Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Jan 20, 2014 • 40min

DtR Episode 76 - Payment Industry Turmoil [Guests: Laura Claytor & Alfred Portengen]

In this episode
- Did the Target/Neiman/? breach finally create a catalyst for change?
- The card system and payment processing infrastructure clearly weren't designed with defensibility in mind ... who should be changing that?
- Are today's fraud rates finally getting high enough that card processors, issuers and banks need to depart from the status quo?
- Are the days of "zero fraud liability" for the end consumer coming to an end?
- What about chip & PIN? Is the risk less?
- What kinds of pains will the industry go through to make security on payment systems better?
- How is the commercial payments industry different from the consumer one?
- Do end users of credit accounts ultimately care about breaches?

Guests
- Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States.
- Alfred Portengen ( @alfredportengen ) - Alfred has a deep breadth of experience in architecture and security specialty within a multi-national banking organization; he is based in the Netherlands.

Support the show
>>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Jan 13, 2014 • 42min

DtR Episode 75 - NewsCast for January 13th, 2014

I can't believe it's 2014 already, and we're rolling through our 3rd calendar year! As we grow and you "regulars" mount, James and I want to thank you for listening, bookmarking, sharing and talking about the podcast. Your patronage has really made us smile, and you're the reason we do this.

Topics covered
- Reuters: Retail community may be ready for a change in the payment card system and processes - http://uk.reuters.com/article/2014/01/13/uk-target-databreach-retailers-idUKBREA0B01A20140113
- More Snowden fallout: French/UAE intel satellite deal may be scuttled because of US-made components - http://www.defensenews.com/article/20140105/DEFREG04/301050006
- Ransomware CryptoLocker's uglier, meaner cousin now available for $100... look out! - http://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/
- Schneier: "The Internet of Things" is very vulnerable ... and there's no good way to patch it all - http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
- Lawsuit filed in the "FaceBook reads my private messages" case - http://money.cnn.com/2014/01/03/technology/facebook-privacy-lawsuit/
Jan 6, 2014 • 48min

DtR Episode 74 - Supply Chain [In]Security

In this episode
- Chris Wysopal - who is that masked man?
- Putting some reality to the state-sponsored backdoors (Huawei) and supply-chain compromise
- The risks coming through the door with the products you buy
- The case for setting up an independent testing lab for mitigating 'backdoor' accusations
- Chris does an interesting assessment of software security practices in the enterprise
- Chris discusses holding your vendor to the same standards you hold yourself to
- What does it mean that enterprises are doing a "good job" in SwSec?
- Chris goes there: open-source components as part of supply chain risk
- James asks "How do smaller buyers leverage scale to hold their suppliers accountable?"
- Why do we still see SQL Injection?! Are we ever going to get rid of it?

Guest
Chris Wysopal ( @Weldpond ) - Chris is the Founder, CTO and CISO of VeraCode, a company dedicated to software security as-a-service. Chris has a long and storied history in the security industry dating back to L0pht Heavy Industries. His bio and profile can be found on LinkedIn.
Dec 23, 2013 • 47min

DtR Episode 72 - Applied Threat Research and Defense

In this episode
- Will gives us a lay of the land on the state of "state sponsored" and advanced threats
- We discuss collective advances in malware
- We discuss the persistence of 'old' malware, and code re-use
- We discuss enterprise defense and strategy
- Will gives us some wisdom from his experience in helping clients defend themselves

Guest
Will Gragido ( @wgragido ) - Will is currently a senior manager in the Threat Research Intelligence organization at RSA NetWitness. Will is an information security and risk management professional with over 18 years' professional industry experience, and Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. You can get more information on Will on his LinkedIn page.
Dec 16, 2013 • 1h 28min

DtR Episode 71 - The 2013 Year in Review

Hello! This is a special episode in that it's our year-end wrap-up. We bring together 3 of the industry's best to talk about the year that was, the things that were on your mind, and maybe give us a hint at what is to come...

Guests
- Will Gragido ( @wgragido ) - Will is the Sr. Manager of Threat Research Intelligence for RSA NetWitness and a lightweight with the cold medicine.
- John Pirc ( @jopirc ) - John is the Vice President of Research at NSS Labs, with very strong hair.
- David Marcus ( @DaveMarcus ) - David is the Director and Chief Architect of the Federal Advanced Program Group at McAfee and a kettle bell monster!

Notably absent, but invited, were Dave Lewis ("fell asleep") and Dave Kennedy ("was on an airplane") ... apparently because I thought it would be fun to invite every Dave I know ... but seriously next time guys :)

James and I would like to wish all our listeners a very merry holiday season, and a happy, healthy and prosperous 2014.
Dec 9, 2013 • 51min

DtR Episode 70 - Embedded Systems Shenanigans

Folks, if you work with, design, or implement embedded systems this is one episode you don't want to miss. Fair warning, it's a little bit long at just over 50 minutes total. I hope you find the extra time worth the effort of listening; I know we sure did!

In this episode
- The quirky things that Josh's organization gets to work on and deconstruct
- The methodology of breaking foreign things
- Android and why it's "horribly interesting" beyond just the OS everyone sees
- Hacking Android at the very, very, very basic hardware interface(s)
- Copy/paste software development and its pitfalls
- Embedded devices as pivot points for intrusion
- The importance of embedded systems, and why no one is writing secure code (still)

Guest
Josh Thomas ( @m0nk_dot ) - Chief Breaking Officer for Atredis, security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware / software barrier and rarely have a UI. m0nk has spent the last year or two digging deep into Android and iOS internals, with a major focus on both the network stack implementation and the driver-and-below hardware interfaces. He uses IDA more frequently than Eclipse (and a soldering iron more than both). His life dreams are to ride a robot unicorn on a moonlit beach and make the world a better place, but mostly the unicorn thing...
Dec 2, 2013 • 35min

DtR Episode 69 - NewsCast for December 2nd, 2013

Special thanks to Steve Ragan ( @SteveD3 ) for sitting in this morning and providing his perspective as a journalist.

Topics covered
- "Leaked" FBI memo to government agencies says "there's a hacking spree on government websites, and it's Anonymous!" (we have to chuckle, a little) - http://www.theregister.co.uk/2013/11/18/anon_us_gov_hack_warning/ , http://www.thewire.com/national/2013/11/fbi-anonymous-hackers-stole-over-100000-employees-information/71675/
- Fokirtor is a very interesting new piece of malware that targeted Linux systems by slipping into SSH comms - http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/ (and a related piece of malware - http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices )
- The Healthcare.gov website is a case study in how not to release a web app, or complex system; and it's not even a partisan issue anymore - http://arstechnica.com/security/2013/11/healthcare-gov-targeted-by-more-than-a-dozen-hacking-attempts/
- Ahead of the G20 meeting to be held there in 2014, the city of Brisbane, Australia performs a penetration test on their physical city infrastructure, finds major flaws. A plot from "The Italian Job"? -
Nov 22, 2013 • 38min

DtR Episode 68 - Buffer's Big Hack

I want to thank Carolyn Kopprasch and the @BufferApp team for getting back to me, and agreeing to not only join the podcast, but also field questions from "anyone" ... what a cool group of people!

In this episode
- Carolyn gives us some of the insider's perspective on what really happened when Buffer got hacked
- Carolyn and I discuss triage methodology, and how Buffer's small team responded
- In-depth conversation on the communications strategy and implemented plan to be totally transparent
- We discuss that point where it's time to "shut it down", and the need to have the ability and information to make the decision Buffer's team did when they shut down the service temporarily
- Carolyn talks about some of the non-typical ways that her team detects potential security issues
- Carolyn dispenses some solid advice for anyone in a small shop that may be operating ultra-lean
- Finally, Carolyn and I talk about software security and what role it (or the lack thereof) played in the Buffer incident

Guest
Carolyn Kopprasch ( @CaroKopp ) - Carolyn is currently Buffer's "Chief Happiness Officer". Her role is to make sure that Buffer's customers are, in fact, happy. Also she has a web presence right here: http://CaroKopp.com

Links!
Buffer's communications page: http://open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/
Nov 18, 2013 • 29min

DtR Episode 67 - NewsCast for November 18th, 2013

I'm back! Maybe a little sleep-deprived and a tad grumpier than usual, but back to talk news!

Topics covered
- Microsoft unveils the new Digital Crimes Unit, and it is quite the statement - http://www.darkreading.com/attacks-breaches/microsoft-unveils-state-of-the-art-cyber/240163924 , http://www.microsoft.com/en-us/news/presskits/dcu/
- CME Group hacked, claims platform and trades unaffected ... let's hope so - http://www.businessweek.com/news/2013-11-15/cme-group-says-its-computers-were-hacked-no-trades-affected
- Jeremy Hammond, Chicago's very own romanticized criminal - http://www.nbcnews.com/technology/hacker-tied-anonymous-gets-10-years-prison-cyberattacks-2D11603760
- The FBI says there's a "hacking spree" on government websites by Anonymous hackers. You don't say ... - http://arstechnica.com/security/2013/11/fbi-warns-hacking-spree-on-government-agencies-is-a-widespread-problem/
- There's an apparent zero-day in vBulletin, and it's serious enough that Def-Con's forums were taken down pro-actively ... - http://www.computerworld.com/s/article/9244109/Hackers_use_zero_day_vulnerability_to_breach_vBulletin_support_forum
- If you use SnapChat to send questionable selfies hoping they'll just evaporate ... you're in for a bad time - http://www.sidhtech.com/news/snapchat-android-hack-iphone/10024107/
Nov 11, 2013 • 37min

DtR Episode 66 - ISSA International 2013 - Cowperthwaite Weighs In

In this episode...
- We revisit some of the topics Eric & I talked about nearly 2 years ago at ISSA International, Baltimore.
- Eric discusses the paradigm shift that needs to happen in security
- We talk about shifting resources (in the defensive) from "everything" to something more reasonable
- Eric and I discuss how CISOs must re-allocate resources to survive in a post-breach reality

Guest
Eric Cowperthwaite ( @e_cowperthwaite ) - Vice President, Advanced Security and Strategy at CORE Security, a Boston-based security vendor. CORE is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company's innovative security research center.

Eric was formerly the CSO of Providence Health & Services, a healthcare delivery organization with $12.5 billion in revenue, 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA.
