Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Aug 18, 2014 • 42min

DtR Episode 106 - My Compliance is Better Than Your Security

In this episode
- Jason tells us why he isn't hating on compliance
- Jason talks about how security people are often the source of the issues
- Jason gives us his perspective on compliance-driven security
- Jason correlates compliance to quality assurance in security
- We talk about security's unbroken streak of failing at the basics
- We lament poor metrics, why we suck at them, and what comes next
- We discuss how you can tell whether an investment in security 'is working'
- We discuss the need for repetitive and consistent security
- Jason gives us his three things that he wants to leave you with

Guest
Jason Oliver ( @jasonmoliver ) - Jason M Oliver, CISSP, CRISC is the Chief and CEO of Tikras Technology Solutions Corp, a Native American Owned Small Business, President at Arrow Ventures, a seasoned security industry veteran, leader, and lifelong pursuer of knowledge. His unique approach to solving security issues involves individualized plans tailored to meet each specific customer’s needs. His high level of unwavering integrity has been met by the highest regard from both customers and peers.

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Aug 11, 2014 • 45min

DtR Episode 105 - NewsCast for August 11, 2014

Topics covered
- Survey shows CISOs still struggle for respect (from business peers)
  http://www.cio.com/article/2460165/security/cisos-still-struggle-for-respect-from-peers.html
- Hold Security uncovers 1.2 billion password heist on Russian hacker sites (but something smells funny) - draw your own conclusions folks... I'd love to hear 'em
  http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
  http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/
  https://identity.holdsecurity.com/Submit/
  http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
- Yet another Android core software blunder, called "Fake ID", essentially gives "highly privileged malware" a free ride.
  http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
- HP study says 70% of "Internet-of-Things" (IoT) vulnerable. There's a shock, we're carrying around legacy baggage? Perish the thought.
  http://h30499.www3.hp.com/t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284
- Civilian sector is better than the military at Cyber-War exercise. *rollseyes*
  http://www.navytimes.com/article/20140804/NEWS04/308040019/In-supersecret-cyberwar-game-civilian-sector-techies-pummel-active-duty-cyberwarriors?sf29369064=1
- Target booking $148M due to data breach
  http://fortune.com/2014/08/05/target-data-breach-profit/
Aug 4, 2014 • 35min

DtR Episode 104 - JW Goerlich - Security Leaders Series

In this episode
- Who is J.W. Goerlich (redux from episode)
- How did he get to where he is now?
- How does the security executive deal with the "moving finish line"?
- JW discusses how 'security' people can break down barriers between "us" and "them"
- We discuss why we still fail at the basics, and what all this means...
- JWG tries to talk about his favorite controls framework
- We discuss what difference it makes where the CISO reports in the enterprise
- What will the CISO be, or need to do, in ~3-5 years?
- We discuss hiring into InfoSec - from outside, or within ... and why?
- JW gives us the one thing you need to remember

Guest
J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout product lifecycle in process and efficiency gains.
Jul 28, 2014 • 40min

DtR Episode 103 - NewsCast for July 28th, 2014

Topics covered
- Certificate pinning back in the spotlight with the GMail iOS app having some difficulties, but there is a bigger issue here. We discuss.
  http://securityaffairs.co/wordpress/26577/hacking/gmail-app-flaw-mitm.html
- Nearly 3 years later, the NASDAQ hack attributed to FSB/Russian 'state sponsored' hackers, via 2 "zero day malware". Highlighting need for attribution, common language, and other issues in security.
  http://www.infosecurity-magazine.com/view/39397/nasdaq-hackers-used-two-zero-days-but-motives-a-mystery/
- Cyber insurance - is this a forcing function to improve overall security, or yet another carpet to sweep security problems under?
  http://www.reuters.com/article/2014/07/14/us-insurance-cybersecurity-idUSKBN0FJ0B820140714
- A judge has just ruled that your "GMail account" has the same legal (or lack thereof) protections as a hard drive you own. Dangerous precedent, or nothing new?
  http://nakedsecurity.sophos.com/2014/07/22/your-gmail-account-is-fair-game-for-cops-or-feds-says-us-judge/
  also relevant - http://nakedsecurity.sophos.com/2013/08/14/google-says-gmail-users-cant-expect-privacy/

Not discussed, but interesting reads:
- "Operation Emmental" is an assault against 2FA and online banking
  http://secureidnews.com/news-item/operation-emmental-attacks-online-banking-and-2fa/
- Looks like healthcare is next on the list of verticals targeted... filed under things we all suspected, but will soon see
  http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/ h/t to Eric Cowperthwaite
Jul 21, 2014 • 42min

DtR Episode 102 - Security Leaders Series - Jim Tiller

In this episode
- Jim Tiller - a few things you probably didn't know?
- In the last 15 years, what has changed, and what hasn't?
- Why isn't security moving forward?
- "Complexity is the camouflage for bad guys" -Jim
- Chasing the moving line of 'security'
- "Fixing the airplane as it flies"
- How do enterprise security organizations push away from playing 'prevent' permanently?
- Fundamentals, fundamentals, fundamentals ... you're still failing
- What things should CISOs be doing that they're NOT right now?
- Where will security be, as a discipline, in 10 years?

Guest
Jim Tiller ( @Real_Security ) - Jim has been in the security industry since the very early 90’s and has continued his mission in working with individuals, groups, organizations, and companies around the world to collaborate, develop, and implement business aligned security strategies and technologies. Through his career he's worked with and in numerous organizations for the advancement of information security technologies, practices, and standards and through these activities helped organizations achieve their goals. Find Jim on LinkedIn.
Jul 14, 2014 • 46min

DtR Episode 101 - NewsCast for July 14th, 2014

Topics covered
- Florida Information Protection Act of 2014 is in the books, and it brings "sweeping changes" to the data breach disclosure process in Florida. Good thing or bad? You decide
  http://www.scmagazine.com/fla-passes-sweeping-data-breach-notification-bill/article/357858/
  http://www.flsenate.gov/Session/Bill/2014/1526/?Tab=RelatedBills
  http://www.flsenate.gov/Session/Bill/2014/1524
- The DoJ has nabbed a 'prolific hacker'... a Russian national. Russia calls it kidnapping. Tensions flare. Again.
  http://mashable.com/2014/07/08/russian-man-hacking-retailers/
- Chinese man charged with industrial espionage
  http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
- US Banks are calling for a "Cyber War Council" (so much wrong here, it's incredible...)
  http://www.businessweek.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council#p2
- The ultra-ultra-legacy code problem and why we're not getting security any higher up the ladder any time soon
  http://www.businessweek.com/articles/2014-06-25/the-talent-that-keeps-your-50-year-old-software-running-is-retiring-dot-now-what
- Payroll processing company Paytime was hacked and breached. But in the midst of the rush to file lawsuits, at least one company is pledging to stand by Paytime in this rough time... sanity prevails?
  http://www.witf.org/news/2014/07/at-least-one-company-stands-by-paytime-after-data-breach.php
Jul 7, 2014 • 1h 1min

DtR Episode 100 - Security Wisdom from Dan Geer

In this episode
- Who is Dan Geer (just in case you live in a cave and don't know)
- Dan's definition of security - "The absence of unmitigatable surprise"
- What exactly is the pinnacle goal of security engineering?
- Responsibility, liability and when software fails as a result of security issues
- In a liability lawsuit - "What did you know, when did you know it?"
- The fraction of the population who could sign an "informed consent" is falling - so now what?
- Why ICANN is actually making all of this so much worse
- What do we do about "abandoned software"?
- Fixing security bugs in software is a tricky business... good, bad, worse
- Are things getting better [in security]?
- Dan talks about a "diversity re-compiler" and how we can make the exploit writer's job harder
- (from Jason White) What "low hanging fruit" issues are we simply not addressing properly right now?
- (from Jason White) If the Internet were being built from scratch today, what would you keep and throw away?

Guest
Dan Geer - Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security. Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency. In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public. Geer has cited subsequent changes in the Vista operating system (notably a location-randomization feature) as evidence that Microsoft "accepted the paper."
-- http://en.wikipedia.org/wiki/Dan_Geer
Jun 30, 2014 • 48min

DtR Episode 99 - NewsCast for June 30th, 2014

Topics covered
- Your server may have a hardware flaw that exposes your baseboard management interface to the world - http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
- Airports are getting hacked, APT involved, state-sponsored attackers! - http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/
- PayPal flaw renders 2-factor auth on mobile useless, disabled temporarily while they work on a fix - http://www.darkreading.com/mobile/paypal-two-factor-authentication-broken/d/d-id/1278840?
- FTC vs. Wyndham: another shoe drops, the FTC takes a hit while Wyndham scores a win - http://www.mediapost.com/publications/article/228730/judge-authorizes-wyndham-to-appeal-data-security-r.html
- Dilbert says it best - http://dilbert.com/strips/comic/2014-05-19/
Jun 23, 2014 • 46min

DtR Episode 98 - Grr (Grr Rapid Response)

In this episode
- What exactly is "GRR"?
- What sorts of things can GRR do?
- What is a hunt, and how does it scale across tens of thousands of machines?
- How does GRR "hide" from malware?
- How does GRR keep some of the great power it has from being abused?
- Automating and integrating GRR with external sources and tools
- Features, functions, capabilities and some magic from Greg
- The future features, requests, and direction of GRR

Guest
Greg Castle - Greg has 10 years experience working in computer security. In his current role as Senior Security Engineer at Google, he is a developer and user of the open-source GRR live-forensics system. He also has strong interest and involvement in OS X security, having been responsible for the security of Google's OS X fleet for two years. His pre-Google job roles have included pentester, incident responder, and forensic analyst.

Links
Grr Rapid Response - https://code.google.com/p/grr/
Jun 16, 2014 • 52min

DtR Episode 97 - NewsCast for June 16th, 2014

Note: I want to thank Will Gragido for stopping by this morning to talk over the news with us. Always great to have someone with a fresh perspective, I hope you enjoy the show.

Topics Covered
- Don't like Google Glass (or similar devices) on your network? Kick them off - http://mashable.com/2014/06/04/glassholes-wifi-jamming/
- The FAA has issued an order for Boeing to 'protect the planes from computer hackers' ... but what is really going on here? - http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/
- APT, APT, APT, APT ... evolved APT? - http://www.csoonline.com/article/2158775/security-leadership/why-you-need-to-embrace-the-evolution-of-apt.html
- After getting breached, PF Chang's goes "old school"; sounds legit, right? - http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/
- Why preparation is a good idea, even when it comes to 'cyber' - http://www.csoonline.com/article/2360748/security-leadership/using-a-cyber-war-exercise-to-improve-your-security-program.html
- Feed.ly gets DDoS'd, extorted and we're mad as hell - http://www.forbes.com/sites/jaymcgregor/2014/06/12/feedly-goes-down-again-in-second-ddos-attack/
- Target hires a (good) CISO, Brad Maiorino, so why are people getting all bent out of shape over where he reports in the organization? - http://blog.wh1t3rabbit.net/2014/06/getting-wrapped-around-ciso-reporting.html