Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
May 4, 2015 • 46min

DtSR Episode 141 - NewsCast for May 4th, 2015

In this episode...
- A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
  - The study only looked at mobile apps and app developers
  - Less than half (of their study) test the mobile apps they build
  - About 33% never test their apps
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- Illinois Bill SB1833 expands the definition of PII to include almost everything
  - Requires notification in the event of a breach of... online browsing history, online search history, or purchasing history
  - Is this absurd, or just protecting our privacy?
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- The DOJ has jumped in and issued some sound fundamental breach guidance!
  - 4 sections: what to do before, during and after a breach, plus what NOT to do after a breach
  - Fantastic fundamentals... great idea
  - The push to fundamentals is critical!
  - http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
  - http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
- Mozilla is phasing out non-secure HTTP
  - HTTPS only is the way forward, so Mozilla (champions of liberty and all that) are leading the way
  - https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
- First foreign hacker is convicted in the US
  - Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies
  - He pled guilty in September 2014; maximum of 5yr prison sentence
  - http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Apr 27, 2015 • 39min

DtSR Episode 140 - Ethics of Hacking Live from AtlSecCon 2015

In this episode...
- What about public safety? Where do we draw the line on open research?
- Self-regulation? Disclosure? What are our options…
- What makes a researcher? We discuss
- "Chilling security research"
- A quick dive into bug bounty programs; do they help?
- Ethics vs. moral compass… we discuss
- Hacker movies, and what they're doing for our profession

Guests
Keren Elezari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank, founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren covers emerging security technologies and trends as a security industry analyst with GIGAOM research, a leading independent media hub. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious international annual TED conference. Keren's TED talk has been viewed by 1.2 million people, translated to more than 20 languages and selected for TED's list of 'Most Powerful Ideas in 2014' and for Inc.com's list of 'Top TED Talks of 2014'.

Kellman Meghu ( @kellman ) - heads up a team of Security Architects for CheckPoint Software Technologies Inc., the worldwide leader in securing the Internet. His background includes almost 20 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISP's in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. Kellman has delivered security talks in private corporate focused events, at school internet safety classes for students and teachers, as well as public events such as SecureWorld Seattle, The Check Point Experience, Bsides St. Johns, Bsides San Francisco, Bsides Iowa, Bsides Detroit, Secure360, Trilateral Conference, and the Sector lunch keynote for 2014. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio stati
Apr 20, 2015 • 40min

DtSR Episode 139 - NewsCast for April 20th, 2015

In this episode...
- Friend and security researcher Chris Roberts steps into it...
  - A poorly-conceived tweet, followed by mass hysteria
  - Most everyone talking about this is missing the point entirely
  - Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
  - http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
  - The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Corporate threat intelligence teams opting to go anonymous?
  - New company, making intelligence sharing work, anonymously?
  - Many questions on whether anonymity is workable in the intelligence space
  - https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Target settles with Mastercard for $19M USD
  - Mastercard trying to settle this out, as an alternative payout option for victims (this time the issuers, not card holders)
  - http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_million/
- The looming security threat no one is talking about
  - We're talking about it!
  - Windows 2003 is going out of service... after 12 yrs?
  - Final deadline is July 14th
  - Panic? Compensating security controls?
  - http://www.healthcaredive.com/news/himss15-the-looming-it-security-threat-that-no-one-is-talking-about/386754/
- HTTP "ping of death" coming to a Windows IIS web-server near you
  - Patch now... people are actively exploiting this flaw to knock over web servers
  - Quick turn-around from "patch released" to "patch reverse-engineered to attack IIS servers"
  - http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
- JPMC algorithm knows you're an insider threat, before you do
  - Fascinating, applies to the financial world
  - Uses behavioral indicators
  - http://www.bl
Apr 13, 2015 • 49min

DtSR Episode 138 - Useful Knowledge on Intelligence

In this episode...
- Where do you even start with "threat intelligence"?
- Ryan talks about context, and why it's *the* most important thing when it comes to threat intel
- How does a SME make use of a "luxury item" like threat intelligence?
- Michael asks: what are 1-2 things you can do *immediately* as an SME?
- What are the basics, beyond the basics of security? Where do you make your first investment?
- Getting your own house in order is harder than it sounds, so what then?
- Michael drops some #RiskCatnip
- Michael breaks down the "feedback loop" and his basic questions to ask/answer
- Down the rabbit hole of shiny boxes, standards, and productized threat intelligence
- The overlap of data on commercial threat intelligence providers

Guest
Ryan Trost - Ryan is the CIO of ThreatQuotient and knowledgeable on matters of intelligence with his extensive background and history in the community.
Apr 6, 2015 • 46min

DtSR Episode 137 - NewsCast for April 6th, 2015

In this episode...
- TrueCrypt security audit results are good news, right?
  - Why are some of the most depended-upon
  - http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
- At Aetna, CyberSecurity is a matter of business risk
  - Jim Routh talks about how he runs a security program
  - Security is a matter of business risk; if not, you're doing it wrong
  - http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
- Why aren't you vulnerability scanning more often?
  - Wrong question.
  - Simple answer -- because scanning doesn't matter if you can't fix the issues you find
  - Example of how security misses the point
  - http://www.csoonline.com/article/2901472/vulnerabilities/why-aren-t-you-vulnerability-scanning-more-often.html
- SecurityScorecard - a new startup that is exposing 3rd party risks to you -- or is it?
  - Interesting business model
  - How legitimate is this, and what are the risks?
  - http://www.businessinsider.com/securityscorecard-raises-125-million-led-by-sequoia-2015-3
- Does removing Windows administrator permission really mitigate 97% of vulnerabilities?!
  - Is this real? If so -- why isn't everyone doing it?
  - Local administrator privileges are starting to fade, but why so slowly?
  - http://blog.norsecorp.com/2015/04/02/removing-admin-privileges-mitigates-97-of-critical-microsoft-vulnerabilities/
Mar 30, 2015 • 50min

DtSR Episode 136 - Crypto and Privacy with Jon Callas

In this episode...
- Jon Callas gives a little of his background and his current role
- We talk through why cryptography is so hard, and so broken today
- Jon overviews compatibility, audit and making cryptography useful
- Jon brings up open source, security, and why "open is more secure" is bunk
- We talk through "barn builders" vs. "barn kickers" and why security isn't improving
- We talk through how to do privacy, active vs. passive surveillance
- We talk through anonymous VPN providers, anonymization services, and how they're legally bound
- Jon talks about appropriate threat modeling and knowing what we're protecting
- We talk through patching -- how to do patching for Joe Average User
- Bonus -- Mobile is as secure (or more) than what we're used to on the desktop

Guest
Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered "one of the most respected and well-known names in the mobile security industry." Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation and the former Chief Technical Officer of Entrust.
Mar 23, 2015 • 52min

DtSR Episode 135 - NewsCast for March 23rd, 2015

Remember folks, as you listen reach out to us on Twitter and hit the hashtag #DtSR to continue the conversation, and speak your mind! Let's hear what your take is on the stories we discuss... maybe you have a unique angle we've not considered?

In this episode--
- Target settled class-action lawsuit over its data breach - for $10M USD
  - Who wins? Lawyers, clearly the lawyers
  - Burden of proof on the victims to show they've suffered a loss to get up to $10,000.00.
  - If you can't prove loss, you can still try to get part of the settlement from what's left over
  - http://www.usatoday.com/story/money/2015/03/19/target-breach-settlement-details/25012949/
- Federal judge dismisses suit against Paytime -- "simply no compensable injury yet"
  - Leaves door open for future suits if someone were to suffer a compensable injury
  - "Once a hacker does misuse a person's information for personal gain...there is a clear injury and one that can be fully compensated with money damages." -- Judge John E. Jones III
  - Watch this case, read the story for yourself
  - http://www.securityinfowatch.com/news/11883806/federal-judge-dismisses-lawsuits-over-paytime-inc-data-breach
- Sacred Heart Health System victim-by-proxy of a data breach
  - Happened at a 3rd party
  - So why is only Sacred Heart in the news?
  - ~40 individuals' SSNs and patient information
  - "deceptive technique" known as phishing
  - http://pensacolatoday.com/2015/03/sacred-heart-informs-patients-of-billing-information-disclosure/
- Premera Blue Cross "warned about security flaws before breach"
  - Lots to talk about here -- starting with: is 3 weeks enough time?
  - OPM audit finds issues; is this a systemic failure or exemplary of an enterprise doing its best in a difficult security climate?
  - Before you judge, measure up your own security posture against this article
  - http://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/
- Advantage Dental notifies patients of breach
  - 3 days from initial breach to discovery
  - Amazingly fast detection, but was it adversary or malware?
  - Is this a feel-good, or something else?
  - https://secure.advantagedental.com/index.asp?din=598
Mar 16, 2015 • 48min

DtSR Episode 134 - Fundamental Security

In this episode...
- Michael C and the team talk about "going back to basics" and the need for security fundamentals
- Michael C talks a little about why we (security professionals) fail at fixing problems at scale
- We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
- Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
- We discuss the balance between false positives and false negatives -- a super critical topic
- Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
- We talk through centralized vs. de-centralized security, and how to understand which works better, and where
- Michael C gives us his 3 key take-aways for listeners (don't miss these!)
- We talk through "assume breach", and what it means for security

Guest
Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community, now serving on its board and having contributed countless hours and lines of code to the effort.
Mar 9, 2015 • 37min

DtSR Episode 133 - NewsCast for March 9th, 2015

In this episode--
- Law firm hit and crippled by ransomware, decides it's not paying the ransom.
  - They aren't quite sure what got encrypted
  - But they have backups..... and data was likely not exfiltrated
  - http://news.softpedia.com/news/Ransomware-Hits-Law-Firm-Encrypts-Workstation-and-Server-474788.shtml
- Major law firms form ISAC to fight off adversaries, share intelligence
  - Catching up to the threat they're facing
  - Law firms are major targets, given the data they have ("secrets!")
  - Downside: exclusive to a handful of major firms
  - http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats
- Big kerfuffle about Anthem's refusal of a 3rd party audit
  - They were under no legal obligation...
  - Who out there would submit to a 3rd party audit/test?
  - Sounds like public shaming: big headline, little story
  - http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980
- Apple Pay being attacked, sort of
  - When technology becomes 'good enough', attackers attack processes and people
  - Lesson -- nothing is "unhackable" even if the tech is great
  - http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers
- [Slightly-old-but-relevant] Victor Valley College suspends entire IT staff to investigate a vague breach in protocol
  - Very little actually said in disclosure
  - "We don't have any reason to believe we've been hacked by outside hackers"
  - Entire computer system was taken down for nearly 3 hours
  - Emphasizing "no private student or employee information has been compromised"
  - Stay tuned... weird
  - http://www.vvdailypress.com/article/20150130/NEWS/150139991
Mar 2, 2015 • 58min

DtSR Episode 132 - Good Guys, Bad Guys, and Reality

In this episode...
- We learn the origins of "RSnake" as told by Rob himself
- Rob gives us a peek into the dark side, from his contacts and experiences
- We discuss the black-hat economy as it's verticalized, specialized, and matured
- Rob discusses the balancing act of the good vs. bad and why the situation is as bad as it needs to be
- We discuss some of the things businesses and defenders really need to worry about
- Rob gives us his view of the inevitability of security from SMB to enterprise -- and why things are so good, or bad, or just right
- We discuss the different ways security is being understood, implemented and matured and why it's futile to chase absolutes
- Michael and Rob dive into the labor shortage in security - real, perceived, or misunderstood?
- Rob gives us his outlook on where things are going over the next decade or so

Guest
Robert "RSnake" Hansen ( @RSnake ) - Strategic. Web security expert. Visionary. Robert brings more than 20 years of web application and browser security experience, innovation, and vision to the WhiteHat Security team. Under Robert's leadership, WhiteHat Labs successfully launched Aviator, the most secure browser available, for Mac and Windows, quickly racking up more than 170,000 downloads in less than six months. When asked about WhiteHat Labs' mission, Hansen said, "Labs will strive to provide prototypes that go beyond customer expectations, to delight the user." Before WhiteHat, Robert was the CEO of SecTheory and Falling Rock Networks. Robert has co-authored several books including XSS Exploits and Website Security for Dummies. Robert is also the author of Detecting Malice. He is a member of WASC, APWG, IACSP, ISSA, APWG and has contributed to several OWASP projects, including originating the XSS Cheat Sheet. When he is not breaking the web to make it stronger, Robert enjoys watching Formula One racing.
