

Down the Security Rabbithole Podcast (DtSR)
Rafal (Wh1t3Rabbit) Los
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Episodes

Feb 2, 2016 • 53min
DtSR Episode 179 - NewsCast for Feb 2nd 2016
In this episode:
Employees may face penalties if they misinterpret security policies?
- Human behavior still seen as the biggest weakness
- Employers are growing less tolerant of misbehaving employees
- If you "invite a data breach" you could be held liable
http://www.welivesecurity.com/2016/01/14/employees-face-penalties-misinterpreting-security-policies/
New lawsuit filed blaming Twitter for ISIS attack
- Should social media filter content from terror groups like ISIS?
- Can social media companies be held liable, why or why not?
http://blogs.wsj.com/digits/2016/01/14/lawsuit-blames-twitter-for-isis-terrorist-attack/
SCADA/ICS make incident response more complicated
- Typical IR activities are complicated by the nature of ICS systems
- Differences are there, but strategy still possible
- What is the path forward?
http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094
Only in NYC: Dept of Consumer Affairs warns parents of baby monitor hacks
- These issues seem to come down to default passwords
- What can the general population do about this?
- How can we eliminate this behavior in consumer products?
http://www.nbcnews.com/tech/security/hack-alert-nyc-regulators-warn-parents-secure-their-baby-monitors-n505391
Support the show >>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Jan 26, 2016 • 56min
DtSR Episode 178 - What Will Get Us There
In this episode:
- What got us here - so where are we?
- Where do we go, and how? (addressing stunt hacking)
- We discuss how we can influence outcomes, without hand waving and endangering lives
- What about truly understanding risk, versus 'security stuff'?
- Michael breaks out the "risk catnip"
- Raf asks Haroon - "What are the 2-3 things security does right now, that we should just quit?"
- We discuss some of the breakers that are turning into builders, and implications
- With the rate of bad vastly outpacing the rate of good - what's the solution?
Guest
Haroon Meer ( @haroonmeer ) - Haroon is an internationally acclaimed long-time industry insider and is working hard to change the "how we've always done it" dynamics. His talk "What got us here, won't get us there" is now world famous. He works over at Thinkst and does some pretty amazing things you should check out.

Jan 19, 2016 • 52min
DtSR Episode 177 - NewsCast for January 19th, 2016
In this episode:
FTC imposes a $250,000 fine for "false advertising" of encryption
- Interesting case, where there really was 'false advertising'
- Would this even have been a 'security issue'?
https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
NY wants to ban encrypted smart phone sales
- Another clear case of legislators being clueless?
- What about all the existing technology, and kit you can buy across state lines?
http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/
Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work
- Are there ethical implications here of a competitor defining negligence?
- Burden of proof is on casino to prove "woefully inadequate" - but against what standard?
- Does this ultimately raise quality, price or both for IR services?
http://thehackernews.com/2016/01/casino-hacker.html
The FDA issues draft guidance on security guidelines
- If everyone is doing it, why not the FDA?
- As James points out, why does every industry need their own unique (exactly the same issues as everyone else) guidelines?
- Interesting mention of "full lifecycle" and disclosure of vulnerabilities
- Of course it's all non-enforceable
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
OpenSSH bug found, fixed
- OpenSSH bug creates a "malicious server" scenario
- User has to successfully authenticate first, then server can read/steal memory
- Can be used to compromise SSH private key from host
- Great pivot method if you've compromised an SSH server w/this bug, to compromise the users of the server
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/

Jan 13, 2016 • 1h 17min
DtSR Episode 176 - 2015 InfoSec Legal Review
We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK a lot long) but I think you'll enjoy the show...
In this episode...
Most important cybersecurity-related legal developments of 2015
- Tectonic shift that occurred with "standing" in consumer data breach claims
- Discussion of law prior to Neiman Marcus case, and post Neiman Marcus
- Does this now apply to all consumer data breach cases?
- Immediate impact? Companies now liable?
- Lesson is in seeing the trend and how incrementalism works
Regulatory Trends
- FTC & SEC gave hints in 2014, post-emergence of Target details
- Wyndham challenged authority - came to fruition in August 2015
- SEC not far behind - significant case in September 2015
- Aggressiveness of FTC is substantial - FTC v. LabMD ... all over LimeWire
Officer & Director Liability
- 2014 - SEC Comm. fired the warning shot ... pointed the finger
- Shareholder derivative litigation
- Individual liability of IT / Compliance / Privacy "officers"
Major 2016 Legal Trends
- Regulatory enforcement ... which, by the way, is why NIST is becoming default
- Shareholder Derivative - much more likely than consumer class actions at this time
- Lessons from both of these: when you need to persuade the "money folks" that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals ... now they're in the cross-hairs
- Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Jan 5, 2016 • 53min
DtSR Episode 175 - NewsCast for January 5th 2016
In this episode...
Juniper has a backdoor problem
- 2 separate issues, auth bypass & VPN weakness
- backdoor discovered in Juniper devices
- lots of speculation on who put it there, but it was meant to be disguised as 'debug code'
- enterprise implications - same as before (what's the bigger picture?)
https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/
Iranians broke into New York dam in 2013 and "had a look around"
- no direct damage done
- US has largest number of ICS connected to Internet
- critical infrastructure is vulnerable, being probed
- this is not a 'government problem' - every company has some ICS on their network
http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/
Facebook announced it's dumping Adobe Flash
- is this a bigger deal than it sounds like
- HTML5 has its own vulnerabilities and issues though... right?
- *only* for videos, games still in Flash
- Facebook will work with Adobe (really?) to improve security of Flash
http://www.scmagazine.com/facebook-ditches-flash-videos-to-boost-security/article/461040/
191 Million US voter records found 'unprotected' by a researcher
- guy from Texas found the data on an unprotected database
- "Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is requ

Dec 28, 2015 • 36min
DtSR Episode 174 - Health Check on Healthcare InfoSec
In this episode...
- We discuss what in the world is going on in the healthcare space, and why they're such a target for attackers
- Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying
- We discuss future-proofing "smart" healthcare
- I stumble on "the fundamentals"
- Dustin discusses the security of "data analytics" in the healthcare space
- I ask how we can make health care professionals better security people, without making them security people
- I ask Dustin what the healthcare industry should be doing, going forward into 2016
Guest
"Dustin" is a progressive CISO at a Fortune 250 Healthcare organization

Dec 14, 2015 • 53min
DtSR Episode 173 - NewsCast for December 14th 2015
In this episode...
Vizio is getting sued, over data their TVs collect?
- James provided security tips on the local news station and one of those tips was around the privacy details of your gadgets
- Companies need to be considering what they are doing with their data
- At what point does data go from an asset to a liability?
- Do companies understand the difference?
http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing
Wyndham settles (caves to) the FTC
- Agrees to legally be bound to do things they should already be doing .. ?
- 20 years of audits
- Interesting ending to the long saga, assuming the courts approve
https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
The US Federal Bureau of Investigation (FBI) admits to using 0day vulnerabilities
- Why is anyone surprised?
- Goes to a question of trust, and that's it.
- Are these being found anyway through programs like bug bounties?
http://searchsecurity.techtarget.com/news/4500260464/FBI-admits-to-using-zero-day-exploits-not-disclosing-them
Google introduces DLP into Google Apps
- So far it's just for their Unlimited customers
- Are we reaching a tipping point where security becomes a feature and not a stand-alone discipline?
- Definitely a game-changer
- Basic patterns and detection built-in FREE
http://techcrunch.com/2015/12/09/new-google-apps-feature-helps-businesses-keep-sensitive-information-out-of-emails/
Black boxes on ships can be hacked
- Could be worse, someone could be claiming to make the boat float sideways?
- Is this a big deal, probably; is it a bigger deal than other things wrong?
- Who is exploiting this, and how do the good guys fix the problem?
http://arstechnica.

Dec 7, 2015 • 45min
DtSR Episode 172 - The Truth on Cyber Insurance
Thanks for joining us! This is a very important episode with true experts on the topic of cyber insurance. I was lucky enough to get an attorney and a VP of an insurance firm who specialize in the topic, and their depth of knowledge and candor may shock you. The net is that cyber insurance is a positive for our industry.
In this episode...
- Eran says that if you don't do good security, the courts will frown down upon that
- Keith tells us why insurance covers security, but it does not cover negligence
- We start back on the discussion on the importance of knowing your critical assets
- Keith discusses why the insurance market is essentially a mirror of your program
- Eran talks about how his team dissects and investigates breaches to improve understanding
- Keith and Eran discuss how the process of buying cyber insurance can actually lead to improved security
Guests
Eran Kahana ( https://www.linkedin.com/in/erankahana ) - Attorney, Maslon, LLP, with extensive data security experience and an expert in the cyber insurance marketplace.
L. Keith Burkhardt ( https://www.linkedin.com/in/keith-burkhardt-587b3772 ) - VP, Kraus-Anderson Insurance, where he works towards innovative products and services for the industry and has been addressing the cyber insurance market for about two years.

Nov 30, 2015 • 56min
DtSR Episode 171 - When the FTC Attacks
In this episode
I interview Mike Daugherty - author of The Devil Inside the Beltway [Amazon.com link] - live from the Security Advisor Alliance first-ever Summit in Dallas, TX. Mike was kind enough to sit down with me (twice, thanks to a tech failure) and tell his absolutely surreal story of what happened to him and his company at the hands of what can only be described as an insane situation.
If you own a business, or manage a business, or work in enterprise -- you need to hear Mike's story. If it wasn't documented and video recorded, you'd never believe it's true.
Truth be told, I've been a supporter of the FTC as an advocate for the victims of breaches - the person whose information is stolen. After hearing Mike's story... I have had my mind completely changed.

Nov 23, 2015 • 44min
DtSR Episode 170 - Minneapolis CISO Summit Roundtable 1
In this episode
- We start a constructive discussion addressing the problem of the 'talent shortage'
- The panel discusses the general lack of understanding of the big picture challenge from both sides: business and security
- The panel discusses basic security issues in an expanding ecosystem of Internet connected things
- The panel discusses some real potential solutions to our talent issue
Guests
Bryce Austin ( @BryceA )
Holly Miller ( @OPSEC_Girl )
Jeff Man ( @MrJeffMan )
Mike Kearn ( @MichaelKearn )