Synopsis
Security. Some assembly required.
Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk.
This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
-
DtR Episode 93 - NewsCast for May 19th, 2014
19/05/2014 Duration: 41min
Announcements: I want to thank Circle City Con as a sponsor for the show! I have one more ticket to give away ... so watch the #DtR hashtag on Twitter! Thanks to special guest Philip Beyer for sitting in James' seat this morning...
Topics discussed
  - "US charges China with cyber-spying on American firms" (Hello, pot? this is the kettle...) - http://www.nbcnews.com/news/us-news/u-s-charges-china-cyber-spying-american-firms-n108706
  - Should we be thinking about security beyond win/lose (aka "oh no, hackers are winning!") - http://www.csoonline.com/article/2156104/security-leadership/thinking-about-security-beyond-winning-and-losing.html
  - Retail Industry Leaders Association (RILA) has launched their own ISAC-like entity called Retail Cyber Intelligence Sharing Center (R-CISC) - http://associationsnow.com/2014/05/retail-group-launches-sharing-tool-cyber-threats/
  - A recent survey tells us that a whopping 43% of all identity theft in 2013 happened in healthcare ( W O W ) - http://www.studentdoctor.net/2014/04/the-ri
-
DtR Episode 92 - Rapid Incident Response [Guests: Robin Jackson, Dan Moore]
12/05/2014 Duration: 31min
In this episode
  - Dan gives us the reality of living in what is commonly termed "the post-breach" world
  - Dan and Robin talk through the explosion in the numbers of malware samples
  - We discuss the different approaches to malware, crimeware, and the cross-over between them
  - Dan explains what "rapid incident response" really means and why it's essential
  - Dan and Robin give us some excellent examples of incident preparedness fundamentals
  - Dan gives us a lesson on implementing 'powerful tools' (and forgetting about them)
  - We talk through "who's doing it well?" (and we don't get a very hopeful answer)
  - Is it time to learn from our own and others' mistakes? (how?)
Guests
  - Robin Jackson ( @rjacksix ) - Robin is an incident response and digital forensics specialist for HP Enterprise Security Services.
  - Dan Moore - Dan is an incident response and digital forensics specialist for HP Enterprise Security Services.
-
DtR Episode 91 - NewsCast for May 5th, 2014
05/05/2014 Duration: 40min
Topics discussed
  - Microsoft has issued a patch for the massive MS IE flaw - for WindowsXP! - http://arstechnica.com/security/2014/05/microsofts-decision-to-patch-windows-xp-is-a-mistake/
  - Is Open Source Software more or less secure than closed-source? (in a post-Heartbleed era) - http://www.telegraph.co.uk/technology/internet-security/10769996/Heartbleed-the-beginning-of-the-end-for-open-source.html
  - Target's CEO has stepped down, but what's the real reason and is there now opportunity for change? - http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/ and http://www.latimes.com/business/money/la-fi-mo-target-ceo-resigns-20140505,0,4479532.story
  - Biometrics (specifically fingerprints) aren't as secure or unique as we'd like them to be, so ... passwords? - http://www.telegraph.co.uk/science/science-news/10775477/Why-your-fingerprints-may-not-be-unique.html
-
DtR Episode 90 - Things Your Auto Insurance Knows [Anonymous guest]
28/04/2014 Duration: 26min
In this episode
  - We discuss some of the new techniques auto insurance companies are using to custom-tailor rates to drivers
  - Our guest discusses some of the capabilities of the widgets available
  - Our guest discusses the 'call home' functions, and potential mis-use
  - We use 'big data' seriously
  - We talk about 'big data' and security - for real
  - Our guest gives us a realistic view about the type of data that's out there about your driving, habits, and tracking
Guest
Our guest is an industry insider, who for obvious reasons chose not to identify himself. We respect the guest's position, and kindly ask that our listeners do as well.
-
DtR Episode 89 - NewsCast for April 21st, 2014
21/04/2014 Duration: 33min
Topics discussed
  - The big story - "Heartbleed"
    http://www.csoonline.com/article/2142626/security-leadership/how-you-need-to-respond-to-heartbleed-and-how-you-can-explain-it-to-others.html
    http://www.csoonline.com/article/2146141/disaster-recovery/healthcare-gov-urges-password-resets-due-to-heartbleed.html
    http://xkcd.com/1354/
    http://rt.com/news/heartbleed-arrest-canada-security-016/
  - The "hacker*" known as "Weev" is free ...on a technicality, and why this is bad, very very bad, for our industry - http://techcrunch.com/2014/04/11/weev-is-free/
  - "Ramshackle Glam" - how one blogger had to go to extraordinary lengths to get her site back, and what you can learn from it - http://mashable.com/2014/04/02/ramshackle-glam-hacking/
  - The FTC's lawsuit against Wyndham Hotels was allowed to proceed by a federal judge - and why this is a very dangerous precedent - http://www.fiercegovernmentit.com/story/ftc-lawsuit-over-hotel-chain-data-breach-can-proceed/2014-04-14
  - Data breach roundup
    Michaels [yes, again] - http://www.bu
-
DtR Episode 88 - Advanced Threat Actors [Panel Discussion]
14/04/2014 Duration: 54min
In this episode
  - Advanced Threat Actors - more or less a threat right now than before? (how much is hype?)
  - Advanced Persistent Threat - is it really THAT advanced? (a "what" or a "who"?)
  - The distinction of what "APT" is ...and isn't
  - Touching on Mandiant APT-1 ...hype from reality
  - A quick discourse on corporate espionage!
  - How we respond to APTs ... is this just really "incident response" for a boogeyman?
  - The snake oil salesman behind "Automated APT defense"
  - Threat Intelligence - necessary, but what's the proper use?
  - Threat Intelligence requires collaboration, how do we do it?
  - Is our security failing, or is our perception of what we want it to do wrong?
  - Key take-aways for the enterprise professional
Guests
  - Steve Santorelli ( @SteveSantorelli ) - Manager of outreach at Team Cymru
  - John Pirc ( @jopirc ) - CTO of NSS Labs
  - J. Oquendo ( @advancedthreat ) - veteran threat researcher
  - Robin Jackson ( @rjacksix ) - veteran threat researcher, forensics expert at HP Enterprise Security Services
-
DtR Episode 87 - NewsCast for April 7th, 2014
08/04/2014 Duration: 33min
Topics covered
  - WindowsXP is officially, for real, definitely end of life - http://windows.microsoft.com/en-us/windows/end-support-help
  - Google Nest pushes update - examining the bigger picture - http://www.theregister.co.uk/2014/04/04/nest_waves_goodbye_to_alarm_switchoff_feature/
  - South Carolina's agencies are still not any better after the massive breaches - http://www.wbtw.com/story/25149085/still-no-consistent-computer-security-plan-at-sc-agencies
  - News flash - we trust the government and Internet companies less as a result of leaks - http://www.computerworld.com/s/article/9247441/Snowden_leaks_erode_trust_in_Internet_companies_government
  - The two banks which filed suit against TrustWave & Target have dropped their effort...sanity apparently prevailed but there's a bigger issue here at stake - http://www.securityweek.com/banks-drop-suit-against-target-trustwave
-
DtR Episode 86 - From DDoS to Quantum Computing [Guest: Prof Alan Woodward]
31/03/2014 Duration: 46min
In this episode
  - Rise of DDoS
    - Where did it come from
    - What's next
    - Why does it work
    - Spoofer project
    - 3-DOS attacks
  - Quantum computing
    - What is it
    - How is it different than what we commonly use today
    - What problems does it solve
    - How practical is it
  - The dark web
    - Where did it come from
    - Legitimate uses, turn into nefarious use-cases
    - Alternatives, adoption and options
Guest
Prof. Alan Woodward ( @ProfWoodward ) - Alan is not only a subject matter expert in computing, computer security and the impact technology has on business but brings to his roles a very broad range of experience in business management, technical management and project management. Whilst he has particular expertise in covert communications, forensic computing and image/signal processing, Alan is primarily a particularly good communicator, be it with clients, staff or investors. He is known for his ability to communicate complex ideas in a simple, yet passionate manner. He not only publishes in the academic and trade journals but has articles
-
DtR Episode 85 - NewsCast for March 24th, 2014
24/03/2014 Duration: 46min
Topics covered
  - The FTC jumps into the breech (pun intended) and may try and levy fines against Target, and future breach victims - http://ww2.cfo.com/technology/2014/03/ftc-urges-data-breach-penalties/ and http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
  - Could the Barclays Bank breach of Feb 2014 have been test data? Richard Bishop thinks so - http://blog.trustiv.co.uk/2014/03/barclays-data-breach-%E2%80%93-could-it-be-test-data and http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
  - US Commerce Dept not renewing ICANN contract, moving control to ITU - http://www.bloomberg.com/news/2014-03-15/u-s-to-relinquish-control-of-internet-address-system.html and http://www.businessweek.com/articles/2014-03-17/the-u-dot-s-dot-ends-control-of-icann-gives-up-backing-of-the-free-speech-internet
  - With Microsoft officially, and finally, stopping support for WinXP (after 14yrs!), is there a "breach cri
-
DtR Episode 84 - Rise of the Security Machines [Guest: Alex Pinto]
17/03/2014 Duration: 48min
In this episode
  - What is the promise of automation, and where did we go wrong (or right?)
  - The problems with 'volume' (of logging) and the loss of expressiveness
  - A dive into 'exploratory based monitoring'
  - How does log-based data analysis scale?
  - Baselines, and why 'anomaly detection' has failed us
  - Does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
  - Does today's 'threat intelligence' provide value, and is it really useful?
  - Decrying the tools - and blaming the victims
  - What is machine learning good at, and what won't it be great at?
  - Log everything!
Guest
Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat. He has been researching and exploring the applications of machine learning and predictive analytics into information security data sources, such as logs and threat in
-
DtR Episode 83 - NewsCast for March 10th, 2014
10/03/2014 Duration: 34min
Topics covered
  - Target CIO resigns, new central CISO and CCO roles created; but what's really going on here? - http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451 & http://pressroom.target.com/news/target-reports-third-quarter-2013-earnings
  - City of Detroit employees' information (including SSNs, DoB, etc) are "at risk" because someone clicked something they shouldn't have - http://www.freep.com/article/20140303/NEWS01/303030085/Detroit-computer-security-breach
  - ComiXology was [big time] hacked, but it's all good because the passwords were 'cryptographically secured' but where's the transparency? - http://www.theregister.co.uk/2014/03/07/comixologys_phantom_zone_breached_by_evil_haxxor/
  - A North Dakota University System was hacked and now 290k students, employees and faculty (yes including SSNs) data is at risk ... or is it? - http://www.greenfieldreporter.com/view/story/8f909740809e48e9a5669de333418134/US--University-System-Hacked
  - NC State researchers have a genius
-
DtR Episode 82 - Likely Threats [Guests: Lisa Leet, Russell Thomas, Bob Blakley]
03/03/2014 Duration: 43min
In this episode
  - Does it make sense, in a mathematical and practical sense, to look for 'probability of exploit'?
  - How does 'game theory' apply here?
  - How do intelligent adversaries figure into these mathematical models?
  - Is probabilistic risk analysis compatible with a game theory approach?
  - Discussing how adaptive adversaries figure into our mathematical models of predictability...
  - How do we use any of this to figure out patch priorities in the enterprise space?
  - An interesting analogy to the credit scoring systems we all use today
  - An interesting discussion of 'unknowns' and 'black swans'
  - Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization
Guests
  - Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Ex
-
DtR Episode 81 - NewsCast for February 24th, 2014
24/02/2014 Duration: 26min
Topics covered
  - Apple had a "Goto Fail" failure - yes people at Apple Computer still use Goto statements in 2014 - http://www.computerworld.com/s/article/9246533/Apple_encryption_mistake_puts_many_desktop_applications_at_risk and Adam Langley's awesome blog - https://www.imperialviolet.org/2014/02/22/applebug.html
  - Look out Terps, Univ of Maryland has lost 309,000+ staff members, students and faculty worth of personal information including social security numbers ... OUCH - http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
  - ICS-CERT has a new report out that bemoans the Industrial Control sector's inability to detect and respond to incidents ...mainly due to inadequate logging - http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516 and the report https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf
  - Websense has done a massiv
-
DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis]
17/02/2014 Duration: 58min
In this episode
  - Jay and Bob talk about their new book
  - A discussion on using data as 'supporting evidence' rather than gut feelings
  - Do we have actuarial quality data to answer key security questions?
  - A discussion on "asking the right question", and why it's THE single most important thing to do
  - Bob attempts to ask security professionals to use data we already have, to be data-driven
  - Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
  - Quick shout out to Allison Miller on finding the little needles in the big, big haystack
  - We think about why security as an industry needs to start looking outside of itself to get its data - now
  - Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis
  - I ask whether there is a chicken and egg problem in large-scale data analysis
  - Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
  - Bob makes a pitch for having a "Cyber
-
DtR Episode 79 - NewsCast for February 10th, 2014
10/02/2014 Duration: 38min
Topics covered
  - In the wake of the Target & Neiman Marcus breaches - is chip+pin really a priority right now, and does it solve the real problem? - http://blogs.csoonline.com/security-leadership/2977/does-chip-and-pin-actually-solve-problem-find-out-asking-these-questions
  - Speaking of Target ... it turns out that 3rd parties really are a problem and still a blind spot in many organizations' risk matrices, who knew - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
  - Apparently NBC News doesn't believe it's stretching the news at all, when it virtually makes up a story then gets called out by Robert Graham, hilarity ensues - http://news.cnet.com/8301-1009_3-57618533-83/sochi-hack-report-fraudulent-security-researcher-charges/
  - Something bad, very, very bad just happened over at Barclays in the UK ... although the jury seems to still be out on what exactly is going on; you can bet we're going to keep an eye on this - http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine
-
DtR Episode 78 - Legal Professional Privilege [Guest: David Prince]
03/02/2014 Duration: 41min
In this episode
  - David discusses what it's like working for a law firm (in the UK)
  - A quick wade through the UK Data Protection Act (mostly Principle 7)
  - "When lawyers get to interpret the laws"
  - Law firms as targets for data breaches
  - The new regulations in the UK, fines between 2%-5% of your REVENUE? Ouch.
  - Defining "adequate measures" in regulations
  - A brief chat on fines, regulations, and risk management
  - I trail off on a Princess Bride quote, and get ranty on "risk"
  - Dealing with personal devices, public WiFi to work and security
  - James asks the inevitable question on training
  - Good vs. "best" practice
  - Your security as a competitive advantage. Really.
Guest
David Prince ( @riskobscurity ) - A dedicated and well-respected Technical Information Security Professional with several years' experience and demonstrated success leading information security initiatives, in a variety of organizations. Initiatives which are in direct support of business-objectives to maintain the confidentiality, integrity, and availabili
-
DtR Episode 77 - NewsCast for January 27th, 2014
27/01/2014 Duration: 35min
Special thanks to Michael Santarcangelo ( @catalyst ) for stopping by the show and guest-hosting with James and me! We had fun, and I think you'll all enjoy Michael's perspective and humor.
Topics covered
  - Neiman Marcus breach - all new, same as before, or is it? - http://www.wired.com/threatlevel/2014/01/neiman-marcus-hack/
  - Coca-Cola loses laptops ... sort of ... but no worries, no evidence of wrongdoing - http://www.ajc.com/news/business/coca-cola-tells-thousands-of-employees-of-security/nc2NB/
  - Breach over at Microsoft, law enforcement documents "likely stolen", but what does that really mean? - http://www.pcworld.com/article/2091480/microsoft-says-law-enforcement-documents-likely-stolen-by-hackers.html
  - The (San Jose) police want to use your home surveillance system cameras, I'm not kidding - http://news.cnet.com/8301-17852_3-57617809-71/police-want-to-use-your-home-security-cameras-for-surveillance/
-
DtR Episode 76 - Payment Industry Turmoil [Guests: Laura Claytor & Alfred Portengen]
20/01/2014 Duration: 39min
In this episode
  - Did the Target/Neiman/? breach finally create a catalyst for change?
  - The card system, payment processing infrastructure clearly wasn't designed with defensibility in mind ... who should be changing that?
  - Are today's fraud rates finally getting high enough such that card processors, issuers, banks need to depart from the status quo?
  - Are the days of "zero fraud liability" to the end consumer coming to an end?
  - What about chip & pin? Is the risk less?
  - What kinds of pains will the industry go through to make security on payment systems better?
  - How is the commercial payments industry different from the consumer?
  - Do end users of credit accounts ultimately care about breaches?
Guests
  - Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States
  - Alfred Portengen ( @alfredportengen ) - Alfred has a deep breadth of experience in architecture and security specialty within a multi-national banking o
-
DtR Episode 75 - NewsCast for January 13th, 2014
13/01/2014 Duration: 41min
I can't believe it's 2014 already, and we're rolling through our 3rd calendar year! As we grow and you "regulars" mount, James and I want to thank you for listening, bookmarking, sharing and talking about the podcast. Your patronage has really made us smile, and you're the reason we do this.
Topics covered
  - Reuters: Retail community may be ready for a change in the payment card system and processes - http://uk.reuters.com/article/2014/01/13/uk-target-databreach-retailers-idUKBREA0B01A20140113
  - More Snowden fallout: French/UAE Intel satellite deal may be scuttled because of US-made components - http://www.defensenews.com/article/20140105/DEFREG04/301050006
  - Ransomware CryptoLocker's uglier, meaner cousin now available for $100... look out! - http://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/
  - Schneier: "The Internet of Things" is very vulnerable ...and there's no good way to patch it all - http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-t
-
DtR Episode 74 - Supply Chain [In]Security
06/01/2014 Duration: 48min
In this episode
  - Chris Wysopal - who is that masked man?
  - Putting some reality to the state-sponsored backdoors (Huawei) and supply-chain compromise
  - The risks coming through the door with the products you buy
  - The case for setting up an independent testing lab for mitigating 'backdoor' accusations
  - Chris does an interesting assessment on software security practices in the enterprise
  - Chris discusses holding your vendor to the same standards you hold yourself
  - What does it mean that enterprises are doing a "good job" in SwSec
  - Chris goes there, open-source components as part of supply chain risk
  - James asks "How do smaller buyers leverage scale to hold their suppliers accountable?"
  - Why do we still see SQL Injection?! Are we ever going to get rid of it?
Guest
Chris Wysopal ( @Weldpond ) - Chris is the Founder, CTO and CISO of VeraCode, a company dedicated to software security as-a-service. Chris has a long and storied history in the security industry dating back to L0pht Heavy Industries. His bio and profile can be