Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Feb 23, 2015 • 42min

DtSR Episode 131 - NewsCast for February 23rd, 2015

In this episode:

- Would you be OK with your credit card company tracking you, to decrease fraud rates? Visa wants to track your smartphone.
  http://triblive.com/business/headlines/7774328-74/visa-card-fraud
- Your stolen healthcare data is increasingly being sold on the black market.
  http://www.ihealthbeat.org/articles/2015/2/19/security-experts-health-data-increasingly-being-sold-on-black-market
- Lenovo has shipped software that performs a man-in-the-middle (MITM) attack against all SSL connections on some of its consumer laptops. This is really, really, really bad, but Lenovo doesn't seem to get it.
  http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
  http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
- The web browser is totally broken, and a haven for malware. Long live the web browser?
  http://securityintelligence.com/broken-web-browsers-malwares-new-address/

Support the show >>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Feb 16, 2015 • 49min

DtSR Episode 130 - Where Law and Cyber Collide

In this episode:

- Traveler's Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers.
  http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
  - We discuss whether security standards are now "implied".
  - Does Traveler's have any standing to sue? (Shawn thinks not.)
- FTC goes after LabMD for a data breach.
  http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
  - Is the FTC over-reaching?
  - We discuss this statement from the FTC website: "[LabMD failed to] ..reasonably protect the security of consumers’ personal data, including medical information"
- Social media company TopFace pays a ransom to hackers.
  http://www.forbes.com/sites/davelewis/2015/01/31/topface-facepalms-as-it-surrenders-to-data-breach-hacker-blackmail/
  - Face + Palm.
  - We lament why this absolutely terrible decision may have far-reaching repercussions.

Guest

Shawn Tuma ( @ShawnETuma ) - In addition to being a perennial favorite on this show, Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, a Christian, a family man, an author & speaker - and an all-around awesome guy.
Feb 9, 2015 • 51min

DtSR Episode 129 - NewsCast for February 9th, 2015

Topics covered:

- Massive breach at American health insurer Anthem - from the "haven't we done this once before?" department, as Queen's "Another One Bites the Dust" plays in the background.
  https://gigaom.com/2015/02/05/oops-another-big-data-breach-this-time-at-anthem/
  http://money.cnn.com/2015/02/05/investing/anthem-hack-stocks/index.html?sr=twmoney020615anthemwallst0600story
  (Obligatory OMG China! hype link) http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
- Hackers target brokers, financial advisors -- SEC "does something".
  http://thehill.com/policy/cybersecurity/231649-hackers-targeting-brokerages-and-financial-advisers
- SEC weighs cybersecurity disclosure rules (why SEC?).
  http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
- A promising new technology which detects hacks in - milliseconds? - but what's the use case?
  http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds
- Google launches vulnerability research grants program - because bug bounties just aren't enough.
  http://www.scmagazine.com/google-launches-vulnerability-research-grants-program/article/395694/
- Sony Pictures Entertainment (the company that was so thoroughly hacked) CEO Amy Pascal is out! But is this proof of anything, for security? Ask Michael...
  http://www.csoonline.com/article/2880600/security-leadership/the-conversation-security-leaders-need-to-have-about-amy-pascal-s-departure.html
Feb 8, 2015 • 6min

DtSR MicroCast 07 - Taking Security Seriously

This is the 7th installment (call it a rebirth) of the MicroCast. Short and to the point, Michael and James talk about the phrase breached companies use - "We take your security seriously..." Join the conversation at #DtSR on Twitter!
Feb 2, 2015 • 1h 1min

DtSR Episode 128 - When Breach, Buy the Dip

Fans - If you haven't booked your ticket for InfoSec World 2015 in sunny Orlando, FL, check this out. Register using our code CLD15/RABBIT for 15% off. If you want a chance to go for FREE, listen to Episode 127 for your chance!

In this episode...

- John gives us a little lesson on markets, and why they move up/down, with commentary for the information security professional.
- John discusses what #BTFD means.
- John uses the Target example of why security professionals, marketers, and much of the media got it completely wrong.
- John educates us on insurance, compliance and liability.
- My head explodes...

Guest

John Foster ( @dearestleader ) - Mr. Foster has 19 years of technology experience but left technical infosec in 2003 to pursue a career in Compliance and Ethics. He now focuses on bribery & corruption, environmental issues, and other interesting topics, but infosec keeps appearing in compliance and finance. He is an investor with experience in stock, foreign exchange, options, and futures, which allows him to see past the data breach hype. He is a Certified Treasury Professional, Six Sigma Black Belt, and holds certificates in ISO 9001, 14001, 20000, 22301, 27001, & 28000 from PECB. He is a partner at Bianco Foster Group, LLC, which provides training and education services in ISO standards, and an investor in several early stage startups.

Links

- Short portfolio: http://dearestleader.me/2015/01/portfolio-update/
- S&P no material impact: http://dearestleader.me/2015/01/standard-poors-says-breaches-have-no-material-impact/
- Home Depot earnings call analysis: http://dearestleader.me/2014/12/home-depot-earnings-indicate-there-is-no-fear/
- Target sales up 40% over last year: http://dearestleader.me/2014/11/target-continues-to-conquer-all/
- Initial Target analysis: http://dearestleader.me/2014/03/target-data-breach-not-a-disaster/
Jan 26, 2015 • 39min

DtSR Episode 127 - NewsCast for January 26th, 2015

** There is a special gift for our listeners in this episode, from our friends at InfoSec World 2015! Listen to find out how you can go for free. We have a promo code! CLD15/RABBIT – 15% off for “Down the Rabbit Hole” listeners.

Topics Covered:

- Google picks up really big rocks, but lives in a glass house. As Google drops zero-days on Apple and Microsoft, they respond with a lame excuse as to why they aren't patching a vulnerability that puts north of 60% of all Android users at risk.
  http://m.v3.co.uk/v3-uk/news/2389839/google-puts-60-percent-of-android-users-at-risk-with-webview-security-changes
  http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
  http://www.eweek.com/security/google-project-zero-continues-its-microsoft-zero-day-assault.html
  http://www.zdnet.com/article/googles-project-zero-reveals-three-apple-os-x-zero-day-vulnerabilities/
- Marriott reverses its decision to block guests' personal WiFi devices at their properties.
  http://threatpost.com/marriott-agrees-to-stop-blocking-guest-wifi-devices/110441
- LabMD's request to have an enforcement action against them by the Federal Trade Commission dismissed is denied. While this doesn't necessarily mean anything serious, yet, it's definitely one to watch.
  http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
- Heartland Payment Systems - yes, the company that was the poster child for nearly going out of business because of a horrible breach - is continuing to reinvent itself around security, this time making headlines with an offer of a data breach warranty. Strings, as you may suspect, attached.
  http://www.cspnet.com/industry-news-analysis/technology/articles/heartland-offering-data-breach-warranty
  http://www.
Jan 19, 2015 • 50min

DtSR Episode 126 - The Defense Always Loses

In this episode...

- The blog post that started it all - http://blog.norsecorp.com/2014/11/10/the-new-reality-in-security-offense-always-wins-and-defense-always-loses/
- Vince tells us what he means by "Offense always wins, defense always loses".
- We disagree over this snip from his blog post: "To “win” in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose."
- We discuss how we get away from being Eeyore defeatists.
- Vince gives us the security strategies he is advocating, knowing that defense is better equipped and better funded.
- We briefly mention high-value assets, why it's even more critical today than it has ever been before, and why we still stink at it.
- We challenge Vince to give us some tangible steps to managing risk better, to get away from winning/losing.
- We discuss how we compress delivery timelines for security competencies (average time to deliver a technical control is months, plus budget cycle - maybe years).
- We close with lessons learned from Vince's rich experience that he'd like to share with the listeners, to change the nature of the win/lose conversation.

Guest

Vince Crisler - Vince has done some very interesting things in his background, including serving as a Communications Officer with the US Air Force, working at the White House as Presidential Communications Officer, backing security start-ups, and chairing a Washington DC OSINT group. He's definitely one of the people you should get to know.
Jan 13, 2015 • 34min

DtSR Episode 125 - NewsCast for January 12th, 2015

Welcome to a new year of the Down the Security Rabbithole Podcast! We are kicking off this year with a guest on this morning's program: Phil Beyer joined us to talk about the last few weeks, which have been a wild, wild ride in the security industry! Thanks for your support so far, and we promise a fantastic 2015 to come.

Topics Covered:

- Sony. Sony. Sony. It's all anyone can talk about! They got hacked. They released a movie. They apparently aren't in dire straits. Fascinating.
  http://www.cbc.ca/m/news/world/sony-pictures-ceo-michael-lynton-says-hackers-burned-down-the-house-1.2894997
  http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
  http://www.washingtonpost.com/world/national-security/fbi-director-offers-new-evidence-to-back-claim-north-korea-hacked-sony/2015/01/07/ce667980-969a-11e4-8005-1924ede3e54a_story.html
- Meanwhile, an iron plant in Germany was attacked (via cyber), causing some very serious, and real, damage.
  http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/
- Microsoft abruptly cut off Patch Tuesday public notifications, unless you're paying extra.
  http://www.computerworld.com/article/2866996/microsoft-abruptly-dumps-public-patch-tuesday-alerts.html
- On January 11th, 2015 a 90-day window expired and Google's new Project Zero disclosed to the world a Windows 8.1 privilege elevation flaw. Microsoft had not yet patched it. The war of words is on.
  https://code.google.com/p/google-security-research/issues/detail?id=123
  http://www.pcworld.com/article/2867533/google-reveals-windows-81-flaw-mere-days-before-patch-tuesday-fix-irking-microsoft.html
Jan 5, 2015 • 57min

DtSR Episode 124 - PCI DSS and Security (Yes, Really)

Hi everyone! Welcome to the very first episode of the Down the Security Rabbithole Podcast for 2015! On this opening episode, Jeff Man joins us to talk truth to power on PCI-DSS and shatters myths for us.

In this episode:

- Jeff tackles some common misunderstandings about PCI.
- The crew discusses PCI – what’s right about it and what’s wrong about it.
- Jeff tells us why he believes if you’re secure you’re compliant, but if you’re compliant you’re probably not secure.
- The $64M question - isn’t EMV, P2PE, and tokenization going to spell the end of PCI?
- Jeff tells us what to look forward to with PCI DSS v3.0.

Guest

Jeff Man ( @MrJeffMan ) - Mr. Man has 13 years of DoD experience (10 at NSA as a Cryptanalyst/Information Security Analyst), 18 years of commercial consulting – pen testing, vulnerability assessments, security architecture reviews – and 10 years as a QSA doing PCI (and yet he's never conducted a PCI audit and never been a CISSP). As a QSA he's been involved with most of the major companies that experienced breaches in the mid-2000s (Walmart, TJX, Heartland), so he can speak with some credibility about recent breaches in the past year or so.
Dec 29, 2014 • 53min

DtSR FeatureCast - 2014 Year in Review

Hey everyone! We're almost done with 2014 and another new year is right around the corner. We thought this was the perfect time to sit back, relax a little and reflect on the year that was... and boy was it ever! Jack Daniel & Allison Miller join Michael, James and I on the podcast to talk it all out, share a few chuckles and try to make sense of it all! Thanks for listening everyone, it's been an epic year and we look forward to more awesome things in 2015!