
Down the Security Rabbithole Podcast (DtSR)
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Latest episodes

Jan 5, 2015 • 57min
DtSR Episode 124 - PCI DSS and Security (Yes, Really)
Hi everyone! Welcome to the very first episode of the Down the Security Rabbithole Podcast for 2015! On this opening episode, Jeff Man joins us to talk truth to power on PCI DSS and shatters myths for us.

In this episode
- Jeff tackles some common misunderstandings about PCI
- The crew discusses PCI: what's right about it and what's wrong about it
- Jeff tells us why he believes if you're secure you're compliant, but if you're compliant you're probably not secure
- The $64M question: isn't EMV, P2PE, and tokenization going to spell the end of PCI?
- Jeff tells us what to look forward to with PCI DSS v3.0

Guest
Jeff Man ( @MrJeffMan ) - Mr. Man has 13 years of DoD experience (10 at NSA as a Cryptanalyst/Information Security Analyst), 18 years of commercial consulting (pen testing, vulnerability assessments, security architecture reviews), and 10 years as a QSA doing PCI (and yet he's never conducted a PCI audit and never been a CISSP). As a QSA he's been involved with most of the major companies that experienced breaches in the mid-2000s (Walmart, TJX, Heartland), so he can speak with some credibility about recent breaches in the past year or so.

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Dec 29, 2014 • 53min
DtSR FeatureCast - 2014 Year in Review
Hey everyone! We're almost done with 2014 and another new year is right around the corner. We thought this was the perfect time to sit back, relax a little and reflect on the year that was...and boy was it ever!

Jack Daniel & Allison Miller join Michael, James and me on the podcast to talk it all out, share a few chuckles and try to make sense of it all! Thanks for listening everyone, it's been an epic year and we look forward to more awesome things in 2015!

Dec 22, 2014 • 29min
DtSR FeatureCast - US vs. Salinas ft. Shawn Tuma
In this episode
Attorney and CFAA expert Shawn Tuma joins us to talk about the US vs. Salinas case, where Mr. Salinas was threatened with 440 years in jail and has now pleaded down to a misdemeanor. Prosecutorial discretion, or attorneys-gone-wild?
Link: http://www.wired.com/2014/11/from-440-years-to-misdemeanor/

Dec 15, 2014 • 43min
DtSR Episode 123 - NewsCast for December 15th, 2014
Topics covered
- The unfolding case of the Sony Pictures Entertainment breach
  http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html
  http://www.thedailybeast.com/articles/2014/12/12/shocking-new-reveals-from-sony-hack-j-law-pitt-clooney-and-comparing-fincher-to-hitler.html
  http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html
  http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html
- The phishing scam that succeeded at hitting a big chunk of Wall Street - it probably would have fooled you too. Here's what we've learned
  http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
- Iranian hackers hit Las Vegas behemoth with a sophisticated attack ... wait, it was Visual Basic-based?!
  http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
- Judge refuses to dismiss case against Target, brought by the banks, who are the ones who take the brunt of the losses
  http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target-for-2013-credit-card-hack/

Dec 8, 2014 • 51min
DtSR Episode 122 - Enterprise Architecture's Role in Security
In this episode
- Michelle explains to us what Enterprise Architecture is, and what it isn't
- Michelle gives her take on how security and enterprise architecture support each other
- We discuss the role of standards, standards, standards - and why you can't have security without them
- We talk about GRC
- We talk through roles & responsibilities definition between security, architecture, and the rest of IT
- "Application Portfolio Rationalization" -- the most impossible project. Ever.
- Michelle schools us on data, high-value assets, meta-data and the really hard topics for security
- Michelle gives us a series of examples of "HOW" we can find high-value assets, and start security there
- Michelle addresses the phrase "business alignment" since it's pivotal to enterprise architecture

Guest
Michelle-Marie Strah ( @CyberSlate ) - Director, Enterprise Architecture at NBCUniversal. Michelle recently joined the newly formed Strategy and Architecture team at NBCUniversal, designed to drive enterprise architecture, solutions architecture and innovation management across all companies in the NBCUniversal global portfolio. Previously she was at Microsoft Corporation worldwide headquarters, where she was responsible for leading emerging markets cloud deployments, go-to-market and compete strategies in Latin America for public, private and hybrid cloud offers (both Azure and partner-hosted clouds). As part of her role on the Applied Incubation Team she worked closely with partners, CIOs and government officials as well as internal CTO, legal, and chief security officer teams in the region to ensure privacy and security standards for government and private sector cloud adoption in Latin America.

As an enterprise architect, Michelle specializes in governance, risk, compliance, information security and enterprise information management and has decades of experience in highly regulated industries, government, defense and healthcare.

Additional Links
IBM Security Framework: http://www.redbooks.ibm.com/abstracts/sg248100.html?Open
OSA: http://www.opensecurityarchitecture.org
TOGAF: The Open Group Architecture Framework: http://www.opengroup.org/togaf/

Dec 1, 2014 • 44min
DtSR Episode 121 - NewsCast for December 1st, 2014
Topics covered
- Sony Pictures is having a very, very bad couple of days - and it could keep getting worse.
  http://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-security-compromise
  http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html
- A newly discovered (but old) comment bug in WordPress affects ~86% of sites. The story isn't what you think it is.
  http://www.consumeraffairs.com/news/newly-discovered-comment-security-bug-affects-86-of-wordpress-blogs-112414.html
- The Australian government is blaming a data breach from February on ... "awareness"? Michael disagrees (and he's right).
  http://www.esecurityplanet.com/network-security/australian-government-data-breach-linked-to-poor-security-training.html
- The public release of the research on Regin malware has it pegged as the most advanced thing since the computer - so what?
  http://money.cnn.com/2014/11/23/technology/security/regin-malware-symantec/index.html?hpt=hp_t2
  https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
  Symantec whitepaper: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
- The Justice Department is using a 225 year old law to tackle a modern problem of encrypted cell phones through the manufacturer.
  http://blogs.wsj.com/digits/2014/11/25/case-suggests-how-government-may-get-around-phone-encryption/
- The court system...works? 440 year jail threat down to a misdemeanor in no time flat
  http://www.wired.com/2014/11/from-440-years-to-misdemeanor/

Updates:
- Target doesn't feel like all the banks' losses are their problem, here's why -

Nov 24, 2014 • 47min
DtSR Episode 120 - Hacking the Human (again)
In this episode
- We revisit the 'human' side of hacking
- Chris tells us all about the Defcon CTF his team has hosted
- We discuss the role human nature plays in social engineering, or "Why the bad guys always win"
- Chris gives us his tips for making it harder for social engineers
- Michael and Chris talk metrics and measuring "getting better"

Guest
Chris Hadnagy ( @HumanHacker ) - Chris Hadnagy (author of Social-Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security) is a speaker, teacher, pentester, and recognized expert in the field of social engineering and security.

Chris Hadnagy is the President and CEO of Social-Engineer, Inc. He has spent the last 16 years in security and technology, specializing in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit.

Chris is a graduate of Dr. Paul Ekman's courses in Microexpressions, having passed the certification requirements with an "Expert Level" grade. He also has significant experience in training and educating students in non-verbal communications. He holds certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP).

Finally, Chris has launched a line of professional social engineering training and penetration testing services at Social-Engineer.Com. His goal is to assist companies in remaining secure by educating them on the methods used by malicious attackers. He accomplishes this by analyzing, studying, dissecting, then performing the very same attacks used during some of the most recent incidents (i.e. Sony, HB Gary, Lockheed Martin, Target, etc.), and so Chris is able to help companies understand their vulnerabilities, mitigate issues, and maintain appropriate levels of education and security.

Chris has developed one of the web's most successful security podcasts, The Social-Engineer.Org Podcast, and the equally popular SEORG Newsletter. Over the years, both have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff.

You can find Chris's articles for local, national, and international publications and journals, including Pentest Mag, EthicalHacker.net, and local and national Business Journals.

Links:
Social Engineer Org - Your one-stop place for podcast, newsletter, and all things social engineering from Chris's team - http://www.social-engineer.org/
SECTF Report - http://ww

Nov 17, 2014 • 41min
DtR Episode 119 - NewsCast for November 17th, 2014
Note: The hashtag for the show on Twitter has changed, please connect with us using #DtSR going forward. Thanks!

Topics covered
- Update: Home Depot breach (Hint: apparently it was a 3rd party entry point)
  Story: http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html
  Apparently as a reaction, all execs are being switched to iDevices (blame Windows? and why only execs?) - http://www.imore.com/home-depot-switches-execs-iphones-macbooks-it-blames-windows-massive-breach
  Also, they lost ~53 Million email addresses too - http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
- American Express is pushing tokenization to their payment ecosystem. This is big news but leaves a lot more questions and concerns than answers (for example: what about chip & pin (sign)?)
  Story: http://threatpost.com/american-express-brings-tokenization-to-payment-cards/109137
  Check out the standard itself: http://www.emvco.com/download_agreement.aspx?id=945
- Flaw found (in a lab) in the VISA EMV protocol, but is it realistic to do this kind of "immense fraud" outside the lab, in real life?
  Story: http://www.cio.com/article/2842994/flaw-in-visa-cards-could-ring-up-a-very-large-fraud.html
- The FTC further exercises its (Constitutional?) powers to take down fake "Support call scammers" and is on track to some public fanfare
  Story: https://nakedsecurity.sopho

Nov 10, 2014 • 53min
DtR Episode 118 - Demystifying Threat Intelligence
In this episode
- Adam and Dmitri discuss what is (and what isn't) threat intelligence
- We discuss strategic, tactical and operational security intelligence
- Who is using threat intelligence, and how?
- Adam talks about the success factors, key points, and trends
- Michael asks how an organization can know whether they're READY for a threat intelligence program
- Adam explains the term "finished intelligence"
- Adam describes tactical intelligence, while Dmitri gives his take on strategic intelligence
- We discuss the merits of education and awareness - first
- How important is attribution, really?
- 3 critical things an enterprise *must be doing* before jumping into threat intelligence as a program

Guests
Adam Meyers ( @adamcyber ) - Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam's responsibility to oversee all of CrowdStrike's intelligence gathering and cyber-adversarial monitoring activities. Adam's Global Intelligence Team supports both the Product and Services divisions at CrowdStrike and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. He served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. He also provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. During his tenure at SRA International, Adam also served as the Product Manager for SRA's dynamic malware analysis platform Cyberlock.

Dmitri Alperovitch ( @dmitricyber ) - Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike Inc., leading its Intelligence, Technology and CrowdStrike Labs teams. A renowned computer security researcher, he is a thought-leader on cybersecurity policies and state tradecraft. Prior to founding CrowdStrike, Dmitri was a Vice President of Threat Research at McAfee, where he led the company's global Internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light the Operation Aurora, Night Dragon and Shady RAT groundbreaking cyberespionage intrusions, and gave those incidents their names. In 2013, Alperovitch received the prestigious recognition of being selected as MIT Technology Review's "Young Innovators under 35" (TR35), an award previously won by such technology luminaries as Larry Page and Sergey Brin, Mark Zuckerberg and Jonathan Ive. Alperov

Nov 7, 2014 • 25min
DtR FeatureCast - Norse Corp DDoS - Nov 7 2014
In this episode
- Jeff explains a little bit about who Norse is, and why they were potentially targeted with a DDoS
- We discuss what a DDoS is, how it becomes effective, and what methods/tools attackers use (in this case SNMP v2 reflection)
- We talk about threat intelligence (reputational intelligence) and how companies and intelligence platforms can leverage this data to decrease risks actively

Guest
Jeff Harrell ( @jeffharrell ) - Jeff Harrell is the Vice President of Product Marketing at Norse, the leader in live attack intelligence. Jeff has over 15 years of experience in the IT Security industry leading product management and product marketing teams to build and market security solutions from end users to large enterprises. Jeff's areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.

Additional Links
The attack map Jeff talked about: http://map.ipviking.com
Blog post from Norse on the DDoS: http://blog.norsecorp.com/category/featured/2014/11/06/video-norse-live-attack-map-hammered-by-1-5-gbps-ddos-attack/
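The SNMP v2 reflection method mentioned above has a recognizable shape from the victim's side: SNMP responses (UDP source port 161) arrive from many distinct agents the victim never queried, because the attacker spoofed the victim's address on small GetBulk requests and let the agents' large replies do the flooding. The following is an added example of that detection logic run over flow records; it is not code from the podcast or from Norse. The NetFlow-style CSV records are constructed for the example, and the thresholds (ten reflectors, 500 bytes per packet) are assumptions to tune for a real network.

```python
"""Flag SNMP (UDP/161) reflection traffic in flow records.

Added example for the Norse DDoS episode; not code from the podcast or from
Norse. The flow records below are constructed, NetFlow-style CSV, and the
thresholds are assumptions to be tuned for a real network.
"""
import csv
import io
from collections import defaultdict

SNMP_PORT = 161

# Constructed sample: a legitimate poll from a monitoring host to a switch
# (request seen, reply seen), one DNS lookup by the future victim, and then
# thirty agents on 198.51.100.0/24 each sending 40 near-MTU "responses"
# (58000 bytes / 40 packets = 1450 bytes each) to 203.0.113.10, which never
# sent them a request: the attacker spoofed the victim's address.
_LEGIT = """\
src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
10.0.0.5,51234,10.0.0.20,161,udp,3,210
10.0.0.20,161,10.0.0.5,51234,udp,3,1140
203.0.113.10,43021,192.0.2.53,53,udp,1,64
192.0.2.53,53,203.0.113.10,43021,udp,1,120
"""
_REFLECTED = "".join(
    f"198.51.100.{i},161,203.0.113.10,80,udp,40,58000\n" for i in range(1, 31)
)
SAMPLE_FLOWS = _LEGIT + _REFLECTED


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "src_ip": row["src_ip"], "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"], "dst_port": int(row["dst_port"]),
            "proto": row["proto"].lower(),
            "packets": int(row["packets"]), "bytes": int(row["bytes"]),
        })
    return flows


def find_snmp_reflection(flows, min_reflectors=10, min_avg_pkt_bytes=500):
    """Return {victim_ip: stats} for hosts receiving unsolicited SNMP replies.

    From the victim's side a reflection attack is SNMP responses (UDP source
    port 161) from many distinct agents that the victim never queried, and the
    packets are large because GetBulk responses are what the attacker picked
    for amplification. Thresholds are assumptions for this example.
    """
    # (client, agent) pairs where the client really did send an SNMP request.
    solicited = {(f["src_ip"], f["dst_ip"]) for f in flows
                 if f["proto"] == "udp" and f["dst_port"] == SNMP_PORT}

    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != SNMP_PORT:
            continue
        if (f["dst_ip"], f["src_ip"]) in solicited:
            continue  # a genuine reply to a request this host sent
        v = per_victim[f["dst_ip"]]
        v["reflectors"].add(f["src_ip"])
        v["packets"] += f["packets"]
        v["bytes"] += f["bytes"]

    alerts = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0.0
        if len(v["reflectors"]) >= min_reflectors and avg >= min_avg_pkt_bytes:
            alerts[victim] = {
                "reflectors": len(v["reflectors"]),
                "packets": v["packets"],
                "bytes": v["bytes"],
                "avg_pkt_bytes": avg,
            }
    return alerts


if __name__ == "__main__":
    for victim, stats in find_snmp_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {stats['reflectors']} unsolicited SNMP reflectors, "
              f"{stats['bytes']} bytes, {stats['avg_pkt_bytes']:.0f} bytes/pkt")
```

The "solicited" check is what separates this from a plain port filter: a monitoring host that polls its own switches will see plenty of UDP/161 replies, but each one answers a request the host actually sent. Unsolicited replies from many agents are the spoofing signature, and the reflectors themselves are misconfigured third parties, not the attacker, so the right upstream action is to drop inbound UDP source port 161 at the edge for hosts that never poll SNMP, not to blocklist the reflector addresses as hostile.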