

Down the Security Rabbithole Podcast (DtSR)
Rafal (Wh1t3Rabbit) Los
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Episodes

Jun 9, 2014 • 37min
DtR Episode 96 - A CIO Talks About CISOs
My apologies for some of the skips in this episode - we had some difficulty with the recording and ultimately I hope it doesn't take away from Joe's wonderful message. Thanks for your patience.

In this episode
- From CISO to CIO - making that leap
- Does the CISO need to be technical? (answering that question, again)
- What types of things does a CIO need to know?
- Who should the CISO report to?
- Any chance the CISO reporting structure shifts around?
- A "Chief Data Officer"?
- Are there too many 'splintered' job titles in the security/risk role?
- Responsibility, accountability, and where the buck stops
- What are 3 things security does right, and what are 3 things that we do terribly?
- How big should your security budget be? (trick question)
- What KPIs should security be reporting to the CIO? (the hardest question ever)
- What resources are there for CIOs?

Guest
Joe Riesberg ( @JoeRiesberg ) - Joe is currently the CIO of Drake University. Previous to his current role, he was the Senior Vice President, Global IT Security Services Director at Aviva plc. His LinkedIn profile can be found here: https://www.linkedin.com/pub/joe-riesberg/1/a81/931

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Jun 2, 2014 • 47min
DtR Episode 95 - NewsCast for June 2nd, 2014
Note: Today, Kim Halavakoski joined us on the show to provide perspective all the way from Finland! We appreciate his international addition to the show, and hope the listeners enjoy the added brainpower.

Topics covered
- Facebook's next major update will turn your mobile device into an always-on listening tool for FaceBook. This is a good time to remind you that you are the product, not the customer - http://www.ibtimes.com/facebook-microphone-update-store-data-social-media-giant-confirms-new-feature-will-1588916
- In a blow to security professionals' egos everywhere, investors apparently aren't swayed by data breaches - http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches
- The US's indictment of 5 Chinese nationals for 'state sponsored industrial espionage' is apparently backfiring (or at least it is in the media) - http://www.bloomberg.com/news/2014-05-27/china-said-to-push-banks-to-remove-ibm-servers-in-spy-dispute.html
- Now that there is a hack to enable WinXP SP3 computers to masquerade as Point-of-Sale terminals and receive updates ... should you even consider this? Hint: NO - http://blog.wh1t3rabbit.net/2014/05/hacking-registry-to-keep-windowsxp.html
- Target's Audit Committee is under fire for the data breach, but who's really, really at fault? An interesting perspective from Forrester - http://blogs.forrester.com/renee_murphy/14-05-29-dont_blame_targets_audit_committee_for_the_sins_of_technology_management

May 26, 2014 • 42min
DtR Episode 94 - ICANN, Tor, and Internet Freedom
In this episode
- Jeff explains the background of the relationship between the US government, ICANN and IANA
- What is the ITU and why is this $0 contract handoff to the ITU such a big deal?
- What impact did Edward Snowden's actions have on the issue?
- The potential issues with DNS and cross-border censorship
- The importance of Tor, Freenet and challenges of implementation
- Discussing the evolution of services like Tor through "nation-state firewalls"
- Changing the image of anonymous services
- Making Tor and similar services more user-friendly, and more prevalent

Guest:
Jeff Moss ( @TheDarkTangent ) - Jeff, also known as The Dark Tangent, is an American hacker, computer security expert and internet security expert who founded the Black Hat and DEF CON computer hacker conferences. His Wikipedia page can be found here.

May 19, 2014 • 42min
DtR Episode 93 - NewsCast for May 19th, 2014
Announcements:
- I want to thank Circle City Con as a sponsor for the show! I have one more ticket to give away ... so watch the #DtR hashtag on Twitter!
- Thanks to special guest Philip Beyer for sitting in James' seat this morning...

Topics discussed
- "US charges China with cyber-spying on American firms" (Hello, pot? this is the kettle...) - http://www.nbcnews.com/news/us-news/u-s-charges-china-cyber-spying-american-firms-n108706
- Should we be thinking about security beyond win/lose (aka "oh no, hackers are winning!") - http://www.csoonline.com/article/2156104/security-leadership/thinking-about-security-beyond-winning-and-losing.html
- Retail Industry Leaders Association (RILA) has launched their own ISAC-like entity called Retail Cyber Intelligence Sharing Center (R-CISC) - http://associationsnow.com/2014/05/retail-group-launches-sharing-tool-cyber-threats/
- A recent survey tells us that a whopping 43% of all identity theft in 2013 happened in healthcare ( W O W ) - http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/
- Self-driving cars, making life-and-death decisions (this should terrify you) - http://www.wired.com/2014/05/the-robot-car-of-tomorrow-might-just-be-programmed-to-hit-you/

May 12, 2014 • 32min
DtR Episode 92 - Rapid Incident Response [Guests: Robin Jackson, Dan Moore]
In this episode
- Dan gives us the reality of living in what is commonly termed "the post-breach" world
- Dan and Robin talk through the explosion in the numbers of malware samples
- We discuss the different approaches to malware, crimeware, and the cross-over between them
- Dan explains what "rapid incident response" really means and why it's essential
- Dan and Robin give us some excellent examples of incident preparedness fundamentals
- Dan gives us a lesson on implementing 'powerful tools' (and forgetting about them)
- We talk through "who's doing it well?" (and we don't get a very hopeful answer)
- Is it time to learn from our own and others' mistakes? (how?)

Guests:
Robin Jackson ( @rjacksix ) - Robin is an incident response and digital forensics specialist for HP Enterprise Security Services.
Dan Moore - Dan is an incident response and digital forensics specialist for HP Enterprise Security Services.

May 5, 2014 • 41min
DtR Episode 91 - NewsCast for May 5th, 2014
Topics discussed
- Microsoft has issued a patch for the massive MS IE flaw - for WindowsXP! - http://arstechnica.com/security/2014/05/microsofts-decision-to-patch-windows-xp-is-a-mistake/
- Is Open Source Software more or less secure than closed-source? (in a post-Heartbleed era) - http://www.telegraph.co.uk/technology/internet-security/10769996/Heartbleed-the-beginning-of-the-end-for-open-source.html
- Target's CEO has stepped down, but what's the real reason and is there now opportunity for change? - http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/ and http://www.latimes.com/business/money/la-fi-mo-target-ceo-resigns-20140505,0,4479532.story
- Biometrics (specifically fingerprints) aren't as secure or unique as we'd like them to be, so ... passwords? - http://www.telegraph.co.uk/science/science-news/10775477/Why-your-fingerprints-may-not-be-unique.html

Apr 28, 2014 • 26min
DtR Episode 90 - Things Your Auto Insurance Knows [Anonymous guest]
In this episode
- We discuss some of the new techniques auto insurance companies are using to custom-tailor rates to drivers
- Our guest discusses some of the capabilities of the widgets available
- Our guest discusses the 'call home' functions, and potential mis-use
- We use 'big data' seriously
- We talk about 'big data' and security - for real
- Our guest gives us a realistic view about the type of data that's out there about your driving, habits, and tracking

Guest
Our guest is an industry insider, who for obvious reasons chose not to identify himself. We respect the guest's position, and kindly ask that our listeners do as well.

Apr 21, 2014 • 34min
DtR Episode 89 - NewsCast for April 21st, 2014
Topics discussed
- The big story - "Heartbleed"
  http://www.csoonline.com/article/2142626/security-leadership/how-you-need-to-respond-to-heartbleed-and-how-you-can-explain-it-to-others.html
  http://www.csoonline.com/article/2146141/disaster-recovery/healthcare-gov-urges-password-resets-due-to-heartbleed.html
  http://xkcd.com/1354/
  http://rt.com/news/heartbleed-arrest-canada-security-016/
- The "hacker*" known as "Weev" is free ... on a technicality, and why this is bad, very very bad, for our industry
  http://techcrunch.com/2014/04/11/weev-is-free/
- "Ramshackle Glam" - how one blogger had to go to extraordinary lengths to get her site back, and what you can learn from it
  http://mashable.com/2014/04/02/ramshackle-glam-hacking/
- The FTC's lawsuit against Wyndham Hotels was allowed to proceed by a federal judge - and why this is a very dangerous precedent
  http://www.fiercegovernmentit.com/story/ftc-lawsuit-over-hotel-chain-data-breach-can-proceed/2014-04-14
- Data breach roundup
  Michaels [yes, again] - http://www.business-standard.com/article/news-ani/leading-us-art-store-admits-2-6-mln-credit-cards-at-risk-of-hacking-114041800569_1.html
  South Carolina data breach is getting costly (for tax payers) - http://www.therepublic.com/view/story/396a4be862cd485e9248cab7879a3a71/SC--Hacked-Tax-Returns
  Hard drive maker LaCie was a victim ... for over a year - http://www.techtimes.com/articles/5672/20140416/lacie-latest-victim-data-theft-ironies-hard-drive-manufacturer-hacked.htm
  [UK] Cosmetic surgery group hacked, blackmail ensues (yikes!)

Apr 14, 2014 • 54min
DtR Episode 88 - Advanced Threat Actors [Panel Discussion]
In this episode
- Advanced Threat Actors - more or less a threat right now than before? (how much is hype?)
- Advanced Persistent Threat - is it really THAT advanced? (a "what" or a "who"?)
- The distinction of what "APT" is ... and isn't
- Touching on Mandiant APT-1 ... hype from reality
- A quick discourse on corporate espionage!
- How we respond to APTs ... is this just really "incident response" for a boogeyman?
- The snake oil salesman behind "Automated APT defense"
- Threat Intelligence - necessary, but what's the proper use?
- Threat Intelligence requires collaboration, how do we do it?
- Is our security failing, or is our perception of what we want it to do wrong?
- Key take-aways for the enterprise professional

Guests
Steve Santorelli ( @SteveSantorelli ) - Manager of outreach at Team Cymru
John Pirc ( @jopirc ) - CTO of NSS Labs
J. Oquendo ( @advancedthreat ) - veteran threat researcher
Robin Jackson ( @rjacksix ) - veteran threat researcher, forensics expert at HP Enterprise Security Services

Apr 8, 2014 • 33min
DtR Episode 87 - NewsCast for April 7th, 2014
Topics covered
- WindowsXP is officially, for real, definitely end of life - http://windows.microsoft.com/en-us/windows/end-support-help
- Google Nest pushes update - examining the bigger picture - http://www.theregister.co.uk/2014/04/04/nest_waves_goodbye_to_alarm_switchoff_feature/
- South Carolina's agencies are still not any better after the massive breaches - http://www.wbtw.com/story/25149085/still-no-consistent-computer-security-plan-at-sc-agencies
- News flash - we trust the government and Internet companies less as a result of leaks - http://www.computerworld.com/s/article/9247441/Snowden_leaks_erode_trust_in_Internet_companies_government
- The two banks which filed suit against TrustWave & Target have dropped their effort ... sanity apparently prevailed but there's a bigger issue here at stake - http://www.securityweek.com/banks-drop-suit-against-target-trustwave