
Down the Security Rabbithole Podcast (DtSR)

Latest episodes

May 18, 2015 • 48min

DtSR Episode 143 - NewsCast for May 18th, 2015

In this episode...
- Netflix launched FIDO (not that one, or that one, no, the other one)
  - Focused on automating incident response practices
  - FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats
  - If you don't use it, at least it provides a structured framework for response and IR workflow
  - http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
- IT chief leaves sensitive data in car; spoiler: it gets stolen
  - Something smells like a fish market in the July heat on this story
  - Maybe it's time to check in on YOUR off-site handling procedures?
  - http://www.thestarpress.com/story/news/local/2015/05/10/chief-left-hard-drives-car/27083031/
- CrowdStrike discovers, names "Venom"
  - Massive security vulnerability in the floppy disk emulator in virtual machine hypervisors
  - Even if you disable floppy disk emulation, a separate bug lets you enable it
  - This has a graphic and everything!
  - http://www.csoonline.com/article/2921589/application-security/significant-virtual-machine-vulnerability-has-been-hiding-in-floppy-disk-code-for-11-years.html
- United Airlines launches bug bounty
  - Does this have anything to do with the now infamous (alleged) airplane hacker?
  - Seems like some contradictory statements in the description (see below on United's response to our inquiry)
  - http://www.united.com/web/en-US/content/contact/bugbounty.aspx

Note back from United Bug Bounty Team (posted with permission):

"Rafal: Thank you for the question. We want researchers to be able to notify us of potential issues they find while still protecting customers who are not participating in the program. If a researcher launched a brute force attack and locked the accounts of 10,000 customers through already existing security measures, this would negatively affect our customers and the program.

If any researchers believe they may have found a brute force condition, they can feel free to submit it to us without testing. We will check on our end and if we confirm a bug exists we will gladly reward them for their effort. Does that make sense?"

Support the show
>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
May 11, 2015 • 27min

DtSR Episode 142 - Basics and Fundamentals, That Win

In this episode...
- A quick walk-through of Rob's talk ("Hacker ghost stories"), and why it's completely relevant today
- Simple things that work:
  - blocking Java (externally)
  - effectively blocking "uncategorized" sites in your forwarding proxies
  - (not) resolving DNS internally
  - (not) default routing to the Internet from inside
  - canaries in the coal mine, or evil canaries

Guests
James Robinson ( @0xJames ) - https://www.linkedin.com/in/0xjames - Currently the Director, Threat and Risk Management at Accuvant-Fishnet Security and part of the Office of the CISO. He has a long and storied career of success as an enterprise defender across various industries.
Rob Fuller ( @mubix ) - Rob is an experienced InfoSec industry insider with many interesting achievements and accomplishments. He's easily findable, as are his many public doings.
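The "simple things that work" list above is a set of egress policies, and the cheapest way to find out whether yours actually hold is to look for the traffic they should have made impossible. The script below is an added example, not code from the show or its guests: it runs that check over three kinds of log (firewall, resolver, forward proxy) and reports internal hosts reaching the Internet directly, internal clients resolving external names, and proxy requests for uncategorized sites or from an outbound Java client. The address ranges, the proxy and resolver addresses, the internal zone, the log formats and every log line are assumptions constructed for illustration; canaries are not covered.

```python
"""Egress-policy checks: direct-to-Internet egress from inside, internal
clients resolving external names, and proxy requests that should have been
refused (uncategorized category, Java user agent).

Added example, not the podcast's code. Networks, addresses, zones and log
formats are assumptions; all log lines are constructed for illustration.
"""
import ipaddress

# Assumed internal address space (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed: only the forward proxy and the resolver may reach the Internet
# directly; every other host goes through the proxy (hypothetical addresses).
PROXY_IP = "10.0.0.5"
RESOLVER_IP = "10.0.0.53"
ALLOWED_DIRECT_EGRESS = {PROXY_IP, RESOLVER_IP}

# Assumed internal zones the resolver answers for clients (hypothetical).
INTERNAL_ZONE_SUFFIXES = (".corp.example",)

# Proxy policy: refuse these categories and this client software outright.
BLOCKED_CATEGORIES = {"uncategorized"}
BLOCKED_UA_PREFIXES = ("Java/",)

# Constructed firewall log: "<src> <dst> <dport> <action>".
FW_LOG = """\
10.1.2.3 10.0.0.5 3128 ALLOW
10.1.2.3 93.184.216.34 443 ALLOW
10.0.0.5 93.184.216.34 443 ALLOW
10.1.2.9 203.0.113.7 53 ALLOW
10.1.2.9 198.51.100.20 80 DENY
"""

# Constructed resolver query log: "<client> <qname>".
DNS_LOG = """\
10.1.2.3 fileserver.corp.example
10.1.2.3 www.example.com
10.0.0.5 www.example.com
"""

# Constructed proxy access log: "<client> <host> <category> <user-agent>".
PROXY_LOG = """\
10.1.2.3 www.example.com business Mozilla/5.0
10.1.2.3 x7f3k2.example.net uncategorized Mozilla/5.0
10.1.2.3 cdn.example.org content-delivery Java/1.7.0_71
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direct_egress(fw_log: str) -> list:
    """Allowed flows from an internal host (other than proxy/resolver) to an
    external address: evidence that a default route to the Internet still
    works from the inside. Returns (src, dst, dport) tuples."""
    hits = []
    for line in fw_log.splitlines():
        src, dst, dport, action = line.split()
        if (action == "ALLOW" and is_internal(src) and not is_internal(dst)
                and src not in ALLOWED_DIRECT_EGRESS):
            hits.append((src, dst, int(dport)))
    return hits


def external_lookups(dns_log: str) -> list:
    """Internal clients resolving names outside the internal zones. When the
    proxy does all external resolution, a client asking for www.example.com
    is misconfigured or is malware looking for a way out."""
    hits = []
    for line in dns_log.splitlines():
        client, qname = line.split()
        if (client not in ALLOWED_DIRECT_EGRESS
                and not qname.endswith(INTERNAL_ZONE_SUFFIXES)):
            hits.append((client, qname))
    return hits


def proxy_violations(proxy_log: str) -> list:
    """Proxy requests that the policy should have refused. Returns
    (client, host, reason) tuples."""
    hits = []
    for line in proxy_log.splitlines():
        client, host, category, ua = line.split(None, 3)
        if category in BLOCKED_CATEGORIES:
            hits.append((client, host, f"category {category}"))
        if ua.startswith(BLOCKED_UA_PREFIXES):
            hits.append((client, host, f"user agent {ua}"))
    return hits


if __name__ == "__main__":
    print("direct egress:", direct_egress(FW_LOG))
    print("external DNS lookups:", external_lookups(DNS_LOG))
    print("proxy violations:", proxy_violations(PROXY_LOG))
```

Against the constructed logs this reports two hosts with a working default route (one of them talking DNS straight to an external address), one client resolving an external name itself, and two proxy requests that a category block and a Java user-agent block would have stopped. Replace the constants with your own address space and feed it real exports; an empty result is the state the episode is arguing for.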
May 4, 2015 • 46min

DtSR Episode 141 - NewsCast for May 4th, 2015

In this episode...
- A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
  - The study only looked at mobile apps and app developers
  - Less than half (of their sample) test the mobile apps they build
  - About 33% never test their apps
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- Illinois Bill SB1833 expands the definition of PII to include almost everything
  - Requires notification in the event of a breach of online browsing history, online search history, or purchasing history
  - Is this absurd, or just protecting our privacy?
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- The DOJ has jumped in and issued some sound, fundamental breach guidance!
  - 4 sections: what to do before, during and after a breach, plus what NOT to do after a breach
  - Fantastic fundamentals... great idea
  - The push to fundamentals is critical!
  - http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
  - http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
- Mozilla is phasing out non-secure HTTP
  - HTTPS-only is the way forward, so Mozilla (champions of liberty and all that) is leading the way
  - https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
- First foreign hacker is convicted in the US
  - Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies
  - He pled guilty in September 2014; maximum 5-year prison sentence
  - http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/
Apr 27, 2015 • 39min

DtSR Episode 140 - Ethics of Hacking Live from AtlSecCon 2015

In this episode...
- What about public safety? Where do we draw the line on open research?
- Self-regulation? Disclosure? What are our options...
- What makes a researcher? We discuss
- "Chilling security research"
- A quick dive into bug bounty programs; do they help?
- Ethics vs. moral compass... we discuss
- Hacker movies, and what they're doing for our profession

Guests
Keren Elezari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification and a BA in History and Philosophy of Science, and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren has covered emerging security technologies and trends as a security industry analyst with GIGAOM research, a leading independent media hub. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious international annual TED conference. Keren's TED talk has been viewed by 1.2 million people, translated into more than 20 languages and selected for TED's list of "Most Powerful Ideas in 2014" and for Inc.com's list of "Top TED Talks of 2014".
Kellman Meghu ( @kellman ) - heads up a team of Security Architects for CheckPoint Software Technologies Inc., the worldwide leader in securing the Internet. His background includes almost 20 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISPs in Southern Ontario, as well as security audits and security infrastructure deployments for various commercial and governmental entities across Canada and the central United States. Kellman has delivered security talks at private corporate-focused events, at school internet safety classes for students and teachers, and at public events such as SecureWorld Seattle, The Check Point Experience, BSides St. John's, BSides San Francisco, BSides Iowa, BSides Detroit, Secure360, the Trilateral Conference, and the SecTor lunch keynote for 2014. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio stati
Apr 20, 2015 • 40min

DtSR Episode 139 - NewsCast for April 20th, 2015

In this episode...
- Friend and security researcher Chris Roberts steps into it... a poorly-conceived tweet, followed by mass hysteria
  - Most everyone talking about this is missing the point entirely
  - Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
  - http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
  - The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Corporate threat intelligence teams opting to go anonymous?
  - New company, making intelligence sharing work, anonymously?
  - Many questions on whether anonymity is workable in the intelligence space
  - https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Target settles with MasterCard for $19M USD
  - MasterCard trying to settle this out as an alternative payout option for victims (this time the issuers, not card holders)
  - http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_million/
- The looming security threat no one is talking about
  - We're talking about it!
  - Windows Server 2003 is going out of service... after 12 years?
  - Final deadline is July 14th
  - Panic? Compensating security controls?
  - http://www.healthcaredive.com/news/himss15-the-looming-it-security-threat-that-no-one-is-talking-about/386754/
- HTTP "ping of death" coming to a Windows IIS web server near you
  - Patch now... people are actively exploiting this flaw to knock over web servers
  - Quick turnaround from "patch released" to "patch reverse-engineered to attack IIS servers"
  - http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
- JPMC algorithm knows you're an insider threat before you do
  - Fascinating, applies to the financial world
  - Uses behavioral indicators
  - http://www.bl
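The HTTP.sys item above (MS15-034, per the linked article) is reached through the HTTP Range header: the public check that spread once the patch was reverse-engineered sent a byte range with an upper bound of 18446744073709551615, far beyond anything a real download needs. Until you can patch, that shape is easy to spot in captured requests or at a reverse proxy in front of IIS. The checker below is an added example, not code from the show or the article: it parses raw HTTP requests, validates the Range header, and reports ranges that are malformed, inverted, or larger than a sanity threshold. The 32-bit threshold and the sample requests are assumptions constructed for this example.

```python
"""Range-header sanity check for requests aimed at IIS/HTTP.sys.

Added example, not the podcast's or the linked article's code. The Range
header is the path to MS15-034; the probe value 18446744073709551615 in the
sample below is the one from the public write-ups. The threshold and the
sample requests are assumptions constructed for illustration.
"""
import re

# Assumed threshold: no legitimate object served here is larger than 4 GiB,
# so any byte offset above 32 bits is treated as hostile (hypothetical choice).
MAX_SANE_OFFSET = 2 ** 32 - 1

BYTES_UNIT = re.compile(r"^bytes=(.+)$")
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def suspicious_range(value: str):
    """Return a reason string if a Range header value looks hostile, else None.
    Checks: unit must be 'bytes'; each spec must be 'a-b', 'a-' or '-b';
    no bound may exceed MAX_SANE_OFFSET; 'a-b' must not be inverted."""
    m = BYTES_UNIT.match(value.strip())
    if not m:
        return "range unit is not 'bytes'"
    for spec in m.group(1).split(","):
        spec = spec.strip()
        sm = RANGE_SPEC.match(spec)
        if not sm or spec == "-":
            return f"malformed range spec {spec!r}"
        first, last = sm.groups()
        for bound in (first, last):
            if bound and int(bound) > MAX_SANE_OFFSET:
                return f"range bound {bound} exceeds {MAX_SANE_OFFSET}"
        if first and last and int(first) > int(last):
            return f"inverted range {spec!r}"
    return None


def scan_requests(raw_requests):
    """Apply suspicious_range to every request carrying a Range header.
    Returns (target, header value, reason) tuples for the hits."""
    findings = []
    for raw in raw_requests:
        _method, target, headers = parse_request(raw)
        rng = headers.get("range")
        if rng is None:
            continue
        reason = suspicious_range(rng)
        if reason:
            findings.append((target, rng, reason))
    return findings


# Constructed sample traffic: a benign partial-content request, a probe shaped
# like the public MS15-034 check, and a request with no Range header at all.
SAMPLE_REQUESTS = [
    "GET /welcome.png HTTP/1.1\r\nHost: iis.example\r\nRange: bytes=0-1023\r\n\r\n",
    "GET /welcome.png HTTP/1.1\r\nHost: iis.example\r\n"
    "Range: bytes=0-18446744073709551615\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: iis.example\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

Only the probe is reported. This is detection and triage, not a fix: the fix is the MS15-034 update, and Microsoft's published workaround at the time was to disable IIS kernel caching. A reverse proxy that rejects requests failing `suspicious_range` buys time for the patch window, nothing more.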
Apr 13, 2015 • 49min

DtSR Episode 138 - Useful Knowledge on Intelligence

In this episode...
- Where do you even start with "threat intelligence"?
- Ryan talks about context, and why it's *the* most important thing when it comes to threat intel
- How does an SME make use of a "luxury item" like threat intelligence?
- Michael asks what are 1-2 things you can do *immediately* as an SME
- What are the basics, beyond the basics of security? Where do you make your first investment?
- Getting your own house in order is harder than it sounds, so what then?
- Michael drops some #RiskCatnip
- Michael breaks down the "feedback loop" and his basic questions to ask/answer
- Down the rabbit hole of shiny boxes, standards, and productized threat intelligence
- The overlap of data among commercial threat intelligence providers

Guest
Ryan Trost - Ryan is the CIO of ThreatQuotient and knowledgeable on matters of intelligence, with an extensive background and history in the community.
Apr 6, 2015 • 46min

DtSR Episode 137 - NewsCast for April 6th, 2015

In this episode...
- TrueCrypt security audit results are good news, right? Why are some of the most depended-upon
  - http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
- At Aetna, cybersecurity is a matter of business risk
  - Jim Routh talks about how he runs a security program
  - Security is a matter of business risk; if not, you're doing it wrong
  - http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
- Why aren't you vulnerability scanning more often?
  - Wrong question.
  - Simple answer: because scanning doesn't matter if you can't fix the issues you find
  - Example of how security misses the point
  - http://www.csoonline.com/article/2901472/vulnerabilities/why-aren-t-you-vulnerability-scanning-more-often.html
- SecurityScorecard - a new startup that is exposing 3rd-party risks to you -- or is it?
  - Interesting business model
  - How legitimate is this, and what are the risks?
  - http://www.businessinsider.com/securityscorecard-raises-125-million-led-by-sequoia-2015-3
- Does removing Windows administrator permission really mitigate 97% of vulnerabilities?!
  - Is this real? If so, why isn't everyone doing it?
  - Local administrator privileges are starting to fade, but why so slowly?
  - http://blog.norsecorp.com/2015/04/02/removing-admin-privileges-mitigates-97-of-critical-microsoft-vulnerabilities/
Mar 30, 2015 • 50min

DtSR Episode 136 - Crypto and Privacy with Jon Callas

In this episode...
- Jon Callas gives a little of his background and his current role
- We talk through why cryptography is so hard, and so broken today
- Jon overviews compatibility, audit and making cryptography useful
- Jon brings up open source, security, and why "open is more secure" is bunk
- We talk through "barn builders" vs. "barn kickers" and why security isn't improving
- We talk through how to do privacy, active vs. passive surveillance
- We talk through anonymous VPN providers, anonymization services, and how they're legally bound
- Jon talks about appropriate threat modeling and knowing what we're protecting
- We talk through patching -- how to do patching for Joe Average User
- Bonus: mobile is as secure as (or more secure than) what we're used to on the desktop

Guest
Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered "one of the most respected and well-known names in the mobile security industry." Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation, and he is the former Chief Technical Officer of Entrust.
Mar 23, 2015 • 52min

DtSR Episode 135 - NewsCast for March 23rd, 2015

Remember folks, as you listen, reach out to us on Twitter and hit the hashtag #DtSR to continue the conversation and speak your mind! Let's hear what your take is on the stories we discuss... maybe you have a unique angle we've not considered?

In this episode...
- Target settled the class-action lawsuit over its data breach for $10M USD
  - Who wins? Lawyers, clearly the lawyers
  - Burden of proof is on the victims to show they've suffered a loss to get up to $10,000.00
  - If you can't prove loss, you can still try to get part of whatever is left over from the settlement
  - http://www.usatoday.com/story/money/2015/03/19/target-breach-settlement-details/25012949/
- Federal judge dismisses suit against Paytime -- "simply no compensable injury yet"
  - Leaves the door open for future suits if someone were to suffer a compensable injury
  - "Once a hacker does misuse a person's information for personal gain...there is a clear injury and one that can be fully compensated with money damages." -- Judge John E. Jones III
  - Watch this case; read the story for yourself
  - http://www.securityinfowatch.com/news/11883806/federal-judge-dismisses-lawsuits-over-paytime-inc-data-breach
- Sacred Heart Health System victim-by-proxy of a data breach
  - Happened at a 3rd party
  - So why is only Sacred Heart in the news?
  - ~40 individuals' SSNs and patient information
  - "deceptive technique" known as phishing
  - http://pensacolatoday.com/2015/03/sacred-heart-informs-patients-of-billing-information-disclosure/
- Premera Blue Cross "warned about security flaws before breach"
  - Lots to talk about here, starting with: is 3 weeks enough time?
  - OPM audit finds issues; is this a systemic failure, or exemplary of an enterprise doing its best in a difficult security climate?
  - Before you judge, measure your own security posture against this article
  - http://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/
- Advantage Dental notifies patients of breach
  - 3 days from initial breach to discovery
  - Amazingly fast detection, but was it adversary or malware?
  - Is this a feel-good, or something else?
  - https://secure.advantagedental.com/index.asp?din=598
Mar 16, 2015 • 48min

DtSR Episode 134 - Fundamental Security

In this episode...
- Michael C and the team talk about "going back to basics" and the need for security fundamentals
- Michael C talks a little about why we (security professionals) fail at fixing problems at scale
- We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
- Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
- We discuss the balance between false positives and false negatives -- a super critical topic
- Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
- We talk through centralized vs. de-centralized security, and how to understand which works better, and where
- Michael C gives us his 3 key take-aways for listeners (don't miss these!)
- We talk through "assume breach", and what it means for security

Guest
Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter, where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community, now serving on its board and having contributed countless hours and lines of code to the effort.
