Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Apr 12, 2016 • 50min

DtSR Episode 189 - NewsCast for April 12th 2016

In this episode...

Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects
- Plug-ins seem to be a universal weakness
- Many companies have this type of 3rd-party security issue
- The broader enterprise implications - how do you find these sites?
- http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/

WordPress pushes free HTTPS encryption for all hosted sites
- What's the problem we're trying to solve?
- 2 separate issues, trust vs. authentication - know which you're solving
- http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites

If you can't break crypto, break the client
- Bishop Fox researcher finds WebKit bug in iMessage
- JavaScript in iMessage, sure, why not
- Same-Origin Policy (SOP) not enforced since it's a desktop app
- http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/

Executives - "We're not responsible for cyber security"
- Raf: This is squarely the fault of security professionals failing to make the security discussion a part of the enterprise vernacular
- Michael & James: What does this mean, and what do we do now? If anything.
- http://www.cnbc.com/2016/04/01/many-executives-say-theyre-not-responsible-for-cybersecurity-survey.html

Support the show
>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Apr 5, 2016 • 49min

DtSR Episode 188 - Security Talent Truths

Intro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos
Mar 29, 2016 • 40min

DtSR Episode 187 - NewsCast for March 29th, 2016

In this episode...

BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there
- Is the bug really worth all this hype?
- Is this anything more than a PR stunt, and a big marketing opportunity?
- Everyone has an opinion, but one thing is for certain, this bug is making big waves
- http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/

Your wireless mouse is probably a security risk... seriously.
- RF-based mice typically don't use encryption or mutual authentication
- Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think)
- How far up, or down, your risk register is this one; and how much should it matter to enterprise?
- http://www.thefiscaltimes.com/2016/03/23/Your-Wireless-Mouse-May-Be-Exposing-You-Cyber-Hackers

Your Node.js package manager could be an entry point for worms?
- Now that everything has functionality over our endpoints...
- Dependencies seem to be (at least partially) to blame here (who's surprised?)
- http://news.softpedia.com/news/node-js-package-manager-vulnerable-to-malicious-worm-packages-502216.shtml

Ransomware is getting nastier (and more effective)
- Remember it's just a business model, so they actually are pretty good at unlocking, support, etc. once you pay up
- What happens when a hospital system gets locked/encrypted -- real lives are at stake here!
- Enterprise advice? Backup, test, and take it all offline regularly so you can recover
- This is only going to get worse. Much, much worse.
- http://www.itsecurityplanet.com/experts-corner/hospital-hit-with-ransomware-contagion-declares-internal-emergency
- http://www.healthitoutcomes.com/doc/backup-recovery-system-control-ransomware-attack-0001
- http://www.healthcareitnews.com/news/ransomware-wreak-havoc-2016-icit-study-says
Mar 22, 2016 • 42min

DtSR Episode 186 - Becoming a CISO

In this episode I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a Midwest retail company:
- Let's talk a little bit about the background you had before walking into your first day as a CISO...
- How long have you been in your role, and what do you think "so far"?
- What do you think were the biggest lessons you've learned in your time as a new CISO?
- What do you make of all the talk about CISO burn-out rates, and the average tenure of a CISO being less than 2 years?
- What do you see as the role of the CISO in today's business climate?
- How do you work with other IT leadership, and executive leadership to make your mark and do your job?
- From your experience, what do you think someone who is taking a new CISO role, or thinking about doing so, should know?
Mar 21, 2016 • 42min

DtSR Episode 185 - NewsCast for March 15th 2016

In this episode...

The FTC is getting into providing guidance on password changes
- Well OK, this isn't really guidance, it's just a blog
- But - does this mean that the FTC is getting into technical guidance?
- https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

Dwolla hit by CFPB and fined $100,000
- Who is the CFPB (Consumer Financial Protection Bureau)?
- This opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive acts and practices relating to false representations regarding Respondent's data-security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 (CFPA), 12 U.S.C. §§ 5531(a), 5536(a)(1)"
- http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf
- http://blog.dwolla.com/we-are-never-done/

FTC to study credit card industry data security auditing
- The FTC is asking for specific information from a specific number of companies (9 of them in total)
- Studying "how companies and their assessors interact" - is that code for something?
- Interesting to see what the FTC will do with this
- https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing

Bangladesh bank hackers steal ~$100M
- There is definitely more to this story
- Lots of finger-pointing, failed/unknown processes in SWIFT clearinghouse
- Was this account compromise? System compromise? An insider threat? All of the above?
- http://www.bankinfosecurity.com/bangladesh-bank-hackers-steal-100-million-a-8958
Mar 16, 2016 • 42min

DtSR Episode 184 - A CISO Post-RSA WrapUp

In this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies, who were both out at RSA Conf and share with us some of their insights and lessons learned, and discuss some of the more interesting topics. Join James and me for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't), this is one you're going to want to listen to at least once.
Mar 1, 2016 • 41min

DtSR Episode 183 - NewsCast for March 1st 2016

This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed.

300,000 homes affected by security alarm bug
- http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3
- According to a spokesperson, the alarm still alerts users' smart device when the alarm is armed or disarmed.
- Device is an alerting mechanism, not a lock
- Technically, we’d consider this… wait for it… a ‘detective’ control.
- Appears to only intercept when the PIN is entered into the device... does this affect things if the user arms/disarms via their device?

82 percent of company boards are concerned about security
- http://betanews.com/2016/02/29/82-percent-of-company-boards-are-concerned-about-cyber-security/
- Suggests that since CISOs don’t report to the CEO/Board, the companies aren’t serious. Ridiculous. This is myopic… Boards care. Executives care.
- In security - are you perceived as a leader? Or a technical resource?
- This is an opportunity.

See something suspicious online, Homeland Security wants to know about it
- http://m.nextgov.com/cybersecurity/2016/02/homeland-security-wants-see-something-say-something-campaign-internet/126008/
- We think this is rather unintelligent. That said, it’s the sign of the only part of an ‘awareness’ program that counts: people are comfortable reporting something that seems amiss
- What’s amiss? And that’s what’s missing. We pretend it works at airports and in big cities. Does it? And what, exactly, are people reporting? And why? What’s the experience?
Feb 23, 2016 • 55min

DtSR Episode 182 - Apple Versus the FBI

In this episode...
- Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs FBI debate
- Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case
- Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective
- We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share! Don't forget, #DtSR on Twitter!
Feb 16, 2016 • 49min

DtSR Episode 181 - NewsCast for Feb 16 2016

In this episode...

Class action lawsuit against SuperValu dismissed
- No damage (use of stolen information) so there's no case?
- As time passes, risk of use of stolen data, according to judge, decreases
- The precedent appears to be that in order to sue, you have to prove damage (imagine that?)
- http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed

Neiman Marcus - breached again (with another lesson this time)
- http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843
- So is it official, not having MFA is weak authentication?
- Is someone accessing accounts through the web interface with stolen passwords a “breach”?
- Encryption would have done nothing to save any of this information as it was accessed through the interface.
- Did they have account lockout? What's the rest of the story here?

Hacker steals and releases information on 30,000 FBI and DHS employees
- The biggest weakness is always the human who wants to be helpful
- What does this mean for the enterprise, when gov falls victim?
- http://dailycaller.com/2016/02/10/having-trouble-hacking-government-agencies-just-call-their-help-desks/

Hacked toy company tries a different tactic
- VTech gets hacked, changes TOS
- New TOS is "we'll be hacked, too bad so sad" is what it amounts to
- Is this realistic? Should this be the new standard?
- http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks
Feb 9, 2016 • 43min

DtSR Episode 180 - From the CISO Perspective

In this episode...
- Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now
- Robb, Andrew and Raf discuss the importance of identity in the corporate environment
- Robb and Andrew give some of their wisdom for the successes and failures of CISOs (and the broader security industry)
- We discuss the technical vs executive CISO approach (which is better?)
- Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them

Guests

Robb Reck (@RobbReck) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver with a long history as a successful security executive and leader.

Andrew Labbo - Drew is the CISO at Denver Health and Hospital Authority and is the owner and principal of RMHG, which offers HIPAA consulting and HIPAA advisory services. Drew has over 15 years’ experience with information security and technology and over 10 years’ experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Security Rule regulations as well as HITECH and Omnibus regulatory updates. Drew’s recommendations are guided by his education in health administration and experience and leadership integrating privacy and security controls with health information technology infrastructure and applications, as well as treatment, payment, operations, and human subjects research workflows and processes.
