
Down the Security Rabbithole Podcast (DtSR)

Latest episodes

Sep 20, 2016 • 51min

DtSR Episode 212 - Insider Threat Primer

In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party. Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning. Listen in, comment and share with your colleagues! Our show is always safe for the office and educational.

Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Sep 15, 2016 • 48min

DtSR Episode 211 - NewsCast for Sept 13th 2016

- Chrome to label more sites as insecure in 2017
  Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
  - Focus on sites that transmit passwords or credit card info over HTTP
- A USB Device is all it takes to steal credentials from locked PCs
  Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html
  - This is actually pretty interesting, but a little trickier than it sounds
  - Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors
- DHS chief: 'Very difficult' for hackers to skew vote
  Link: http://thehill.com/policy/national-security/294956-homeland-head-very-difficult-for-hackers-to-skew-vote
  - Instead of dismissing the claim, let’s explore the merits
  - Then let’s consider what, if anything, it means for enterprise security
  - “It would be very difficult through any sort of cyber intrusion to alter the ballot count, simply because it is so decentralized and so vast,” he said, noting the series of state, local and county systems involved in running elections. “It would be very difficult to alter the count.”
  - Decentralized and vast - the merits
  - How many companies make the systems - so is it as decentralized as we’d like?
  - How much of what you do in the enterprise is decentralized?
  - What are your points of failure - or the easy pathways to attack?
  - If someone did alter the vote… would we know? How would we know?
  - What’s the impact of appearing to alter the vote?
  - Depending on your organization… how would you h

Sep 7, 2016 • 52min

DtSR Episode 210 - Data Protection Primer

In this episode James and I invite Vlad Klasnja from Optiv's Office of the CISO, and Hudson Harris, Chief Privacy Officer at HarrisLOGIC, to talk about data protection. From defining the concept to providing some insight into how we can actually protect confidential information - we talk through a lot of complex issues in this segment. Join us!

Guests:
- Hudson Harris - Chief Privacy Officer at HarrisLOGIC
- Vlad Klasnja - Data Protection and Privacy Manager at Optiv

Aug 30, 2016 • 60min

DtSR Episode 209 - NewsCast for August 29th 2016

NewsCast for Tuesday August 30th, 2016

- Clinic Won’t pay breach protection for victims
  http://www.zdnet.com/article/clinic-wont-pay-breach-protection-for-victims-ceo-says-it-would-be-death-of-company/
  - Are companies required to pay for credit protection? It is common, but is it required?
  - Can a class action suit succeed to force it?
  - Will that matter if they just declare bankruptcy?
  - If not... what is the purpose of filing the suit?
- California Bill would add security standards to data breach law
  https://bol.bna.com/california-bill-would-add-security-standards-to-data-breach-law/
  - But what is reasonable… it can’t just be what a reasonable company would implement.
  - Bill Text - https://legiscan.com/CA/text/AB83/2015
  - Is this going too far? Is it too broad? Is it enforceable?
- St. Jude stock shorted on heart device hacking fears
  http://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV
  - We were trying to build a relationship between testers and organizations... This is a step backwards for building that trust.
- A Temperature-check on the state of application security
  http://www.darkreading.com/application-security/a-temperature-check-on-the-state-of-application-security/d/d-id/1326727
  - Where should appsec budget be? With responsibility being in the application teams, should much of it be ther

Aug 23, 2016 • 42min

DtSR Episode 208 - Beyond the Ransomware Economy

This week Michael and I chat with Jamison Utter of Infoblox on one of the more interesting topics at hand - the economy of ransomware. We talk through the sudden popularity of the attack vector, the way the underground "criminal enterprise" has scaled and grown, and the future of being a bad guy. If you have occasion to talk to your organization's leadership on the ransomware epidemic, you need to listen to this podcast first.

Aug 18, 2016 • 48min

DtSR Episode 207 - NewsCast for August 16th 2016

Quick note from Michael about the Straight Talk Framework & Program --> Get your free copy at https://securitycatalyst.com/straight-talk-framework/
- Launched a new program last week… boy, did I learn a lot. Mostly, it’s my failure to explain. I’m going to chronicle some of the lessons over the next few days and share them.
- If you’ve already downloaded the questions - I’d love to chat with you about your experience… If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit.
- Until Monday, August 22nd, chance to get on board early and benefit yourself; I’ve got a lot to share this week and into the future. We’re at the start of something big!

- Microsoft Accidentally Leaks 'Golden Keys' That Unlock Secure Boot-Protected Windows Devices: Oops?
  http://www.techtimes.com/articles/173282/20160811/microsoft-accidentally-leaks-golden-keys-that-unlock-secure-boot-protected-windows-devices-oops.htm
  - Bottom line: backdoors are always discovered, compromised
  - Another takeaway: key management… sounds easy, is rarely so. If you have the need to manage keys in your enterprise, don't try to do this yourself
- The Future Of ATM Hacking
  http://www.darkreading.com/endpoint/the-future-of-atm-hacking/d/d-id/1326549
  - We didn’t have a problem, but we went ahead with the solution. Looking back on it, imagine some straight talk on this fiasco?
  - Yes, I realize some of you like the elegance of chip + pin; do you like the UX? Because it sucks. And if you lament the mag stripe, does that mean you stopped using a terrestrial radio, too?
  - Our need as leaders - in the enterprise and across the industry - is to focus limited energy and assets on the areas that create the most value
- Apple will reward hackers with "bug bounty" to find flaws

Aug 10, 2016 • 1h 1min

DtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and Security

In this episode we chat with Steve Christey Coley, currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us:
- Steve on Twitter: @SushiDude
- Hashtag for the show: #DtSR

Steve's Bio (from LinkedIn - https://www.linkedin.com/in/steve-christey-coley-66aa1826): Editor / Technical Lead for the Common Vulnerabilities and Exposures (CVE) project; Technical Lead for the Common Weakness Enumeration (CWE); co-author of the "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002; participant in Common Vulnerability Scoring System (CVSS) and NIST's Static Analysis Tool Exposition (SATE). My primary interests include secure software development and testing, understanding the strengths and limitations of automated code analysis tools, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Specialties: Vulnerability research, vulnerability management, software security.

Aug 6, 2016 • 43min

DtSR Episode 205 - NewsCast for August 2nd 2016

Quick note from Michael about the Straight Talk Framework --> I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way!
- To support both the framework and the programs, I’ve just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video
- I’m about to launch an online offering… stay tuned for details

- $2.7 Million HIPAA Penalty For Two Smaller Breaches
  http://www.healthcareinfosecurity.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270?rf=2016-07-18-eh&mkt_tok=eyJpIjoiWW1GaE5ERmtNR05oTldRMiIsInQiOiJ5YWd6dDg4cW84TXVCR0NCVkJ0KytQTnVwOHQ2UHBON0FMeWVZRDVleE82d3Zpdyt2S1RwNWFmZEs0aVRyQ3lMTlk3YWdaa0VmbnV4djVIOVVxczFUYkdsTHBKRGpld3h5bXU3aHRoNnhUaz0ifQ%3D%3D
  - Interesting, the info about the use of Google and lack of contract.
  - How many other health companies are using Google or Microsoft to store some data? Do they have the contracts in place?
- Is the GOP seriously considering endorsing vigilante hacking?!
  http://www.inforisktoday.com/blogs/gop-platform-suggests-hack-back-suitable-cyber-defense-p-2186
  - The wording here is dangerous, and could encourage vigilante justice
  - So much could go wrong here, so much collateral damage
  - You’ll likely hear a re-start of the hack back debate
  - What if we just called it “forward looking research in a kinetic state?”
- NIST declares the age of SMS based 2-factor authentication over

Jul 26, 2016 • 44min

DtSR Episode 204 - On Changing Culture

This week, Chris Romeo joins Michael, James and I to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term.

Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012. Chris has twenty years of experience in security, holding positions in application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications, and is a frequent conference speaker at RSA and AppSec.

Jul 19, 2016 • 52min

DtSR Episode 203 - NewsCast for July 19th 2016

- Ransomware that's 100% pure JavaScript? Sort of...
  https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/
  - Slightly misleading article
  - Generally a Windows-based attack (go where the users are)
- Researchers have come up with a 'cure' for ransomware
  http://www.scmagazineuk.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509147/
  - Based on some interesting things like file-type changes, similarity measurements and entropy
  - Interesting but not perfect... do we even think perfect is reachable?
  - Average of 10 files before an identification was made
- The government has officially issued a 'fact sheet' on ransomware
  http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  - Yes, it's a reportable breach
  - Lots of interesting misconceptions (or half-truths) in this guidance
  - Good for them for asking us to 'do better' but it's not enough
  - Go read for yourself!
- Pokemon Go! - a neat idea with big issues potentially
  http://abcnews.go.com/Business/hit-app-pokemon-raises-security-concerns-google-account/story?id=40524454
  - First there are the privacy and security implications
  - Then there is the app that wants every permission known to man
  - Physical security and well-being issues?
- FDIC hacked but covered it up, didn't report
  http://thehill.com/policy/cybersecurity/287561-chinese-government-likely-hacked-fdic-report
  - Perfect example of "the cobbler's children have no shoes"
  - The FDIC is consistently terrible, and does little to close the gaps
  - Obviously, it was China
- The Fiat/Chrysler bug bounty program
  https://www.wired.com/2016/07/chrysler-launches-detroits-first-bug-bounty-hackers/
  - They will only pay you $1,500
  - Lots of uproar about how the pay-out isn't enough, but there is so much more here
  - Lots to unpack, including issues with complexity on the enterprise side
