Down The Security Rabbithole

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 398:36:06

Information:

Synopsis

Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.

Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit

Episodes

  • DtSR MicroCast 07 - Taking Security Seriously

    08/02/2015 Duration: 05min

    This is the 7th installment (call it a rebirth) of the MicroCast. Short and to the point, Michael and James talk about the phrase breached companies use - "We take your security seriously..." Join the conversation at #DtSR on Twitter!

  • DtSR Episode 128 - When Breach, Buy the Dip

    02/02/2015 Duration: 01h32s

    Fans - If you haven't booked your ticket for InfoSec World 2015 in sunny Orlando, FL check this out. Register using our code CLD15/RABBIT for 15% off. If you want a chance to go for FREE, listen to Episode 127 for your chance!

    In this episode...
      • John gives us a little lesson on markets, and why they move up/down, commentary for the information security professional
      • John discusses what #BTFD means
      • John uses the Target example of why security professionals, marketers, and much of the media got it completely wrong
      • John educates us on insurance, compliance and liability
      • My head explodes...

    Guest
    John Foster ( @dearestleader ) - Mr. Foster has 19 years of technology experience but left technical infosec in 2003 to pursue a career in Compliance and Ethics. He now focuses on bribery & corruption, environmental issues, and other interesting topics, but infosec keeps appearing in compliance and finance. He is an investor with experience in stock, foreign exchange, options, and futures which allows him to see

  • DtSR Episode 127 - NewsCast for January 26th, 2015

    26/01/2015 Duration: 38min

    ** There is a special gift for our listeners in this episode, from our friends at InfoSec World 2015! Listen to find out how you can go for free. We have a promo code! CLD15/RABBIT – 15% off for “Down the Rabbit Hole” listeners

    Topics Covered
      • Google picks up really big rocks, but lives in a glass house. As Google drops zero-day on Apple and Microsoft they respond with a lame excuse as to why they aren't patching a vulnerability that puts north of 60% of all Android users at risk.
        http://m.v3.co.uk/v3-uk/news/2389839/google-puts-60-percent-of-android-users-at-risk-with-webview-security-changes
        http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
        http://www.eweek.com/security/google-project-zero-continues-its-microsoft-zero-day-assault.html
        http://www.zdnet.com/article/googles-project-zero-reveals-three-apple-os-x-zero-day-vulnerabilities/
      • Marriott reverses its decision to block guests' personal WiFi devices at their propertie

  • DtSR Episode 126 - The Defense Always Loses

    19/01/2015 Duration: 49min

    In this episode...
      • The blog post that started it all - http://blog.norsecorp.com/2014/11/10/the-new-reality-in-security-offense-always-wins-and-defense-always-loses/
      • Vince tells us what he means by "Offense always wins, defense always loses"
      • We disagree over this snip from his blog post: "To “win” in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose."
      • We discuss how we get away from being Eeyore defeatists
      • Vince gives us the security strategies he is advocating, knowing that defense is better equipped and better funded
      • We briefly mention high-value assets, why it's even more critical today than it has ever been before, and why we still stink at it
      • We challenge Vince to give us some tangible steps to managing risk better, to get away from winning/losing
      • We discuss how we compress delivery timelines for security competencies (Average time to deliver

  • DtSR Episode 125 - NewsCast for January 12th, 2015

    13/01/2015 Duration: 34min

    Welcome to a new year of the Down the Security Rabbithole Podcast! We are kicking off this year with a guest on this morning's program: Phil Beyer joined us to talk about the last few weeks, which have been a wild, wild ride in the security industry! Thanks for your support so far, and we promise a fantastic 2015 to come.

    Topics Covered
      • Sony. Sony. Sony. It's all anyone can talk about! They got hacked. They released a movie. They apparently aren't in dire straits. Fascinating.
        http://www.cbc.ca/m/news/world/sony-pictures-ceo-michael-lynton-says-hackers-burned-down-the-house-1.2894997
        http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
        http://www.washingtonpost.com/world/national-security/fbi-director-offers-new-evidence-to-back-claim-north-korea-hacked-sony/2015/01/07/ce667980-969a-11e4-8005-1924ede3e54a_story.html
      • Meanwhile, an iron plant in Germany was attacked (via cyber) and caused some very serious, and real, damage
        http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-cause

  • DtSR Episode 124 - PCI DSS and Security (Yes, Really)

    05/01/2015 Duration: 57min

    Hi everyone! Welcome to the very first episode of the Down the Security Rabbithole Podcast for 2015! On this opening episode, Jeff Man joins us to talk truth to power on PCI-DSS and shatters myths for us.

    In this episode
      • Jeff tackles some common misunderstandings about PCI
      • The crew discusses PCI – what’s right about it and what’s wrong about it
      • Jeff tells us why he believes if you’re secure you’re compliant, but if you’re compliant you’re probably not secure
      • The $64M question - Isn’t EMV, P2PE, and tokenization going to spell the end of PCI?
      • Jeff tells us what to look forward to with PCI DSS v3.0

    Guest
    Jeff Man ( @MrJeffMan ) - Mr. Man has 13 years of DoD experience (10 at NSA as a Cryptanalyst/Information Security Analyst), 18 years of commercial consulting – pen testing, vulnerability assessments, security architecture reviews, and 10 years as a QSA doing PCI (and yet he's never conducted a PCI audit and never been a CISSP). As a QSA he's been involved with most of the major companies that experienced b

  • DtSR FeatureCast - 2014 Year in Review

    29/12/2014 Duration: 52min

    Hey everyone! We're almost done with 2014 and another new year is right around the corner. We thought this was the perfect time to sit back, relax a little and reflect on the year that was...and boy was it ever! Jack Daniel & Allison Miller join Michael, James and me on the podcast to talk it all out, share a few chuckles and try to make sense of it all!

    Thanks for listening everyone, it's been an epic year and we look forward to more awesome things in 2015!

  • DtSR FeatureCast - US vs. Salinas ft. Shawn Tuma

    22/12/2014 Duration: 29min

    In this episode Attorney and CFAA expert Shawn Tuma joins us to talk about the US vs. Salinas case, where Mr. Salinas was threatened with 440 years in jail and has now pleaded down to a misdemeanor. Prosecutorial discretion, or attorneys-gone-wild?

    Link: http://www.wired.com/2014/11/from-440-years-to-misdemeanor/

  • DtSR Episode 123 - NewsCast for December 15th, 2014

    15/12/2014 Duration: 43min

    Topics covered
      • The unfolding case of the Sony Pictures Entertainment breach
        http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html
        http://www.thedailybeast.com/articles/2014/12/12/shocking-new-reveals-from-sony-hack-j-law-pitt-clooney-and-comparing-fincher-to-hitler.html
        http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html
        http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html
      • The phishing scam that succeeded at hitting a big chunk of Wall Street - it probably would have fooled you too. Here's what we've learned
        http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
      • Iranian hackers hit Las Vegas behemoth with a sophisticated attack ... wait, it was Visual Basic-based?!
        http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
      • Judge refuses

  • DtSR Episode 122 - Enterprise Architecture's Role in Security

    08/12/2014 Duration: 51min

    In this episode
      • Michelle explains to us what Enterprise Architecture is, and what it isn't
      • Michelle gives her take on how security and enterprise architecture support each other
      • We discuss the role of standards, standards, standards - and why you can't have security without them
      • We talk about GRC
      • We talk through roles & responsibilities definition between security, architecture, and the rest of IT
      • "Application Portfolio Rationalization" -- the most impossible project. Ever.
      • Michelle schools us on data, high-value assets, meta-data and the really hard topics for security
      • Michelle gives us a series of examples of "HOW" we can find high-value assets, and start security there
      • Michelle addresses the phrase "business alignment" since it's pivotal to enterprise architecture

    Guest
    Michelle-Marie Strah ( @CyberSlate ) - Director, Enterprise Architecture at NBCUniversal – recently joined the newly formed Strategy and Architecture team at NBCUniversal designed to drive enterprise architecture, solutions a

  • DtSR Episode 121 - NewsCast for December 1st, 2014

    01/12/2014 Duration: 44min

    Topics covered
      • Sony Pictures is having a very, very bad couple of days - and it could keep getting worse.
        http://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-security-compromise
        http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html
      • A newly discovered (but old) comment bug in WordPress affects ~86% of sites. The story isn't what you think it is -
        http://www.consumeraffairs.com/news/newly-discovered-comment-security-bug-affects-86-of-wordpress-blogs-112414.html
      • The Australian government is blaming a data breach from February on ... "awareness"? Michael disagrees (and he's right).
        http://www.esecurityplanet.com/network-security/australian-government-data-breach-linked-to-poor-security-training.html
      • The public release of the research on Regin malware has it pegged as the most advanced thing since the computer - so what?
        http://money.cnn.com/2014/11/23/technology/security/regin-malware-symantec/index.html?hpt=hp_t2

  • DtSR Episode 120 - Hacking the Human (again)

    24/11/2014 Duration: 46min

    In this episode
      • We revisit the 'human' side of hacking
      • Chris tells us all about the Defcon CTF his team has hosted
      • We discuss the role human nature plays in social engineering, or "Why the bad guys always win"
      • Chris gives us his tips for making it harder for social engineers
      • Michael and Chris talk metrics and measuring "getting better"

    Guest
    Chris Hadnagy ( @HumanHacker ) - Chris Hadnagy (author of Social-Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security) is a speaker, teacher, pentester, and recognized expert in the field of social engineering and security. Chris Hadnagy is the President and CEO of Social-Engineer, Inc. He has spent the last 16 years in security and technology, specializing in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit. Chris is a graduate of Dr. Paul Ekman’s courses in Microexpressions, having passed the certifica

  • DtR Episode 119 - NewsCast for November 17th, 2014

    17/11/2014 Duration: 41min

    Note: The hashtag for the show on Twitter has changed, please connect with us using #DtSR going forward. Thanks!

    Topics covered
      • Update: Home Depot breach (Hint: apparently it was a 3rd party entry point)
        Story: http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html
        Apparently as a reaction, all execs are being switched to iDevices (blame Windows? and why only execs?) - http://www.imore.com/home-depot-switches-execs-iphones-macbooks-it-blames-windows-massive-breach
        Also, they lost ~53 Million email addresses too - http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
      • American Express is pushing tokenization to their payment ecosystem, this is big news but leaves a lot more questions and concerns than answers (for example - what about chip & pin (sign)?)
        Story: http://threatpost.com/american-express-brings-tokenization-to-payment-cards/109137
        Check out the standard itself: http://www.emvco.com/downloa

  • DtR Episode 118 - Demystifying Threat Intelligence

    10/11/2014 Duration: 52min

    In this episode
      • Adam and Dmitri discuss what is (and what isn't) threat intelligence
      • We discuss strategic, tactical and operational security intelligence
      • Who is using threat intelligence, and how?
      • Adam talks about the success factors, key points, and trends
      • Michael asks how an organization can know whether they're READY for a threat intelligence program
      • Adam explains the term "finished intelligence"
      • Adam describes tactical intelligence, while Dmitri gives his take on strategic intelligence
      • We discuss the merits of education and awareness - first
      • How important is attribution, really?
      • 3 critical things an enterprise *must be doing* before jumping into threat intelligence as a program

    Guests
    Adam Meyers ( @adamcyber ) - Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this

  • DtR FeatureCast - Norse Corp DDoS - Nov 7 2014

    07/11/2014 Duration: 25min

    In this episode
      • Jeff explains a little bit about who Norse is, and why they were potentially targeted with a DDoS
      • We discuss what a DDoS is, how it becomes effective, and what methods/tools attackers use (in this case SNMP v2 reflection)
      • We talk about threat intelligence (reputational intelligence) and how companies and intelligence platforms can leverage this data to decrease risks actively

    Guest
    Jeff Harrell ( @jeffharrell ) - Jeff Harrell is the Vice President of Product Marketing at Norse, the leader in live attack intelligence. Jeff has over 15 years of experience in the IT Security industry leading product management and product marketing teams to build and market security solutions from end users to large enterprises. Jeff’s areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.

    Additional Lin

  • DtR Episode 117 - NewsCast for November 3, 2014

    03/11/2014 Duration: 44min

    Topics covered
      • Banks urging shoppers not to avoid breached retailers - Companies that get breached impact card holders minimally, at least as far as we can tell, right?
        http://www.kcentv.com/story/26887771/local-bank-leaders-no-need-to-avoid-hacked-retailers-during-holidays
      • Federal officials (FBI, US SS) are making a big push to be your source for cyber-security help - Interesting that this comes up at a time when everyone is fighting back against government meddling/surveillance
        http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
      • The FCC flexes its muscle in a pair of fines totalling a paltry $10m for egregious security violations - Of course, the people who have had their privacy and security violated see none of this big-telco pocket-change...
        http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/24/with-a-10-million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/
      • Congress doesn't grant FBI ability to prevent mobile encryption

  • DtR Episode 116 - Lines in the Sand on Security Research

    27/10/2014 Duration: 54min

    In this episode
      • Chris attempts to explain the consternation with 'security research' right now
      • Kevin gives his perspective and why he doesn't quite understand why people don't see they're "breakin' the law"
      • Shawn discusses what parts of the CFAA he would like to see reformed
      • James drops the question - "What is a security researcher?" ..and rants a little
      • Kevin talks about why the security industry needs to self-regulate w/example
      • Chris and Kevin debate intent, and "stepping over the line"
      • Chris brings up the issue of bug intake at a large company
      • Spirited discussion about intent, regulation, actions and separating emotion from facts

    Guests
    Chris John Riley - ( @ChrisJohnRiley ) - Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years of experience in various aspects of Information Technology, Chris now focuses full time on Information Security with an eye for the often overlooked edge-case scenario. Chris is one of the

  • DtR Episode 115 - NewsCast for October 20th, 2014

    20/10/2014 Duration: 38min

    Topics covered
      • The FBI paid a visit to the "researcher" who revealed (and tinkered with) the hacked Yahoo! servers - we discuss the various aspects of this case, which we've been going round and round on lately
        http://www.wired.com/2014/10/shellshockresearcher/
      • US Cyber Security Czar Michael Daniel wants our passwords gone, replaced by .... "selfies"; We wish we were making this one up or the link was to an Onion article, but sometimes the jokes write themselves in a sad, sad way
        http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/
      • Pres. Obama has issued an executive order that all government payment cards now must be "chip & pin"; once again underscoring that "just do something" may be worse than actually doing nothing -- we'd love to hear your thoughts
        http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions
      • Notable data breaches discussed: K-Mart - http://www.theregister.co.uk/2014/1

  • DtR Episode 114 - Threat and Vulnerability Management

    13/10/2014 Duration: 45min

    In this episode
      • Ron gives us a brief history of Tenable and TVM for the enterprise
      • Ron answers "How do you make network security obtainable and defendable?"
      • We discuss TVM as a fundamental principle to many other security program items
      • Ron tells us what the modern definition of "policy" is
      • We discuss some hurdles and challenges of TVM programs in an enterprise
      • We note that security scanning can always break stuff - so how do you get around that?
      • Ron tells us why TVM is so much more than scanning
      • Michael asks "Why are so many companies stuck in a Prince song (1999)?"
      • We attempt to tackle - compliance, risk, and managing to a goal
      • Ron answers the question - "Are we getting any better?"

    Guest
    Ron Gula ( @RonGula ) - CEO and CTO at Tenable. Ron co-founded Tenable Network Security, Inc. in 2002 and serves as its Chief Executive Officer and Chief Technology Officer. Mr. Gula served as the President of Tenable Network Security, Inc. He served as the Chief Technology Officer of Network Security Wizards which was ac

  • DtR Episode 113 - NewsCast for October 6th, 2014

    06/10/2014 Duration: 47min

    Topics covered
      • The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ...well, we talk about it with an attorney and some necessary skepticism
        https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD
        My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html
      • A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots
        http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation
      • A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware
        http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app
      • The code for the badUSB attack was published and released at DerbyCon - we discuss implications
        http://www.wired.com/2014/10/code-published-for-unfixable-usb-at
