Down The Security Rabbithole

It's Monday April 22nd, 2013, and here are the topics from the last 2 weeks James ( @jardinesoftware ) and I ( @Wh1t3Rabbit ) will be talking about as we Monday-morning-quarterback the last 2 weeks in Information Security... Fair warning, we have way too many topics to fit into 20 minutes... so went a little bit longer but both feel it's well worth your time. Laugh, cry, and be informed. Topics Covered Microsoft rolls out 2-factor authentication - James points out that Microsoft has rolled out authenticator-agnostic, robust 2-factor authentication... if only I could figure out how to use it? If you have any experiences with this, please share with us on Twitter, using the #DtR hashtag - http://nakedsecurity.sophos.com/2013/04/11/microsoft-look-like-being-next-with-2fa/ Oracle dumps a 42-patch bundle - Oracle has dropped a massive patch bundle, many of these are remotely exploitable Java issues, and it's not a walk in the part for Enterprise Security folks. Also ... we chuckle a little bit about the absolutel

In this episode... A critical discussion on the available 'cyber intelligence' reports from various vendors How hard is attribution in cyber space, really? "Alternative analysis" - why isn't it being used enough in cyber intelligence reporting? Discussion on 'degrees of certainty' and its apparent lack of application to cyber intelligence Extensive discussion on avoiding confirmation bias, critically reviewing intelligence work, and peer reviewing processes Kinetic responses to cyber threats and other outrageous rhetoric Hacking back? but hacking whom? Guest Jeffrey Carr ( @JeffreyCarr ) - Jeffrey Carr is a cybersecurity analyst and expert.He lives in Seattle Washington. He is founder and CEO of Taia Global inc. He is also the founder and principal investigator of Project Grey Goose, an open source investigation into cyber conflicts including the Russian cyber attacks on Georgia, the Indian Eastern Railway Website defacement and the Israeli-Palestinian war in 2008 to 2009. He is also a government contracto

In this second episode of our Monday morning InfoSec quarterbacking, James and I actually got through the news items we had lined up in just about 20 minutes. I count this as a win. Topics Covered Choice Escrow & Land Title, LLC vs. BancorpSouth, Inc. | At issue is the Uniform Commercial Code (UCC) as it applies to commercial entities taking "commericially reasonable methods" to secure their transactions. This one is going to have a major ripple effect, keep an eye out for further developments - http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/ "The biggest cyber attack ever" | Or really, a DDoS feud between a known spammer (CyberBunker) and a spam fighter (SpamHaus) which actually did impact Internet traffic in Europe, but was effectively a tempest in a teapot for most everyone else - http://www.cnn.com/2013/03/27/tech/massive-internet-attack/index.html?hpt=hp_t2 Schnuck's gets hacker by "computer code", but it's OK now | Short version of this story, be careful h

First ...a milestone. I want to take this time to formally welcome Mr. James Jardine, of SecureIdeas, as my permanent co-host to the podcast. James has experience podcasting as he already co-pilots the Professionally Evil Podcast, and he's witty, knowledgeable, and awesome to work with on the microphone. I ask that you all give James a warm welcome! In this episode... Overview of what cyber liability insurance is and what it isn't We ask "Why would we need a security program, when you can just buy insurance?" How do [cyber] under-writers figure out how to insure you, and how much of a liability your organization and its practices is? The types of costs and coverages available in some of the different policies at the various carriers We pull on the 'reputation' thread ... again We try to divine the magic formula used to calculate how to calculate a 'liability' or coverage requirement We try and figure out how an enterprise can drive down their cyber liability insurance premiums Christine touches on mobility,

Welcome to the Down the Rabbithole NewsCast! Join me in welcoming James Jardine ( @JardineSoftware) of Secure Ideas to the show as a permanent co-host! The NewsCast is a bi-weekly (2nd and 4th Monday of the month) release where we'll discuss the news and events of the past 2 weeks, and attempt to analyze, break down, and generally make sense of the madness of the Security industry and real world at large. Also a big thanks to Todd Haverkos, the voice behind the hilarious intro you'll hear on this podcast, and all the others ... Topics We Covered Apple's new 2-Factor Authentication went live Cisco made passwords weaker (whoops!) in their IOS The US Government struck out twice (SAM security issue, and a contractor "buys" warez) Celebrities get their credit info jacked S. Korea gets whacked with a nasty bug, wipes out 32,000 machines in one swoop

In this episode... We discuss "big data", what the heck it really is, and whether it's something new, something old, or something marketing made up Marcus does interpretive dance, and makes up new words Alex (shockingly) disagrees with Marcus, and actually describes 'data science' We hear Marcus talk about "NBS - never before seen" detection and why it's so critical We collectively agree (it's OK to be shocked) that "big data" is not a product Marcus discusses why you should be defending against the sniper The guests disagree on whether we have too little data, or whether we just don't know how to make it work for us Alex puts on a tinfoil hat ... Guests Marcus Ranum ( @mjranum ) - Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is a pioneer in security technology who was one of the early innovators in firewall, VPN, and intrusion detection systems. Since the late 1980s, Marcus designed a number of groundbreaking security products including the DEC SEAL, the TIS

Synopsis This timely podcast is right on the heels of the US vs. Cotterman decision from the 9th Circuit Court of Appeals. One of the watershed decisions on privacy and digital law, this is an extremely important case that touches on whether government agents can take and search your digital property while crossing the border with or without cause or suspicion. Michael and Shawn give their analysis, and we get some critical information for international business travelers, as well as those of us in the security community who regularly cross the US border with sensitive, potentially encrypted or password-protected information. Link to the original 9th Circuit Court of Appeals decision: http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf You're not going to want to miss this podcast. Guests Michael Schearer ( @theprez98 ) - Security consultant and penetration tester by day, law student and hacker by night, proud Navy veteran, writer, promoter of civility in political discourse, Philadelphia

Synopsis Security has an interesting view on "business decisions", and in this podcast episode recorded at GrrCon 2012 in Grand Rapids, MI I sit down with some of the talent behind MISEC and we discuss #SecBiz topics of interest including the ugly phrase "it's a business decision" and why we say that. We also dive into how decisions are made, and why security and business are still often at odds on goals and acceptable 'risks'... and why our recommendations and guidance still falls on seemingly deaf ears. We sample some of the sage wisdom of J.W. Goerlich as he runs his IT and security organization, and how he asks his security employees to think business, and put themselves into the frame of reference of the business when making decisions. Jen Fox brings up Miller's Law, and teachs us to ask "What is that true of?" when framing discussions in the business context with non-technologists. Jen makes us think about frames of reference. She tells us that we must assume that a statement someone makes is true ... f

Synopsis Shawn and I have been trying to get together to record an episode for what seems like forever. We first started talking about the CFAA (Computer Fraud and Abuse Act) when it was ruled that a person could not be charged as a 'hacked' under the CFAA by their employer when they accessed information improperly if the employed did not restrict that access appropriately. Shawn's expert insight here as an attorney dealing with the CFAA shines as we talk about hacking, vulnerability research, and other critical topics to the hacker culture, information security industry and security professionals. You're not going to want to miss what Shawn has to say... I want to thank him for his time, and encourage anyone who needs the sort of advice Shawn has to give him a call, or send him a Tweet. Guest Shawn E. Tuma - Shawn E. Tuma is an experienced business, litigation, and intellectual property attorney at BrittonTuma who helps businesses and individuals assess, avoid, and resolve business and legal issues. Shawn ha

Synopsis I sat down with Bill at ISSA International in Anaheim, CA in the fall of 2012 to discuss what it's like, and what types of challenges he faces in the fast-paced, hybrid world of security at Netflix. We talked about some of the challenges his environment faces, and more generic issues that are endemic to the evolving security landscape. It's fascinating to hear Bill's take on what the big picture items are, and how security is really in a state of evolution right now. Join us, I tihnk you'll love this episode. Guest Bill Burns - Director of IT Security and Networking, Netflix - Bill is a silicon valley titan, his name is associated with the likes of Infoblox, Riverbed and Netflix. Currently he's the Director of IT Security and networking at Netflix managing security in a hybrid cloud, traditional IT world, and facing some of the most complicated challenges in today's tough security landscape.

Synopsis To kick off January on the Down the Rabbithole podcast I have Mikko Hypponen, the "malware adventurer" and Chief Resarch Officer from F-Secure Corp and we're talking about the state of malware and 'viruses' digging into the modern threat landscape and maybe digging up a bit of nostalgia from the late 90's. This is a fascinating conversation so I invite you to break out your old boot sector and COM viruses and join us for some interesting discussion! Guest Mikko Hypponen - Chief Research Officer at F-Secure Corp., TED speaker, and self-professed "malware adventurer". He can be found on Twitter at @Mikko

Synopsis This microcast episode was recorded live from hackfest.ca 2012, on location in Quebec. The conference is a phenomenal success for the challenges they face (primarily non-English speaking region, small market, etc) but they've managed to attract a ridiculous amount of people to this conference, awesome speakers, and have one of the best 'War games' scenarios I've ever seen... listen to these two guys talk about how they make this happen. Guests Steven McElrea (@Longferret) - contributed and supporting organizer, key cog in the hackfest.ca wheel! "Martin" - he's responsible for a lot of the design and infrastructure behind the War Games that were conducted here.

Synopsis This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen! Guest Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.

Synopsis LIVE from day 2 of the ISSA International conference 2012, in Anaheim, California I cornered Eric Cowperthwaite after a much-anticipated year-long wait... and we talked about his prediction that in the next 2 years many of the traditional IT employees will be employed as either business-IT resources in the enterprise, or IT-technical resources at an IT outsource or cloud provider... Eric's predictions tend to be right on the money so it'll be interesting if some of the things he advocates in this microcast come true!  Only time will tell. Guest Eric Cowperthwaite - Eric is the Chief Security Officer at Providence Health & Services, and a strong advocate of pragmatic security.  Eric has a long history from Army Recruiter, to outsource services delivery with EDS, to his many years of service to the ISSA and Providence Health & Services.  In addition to being a good friend and colleague, Eric has a snarky sense of humor, and tends to be not afraid of speaking his mind ... and as it turns out h

Syhopsis When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about!  We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at last partially responsible for how long this podcast ended up being.  It's well worth the time, in my opinion, as we cover the following topics: Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment) Jim & David talk about how to do sane SQL Injection protection (bind everything!) David talks about some contrived ways of hacking Oracle databases, that are 'outside the business logic' and explains why validation is still important Jim brings up structural validation of inputs (useful white-listing) David brings up

Synopsis This week we went free-form with two of my favorite InfoSec insiders ...people you probably follow on Twitter but can't quite place.  Here are some of the topics covered this week: The Apple UDID theft - what really happened, why, and what more is there to this story? Information vs. DISinformation...the battle for online trust Speaking of distrust - where do you go post-breach? InfoSec intelligence is a lot harder to do than just reading mailing lists and Twitter, there's a ton to this (scratching the surface) Change management's impact and possible salvation for IT and InfoSec Legacy systems and why they are the ball and chain, and why we can't nuke them The user ... how do we get past just hating on the user in InfoSec? Guests @DarthNull - David is a mobile hacked with Intrepidus Group, and active puzzle-solver extraordinaire @InfoJanitor - He's a long-time InfoSec guy, working for a 'big company' ...and if he told you more than that, well ...you know.

Synopsis Today's podcast discussion is with someone who has one of the toughest jobs in the security world... Patrick helps organizations that generate and deliver the power that runs our gadgets and critical systems that maintain life as we know it.  The power grid is not only surprisingly vulnerable due to it's age-old infrastructure, but also surprisingly resilient due to the complex nature of power distribution and generation... there's just a lot more to it than most people realize. Patrick separates fact from fiction and goes into the pragmatic approach on national electric grid security - where we realize that it's really worse than we believed from a cyber security perspective, but better than we know because as you read this the electric grid is under constant attack, but it's still transmitting clean power. I urge you to listen to this podcast, and then engage Patrick (@PatrickCMiller) or I in discussion...  Guest Patrick C. Miller -  President & CEO of EnergySec Principal Investigator of Na

Synopsis This episode is a mini-episode recorded live from the social media lounge at HP Discover Las Vegas 2012.  It was an incredible show, where I caught up with Marc and Matt - two guys who are really from opposite side of today's deploy vs. secure coin.  Somehow we quickly dove into DevOps and picked up right where my conversation with the incomprable Gene Kim left off in episode 20.  Ironically, we discussed how to deploy faster (sound familiar?) and still get security and quality into the scope of delivery... this isn't a product pitch but it's two HP guys talking about how products impact software quality, security and overall delivery speed. Guests Marc Blackmer  - Senior Solutions Marketing Manager (HP Enterprise Security Products) - Marc is a seasoned veteran of the Information Security industry with experience going back to high technician days in 1998.  Since 2006 Marc has held various technical and engineering roles at ArcSight and has come to learn the SEIM industry better than anyone I know.

Synopsis In this episode we ask the big question of "Can security be a part of the 'build/deploy faster!' culture?"  We discuss the need to separate out high/low risk code, understanding how to deploy dormant components of the applications, proper testing strategies and branching/merging in a world where faster isn't just an ask, it's a need to stay competitive. A huge thank you to all my guests for their time and expert insight.  The combined talent and experience of my 3 guests is something you should absolutely take a listen to, as these gentlemen really know what they're talking about - whether it's Information/Application Security, or DevOps ... this is a discussion that bridges both with expert precision. Guests Nick Galbreath - Nick's Linked-In profile says he's been at 5 early to very early startups, all sold, IPO'd or huge - all dealing with massive scaling in load and large data sets.  FaceBook now owns a half-dozen of his patents on social graphs, and Google is using some of his code in Chrome!  O

Synopsis This episode was recorded in June '12, live from the show floor at HP Discover Las Vegas, 2012 and the talk of the town was once again DevOps.  Gene and I have had 2 prior conversations on the topic, but we're once again tackling the impact of DevOps on the IT and security relationship and overall business value.  We tip our hats to several people including Josh Corman (Rugged DevOps), David Mortman, James Wickett, Nick Galbreath and Mr. Daniel Blander for their prior contributions and supporting work on the topic.  Gene talks about some of the mechanisms we have available to us to bridge that IT Security-to-developer-to-operations gap that's holding us back from true business value.  Fun fact- studies have found that when you wake up a developer at 2am to solve an issue, problem resolution times plummet! Enjoy the podcast, and go grab Gene's books when they're available... comments are welcome! Guest Gene Kim - Gene is finishing up the third and fourth books, "When IT Fails: The Novel" and "The Dev