
Down the Security Rabbithole Podcast (DtSR)
This is cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Latest episodes

Apr 26, 2016 • 36min
DtSR Episode 191 - NewsCast for April 26th 2016
In this episode...
- Only about a third of companies know how many vendors access their systems
  - nearly every company is at risk for a third party breach
  - it's almost impossible to vet every third party
  - developing a strategy and being consistent, scaling is key
  - http://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html
- No firewall, second-hand $10 routers are to blame for Bangladesh bank heist
  - we talked about this initially in episode 185 (Link: DtSR Episode 185 - NewsCast for March 15th 2016)
  - it's almost unfathomable that this happened
  - SWIFT attacked, now the suspected malware is identified
- Jim McKelvey's Launchcode is helping unconventional tech talent
  - internal mentorships could be the key
  - who out there is doing this? Talk back to us using hashtag #DtSR on Twitter
- The Simpsons' math secret is the key to better security ...?
  - http://www.csoonline.com/article/3054566/leadership-management/the-simpsons-math-secret-is-the-key-to-better-security.html

Support the show >>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Apr 20, 2016 • 45min
DtSR Episode 190 - Interview with Lance James
In this episode, James, Michael and I are live from InfoSec World 2016 and we get the pleasure of interviewing Lance James fresh off the keynote stage. In this intimate, fast-paced and bold interview we talk through some of the challenges InfoSec is facing today, and where Lance believes we should be going. If you haven't been to InfoSec World, we highly recommend going next year. The content team continues to provide a solid mix of technical, managerial and transitioning information security speakers. Make sure you have this one on your calendar for next year, and bring the family!

Apr 12, 2016 • 50min
DtSR Episode 189 - NewsCast for April 12th 2016
In this episode...
- Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects
  - plug-ins seem to be a universal weakness
  - many companies have this type of 3rd party security issue
  - the broader enterprise implications - how do you find these sites?
  - http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/
- WordPress pushes free HTTPS encryption for all hosted sites
  - what's the problem we're trying to solve?
  - 2 separate issues, trust vs. authentication - know which you're solving
  - http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites
- If you can't break crypto, break the client
  - Bishop Fox researcher finds WebKit bug in iMessage
  - JavaScript in iMessage, sure, why not
  - Same-Origin Policy (SOP) not enforced since it's a desktop app
  - http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
- Executives - "We're not responsible for cyber security"
  - Raf: This is squarely the fault of security professionals failing to make the security discussion a part of the enterprise vernacular
  - Michael & James: What does this mean, and what do we do now? If anything.
  - http://www.cnbc.com/2016/04/01/many-executives-say-theyre-not-responsible-for-cybersecurity-survey.html

Apr 5, 2016 • 49min
DtSR Episode 188 - Security Talent Truths
Intro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos

Mar 29, 2016 • 40min
DtSR Episode 187 - NewsCast for March 29th, 2016
In this episode...
- BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there
  - is the bug really worth all this hype?
  - is this anything more than a PR stunt, and a big marketing opportunity?
  - everyone has an opinion, but one thing is for certain: this bug is making big waves
  - http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/
- Your wireless mouse is probably a security risk... seriously.
  - RF-based mice typically don't use encryption or mutual authentication
  - some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think)
  - how far up, or down, your risk register is this one; and how much should it matter to enterprise?
  - http://www.thefiscaltimes.com/2016/03/23/Your-Wireless-Mouse-May-Be-Exposing-You-Cyber-Hackers
- Your Node.js package manager could be an entry point for worms?
  - now that everything has functionality over our endpoints...
  - dependencies seem to be (at least partially) to blame here (who's surprised?)
  - http://news.softpedia.com/news/node-js-package-manager-vulnerable-to-malicious-worm-packages-502216.shtml
- Ransomware is getting nastier (and more effective)
  - remember it's just a business model, so they actually are pretty good at unlocking, support, etc. once you pay up
  - what happens when a hospital system gets locked/encrypted -- real lives are at stake here!
  - enterprise advice? Backup, test, and take it all offline regularly so you can recover
  - this is only going to get worse. Much, much worse.
  - http://www.itsecurityplanet.com/experts-corner/hospital-hit-with-ransomware-contagion-declares-internal-emergency
  - http://www.healthitoutcomes.com/doc/backup-recovery-system-control-ransomware-attack-0001
  - http://www.healthcareitnews.com/news/ransomware-wreak-havoc-2016-icit-study-says

Mar 22, 2016 • 42min
DtSR Episode 186 - Becoming a CISO
In this episode I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a midwest retail company:
- Let's talk a little bit about the background you had before walking into your first day as a CISO...
- How long have you been in your role, and what do you think "so far"?
- What do you think were the biggest lessons you've learned in your time as a new CISO?
- What do you make of all the talk about CISO burn-out rates, and the average tenure of a CISO being less than 2 years?
- What do you see as the role of the CISO in today's business climate?
- How do you work with other IT leadership, and executive leadership to make your mark and do your job?
- From your experience, what do you think someone who is taking a new CISO role, or thinking about doing so, should know?

Mar 21, 2016 • 42min
DtSR Episode 185 - NewsCast for March 15th 2016
In this episode...
- The FTC is getting into providing guidance on password changes
  - well OK, this isn't really guidance, it's just a blog
  - but - does this mean that the FTC is getting into technical guidance?
  - https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
- Dwolla hit by CFPB and fined $100,000
  - who is the CFPB (Consumer Finance Protection Bureau)?
  - this opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive acts and practices relating to false representations regarding Respondent's data-security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 (CFPA), 12 U.S.C. §§ 5531(a), 5536(a)(1)"
  - http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf
  - http://blog.dwolla.com/we-are-never-done/
- FTC to study credit card industry data security auditing
  - the FTC is asking for specific information from a specific number of companies (9 of them in total)
  - studying "how companies and their assessors interact" - is that code for something?
  - interesting to see what the FTC will do with this?
  - https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing
- Bangladesh bank hackers steal ~$100M
  - there is definitely more to this story
  - lots of finger-pointing, failed/unknown processes in SWIFT clearinghouse
  - was this account compromise? System compromise? An insider threat? All of the above?
  - http://www.bankinfosecurity.com/bangladesh-bank-hackers-steal-100-million-a-8958

Mar 16, 2016 • 42min
DtSR Episode 184 - A CISO Post-RSA WrapUp
In this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies who were both out at RSA Conf. They share with us some of their insights and lessons learned, and discuss some of the more interesting topics. Join James and I for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't) this is one you're going to want to listen to at least once.

Mar 1, 2016 • 41min
DtSR Episode 183 - NewsCast for March 1st 2016
This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed.
- 300,000 homes affected by security alarm bug
  - http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3
  - according to a spokesperson, the alarm still alerts users' smart device when the alarm is armed or disarmed
  - device is an alerting mechanism, not a lock
  - technically, we'd consider this… wait for it… a 'detective' control
  - appears to only intercept when the PIN is entered into the device... does this affect anything if the user arms/disarms via their device?
- 82 percent of company boards are concerned about security
  - http://betanews.com/2016/02/29/82-percent-of-company-boards-are-concerned-about-cyber-security/
  - suggests that since CISOs don't report to the CEO/Board, the companies aren't serious. Ridiculous. This is myopic… Boards care. Executives care.
  - in security - are you perceived as a leader? Or a technical resource? This is an opportunity.
- See something suspicious online, Homeland Security wants to know about it
  - http://m.nextgov.com/cybersecurity/2016/02/homeland-security-wants-see-something-say-something-campaign-internet/126008/
  - we think this is rather unintelligent. That said, it's the sign of the only part of an 'awareness' program that counts: people are comfortable reporting something that seems amiss
  - what's amiss? And that's what's missing. We pretend it works at airports and in big cities. Does it? And what, exactly, are people reporting? And why? What's the experience?

Feb 23, 2016 • 55min
DtSR Episode 182 - Apple Versus the FBI
In this episode...
- Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs. FBI debate
- Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case
- Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective
- We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share! Don't forget, #DtSR on Twitter!