky gets popped, cue the typical verbiage
  • "Three previously unknown techniques"
  • "..highly sophisticated attack used up to three zero-day exploits.."
  • http://www.bbc.com/news/technology-33083050
• PwC healthcare spending study is disturbing
  • Predicts a 6.5% dip
  • Security is one factor in increasing cost
  • http://hitconsultant.net/2015/06/10/pwc-healthcare-spending-growth-rate-to-dip/
  • http://www.csoonline.com/article/2934929/security-leadership/why-the-dip-in-healthcare-spending-is-actually-a-risky-opportunity-for-security-leaders.html

In this episode...

• Defenders are set up to fail? how and why
• How do we fill forensics and IR positions?What skills and qualifications do forensics/IR need to have?
• How can enterprises get better at IR from where they are today?
• How do we solve some of the problems plaguing the security industry?

Guest

• Andrew Case ( @attrc ) - Andrew Case is a senior incident response handler and malware analyst.He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis.  He is a core developer on the Volatility memory analysis framework and co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".

Apologies to anyone who is having issues downloading this episode!

In this episode...

• The ACLU encourages the government to get into bug bounties
  • Read the original letter: https://www.aclu.org/sites/default/files/field_document/aclu_-_iptf_recommendations_submitted.pdf
  • Points 1 & 2 are at sane
  • Point 3 makes a hard left into into crazy-town
  • http://thehill.com/policy/technology/243265-aclu-says-government-should-offer-rewards-for-finding-security-flaws-on-its
• The massive taxpayer data fraud (not really a breach) is believed to be the work of Russia, says the IRS
  • Does it really matter?
  • Was this a breach or an abuse of functionality?
  • Would your company have caught this?
  • http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html
• CareFirst says their recent breach affects only about 1.1M people
  • Healthcare is clearly in the "bad guys" target zone
  • Quick to point out what the attackers did not get access to
  • Of course it was a sophisticated cyberattack
  • http://abcnews.go.com/Technology/wireStory/carefirst-data-breach-affects-11m-people-31187250
• CNA Financial business unit refusing to pay out claim to Cottage Health System
  • Claims hospital "failed to continuously implement procedures and risk controls identified"
  • CNA unit alleges many failures -- but is this fair?
  • http://www.businessinsurance.com/article/20150515/NEWS06/150519893

In this episode...

• David Shearer, Executive Director for ISC2 joins us to talk about the results of the ISC2 2015 Information Security Workforce Study
• We ask David to highlight some of the results
• We discuss how malware and application security were identified as top threats 3 years in a row -- and what's to be done about this
• We discuss the major discrepancy between priorities from this survey and recent CIO surveys
• We discuss the importance of communication skills (identified in the survey) while leadership and business management are far down the scale
• We discuss with David how under his leadership ISC2 can build a much tighter alignment to business -- not just more security certifications

Guest

• David Shearer - David Shearer has more than 27 years of business experience including the chief operating officer for (ISC)², associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office. Shearer has been responsible for managing and providing services via international IT infrastructures, and he has implemented large-scale SAP Enterprise Resource Planning (ERP) projects. Shearer holds a B.S. from Park College, a M.S. from Syracuse University, management and technical certificates from the U.S. National Defense University, and he is a U.S. federal executive presidential rank award recipient. As (ISC)² Executive Director, Shearer is responsible for the overall direction and management of the organization.

   

In this episode...

• Netflix launched FIDO (not that one, or that one, no the other one)
  • Focused on automating incident response practices
  • FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
  • If you don't use it, at least they provide a structured framework for response and IR workflow
  • http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
• IT Chief leaves sensitive data in car- spoiler: it gets stolen
  • Something smells like a fish market in the July heat on this story
  • Maybe it's time to check in on YOUR off-site handling procedures?
  • http://www.thestarpress.com/story/news/local/2015/05/10/chief-left-hard-drives-car/27083031/
• Crowdstrike discovers, names "Venom"
  • Massive security vulnerability within the floppy disk emulator in virtual machine hypervisors
  • Even if you disable floppy disk emulation, separate bug lets you enable it
  • This has a graphic and everything!
  • http://www.csoonline.com/article/2921589/application-security/significant-virtual-machine-vulnerability-has-been-hiding-in-floppy-disk-code-for-11-years.html
• United Airlines launches bug bounty
  • Does this have anything to do with the now infamous (alleged) airplane hacker?
  • Seems like some contradictory statements in the description
  • (see below on United's response to our inquiry)
  • http://www.united.com/web/en-US/content/contact/bugbounty.aspx

Note back from United Bug Bounty Team:

Posted with permission--

"Rafal:

            Thank you for the question.  We want researchers to be able to notify of potential issues they find while still protecting customers who are not participating in the program.  If a researcher launched a brute force attack and locked the accounts of 10,000 customers through already existing security measures this would negatively affect our customers and the program.

            If any researchers believe they may have found a brute force condition, they can feel free to submit it to us without testing.  We will check on our end and if we confirm a bug exists we will gladly reward them for their effort.  Does that make sense?

Best,

United Bug Bounty Team"

In this episode...

• A quick walk-through of Rob’s talk (“Hacker ghost stories”), and why it’s completely relevant today
• Simple things that work
  • blocking java (externally)
  • effectively blocking “uncategorized” sites in your forwarding proxies
  • (not) resolving DNS internally
  • (not) default routing to the Internet from inside
  • canaries in the coal mine, or evil canaries

Guests

• James Robinson ( @0xJames ) - https://www.linkedin.com/in/0xjames Currently the Director, Threat and Risk Management at Accuvant-Fishnet Security and part of the Office of the CISO. He has a long and storied career of success as an enterprise defender across various industries. 
• Rob Fuller ( @mubix ) - Rob is an experienced InfoSec industry insider, with many interesting achievements and accomplishments. He's easily findable, as are his many public doings.

In this episode...

• A join Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
  • The study only looked at mobile apps and app developers
  • Less than half (of their study) test the mobile apps they build
  • About 33% never test their apps
  • http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
• Illinois Bill SB1833 expands the definition of PII to include almost everything
  • Requires notification in the event of a breach of...
  • Online browsing history, online search history, or purchasing history
  • Is this absurd, or just protecting our privacy?
  • http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
• The DOJ has jumped in and issued some sound fundamental breach guidance!
  • 4 sections: what to do before, during and after a breach plus what NOT to do after a breach
  • Fantastic fundamentals... great idea
  • The push to fundamentals is critical!
  • http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
  • http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
• Mozilla is phasing out non-secure HTTP
  • HTTPS only is the way forward, so Mozilla (champions of liberty and all that) are leading the way
  • https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
• First foreign hacker is convicted in the US
  • Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies
  • He pled guity in September 2014, maximum of 5yr prison sentence
  • http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/

In this episode...

• What about public safety, where do we draw the line on open research?
• Self-regulation? Disclosure? What are our options…
• What makes a researcher? We discuss
• “Chilling security research”
• A quick dive into bug bounty programs; do they help?
• Ethics vs. moral compass …we discuss
• Hacker movies, and what they’re doing for our profession

Guests

• Keren Elezari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank, founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren covers emerging security technologies and trends as a security industry analyst with GIGAOM research, a leading independent media hub. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious international annual TED conference. Keren’s TED talk has been viewed by 1.2 million people, translated to more than 20 languages and selected for TED’s list of ‘Most Powerful Ideas in 2014’ and for Inc.com’s list of ‘Top TED Talks of 2014’.
• Kellman Meghu ( @kellman ) - heads up a team of Security Architects for CheckPoint Software Technologies Inc., the worldwide leader in securing the Internet. His background includes almost 20 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISP's in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. Kellman has delivered security talks in private corporate focused events, at school internet safety classes for students and teachers, as well as public events such as, SecureWorld Seattle, The Check Point Experience, Bsides St. Johns, Bsides San Francisco, Bsides Iowa, Bsides Detroit, Secure360, Trilateral Conference, and Sector lunch keynote for 2014. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio station interviews and news articles across Canada and the US.
• Mark Nunnikhoven ( @marknca ) - focuses on helping organizations as they move from the data centre to hybrid environments to working fully in the cloud. Bringing over 15 years of practical experience to the table, he is regularly sought after to speak on cloud computing, usable security systems, and modernizing security practices.

In this episode...

• Friend and security researcher Chris Roberts steps into it... 
  • A poorly-conceived tweet, followed by mass hysteria
  • Most everyone talking about this is missing the point entirely
  • Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
  • http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
  • The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
• Corporate threat intelligence teams opting to go anonymous?
  • New company, making intelligence sharing work, anonymously?
  • Many questions on whether anonymity is workable in the intelligence space
  • https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
• Target settles with Mastercard for $19M USD
  • Mastercard trying to settle this out, as alternative payout option for victims (this time the issuers, not card holders)
  • http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_million/
• The looming security threat no one is talking about
  • We're talking about it!
  • Windows 2003 is going out of service... after 12 yrs?
  • Final deadlines is July 14th
  • Panic? Compensating security controls?
  • http://www.healthcaredive.com/news/himss15-the-looming-it-security-threat-that-no-one-is-talking-about/386754/
• HTTP "ping of death" coming to a Windows IIS web-server near you
  • Patch now... people are actively exploiting this flaw to knock over web servers
  • Quick turn-around from "patch released" to "patch reverse-engineered to attack IIS servers"
  • http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
• JPMC algorithmn knowns you're an insider threat, before you do
  • Fascinating, applies to the financial world
  • Uses behavioral indicators
  • http://www.bloomberg.com/news/articles/2015-04-08/jpmorgan-algorithm-knows-you-re-a-rogue-employee-before-you-do

In this episode...

• Where do you even start with “threat intelligence”?
• Ryan talks about context, and why it’s *the* most important thing when it comes to threat intel
• How does a SME make use of a “luxury item” like threat intelligence?
• Michael asks what are 1-2 things you can do *immediately* as an SME?
• What are the basics, beyond the basics of security? Where do you make your first investment?
• Getting your own house in order is harder than it sounds, so what then?
• Michael drops some #RiskCatnip
• Michael breaks down the “feedback loop” and his basic questions to ask/answer
• Down the rabbit hole of shiny boxes, standards, and productized threat intelligence
• The overlap of data on commercial threat intelligence providers

Guest

• Ryan Trost - Ryan is the CIO of ThreatQuotient and knowledgeable on matters of intelligence with his extensive background and history in the community.

In this episode...

• TrueCrypt security audit results are good news, right? 
  • Why are some of the most depended-upon 
  • http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
• At Aetna, CyberSecurity is a matter of business risk
  • Jim Routh talks about how he runs a security program
  • Security is a matter of business risk, if not you're doing it wrong
  • http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
• Why aren't you vulnerability scanning more often?
  • Wrong question.
  • Simple answer -- because scanning doesn't matter if you can't fix the issues you find
  • Example of how security misses the point
  • http://www.csoonline.com/article/2901472/vulnerabilities/why-aren-t-you-vulnerability-scanning-more-often.html
• SecurityScorecard - a new startup that is exposing 3rd party risks to you -- or is it?
  • Interesting business model
  • How legitimate is this, and what are the risks?
  • http://www.businessinsider.com/securityscorecard-raises-125-million-led-by-sequoia-2015-3
• Does removing Windows administrator permission really mitigate 97% of vulnerabilities?!
  • Is this real? If so -- why isn't everyone doing it?
  • Local administrator privileges are starting to fade, but why so slowly?
  • http://blog.norsecorp.com/2015/04/02/removing-admin-privileges-mitigates-97-of-critical-microsoft-vulnerabilities/

In this episode...

• Jon Callas gives a little of his background and his current role
• We talk through why cryptography is so hard, and so broken today
• Jon overviews compatibility, audit and making cryptography useful
• Jon brings up open source, security, and why "open is more secure" is bunk
• We talk through "barn builders" vs. "barn kickers" and why security isn't improving
• We talk through how to do privacy, active vs. passive surveillance
• We talk through anonymous VPN providers, anonymization services, and how they're legally bound
• Jon talks about appropriate threat modeling and knowing what we're protecting
• We talk through patching -- how to do patching for Joe Average User
• Bonus-- Mobile is as secure (or more) than what we're used to on the desktop

Guest

• Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered “one of the most respected and well-known names in the mobile security industry.” Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation and the former Chief Technical Officer of Entrust.
  

Remember folks, as you listen reach out to us on Twitter and hit the hashtag #DtSR to continue the conversation, and speak your mind! Let's hear what your take is on the stories we discuss...maybe you have a unique angle we've not considered?

In this episode--

• Target settled class-action lawsuit over its data breach - for $10M USD
  • Who wins? Lawyers, clearly the lawyers
  • Burden of proof on the victims to show they've suffered a loss to get up to $10,000.00.
  • If you can't prove loss, you can still try to get part of settlement of what's left-over
  • http://www.usatoday.com/story/money/2015/03/19/target-breach-settlement-details/25012949/
• Federal judge dismisses suit against Paytime -- "simply no compensable injury yet"
  • Leaves door open for future suits if someone were to suffer a compensable injury
  • "Once a hacker does misuse a person's information for personal gain...there is a clear injury and one that can be fully compensated with money damages." -- Judge John E. Jones III
  • Watch this case, read the story for yourself
  • http://www.securityinfowatch.com/news/11883806/federal-judge-dismisses-lawsuits-over-paytime-inc-data-breach
• Sacred Heath Health System victim-by-proxy of a data breach
  • Happened at a 3rd party
  • So why is only Sacred Heart in the news?
  • ~40 individuals SSN and patient information
  • "deceptive technique" known as phishing
  • http://pensacolatoday.com/2015/03/sacred-heart-informs-patients-of-billing-information-disclosure/
• Premera Blue Cross "warned about security flaws before breach"
  • Lots to talk about here -- starting with is 3 weeks enough time?
  • OPM audit finds issues, is this a systemic failure or examplary of an enterprise doing its best in a difficult security climate?
  • Before you judge, measure up your own security posture against this article
  • http://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/
• Advantage Dental notifies patients of breach
  • 3 days from initial breach to discovery
  • Amazingly fast detection, but was it adversary or malware?
  • Is this a feel-good, or something else?
  • https://secure.advantagedental.com/index.asp?din=598
• NYC Auxiliary Officer charged with hacking NYPD & FBI systems
  • Insider threat poster child
  • Smart enough to do some interesting things
  • Yet, one of the dumbest criminals we've seen in a long time
  • http://www.fbi.gov/newyork/press-releases/2015/new-york-city-police-department-auxiliary-officer-charged-with-hacking-into-nypd-computer-and-fbi-database

In this episode...

• Michael C and the team talk bout "going back to basics" and the need for security fundamentals
• Michael C talks a little about why we (security professionals) fail at fixing problems at scale
• We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
• Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
• We discuss the balance between false positives and false negatives -- a super critical topic
• Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
• We talk through centralized vs. de-centralized security, and how to understand which works better, and where
• Michael C gives us his 3 key take-aways for listeners (don't miss these!)
• We talk through "assume breach", and what it means for security

Guest

• Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community now serving on its board and having contributed countless hours and lines of code to the effort. 

In this episode--

• Law firm hit and crippled by ransomware, decides it's not paying the ransom.
  • They aren't quite sure what got encrypted
  • But they have backups...
  • ..and data was likely not exfiltrated
  • http://news.softpedia.com/news/Ransomware-Hits-Law-Firm-Encrypts-Workstation-and-Server-474788.shtml
• Major law firms for ISAC to fight off adversaries, share intelligence
  • Catching up to the threat they're facing
  • Law firms are major targets, given the data they have ("secrets!")
  • Downside: exclusive to a handful of major firms
  • http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats
• Big kerfuffle about Anthem's refusal of a 3rd party audie
  • They were under no legal obligation...
  • Who out there would submit to a 3rd party audit/test?
  • Sounds like publish shaming, big headline, little story
  • http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980
• Apple Pay being attacked, sort of
  • When technology becomes 'good enough' attackers attack processes, people
  • Lesson -- nothing is "unhackable" even if the tech is great
  • http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers
• [Slightly-old-but-relevant] Victor Valley College suspends entire IT staff to investigate a vague breach in protocol
  • Very little actually said in disclosure
  • "We don't have any reason to believe we've been hacked by outside hackers"
  • Entire computer system was taken down for nearly 3 hours
  • Emphasizing "no private student or employee information has been compromised"
  • Stay tuned...weird
  • http://www.vvdailypress.com/article/20150130/NEWS/150139991

In this episode...

• We learn the origins of "RSnake" as told by Rob himself
• Rob gives us a peek into the dark side, from his contacts and experiences
• We discuss the black-hat economy as it's verticalized, specialized, and matured
• Rob discusses the balancing act of the good vs. bad and why the situation is as bad as it needs to be
• We discuss some of the things businesses and defenders really need to worry about
• Rob gives us his view of the inevitability of security from SMB to enterprise -- and why things are so good, or bad, or just right
• We discuss the different ways security is being understood, implemented and matured and why it's futile to chase absolutes
• Michael and Rob dive into the labor shortage in security - real, perceived, or misunderstood?
• Rob gives us his outlook on where things are going over the next decade or so

Guest

• Robert "RSnake" Hansen - ( @RSnake ) - Strategic. Web security expert. Visionary. Robert brings more than 20 years of web application and browser security experience, innovation, and vision to the WhiteHat Security team. Under Robert’s leadership, WhiteHat Labs successfully launched Aviator, the most secure browser available, for Mac and Windows, quickly racking up more than 170,000 downloads in less than six months. When asked about WhiteHat Labs’ mission, Hansen said, “Labs will strive to provide prototypes that go beyond customer expectations, to delight the user.” Before WhiteHat, Robert was the CEO of SecTheory and Falling Rock Networks. Robert has co-authored several books including XSS Exploits and Website Security for Dummies. Robert is also the author of Detecting Malice. He is a member of WASC, APWG, IACSP, ISSA, APWG and has contributed to several OWASP projects, including originating the XSS Cheat Sheet. When he is not breaking the web to make it stronger, Robert enjoys watching Formula One racing.

In this episode--

• Would you be OK with your credit card company tracking you, to decrease fraud rates? Visa wants to track your smartphone.
  • http://triblive.com/business/headlines/7774328-74/visa-card-fraud
• Your stolen healthcare data is increasingly being sold on the black market
  • http://www.ihealthbeat.org/articles/2015/2/19/security-experts-health-data-increasingly-being-sold-on-black-market
• Lenovo has shipped software that performs a man-in-the-middle (MITM) attack against all SSL connections on some of its consumer laptops. This is really, really, really bad, but Lenovo doesn't seem to get it.
  • http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
  • http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
• The web browser is totally broken, and a haven for malware. Long live the web browser?
  • http://securityintelligence.com/broken-web-browsers-malwares-new-address/

In this episode

• Traveler's Insurance files suit against a web developmeent company for failing to provide adequate security, resulting in a breach of one of its customers
  • http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
  • We discuss whether security standards are now "implied"?
  • Does Traveler's have any standing to sue? (Shawn thinks not)
• FTC goes after LabMD for a data breach
  • http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
  • Is the FTC over-reaching?
  • We discuss this statement from the FTC website: "[LabMD failed to] ..reasonably protect the security of consumers’ personal data, including medical information"
• Social media company TopFace pays a ransom to hackers
  • http://www.forbes.com/sites/davelewis/2015/01/31/topface-facepalms-as-it-surrenders-to-data-breach-hacker-blackmail/
  • Face + Palm.
  • We lament why this absolutely terrible decision may have far-reaching repercussions

Guest

• Shawn Tuma ( @ShawnETuma ) - In addition to being a perennial favorite on this show, Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, a Christian, a family man, an author & and speaker - and an all-around awesome guy.

Topics covered

• Massive breach at American Health Insurer Anthem - from the "haven't we done this once before?" department as Queen - Another One Bites the Dust plays in the background
  • https://gigaom.com/2015/02/05/oops-another-big-data-breach-this-time-at-anthem/
  • http://money.cnn.com/2015/02/05/investing/anthem-hack-stocks/index.html?sr=twmoney020615anthemwallst0600story
  • (Obligatory OMG China! hype link) http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
• Hackers target brokers, financial advisors -- SEC "does something"
  • http://thehill.com/policy/cybersecurity/231649-hackers-targeting-brokerages-and-financial-advisers
  • SEC weighs cybersecurity disclosure rules (why SEC?) - http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
• A promising new technology which detects hacks in - milliseconds? -but what's the use-case?
  • http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds
• Google launches vulnerability research grants program - because bug bounties just aren't enough
  • http://www.scmagazine.com/google-launches-vulnerability-research-grants-program/article/395694/
• Sony Pictures Entertainment (the company that was so thoroughly hacked) CEO Amy Pascal is out! But is this proof of anything, for security? Ask Michael...
  • http://www.csoonline.com/article/2880600/security-leadership/the-conversation-security-leaders-need-to-have-about-amy-pascal-s-departure.html

This is the 7th installment (call it a rebirth) of the MicroCast. Short and to the point, Michael and James talk about the phrase breached companies use - "We take your security seriously..."

 .. join the conversation at #DtSR on Twitter!

Fans - If you haven't booked your ticket for InfoSec World 2015 in sunny Orlando, FL check this out. Register using our code CLD15/RABBIT for 15% off.

If you want a chance to go for FREE, listen to Episode 127 for your chance!

In this episode...

• John gives us a little lesson on markets, and why they move up/down, commentary for the information security professional
• John discusses what #BTFD means
• John uses the Target example of why security professionals, marketers, and much of the media got it completely wrong
• John educates us on insurance, compliance and liability
• My head explodes...

Guest

• John Foster ( @dearestleader ) - Mr. Foster has 19 years of technology experience but left technical infosec in 2003 to pursue a career in Compliance and Ethics. He now focuses on bribery & corruption, environmental issues, and other interesting topics, but infosec keeps appearing in compliance and finance. He is an investor with experience in stock, foreign exchange, options, and futures which allows him to see past the data breach hype. He is a Certified Treasury Professional, Six Sigma Black Belt, and holds certificates in ISO 9001, 14001, 20000, 22301, 27001, & 28000 from PECB. He is a partner at Bianco Foster Group, LLC which provides training and education services in ISO standards and an investor in several early stage startups.

Links

• Short portfolio http://dearestleader.me/2015/01/portfolio-update/
• S&P no material impact http://dearestleader.me/2015/01/standard-poors-says-breaches-have-no-material-impact/
• Home Depot earnings call analysis http://dearestleader.me/2014/12/home-depot-earnings-indicate-there-is-no-fear/
• Target sales up 40% over last year http://dearestleader.me/2014/11/target-continues-to-conquer-all/
• Initial Target analysis http://dearestleader.me/2014/03/target-data-breach-not-a-disaster/

** There is a special gift for our listeners in this episode, from our friends at InfoSec World 2015! Listen to find out how you can go for free.

 We have a promo code!

CLD15/RABBIT – 15% off for “Down the Rabbit Hole” listeners

Topics Covered

• Google picks up really big rocks, but lives in a glass house. As Google drops zero-day on Apple and Microsoft they respond with a lame excuse as to why they aren't patching a vulnerability that puts north of 60% of all Android users at risk.
  • http://m.v3.co.uk/v3-uk/news/2389839/google-puts-60-percent-of-android-users-at-risk-with-webview-security-changes
  • http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
  • http://www.eweek.com/security/google-project-zero-continues-its-microsoft-zero-day-assault.html
  • http://www.zdnet.com/article/googles-project-zero-reveals-three-apple-os-x-zero-day-vulnerabilities/
• Marriott reverses its decision to block guests' personal WiFi devices at their properties
  • http://threatpost.com/marriott-agrees-to-stop-blocking-guest-wifi-devices/110441
• LabMD's request to have an enforcement action against them by the Federal Trade Commission is denied. While this doesn't necessarily mean anything serious, yet, it's definitely one to watch.
  • http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
• Heartland Payment Systems - yes the company that was the posted child for nearly going out of business because of a horrible breach - is continuing to reinvent itself around security, this time making headlines with an offer of a data breach warranty. Strings, as you may suspect, attached.
  • http://www.cspnet.com/industry-news-analysis/technology/articles/heartland-offering-data-breach-warranty
  • http://www.businesswire.com/news/home/20150112005260/en/Heartland-Offer-Comprehensive-Merchant-Breach-Warranty

Watch this podcast page later this week for that freebie Michael told you about!

In this episode...

• The blog post that started it all - http://blog.norsecorp.com/2014/11/10/the-new-reality-in-security-offense-always-wins-and-defense-always-loses/
• Vince, tells us what he means by "Offense always wins, defense always loses"
• We disagree over this snip from his blog post: "To “win” in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose."
• We discuss how we get away from being Eeyore defeatists?
• Vince give us security strategies he is advocating knowing that defense is better equipped, and better funded
• We briefly mention high-value assets, and why it's even more critical today than it has ever been before, and why we still stink at it
• We challenge Vince to give us some tangible steps to managing risk better, to get away from winning/losing?
• We discuss how we compress delivery time lines for security competencies? (Average time to deliver a technical control is months, plus budget cycle - maybe years)
• We close with lessons learned from your Vince's rich experience that he'd like to share with the listeners, to change the nature of the win/lose conversation

Guest

• Vince Crisler - Vince has done some very interesting things in his background including former Communications Officer with the US Air Force, who also worked at the White House as Presidential Communications Officerm backed security start-ups, and chairing a Washington DC OSINT group. He's definitely one of the people you should get to know.

Welcome to a new year of the Down the Security Rabbithole Podcast! We are kicking off this year with a guest on this morning's program, Phil Beyer joined us to talk about the last few weeks that have been a wild, wild ride in the security indsutry!

Thanks for your support so far, and we promise a fantastic 2015 to come.

Topics Covered

• Sony. Sony. Sony. It's all anyone can talk about! They got hacked. They released a movie. They apparently aren't in dire straits. Fascinating.
  • http://www.cbc.ca/m/news/world/sony-pictures-ceo-michael-lynton-says-hackers-burned-down-the-house-1.2894997
  • http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
  • http://www.washingtonpost.com/world/national-security/fbi-director-offers-new-evidence-to-back-claim-north-korea-hacked-sony/2015/01/07/ce667980-969a-11e4-8005-1924ede3e54a_story.html
• Meanwhile, an iron plant in Germany was attacked (via cyber) and caused some very serious, and real, damage
  • http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/
• Microsoft abruptly cut off patch Tuesday public notifications, unless you're paying extra
  • http://www.computerworld.com/article/2866996/microsoft-abruptly-dumps-public-patch-tuesday-alerts.html
• On January 11th, 2015 a 90-day window expired and Google's new Project Zero disclosed on the world a Windows 8.1 privilege elevation flaw. Microsoft had not yet patched it. War of words is on.
  • https://code.google.com/p/google-security-research/issues/detail?id=123
  • http://www.pcworld.com/article/2867533/google-reveals-windows-81-flaw-mere-days-before-patch-tuesday-fix-irking-microsoft.html

Hi everyone! Welcome to the very first episode of the Down the Security Rabbithole Podcast for 2015! On this opening episode, Jeff Man joins us to talk truth to power on PCI-DSS and shatters myths for us.

In this episode

• Jeff tackles some common misunderstandings about PCI
• The crew discusses PCI – what’s right about it and what’s wrong about it
• Jeff tells us why he believes if you’re secure you’re compliant, but if you’re compliant you’re probably not secure
• The $64M question- Isn’t EMV, P2PE, and tokenization going to spell the end of PCI?
• Jeff tells us what to look forward to with PCI DSS v3.0

Guest

• Jeff Man ( @MrJeffMan ) - Mr. Man has 13 years of DoD experience (10 at NSA as a Cryptanalyst/Information Security Analyst), 18 years of commercial consulting – pen testing, vulnerability assessments, security architecture reviews, and 10 years as a QSA doing PCI (and yet he's never conducted a PCI audit and never been a CISSP). As a QSA he's been involved with most of the major companies that experienced breaches in the mid-2000’s (Walmart, TJX, Heartland) so he can speak with some credibility about recent breaches in the past year or so.

Hey everyone! We're almost done with 2014 and another new year is right around the corner. We thought this was the perfect time to sit back, relax a little and reflect on the year that was...and boy was it ever!

Jack Daniel & Allison Miller join Michael, James and I on the podcast to talk it all out, share a few chuckles and try to make sense of it all!

Thanks for listening everyone, it's been an epic year and we look forward to more awesome things in 2015!

In this episode

Attorney and CFAA expert Shawn Tuma joins us to talk about the US vs. Salinas case where Mr. Salinas was threatened with 440 years in jail, and now plead down to a misdemeanor. Prosecutorial discretion, or attorneys-gone-wild?

Link: http://www.wired.com/2014/11/from-440-years-to-misdemeanor/

Topics covered

• The unfolding case of the Sony Pictures Entertainment breach
  • http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html
  • http://www.thedailybeast.com/articles/2014/12/12/shocking-new-reveals-from-sony-hack-j-law-pitt-clooney-and-comparing-fincher-to-hitler.html
  • http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html
  • http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html
• The phishing scam that succeeded at hitting a big chunk of Wall Street - it probably would have fooled you too. Here's what we've learned
  • http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
• Iranian hackers hit Las Vegas behemoth with a sophisticated attacked ... wait it was a Visual Basic base?!
  • http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
• Judge refuses to dismiss case against Target, brought on by banks who are the ones who take the brunt of the losses-
  • http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target-for-2013-credit-card-hack/

In this episode

• Michelle explains to us what Enterprise Architecture is, and what it isn't
• Michelle gives her take on how both security and enterprise architecture both support each other
• We discuss the roll of standards, standards, standards - and why you can't have security without it
• We talk about GRC
• We talk through roles & responsibilities definition between security, architecture, and the rest of IT
• "Application Portfolio Rationalization" --the most impossible project. Ever.
• Michelle schools us on data, high-value assets, meta-data and the really hard topics for security
• Michelle gives us a series of examples of "HOW" we can find high-value assets, and start security there
• Michelle addresses the phrase "business alignment" since it's pivotal to enterprise architecture

Guest

• Michelle-Marie Strah ( @CyberSlate ) - Director, Enterprise Architecture at NBCUniversal – recently joined the newly formed Strategy and Architecture team at NBCUniversal designed to drive enterprise architecture, solutions architecture and innovation management across all companies in the NBCUniversal global portfolio. Previously she was at Microsoft Corporation worldwide headquarters where she was responsible for leading emerging markets cloud deployments, go to market and compete strategies in Latin America for public, private and hybrid cloud offers (both Azure and partner hosted clouds). As part of her role on the Applied Incubation Team she worked closely with partners, CIOs and government officials as well as internal CTO, legal, and chief security officer teams in the region to ensure privacy and security standards for government and private sector cloud adoption in Latin America. As an enterprise architect, Michelle specializes in governance, risk, compliance, information security and enterprise information management and has decades of experience in highly regulated industries, government, defense and healthcare.

Additional Links

• IBM Security Framework: http://www.redbooks.ibm.com/abstracts/sg248100.html?Open
• OSA: http://www.opensecurityarchitecture.org
• TOGAF: The Open Group Architecture Framework: http://www.opengroup.org/togaf/

Topics covered

• Sony Pictures is having a very, very bad couple of days - and it could keep getting worse.
  • http://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-security-compromise
  • http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html
• A newly discovered (but old) comment bug in Wordpress affects ~86% of sites. The story isn't what you think it is-
  • http://www.consumeraffairs.com/news/newly-discovered-comment-security-bug-affects-86-of-wordpress-blogs-112414.html
• The Australian government is blaming a data breach from February on ... "awareness"? Michael disagrees (and he's right).
  • http://www.esecurityplanet.com/network-security/australian-government-data-breach-linked-to-poor-security-training.html
• The public release of the research on Regin malware has it pegged as the most advanced thing since the computer - so what?
  • http://money.cnn.com/2014/11/23/technology/security/regin-malware-symantec/index.html?hpt=hp_t2
  • https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
  • Symantec whitepaper: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
• The Justice Department is using a 225 year old law to tackle a modern problem of encrypted cell phones through the manufacturer.
  • http://blogs.wsj.com/digits/2014/11/25/case-suggests-how-government-may-get-around-phone-encryption/
• The court system...works? 440 year jail threat down to a misdemeanor in no time flat
  • http://www.wired.com/2014/11/from-440-years-to-misdemeanor/
• Updates:
  • Target doesn't feel like all the banks' losses are their problem, here's why - http://arstechnica.com/tech-policy/2014/11/target-to-judge-banks-losses-in-our-card-breach-arent-our-problem/
  • In spite of the massive breach, Home Depot financial outlook is bright - http://www.forbes.com/sites/maggiemcgrath/2014/11/18/home-depot-outlook-bright-despite-data-breach/

In this episode

• We revisit the 'human' side of hacking
• Chris tells us all about the Defcon CTF his team has hosted
• We discuss the role human nature plays in social engineering, or "Why the bad guys always win"
• Chris gives us his tips for making it harder for social engineers
• Michael and Chris talk metrics and measuring "getting better"

Guest

• Chris Hadnagy ( @HumanHacker ) - Chris Hadnagy (author of Social-Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security) is a speaker, teacher, pentester, and recognized expert in the field of social engineering and security.
  
  Chris Hadnagy is the President and CEO of Social-Engineer, Inc. He has spent the last 16 years in security and technology, specializing in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit.
  
  Chris is a graduate of Dr. Paul Ekman’s courses in Microexpressions, having passed the certification requirements with an “Expert Level” grade. He also has significant experience in training and educating students in non-verbal communications. He hold certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP).
  
  Finally, Chris has launched a line of professional social engineering training and penetration testing services at Social-Engineer.Com. His goal is to assist companies in remaining secure by educating them on the methods used by malicious attackers. He accomplishes this by analyzing, studying, dissecting, then performing the very same attacks used during some of the most recent incidents (i.e. Sony, HB Gary, LockHeed Martin, Target, etc), Chris is able to help companies understand their vulnerabilities, mitigate issues, and maintain appropriate levels of education and security.
  
  Chris has developed one of the web’s most successful security podcasts, The Social-Engineer.Org Podcast, and the equally-popular SEORG Newsletter. Over the years, both have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff.
  
  You can find Chris's articles for local, national, and international publications and journals, including Pentest Mag, EthicalHacker.net, and local and national Business Journals.

Links:

• Social Engineer Org - Your one-stop place for podcast, newsletter, and all things social engineering from Chris's team - http://www.social-engineer.org/
• SECTF Report - http://www.social-engineer.org/ctf/social-engineer-inc-releases-annual-report-def-con-22-social-engineering-capture-flag-sectf-contest/
• Social Engineer, Chris's company - http://www.social-engineer.com/

Note: The hashtag for the show on Twitter has changed, please connect with us using #DtSR going forward. Thanks!

Topics covered

• Update: Home Depot breach (Hint: apparently it was a 3rd party entry point)
  • Story: http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html
  • Apparently as a reaction, all execs are being switched to iDevices (blame Windows? and why only execs?) - http://www.imore.com/home-depot-switches-execs-iphones-macbooks-it-blames-windows-massive-breach
  • Also, they lost ~53 Million email addresses too - http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
• American Express is pushing tokenization to their payment ecosystem, this is big news but leaves a lot more questions and concerns than answers (for example- what about chip & pin (sign)? )-
  • Story: http://threatpost.com/american-express-brings-tokenization-to-payment-cards/109137
  • Check out the standard itself: http://www.emvco.com/download_agreement.aspx?id=945
• Flaw found (in a lab) in the VISA EMV protocol, but is it realistic to do this kind of "immense fraud" in outside the lab, in real life?
  • Story: http://www.cio.com/article/2842994/flaw-in-visa-cards-could-ring-up-a-very-large-fraud.html
• The FTC further exerises its (Constitutional?) powers to take down fake "Support call scammers" and is on track to some public fanfare-
  • Story: https://nakedsecurity.sophos.com/2014/10/26/ftc-takes-down-fake-support-scammers-upbeat-about-getting-consumers-money-back-poll/
• Connecticut Supreme Court paves the way for class-action suit in HIPAA breach/violation. Big question- is this good for anyone other than the lawyers? Will it just add to the rising cost of healthcare, or is this doing some good?
  • Story: http://www.ctlawtribune.com/home/id=1202676138225/Conn-Supreme-Court-HIPAA-Decision-Likely-to-Spawn-More-Litigation
• A "spying software" that can spot a phone theft in "2 minutes"? Call us skeptical, and leary-
  • Story: http://www.fastcodesign.com/3038031/spying-software-spots-phone-theft-in-2-minutes-no-password-needed
• Starwood Hotels is going keyless with iPhone & iWatch integration for room entry. A great idea, if it's free of the usual security bugs.
  • Story: http://www.theipadfan.com/starwood-hotel-rooms-now-keyless-with-iphone-and-apple-watch-app-integration/
  • Michael's take on the story: http://www.csoonline.com/article/2691383/security-leadership/what-did-you-expect-to-happen-when-you-bought-the-electronic-lock.html
  • Episode 111, where we briefly cover this topic in detail via the Onity court case: http://podcast.wh1t3rabbit.net/dtr-episode-111-newscast-for-september-22nd-2014
• Breaches
  • BrowserStack goes down, gets transparent and honest, promises to come back stronger - http://www.browserstack.com/attack-and-downtime-on-9-November
  • "Massive" USPS data breach identified, hits customers and employees (cue the lawsuits!) - http://www.cnn.com/2014/11/10/politics/postal-service-security-breach/index.html?hpt=hp_t2
  • NOAA breached by .... China! - http://www.eweek.com/security/noaa-other-u.s.-agency-security-breaches-connecting-the-dots.html
  • State Department shuts down unclassified email system, after spotting "activity of concern" - http://www.nytimes.com/2014/11/17/us/politics/state-department-targeted-by-hackers-in-4th-agency-computer-breach.html?_r=0

In this episode

• Adam and Dmitri discuss what is (and what isn't) threat intelligence
• We discuss strategic, tactical and operational security intelligence
• Who is using threat intelligence, and how?
• Adam talks about the success factors, key points, and trends
• Michael asks how an organization can know whether they're READY for a threat intelligence program
• Adam explains the term "finished intelligence"
• Adam describes tactical intelligence, while Dmitri gives his take on strategic intelligence
• We discuss the merits of education and awareness - first
• How important is attribution, really?
• 3 critical things an enterprise *must be doing* before jumping into threat intelligence as a program

Guests

• Adam Meyers ( @adamcyber ) - Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam’s responsibility to oversee all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Adam’s Global Intelligence Team supports both the Product and Services divisions at CrowdStrike and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. He served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. He also provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. During his tenure at SRA International, Adam also served as the Product Manager for SRA’s dynamic malware analysis platform Cyberlock.
• Dmitri Alperovitch ( @dmitricyber ) - Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike Inc., leading its Intelligence, Technology and CrowdStrike Labs teams.  A renowned computer security researcher, he is a thought-leader on cybersecurity policies and state tradecraft.  Prior to founding CrowdStrike, Dmitri was a Vice President of Threat Research at McAfee, where he led company’s global Internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light Operation Aurora, Night Dragon and Shady RAT groundbreaking cyberespionage intrusions, and gave those incidents their names. In 2013, Alperovitch received the prestigious recognition of being selected as MIT Technology Review’s “Young Innovators under 35” (TR35), an award previously won by such technology luminaries as Larry Page and Sergey Brin, Mark Zuckerberg and Jonathan Ive. Alperovitch was named Foreign Policy Magazine’s Leading Global Thinker for 2013, an award shared with Secretary of State John Kerry, Elon Musk and Jeff Bezos. He was the recipient of the prestigious Federal 100 Award for his contributions to the federal information security in 2011 and recognized in 2013 as one Washingtonian’s Tech Titans for his accomplishments in the field of cybersecurity. With more than a decade of experience in the field of information security, Alperovitch is an inventor of eighteen patented technologies and has conducted extensive research on reputation systems, spam detection, web security, public-key and identity-based cryptography, malware and intrusion detection and prevention. Alperovitch holds a master's degree in Information Security and a bachelor's degree in Computer Science, both from Georgia Institute of Technology.

In this episode

• Jeff explains a little bit about who Norse is, and why they were potentially targeted with a DDoS
• We discuss what a DDoS is, how it becomes effective, and what methods/tools attackers use (in this case SNMP v2 reflection)
• We talk about threat intelligence (reputational intelligence) and how companies and intelligence platforms can leverage this data to decrease risks actively

Guest

• Jeff Harrell ( @jeffharrell ) - Jeff Harrell is the Vice President of Product Marketing at Norse, the leader in live attack intelligence. Jeff has over 15 years of experience in the IT Security industry leading product management and product marketing teams to build and market security solutions from end users to large enterprises. Jeff’s areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.

Additional Links

• The attack map Jeff talked about: http://map.ipviking.com
• Blog post from Norse on the DDoS: http://blog.norsecorp.com/category/featured/2014/11/06/video-norse-live-attack-map-hammered-by-1-5-gbps-ddos-attack/

Topics covered

• Banks urging shoppers not to avoid breached retailers - Companies that get breached impact card holders minimally, at least as far as we can tell, right?
  • http://www.kcentv.com/story/26887771/local-bank-leaders-no-need-to-avoid-hacked-retailers-during-holidays
• Federal officials (FBI, US SS) are making a big push to be your source for cyber-security help - Interesting that this comes up at a time when everyone is fighting back against government meddling/surveillence
  • http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
• The FCC flexes its muscle in a pair of fines totalling a paltry $10m for egregious security violations - Of course, the people who have had their privacy and security violated see none of this big-telco pocket-change...
  • http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/24/with-a-10-million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/
• Congress doesn't crant FBI ability to prevent mobile encryption .. undoubtedly ushering us into "a very dark place" - for once, Congress did something useful by doing what it's famous for, nothing
  • http://www.theregister.co.uk/2014/10/22/fbi_apple_grapple_congress_kills_cupertino_crypto_kibosh/
• Insurance companies fighting to get data breach coverage removed from general liability policies - isn't this obvious? I think this is one of the last shoes to drop before things move forward, finally
  • http://www.businessinsurance.com/article/20141026/NEWS07/141029850

In this episode

• Chris attempts to explain the consternation with 'security research' right now
• Kevin gives his perspective and why he doesn't quite understand why people don't see they're "breakin' the law"
• Shawn discusses what parts of the CFAA he would like to see reformed
• James drops the question - "What is a security researcher?" ..and rants a little
• Kevin talks about why the security industry needs to self-regulate w/example
• Chris and Kevin debate intent, and "stepping over the line"
• Chris brings up the issue of bug intake at a large company
• Spirited discussion about intent, regulation, actions and separating emotion from facts

Guests

• Chris John Riley - ( @ChrisJohnRiley ) - Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years of experience in various aspects of Information Technology, Chris now focuses full time on Information Security with an eye for the often overlooked edge-case scenario. Chris is one of the founding members of the PTES (Penetration Testing Execution Standard), regular conference attendee, avid blogger/podcaster (blog.c22.cc / eurotrashsecurity.eu), as well as being a frequent contributor to the open-source Metasploit project and generally getting in trouble in some way or another. When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.
• Shawn Tuma - ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.
• Kevin Johnson - ( @SecureIdeas ) - Kevin is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub.

Topics covered

• The FBI paid a visit to the "researcher" who revealed (and tinkered with) the hacked Yahoo! servers - we discuss the various aspects of this case, which we've been going round and round on lately
  • http://www.wired.com/2014/10/shellshockresearcher/
• US Cyber Security Czar Michael Daniel wants us passwords gone, replaced by <drumroll please> .... "selfies"; We wish we were making this one up or the link was to an Onion article, but sometimes the jokes write themselves in a sad, sad way
  • http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/
• Pres. Obama has issued an executive order that all government payment cards now must be "chip & pin"; once again underscoring that "just do something" may be worse than actually doing nothing -- we'd love to hear your thoughts?
  • http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions
• Notable data breaches discussed:
  • K-Mart - http://www.theregister.co.uk/2014/10/12/kmart_cyber_attach/
  • Dairy Queen - http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
• POODLE, the latest OMG SSL vulnerability; is this really that big a deal that there is a public vulnerability in a protocol that should have become extinct at the turn of the century? (Hint: Sadly, yes)
  • http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/

In this episode

• Ron gives us a brief history of Tenable and TVM for the enterprise
• Ron answers "How do you make network security obtainable and defendable?"
• We discuss TVM as a fundamental principle to many other security program items
• Ron tells us what the modern definition of "policy" is
• We discuss some hurdles and challenges of TVM programs in an enterprise
• We note that security scanning can always break stuff - so how do you get around that?
• Ron tells us why TVM is so much more than scanning
• Michael asks "Why are so many companies stuck in a Prince song (1999)?"
• We attempt to tackle - compliance, risk, and managing to a goal
• Ron answers the question - "Are we getting any better?"

Guest

• 
  Ron Gula ( @RonGula ) - CEO and CTO at Tenable Ron co-founded Tenable Network Security, Inc. in 2002 and serves as its Chief Executive Officer and Chief Technology Officer. Mr. Gula served as the President of Tenable Network Security, Inc. He served as the Chief Technology Officer of Network Security Wizards which was acquired by Enterasys Networks. Mr. Gula served as Vice President of IDS Products and worked with many top financial, government, security service providers and commercial companies to help deploy and monitor large IDS installations. Mr. Gula served as Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked at BBN and GTE Internetworking where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. He was the original author of the Dragon IDS. Mr. Gula has a BS from Clarkson University and a MSEE from University of Southern Illinois.

Topics covered

• The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ...well we talk about it with an attorney and some necessary skepticism
  • https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD
  • My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html
• A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots
  • http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation
• A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware
  • http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app
• The code for the badUSB attack was published and released at DerbyCon - we discuss implications
  • http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
• Cedars-Sinai Medical Center loss of data is much worse than they thought, but it's actually worse than that - a teachable moment here-
  • http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story.html

Thank you to Shawn Tuma - an attorney specializing in CFAA and a good friend of our show - for stopping by and lending his expertise on this episode. If you enjoy Shawn's insights, consider following him on Twitter ( @ShawnETuma ) or just saying hello!

In this episode

• We discuss the CFAA in regards to Robert Graham's brilliantly written blog post on the topic - http://blog.erratasec.com/2014/09/do-shellshock-scans-violate-cfaa.html
• Shawn gives some key insights on the CFAA including historical context
• Michael asks some tough questions on the discretion and applicability of CFAA prosecution
• James goes on a rant about "security researchers" (it's a gem)
• I'm pretty sure Shawn goes on the record saying security researchers should be credentialed..or was that me?
• We get some advise from Shawn on where this topic goes next, and how to avoid being a target of prosection

Guest

• Shawn Tuma - ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.

In this episode

• DREAMR: What is it, and why is it so important to Enterprise Security today?
• Examples of aligning business and security requirements and winning hearts & minds
• How does a security organization get around "see I told you so!" security
• An example of how to make the framework work for you
• We discuss the importance of listening, then listening, then listening some more
• Jessica and Ben explain "accomodating" the business
• Jessica and Ben give us "One critical piece of advice"

Guests

• Jessica Hebenstreit ( @secitup ) - Jessica Hebenstreit has been a member of the Information Security community for over a decade. Having worked on both the technical and business sides of various enterprises, Hebenstreit has a unique perspective that allows for more understanding when balancing competing interests. She is a successful and results-oriented Information Security expert with hands-on information security experience in security monitoring, incident response, risk assessment, analysis, and architecture and solution design. She holds the following certifications, CISSP, GIAC-GSEC, CRISC and SFCP. In March 2012, she earned her Masters of Science in IT (MSIT) specializing in Information Assurance and Security. She is currently the Manager of Security Informatics - Threat Analysis and Response at Mayo Clinic.  She is building a smart response architecture for incident response from the ground up.
• Ben Meader ( @blmeader ) - Ben Meader is a Senior Security professional with a unique blend of technical acumen and business know-how. Meader’s security thought leadership has been battle tested at multi-national firms over the past 13 years ranging from network security and operational security to performing detailed risk assessments and implementing a firm-wide privacy program. He remains up to date in both security and business having received his M.B.A. from DePaul University and has a current CISSP. He is also active in the entrepreneurial community and is Co-Founder of a mobile application company on the side. His education and range of experiences in working with firms both large and small have given him a unique perspective on the role of security within different business cultures and how competing philosophies can collide.

Topics covered

• Hacker flees US for non-extradition country - why?
  • http://blog.erratasec.com/2014/09/hacker-weev-has-left-united-states.html
  • http://www.newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison
• Class-action lawsuit againt Onity lock company ("easily hackable hotel lock") rejectd by judge
  • https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml
  • http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
  • http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/
• Home Depot - the dirt start to fly
  • http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
  • https://privacyassociation.org/news/a/following-breach-report-shows-home-depot-has-105-million-in-coverage/
  • https://privacyassociation.org/news/a/2013-05-01-supreme-court-wiretap-ruling-upholds-stringent-standing-to-sue/

In this episode

• Separating the hype from reality of the Chinese hacking threat
• The escalation of economic tensions between US & China, over hacking
• What is the advice for the enterprise regarding state-sponsored attacks?
• The challenge with the uni-directional intelligence flow for government/enterprise
• The challenge with nation-state hacking of critical infrastructure
• The worst-case scenario (quietly happening?)
• Directly addressing the various APT reports (specifically APT1)
• Does a cyber attack warrant a kinetic response?
• Attribution is hard. Is it more than black-magic, and is anyone doing it right?
• The great disconnect between the keyboard jockey and real-life consequences

Guest

• Bill Hagestad II ( @RedDragon1949 ) - Internationally recognized cyber-intelligence & counter-intelligence professional. Technical, cultural, historical and linguistic analysis of foreign nation state cyber warfare capabilities, intents & methodologies...
  Listed on Forbes Magazine as : "20 Cyber Policy Experts To Follow On Twitter". Bill can be found on LinkedIn at - www.linkedin.com/in/reddragon1949

Topics covered

• Apple has been making news, issuing guidance, and refuting a hack - all around iCloud
  
  • http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/
  • http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/
  • http://www.cio-today.com/article/index.php?story_id=94027
• HealthCare.gov was hacked, but no worries it was only a test server and no 'data was taken/viewed'. Does this sound like something you've faced in the enterprise ... hmmmm?
  If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat.
  • http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior
  • http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html
• Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (did you Buy The Dip? h/t @DearestLeader )
  • http://seekingalpha.com/article/2478055-home-depot-potential-data-breach-may-have-presented-a-good-opportunity-to-buy-the-stock
  • http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
  • http://www.csoonline.com/article/2601082/security-leadership/are-you-prepared-to-handle-the-rising-tide-of-ransomware.html
• Norway's Oil & Gas industry is now the target of hackers, seeking to get intelligence on production, exploration - and that all-important state-sponsored competitive edge.
  • http://www.thelocal.no/20140827/norwegian-oil-companies-hacked
• Google is deprecating (in a big way) the use of SHA-1 in certificate way ahead of the set schedule. Is this "Google the game-changer" or "Google the bully"? You decide - tweet us at #DtR
  • http://www.csoonline.com/article/2602108/security-leadership/do-you-agree-with-googles-tactics-to-speed-adoption-of-sha-2-certificates.html
  • http://www.zdnet.com/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous-7000033159/

In this episode

• We discuss the largest challenges in the state government sector
• Brian discusses balancing the need for openness versus security/secrecy
• Phil talks about the challenge of balancing policy with agency needs in state government
• Michael asks how state-level security justifies and prioritizes security requirements
• Raf asks how policy is created that can be both effective, and broad
• The group talks about metrics, policy implementation, and showing value to protecting citizens
• The guys answer "What's the best piece of advice you've gotten in your career?

Guests

• Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 27002, PCI-DSS, HIPAA). Confident leader, problem solver, relationship builder, technical communicator, public speaker, presenter, and security evangelist. Fast-paced learner with a strong work ethic and self-starter attitude.
• Brian Engle ( @brianaengle ) - Currently the Chief Information Security Officer & Texas Cybersecurity Coordinator who is a results-oriented executive and leader with over 20 years of progressive experience in Information Technology and Information Security across the government, healthcare, manufacturing, financial services, technology, telecommunications and retail verticals. His specialties include risk management, project management, and cost effective delivery of appropriate security solutions within organizational risk tolerances. Consummate generalist with a background in effective incident management, security and network operations, vulnerability and threat management, as well as technical compliance evaluation and gap analysis.

Topics covered

• Community health systems and UPS Stores breached - an analysis and contrast of the two breaches, the data, and the common message
  
  • http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf
  • http://blogs.wsj.com/cio/2014/08/20/the-morning-download-community-health-systems-breach-stirs-up-heartbleed-fears/
  • http://time.com/3151681/ups-hack/
• The case of the pre-mature declaration of BYOD death, via an over-hyped court case?
  • http://www.cio.com/article/2466010/byod/court-ruling-could-bring-down-byod.html
• "Shadow clouds" (cloud services consumed by enterprises, not approved by security) are on the rise. No one on the show is shocked, and you aren't either.
  • http://www.computerworld.com/s/article/9250606/Shadow_cloud_services_pose_a_growing_risk_to_enterprises
• FaceBook gives the $50,000.00 away for the "Internet Defense Prize" joining Microsoft in trying to make being defensive-minded (and actually solving some security problems, rather than continuing to point them out) sexy
  • http://threatpost.com/new-facebook-internet-defense-prize-pays-out-50000-award

In this episode

• Jason tells us why he isn't hating on compliance
• Jason talks about how security people are often the source of the issues
• Jason gives us his perspective on compliance-driven security
• Jason correlates compliance to quality assurance in security
• We talk about security's unbroken streak of failing at the basics
• We lament poor metrics, why we suck at them, and what comes next
• We discuss how you can tell whether an investment in security 'is working'
• We discuss the need for repetitive and consistent security
• Jaason gives us his three things that he wants to leave you with

Guest

• Jason Oliver ( @jasonmoliver ) - Jason M Oliver, CISSP, CRISC is the Chief and CEO of Tikras Technology Solutions Corp, a Native American Owned Small Business, President at Arrow Ventures, a seasoned security industry veteran, leader, and lifelong pursuer of knowledge. His unique approach to solving security issues involves individualized plans tailored to meet each specific customer’s needs. His high level of unwavering integrity has been met by the highest regard from both customers and peers.

Topics covered

• Survey shows CISOs still struggle for respect (from business peers)
  • http://www.cio.com/article/2460165/security/cisos-still-struggle-for-respect-from-peers.html
• Hold Security uncovers 1.2 billion password heist on Russian hacker sites (but something smells funny) - draw your own conclusions folks... I'd love to hear 'em
  • http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
  • http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/
  • https://identity.holdsecurity.com/Submit/
  • http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
• Yet another Android core software blunder, called "Fake ID", essentially gives "highly privileged malware" a free ride.
  • http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
• HP study says 70% of "Internet-of-Things" (IoT) vulnerable. There's a shock, we're carrying around legacy baggage? Perish the thought.
  • http://h30499.www3.hp.com/t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284
• Civilian sector is better than the military at Cyber-War exercise. *rollseyes*
  • http://www.navytimes.com/article/20140804/NEWS04/308040019/In-supersecret-cyberwar-game-civilian-sector-techies-pummel-active-duty-cyberwarriors?sf29369064=1
• Target booking $148M due to data breach
  • http://fortune.com/2014/08/05/target-data-breach-profit/
  • http://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec
• PF Chang's does an astonishingly good job at being transparent about their breach(es)
  • http://www.bankinfosecurity.com/pf-changs-breach-33-locations-hit-a-7153/op-1

In this episode

• Who is J.W. Goerlich (redux from episode - 
• How did he get to where he is now?
• How does the security executive deal with the "moving finish line"?
• JW discusses how 'security' people can break down barriers between "us" and "them"
• We discuss why we still fail at the basics, and what all this means...
• JWG tries to talk about his favorite controls framework
• We discuss what difference it makes where the CISO reports in the enterprise
• What will the CISO be, or need to do, in ~3-5 years?
• We discuss hiring into InfoSec - from outside, or within ... and why?
• JW gives us the one thing you need to remember

Guest

• J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout product lifecycle in process and efficiency gains.

Topics covered

• Certificate pinning back in the spotlight with the GMail iOS app having some difficulties, but there is a bigger issue here. We discuss.
  • http://securityaffairs.co/wordpress/26577/hacking/gmail-app-flaw-mitm.html
• Nearly 3 years later, the NASDAQ hack attributed to FSB/Russian 'state sponsored' hackers, via 2 "zero day malware'. Highlighting need for attribution, common language, and other issues in security.
  • http://www.infosecurity-magazine.com/view/39397/nasdaq-hackers-used-two-zero-days-but-motives-a-mystery/
• Cyber insurance - is this a forcing function to improve overall security, or yet another carpet to sweet security problems under?
  • http://www.reuters.com/article/2014/07/14/us-insurance-cybersecurity-idUSKBN0FJ0B820140714
• A judget has just ruled that your "GMail account" has the same legal (or lack thereof) protections as a hard drive you own. Dangerous precedent, or nothing new?
  • http://nakedsecurity.sophos.com/2014/07/22/your-gmail-account-is-fair-game-for-cops-or-feds-says-us-judge/
  • also relevant - http://nakedsecurity.sophos.com/2013/08/14/google-says-gmail-users-cant-expect-privacy/

Not discussed, but interesting reads:

• "Operation Emmental" is an assault against 2FA and online banking
  • http://secureidnews.com/news-item/operation-emmental-attacks-online-banking-and-2fa/
• Looks like healthcare is next on the list of verticals targetted... filed under things we all suspected, but will soon see
  • http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/ h/t to Eric Cowperthwaite

In this episode

• Jim Tiller - a few things you probably didn't know?
• In the last 15 years, what has changed, and what hasn't?
• Why isn't security moving forward?
• "Complexity is the camouflage for bad guys" -Jim
• Chasing the moving line of 'security'
• "Fixing the airplane as it flies"
• How do enterprise security organizations push away from playing 'prevent' permanently?
• Fundamentals, fundamentals, fundamentals ... you're still failing
• What things are CISOs doing that they're NOT right now?
• Where will security be, as a discipline, in 10 year?

Guest

• Jim Tiller ( @Real_Security ) - Jim has been in the security industry since the very early 90’s and has continued his mission in working with individuals, groups, organizations, and companies around the world to collaborate, develop, and implement business aligned security strategies and technologies. Through his career he's worked with and in numerous organizations for the advancement of information security technologies, practices, and standards and through these activities help organizations achieve their goals. Find Jim on LinkedIn here.

Topics covered

• Florida Information Protection Acf of 2014 is in the books, and it brings "sweeping changes" to the data breach disclosure process in Florida. Good thing or bad? You decide
  • http://www.scmagazine.com/fla-passes-sweeping-data-breach-notification-bill/article/357858/
  • http://www.flsenate.gov/Session/Bill/2014/1526/?Tab=RelatedBills
  • http://www.flsenate.gov/Session/Bill/2014/1524
• The DoJ has nabbed a 'prolific hacker'... a Russian national. Russia calls it kidnapping. Tensions flare. Again.
  • http://mashable.com/2014/07/08/russian-man-hacking-retailers/
• Chinese man charged with industrial espionage
  • http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
• US Banks are calling for a "Cyber War Council" (so much wrong here, it's incredible...)
  • http://www.businessweek.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council#p2
• The ultra-ultra-legacy code problem and why we're not getting security any higher up the ladder any time soon
  • http://www.businessweek.com/articles/2014-06-25/the-talent-that-keeps-your-50-year-old-software-running-is-retiring-dot-now-what
• Payroll processing company Paytime was hacked and breached. But in the midst of the rush to file law suits, at least one company is pledging to stand by Paytime in this rough time... sanity prevails?
  • http://www.witf.org/news/2014/07/at-least-one-company-stands-by-paytime-after-data-breach.php

In this episode

• Who is Dan Geer (just in case you live in a cave and don't know)
• Dan's definition of security - "The absence of unmitigatable surprise"
• What exactly is the pinnacle goal of security engineering?
• Responsibility, liability and when software fails as a result of security issues
• In a liability lawsuit - "What did you know, when did you know it?"
• The fraction of the population who could sign an "informed consent" is falling - so now what?
• Why ICANN is actually making all of this so much worse
• What do we do about "abandoned software"?
• Fixing security bugs in software is a tricky business...good, bad, worse
• Are things getting better [in security]?
• Dan talks about a "diversity re-compiler" and how we can make the exploit writer's job harder
• (from Jason White) -What "low hanging fruit" issues are we simply not addressing properly right now?
• (from Jason White) If the Internet were being built from scratch today, what would you keep and throw away?

Guest

• Dan Geer - Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security.
  
  Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency.
  
  In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public. Geer has cited subsequent changes in the Vista operating system (notably a location-randomization feature) as evidence that Microsoft "accepted the paper." --http://en.wikipedia.org/wiki/Dan_Geer

Topics covered

• Your server may have a hardware flaw that exposes your baseband management interface to the world - http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
• Airports are getting hacked, APT involved, state-sponsored attackers! - http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/
• PayPal flaw renders 2-factor auth on mobile useless, disabled temporarily while they work on fix - http://www.darkreading.com/mobile/paypal-two-factor-authentication-broken/d/d-id/1278840?
• FTC vs. Wyndham: another shoe drops, the FTC takes a hit while Wyndham scores a win - http://www.mediapost.com/publications/article/228730/judge-authorizes-wyndham-to-appeal-data-security-r.html
• Dilbert says it best - http://dilbert.com/strips/comic/2014-05-19/

In this episode

• What exactly is "GRR"?
• What sorts of things can GRR do?
• What is a hunt, and how does it scale across tens of thousands of machines?
• How does GRR "hide" from malware?
• How does GRR keep some of the great power it has from being abused?
• Automating and integrating GRR with external sources and tools
• Features, functions, capabilities and some magic from Greg
• The future features, requests, and direction of GRR

Guest

• Greg Castle - Greg has 10 years experience working in computer security. In his current role as Senior Security Engineer at Google, he is a developer and user of the open-source GRR live-forensics system. He also has strong interest and involvement in OS X security, having been responsible for the security of Google's OS X fleet for two years. His pre-Google job roles have included pentester, incident responder, and forensic analyst.

Links

• Grr Rapid Response - https://code.google.com/p/grr/

Note: I want to thank Will Gragido for stopping by this morning to talk over the news with us. Always great to have someone with a fresh perspective, I hope you enjoy the show.

Topics Covered

• Don't like Google Glass (or similar devices) on your network? Kick them off - http://mashable.com/2014/06/04/glassholes-wifi-jamming/
• The FAA has issued an order for Boeing to 'protect the planes from computer hackers' ... but what is really going on here? - http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/
• APT, APT, APT, APT ... evolved APT? - http://www.csoonline.com/article/2158775/security-leadership/why-you-need-to-embrace-the-evolution-of-apt.html
• After getting breached, PF Chang's goes "old school"; sounds legit, right? - http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/
• Why preparation is a good idea, even when it comes to 'cyber' - http://www.csoonline.com/article/2360748/security-leadership/using-a-cyber-war-exercise-to-improve-your-security-program.html
• Feed.ly gets DDoS'd, extorted and we're mad as hell - http://www.forbes.com/sites/jaymcgregor/2014/06/12/feedly-goes-down-again-in-second-ddos-attack/
• Target hires a (good) CISO, Brad Maiorino, so why are people getting all bent out of shape over where he reports in the organization? - http://blog.wh1t3rabbit.net/2014/06/getting-wrapped-around-ciso-reporting.html

My apologies for some of the skips in this episode - we had some difficulty with the recording and ultimately I hope it doesn't take away from Joe's wonderful message.

Thanks for your patience.

In this episode

• From CISO to CIO - making that leap
• Does the CISO need to be technical? (answering that question, again)
• What types of things does a CIO need to know?
• Who should the CISO report to?
• Any chance the CISO reporting structure shifts around?
• A "Chief Data Officer"?
• Are there too many 'splintered' job titles in the security/risk role?
• Responsibility, accountability, and where the buck stops
• What are 3 things security does right, and what are 3 things that we do terribly?
• How big should your security budget be? (trick question)
• What KPIs should security be reporting to the CIO? (the hardest question ever)
• What resources are there for CIOs?

Guest

• Joe Riesberg ( @JoeRiesberg ) - Joe is currently the CIO of Drake University. Previos to his current role, he was the Senior Vice President, Global IT Security Services Director at Aviva plc. His LinkedIn profile can be found here: https://www.linkedin.com/pub/joe-riesberg/1/a81/931

Note: Today, Kim Halavakoski joined us on the show to provide perspective all the way from Finland! We appreciate his international addition to the show, and hope the listeners enjoy the added brainpower.

Topics covered

• Facebook's next major update will turn your mobile device into an always-on listening tool for FaceBook. This is a good time to remind you that you are the product, not the customer - http://www.ibtimes.com/facebook-microphone-update-store-data-social-media-giant-confirms-new-feature-will-1588916
• In a blow to security professionals' ego everywhere, investors apparently aren't swayed by data breaches - http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches
• The US's indictment of 5 Chinese nationals for 'state sponsored industrial espionage' is apparently backfiring (or at least it is in the media) - http://www.bloomberg.com/news/2014-05-27/china-said-to-push-banks-to-remove-ibm-servers-in-spy-dispute.html
• Now that there is a hack to enable WinXP SP3 computers to masquerade as Point-of-Sale terminals and receiving updates ...should you even consider this? Hint: NO - http://blog.wh1t3rabbit.net/2014/05/hacking-registry-to-keep-windowsxp.html
• Target's Audit Committee is under fire for the data breach, but who's really, really at fault? An interesting perspective from Forrester - http://blogs.forrester.com/renee_murphy/14-05-29-dont_blame_targets_audit_committee_for_the_sins_of_technology_management

In this episode

• Jeff explains the background of the relationship between the US government, ICANN and IANA
• What is the ITU and why is this $0 contract handoff to the ITU such a big deal?
• What impact did Edward Snowden's actions have on the issue?
• The potential issues with DNS, cross-border censorship and DNS
• The importance of Tor, Freenet and challenges of implementation
• Discussing the evolution of services like Tor through "nation-state firewalls"
• Changing the image of anonymous services
• Making Tor and similar services more user-friendly, and more prevalent

Guest:

• Jeff Moss ( @TheDarkTangent ) - Jeff, also known as The Dark Tangent, is an American hacker, computer security expert and internet security expert who founded the Black Hat and DEF CON computer Hacker conferences. His Wikipedia page can be found here.

Announcements:

• I want to thank Circle City Con as a sponsor for the show! I have one more ticket to give away ... so watch the #DtR hashtag on Twitter!
• Thanks to special guest Philip Beyer for sitting in James' seat this morning...

Topics discussed

• "US charges China with cyber-spying on American firms" (Hello, pot? this is the kettle...) - http://www.nbcnews.com/news/us-news/u-s-charges-china-cyber-spying-american-firms-n108706
• Should we be thinking about security beyond win/lose (aka "oh no, hackers are winning!") - http://www.csoonline.com/article/2156104/security-leadership/thinking-about-security-beyond-winning-and-losing.html
• Retail Industry Leaders Association (RILA) has launched their own ISAC-like entity called Retail Cyber Intelligence Sharing Center (R-CISC) - http://associationsnow.com/2014/05/retail-group-launches-sharing-tool-cyber-threats/
• A recent survey tells us that a whopping 43% of all identity theft in 2013 happened in healthcare ( W O W ) - http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/
• Self-driving cars, making life-and-death decisions (this should terrify you) - http://www.wired.com/2014/05/the-robot-car-of-tomorrow-might-just-be-programmed-to-hit-you/

In this episode

• Dan gives us the reality of living in what is commonly termed "the post-breach" world
• Dan and Robin talk through the explosion in the numbers of malware samples
• We discuss the different approaches to malware, crimeware, and the cross-over between them
• Dan explains what "rapid incident response" really means and why it's essential
• Dan and Robin give us some excellent examples of incident preparedness fundamentals
• Dan gives us a lesson on implementing 'powerful tools' (and forgetting about them)
• We talk through "who's doing it well?" (and we don't get a very hopeful answer)
• Is it time to learn from our own and others mistakes? (how?)

Guests:

• Robin Jackson ( @rjacksix ) - Robin is an incident response and digital forensics specialist for HP Enterprise Security Services.
• Dan Moore - Dan is an incident response and digital forensics specialist for HP Enterprise Security Services.

Topics dicussed

• Microsoft has issued a patch for the massive MS IE flaw - for WindowsXP! - http://arstechnica.com/security/2014/05/microsofts-decision-to-patch-windows-xp-is-a-mistake/
• Is Open Source Software more or less secure than closed-source? (in a post-Heartbleed era) - http://www.telegraph.co.uk/technology/internet-security/10769996/Heartbleed-the-beginning-of-the-end-for-open-source.html
• Target's CEO has stepped down, but what's the real reason and is there now opportunity for change? - http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/ and http://www.latimes.com/business/money/la-fi-mo-target-ceo-resigns-20140505,0,4479532.story
• Biometrics (specifically fingerprints) aren't as secure or unique as we'd like them to be, so ... paswords? - http://www.telegraph.co.uk/science/science-news/10775477/Why-your-fingerprints-may-not-be-unique.html

In this episode

• We discuss some of the new techniques auto insurance companies are using to custom-tailor rates to drivers
• Our guest discusses some of the capabilities of the widgets available
• Our guest discusses the 'call home' functions, and potential mis-use
• We use 'big data' seriously
• We talk about 'big data' and security - for real
• Our guest gives us a realistic view about the type of data that's out there about your driving, habits, and tracking

Guest

• Our guest is an industry insider, who for obvious reasons chose not to identify himself. We respect the guest's position, and kindly ask that our listeners do as well.

Hey listeners!

Thanks to everyone who's put us in their RSS feed and regularly grabs the latest content. I just ran a running average of the last 20 episodes, and as of right now we're averaging ~802 downloads/episode. That's awesome, and so much more than I ever thought this show would grow to! It's all thanks to you, for listening, spreading the word, and being fans.

As we near episode 100 I promise you an episode you'll want to listen to, and share with those you know. James and I are working hard to make it special, with a guest that's ... well ... you'll see.

Thanks for being a fan.

/Raf & James

Topics discussed

• The big story - "Heartbleed"
  • http://www.csoonline.com/article/2142626/security-leadership/how-you-need-to-respond-to-heartbleed-and-how-you-can-explain-it-to-others.html
  • http://www.csoonline.com/article/2146141/disaster-recovery/healthcare-gov-urges-password-resets-due-to-heartbleed.html
  • http://xkcd.com/1354/
  • http://rt.com/news/heartbleed-arrest-canada-security-016/
• The "hacker*" known as "Weev" is free ...on a technicality, and why this is bad, very very bad, for our industry
  • http://techcrunch.com/2014/04/11/weev-is-free/
• "Ramshackle Glam" - how one blogger had to go to extraordinary lengths to get her site back, and what you can learn from it
  • http://mashable.com/2014/04/02/ramshackle-glam-hacking/
• The FTP's lawsuit of Wyndham Hotels was allowed to proceed by a federal judge - and why this is a very dangerous precedent
  • http://www.fiercegovernmentit.com/story/ftc-lawsuit-over-hotel-chain-data-breach-can-proceed/2014-04-14
• Data breach roundup
  • Michaels [yes, again] - http://www.business-standard.com/article/news-ani/leading-us-art-store-admits-2-6-mln-credit-cards-at-risk-of-hacking-114041800569_1.html
  • South Carolina data breach is getting costly (for tax payers) - http://www.therepublic.com/view/story/396a4be862cd485e9248cab7879a3a71/SC--Hacked-Tax-Returns
  • Hard drive maker LaCie was a victim ...for over a year - http://www.techtimes.com/articles/5672/20140416/lacie-latest-victim-data-theft-ironies-hard-drive-manufacturer-hacked.htm
  • [UK] Cosmetic surgery group hacked, blackmail ensues (yikes!) - http://www.dailymail.co.uk/news/article-2604805/Cosmetic-surgeons-targeted-hackers-personal-details-500-000-people-enquiries-clinic-stolen.html
  • Pittsburgh's UPMC hacked, sees 788 fraudulent tax returns as a result - http://www.witf.org/news/2014/04/27k-upmc-worker-hit-by-data-breach-788-by-fraud.php

In this episode

• Advanced Threat Actors - more or less a threat right now than before? (how much is hype?)
• Advanced Persistent Threat - is it really THAT advanced? (a "what" or a "who"?)
• The distinction of what "APT" is ...and isn't
• Touching on Mandiant APT-1 ...hype from reality
• A quick discourse on corporate espionage!
• How we respond to APTs ... is this just really "incident response" for a boogeyman?
• The snake oil salesman behind "Automated APT defense"
• Threat Intelligence - necessary, but what's the proper use?
• Threat Intelligence requires collaboration, how do we do it?
• Is our security failing, or is our perception of what we want it to do wrong?
• Key take-aways for the enterprise professional

Guests

• Steve Santorelli ( @SteveSantorelli ) - Manager of outreach at Team Cymru
• John Pirc ( @jopirc ) - CTO of NSS Labs
• J. Oquendo ( @advancedthreat ) - veteran threat researcher
• Robin Jackson ( @rjacksix ) - veteran threat researcher, forensics expert at HP Enterprise Security Services

Topics covered

• WindowsXP is officially, for real, definitely end of life - http://windows.microsoft.com/en-us/windows/end-support-help
• Google Nest pushes update - examining the bigger picture - http://www.theregister.co.uk/2014/04/04/nest_waves_goodbye_to_alarm_switchoff_feature/
• South Carolina's agencies are still not any better after the massive breaches - http://www.wbtw.com/story/25149085/still-no-consistent-computer-security-plan-at-sc-agencies
• News flash - we trust the government and Internet companies less as a result of leaks - http://www.computerworld.com/s/article/9247441/Snowden_leaks_erode_trust_in_Internet_companies_government
• The two banks which filed suit against TrustWave & Target have dropped their effort...sanity apparently prevailed but there's a bigger issue here at stake - http://www.securityweek.com/banks-drop-suit-against-target-trustwave

In this episode

• Rise of DDoS
  • Where did it come from
  • What's next
  • Why does it work
  • Spoofer project
  • 3-DOS attacks
• Quantum computing
  • What is it
  • How is it different than what we commonly use today
  • What problems does it solve
  • How practical is it
• The dark web
  • Where did it come from
  • Legitimate uses, turn into nefarious use-cases
  • Alternatives, adoption and options

Guest

• Prof. Alan Woodward ( @ProfWoodward ) - Alan is not only a subject matter expert in computing, computer security and the impact technology has on business but brings to his roles a very broad range of experience in business management, technical management and project management.
  Whilst he has particular expertise in covert communications, forensic computing and image/signal processing, Alan is primarily a particularly good communicator, be it with clients, staff or investors. He is known for his ability to communicate complex ideas in a simple, yet passionate manner. He not only publishes in the academic and trade journals but has articles in the national press and appears on TV and radio. Despite the length of his experience, his hands-on ability with emerging technologies contributes significantly to the respect he is repeatedly shown when he leads teams where technology is involved.
  Alan has been involved in some of the most significant advances in computer technology and, although he continues to work in industry, he is actively involved with academia as a visiting Professor in the Department of Computing which is part of the Faculty of Engineering and Physical Sciences at the University of Surrey.
  His achievements have resulted in him rising to become a Fellow of various institutions including British Computer Society, Institute of Physics and Royal Statistical Society.

Did you catch all that? DtR is giving away a free ticket to Source Boston - if you're interested in being the lucky recipient - be the first to @Wh1t3Rabbit with "I just won a ticket to @SOURCEConf Boston courtesy of the #DtR Podcast!"

Topics covered

• The FTC jumps into the breech (pun intended) and may try and levy fines against Target, and future breach victims - http://ww2.cfo.com/technology/2014/03/ftc-urges-data-breach-penalties/ http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
• Could the Barclays Bank breach of Feb 2014 have been <drumroll> test data? Richard Bishop thinks so - http://blog.trustiv.co.uk/2014/03/barclays-data-breach-%E2%80%93-could-it-be-test-data http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
• US Commerce Dept not renewing ICANN contract, moving control to ITU - http://www.bloomberg.com/news/2014-03-15/u-s-to-relinquish-control-of-internet-address-system.html http://www.businessweek.com/articles/2014-03-17/the-u-dot-s-dot-ends-control-of-icann-gives-up-backing-of-the-free-speech-internet
• With Microsoft officially, and finally, stopping support for WinXP (after 14yrs!), is there a "breach crisis" around the bend? - http://www.pcmag.com/article2/0,2817,2455206,00.asp
• Microsoft can read your Hotmail/webmail ...so can Google, Apple and Yahoo! hype or crisis? - http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy
• (bonus) "eGovernment" is something many governments globally and locally are moving ahead with - is this rainbows or rain clouds? I joined Discover Performance Weekly to briefly discuss - http://youtu.be/bAfP-jc0x6Q

In this episode

• what is the promise of automation, and where did we go wrong (or right?)
• the problems with 'volume' (of logging) and the loss of expressiveness
• a dive into 'exploratory based monitoring'
• how does log-based data analysis scale?
• baselines, and why 'anomaly detection' has failed us
• does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
• does today's 'threat intelligence' provide value, and is it really useful?
• decrying the tools - and blaming the victims
• what is machine learning good at, and what won't it be great at?
• log everything!

Guest

• Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat.
  He has been researching and exploring the applications of machine learning and predictive analytics into information security data sources, such as logs and threat intelligence feeds.
  He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algoritmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.

Topics covered

• Target CIO resigns, new central CISO and CCO roles created; but what's really going on here? - http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451 & http://pressroom.target.com/news/target-reports-third-quarter-2013-earnings
• City of Detroit employees' information (including SSNs, DoB, etc) are "at risk" because someone clicked something they shouldn't have - http://www.freep.com/article/20140303/NEWS01/303030085/Detroit-computer-security-breach
• ComiXology was [big time] hacked, but it's all good because the passwords were 'cryptographically secured' but where's the transparency? - http://www.theregister.co.uk/2014/03/07/comixologys_phantom_zone_breached_by_evil_haxxor/
• A North Dakota University System was hacked and now 290k students, employees and faculty (yes including SSNs) data is at risk ... or is it? - http://www.greenfieldreporter.com/view/story/8f909740809e48e9a5669de333418134/US--University-System-Hacked
• NC State researchers have a genius new way to detect Android malware (hint: you look for C code) - http://www.computerworld.com/s/article/9246825/N.C._State_researchers_devise_tool_that_detects_Android_malware
• The AARP (yes, that AARP) has decided that now is the time to post a bulletin to their system to teach retired persons how to make good passwords - http://www.aarp.org/home-family/personal-technology/info-2014/create-password-avoid-hacks-kirchheimer.viewall.html

In this episode

• Does is make sense, in a mathematical and practical senes, to look for 'probability of exploit'?
• How does 'game theory' apply here?
• How do intelligent adversaries figure into these mathematical models?
• Is probabilistic risk analysis compatible with a game theory approach?
• Discussing how adaptive adversaries figure into our mathematical models of predictability...
• How do we use any of this to figure out path priorities in the enterprise space?
• An interesting analogy to the credit scoring systems we all use today
• An interesting discussion of 'unknowns' and 'black swans'
• Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization

Guests

• Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Exam on July 15th, taking MOOCs, and reading at least twelve books concurrently including a 1600-pager on Python. In her free time she volunteers on the Board of Directors for SIRA (Society of Information Risk Analysts) and participates in awesome podcasts like DtR.
• Russell Thomas ( @MrMeritology ) - Russell is a Security Data Scientist in financial services, and a PhD student in Computational Social Sciences.  His focus is on the intersection of information security and business and economic decision making.  He’s “MrMeritology” on Twitter, and blogs at “Exploring Possibility Space” (http://exploringpossibilityspace.blogspot.com/).
• Bob Blakley - Bob has been in the security industry for more than 35 years.  He's led the OMG CORBAsecurity, SAML, and OATH standardization efforts, and currently chairs the NSTIC Identity Ecosystem Steering Group.  He's in the drama department at a large multinational financial institution.

Topics covered

• Apple had a "Goto Fail" failure - yes people at Apple Computer still use Goto statements in 2014 - http://www.computerworld.com/s/article/9246533/Apple_encryption_mistake_puts_many_desktop_applications_at_risk and Adam Langley's awesome blog - https://www.imperialviolet.org/2014/02/22/applebug.html
• Look out Terps, Univ of Maryland has lost 309,000+ staff members, students and faculty worth of personal information including social security numbers ... OUCH - http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
• ICS-CERT has a new report out that bemoans the Industrial Control sector's inability to detect and respond to incidents ...mainly due to <dumroll please> inadequate logging - http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516 and the report https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf
• Websense has done a massive analysis of Dr. Watson (MS Windows crash files) file and determined there is some new kind of APT, POS attack afoot - http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports-reveal-n/240166207
• Many different outlets are reporting this in various ways but consumer endpoints (at this point lots of Linksys home routers) are being infected with a new worm targetting a flaw mainly because people choose to expose their management interfaces to the outside, why? - http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/

In this episode

• Jay and Bob talk about their new book
• A discussion on using data as 'supporting evidence' rather than gut feelings
• Do we have actuarial quality data to answer key security questions?
• A discussion on "asking the right question", and why it's THE single most important thing to do
• Bob attempts to ask security professionals to use data we already have, to be data-driven
• Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
• Quick shout out to Allison Miller on finding the little needles in the big, big haystack
• We think about why security as an industry needs to start looking outside of itself to get its data - now
• Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis
• I ask whether there is a chicken and egg problem in large-scale data analysis
• Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
• Bob makes a pitch for having a "Cyber CDC" ... stop laughing
• Jay laments the absolute bonkers problems dealing with information sharing (when you don't have any to share)
• Jay urges you to "count and compare"

Guests

• Jay Jacobs ( @JayJacobs ) - www.linkedin.com/pub/jay-jacobs/3/896/4b0, Jay is currently a Principal at Verizon Business
• Bob Rudis ( @hrbrmstr ) - www.linkedin.com/in/hrbrmstr, Director. Enterprise Security, IT Risk Management at Liberty Mutual Insurance & Co-author of Data-Driven Security

Topics covered

• In the wake of the Target & Nieman Marcus breaches - is chip+pin really a priority right now, and does it solve the real problem? - http://blogs.csoonline.com/security-leadership/2977/does-chip-and-pin-actually-solve-problem-find-out-asking-these-questions
• Speaking of Target ... it turns out that 3rd parties really are a problem and still a blind spot in many organizations' risk matrices, who knew - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
• Apparently NBC News doesn't believe it's stretching the news at all, when it virtually makes up a story then gets called out by Robert Graham, hilarity ensues - http://news.cnet.com/8301-1009_3-57618533-83/sochi-hack-report-fraudulent-security-researcher-charges/
• Something bad, very, very bad just happened over at Barclays in the UK ... although jury seems to still be out on what exactly is going on; you can bet we're going to keep an eye on this - http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
• In a "You can't make this stuff up, folks" moment, the FBI is asking for malware and they're willing to pay for it; and they'll send you all the info in a .docx file?! - http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/
• Is your next new vehicle going to be part of the mesh-network which keeps cars from crashing into each other? It will if the government has it's ways - complete with wildly-made-up-sounding statistics and ridiculous news story and all (somewhere, Flo from Progressive is mad they stole her schtick)- http://www.usatoday.com/story/money/cars/2014/02/03/nhtsa-vehicle-to-vehicle-communication/5184773/

In this episode

• David discusses what it's like working for a law firm (in the UK)
• A quick wade through the UK Data Protection Act (mostly Principle 7)
• "When lawyers get to interpret the laws"
• Law firms as targets for data breaches
• The new regulations in the UK, fines between 2%-5% of your REVENUE? Ouch.
• Defining "adequate measures" in regulations
• A brief chat on fines, regulations, and risk management
• I trail off on a Princess Bride quote, and get ranty on "risk"
• Dealing with personal devices, public WiFi to work and security
• James asks the inevitable question on training
• Good vs. "best" practice
• Your security as a competitive advantage. really.

Guest

• David Prince ( @riskobscurity ) - A dedicated and well-respected Technical Information Security Professional with several years’ experience and demonstrated success leading information security initiatives, in a variety of organizations. Initiatives which are in direct support of business-objectives to maintain the confidentiality, integrity, and availability of organizational assets and improve business efficiency, and effectiveness.

Special thanks to Michael Santarcangelo ( @catalyst ) for stopping by the show and guest-hosting with James and I! We had fun, and I think you'll all enjoy Michael's perspective and humor.

Topics Covered

• Nieman Marcus breach - all new, same as before, or is it? - http://www.wired.com/threatlevel/2014/01/neiman-marcus-hack/
• Coca-Cola loses laptops ... sort of ... but no worries, no evidence of wrongdoing - http://www.ajc.com/news/business/coca-cola-tells-thousands-of-employees-of-security/nc2NB/
• Breach over at Microsoft, law enforcement documents "likely stolen", but what does that really mean? - http://www.pcworld.com/article/2091480/microsoft-says-law-enforcement-documents-likely-stolen-by-hackers.html
• The (San Jose) police want to use your home surveillence system cameras, I'm not kidding - http://news.cnet.com/8301-17852_3-57617809-71/police-want-to-use-your-home-security-cameras-for-surveillance/

In this episode

• Did the Target/Neiman/? breach finally create a catalyst for change?
• The card system, payment processing infrastructure clearly wasn't designed with defensibility in mind ... who should be changing that?
• Are today's fraud rates finally getting high enough such that card processors, issuers, banks need to depart from the status quo?
• Are the days of "zero fraud liability" to the end consumer coming to an end?
• What about chip & pin? Is the risk less?
• What kinds of pains will the industry go through to make security on payment systems better?
• How is the commercial payments industry different from the consumer?
• Do end users of credit accounts ultimately care about breaches?

Guests

• Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States
• Alfred Portengen - ( @alfredportengen ) - Alfred has a deep bredth of experience in architecture and security specialty within a multi-national banking organization, he is based in the Netherlands

I can't believe it's 2014 already, and we're rolling through our 3rd calendar year! As we grow and you "regulars" mount, James and I want to thank you for listening, bookmarking, sharing and talking about the podcast. Your patronage has really made a us smile, and you're the reason we do this.

Topics covered

• Reuters: Retail community may be ready for a change in the payment card system and processes - http://uk.reuters.com/article/2014/01/13/uk-target-databreach-retailers-idUKBREA0B01A20140113
• More Snowden fallout: French/UAE Intel satellite deal may be scuttled because of US-made components - http://www.defensenews.com/article/20140105/DEFREG04/301050006
• Ransomware CryptoLocker's uglier, meaner cousin now available for $100... look out! - http://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/
• Schneier: "The Internet of Things" is very vulnerable ...and there's no good way to patch it all - http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
• Lawsuit filed in the "FaceBook reads my private messages" case - http://money.cnn.com/2014/01/03/technology/facebook-privacy-lawsuit/

In this episode

• Chris Wysopal - who is that masked man?
• Putting some reality to the state-sponsored backdoors (Huawei) and supply-chain compromise
• The risks coming through the door with the products you buy
• The case for setting up an independent testing lab for mitigating 'backdoor' accusations
• Chris does an interesting assessment on software security practices in the enterprise
• Chris discusses holding your vendor to the same standards you hold yourself
• What does it mean that enterprises are doing a "good job" in SwSec
• Chris goes there, open-source components as part of supply chain risk
• James asks "How do smaller buyers leverage scale to hold their suppliers accountable?"
• Why do we still see SQL Injection?! Are we ever going to get rid of it?

Guest

• Chris Wysopal ( @Weldpond ) - Chris is the Founder, CTO and CISO of VeraCode, a company dedicated to software security as-a-service. Chris has a long and storied history in the security industry dating back to L0pht Heavy Industries. His bio and profile can be found on LinkedIn.

In this episode

• Will gives us a lay of the land on the state of "state sponsored" and advanced threats
• We discuss collective advances in malware
• We discuss the persistence of 'old' malware, and code re-use
• We discuss enterprise defense and strategy
• Will gives us some wisdom from his experiencein helping clients defend themselves

Guest

• Will Gragido ( @wgragido ) - Will is currently a senior manager in the Threat Research Intelligence organization at RSA NetWitness. Will is an information security and risk management professional with over 18 year’s professional industry experience, Mr.Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr.Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. You cn get more information on Will on his LinkedIn page.

Hello! This is a special episode in that it's our year-end wrap-up. We bring together 3 of the industry's best to talk about the year that was, the things that made were on your mind, and maybe give us a hint at what is to come...

Guests

• Will Gragido ( @wgragido ) - Will is the Sr. Manager of threat Research Intelligence for RSA NetWitness and a lightweight with the cold medicine.
• John Pirc ( @jopirc ) - John is the Vice President of Research at NSS Labs, with very strong hair.
• David Marcus ( @DaveMarcus ) - David is the Director and Chief Architect of the Federal Advanced Program Group at McAfee and a kettle bell monster!

Notably absent, but invited, were Dave Lewis ("fell asleep") and Dave Kennedy ("was on an airplane") ...apparently because I thought it would be fun to invite every Dave I know....... but seriously next time guys :)

James and I would like to wish all our listeners a very merry holiday season, and a happy, healthy and prosperous 2014.

Folks, if you work with, design, or implement embedded systems this is one episode you don't want to miss. Fair warning, it's a little bit long at just over 50 minutes total. I hope you find the extra time worth the effort of listening, I know we sure did!

In this episode

• The quirky things that Josh's organization gets to work on and deconstruct
• The methodology of breaking foreign things
• Android and why it's "horribly interesting" beyond just the OS everyone sees
• Hacking Android at the very, very, very basic hardware interface(s)
• Copy/Paste software development and it's pitfalls
• Embedded devices as pivot points for intrusion
• The importance of embedded systems, and why no one is writing secure code (still)

Guest

• Josh Thomas ( @m0nk_dot ) - Chief Breaking Officer for Atredis, Security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware / software barrier and rarely have a UI. m0nk has spent the last year or two digging deep into Android and iOS internals, with a major focus on both the network stack implementation and the driver and below hardware interfaces. He uses IDA more frequently than Eclipse (and a soldering iron more that both). His life dreams are to ride a robot unicorn on a moonlit beach and make the world a better place, but mostly the unicorn thing...

Special thanks to Steve Ragan ( @SteveD3 ) for sitting in this morning and providing his perspective as a journalist.

Topics Covered

• "Leaked" FBI memo to government agencies says "there's a hacking spree on government websites, and it's Anonymous!" (we have to chuckle, a little) - http://www.theregister.co.uk/2013/11/18/anon_us_gov_hack_warning/ , http://www.thewire.com/national/2013/11/fbi-anonymous-hackers-stole-over-100000-employees-information/71675/
• Fokirtor is a very interesting new piece of malware that targetted Linux systems, but by slipping into SSH comms - http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/ ( and a related piece of malware - http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices )
• The Healthcare.gov website is a case study in how not to release a web app, or complex system; and it's not even a partisan issue anymore - http://arstechnica.com/security/2013/11/healthcare-gov-targeted-by-more-than-a-dozen-hacking-attempts/
• Ahead of the G20 meeting to be held there in 2014, the city of Brisbane, Australia performs a penetration test on their physical city infrastructure, finds major flaws. A plot from "The Italian Job"? - http://www.qao.qld.gov.au/files/file/Reports%20and%20publications/Reports%20to%20Parliament%202013-14/RTP5Trafficmanagementsystems.pdf
• [Scary] Renesys says someone is hijacking the Internet ... but is it on purpose, or just mistakes? (Does it matter?) - http://www.nbcnews.com/technology/wheres-your-data-going-hacks-redirect-traffic-through-distant-lands-2D11624570
• A new piece of software quietly turns you into a bitcoin mine for the developer (and you agree to it in the EULA!) - http://www.networkworld.com/news/2013/120213-sneaky-software-turns-your-pc-276490.html?source=nww_rss

I want to thank Carolyn Kopprasch and the @BufferApp team for getting back to me, and agreeing to not only join the podcast, but also field questions from "anyone" ...what a cool group of people!

In this episode

• Carolyn gives us some of the insider's perspective on what really happened, when Buffer got hacked
• Carolyn and I discuss triage methodology, and how Buffer's small team responded
• In-depth conversation on the communications strategy and implemented plan to be totally transparent
• We discuss that point where it's time to "shut it down" and the need to have the ability and information to make the decision Buffer's team did when they shut down the service temporarily
• Carolyn talks about some of the non-typical ways that her team detects potential security issues
• Caroly dispenses some solid advice for anyone in a small shop that may be operating ultra-lean
• Finally, Carolyn and I talk about software security and what role it (or the lack thereof) played in the Buffer incident

Guest

• Carolyn Kopprasch ( @CaroKopp ) - Carolyn is currently Buffer's "Chief Happiness Officer". Her role is to make sure that Buffer's customers are, in fact, happy. Also she has a web presence right here: http://CaroKopp.com

Links!

• Buffer's communications page: http://open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/

I'm back! Maybe a little sleep-deprived and a tad grumpier than usual, but back to talk news!

Topics Covered

• Microsoft unveils the new Digital Crime Unit, and it is quite the statement - http://www.darkreading.com/attacks-breaches/microsoft-unveils-state-of-the-art-cyber/240163924 http://www.microsoft.com/en-us/news/presskits/dcu/
• CME Group hacked, claims platform and trades unaffected ...let's hope so - http://www.businessweek.com/news/2013-11-15/cme-group-says-its-computers-were-hacked-no-trades-affected
• Jeremy Hammond, Chicago's very own romanticized criminal - http://www.nbcnews.com/technology/hacker-tied-anonymous-gets-10-years-prison-cyberattacks-2D11603760
• The FBI says there's a "hacking spree" on government webites by Anonymous hackers. You don't say ... - http://arstechnica.com/security/2013/11/fbi-warns-hacking-spree-on-government-agencies-is-a-widespread-problem/
• There's an apparent zero-day in vBulletin, and it's serious enough that Def-Con's forums were taken down pro-actively ... - http://www.computerworld.com/s/article/9244109/Hackers_use_zero_day_vulnerability_to_breach_vBulletin_support_forum
• If you use SnapChat to send questionable selfies hoping they'll just evaporate...you're in for a bad time - http://www.sidhtech.com/news/snapchat-android-hack-iphone/10024107/

In this episode...

• We revisit some of the topics Eric & I talked about nearly 2 years ago at ISSA International, Baltimore.
• Eric discusses the paradigm shift that needs to happen in security
• We talk about shifting resources (in the defensive) from "everything" to something more reasonable
• Eric and I discuss how CISOs must re-allocate resources to survive in a post-breach reality

Guest

• Eric Cowperthwaite ( @e_cowperthwaite ) - Vice President, Advanced Security and Strategy at CORE Security, a Boston-based security vendor. CORE is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company's innovative security research center.
  
  Eric was formerly the CSO of Providence Health & Services, a healthcare delivery organization with $12.5 billion in revenue, 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA. 

Hey all - Raf here and I wanted to thank James for flying solo as my wife and I celebrate the brith of Niccolai and Isabella our new twins! I'll be back in our next episode...

Topics Covered

• The buzz over calling yourself a 'hacker' - http://www.theguardian.com/technology/2013/oct/24/hacker-computer-seized-us-open-source (Raf's note - I personally think the way this has been spun is largely to gain clicks/readers, it was very well analyzed here - http://theprez98.blogspot.com/2013/10/omg-call-yourself-hacker-lose-your-4th.html
• A follow-up on Dick Cheney's pacemaker paranoia - http://www.dotmed.com/news/story/22298
• Big name limo service hacked, discloses info on big-name clients - http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
• Look out, hackers may be targeting SAP users - http://www.computerworld.com/s/article/9243727/New_malware_variant_suggests_cybercriminals_targeting_SAP_users?taxonomyId=17
• Java patching lagging, attackers exploiting, story at 11 - https://www.securityweek.com/java-attacks-jump-user-patching-lags-kaspersky-lab
• It just got real. Real 2010, that is, as Yahoo unleashes bug bounty program - http://www.tripwire.com/state-of-security/top-security-stories/yahoo-unleashes-new-bug-bounty-program/

Special thank you to the US District Attorney's office for the Southern District of California for a fantastic interview and for letting us pick Sabrina's mind for the podcast... 

In this episode...

• Hackers, carders, and the disturbing trend of them pairing up with the traditional mafia
• The challenge of VPSes in cyber-crime
• Evangelizing the truths about cyber-crime to businesses, average person
• An insight into the way that 'bad guys' specialize in the criminal underground
• An insight into (bottom-up) investigative models available to law enforcement, as it pertains to hackers
• Are cyber criminals fleeing or hacking from non-extradition countries?
• The delicate dance of involving the government in a hacking or breach case
• Seeking the white whale - an organization that hasn't been breached (yet)
• 3rd party data sharing and your privacy - do you have any left?

Guest

• Sabrina Feve - Sabrina is an Assistant US Attorney (AUSA) for the Southern District of California, specializing in hacking and cybercrime cases.

In this episode

• We get a peek into the first member of English Royalty that we've ever had on the podcast
• Baroness Neville-Jones discusses the difficulties in cybersecurity at the government level
• We discuss the challenges of policy, compliance and implementing real-life security
• The Baroness discusses her efforts to raise both the awareness and collective security of business
• The Baroness discusses a bit about critical infrastructure protection
• I ask the uncomfortable question in the wake of the Snowden disclosures - privacy vs. security...

Guest

• Rt Hon Baroness Neville-Jones - Baroness Neville-Jones is a long-time political figure in the UK Parliament, House of Lords. She recently retired from public service and now focuses on the public-private partnership for cybersecurity in the UK. She has an amazing history and rather than try to summarize it here, I simply point you to her biography page at http://www.conservatives.com/People/Peers/Neville-Jones_Pauline.aspx

Thanks to Josh Corman for joining us this morning ... always nice to have Josh's experience and brain power on the show.

Topics Covered

• Gargantuan Oracle CPU (Critical Patch Update) including -51- Java security fixes! - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
• Huawei calling for "independent cybersecurity assurance lab" framework, an interesting but difficult thing - http://www.informationweek.com/security/application-security/huawei-proposes-independent-cybersecurit/240162840
• Dick Cheney, fearing an assassination attempt, had wireless pacemaker removed in 2007 - http://www.theguardian.com/world/2013/oct/19/dick-cheney-heart-assassination-fear
• Chesapeake hospice suffers breach, but there's a lesson in the tragedy - http://www.hispanicbusiness.com/2013/10/19/hospice_of_chesapeake_shut_down_computer.htm
• NPI research shows companies will overpay $10.1 billion for IT security solutions in 2013, worse in 2014 - http://www.prweb.com/releases/2013/10/prweb11239951.htm
• Minor Verizon security bug, issues with coordinated disclosure, fix timelines, and the much bigger white elephant in the room - http://prvsec.com/verizon-wireless-message-detail-disclosure.html

Hat-tips this week go to...

• Brian Katz ( @bmkatz ) because we borrowed your 'crapplications' example
• Alex Hutton ( @AlexHutton ) - Josh borrowed your "Alex head asplode"
• Wendy Nather ( @451Wendy ) because we mentioned your 'security poverty line' concept

In this episode...

• James and I host legitimate Polynesian royalty (a princess....) really!
• Katie gives us the skinny on Microsoft's 10 year progression to get to a bug bounty program
• We discuss the merits of bug bounties and execution in a very large enterprise
• Katie gives us as many details as she can about the recent $100,000 payout
• Much... much ... more!

Guest

• Katie Moussouris ( @k8em0 ) - Katie runs the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team to help drive crucial elements of our security community strategy effort. She is a Senior Security Strategist Lead, and let's not sell her short - she is royalty!
  She created and drove the first ever Microsoft security bounty programs (www.microsoft.com/bountyprograms). Which received 18 vulnerabilities and a new attack technique that will help Microsoft build stronger defenses that will protect the entire platform from this new class of attack.
  She serves as lead subject matter expert in the US National Body for the ISO work item 29147 "Vulnerability Disclosure", scheduled for publication in 2013, and does countless other efforts associated with the ISO standards body and various other industry groups.
   

Big thanks to the soon-to-be-regular peanut gallery ... @JoeKnape and @BeauWoods for jumping in this morning and breaking it down with James and I.

As a personal message to those of you who listen and our community - please ...remember we all live in a giant glass house, and throwing rocks is a bad, bad idea. I've said it before and I'm looking right at the media for this one (ahem...) - unless you've been in a high-stress environment and have successfully thwarted every attack, please don't go trying to personally attack those out there who work hard at it every day. It just makes you look like an idiot. Nobody wins when we name and shame and attack people personally. Remember that when it's your turn to stand in the spotlight.

Topics Covered

• Adobe got popped. Bad. ~2.9 users' information, encrypted credit card details, source code. The only thing worse than this story is the kind of media trolls it brought out... - http://www.computerworld.com/s/article/9242963/Hackers_steal_data_on_2.9_million_Adobe_customers?taxonomyId=82&pageNumber=2 and this unfortunate mess from Richi Jennings https://plus.google.com/117220625678034723010/posts/EjP4JjKFd6w
• 13 Anonymous 'members' indicted for DDoS attacks - http://www.computerworld.com/s/article/9242969/US_indicts_13_Anonymous_members_for_DDoS_attacks
• LA schools gave out "locked down" iPads. Students circumvented. Hilarity ensued. http://blogs.computerworld.com/mobile-security/22929/what-la-schools-forgot-boneheaded-ipad-hand-out
• Senior Iranian Cyber official killed (assasinated?) - http://www.matthewaid.com/post/63207233044/the-mystery-surrounding-the-killing-of-a-senior-iranian
• Proof that the fist people to get paid should be the ones who hold the keys to your doors - http://nycfreshmarket.com/ (as long as the page stands, then check out the tweet I re-posted https://twitter.com/Wh1t3Rabbit/status/387076594407575552 )

So ... does anyone actually read these? If so, let me know on Twitter? Hashtag #DtR

In this episode...

• Dave Kennedy wraps up DerbyCon 2013, and gives us the statistic you don't want to tell your management
• Dave announces the top secret guest for DerbyCon 4
• Chris & Gabe discuss risk modeling using REAL automated tools
• Gabe introduces us to his concept of using a 'big data' approach to risk modeling
• We discuss risks, network segmentation, and other things you're doing wrong

Guests

• Dave Kennedy ( @Dave_Rel1k ) - Dave Kennedy is the founder of TrustedSec, and the brain behind DerbyCon.
• Chris G ( @SecbitChris ) - Chris is one of the brains behind the SecuraBit podcast
• Gabe B ( @gdbassett ) - Gabe is an industry expert

I want to thank Mr. Josh Corman ( @JoshCorman ) for guest-commentating today's episode, and lending his expertise and industry leadership point of view.

Topics Covered

• UK's GCHQ has been using Prism (Courtesy of the NSA) to spy on you ... the revelation continues - http://www.telegraph.co.uk/news/uknews/law-and-order/10106507/GCHQ-has-been-accessing-intelligence-through-internet-firms.html
• Wisconsin trucker vs. Koch Industries, just what is a "direct loss"? - http://www.kfdi.com/news/local/Wisconsin-man-pleads-guilty-in-cyber-attack-on-Koch-Industries-223365221.html
• iPhone, fingerprint reader, #IsTouchIDHacked - http://www.forbes.com/sites/markrogowsky/2013/09/22/iphone-fingerprint-scanner-hacked-should-you-care/
• Can the FTC (and other government entities) go after companeis who fail to do reasonable security? (also, what does that mean?) - http://www.computerworld.com/s/article/9242531/FTC_lacks_data_breach_authority_says_accused_medical_lab?taxonomyId=17&pageNumber=2
• The gang that popped Bit9 is at it again, IE 0-day in the wild - http://www.computerworld.com/s/article/9242570/Security_org_raises_Internet_threat_level_after_seeing_expanded_IE_attacks

More information on The Cavalry

The talk: "The Cavalry Isn't Coming: Starting the Revolution to FSCK it all!"

The video of the more mellow, smaller BSides "warm-up before DEF CON 21" is here: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-2-the-cavalry-isnt-coming-starting-the-revolution-to-fsck-it-all-nicholas-j-percoco-and-joshua-corman

Twitter: @iamthecavalry

URL: http://iamthecavalry.org

email info@iamthecavalry.org

google group: https://groups.google.com/d/forum/iamthecavalry

Josh Corman's Bio:

Joshua Corman is the Director of Security Intelligence for Akamai.  Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges and toward emerging technologies and shifting incentives. 

A staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, co-founder of Rugged Software and was a 2009 Top Influencer of IT in NetworkWorld. Corman received his bachelor’s degree in philosophy, graduating summa cum laude, from the University of New Hampshire.

For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.

I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a serviceEpis provider, a practitioner, and 2 vendor-partners and talk real-world security... 

Episode 3 - Vikas Bhatia (CEO of Kalki Consulting) and Anton Goncharov (Managing Principal of MetaNet, LLC) - In this discussion, we just barely scratched the surface on the challenges SMEs face with integrating security into business processes and developing security solutions on a shoestring. This discussion focuse entirely on processes and the need for business integration and insight - and is likely the starting point for many further conversations to come.

For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.

I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a serviceEpis provider, a practitioner, and 2 vendor-partners and talk real-world security... 

Episode 2 - Wasif Shakeel, Program Director Information Security, General Dynamics - Wasif and I discovered that we have entierly too much in common, and talked about the need for a sane, process and measurement approach to security and handling the "needle in a haystack" problem many Security Operations Centers are faced with.

For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.

I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a serviceEpis provider, a practitioner, and 2 vendor-partners and talk real-world security... 

Episode 1 - Ian Beckford, Senior Product Manager, TELUS Security Solutions - Ian and I had a lively discussion around the service-provider use of the analytics and network security devices (currently ArcSight and TippingPoint) to provide customers with security solutions which benefit them, while remaining cost effective.

In this episode...

• Mike explains once and for all how the BSides namesake came to be
• We talk about how the industry has evolved over the last 10+ years
• Mike dispenses a little of his philosophy on how to better the industry
• We talk burnout and why it exists, and possibly how to get through it

Guest

• Mike Dahn ( @MikD ) - Mike Dahn is one of the original co-founders of the Security BSides conference many of you have attended, spoken at, or heard of. In addition to that, Michael Dahn is an information security and organizational design strategist responsible for the management of data strategies, project engagements, and cost modeling. With over 12 years of information security experience, Mr. Dahn has managed teams of 50 people and budgets of up to $30m annually for Fortune 500 companies. Today he focuses on leading mobile security strategies and industry relations.
  
  He is an industry leader in regulatory compliance issues who previously worked for Visa, Pricewaterhouse Coopers, and Verizon Business, created PCI training for and trained over 10,000 assessors, merchants, and vendors globally. He contributes regularly to the continued development of the global PCI guidelines.
  
  During his tenure Mr. Dahn has presented to a variety of financial and banking associations (FDIC and NCUA), including regulatory bodies such as the PCI Council, and information security groups on topics including mobile security, compliance, information security programs, auditing and network security, and computer hackers. He has been published in several news articles and TV spots on information security.

Today I had the pleasure of sitting down with one old friend, and one new. As a speaker at the HTCIA International conference, and the CISO Summit - I had the opportunity to gain some valuable insight, meet lots of excellent leaders, and force some new relationships. As a wonderful side-effect I had the pleasure of sitting down with Mike Murray of Mad Security, and Vince Skinner an attendee of the conference and security leader of his enterprise.

We talked about a range of topics from history of the information security industry, to our experiences and the current lack of direction and strategy in much of the enterprise space. We also discussed some topics that dated us quite a bit ...so don't judge!

Guests

• Mike Murray ( @MMurray ) - Mike is the co-founder of Mad Security, an industry veteran and mentor, and an all-around fantastic friend.
• Vince Skinner ( @SkinnerVince )  - Vince is the Informatino Security and Business Continuity Manager, AVP of D.A. Davidson & Co.

I want to thank our guests - Beau Woods and Joe Knape for joining us this morning. It was great to have these two well-versed commentators on the show ...vote with your downloads folks - if you want to make this a regular thing leave us a comment!

Topics Covered

• RedHack 'hacks' Turkish police website, stops border traffic? - http://www.hurriyetdailynews.com/redhack-hacks-turkish-police-website-as-border-traffic-grounds-to-a-halt.aspx?pageID=238&nID=53904&NewsCatID=341
• A few thoughts on the NSA/Crypto from Matthew Green's blog - http://blog.cryptographyengineering.com/2013/09/on-nsa.html
• The FTC settles with TRENDnet (the webcam shouting obscenities at the 2yr old story) - http://www.bostonglobe.com/business/2013/09/04/ftc-settles-complaint-over-hacked-security-cameras/uYjAuRcb4uCz51Zt1HSGbP/story.html
• Citi ordered to pay $10.86/record, more harm than good - http://www.infosecurity-magazine.com/view/34328/citi-ordered-to-pay-55k-to-connecticut-over-2011-data-breach
• NY Times hacked (again) but this time it's DNS ...DNS is baaaaack - http://www.thestreet.com/story/12020336/1/new-york-times-website-hacked-in-likely-malicious-external-attack.html
• "This is why we can't have nice websites" - http://www.reddit.com/r/PHP/comments/1l7baq/creating_a_user_from_the_web_problem/

Other Links

• FTC FAQ (Thanks to Beau Woods) - http://business.ftc.gov/documents/bus35-advertising-faqs-guide-small-business

Every once in a while this podcast has a guest who makes us truly feel blessed to be doing this - Rob Dubois is one of those people. If you don't know anything about Rob, go read his website, listen to this podcast and check out his book. He is a real American hero, a fantastic human being, and a true patriot. On behalf of James and I - I want to extend a hearty thank you for the time Rob spent, and wisdom he's imparted.

In this episode...

• Rob Dubois on being a 'badass'
• the parable of the blind wise men and the elephant
• be reachable and teachable (be a RAT)
• the collision of boots, bits, and threats
• the arrogance of security professionals are a weakness
• fail early, fail often - learn from it
• why plans are useless, and planning is essential
• a George Carlin quote, and a "The Office" reference
• a brutal lesson from PoW training

Guest

• Rob Dubois ( @RobDubois ) - Rob is currently best-known for his book "Powerful Peace - A Navy SEAL's Lessons on Peace from a Lifetime at War". I can't possibly do Rob justice but to call him a true, powerful, "badass"... check him, his book, and his powerful message out for yourself on his blog SEAL of Peace.

Since James is out this week with something called "work", I've pulled in two friends (affectionately known as "The Joshes") Josh Marpet and Josh C. Big thanks for these fine gentlemen for stepping in and co-chairing this Monday morning quarterback session... I hope you enjoy!

Topics Covered

• Fraudsters target "wire payment switch" at banks to steal millions - http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/#
• Insurer to Schnucks: We won't pay for lawsuits related to your breach - http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/#
• NASDAQ has a "technical glitch" ... halts trading in the middle of the day - http://www.eweek.com/security/nasdaq-trading-halted-by-technical-issue/
• Apple App Store infiltrated by researchers' Jeckyll malware - http://www.nbcnews.com/technology/apple-app-store-infiltrated-researchers-jekyll-malware-6C10945771
• Hacker takes over baby-monitoring IP cam, shouts obscenities... world put on alert - http://www.bbc.co.uk/news/technology-23693460

Other links

• Link to the now-defunct'ish "CamWar" maintained by @Viss - http://atenlabs.com/camwar/
• Josh Brashars' talk at BayThreat 2011 was called "Inagada Davida (Or, Scary **** on Cellular Modems)"

In this episode...

• Rob gives us a little history lesson
• Rob keeps going on the history lesson, IDS, open vs. closed circuits
• We discuss "defense in depth" from back-in-the-day
• James re-introduces us to the "security onion"
• Rob talks about "programming for super-high-speed" and scale
• Constructing things to truly "build scalability in"...
• Designing networks as a front-end vs. back-end architecture
• Rob points out that network diagrams are always wrong

Guest

• Robert Graham ( @ErrataRob ) - No, this is not Robert Graham the clothing designer, this is Robert Graham the guy who pioneered the IDS. In Robert's own words ... "I am a well-known security research (aka. "white-hat" hacker). I created the BlackICE personal firewall in 1998. I invented the first network intrusion prevention system (IPS) "BlackICE Guard" in 1999, which is now sold as "Proventia" by IBM."

Topics Covered

• The trash bin that stalked me (seriously, only in London) - http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/ and a follow-up as we recorded today: http://www.bbc.co.uk/news/technology-23665490
• No data breach in Indianapolis, after laptop stolen/recovered - http://www.theindychannel.com/news/call-6-investigators/state-no-data-breach-after-stolen-laptop-traced-to-indy-home
• DDoS blackmail in Manchester (UK) FAIL - http://www.manchestereveningnews.co.uk/news/greater-manchester-news/two-held-over-attempted-blackmail-5680548
• US national health push ("Obamacare") falling behind on security testing...who's surprised? - http://au.news.yahoo.com/technology/news/article/-/18390597/obamacare-months-behind-in-testing-it-data-security-government/
• Weird password 'feature' in Chrome... - http://blog.elliottkember.com/chromes-insane-password-security-strategy

In this episode...

• Dave reminisces a bit...
• Dave discusses 'digitall signed malware' and that it means
• We discuss whether it's true that 'all networks are compromised'
• We discuss consumer-grade vs. corporate-grade threats, and why they're different
• An interesting point by Dave about why enterprises aren't learning from their compromises
• We discuss customized malware, with specific and targeted payloads for specific systems
• Dave talks about whether 'compat the criminal, hire the criminal' is true

Guest

• Dave Marcus ( @DaveMarcus ) - Dave is currently the Chief Architect, Advanced Research and Threat Intelligence McAfee Federal Advanced Programs Group. He's been around the industry for a long time, and has influenced countless numbers of researchers. He is well known as a fantastic speaker, subject-matter expert and generally a badass, and I feel lucky enough to call him my friend.

Ladies and gentlemen, we are over the 50 episodes mark!  If you've enjoyed the podcast, please go rate us in the iTunes store, or leave us a note here. Have you checked out past episodes?! There are some gems in there, I promise, and worth your time.

Topics Covered

• Charlie Miller and Chris Valasek demonstrated (and will disclose code to) the hack which allows complete (tethered) remote control of a modern vehicle. You need to watch this video, and if you develop code for transport vehicles and aren't thinking about securing your code - it's time to adjust course before you actually kill someone - http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and this is how the UK 'muzzled' a researcher who did something similar - http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/
• Apple demonstrates how not to do breach disclosure, while Ibrahim Balic demonstrates how to jump into the spotlight (and put foot in mouth before thinking) by disclosing, video-recording, and telling the world of his 'ethical test' of Apple's forums - http://www.news.com.au/technology/ibrahim-balic-breaks-silence-on-hacking-apple-developer-site/story-e6frfro0-1226684484916 and http://gigaom.com/2013/07/22/researcher-comes-forward-to-claim-responsibility-for-intrusion-on-apple-developer-site/
• After many years on the run Russian super-hackers involved in the biggest breach of all time are caught - because they broke the first few rules of hiding - http://www.reuters.com/article/2013/07/26/us-usa-hackers-creditcards-arrests-idUSBRE96P02Z20130726
• Exciting news for those of you who are sick of Android App Developers' over-reaching nature in the permissions arena, with the release of 4.3 there is a glimmer of hope in reigning in those games that for some unknown reason require access to your contacts and 'premium services' and such - http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/

Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment.

/Wh1t3Rabbit

In this episode...

• We try and discuss 'defense in depth' on the geopolitical scale
• @packetknife drops the truth about 'geopolitics experts' in InfoSec
• Ali explains navigating the undocumented security requirements in emerging markets
• We talk about whether all this stolen data from enterprise has actually made a difference
• Ali discusses the 'western sense of intellectual property' (eye-opening!)
• Deperimeterization - why #InfoSec must adapt this RIGHT NOW, but seems allergic to it
• Ali drops 'lawfare' on us - and why #InfoSec must know its options
• Wwe discuss why people 'generally just don't get it' when it comes to moving to triage over 'secure'
• Ali decides he wants to be Frank, or is that frank? :-)

Guest

• Ali-Reza Anghaie ( @PacketKnife ) - Ali is a resident expert (or as much as one can be) on geopolitics from his unique background, experience and perspective. He's a well-known figure in the community and has deep insight into the things that most of us read in the media, and pretend to understand. He's the perfect guest for Episode 50!

Topics Covered

• 9 Years After Shadowcrew, Feds Get Their Hands on Fugitive Cybercrook
• http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest
• vBulletin Forums compromised (~15-~150k) to serve malware
• http://news.softpedia.com/news/Around-150-000-vBulletin-Forums-Compromised-Abused-to-Serve-Malware-366442.shtml
• America's EAS (Emergency Alert System) is open to compromise (still)
• http://www.wired.com/threatlevel/2013/07/eas-holes/
• Mobile malware up 614% y/y says Juniper, but mostly Android
• http://www.computerworld.com/s/article/9240772/Mobile_malware_mainly_aimed_at_Android_devices_jumps_614_in_a_year
• Blue Box Security finds "master key" issue with Android - but there's more to it
• http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/

In this episode...

• We get a little insight into the mind of Tomer, and how he thinks about security
• We get an insight into what HP Software IT Management is doing to ensure security in the products they release
• We discuss making security more than just a security line-item, and a business requirement
• There are many "uncomfortable pauses" :)
• We discuss Tomer's risk-focused approach to software quality
• We ask "Is HP drinking it's own champagne?"
• Tomer gives us his feeling on DevOps

Guest

• Tomer Gershoni - Tomer is the Information Security Officer responsible for product security for a select part of HP Software known as IT Management. Previous to that he was the CISO for HP Software-as-a-Service for over 3 years based out of Yehud, Israel. Tomer has over 10 years experience in Information Security and a background in software security. He is a very interesting individual, and his public profile can be found on LinkedIn here: http://il.linkedin.com/in/tomergershoni

*Apologies for this very important episode getting out a bit late ladies and gents, experienced a loss in the family so things were a little slow to re-start, we should be back on track for next week's episode.

Topics Covered

• Political hacktivism is making a big splash in international news - 
• http://www.ilovechile.cl/2013/06/17/chile-democratic-partys-official-site-hacked/87737
• http://www.kjrh.com/dpp/news/local_news/jenks/jenks-chamber-of-commerce-website-hacked-for-second-time-within-a-month
• http://www.publicnewshub.com/zimbabwean-hackers-hailed-for-attacking-ancs-website/
• http://www.bignewsnetwork.com/index.php/sid/215436810/scat/b8de8e630faf3631/ht/South-and-North-Korea-close-website-amid-hacking-alerts
• http://www.business-standard.com/article/pti-stories/syria-s-online-troops-wage-counter-revolutionary-cyber-war-113060900065_1.html
• http://www.ehackingnews.com/2013/06/turkish-ministry-of-interior-website.html
• Google Published their epic Transparency Report data
• http://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/
• http://www.google.com/transparencyreport/
• European Union issues new data breach laws for telecommunications industry
• http://www.infosecurity-magazine.com/view/33109/eu-announces-new-data-breach-rules-for-telecoms/
• Critical vulnerabilities found in CROWD single sign-on product
• http://www.computerworld.com/s/article/9240487/Critical_vulnerabilities_found_in_Atlassian_Crowd_enterprise_single_sign_on_tool
• Facebook offers (pays!) $20,000 flaw for brilliant business-logic bug
• http://www.eweek.com/security/facebook-patches-mobile-text-vulnerability-rewards-flaw-discoverer/
• Microsoft launchges a bug bounty program, for IE11 and more
• http://www.microsoft.com/security/msrc/report/bountyprograms.aspx#
• http://www.wired.com/threatlevel/2013/06/microsoft-bug-bounty-program/
• Opera code signing certificate stolen and used to sign malware
• http://www.eweek.com/security/opera-data-breach-exposes-legions-of-windows-users-to-malware-attack/

In this episode...

• The gang discusses the issues with the rapid escalation of connectivity in modern-day industrial control systems
• What specialized skills are needed to be a SCADA or ICS hacker
• A nervous pause as vulnerabilities in ICS systems which could affect the adult beverage industry are touched upon
• Discussion on how to deal with 25 year patch cycles
• Why is it that embedded devices simply don't get patched like your other systems?
• What are the real issues with ICS systems, and why they're not getting enough attention...yet

Guest

• Mr. Billy Rios ( @XSSniper ) - In addition to being a long-time friend of mine, and one of the most knowledgable and humble people in the hacking space, Billy is currently a Technical Director and the Director of Consulting for Cylance. Billy is an accomplished web application hacker releasing an XSS tool which is currently his Twitter handle. While being a "big picture" guy, Billy also tackles some of the most complex large-scale ICS issues, and with his team works to identify and remediate threats to his clients.

This week, James is flying solo on the microphone catching you up on all the latest news and BIG stories since I'm at HP Discover, Las Vegas and Suits and Spooks in La Jolla, CA. A busy week all the way around, some pretty earth-shattering news coming out!

Topics Covered

• We couldn't be the only ones NOT covering the big NSA leak and revelations of spying and other surveillance. Somewhere in the hype, though, is the enterprise story of insider threat - http://www.guardian.co.uk/world/2013/jun/09/nsa-secret-surveillance-lawmakers-live
• Google Glass is in the news, again, this time from an enterprise perspective. In light of the slight insider threat problem revealed lately, how will Google's glasses impact security, and society in general for good or evil? - http://www.computerworld.com/s/article/9240077/Google_Glass_could_get_a_look_at_the_enterprise
• Apple made the news with iOS7 and the big "kill switch" feature, is this really a good idea that actually works or a desperate gimmick to demonstrate innovation? (especially in light of the lock screen bypass in iOS7 beta! - http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch
  http://www.forbes.com/sites/andygreenberg/2013/06/12/bug-in-ios-7-beta-lets-anyone-bypass-iphone-lockscreen-to-access-photos/
• Google noticed a significant spike in phishing traffic to GMail around the Iranian "election" (and I use that in quotes on purpose), an interesting developing story - http://money.cnn.com/2013/06/14/technology/security/google-phishing-iran/index.html
• Last but certainly not least, how about that 2+ year old Adobe Flash bug that's being exploited in Chrome to allow attackers (or just perverts) to spy on you using your webcam... creepy! - http://www.forbes.com/sites/andygreenberg/2013/06/14/two-year-old-flash-bug-still-allows-webcam-spying-on-chrome-users/

In this episode...

• We discuss the true nature of many of the security products decisions CISOs have to make every day
• Frank and Raf make very poorly thought-out sports analogies
• There are uncomfortable length of silence (mostly edited out)
• The crew discusses NSS Labs, and what they do to help the CISOs out there make smarter decisions
• "Someone" asks about anti-virus...

[ More info on NSS Labs and the two guests today can be found here: https://www.nsslabs.com/analysts and https://www.nsslabs.com/ ]

Guests

• Frank Artes ( @franklyfranc ) - Research Director Francisco Artes is a recognized information security executive who has helped form some of the motion picture & television industry’s best practices for securing intellectual property.  Artes is also know for his work with on cybercrime, hacking and forensic security issues with various federal, state and local government and law enforcement agencies such as the US Dept. of Homeland Security, the FBI, the Texas Rangers, US Marshals and several others.  Mr. Artes most recently served as Vice President, Chief Architect / Content Protection for Trace3, and as Vice President, Security Worldwide for Deluxe Entertainment Services Group. Artes has presented on six of the seven continents, serves on several boards and is a Trusted Adviser for The Security Consortium.
• John Pirc ( @jopirc ) - Research Vice President John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, “Blackhatonomics: An Inside Look at the Economics of Cybercrime” (published in December 2012), and “Cyber Crime and Espionage” (published in February 2011), Pirc has been named a security thought leader from the SANS Institute and speaks at top tier security conferences worldwide. Mr. Pirc’s extensive expertise in the security field includes roles in cybersecurity research and development for the Central Intelligence Agency, Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for Security Products at IBM Internet Security Systems, Director of McAfee's Network Defense Business Unit and, most recently, Director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. In addition to a bachelor's degree in Business Administration, Pirc holds the NSA-IAM and CEH certifications.

It's June already?! Where has the first half of 2013 gone? James and I break down the last 2 weeks of interesting InfoSec news in a short "Monday morning quarterback" style... enjoy!

Topics Covered

• Evernote adds 2-step veficication for their authentication, and follows suit with just about every other 'modern' app. Following on the hells of Twitter, LinkedIn, FaceBook, Apple and the one that started it all, Google - we're now getting multi-step authentication from Evernote. Free users not welcome ...yet? - http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
• Dropbox down for more than an hour, but it wasn't a security bug (we don't think), it's just that they had 'technical difficulty'. If you depend on Dropbox for your file synchronization services, you knew this happened - http://www.computerworld.com/s/article/9239648/Dropbox_goes_down_for_more_than_an_hour
• NIST 500-299 "Cloud COmputing Security Reference Architecture" document is released. There's a bit of irony here, as the document itself is a whopping 299 pages! - http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
• Drupal.org has been hacked, and it appears 2013 just isn't a good year for the folks over at Drupal. Apparently about 1 million accounts have been compromised/affected, and all accounts had their passwords reset - I apparently had a Drupal account I don't remember anymore and my password was reset too - http://techcrunch.com/2013/05/29/drupal-org-hacked-user-details-exposed-and-reset/
• Google changed its disclosure policy for critical issues that are actively being exploited from the standard 60 days, to 7. A week. 7 days down from 60 ... this needs more reading and discussion - http://www.csoonline.com/article/734286/google-zero-day-disclosure-change-slammed-praised
• Hackers are exploiting Ruby on Rails vulnerability that was patched this past January, so zero-day no longer applies... the lesson here is to patch in a timely fashion! - http://www.computerworld.com/s/article/9239588/Hackers_exploit_Ruby_on_Rails_vulnerability_to_compromise_servers_create_botnet?taxonomyId=17

In this episode...

• John discusses some of the foundational principles of Threat Modeling
• We talk about why threat modeling is like your time in high school
• We discuss why threat modeling is such an incredibly important tool to the enterprise
• John gives us some nuggets of his experience with threat modeling enterprise applications

Guest

• John Steven ( @m1splacedsoul ) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
  
  John is known for his in-depth work in software security, his expertise in the field of threat modeling, and his snarkcasm. If you don't follow John on Twitter or haven't attended one of the talks he's been known to give occasionally - I recommend you do so. 

Welcome to Monday, May 20th 2013 as James and I discuss the last 2 weeks' worth of Information Security news and relate it (attemptively) to your enterprise day-job. This week was a bit on the lighter side, with the quote of the year (as far as I'm concerned) winner going to the Washington State Administrative Office of the Court for ...well, you'll just have to read the rest of the show notes and listen to the podcast.

Also ... we are now on the Zune store. So ...to the 2 new Zune listeners - HELLO!

Topics Covered

• Researches at Trend Micro uncover new cyberespionage campaign call it SafeNet (in unrelated news SafeNet the security company had nothing to do with this...). Yet another cyberespionage campaign targeting users with revolutionary new technique called "phishing", and using a vulnerability in Microsoft software patched in April 2012, originating from ... <wait for it> China! -  http://www.computerworld.com/s/article/9239342/Researchers_uncover_SafeNet_a_new_global_cyberespionage_operation
• Domain registrar, Name.com hacked, customer information including potentially usernames, email addresses, encrypted passwords (just how encrypted are we talking here? ROT13? double-XOR?), and encrypted (same question as before) credit card information potentially stolen. Again, the vector of choice is this revolutionary new tequnique called ... <wait for it> phishing - http://www.pcworld.com/article/2038263/namecom-forces-customers-to-reset-passwords-following-security-breach.html
• Godzilla hacked EC-Council (this needs no explanation) - http://www.esecurityplanet.com/hackers/ec-council-hacked.html
• Four former LulzSec members (former?) sentenced for their roles in the 2011 attacks on companies such as Sony, Nintendo, News Corp, the CIA and many others. Sentences range from a 30-month prison term for "Kayla" to 200 hours of community services for T-Flow. Justice? Interested to hear what you think - http://www.computerworld.com/s/article/9239302/Four_former_LulzSec_members_sentenced_to_prison_in_the_UK
• Washington State's court system has been compromised, exposing 160,000 social security numbers and a million drivers' license numbers - basically everything you'd ever need to steal someone's identity. Luckily officials have determined that only 94 of those were definitely obtained by the attacker (what?!). Also, ridiculous quote of the year honors go to the "officials" for this: ".. officials at first believed no confidential information was leaked even though a large amount of data was downloaded from the website, the Washington State Administrative Office of the Courts said." - http://tech2.in.com/news/general/up-to-160000-social-security-numbers-exposed-in-washington-state-court-hack/872700

In this episode...

• Kevin, James and I discuss why penetration testing reports are often so worthless
• Kevin and I disagree. Then we agree, sort of.
• We discuss the major differences between the 'builder' and 'breaker' mindset, and whether they're actually different people
• Kevin gives some fantastic examples of how context and experience is critical in penetration testing
• We provide guidance no how someone can 'break into' (no pun intended) penetration testing and be effective
• Kevin gives an example of how someone can be a great penetration tester, but be of little value beyond that
• We wrap by disussing how enterprises can gain value from penetration testing- and Kevin provides an interesting strategy

Guest

• Kevin Johnson ( @SecureIdeas ) - Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub.  Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

It's another beautiful Monday (somewhere) and we've got the news of the last 2 weeks covered, and we're breaking it down for you. The news this week is, well, quite frankly kind of dark. Everything tells us we're in for a rough ride for the rest of the year, and it's only getting worse.

If I sound a little funny, it's because I'm talking through a massive sinus infection and it's making me talk funny and stuffy.  Also the recording you hear is take 2 ... I had a major technology fail so we had to re-record, with less sadness.

Topics Covered

• We are happy to report that Justin Beiber is in fact, not coming out of the closet and E! Online was only hacked by those wacky military hackers from the Syrian Electronic Army. Apparently they've been on quite the hacking spree of media outlets and even put a major - albeit brief - dent in the stock market! - http://www.nydailynews.com/entertainment/e-online-twitter-account-hacked-article-1.1335214
• The US Department of Labor was hacked, in what appears to be a very targeted 'watering hole' attack aimed at Nuclear employees. The attackers, if the stories are true, burned an IE8 0-day on this one, and of course they are Chinese - http://www.eweek.com/security/zero-day-exploit-enabled-cyber-attack-on-us-labor-department/
• Anonymous is threatening a massive attack against the White House (the political entity not the ...nevermind), Bank of America, Citibank and other targets on May 7th. Are these folks just becoming part of the 'background noise' of the Internet? Are security professionals just starting to become numb to the DDoS attacks? - http://pastebin.com/TyvAK20F
• Chinese hackers have apparently ransacked QinetiQ, a defense contractor with ties to global cyber intelligence operations, spooks,and other interesting things. Bloomberg's write-up was not kind to these guys - http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
• In the perfect illustration of the fact that insider threats are real a systems manager returned to the company he was no longer employed at and wreaked havok. Folks, there is no magic 1U box that will stop this sort of attack, be vigiland and have good auditing and processes! - http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network

In this episode...

Live (live-to-tape) from 44Con, London, England.

It's amazing, listening to this episode recorded at 44Con last fall, how little the landscape of enterprise security has changed. I took some time during the busy conference to sit down with Ian Amit and Dennis Groves to discuss Ian and my talks (which were perfectly aligned, and completely unplanned!) on the state of security in the enterprise. It's always interesting to get the perspective from 2 industry-well-known speakers and thinkers.

We discuss the topics of #SecBiz including the role of security in the enterprise, the challenges business security professionals face, metrics and why we have some of the crazy change management failures in security. We laugh, we almost start to cry - but ultimately come to the realization that we need change. Ian and Dennis and I are working on driving that change!

Guests

• Iftach Ian Amit ( @iiamit ) - Seasoned manager in the security and software industry with vast experience in a myriad areas of software (from enterprise security, through retail oriented, to end user software and large back-end systems). Highly experienced in leading marketing opportunities, and translating technical innovation into marketable concepts that increase sales and exposure. Information Security expert with vast experience ranging from low level technical expertise and up to corporate security policy, regulatory compliance and strategy. BlackHat and DefCon speaker, with vast experience in public speaking and private customer focused seminars. Founding member of the PTES (Penetration Testing Execution Standard), IL-CERT, and the Tel-Aviv DefCon group (DC9723).
• Dennis Groves - Dennis's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute. He is most well known for co-founding OWASP.

It's Monday April 22nd, 2013, and here are the topics from the last 2 weeks James ( @jardinesoftware ) and I ( @Wh1t3Rabbit ) will be talking about as we Monday-morning-quarterback the last 2 weeks in Information Security... Fair warning, we have way too many topics to fit into 20 minutes... so went a little bit longer but both feel it's well worth your time. Laugh, cry, and be informed.

Topics Covered

• Microsoft rolls out 2-factor authentication - James points out that Microsoft has rolled out authenticator-agnostic, robust 2-factor authentication... if only I could figure out how to use it? If you have any experiences with this, please share with us on Twitter, using the #DtR hashtag - http://nakedsecurity.sophos.com/2013/04/11/microsoft-look-like-being-next-with-2fa/
• Oracle dumps a 42-patch bundle - Oracle has dropped a massive patch bundle, many of these are remotely exploitable Java issues, and it's not a walk in the part for Enterprise Security folks. Also ... we chuckle a little bit about the absolutely mindless new 'shape-coded' warnings - http://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
• US and China to work on cyber security? - In what James and I both thought was a botched April Fools' joke, it appears as though China & US have come together to decide who the real vicim in this 'cyber hacking' problem is, and what they're going to do about it going forward. Are we absolutely sure this isn't a farse? - http://www.reuters.com/article/2013/04/13/us-china-us-cyber-idUSBRE93C05T20130413?irpc=932
• Hacking a plane with an Android app? - A hacker has demonstrated (at the HitB Conference) that it is possible to remotely control a plane, in the setting of a lab. James and I talk about what the implications of this are... more to come - http://www.theatlanticwire.com/technology/2013/04/no-german-hacker-probably-cant-hijack-airplane-software/64158/
• Louisville Credit card processor HACKED - Another credit card processor hacked...and the notification comes from, you guessed it, a 3rd party - http://www.wave3.com/story/21911646/louisville-credit-card-processor-hacked-card-numbers-stolen
• Hacking ring targeting...video games? - A hacking ring was uncovered by Kaspersky that has, for a number of years, been targeting video games, their source code, and other components. To What end? we discuss - http://www.gamepolitics.com/2013/04/12/kaspersky-chinese-hacking-ring-has-hacked-multiple-mmo-game-servers
• US President Obama seeks a slight increase in technology spending - Does a 2% increase (which is actually a decrease) mean anything without context? Nope... - http://www.nextgov.com/cio-briefing/2013/04/tech-spending-projected-rise-fiscal-2014/62405/?oref=ng-HPtopstory
• FCC issues fines to 2 enterprises employing cell jammers - Apparently, importing, using cell phone jammes is actually against federal law, but we already know that. The FCC came down relatively easy on these two companies... - http://transition.fcc.gov/Daily_Releases/Daily_Business/2013/db0409/FCC-13-47A1.pdf

In this episode...

• A critical discussion on the available 'cyber intelligence' reports from various vendors
• How hard is attribution in cyber space, really?
• "Alternative analysis" - why isn't it being used enough in cyber intelligence reporting?
• Discussion on 'degrees of certainty' and its apparent lack of application to cyber intelligence
• Extensive discussion on avoiding confirmation bias, critically reviewing intelligence work, and peer reviewing processes
• Kinetic responses to cyber threats and other outrageous rhetoric
• Hacking back? but hacking whom?

Guest

• Jeffrey Carr ( @JeffreyCarr ) - Jeffrey Carr is a cybersecurity analyst and expert.He lives in Seattle Washington. He is founder and CEO of Taia Global inc. He is also the founder and principal investigator of Project Grey Goose, an open source investigation into cyber conflicts including the Russian cyber attacks on Georgia, the Indian Eastern Railway Website defacement and the Israeli-Palestinian war in 2008 to 2009. He is also a government contractor who is consulted on Russian and Chinese cyber warfare strategy and tactics. [ http://en.wikipedia.org/wiki/Jeffrey_Carr ]

In this second episode of our Monday morning InfoSec quarterbacking, James and I actually got through the news items we had lined up in just about 20 minutes. I count this as a win.

Topics Covered

• Choice Escrow & Land Title, LLC vs. BancorpSouth, Inc. | At issue is the Uniform Commercial Code (UCC) as it applies to commercial entities taking "commericially reasonable methods" to secure their transactions. This one is going to have a major ripple effect, keep an eye out for further developments - http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/
• "The biggest cyber attack ever" | Or really, a DDoS feud between a known spammer (CyberBunker) and a spam fighter (SpamHaus) which actually did impact Internet traffic in Europe, but was effectively a tempest in a teapot for most everyone else - http://www.cnn.com/2013/03/27/tech/massive-internet-attack/index.html?hpt=hp_t2
• Schnuck's gets hacker by "computer code", but it's OK now | Short version of this story, be careful how hard you play up the 'reputation' angle with your business ...turns out people may not care so much - http://www.stltoday.com/business/local/schnucks-says-credit-card-fraud-source-found-and-contained/article_605469bd-db5d-5a1b-94cf-100f4eabc58f.html
• Darkleech affects huge amount of Apache servers, silently installs iFrame-based malware selectively | People who name these things come up with some of the coolest names ...seriously! Interesting story. - http://www.h-online.com/security/news/item/Darkleech-infects-scores-of-Apache-servers-1834311.html
• BitCoin wallet service InstaWallet hacked, shuts down "indefinitely" | Oh, another BitCoin tragedy as the currency suffers yet another blow to its viability as hackers target a wallet service, value bounces. - http://venturebeat.com/2013/04/03/bitcoin-wallet-instawallet-hacked/

First ...a milestone.

I want to take this time to formally welcome Mr. James Jardine, of SecureIdeas, as my permanent co-host to the podcast. James has experience podcasting as he already co-pilots the Professionally Evil Podcast, and he's witty, knowledgeable, and awesome to work with on the microphone. I ask that you all give James a warm welcome!

In this episode...

• Overview of what cyber liability insurance is and what it isn't
• We ask "Why would we need a security program, when you can just buy insurance?"
• How do [cyber] under-writers figure out how to insure you, and how much of a liability your organization and its practices is?
• The types of costs and coverages available in some of the different policies at the various carriers
• We pull on the 'reputation' thread ... again
• We try to divine the magic formula used to calculate how to calculate a 'liability' or coverage requirement
• We try and figure out how an enterprise can drive down their cyber liability insurance premiums
• Christine touches on mobility, encryption, and some interesting tidbits for the modern enterprise

Guest

• Christine Marciano ( @DataPrivacyRisk ) - Christine Marciano is President of Cyber Data Risk Managers, an Independent Insurance Agency specializing in Cyber Risk/Data Breach insurance, Directors & Officers insurance and (IP) Intellectual Property protection. Christine has over 17 years of experience working in various roles within the Insurance and Financial Services industry. Prior to establishing Cyber Data Risk Managers, Christine has held positions at CIBC Oppenheimer, Axa Advisors and Allstate Insurance Company.

Links

• Christine's Blog - http://databreachinsurancequote.com/blog/
• My 2013 Data Privacy, InfoSec & Cyber Insurance Trends report - http://databreachinsurancequote.com/wp-content/uploads/2013/02/2013-Data-Privacy-Information-Security-and-Cyber-Insurance-Trends-Report.pdf
• Christine's free weekly newsletter signup page - http://databreachinsurancequote.com/subscribe-data-breach-weekly-newsletter/

Welcome to the Down the Rabbithole NewsCast!

Join me in welcoming James Jardine ( @JardineSoftware) of Secure Ideas to the show as a permanent co-host! The NewsCast is a bi-weekly (2nd and 4th Monday of the month) release where we'll discuss the news and events of the past 2 weeks, and attempt to analyze, break down, and generally make sense of the madness of the Security industry and real world at large.

Also a big thanks to Todd Haverkos, the voice behind the hilarious intro you'll hear on this podcast, and all the others ...

Topics We Covered

• Apple's new 2-Factor Authentication went live
• Cisco made passwords weaker (whoops!) in their IOS
• The US Government struck out twice (SAM security issue, and a contractor "buys" warez)
• Celebrities get their credit info jacked
• S. Korea gets whacked with a nasty bug, wipes out 32,000 machines in one swoop

In this episode...

• We discuss "big data", what the heck it really is, and whether it's something new, something old, or something marketing made up
• Marcus does interpretive dance, and makes up new words
• Alex (shockingly) disagrees with Marcus, and actually describes 'data science'
• We hear Marcus talk about "NBS - never before seen" detection and why it's so critical
• We collectively agree (it's OK to be shocked) that "big data" is not a product
• Marcus discusses why you should be defending against the sniper
• The guests disagree on whether we have too little data, or whether we just don't know how to make it work for us
• Alex puts on a tinfoil hat ...

Guests

• Marcus Ranum ( @mjranum ) - Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is a pioneer in security technology who was one of the early innovators in firewall, VPN, and intrusion detection systems. Since the late 1980s, Marcus designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer to founder and CEO of NFR. In SC Magazine's 20th Anniversary Edition, Marcus was named as one of the top industry pioneers over the last 20 years. Marcus is currently the CSO at Tenable.
• Alex Hutton ( @alexhutton ) - Alex is the Director of Operations Risk & Governance for a very, very large financial, so he has to stay incognito. Frankly, it doesn't matter much whether he says where he works, the dude's one of the smartest people I know, and lives, breathes, and often excretes 'risk' knowledge.

Synopsis

This timely podcast is right on the heels of the US vs. Cotterman decision from the 9th Circuit Court of Appeals. One of the watershed decisions on privacy and digital law, this is an extremely important case that touches on whether government agents can take and search your digital property while crossing the border with or without cause or suspicion. Michael and Shawn give their analysis, and we get some critical information for international business travelers, as well as those of us in the security community who regularly cross the US border with sensitive, potentially encrypted or password-protected information.

Link to the original 9th Circuit Court of Appeals decision: http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf

You're not going to want to miss this podcast.

Guests

1. Michael Schearer ( @theprez98 ) - Security consultant and penetration tester by day, law student and hacker by night, proud Navy veteran, writer, promoter of civility in political discourse, Philadelphia and Penn State sports fanatic, practicing philomath, and last but certainly not least, Dad and Husband. Michael maintains a fantastic blog at http://theprez98.blogspot.com.
2. Shawn E. Tuma ( @shawnetuma ) - Partner at the law firm BrittonTuma and an attorney with a broad based business, litigation, and intellectual property litigation experience combined with his unique expertise with cutting-edge legal issues such as computer fraud, data security, privacy, and social media law. Shawn is a member of the Information Security Committee of the Section of Science & Technology Law for the American Bar Association and the Privacy, Data Security, and e-Commerce Committee of the State Bar of Texas. Shawn maintains a great resource for analysis on legal decisions http://www.shawnetuma.com.

Synopsis

Security has an interesting view on "business decisions", and in this podcast episode recorded at GrrCon 2012 in Grand Rapids, MI I sit down with some of the talent behind MISEC and we discuss #SecBiz topics of interest including the ugly phrase "it's a business decision" and why we say that. We also dive into how decisions are made, and why security and business are still often at odds on goals and acceptable 'risks'... and why our recommendations and guidance still falls on seemingly deaf ears.

We sample some of the sage wisdom of J.W. Goerlich as he runs his IT and security organization, and how he asks his security employees to think business, and put themselves into the frame of reference of the business when making decisions.

Jen Fox brings up Miller's Law, and teachs us to ask "What is that true of?" when framing discussions in the business context with non-technologists. Jen makes us think about frames of reference. She tells us that we must assume that a statement someone makes is true ... from their frame of reference and we simply must get inside their frame of reference to understand their thinking.

Steven Fox gives us a little bit of a glimpse into the government world where you can't always go sit down with the decision maker, and have to depend on your relationships, cooperation, and sometimes back-room politics to get things done.

I invite you to listen in, this is a timeless discussion that everyone should participate in.

Guests

• J.W. Goerlich - @JWGoerlich - Information Systems and Information Security Manager. Regular InfoSec practitioner, occasional speaker and writer. INTJ. #MiSec, #BSidesDetroit, #CSA, #Owasp
• Jen Fox - @J_Fox - Making security accessible to the end user. Independent consultant, biz analyst, tech-to-biz translator, and diplomat. CIPP/IT and locksport enthusiast.
• Steven Fox - @Securelexicon - I am a Security Architect at the U.S. Dept of the Treasury & Penetration Tester passionate about security as a business value and differentiator.

Synopsis

Shawn and I have been trying to get together to record an episode for what seems like forever. We first started talking about the CFAA (Computer Fraud and Abuse Act) when it was ruled that a person could not be charged as a 'hacked' under the CFAA by their employer when they accessed information improperly if the employed did not restrict that access appropriately. Shawn's expert insight here as an attorney dealing with the CFAA shines as we talk about hacking, vulnerability research, and other critical topics to the hacker culture, information security industry and security professionals.

You're not going to want to miss what Shawn has to say... I want to thank him for his time, and encourage anyone who needs the sort of advice Shawn has to give him a call, or send him a Tweet.

Guest

Shawn E. Tuma - Shawn E. Tuma is an experienced business, litigation, and intellectual property attorney at BrittonTuma who helps businesses and individuals assess, avoid, and resolve business and legal issues. Shawn has spent his career handling cases before state and federal courts alike and is well versed in both traditional and emerging areas of the law. In addition to his career-long business law and litigation practice, he has developed a niche practice as a thought-leader in emerging areas of such as computer fraud, data breach, privacy, and social media law, with a strong command of the Computer Fraud and Abuse Act. Shawn enjoys handling highly complex commercial, technological, and intellectual property matters as much as he does those that are more traditional. Shawn can be found on Twitter as @shawnetuma.

Synopsis

I sat down with Bill at ISSA International in Anaheim, CA in the fall of 2012 to discuss what it's like, and what types of challenges he faces in the fast-paced, hybrid world of security at Netflix. We talked about some of the challenges his environment faces, and more generic issues that are endemic to the evolving security landscape. It's fascinating to hear Bill's take on what the big picture items are, and how security is really in a state of evolution right now. Join us, I tihnk you'll love this episode.

Guest

Bill Burns - Director of IT Security and Networking, Netflix - Bill is a silicon valley titan, his name is associated with the likes of Infoblox, Riverbed and Netflix. Currently he's the Director of IT Security and networking at Netflix managing security in a hybrid cloud, traditional IT world, and facing some of the most complicated challenges in today's tough security landscape.

Synopsis

To kick off January on the Down the Rabbithole podcast I have Mikko Hypponen, the "malware adventurer" and Chief Resarch Officer from F-Secure Corp and we're talking about the state of malware and 'viruses' digging into the modern threat landscape and maybe digging up a bit of nostalgia from the late 90's. This is a fascinating conversation so I invite you to break out your old boot sector and COM viruses and join us for some interesting discussion!

Guest

Mikko Hypponen - Chief Research Officer at F-Secure Corp., TED speaker, and self-professed "malware adventurer". He can be found on Twitter at @Mikko

Synopsis

This microcast episode was recorded live from hackfest.ca 2012, on location in Quebec. The conference is a phenomenal success for the challenges they face (primarily non-English speaking region, small market, etc) but they've managed to attract a ridiculous amount of people to this conference, awesome speakers, and have one of the best 'War games' scenarios I've ever seen... listen to these two guys talk about how they make this happen.

Guests

• Steven McElrea (@Longferret) - contributed and supporting organizer, key cog in the hackfest.ca wheel!
• "Martin" - he's responsible for a lot of the design and infrastructure behind the War Games that were conducted here.

Synopsis

This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen!

Guest

Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.

Synopsis

LIVE from day 2 of the ISSA International conference 2012, in Anaheim, California I cornered Eric Cowperthwaite after a much-anticipated year-long wait... and we talked about his prediction that in the next 2 years many of the traditional IT employees will be employed as either business-IT resources in the enterprise, or IT-technical resources at an IT outsource or cloud provider... Eric's predictions tend to be right on the money so it'll be interesting if some of the things he advocates in this microcast come true!  Only time will tell.

Guest

• 
  Eric Cowperthwaite - Eric is the Chief Security Officer at Providence Health & Services, and a strong advocate of pragmatic security.  Eric has a long history from Army Recruiter, to outsource services delivery with EDS, to his many years of service to the ISSA and Providence Health & Services.  In addition to being a good friend and colleague, Eric has a snarky sense of humor, and tends to be not afraid of speaking his mind ... and as it turns out his predictions become reality in the near future.  Eric can be found on Twitter as @e_cowperthwaite, and on LinkedIn.

Syhopsis

When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about!  We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at last partially responsible for how long this podcast ended up being.  It's well worth the time, in my opinion, as we cover the following topics:

• Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment)
• Jim & David talk about how to do sane SQL Injection protection (bind everything!)
• David talks about some contrived ways of hacking Oracle databases, that are 'outside the business logic' and explains why validation is still important
• Jim brings up structural validation of inputs (useful white-listing)
• David brings up that his exploits from 2007 are STILL working in 2012 - terrifying
• "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection
• David talks about unconventional database forensics that identify attacks via weblogs
• Vendors have upped their game to protect applications, developers are still writing bad code
• Jim Manico "We are entering the golden age of hackers" ... does this mean better security?!
• David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers
• Jim asks "does the [development] framework of the future, consider security as a built-in?"

Guests

• Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word.  You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.
• David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.

Synopsis

This week we went free-form with two of my favorite InfoSec insiders ...people you probably follow on Twitter but can't quite place.  Here are some of the topics covered this week:

• The Apple UDID theft - what really happened, why, and what more is there to this story?
• Information vs. DISinformation...the battle for online trust
• Speaking of distrust - where do you go post-breach?
• InfoSec intelligence is a lot harder to do than just reading mailing lists and Twitter, there's a ton to this (scratching the surface)
• Change management's impact and possible salvation for IT and InfoSec
• Legacy systems and why they are the ball and chain, and why we can't nuke them
• The user ... how do we get past just hating on the user in InfoSec?

Guests

• @DarthNull - David is a mobile hacked with Intrepidus Group, and active puzzle-solver extraordinaire
• @InfoJanitor - He's a long-time InfoSec guy, working for a 'big company' ...and if he told you more than that, well ...you know.

Synopsis

Today's podcast discussion is with someone who has one of the toughest jobs in the security world... Patrick helps organizations that generate and deliver the power that runs our gadgets and critical systems that maintain life as we know it.  The power grid is not only surprisingly vulnerable due to it's age-old infrastructure, but also surprisingly resilient due to the complex nature of power distribution and generation... there's just a lot more to it than most people realize.

Patrick separates fact from fiction and goes into the pragmatic approach on national electric grid security - where we realize that it's really worse than we believed from a cyber security perspective, but better than we know because as you read this the electric grid is under constant attack, but it's still transmitting clean power.

I urge you to listen to this podcast, and then engage Patrick (@PatrickCMiller) or I in discussion... 

Guest

• Patrick C. Miller - 

President & CEO of EnergySec

Principal Investigator of National Electric Sector CyberSecurity Organization (NESCO)

Links:

• NESCO - US Dept. of Energy (DoE) Office of Electricy Delivery & Energy Reiliability - http://energy.gov/oe/services/cybersecurity/nesco
• EnergySec - A 501(c)(3) not-for-profit organization formed to support organizations within the energy sector in securing their critical technology infrastructures -  http://www.energysec.org/

Synopsis

This episode is a mini-episode recorded live from the social media lounge at HP Discover Las Vegas 2012.  It was an incredible show, where I caught up with Marc and Matt - two guys who are really from opposite side of today's deploy vs. secure coin.  Somehow we quickly dove into DevOps and picked up right where my conversation with the incomprable Gene Kim left off in episode 20.  Ironically, we discussed how to deploy faster (sound familiar?) and still get security and quality into the scope of delivery... this isn't a product pitch but it's two HP guys talking about how products impact software quality, security and overall delivery speed.

Guests

• Marc Blackmer  - Senior Solutions Marketing Manager (HP Enterprise Security Products) - Marc is a seasoned veteran of the Information Security industry with experience going back to high technician days in 1998.  Since 2006 Marc has held various technical and engineering roles at ArcSight and has come to learn the SEIM industry better than anyone I know.  Marc is one of the rare people who 'gets' how products solve actual problems.
• Matt Morgan Vice President and General Manager, HP Software Cloud and Hybrid IT - Matthew Morgan is the vice president and general manager of product marketing for the HP Software Cloud and Hybrid IT software organization, a $2.5B software business delivering solutions used by 100,000s of users to successfully define, deliver, and manage business software in a cloud and mobile world.  Matt has 20 years of experience in the Internet and IT business application industry. In his time at HP Software, he had held multiple executive roles including leading the commercialization of HP Application Lifecycle Management, launching HP's first mobile testing and monitoring solutions, and leading a shift to digital marketing operations.

Synopsis

In this episode we ask the big question of "Can security be a part of the 'build/deploy faster!' culture?"  We discuss the need to separate out high/low risk code, understanding how to deploy dormant components of the applications, proper testing strategies and branching/merging in a world where faster isn't just an ask, it's a need to stay competitive.

A huge thank you to all my guests for their time and expert insight.  The combined talent and experience of my 3 guests is something you should absolutely take a listen to, as these gentlemen really know what they're talking about - whether it's Information/Application Security, or DevOps ... this is a discussion that bridges both with expert precision.

Guests

• Nick Galbreath - Nick's Linked-In profile says he's been at 5 early to very early startups, all sold, IPO'd or huge - all dealing with massive scaling in load and large data sets.  FaceBook now owns a half-dozen of his patents on social graphs, and Google is using some of his code in Chrome!  On top of that, he's written a book on cryptography too... when he's not out building start-ups, Nick's speaking/teaching or hacking away at code to find better, bigger exploits and fixes.
• James Wickett - James is an innovative thought leader in the DevOps and Information Security communities, and has a passion for helping big companies work like start-ups to deliver products in the cloud.  He got his start in technology when he ran a web startup company as a student, and James is currently employed as a Senior DevOps Engineer working on launching cloud-based products for the Embedded Software division of Mentor Graphics.  James' bio is linked here.
• Olivier Saudan - Olivier is a software security analyst with 10 yeras experience in operations (including Information Security) and a significant development background.  He keeps his identity and employer a mystery due to the nature of his work, and the need for discretion.

Links:

• Recent podcast on DevOps with Gene Kim (part 1 [Episode 10], part 2 [Episode 20])
• Nick Galbreath's "Client9" - http://www.client9.com
• James Wickett's blog - http://blog.wickett.me

Synopsis

This episode was recorded in June '12, live from the show floor at HP Discover Las Vegas, 2012 and the talk of the town was once again DevOps.  Gene and I have had 2 prior conversations on the topic, but we're once again tackling the impact of DevOps on the IT and security relationship and overall business value.  We tip our hats to several people including Josh Corman (Rugged DevOps), David Mortman, James Wickett, Nick Galbreath and Mr. Daniel Blander for their prior contributions and supporting work on the topic.  Gene talks about some of the mechanisms we have available to us to bridge that IT Security-to-developer-to-operations gap that's holding us back from true business value.  Fun fact- studies have found that when you wake up a developer at 2am to solve an issue, problem resolution times plummet!

Enjoy the podcast, and go grab Gene's books when they're available... comments are welcome!

Guest

• Gene Kim - Gene is finishing up the third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," [highly recommended reads for any IT professional who aspires to high performance] scheduled to be published in August 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives.  LinkedIn profile, just in case you have never had the pleasure -http://realgenekim.me.

Links

• 
  Gene Kim's publisher website (mentioned in the podcast) - ITRevolution.com

Synopsis

This episode is special, not because it's more Info Security stuff, but because we take a far departure from the world of bits and bugs to the world of the pick-pocket and thief.  Sitting down with Bob Arno is a real pleasure, as he has the storytelling ability and knowledge to educate and open your eyes to a world where nothing is as it seems and anyone can be separated from their valuables.  Yes - this extends into the world of Information Security, and there are lessons to learn.

In this episode Bob and I talk about picking pockets, keeping yourself safe, and the world of criminal activity in the physical and digital world... Bob is also speaking at Hacker Halted, Miami 2012 so if you listen to this episode and are thinking about going ... there's a contest coming!  Stay tuned... and you can win an excusive, private dinner with Bob in Miami!

Guest

Bob Arno is widely known as the "World's foremost legal pick-pocket".  He's performed on stage, on television and has provided advice to travelers on how to keep from being roused... Bob is a speaker, entertainer, author, and special lecturer to law enforcement agencies. He has been profiled or quoted on NPR, CNN, MSNBC, ABC’s 20/20, The Travel Channel, The Learning Channel, Discovery, Court TV, in The New York Times, USA Today, Fortune, Kiplinger’s, National Geographic Traveler, Law and Order, and others. He has lectured for the Police Departments of Chicago, San Diego, Houston, Las Vegas, Detroit, Honolulu, Anaheim, and many abroad; for the California Tourism Safety & Security Conference, the International Tourism Safety and Security Conference, and many others; for Kroll & Associates, RSA Security Conference and Expo, and more. He taught an accredited course at the Connecticut State Police Training Academy.

Links

• Bob's main site: http://www.bobarno.com
• Amazing YouTube video - Traveling Europe (Naples, Italy) and unmasking the pickpocket tactics: http://www.youtube.com/watch?v=mUHAQnyVveg
• Travel advice from Bob Arno: http://www.justluxe.com/travel/luxury-vacations/feature-1702026.php

Synopsis

I caught up with my friend Kellman Meghu at BSides Detroit as the conference was coming to a close and we finally got to sit down and have a fun conversation about chaos, and what sorts of things enterprises can realistically do to increase security today.  We both work for vendors so we talked about "shiny blinky boxes", when things fail, and the notion of resiliency.  Fun conversation ensues ... with a random sprinkling of security buzzwords.

Kellman's famous quote is from this episode is "I can hand you this tool, and that doesn't suddenly make you any more secure than if you hand me a hammer I suddenly become a carpenter."  Wise words to live by folks, wise words indeed.  Spend a few minutes with Kellman and I, and see why he's one of my favorite people to interview.

Guests

• Kellman Meghu - Kellman Meghu is Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc., the worldwide leader in securing the Internet. His background includes over 15 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISP's in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States.  You can find him on Twitter and LinkedIn ... I highly recommend a conversation, he's a very smart guy.
  

Links

Synopsis

Greetings fans, this episode promises to be a great one with the likes of Adam Shostack starting off talking about what the whole concept of "New School Security" is all about, and how it differs from the way we've all done it for the past 15+ years.  Adam and I talked through some new interesting ideas for moving the information security community and discipline forward, and even commented on how we can start to overcome the security community's focus on 'secrecy' when things go wrong.  How do security professionals understand what the desired outcomes should be, then start to move towards implemting pragmatic approaches to move closer to those desired outcomes - because in the end it's really about business and getting it done, not about 'security'.

You will be sorry if you miss this episode!

Guest

• Adam Shostack - Adam Shostack is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security.

Links

• Adam on Twitter: @AdamShostack
• The New School Security blog: http://newschoolsecurity.com/

Synopsis

Last winter, on a frigid afternoon I got a chance to sit down with 2 of my favorite Iowa locals, Kevin and Kenneth to talk about the tenuous relationship between QA and Information Security.  Earlier in the day I had given a workshop on software security testing (of the web variety) to a ViViT user group, and with that topic and their questions/concerns fresh in my mind I settled down for a 30 minute conversation with Kevin and Kenneth ... we essentially continued the conversation from Episode 3 (please give that a listen if you haven't yet to get a background).

Some of the questions we tackled included "Which team within the software development or security organization is best positioned to test the security of applications?", and "Can Information Security ever really thoroughly test an application without the full context?" ...and much more.

Give this episode a listen!

Guests

• Kevin Riggins - @kriggins - Kevin is a veteran of the Information Security community with many years experience in vast IT systems and a quality, development and systems background as well.
• Kenneth Johnson - @patories - Kenneth has been in the Information Security field for the last six years, with five of those years working as an IT Analyst for Principal Financial Group. He graduated in 2007 with a BS degree in Information Systems Security from ITT Tech, and he is currently attending Iowa State to pursue a Ph.D in Information Assurance, with a specialization in Digital Forensics, Incident Response and Malware Analysis.

Greetings friends!  I am taking some time to do something a little out of the ordinary right now... I'm coming to you from beautiful Las Vegas, Nevada and HP Discover 2012 where the theme is Make it matter.

Rather than doing yet another blog post on how beautiful the show floor is, and how amazing the content is going to be, I've recorded a little bit of audio, about 6:30 miutes or so to give you a feel for what we're up to, what's going on, and why I'm downright giddy with excitement.

Synopsis

This episode of Down the Rabbithole microcast (~15 minutes length) was recorded live at the Ohio Information Security Summit.

Albert and Paul were kind enough to sit down with me and discuss metrics and process - and essentially what demonstrating "good security" means to an enterprise.  "Can we ever get there?"  Where is there?  Understanding the basics of security, measurement, and whether if we really do a great job, Information Security can work itself out of a job ... those are some heavy topics for a mini-podcast.  Enjoy!

Feedback is always welcome

Guests

• Paul Elwell - Security Specialist for a Fortune 500 company
• Albert School - Application Security Specialist and Penetration Tester at a Fortune 500 company

Synopsis

In this episode, streamed live and recorded for your listening pleasure, I'm joined by @SpaceRog and @Shpantzer from Security BSides Delaware.  What started out as an off-the-cuff discussion on the 'Cyber Apocalypse' quickly materialized into a much longer discussionw which dove into various aspects of infrastructure security, critical protection and even the inability to separate the physical from the cyber worlds.  Join us for a little bit of nostalgia, a little bit of knowledge and a lot of commentary from these two very smart staples of the security community.

This is one of those conversations which I barely edited... it was free-flowing, entertaining and insightful.  I hope you enjoy it!

Guests

• @Spacerog - Spacerog is one of the founders of L0pht, and founder of the HNN (Hacker News Network) way, way back in "the day"... He has a full profile here.
  
• @Shpantzer - Shpantzer is a veteran of the security industry and describes himself as "Information security and risk management consultant. Strong project manager with interdisciplinary skillset to solve complex business and technical problems."  He also writes for the "Shpantzer on Security" blog (which you should be following).

Synopsis

It's rare that I get to be a spectator at a podcast, but in this case I was listening to some of the conversations and talks being given at Chicago's very own THOTCON 0x3, and decided it would be valueable to you to get some of the conversation movers on the microphone.  We started talking about the applicability of information security conferences to your "day job", got into a discussion on "hallway con" and then went down the rabbithole on some interesting tangential topics ... and of course the fresh rap from DualCore was awesome.  I hope you enjoy the episode ...

Guests

• Georgia Weidman - Georgia is a independent consultant, penetration tester and mobile device hacker.
• Ken Swick - Ken is a security manager from the Financial Services vertical with many years experience in defending corporate networks, and bringing business value to information security programs.
• DualCore - DualCore ... what can I say - dropping raps like packets straight to your ears ... DualCore music is what you should hear.

Synopsis

In this short microcast we rap about the THOTCON 0x3 experience, why we think the Chicago community has taken off so much, and what sorts of interesting things make THOTCON, and the local hacker con here in Chicago, so attractive to people from around the world.  Yes, there is comedy involved...

Guests

• Todd - Audio genius, InfoSec luminary, pen tester ...better known to his Twitter fans as @Phoobar
• Ben - Ben is a Chicago suburban staple, first time on the microphone, otherwise known on Twitter as @Ben0xA

Synopsis

This episode I sit down with Dave Frederickon who has a unique viewpoint on cloud computing from a Canadian point of view, as well as a VP of the HP Canada business.  I pose some tough questions to Dave including "Is 'cloud' just marketing hype?" and other discussion topics and we have a good chat on the reality of cloud computing, who's adopting it and how it's changing and revolutionizing Information Technology at the pace of business.  This is another great podcast in the cloud series, and you should not miss it!

Guest

• Dave Frederickson - (Vice President & General Manager Enetrprise Servers, Storage & Networking Business at HP Canada) - Dave Frederickson is the VP of the ESSN group and is located in HP Canada's HQ in Mississauga, Ontario.  He is responsible for leading sales, pre-sales, channels, marketing and product management teams, achieving top and bottom line and market share objectives.  His role also includes responsibility for Enterprise marketing for HP and linking HP services and software.  He is a board member of Sharcnet and Schulich Corporate and Social Reponsibility.

Synopsis

On this episode of Down the Rabbithole I get the distinct pleasure of sitting down with one of Silicon Valley's top attorneys to talk Cloud Computing T's and C's ...and let me tell you this was a wild ride.  I learned a lot, including the fact that I know a famous legal court case about a tugboat captain and the use of radar ... and what all that CAPSLOCK PRINT ON SOFTWARE LICENSE AGREEMENTS means ...and so very much more.  Join me, and learn a little bit more about the legal aspects of cloud, before you find out the hard way.  This is a do not miss episode.

Guest

Mark Radcliffe [DLA Piper] - Mark F. Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing and copyright and trademark.

Leading international legal publishers consistently rank Mr. Radcliffe among the top lawyers in his profession. The respected English publishers Chambers and Partners has repeatedly named him in Chambers USA: America's Leading Lawyers for Business, and has described him as "outstanding" and "a leader in open source-related matters." Legal 500 also recognizes him, commenting: "His expertise in providing strategic IP advice, with particular specialism in open-source matters, has won him plaudits. Indeed, one client describes him as 'probably the best lawyer in his field.'"

More on Mark on his profile page: http://www.dlapiper.com/mark_radcliffe/

Summary

This 1 hour podcast was recorded live at the March 7th, Chicago Cloud Security Alliance chapter meeting, where we were fortunate enough to have a panel of attorneys discuss the issues with cloud security from a legal perspective.  I hope you find the content stimulating, if not a little bit worrisome.

Apologies for some of the flaws in the audio, but this was an ad-hoc recording and I didn't have time to clean up the taps and paper shuffling that the super-sensitive microphone picked up.

This was the first recording using the mobile Zoom H4n, and I think you'll agree it's an amazing piece of tech.

This podcast is posted as-is, and hosting is provided courtesy of HP.

Synopsis

The guest on this podcast will blow your mind ... literally.  He is none other than the "human hacker" himself, Christopher Hadnagy, who has written a book and now runs social-engineer.org.  Chris is a long-time friend of mine and an invaluable resource in the psy-ops James Bond style social engineering world.  Chris knows his stuff, and he's willing to teach you if you're willing to listen... so buckle down and get educated on social engineering background, tricks and even the 6 things your company must do to prevent being a victim of social engineering attacks.  Oh ... and let's not forget, somewhere in this episode Chris makes you an offer you can't refuse, just for you Down the Rabbithole listeners, how cool is that?  If you've ever thought about taking a class, or having your organization fortified against social engineering attacks but didn't think it was within your budget - listen to this podcast ... 

Guest

 Christopher Hadnagy - Chris, or as his friends on Twitter know him - @HumanHacker - is a fountain of knowledge on social engineering and the art and science behind corporate-level offense and defense using the human mind.  Chris has written a book called Social Engineering: The art of human hacking, and runs social-engineer.org contributing to community through teaching, speaking and writing as well as hosting a heck of a podcast on the fascinating topic of social engineering.  Chris's organization offers SE penetration testing, education and is at the forefront of social engineering tactics for the defensive good.

Links

• The official social engineering portal - Social-Engineer.org
• Register for social engineering training & services through Chris's organization here

Synopsis

I had the pleasure of sitting down with Nathaniel Dean, someone I had met through a mutual colleague's introduction, and hear about a neat concept that takes the software security program to a new level.  Interestingly enough, Nathaniel runs a red team but it's guaranteed to be unlike any red team you've probably ever worked with.  The crazy thing?  It's working.  We talk through the mechanics, psychology, and business implications of what he's driving, and how he's rollig up his sleeves and getting it done which is probably more important than anything else.

Jack in and get a 25-minute does of knowledge from someone I know you'll learn something from.

Guest

• Nathaniel Dean - Business Information Security Officer at a major financial institution.  Nathaniel has been managing and building programs in this space for a long time, and his experience shows.

Synopsis

  We were "live to tape" (as Adam says) from HP's Master the Cloud event in Calgary.  As we wrap up the road tour in the frozen city of Calgary I had the pleasure of sitting down with a comedian and celebrity, a technical expert on virtualization from HP, and the manager of Intel's advanced server technologies team.  This was a wild, off-the-rails discussion and you can really tell we were just having a good time and excited to wrap up the tour.  Great topics of discussion...

Topics covered in this episode include...

• Hypervisors and their value to cloud computing, virtualization and hacking
• Why are hypervisors critical to cloud computing?
• Will Intel build a hypervisor into the silicone?
• How robust driver stacks keep hypervisors 'safe' on the software level...
• "Raising the bar" on security (analogies of a department store)
• Virtualization of compute resources & BYOD ...slightly off the rails
• Federation of identities, and applied to social media

Special Guests

• Jake Smith (Advanced Server Technologies Manager at Intel Corp.) - Jake was a keynote speaker at HP's "Master the Cloud" tour across Canada speaking about Intel's vision for a more connected, more virtualized, and more secure Cloud Computing environment; including Intel's partnerships with HP and some of the advancements they have embarked on together.  Jake can be found on LinkedIn here: http://www.linkedin.com/in/jakesmith42
• Adam Growe (Celebrity host of Cash Cab Canada) - Adam is the host of Canada's "Cash Cab" show on the Discovery Channel.  Additionally, Adam has his own quiz show ("The Adam Growe Quiz Show") and is a recognized celebrity, accomplished comedian and emcee, and has the uncanny gift to derail any boring IT conversation! Adam can be found on FaceBook here: http://fb.com/AdamGrowe and on his own site: http://adamgrowe.com - on behalf of HP I wish to thank Adam for his presence and making us all chuckle.
• Emrah Alpa (HP TippingPoint technical specialist) - Emrah in addition to being an accomplished DJ is the Northwest Canada regional HP TippingPoint technical expert.

Links

• HP TippingPoint Secure Virtualization Framework (SVF) - http://h17007.www1.hp.com/us/en/solutions/security/svf/index.aspx
• Federation (federated identity) - http://en.wikipedia.org/wiki/Federated_identity

Synopsis

World-renowned author, researcher, speaker and founder of legendary TripWire joins me semi-live from LASCON in Austin, Texas to talk about his current project(s) [The DevOps Cookbook, and When IT Fails: A Novel], and his book Visible Ops and how this can all be applied to security in today's tough business climate.  Gene and I discuss what in the DNA of well-performing (or "agile") IT organizations, based on Gene's research and experience, enables them to not only perform better, but also serve the business faster.  These high-performing organizations all have things in common, and you may be shocked to hear it's not heaps of money, or resources, or "powerful" CISOs.  The experience was a pleasure and I guarantee you'll learn something from this podcast, and I highly encourage you to add Gene's books as a staple of your career-building library.

Guest

• "The real" Gene Kim - I am working on my third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," scheduled to be published in June 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives.  LinkedIn profile, just in case you have never had the pleasure - http://realgenekim.me.

Links

Synopsis

I sat down at the HP Master the Cloud (hp.com/go/cloud) event in Toronto, Canada to answer some Twitter-based questions, talk about the trade show, and listen to some of the fantastic things Victor and his team are working on right now in their incubator ... and it was a really great 20 minutes.  We covered the questions below (posted directly from Twitter, special thanks to all who participated) and talked about technology, the evolution of security, and how organizations can take advantage of this shift as technology turns the corner in a new operating and delivery paradigm.  Is cloud right for everyone?  Probably not.  Is cloud right in every situation?  Probably not.  This is exactly why you need to listen to Victor ... this is definitely a worthwhile way to spend 20 minutes of your time.

Questions from Twitter

1. "What's your perspective on letting the entire Internet pen test your service in a sandboxed environment?" -- HackBlat (@HackBlat)
2. Virtual processing is great, but how are we supposed to layer on data privacy? IoW - w/the "To the Cloud!" rush, why aren't there any (effective) integration patterns emerging? Lift & Drop is bad for data. -- awpiii (@awpiii)
3. How does one establish bandwidth requirements when establishing a pipe to a cloud service? -- RonService (@RonService)
4. Vendor routinely sell something not using themselves. What percentage of HP infrastructure is running in public cloud offering? -- brew_ninja (@brew_ninja)
   

Guest

• Victor Garcia (CTO HP Canada) - Victor is the Chief Technology Officer for HP's Canada business, leading the business in technology & business strategy, incubation and commercialization of new technologies, strategic alliances, and systems integration as well as business management.  Victor's LinkedIn profile is here.
  

Links

• "The security poverty line" from Wendy Nather of the 451 Group (podcast with Alan Shimel) - https://gpodder.net/podcast/securityexe-powered-by-the-ciso-group-with-alan-shimel-1/security-below-the-poverty-line-with-wendy-nather-of-the-451-group
• <Links to whitepapers Victor mentioned will be here shortly>

Synopsis

  This special episode of Down the Rabbithole is sponsored exclusively by HP Canada, and I wanted to thank them for hosting this fantastic event!  In this episode I sat down with Charlie Bess and EG Nadhan to talk about Cloud Computing.  Now, this isn't your standard cloud discussion ... no my friends, these are two of the top technologists HP has to offer from the labs and services organizations talking about the paradigm shifts in computing that "the cloud" offers.  We talk through business adoption, getting over the "it's cheaper" mentatlity, security ... and even some of the things learned here at the event in Montreal.

  What a fantastic opportunity to pick the brains of some extremely smart people, and hear their responses to one of the most difficult and rewarding business shifts in technology in the last 10 years.  You're not going to want to miss this.

Guests

• EG Nadhan - Distinguished Technologist, HP Enterprise Services
  
• Charlie Bess - Fellow, HP Labs

Synopsis

  This month's cal lkicks off 2012 with a big question - "Do security professionals follow their own policies?" ... and as we talk through this issue we discover that there are other subtleties to this question.  Does it make sense for Information Security to have separate accounts for general and administrative access?  Does a securit policy fail if it does not account for 'exceptions' to that policy - legitimate exceptions?  What about an exception policy that allows information security professionals to navigate complex policy issues and receive 'allowances' to do their jobs without being limited by the general user policy?

  These are complex questions that we tackle, and offer some guidance for ... and in the end, things aren't as simple and black-and-white as we'd all like ... you'll just  have to listen to hear the advice we dispense!

Guest

• [Co-Host] Michelle Klinger of EMC Consulting joins me to co-moderate the first SecBiz 2012 monthly call.  Michelle is currently a consultant with EMC.
  

Synopsis

This episode with Jeff was awesome, recorded at the OWASP LASCON security conference, I got a chance to sit down with Jeff in person and talk shop.  I always learn something, but in this podcast Jeff dispensed his usual wisdom in buckets, I could barely write this stuff down fast enough.  We covered the raising of the "information security table stakes", and what the last 15 years have meant to the information security profession in terms of evolution.  We went into a discussion on how information security can avoid being a cost center and feeling the traditional expansion and contraction with workload and economic times, and I learned what the phrase "it was a business decision" really means.  In case you need one more compelling reason, Jeff brought up yet another gem when he discussed how the business pushes the boulder off the cliff, then expects information security to change its trajectory mid-fall ... you're not going to want to miss this.  I had a wonderful time catching up with Mr. Reich, and you'll enjoy this podcast, that's a promise.

Guest

• Jeff Reich - (hint: it's prounounced "rich") - A solid history of developing and providing expertise and leadership on information security and all associated disciplines by integrating Managed Risk into the business in the energy, manufacturing, technology and financial services industries. Successfully created and implemented comprehensive Security and Risk Management Infrastructure for a large oil and gas company as well as four of the largest Internet and e commerce providers in their respective industries. Holds a national reputation of excellence through results, publications and presentations of value. Known for ability to hire, train and inspire high performance teams that support and help drive the core business structures. [LinkedIn: http://www.linkedin.com/in/jreich]
  
  In addition to that, I've known Jeff for a very, very long time throughout his illustrious career, and have always been amazed by his ability to dispense one-liner wisdom, like this one on a recent blog post on "The compliance hamster wheel": "I have been saying for years that simply chasing compliance is like chasing your tail.  You probably won't catch it and if you do, it will hurt."

Synopsis

  This is the first part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012.  No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012.  I hope you enjoy the podcast series if you missed it live.  In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!

Guests

• Will Gragido: In addition to being a great guy, and a personal friend of mine ...An information security and risk management professional with over 17 year’s professional industry experience, Mr.Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr.Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry.  Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
• Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta’s emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.

Synopsis

  On this edition of the podcast, Kris Herrin joins me from the ISSA International Conference to talk about his unenviable role as Chief Information Security Officer of Heartland Payment Systems during one of the most epic data breaches in history.  For those of you who didn't live in a cave - Kris and his organization turned the ship around ...not only that - this incident was used to help the organization find religion in Information Security and sound risk management practices.  Now as Heartland leads the payment industry in security - Kris talks about his ascention through the tanks to CTO, and how getting in front of the bull made all the difference.

  You do not want to miss this episode!

Guest

• Kris Herrin:  Mr. Herrin is a recognized technology and security executive with international leadership experience in large and small publically traded companies. Leveraging an extensive history of security, audit, and governance, he brings high energy and a risk-based view to delivering secure and reliable technology solutions to business problems. Mr. Herrin’s experience includes transforming traditional IT into a mature, ITIL-oriented service organization, building domestic and Asia-based organizations, and IT crisis management.

Synopsis

  My guest David Elfering (@icxc on Twitter) and I go all over the map covering various SecBiz related topic, and come up with a fantastic set of quotes including: "No matter how long you hold the light bulb up, the world will not revolve around InfoSec" and other gems.  We talk through how to present to a business group or executive, the communication and written skills required and various other topics related with bridging the business - security gap.  This is a great episode to listen to - we cover a lot of ground.

Guest

• David Elfering (@icxc) - David is the Senior Director of Information Security over at Werner Enterprises out of Omaha, NB.  David is a verteran of the IT industry providing leadership at corporate level, building and leading the security program and infrastructure for a two billion dollar, multi-national corporation. Experience at community, state and national levels with FBI Infragard, Nebraska Infrastructure Protection Council and the SANS Institute. Able to translate information security practices to business advantage. Experienced speaker, instructor and mentor. Member ISSA CISO Executive Forum. CRISC #1115272

Synopsis

  In this edition of the podcast, I sit down with Jeff Moss (@TheDarkTangent) to talk about all of the interesting evolutions currently going on in the Internet age.  As one of the people who has watched the cyber punk culture evolve from the dark culture of hacking for curiosity, through the "dot com boom" and now into mainstream business, and he has some interesting commentary on how we've evolved as a culture and a group.  We also talk through some interesting hacker vs. government regulation topics, and IPv6 of course!  Listen in, and hear all the really exciting things Jeff has to say.

Guest

• Jeff Moss (@TheDarkTangent) - In addition to being the founder of the Black Hat and Defcon hacker conferences, Jeff is now a part of the Department of Homeland Security Advisory Council since 2009.  Currently Jeff is the Chief Security officer at ICANN, the Internet names and assigned numbers authority.

Synopsis

  This is perhaps the most important podcast I've recorded to date, and probably will record for some time.  The guests on my show in this episodes are not only privacy experts, but people who deal with digital privacy every day ...and are just as appalled as I am about the rapid erosion of privacy in the modern digital age.  From 4Square to the automated toll collection system - you're being tracked when you tweet, drive, and buy discount paper towels at your local market ...and technology is facilitating the privacy you're willfully giving up.

  STOP the madness!  This episode just scratches the surface on all the different methods we're giving away our reasonable expectation of privacy, and how corporations and governments are hastening its demise.

Guests

My guests on this podcast wished to remain anonymous (lower-case A) except for their Twitter handles.  Join me in thanking them for their time, thought, and insight.

• theprez98
• grecs
• infojanitor

Links

• OnStar spying on drivers/passengers - http://www.autoblog.com/2011/09/21/gms-onstar-now-spying-on-your-car-for-profit-even-after-you-uns/
• Divorce cases swayed by FaceBook, social media - http://www.knoxnews.com/news/2010/jul/25/in-the-age-of-facebook-divorce-battles-go/?print=1

Synopsis

  This week I host Bryan Stiekes, a distinguished technologist with HP ...and not a security guy by trade.  Bryan has been a part of IT for a very long and distinguished career, with a background in networking and architecture.  Bryan's premise is that Information Security is at its core fundamentelly broken ...and I can't say I disagree.  We discuss the different aspects of what's been wrong with modern information security, and whether this is a good time to be in the 'business' of IT.

  This is a fascinating conversation for anyone who's feeling lost in IT Security ...and looking for some light at the end of the dark tunnel we've managed to wander into.

Guest

• Bryan Stiekes - Distinguished Technologist Hewlett Packard - Bryan Stiekes is an HP Distinguished Technologist with a focus on network strategy and cloud services architecture. Bryan has deep experience in secure networking and in multi-tenant services architecture to this role. Recently he's been focusing on the emerging 'as-a-Service' ecosystem and how that ecosystem impacts enterprise network and security models... and a Jedi Master.

Synopsis

  This is the first MicroCast, a new 15-minute format jammed packed with a series of great topics.  This time around, Jack Nichelson joins me and tells us how Bruce Lee feels about IT Security (this is a great quote!), why really good IT Security is just really good IT, and whether we will all be replaced by "Cyber-Insurance" policies.  Yikes ... this is definitely 15 minutes you'll be happy you listened.

Guest:

• Jack Nichelson - Jack is an information security officer at a very large industrial enterprise.  Jack's background is not IT Security, but he is a venteran of technology, and a master story-teller.  Jack can be found on Twitter as "@jack0lope".
  

Synopsis

  This is a special episode for anyone who's feeling like "Information Security" in their small business is impossible.  My guests and I talk through how to make information security a proper entity that can both serve the business need, and be respected; more than just survival, it's about making security thrive in the small business.  Michael potificates on what makes the security community such a valuable resource to security managers in his position, and we go into what advice you could give a vendor selling into a small business ... what a fascinating discussion!

Guests

• J.W. Goerlich - Network and Security Manager for a midwestern financial organization
  Wolfgang has 15 years in IT, with a InfoSec focus for the past 5 years. He has a deep background in risk management and business continuity for SMB firms.
• Michael Allen - Information Systems Security Officer for a Jamaican-based financial Institution. Michael has over 8 years experience in IT, with a focus on Infosec during the last 4 years. He has a strong background in application development with a keen interest in penetration testing, software security assurance and network security.

Links

• The "SecBiz" group on LinkedIn: http://www.linkedin.com/groups/SecBiz-4001160?gid=4001160&trk=hb_side_g
  

Synopsis

  Over the past year and a half of so, I've been pushing hard to change the paradigm around secure software - specifically the testing aspect of it to incorporate a much heavier emphasis on quality assurance.  That conversation spilled over into an OWASP conversation, which lead Glenn, Rohit and I to sit down and record this conversation we had - as we appear to be of like mind.  While it's not trivial to incorporate security testing into quality assurance, it's not impossible, and in fact, more practical than you may think.

  In this segment we discuss what security testing in a QA team looks like, how it's potentially split up, and whether we can really and truly make it work.  Glenn provides his practical perspective being an implementer of this methodology, while Rohit and I provide an across-the-industry discussion and commentary.

  I think you'll find this podcast episode fascinating, especially if you're struggling with the QA/Security relationship.

Guests

• Rohit Sethi - VP Product Development at SD Elements (http://www.sdelements.com)
  Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project. 
• Glenn Leifheit - Lead Information Security Consultant at FICO (http://www.fico.com)
  Glenn Leifheit, CISSP, CSSLP is a Senior Security Architect at FICO. He has worked in developing, managing, architecting and securing large scale applications for over 15 years. His day is spent rolling out an Enterprise secure software development lifecycle and managing PCI requirements as well as secure software reviews. Glenn is active in the Technology community as the Co-Chair of (ISC)2 Application Security Advisory Board, President of TechMasters Twin Cities, as an active member of IASA (International Association of Software Architects) and OWASP (Open Web Application Security Project) as well as a regional speaker evangelizing secure software. Glenn's blog is located at www.glennleifheit.com. 

Links

• No links for this podcast...

Synopsis

This edition of the podcast doesn't hold back.  We ask "Can someone be hacked out of business?" and as usual we don't really like the answers we come up with.  While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conslusion that I don't think any of us are comfortable with ...at least not that we were willing to say out loud, until now.  So is it possible?  Is DigiNotar being "hacked out of business" as Dark Reading suggests all FUD?  Listen and find out where we go with this topic!

Guests

• Rob Hale (UK) - An entrepreneur and industry commentator, Rob has over 12 years of experience working in the Security industry, with integrators, channel partners and vendors, providing advice and solutions for Enterprises & Government agencies to secure their networks, systems and data from internal and external threats.
• Martin McKeay - Security Evangelist, Akamai
• Rafal Los (aka the "Wh1t3 Rabbit) - HP Enterprise & Cloud Security Strategist

Links

• The DarkReading story that started us thinking: http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html
• The company Rob brought up which actually was hacked out of business (Distribute IT)- http://risky.biz/distributeit

This is the inaugural podcast episode of Down the Rabbithole.

Our podcast focuses on security, but from a business perspective and shines a light on the often misunderstood connection between Information Security and "business".

Today's guests were:

• Chris Nickerson - Founder, Lares Consulting
• Will Gragido - Lead Researcher, HP TippingPoint DV Labs
• Martin McKeay - Security Evangelist, Akamai

The topic for today's podcast was the question: "Everyone's getting hacked, should I panic?" ...and we also mention the HP TippingPoint DVLabs 1st Half 2011 Cyber Threat Report.

Links:

• Chris Nickerson mentions his "12-step blog post" > http://www.laresblog.com/2010/04/confessions-of-secaddict.html
• Martin McKeay mentions Sony's "lawyer approach" > http://arstechnica.com/gaming/news/2011/09/mandatory-ps3-update-removes-right-to-join-in-a-class-action-lawsuit.ars
• HP TippingPoing DV Labs 2011 Mid-Year Top Cyber Security Risks Report > http://www.hpenterprisesecurity.com/collateral/report/CyberSecurityRisksReport.pdf

Phil Cox joins Rafal (aka Wh1t3 Rabbit) and Martin McKeay and a gallery of others dicussing the issues with the very nebulous term "Cloud Security", and what it means, and how we as vendors can realistically help the consumers of cloud get a handle on what the heck this all means.

Fascinating conversation ensues.