Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Mar 31, 2014 • 47min

DtR Episode 86 - From DDoS to Quantum Computing [Guest: Prof Alan Woodward]

In this episode

- Rise of DDoS
  - Where did it come from
  - What's next
  - Why does it work
  - Spoofer project
  - 3-DOS attacks
- Quantum computing
  - What is it
  - How is it different than what we commonly use today
  - What problems does it solve
  - How practical is it
- The dark web
  - Where did it come from
  - Legitimate uses, turn into nefarious use-cases
  - Alternatives, adoption and options

Guest

Prof. Alan Woodward ( @ProfWoodward ) - Alan is not only a subject matter expert in computing, computer security and the impact technology has on business but brings to his roles a very broad range of experience in business management, technical management and project management.

Whilst he has particular expertise in covert communications, forensic computing and image/signal processing, Alan is primarily a particularly good communicator, be it with clients, staff or investors. He is known for his ability to communicate complex ideas in a simple, yet passionate manner. He not only publishes in the academic and trade journals but has articles in the national press and appears on TV and radio. Despite the length of his experience, his hands-on ability with emerging technologies contributes significantly to the respect he is repeatedly shown when he leads teams where technology is involved.

Alan has been involved in some of the most significant advances in computer technology and, although he continues to work in industry, he is actively involved with academia as a visiting Professor in the Department of Computing which is part of the Faculty of Engineering and Physical Sciences at the University of Surrey.

His achievements have resulted in him rising to become a Fellow of various institutions including British Computer Society, Institute of Physics and Royal Statistical Society.

Did you catch all that?

DtR is giving away a free ticket to Source Boston - if you're interested in being the lucky recipient - be the first to @Wh1t3Rabbit with "I just won a ticket to @SOURCEConf Boston courtesy of the #DtR Podcast!"

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Mar 24, 2014 • 46min

DtR Episode 85 - NewsCast for March 24th, 2014

Topics covered

- The FTC jumps into the breech (pun intended) and may try and levy fines against Target, and future breach victims - http://ww2.cfo.com/technology/2014/03/ftc-urges-data-breach-penalties/ and http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
- Could the Barclays Bank breach of Feb 2014 have been test data? Richard Bishop thinks so - http://blog.trustiv.co.uk/2014/03/barclays-data-breach-%E2%80%93-could-it-be-test-data and http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
- US Commerce Dept not renewing ICANN contract, moving control to ITU - http://www.bloomberg.com/news/2014-03-15/u-s-to-relinquish-control-of-internet-address-system.html and http://www.businessweek.com/articles/2014-03-17/the-u-dot-s-dot-ends-control-of-icann-gives-up-backing-of-the-free-speech-internet
- With Microsoft officially, and finally, stopping support for WinXP (after 14yrs!), is there a "breach crisis" around the bend? - http://www.pcmag.com/article2/0,2817,2455206,00.asp
- Microsoft can read your Hotmail/webmail ...so can Google, Apple and Yahoo! Hype or crisis? - http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy
- (bonus) "eGovernment" is something many governments globally and locally are moving ahead with - is this rainbows or rain clouds? I joined Discover Performance Weekly to briefly discuss - http://youtu.be/bAfP-jc0x6Q
Mar 17, 2014 • 49min

DtR Episode 84 - Rise of the Security Machines [Guest: Alex Pinto]

In this episode

- what is the promise of automation, and where did we go wrong (or right?)
- the problems with 'volume' (of logging) and the loss of expressiveness
- a dive into 'exploratory based monitoring'
- how does log-based data analysis scale?
- baselines, and why 'anomaly detection' has failed us
- does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
- does today's 'threat intelligence' provide value, and is it really useful?
- decrying the tools - and blaming the victims
- what is machine learning good at, and what won't it be great at?
- log everything!

Guest

Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat.

He has been researching and exploring the applications of machine learning and predictive analytics into information security data sources, such as logs and threat intelligence feeds.

He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algorithmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.
Mar 10, 2014 • 35min

DtR Episode 83 - NewsCast for March 10th, 2014

Topics covered

- Target CIO resigns, new central CISO and CCO roles created; but what's really going on here? - http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451 & http://pressroom.target.com/news/target-reports-third-quarter-2013-earnings
- City of Detroit employees' information (including SSNs, DoB, etc) is "at risk" because someone clicked something they shouldn't have - http://www.freep.com/article/20140303/NEWS01/303030085/Detroit-computer-security-breach
- ComiXology was [big time] hacked, but it's all good because the passwords were 'cryptographically secured' ... but where's the transparency? - http://www.theregister.co.uk/2014/03/07/comixologys_phantom_zone_breached_by_evil_haxxor/
- A North Dakota University System was hacked and now 290k students', employees' and faculty (yes, including SSNs) data is at risk ... or is it? - http://www.greenfieldreporter.com/view/story/8f909740809e48e9a5669de333418134/US--University-System-Hacked
- NC State researchers have a genius new way to detect Android malware (hint: you look for C code) - http://www.computerworld.com/s/article/9246825/N.C._State_researchers_devise_tool_that_detects_Android_malware
- The AARP (yes, that AARP) has decided that now is the time to post a bulletin to their system to teach retired persons how to make good passwords - http://www.aarp.org/home-family/personal-technology/info-2014/create-password-avoid-hacks-kirchheimer.viewall.html
Mar 3, 2014 • 43min

DtR Episode 82 - Likely Threats [Guests: Lisa Leet, Russell Thomas, Bob Blakley]

In this episode

- Does it make sense, in a mathematical and practical sense, to look for 'probability of exploit'?
- How does 'game theory' apply here?
- How do intelligent adversaries figure into these mathematical models?
- Is probabilistic risk analysis compatible with a game theory approach?
- Discussing how adaptive adversaries figure into our mathematical models of predictability...
- How do we use any of this to figure out path priorities in the enterprise space?
- An interesting analogy to the credit scoring systems we all use today
- An interesting discussion of 'unknowns' and 'black swans'
- Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization

Guests

Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Exam on July 15th, taking MOOCs, and reading at least twelve books concurrently including a 1600-pager on Python. In her free time she volunteers on the Board of Directors for SIRA (Society of Information Risk Analysts) and participates in awesome podcasts like DtR.

Russell Thomas ( @MrMeritology ) - Russell is a Security Data Scientist in financial services, and a PhD student in Computational Social Sciences. His focus is on the intersection of information security and business and economic decision making. He's "MrMeritology" on Twitter, and blogs at "Exploring Possibility Space" (http://exploringpossibilityspace.blogspot.com/).

Bob Blakley - Bob has been in the security industry for more than 35 years. He's led the OMG CORBAsecurity, SAML, and OATH standardization efforts, and currently chairs the NSTIC Identity Ecosystem Steering Group. He's in the drama department at a large multinational financial institution.
Feb 24, 2014 • 26min

DtR Episode 81 - NewsCast for February 24th, 2014

Topics covered

- Apple had a "Goto Fail" failure - yes, people at Apple Computer still use Goto statements in 2014 - http://www.computerworld.com/s/article/9246533/Apple_encryption_mistake_puts_many_desktop_applications_at_risk and Adam Langley's awesome blog - https://www.imperialviolet.org/2014/02/22/applebug.html
- Look out Terps, Univ of Maryland has lost 309,000+ staff members, students and faculty worth of personal information including social security numbers ... OUCH - http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
- ICS-CERT has a new report out that bemoans the Industrial Control sector's inability to detect and respond to incidents ...mainly due to inadequate logging - http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516 and the report https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf
- Websense has done a massive analysis of Dr. Watson (MS Windows crash) files and determined there is some new kind of APT, POS attack afoot - http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports-reveal-n/240166207
- Many different outlets are reporting this in various ways but consumer endpoints (at this point lots of Linksys home routers) are being infected with a new worm targeting a flaw, mainly because people choose to expose their management interfaces to the outside, why? - http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/
Feb 17, 2014 • 59min

DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis]

In this episode

- Jay and Bob talk about their new book
- A discussion on using data as 'supporting evidence' rather than gut feelings
- Do we have actuarial quality data to answer key security questions?
- A discussion on "asking the right question", and why it's THE single most important thing to do
- Bob attempts to ask security professionals to use data we already have, to be data-driven
- Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
- Quick shout out to Allison Miller on finding the little needles in the big, big haystack
- We think about why security as an industry needs to start looking outside of itself to get its data - now
- Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis
- I ask whether there is a chicken and egg problem in large-scale data analysis
- Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
- Bob makes a pitch for having a "Cyber CDC" ... stop laughing
- Jay laments the absolute bonkers problems dealing with information sharing (when you don't have any to share)
- Jay urges you to "count and compare"

Guests

Jay Jacobs ( @JayJacobs ) - www.linkedin.com/pub/jay-jacobs/3/896/4b0, Jay is currently a Principal at Verizon Business

Bob Rudis ( @hrbrmstr ) - www.linkedin.com/in/hrbrmstr, Director, Enterprise Security, IT Risk Management at Liberty Mutual Insurance & Co-author of Data-Driven Security
Feb 10, 2014 • 38min

DtR Episode 79 - NewsCast for February 10th, 2014

Topics covered

- In the wake of the Target & Neiman Marcus breaches - is chip+pin really a priority right now, and does it solve the real problem? - http://blogs.csoonline.com/security-leadership/2977/does-chip-and-pin-actually-solve-problem-find-out-asking-these-questions
- Speaking of Target ... it turns out that 3rd parties really are a problem and still a blind spot in many organizations' risk matrices, who knew - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- Apparently NBC News doesn't believe it's stretching the news at all, when it virtually makes up a story then gets called out by Robert Graham; hilarity ensues - http://news.cnet.com/8301-1009_3-57618533-83/sochi-hack-report-fraudulent-security-researcher-charges/
- Something bad, very, very bad just happened over at Barclays in the UK ... although the jury seems to still be out on what exactly is going on; you can bet we're going to keep an eye on this - http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
- In a "You can't make this stuff up, folks" moment, the FBI is asking for malware and they're willing to pay for it; and they'll send you all the info in a .docx file?! - http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/
- Is your next new vehicle going to be part of the mesh-network which keeps cars from crashing into each other? It will if the government has its way - complete with wildly-made-up-sounding statistics and ridiculous news story and all (somewhere, Flo from Progressive is mad they stole her schtick) - http://www.usatoday.com/story/money/cars/2014/02/03/nhtsa-vehicle-to-vehicle-communication/5184773/
Feb 3, 2014 • 42min

DtR Episode 78 - Legal Professional Privilege [Guest: David Prince]

In this episode

- David discusses what it's like working for a law firm (in the UK)
- A quick wade through the UK Data Protection Act (mostly Principle 7)
- "When lawyers get to interpret the laws"
- Law firms as targets for data breaches
- The new regulations in the UK, fines between 2%-5% of your REVENUE? Ouch.
- Defining "adequate measures" in regulations
- A brief chat on fines, regulations, and risk management
- I trail off on a Princess Bride quote, and get ranty on "risk"
- Dealing with personal devices, public WiFi to work and security
- James asks the inevitable question on training
- Good vs. "best" practice
- Your security as a competitive advantage. Really.

Guest

David Prince ( @riskobscurity ) - A dedicated and well-respected Technical Information Security Professional with several years' experience and demonstrated success leading information security initiatives in a variety of organizations: initiatives which are in direct support of business objectives to maintain the confidentiality, integrity, and availability of organizational assets and improve business efficiency and effectiveness.
Jan 27, 2014 • 36min

DtR Episode 77 - NewsCast for January 27th, 2014

Special thanks to Michael Santarcangelo ( @catalyst ) for stopping by the show and guest-hosting with James and me! We had fun, and I think you'll all enjoy Michael's perspective and humor.

Topics covered

- Neiman Marcus breach - all new, same as before, or is it? - http://www.wired.com/threatlevel/2014/01/neiman-marcus-hack/
- Coca-Cola loses laptops ... sort of ... but no worries, no evidence of wrongdoing - http://www.ajc.com/news/business/coca-cola-tells-thousands-of-employees-of-security/nc2NB/
- Breach over at Microsoft, law enforcement documents "likely stolen", but what does that really mean? - http://www.pcworld.com/article/2091480/microsoft-says-law-enforcement-documents-likely-stolen-by-hackers.html
- The (San Jose) police want to use your home surveillance system cameras, I'm not kidding - http://news.cnet.com/8301-17852_3-57617809-71/police-want-to-use-your-home-security-cameras-for-surveillance/
