
Down the Security Rabbithole Podcast (DtSR)
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Latest episodes

Sep 21, 2015 • 44min
DtSR Episode 161 - NewsCast for Sept 21st, 2015
On this episode of the NewsCast
Intel forms new Automotive Security Research Board (ASRB) to focus on security of their automotive platform
http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/13/intel-commits-to-mitigating-automotive-cybersecurity-risks
  Good security as a competitive advantage?
  Interesting development in the effort to secure cars as a technology platform
Appeals court forces the issue of 'fair use' in DMCA case
http://www.engadget.com/2015/09/14/appeals-court-copyright-holders-must-consider-fair-use-before/
  Interesting development in the case against Universal Music Group's malicious prosecution and nonsense take-down orders
Bitpay sues their insurance company after giving away $1.8M
http://www.coindesk.com/bitpay-sues-insurer-after-losing-1-8-million-in-phishing-attack/
  Interesting argument in court - indirect loss
  Company exec got phished for credentials
  Execs fall for "transfer large quantity of money" scam
  Follow this case!
China making demands of US tech companies
http://www.engadget.com/2015/09/17/china-us-tech-companies-security-policies/
  This has happened before...
  US companies found ways around this once
  Essentially it appears as though China is asking for 'backdoors' and secret access to source code, etc. in order to do business in China
  Talk about anti-competitive!
The Kardashian train wreck exposes fans' information due to web flaw
http://techcrunch.com/2015/09/16/kardashian-website-security-issue-exposes-names-emails-of-over-half-a-million-subscribers-payment-info-safe/#.gofm76:EZbS
  Some 'developer' wanted to see how the site worked, poked around and found an interesting flaw and posed it to the owners
  ~500,000 subscribers' info exposed
Support the show
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Sep 14, 2015 • 36min
DtSR Episode 160 - Leadership from a Navy SEAL
In this episode...
Brandon, Michael and I discuss the challenges of leadership and how leadership is more than just telling people what to do. Brandon gives us some of his back-stories and anecdotes to illustrate his points on leadership along the way.
I promise you'll love this episode, and I highly encourage you to go donate what you're able to, to Red Circle Foundation (http://redcirclefoundation.org).
Guest
Brandon Webb ( @BrandonTWebb ) - Brandon is a former Navy SEAL, bestselling author and CEO of Force12 Media. He founded Red Circle Foundation as a way to give back to the families of the Special Ops community in a meaningful way.
Links
Red Circle Foundation - http://redcirclefoundation.org/
SOFREP - http://sofrep.com
Brandon's website - http://brandontylerwebb.com/

Sep 7, 2015 • 44min
DtSR Episode 159 - NewsCast for Sept 7th 2015
In this episode
Court strikes down Wyndham's challenge to FTC power
  We have covered this before
  Wyndham argued due process and lack of case law - asked for dismissal
  Court said no dismissal, FTC has standing
  FTC is arguing that Wyndham made promises it did not keep
  Should be interesting to watch this go to court (or likely not)
http://www.csoonline.com/article/2975915/data-breach/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html
Ashley Madison hauled into court by class-action suit
  Lots of thorny issues here, must separate out moral from legal
  Shines light on the continued bias for breach prevention
  Interesting Streisand effect here
http://www.csoonline.com/article/2975755/data-breach/ashley-madison-hauled-to-court-in-class-action-suits-over-data-breach.html
Verizon launches Hum OBD port vehicle monitor and communication tool
  In light of the stunt-hacking against Chrysler/Jeep, is Verizon tone deaf? ..or are they simply that confident in their security?
  There is no mention, by the way, of security of the device on the web site
http://www.macnn.com/articles/15/08/26/service.not.reliant.on.verizons.network.uses.any.ios.or.android.phone.130118/
The move to EMV cards (chip & sign) in America is changing how fraud happens
  EMV cards cost a fortune to implement
  Solving a problem the finance industry did not have
http://www.bankinfosecurity.com/interviews/emv-shift-preparing-for-fraud-migration-i-2850#

Sep 1, 2015 • 9min
DtSR MicroCast 08 - Conference Engagement
In this MicroCast, live from HTCIA Conference 2015 in Orlando, FL, Michael and I quickly set the stage for a conversation on conference speaker/attendee engagement.
[Raf] One of my biggest pet peeves as a speaker is getting a room-full of people who watch (and listen to) me speak, wait for me to finish, and leave when I'm done.
[Michael] As an attendee, you need to know what you "do" and what you're looking for from the conference.
--> Here's the link to the article Michael mentions: http://paulsohn.org/how-to-connect-with-anyone-you-just-met-with-5-questions/
We welcome the discussion on this topic, #DtSR on Twitter!

Aug 31, 2015 • 45min
DtSR Episode 158 - Managing Security with Outsourced IT
In this episode...
We discuss what life is like as the CISO when you have all the responsibility, but no administrative access (or hands on keyboard)
Brandon tells his story about how his IT organization went from in-house, to out-house, and how they got where they are
Brandon tells us the process and strategy he uses to get a handle on his security
We discuss why visibility is one of the most important things to outsourced IT (and security)
Brandon tells a story of an incident where things went very sideways
We discuss the balance between outsourcer scalability and customer deviations
Brandon tells us why sometimes it takes 3 months to scan your environment for a vulnerability ( your head will explode )
...and so much more
Guest
Brandon Dunlap ( @bsdunlap ) - Brandon is the global Chief Information Security Officer for an employee-owned, global leader in building critical infrastructure in energy, water, telecommunications and government services, currently operating in more than 100 countries through consulting, engineering, construction, operations and program management.

Aug 24, 2015 • 49min
DtSR Episode 157 - NewsCast for Aug 24th, 2015
In this episode...
Just when you thought America's neutered "chip & sign" was safe
http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
  Admittedly we put these stories in here just to get Michael all fired up
Ashley Madison's data and source code and CEO's email spool now released and public
http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
http://www.csoonline.com/article/2973575/business-continuity/ashley-madison-self-assessments-highlight-security-fears-and-failures.html
  So much to talk about that's just wrong with this story...
Uber is hiring people for security
http://www.ibtimes.com/uber-boost-security-staff-after-data-privacy-concerns-2055903
  Does more headcount equal better security?
  Where will these people come from given the shortage of talent?
That gadget you attached to your OBD2 port on your car to "save on car insurance" may be used to kill you
  Seriously
  The dangers of all these wireless & connected devices are scary
  Risk assessment anyone?
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
  Someone get Flo on the phone...
Windows 2003, which is now expired, still has 609,000 public servers on the Internet
  Translates into roughly 175M websites (Netcraft)
  Why are these out there?
  Is there really a risk or is this hype?
http://www.zdnet.com/article/windows-server-2003-servers-insecure-unpatched/
ATC systems go down as they were ... being updated!
  Common problem of ancient systems going down due to upgrade
  ATC has ZERO patch window ..also close to ZERO ability to test patches/updates in a "lab" environment
  Complex, ancient systems fail when they're upgraded, sometimes catastrophically
http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage

Aug 17, 2015 • 43min
DtSR Episode 156 - Leadership Defined Measured and Discussed
In this episode...
We discuss the ever-growing need for strong leadership in security
I ask whether experience and longevity in a position naturally bring leadership qualities
We talk through how leadership interplays with other competencies
Michael asks whether the security leader has a place at the executive table (the "big kids table")
Michael asks if the MBA has value in security leadership
We discuss the model my team uses for leadership and how we build them
Michael and Heath discuss various competency models for leadership
We discuss measuring, KPIs and relative distance
We discuss how leaders can make better decisions
Heath leaves us with an Alex Hutton quote

Aug 10, 2015 • 46min
DtSR Episode 155 - NewsCast for Aug 10th, 2015
In this episode...
The Belgian government's internal phishing test has "gone off the rails" a bit
  Used a legitimate entity to test against
  Panic and hilarity ensued, but mostly panic
http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html
British ICO levies a 180,000 pound fine
  Disconnect between policy and reality
  Was anything lost?
  2 big failures lead to a fine
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/ico-fines-nationwide-money-lender-the-money-shop-180-000/
McAfee and Black Hat attendee surveys wildly different
  Answers you get depend on who and how you ask
  Interesting answer though...
  Lesson: The more experience you have, the less confidence?
http://www.slate.com/blogs/future_tense/2015/07/21/two_surveys_of_cybersecurity_professionals_show_starkly_different_attitudes.html

Aug 3, 2015 • 50min
DtSR Episode 154 - Enterprise Software Security Reloaded
In this episode
Raf asks - Why haven't we solved the same old software security bugs?
James asks how a security team gets out of the way and still gets better security
We discuss threat modeling, and channel a bit of John Steven
Jeff talks about the OWASP ESAPI and standard security libraries and controls
Jeff talks about "libraries with known vulnerabilities" and the role of open source components
Raf brings up the ugly side of enterprise outsourcing - code development by committee
We discuss static, dynamic and run-time security tools
Raf asks Jeff what the RIGHT approach to creating a software program looks like
Guest
Jeff Williams ( @PlanetLevel ) - Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Jul 27, 2015 • 50min
DtSR Episode 153 - NewsCast for July 27th, 2015
In this episode...
"Hackers remotely kill a Jeep!"
  Lots to talk about
  Basics of segmentation weren't followed, aren't followed
  Discussion on software 'fitness' and liability
http://www.cato.org/blog/hackers-remotely-kill-jeep
Firefox blocks Flash and Facebook calls for its death
  Should it concern you that Firefox can change your config without your permission or an update?
  How helpful is this? Does the message/pop-up actually DO anything to stop users from clicking YES?
http://money.cnn.com/2015/07/14/technology/flash-firefox-facebook/index.html
Ashley Madison (the cheating website) breached!
  Check their privacy policy - is it consistent with actions?
  Did this event delay or possibly end the company's aspirations of going public?
  The morality of AM's business model shouldn't be an issue here - but it keeps coming up
http://www.csmonitor.com/World/Passcode/2015/0722/Ashley-Madison-breach-a-painful-reminder-of-online-data-s-permanence
British Gas bows to criticism over blocking password managers
http://www.scmagazineuk.com/british-gas-bows-to-criticism-over-blocking-password-managers/article/426463/
US Court says "pocket dialed" calls are NOT private
http://www.itworld.com/article/2951715/security/us-court-says-pocketdialed-calls-are-not-private.html