Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
DtR FeatureCast - CFAA, Shellshock and Security Research - October 2nd 2014
02/10/2014 Duration: 39min
Thank you to Shawn Tuma - an attorney specializing in CFAA and a good friend of our show - for stopping by and lending his expertise on this episode. If you enjoy Shawn's insights, consider following him on Twitter ( @ShawnETuma ) or just saying hello!
In this episode
- We discuss the CFAA in regards to Robert Graham's brilliantly written blog post on the topic - http://blog.erratasec.com/2014/09/do-shellshock-scans-violate-cfaa.html
- Shawn gives some key insights on the CFAA including historical context
- Michael asks some tough questions on the discretion and applicability of CFAA prosecution
- James goes on a rant about "security researchers" (it's a gem)
- I'm pretty sure Shawn goes on the record saying security researchers should be credentialed..or was that me?
- We get some advice from Shawn on where this topic goes next, and how to avoid being a target of prosecution
Guest
Shawn Tuma - ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual prope
DtR Episode 112 - DREAMR Framework
29/09/2014 Duration: 41min
In this episode
- DREAMR: What is it, and why is it so important to Enterprise Security today?
- Examples of aligning business and security requirements and winning hearts & minds
- How does a security organization get around "see I told you so!" security
- An example of how to make the framework work for you
- We discuss the importance of listening, then listening, then listening some more
- Jessica and Ben explain "accommodating" the business
- Jessica and Ben give us "One critical piece of advice"
Guests
Jessica Hebenstreit ( @secitup ) - Jessica Hebenstreit has been a member of the Information Security community for over a decade. Having worked on both the technical and business sides of various enterprises, Hebenstreit has a unique perspective that allows for more understanding when balancing competing interests. She is a successful and results-oriented Information Security expert with hands-on information security experience in security monitoring, incident response, risk assessment, analysis, and architecture
DtR Episode 111 - NewsCast for September 22nd, 2014
22/09/2014 Duration: 47min
Topics covered
- Hacker flees US for non-extradition country - why?
  http://blog.erratasec.com/2014/09/hacker-weev-has-left-united-states.html
  http://www.newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison
- Class-action lawsuit against Onity lock company ("easily hackable hotel lock") rejected by judge
  https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml
  http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
  http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/
- Home Depot - the dirt starts to fly
  http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
  https://privacyassociation.org/news/a/following-breach-report-shows-home-depot-has-105-million-in-coverage/
  https://privacyassociat
DtR Episode 110 - Red Dragon Rising
15/09/2014 Duration: 39min
In this episode
- Separating the hype from reality of the Chinese hacking threat
- The escalation of economic tensions between US & China, over hacking
- What is the advice for the enterprise regarding state-sponsored attacks?
- The challenge with the uni-directional intelligence flow for government/enterprise
- The challenge with nation-state hacking of critical infrastructure
- The worst-case scenario (quietly happening?)
- Directly addressing the various APT reports (specifically APT1)
- Does a cyber attack warrant a kinetic response?
- Attribution is hard. Is it more than black-magic, and is anyone doing it right?
- The great disconnect between the keyboard jockey and real-life consequences
Guest
Bill Hagestad II ( @RedDragon1949 ) - Internationally recognized cyber-intelligence & counter-intelligence professional. Technical, cultural, historical and linguistic analysis of foreign nation state cyber warfare capabilities, intents & methodologies... Listed on Forbes Magazine as : "20 Cyber Policy Experts To Foll
DtR Episode 109 - NewsCast for September 8th, 2014
08/09/2014 Duration: 49min
Topics covered
- Apple has been making news, issuing guidance, and refuting a hack - all around iCloud
  http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/
  http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/
  http://www.cio-today.com/article/index.php?story_id=94027
- HealthCare.gov was hacked, but no worries, it was only a test server and no 'data was taken/viewed'. Does this sound like something you've faced in the enterprise ... hmmmm? If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat.
  http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior
  http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html
- Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (did you
DtR Episode 108 - Security in State Government
01/09/2014 Duration: 41min
In this episode
- We discuss the largest challenges in the state government sector
- Brian discusses balancing the need for openness versus security/secrecy
- Phil talks about the challenge of balancing policy with agency needs in state government
- Michael asks how state-level security justifies and prioritizes security requirements
- Raf asks how policy is created that can be both effective, and broad
- The group talks about metrics, policy implementation, and showing value to protecting citizens
- The guys answer "What's the best piece of advice you've gotten in your career?"
Guests
Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 2700
DtR Episode 107 - NewsCast for August 25, 2014
25/08/2014 Duration: 45min
Topics covered
- Community Health Systems and UPS Stores breached - an analysis and contrast of the two breaches, the data, and the common message
  http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf
  http://blogs.wsj.com/cio/2014/08/20/the-morning-download-community-health-systems-breach-stirs-up-heartbleed-fears/
  http://time.com/3151681/ups-hack/
- The case of the premature declaration of BYOD death, via an over-hyped court case?
  http://www.cio.com/article/2466010/byod/court-ruling-could-bring-down-byod.html
- "Shadow clouds" (cloud services consumed by enterprises, not approved by security) are on the rise. No one on the show is shocked, and you aren't either.
  http://www.computerworld.com/s/article/9250606/Shadow_cloud_services_pose_a_growing_risk_to_enterprises
- Facebook gives $50,000.00 away for the "Internet Defense Prize", joining Microsoft in trying to make being defensive-minded (and actually solving some security problems, rather than continuing to point them out) sexy
  http://thre
DtR Episode 106 - My Compliance is Better Than Your Security
18/08/2014 Duration: 41min
In this episode
- Jason tells us why he isn't hating on compliance
- Jason talks about how security people are often the source of the issues
- Jason gives us his perspective on compliance-driven security
- Jason correlates compliance to quality assurance in security
- We talk about security's unbroken streak of failing at the basics
- We lament poor metrics, why we suck at them, and what comes next
- We discuss how you can tell whether an investment in security 'is working'
- We discuss the need for repetitive and consistent security
- Jason gives us his three things that he wants to leave you with
Guest
Jason Oliver ( @jasonmoliver ) - Jason M Oliver, CISSP, CRISC is the Chief and CEO of Tikras Technology Solutions Corp, a Native American Owned Small Business, President at Arrow Ventures, a seasoned security industry veteran, leader, and lifelong pursuer of knowledge. His unique approach to solving security issues involves individualized plans tailored to meet each specific customer's needs. His high level of unwaverin
DtR Episode 105 - NewsCast for August 11, 2014
11/08/2014 Duration: 44min
Topics covered
- Survey shows CISOs still struggle for respect (from business peers)
  http://www.cio.com/article/2460165/security/cisos-still-struggle-for-respect-from-peers.html
- Hold Security uncovers 1.2 billion password heist on Russian hacker sites (but something smells funny) - draw your own conclusions folks... I'd love to hear 'em
  http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
  http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/
  https://identity.holdsecurity.com/Submit/
  http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
- Yet another Android core software blunder, called "Fake ID", essentially gives "highly privileged malware" a free ride.
  http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
- HP study says 70% of "Internet-of-Things" (IoT) devices are vulnerable. There's a shock, we're carrying around legacy baggage? Perish the thought
DtR Episode 104 - JW Goerlich - Security Leaders Series
04/08/2014 Duration: 34min
In this episode
- Who is J.W. Goerlich (redux from episode - How did he get to where he is now?
- How does the security executive deal with the "moving finish line"?
- JW discusses how 'security' people can break down barriers between "us" and "them"
- We discuss why we still fail at the basics, and what all this means...
- JWG tries to talk about his favorite controls framework
- We discuss what difference it makes where the CISO reports in the enterprise
- What will the CISO be, or need to do, in ~3-5 years?
- We discuss hiring into InfoSec - from outside, or within ... and why?
- JW gives us the one thing you need to remember
Guest
J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and cre
DtR Episode 103 - NewsCast for July 28th, 2014
28/07/2014 Duration: 39min
Topics covered
- Certificate pinning back in the spotlight with the GMail iOS app having some difficulties, but there is a bigger issue here. We discuss.
  http://securityaffairs.co/wordpress/26577/hacking/gmail-app-flaw-mitm.html
- Nearly 3 years later, the NASDAQ hack attributed to FSB/Russian 'state sponsored' hackers, via 2 'zero day malware'. Highlighting need for attribution, common language, and other issues in security.
  http://www.infosecurity-magazine.com/view/39397/nasdaq-hackers-used-two-zero-days-but-motives-a-mystery/
- Cyber insurance - is this a forcing function to improve overall security, or yet another carpet to sweep security problems under?
  http://www.reuters.com/article/2014/07/14/us-insurance-cybersecurity-idUSKBN0FJ0B820140714
- A judge has just ruled that your "GMail account" has the same legal (or lack thereof) protections as a hard drive you own. Dangerous precedent, or nothing new?
  http://nakedsecurity.sophos.com/2014/07/22/your-gmail-account-is-fair-game-for-cops-or-feds-says-us-
DtR Episode 102 - Security Leaders Series - Jim Tiller
21/07/2014 Duration: 41min
In this episode
- Jim Tiller - a few things you probably didn't know?
- In the last 15 years, what has changed, and what hasn't?
- Why isn't security moving forward?
- "Complexity is the camouflage for bad guys" -Jim
- Chasing the moving line of 'security'
- "Fixing the airplane as it flies"
- How do enterprise security organizations push away from playing 'prevent' permanently?
- Fundamentals, fundamentals, fundamentals ... you're still failing
- What things should CISOs be doing that they're NOT doing right now?
- Where will security be, as a discipline, in 10 years?
Guest
Jim Tiller ( @Real_Security ) - Jim has been in the security industry since the very early 90's and has continued his mission in working with individuals, groups, organizations, and companies around the world to collaborate, develop, and implement business aligned security strategies and technologies. Through his career he's worked with and in numerous organizations for the advancement of information security technologies, practices, and standards and through these ac
DtR Episode 101 - NewsCast for July 14th, 2014
14/07/2014 Duration: 45min
Topics covered
- Florida Information Protection Act of 2014 is in the books, and it brings "sweeping changes" to the data breach disclosure process in Florida. Good thing or bad? You decide
  http://www.scmagazine.com/fla-passes-sweeping-data-breach-notification-bill/article/357858/
  http://www.flsenate.gov/Session/Bill/2014/1526/?Tab=RelatedBills
  http://www.flsenate.gov/Session/Bill/2014/1524
- The DoJ has nabbed a 'prolific hacker'... a Russian national. Russia calls it kidnapping. Tensions flare. Again.
  http://mashable.com/2014/07/08/russian-man-hacking-retailers/
- Chinese man charged with industrial espionage
  http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
- US Banks are calling for a "Cyber War Council" (so much wrong here, it's incredible...)
  http://www.businessweek.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council#p2
- The ultra-ultra-legacy code problem and why we're not getting security any higher up the ladder any t
DtR Episode 100 - Security Wisdom from Dan Geer
07/07/2014 Duration: 01h31s
In this episode
- Who is Dan Geer (just in case you live in a cave and don't know)
- Dan's definition of security - "The absence of unmitigatable surprise"
- What exactly is the pinnacle goal of security engineering?
- Responsibility, liability and when software fails as a result of security issues
- In a liability lawsuit - "What did you know, when did you know it?"
- The fraction of the population who could sign an "informed consent" is falling - so now what?
- Why ICANN is actually making all of this so much worse
- What do we do about "abandoned software"?
- Fixing security bugs in software is a tricky business...good, bad, worse
- Are things getting better [in security]?
- Dan talks about a "diversity re-compiler" and how we can make the exploit writer's job harder (from Jason White)
- What "low hanging fruit" issues are we simply not addressing properly right now? (from Jason White)
- If the Internet were being built from scratch today, what would you keep and throw away?
Guest
Dan Geer - Dan Geer is a computer security anal
DtR Episode 99 - NewsCast for June 30th, 2014
30/06/2014 Duration: 48min
Topics covered
- Your server may have a hardware flaw that exposes your baseboard management interface to the world - http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
- Airports are getting hacked, APT involved, state-sponsored attackers! - http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/
- PayPal flaw renders 2-factor auth on mobile useless, disabled temporarily while they work on a fix - http://www.darkreading.com/mobile/paypal-two-factor-authentication-broken/d/d-id/1278840?
- FTC vs. Wyndham: another shoe drops, the FTC takes a hit while Wyndham scores a win - http://www.mediapost.com/publications/article/228730/judge-authorizes-wyndham-to-appeal-data-security-r.html
- Dilbert says it best - http://dilbert.com/strips/comic/2014-05-19/
DtR Episode 98 - Grr (Grr Rapid Response)
23/06/2014 Duration: 46min
In this episode
- What exactly is "GRR"?
- What sorts of things can GRR do?
- What is a hunt, and how does it scale across tens of thousands of machines?
- How does GRR "hide" from malware?
- How does GRR keep some of the great power it has from being abused?
- Automating and integrating GRR with external sources and tools
- Features, functions, capabilities and some magic from Greg
- The future features, requests, and direction of GRR
Guest
Greg Castle - Greg has 10 years experience working in computer security. In his current role as Senior Security Engineer at Google, he is a developer and user of the open-source GRR live-forensics system. He also has strong interest and involvement in OS X security, having been responsible for the security of Google's OS X fleet for two years. His pre-Google job roles have included pentester, incident responder, and forensic analyst.
Links
Grr Rapid Response - https://code.google.com/p/grr/
DtR Episode 97 - NewsCast for June 16th, 2014
16/06/2014 Duration: 51min
Note: I want to thank Will Gragido for stopping by this morning to talk over the news with us. Always great to have someone with a fresh perspective, I hope you enjoy the show.
Topics Covered
- Don't like Google Glass (or similar devices) on your network? Kick them off - http://mashable.com/2014/06/04/glassholes-wifi-jamming/
- The FAA has issued an order for Boeing to 'protect the planes from computer hackers' ... but what is really going on here? - http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/
- APT, APT, APT, APT ... evolved APT? - http://www.csoonline.com/article/2158775/security-leadership/why-you-need-to-embrace-the-evolution-of-apt.html
- After getting breached, PF Chang's goes "old school"; sounds legit, right? - http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/
- Why preparation is a good idea, even when it comes to 'cyber' - http://www.csoonline.com/article/2360748/security-leadership/using-a-cyber-war-exercise-to-improve-your-security-program.html
- F
DtR Episode 96 - A CIO Talks About CISOs
09/06/2014 Duration: 37min
My apologies for some of the skips in this episode - we had some difficulty with the recording and ultimately I hope it doesn't take away from Joe's wonderful message. Thanks for your patience.
In this episode
- From CISO to CIO - making that leap
- Does the CISO need to be technical? (answering that question, again)
- What types of things does a CIO need to know?
- Who should the CISO report to? Any chance the CISO reporting structure shifts around?
- A "Chief Data Officer"? Are there too many 'splintered' job titles in the security/risk role?
- Responsibility, accountability, and where the buck stops
- What are 3 things security does right, and what are 3 things that we do terribly?
- How big should your security budget be? (trick question)
- What KPIs should security be reporting to the CIO? (the hardest question ever)
- What resources are there for CIOs?
Guest
Joe Riesberg ( @JoeRiesberg ) - Joe is currently the CIO of Drake University. Previous to his current role, he was the Senior Vice President, Global IT Security Se
DtR Episode 95 - NewsCast for June 2nd, 2014
02/06/2014 Duration: 47min
Note: Today, Kim Halavakoski joined us on the show to provide perspective all the way from Finland! We appreciate his international addition to the show, and hope the listeners enjoy the added brainpower.
Topics covered
- Facebook's next major update will turn your mobile device into an always-on listening tool for Facebook. This is a good time to remind you that you are the product, not the customer - http://www.ibtimes.com/facebook-microphone-update-store-data-social-media-giant-confirms-new-feature-will-1588916
- In a blow to security professionals' egos everywhere, investors apparently aren't swayed by data breaches - http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches
- The US's indictment of 5 Chinese nationals for 'state sponsored industrial espionage' is apparently backfiring (or at least it is in the media) - http://www.bloomberg.com/news/2014-05-27/china-said-to-push-banks-to-remove-ibm-servers-in-spy-dispute.html
- Now that there is a hack to enable WinXP SP3
DtR Episode 94 - ICANN, Tor, and Internet Freedom
26/05/2014 Duration: 41min
In this episode
- Jeff explains the background of the relationship between the US government, ICANN and IANA
- What is the ITU and why is this $0 contract handoff to the ITU such a big deal?
- What impact did Edward Snowden's actions have on the issue?
- The potential issues with DNS, cross-border censorship and DNS
- The importance of Tor, Freenet and challenges of implementation
- Discussing the evolution of services like Tor through "nation-state firewalls"
- Changing the image of anonymous services
- Making Tor and similar services more user-friendly, and more prevalent
Guest
Jeff Moss ( @TheDarkTangent ) - Jeff, also known as The Dark Tangent, is an American hacker, computer security expert and internet security expert who founded the Black Hat and DEF CON computer hacker conferences. His Wikipedia page can be found here.