
Down the Security Rabbithole Podcast (DtSR)

Latest episodes

Mar 9, 2015 • 37min

DtSR Episode 133 - NewsCast for March 9th, 2015

In this episode--
- Law firm hit and crippled by ransomware, decides it's not paying the ransom. They aren't quite sure what got encrypted, but they have backups... and data was likely not exfiltrated. http://news.softpedia.com/news/Ransomware-Hits-Law-Firm-Encrypts-Workstation-and-Server-474788.shtml
- Major law firms form an ISAC to fight off adversaries and share intelligence. Catching up to the threat they're facing. Law firms are major targets, given the data they have ("secrets!"). Downside: exclusive to a handful of major firms. http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats
- Big kerfuffle about Anthem's refusal of a 3rd party audit. They were under no legal obligation... Who out there would submit to a 3rd party audit/test? Sounds like public shaming: big headline, little story. http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980
- Apple Pay being attacked, sort of. When technology becomes 'good enough', attackers attack processes and people. Lesson -- nothing is "unhackable" even if the tech is great. http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers
- [Slightly-old-but-relevant] Victor Valley College suspends entire IT staff to investigate a vague breach in protocol. Very little actually said in the disclosure: "We don't have any reason to believe we've been hacked by outside hackers". The entire computer system was taken down for nearly 3 hours, while emphasizing "no private student or employee information has been compromised". Stay tuned... weird. http://www.vvdailypress.com/article/20150130/NEWS/150139991

Support the show >>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Mar 2, 2015 • 58min

DtSR Episode 132 - Good Guys, Bad Guys, and Reality

In this episode...
- We learn the origins of "RSnake" as told by Rob himself
- Rob gives us a peek into the dark side, from his contacts and experiences
- We discuss the black-hat economy as it's verticalized, specialized, and matured
- Rob discusses the balancing act of the good vs. bad and why the situation is as bad as it needs to be
- We discuss some of the things businesses and defenders really need to worry about
- Rob gives us his view of the inevitability of security from SMB to enterprise -- and why things are so good, or bad, or just right
- We discuss the different ways security is being understood, implemented and matured, and why it's futile to chase absolutes
- Michael and Rob dive into the labor shortage in security - real, perceived, or misunderstood?
- Rob gives us his outlook on where things are going over the next decade or so

Guest
Robert "RSnake" Hansen ( @RSnake ) - Strategic. Web security expert. Visionary. Robert brings more than 20 years of web application and browser security experience, innovation, and vision to the WhiteHat Security team. Under Robert's leadership, WhiteHat Labs successfully launched Aviator, the most secure browser available, for Mac and Windows, quickly racking up more than 170,000 downloads in less than six months. When asked about WhiteHat Labs' mission, Hansen said, "Labs will strive to provide prototypes that go beyond customer expectations, to delight the user." Before WhiteHat, Robert was the CEO of SecTheory and Falling Rock Networks. Robert has co-authored several books including XSS Exploits and Website Security for Dummies. Robert is also the author of Detecting Malice. He is a member of WASC, APWG, IACSP and ISSA, and has contributed to several OWASP projects, including originating the XSS Cheat Sheet. When he is not breaking the web to make it stronger, Robert enjoys watching Formula One racing.
Feb 23, 2015 • 42min

DtSR Episode 131 - NewsCast for February 23rd, 2015

In this episode--
- Would you be OK with your credit card company tracking you, to decrease fraud rates? Visa wants to track your smartphone. http://triblive.com/business/headlines/7774328-74/visa-card-fraud
- Your stolen healthcare data is increasingly being sold on the black market. http://www.ihealthbeat.org/articles/2015/2/19/security-experts-health-data-increasingly-being-sold-on-black-market
- Lenovo has shipped software that performs a man-in-the-middle (MITM) attack against all SSL connections on some of its consumer laptops. This is really, really, really bad, but Lenovo doesn't seem to get it.
  http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
  http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
- The web browser is totally broken, and a haven for malware. Long live the web browser? http://securityintelligence.com/broken-web-browsers-malwares-new-address/
Feb 16, 2015 • 49min

DtSR Episode 130 - Where Law and Cyber Collide

In this episode
- Traveler's Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers. http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
  - We discuss whether security standards are now "implied"
  - Does Traveler's have any standing to sue? (Shawn thinks not)
- FTC goes after LabMD for a data breach. http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
  - Is the FTC over-reaching?
  - We discuss this statement from the FTC website: "[LabMD failed to] ..reasonably protect the security of consumers' personal data, including medical information"
- Social media company TopFace pays a ransom to hackers. http://www.forbes.com/sites/davelewis/2015/01/31/topface-facepalms-as-it-surrenders-to-data-breach-hacker-blackmail/
  - Face + Palm.
  - We lament why this absolutely terrible decision may have far-reaching repercussions

Guest
Shawn Tuma ( @ShawnETuma ) - In addition to being a perennial favorite on this show, Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, a Christian, a family man, an author & speaker - and an all-around awesome guy.
Feb 9, 2015 • 51min

DtSR Episode 129 - NewsCast for February 9th, 2015

Topics covered
- Massive breach at American health insurer Anthem - from the "haven't we done this once before?" department, as Queen's "Another One Bites the Dust" plays in the background.
  https://gigaom.com/2015/02/05/oops-another-big-data-breach-this-time-at-anthem/
  http://money.cnn.com/2015/02/05/investing/anthem-hack-stocks/index.html?sr=twmoney020615anthemwallst0600story
  (Obligatory OMG China! hype link) http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
- Hackers target brokers, financial advisors -- SEC "does something". http://thehill.com/policy/cybersecurity/231649-hackers-targeting-brokerages-and-financial-advisers
- SEC weighs cybersecurity disclosure rules (why SEC?) - http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
- A promising new technology which detects hacks in - milliseconds? - but what's the use-case? http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds
- Google launches vulnerability research grants program - because bug bounties just aren't enough. http://www.scmagazine.com/google-launches-vulnerability-research-grants-program/article/395694/
- Sony Pictures Entertainment (the company that was so thoroughly hacked) CEO Amy Pascal is out! But is this proof of anything, for security? Ask Michael... http://www.csoonline.com/article/2880600/security-leadership/the-conversation-security-leaders-need-to-have-about-amy-pascal-s-departure.html
Feb 8, 2015 • 6min

DtSR MicroCast 07 - Taking Security Seriously

This is the 7th installment (call it a rebirth) of the MicroCast. Short and to the point, Michael and James talk about the phrase breached companies use - "We take your security seriously..." Join the conversation at #DtSR on Twitter!
Feb 2, 2015 • 1h 1min

DtSR Episode 128 - When Breach, Buy the Dip

Fans - If you haven't booked your ticket for InfoSec World 2015 in sunny Orlando, FL, check this out. Register using our code CLD15/RABBIT for 15% off. If you want a chance to go for FREE, listen to Episode 127 for your chance!

In this episode...
- John gives us a little lesson on markets, and why they move up/down, with commentary for the information security professional
- John discusses what #BTFD means
- John uses the Target example of why security professionals, marketers, and much of the media got it completely wrong
- John educates us on insurance, compliance and liability
- My head explodes...

Guest
John Foster ( @dearestleader ) - Mr. Foster has 19 years of technology experience but left technical infosec in 2003 to pursue a career in Compliance and Ethics. He now focuses on bribery & corruption, environmental issues, and other interesting topics, but infosec keeps appearing in compliance and finance. He is an investor with experience in stock, foreign exchange, options, and futures which allows him to see past the data breach hype. He is a Certified Treasury Professional, Six Sigma Black Belt, and holds certificates in ISO 9001, 14001, 20000, 22301, 27001, & 28000 from PECB. He is a partner at Bianco Foster Group, LLC which provides training and education services in ISO standards and an investor in several early stage startups.

Links
- Short portfolio http://dearestleader.me/2015/01/portfolio-update/
- S&P no material impact http://dearestleader.me/2015/01/standard-poors-says-breaches-have-no-material-impact/
- Home Depot earnings call analysis http://dearestleader.me/2014/12/home-depot-earnings-indicate-there-is-no-fear/
- Target sales up 40% over last year http://dearestleader.me/2014/11/target-continues-to-conquer-all/
- Initial Target analysis http://dearestleader.me/2014/03/target-data-breach-not-a-disaster/
Jan 26, 2015 • 39min

DtSR Episode 127 - NewsCast for January 26th, 2015

** There is a special gift for our listeners in this episode, from our friends at InfoSec World 2015! Listen to find out how you can go for free. We have a promo code! CLD15/RABBIT – 15% off for "Down the Rabbit Hole" listeners

Topics Covered
- Google picks up really big rocks, but lives in a glass house. As Google drops zero-days on Apple and Microsoft, they respond with a lame excuse as to why they aren't patching a vulnerability that puts north of 60% of all Android users at risk.
  http://m.v3.co.uk/v3-uk/news/2389839/google-puts-60-percent-of-android-users-at-risk-with-webview-security-changes
  http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
  http://www.eweek.com/security/google-project-zero-continues-its-microsoft-zero-day-assault.html
  http://www.zdnet.com/article/googles-project-zero-reveals-three-apple-os-x-zero-day-vulnerabilities/
- Marriott reverses its decision to block guests' personal WiFi devices at their properties. http://threatpost.com/marriott-agrees-to-stop-blocking-guest-wifi-devices/110441
- LabMD's request to have an enforcement action against them by the Federal Trade Commission is denied. While this doesn't necessarily mean anything serious, yet, it's definitely one to watch. http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
- Heartland Payment Systems - yes, the company that was the poster child for nearly going out of business because of a horrible breach - is continuing to reinvent itself around security, this time making headlines with an offer of a data breach warranty. Strings, as you may suspect, attached.
  http://www.cspnet.com/industry-news-analysis/technology/articles/heartland-offering-data-breach-warranty
  http://www.
Jan 19, 2015 • 50min

DtSR Episode 126 - The Defense Always Loses

In this episode...
- The blog post that started it all - http://blog.norsecorp.com/2014/11/10/the-new-reality-in-security-offense-always-wins-and-defense-always-loses/
- Vince tells us what he means by "Offense always wins, defense always loses"
- We disagree over this snip from his blog post: "To “win” in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose."
- We discuss how we get away from being Eeyore defeatists
- Vince gives us the security strategies he is advocating, knowing that defense is better equipped and better funded
- We briefly mention high-value assets, why they're even more critical today than they have ever been before, and why we still stink at it
- We challenge Vince to give us some tangible steps to managing risk better, to get away from winning/losing
- We discuss how we compress delivery timelines for security competencies (average time to deliver a technical control is months, plus budget cycle - maybe years)
- We close with lessons learned from Vince's rich experience that he'd like to share with the listeners, to change the nature of the win/lose conversation

Guest
Vince Crisler - Vince has done some very interesting things in his background, including serving as a Communications Officer with the US Air Force, working at the White House as Presidential Communications Officer, backing security start-ups, and chairing a Washington DC OSINT group. He's definitely one of the people you should get to know.
Jan 13, 2015 • 34min

DtSR Episode 125 - NewsCast for January 12th, 2015

Welcome to a new year of the Down the Security Rabbithole Podcast! We are kicking off this year with a guest on this morning's program: Phil Beyer joined us to talk about the last few weeks, which have been a wild, wild ride in the security industry! Thanks for your support so far, and we promise a fantastic 2015 to come.

Topics Covered
- Sony. Sony. Sony. It's all anyone can talk about! They got hacked. They released a movie. They apparently aren't in dire straits. Fascinating.
  http://www.cbc.ca/m/news/world/sony-pictures-ceo-michael-lynton-says-hackers-burned-down-the-house-1.2894997
  http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
  http://www.washingtonpost.com/world/national-security/fbi-director-offers-new-evidence-to-back-claim-north-korea-hacked-sony/2015/01/07/ce667980-969a-11e4-8005-1924ede3e54a_story.html
- Meanwhile, an iron plant in Germany was attacked (via cyber), causing some very serious, and real, damage. http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/
- Microsoft abruptly cut off Patch Tuesday public notifications, unless you're paying extra. http://www.computerworld.com/article/2866996/microsoft-abruptly-dumps-public-patch-tuesday-alerts.html
- On January 11th, 2015 a 90-day window expired and Google's new Project Zero disclosed to the world a Windows 8.1 privilege elevation flaw. Microsoft had not yet patched it. War of words is on.
  https://code.google.com/p/google-security-research/issues/detail?id=123
  http://www.pcworld.com/article/2867533/google-reveals-windows-81-flaw-mere-days-before-patch-tuesday-fix-irking-microsoft.html
