

Down the Security Rabbithole Podcast (DtSR)
Rafal (Wh1t3Rabbit) Los
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Episodes

Nov 6, 2013 • 22min
DtR Episode 65 - NewsCast for November 4th, 2013
Hey all - Raf here and I wanted to thank James for flying solo as my wife and I celebrate the birth of Niccolai and Isabella, our new twins! I'll be back in our next episode...

Topics Covered
- The buzz over calling yourself a 'hacker' - http://www.theguardian.com/technology/2013/oct/24/hacker-computer-seized-us-open-source (Raf's note - I personally think the way this has been spun is largely to gain clicks/readers; it was very well analyzed here - http://theprez98.blogspot.com/2013/10/omg-call-yourself-hacker-lose-your-4th.html)
- A follow-up on Dick Cheney's pacemaker paranoia - http://www.dotmed.com/news/story/22298
- Big-name limo service hacked, discloses info on big-name clients - http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
- Look out, hackers may be targeting SAP users - http://www.computerworld.com/s/article/9243727/New_malware_variant_suggests_cybercriminals_targeting_SAP_users?taxonomyId=17
- Java patching lagging, attackers exploiting, story at 11 - https://www.securityweek.com/java-attacks-jump-user-patching-lags-kaspersky-lab
- It just got real. Real 2010, that is, as Yahoo unleashes a bug bounty program - http://www.tripwire.com/state-of-security/top-security-stories/yahoo-unleashes-new-bug-bounty-program/

Support the show: please consider supporting the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Oct 26, 2013 • 49min
DtR Episode 64 - A US Attorney's Perspective on Cybercrime
Special thank you to the US Attorney's Office for the Southern District of California for a fantastic interview and for letting us pick Sabrina's mind for the podcast...

In this episode...
- Hackers, carders, and the disturbing trend of them pairing up with the traditional mafia
- The challenge of VPSes in cyber-crime
- Evangelizing the truths about cyber-crime to businesses and the average person
- An insight into the way that 'bad guys' specialize in the criminal underground
- An insight into (bottom-up) investigative models available to law enforcement, as they pertain to hackers
- Are cyber criminals fleeing to, or hacking from, non-extradition countries?
- The delicate dance of involving the government in a hacking or breach case
- Seeking the white whale - an organization that hasn't been breached (yet)
- 3rd party data sharing and your privacy - do you have any left?

Guest
Sabrina Feve - Sabrina is an Assistant US Attorney (AUSA) for the Southern District of California, specializing in hacking and cybercrime cases.

Oct 26, 2013 • 29min
DtR FeatureCast - Rt Hon Baroness Neville-Jones on CyberSecurity
In this episode
- We get a peek into the first member of the UK House of Lords that we've ever had on the podcast
- Baroness Neville-Jones discusses the difficulties in cybersecurity at the government level
- We discuss the challenges of policy, compliance and implementing real-life security
- The Baroness discusses her efforts to raise both the awareness and the collective security of business
- The Baroness discusses a bit about critical infrastructure protection
- I ask the uncomfortable question in the wake of the Snowden disclosures - privacy vs. security...

Guest
Rt Hon Baroness Neville-Jones - Baroness Neville-Jones is a long-time political figure in the UK Parliament, House of Lords. She recently retired from public service and now focuses on the public-private partnership for cybersecurity in the UK. She has an amazing history and rather than try to summarize it here, I simply point you to her biography page at http://www.conservatives.com/People/Peers/Neville-Jones_Pauline.aspx

Oct 21, 2013 • 44min
DtR Episode 63 - NewsCast for October 21st, 2013
Thanks to Josh Corman for joining us this morning ... always nice to have Josh's experience and brain power on the show.

Topics Covered
- Gargantuan Oracle CPU (Critical Patch Update) including 51 Java security fixes! - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
- Huawei calling for an "independent cybersecurity assurance lab" framework, an interesting but difficult thing - http://www.informationweek.com/security/application-security/huawei-proposes-independent-cybersecurit/240162840
- Dick Cheney, fearing an assassination attempt, had the wireless function of his implanted defibrillator disabled in 2007 - http://www.theguardian.com/world/2013/oct/19/dick-cheney-heart-assassination-fear
- Chesapeake hospice suffers breach, but there's a lesson in the tragedy - http://www.hispanicbusiness.com/2013/10/19/hospice_of_chesapeake_shut_down_computer.htm
- NPI research shows companies will overpay $10.1 billion for IT security solutions in 2013, worse in 2014 - http://www.prweb.com/releases/2013/10/prweb11239951.htm
- Minor Verizon security bug, issues with coordinated disclosure, fix timelines, and the much bigger white elephant in the room - http://prvsec.com/verizon-wireless-message-detail-disclosure.html

Hat-tips this week go to...
- Brian Katz ( @bmkatz ) because we borrowed your 'crapplications' example
- Alex Hutton ( @AlexHutton ) - Josh borrowed your "Alex head asplode"
- Wendy Nather ( @451Wendy ) because we mentioned your 'security poverty line' concept

Oct 14, 2013 • 44min
DtR Episode 62 - A Peek Behind the Blue Curtain
In this episode...
- James and I host legitimate Polynesian royalty (a princess...) really!
- Katie gives us the skinny on Microsoft's 10-year progression to get to a bug bounty program
- We discuss the merits of bug bounties and their execution in a very large enterprise
- Katie gives us as many details as she can about the recent $100,000 payout
- Much... much... more!

Guest
Katie Moussouris ( @k8em0 ) - Katie runs the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team, helping drive crucial elements of Microsoft's security community strategy effort. She is a Senior Security Strategist Lead, and let's not sell her short - she is royalty!
She created and drove the first ever Microsoft security bounty programs (www.microsoft.com/bountyprograms), which received 18 vulnerabilities and a new attack technique that will help Microsoft build stronger defenses to protect the entire platform from this new class of attack.
She serves as lead subject matter expert in the US National Body for the ISO work item 29147 "Vulnerability Disclosure", scheduled for publication in 2013, and does countless other work associated with the ISO standards body and various other industry groups.

Oct 7, 2013 • 46min
DtR Episode 61 - NewsCast for October 7th, 2013
Big thanks to the soon-to-be-regular peanut gallery ... @JoeKnape and @BeauWoods for jumping in this morning and breaking it down with James and me.

As a personal message to those of you who listen and our community - please... remember we all live in a giant glass house, and throwing rocks is a bad, bad idea. I've said it before and I'm looking right at the media for this one (ahem...) - unless you've been in a high-stress environment and have successfully thwarted every attack, please don't go trying to personally attack those out there who work hard at it every day. It just makes you look like an idiot. Nobody wins when we name and shame and attack people personally. Remember that when it's your turn to stand in the spotlight.

Topics Covered
- Adobe got popped. Bad. ~2.9 million users' information, encrypted credit card details, source code. The only thing worse than this story is the kind of media trolls it brought out... - http://www.computerworld.com/s/article/9242963/Hackers_steal_data_on_2.9_million_Adobe_customers?taxonomyId=82&pageNumber=2 and this unfortunate mess from Richi Jennings https://plus.google.com/117220625678034723010/posts/EjP4JjKFd6w
- 13 Anonymous 'members' indicted for DDoS attacks - http://www.computerworld.com/s/article/9242969/US_indicts_13_Anonymous_members_for_DDoS_attacks
- LA schools gave out "locked down" iPads. Students circumvented. Hilarity ensued. http://blogs.computerworld.com/mobile-security/22929/what-la-schools-forgot-boneheaded-ipad-hand-out
- Senior Iranian cyber official killed (assassinated?) - http://www.matthewaid.com/post/63207233044/the-mystery-surrounding-the-killing-of-a-senior-iranian
- Proof that the first people to get paid should be the ones who hold the keys to your doors - http://nycfreshmarket.com/ (as long as the page stands; then check out the tweet I re-posted https://twitter.com/Wh1t3Rabbit/status/387076594407575552 )

So ... does anyone actually read these? If so, let me know on Twitter? Hashtag #DtR

Sep 30, 2013 • 43min
DtR Episode 60 - Conversations from DerbyCon 3
In this episode...
- Dave Kennedy wraps up DerbyCon 2013, and gives us the statistic you don't want to tell your management
- Dave announces the top secret guest for DerbyCon 4
- Chris & Gabe discuss risk modeling using REAL automated tools
- Gabe introduces us to his concept of using a 'big data' approach to risk modeling
- We discuss risks, network segmentation, and other things you're doing wrong

Guests
Dave Kennedy ( @Dave_Rel1k ) - Dave Kennedy is the founder of TrustedSec, and the brain behind DerbyCon.
Chris G ( @SecbitChris ) - Chris is one of the brains behind the SecuraBit podcast
Gabe B ( @gdbassett ) - Gabe is an industry expert

Sep 23, 2013 • 41min
DtR Episode 58 - NewsCast for September 23rd, 2013
I want to thank Mr. Josh Corman ( @JoshCorman ) for guest-commentating today's episode, and lending his expertise and industry leadership point of view.

Topics Covered
- UK's GCHQ has been using Prism (courtesy of the NSA) to spy on you ... the revelation continues - http://www.telegraph.co.uk/news/uknews/law-and-order/10106507/GCHQ-has-been-accessing-intelligence-through-internet-firms.html
- Wisconsin trucker vs. Koch Industries, just what is a "direct loss"? - http://www.kfdi.com/news/local/Wisconsin-man-pleads-guilty-in-cyber-attack-on-Koch-Industries-223365221.html
- iPhone, fingerprint reader, #IsTouchIDHacked - http://www.forbes.com/sites/markrogowsky/2013/09/22/iphone-fingerprint-scanner-hacked-should-you-care/
- Can the FTC (and other government entities) go after companies who fail to do reasonable security? (also, what does that mean?) - http://www.computerworld.com/s/article/9242531/FTC_lacks_data_breach_authority_says_accused_medical_lab?taxonomyId=17&pageNumber=2
- The gang that popped Bit9 is at it again, IE 0-day in the wild - http://www.computerworld.com/s/article/9242570/Security_org_raises_Internet_threat_level_after_seeing_expanded_IE_attacks

More information on The Cavalry
The talk: "The Cavalry Isn't Coming: Starting the Revolution to FSCK it all!"
The video of the more mellow, smaller BSides "warm-up before DEF CON 21" is here: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-2-the-cavalry-isnt-coming-starting-the-revolution-to-fsck-it-all-nicholas-j-percoco-and-joshua-corman
Twitter: @iamthecavalry
URL: http://iamthecavalry.org
Email: info@iamthecavalry.org
Google group: https://groups.google.com/d/forum/iamthecavalry

Josh Corman's Bio:
Joshua Corman is the Director of Security Intellig

Sep 18, 2013 • 30min
DtR FeatureCast - HP Protect 2013 - Episode 3
For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.

I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...

Episode 3 - Vikas Bhatia (CEO of Kalki Consulting) and Anton Goncharov (Managing Principal of MetaNet, LLC) - In this discussion, we just barely scratched the surface on the challenges SMEs face with integrating security into business processes and developing security solutions on a shoestring. This discussion focuses entirely on processes and the need for business integration and insight - and is likely the starting point for many further conversations to come.

Sep 18, 2013 • 24min
DtR FeatureCast - HP Protect 2013 - Episode 2
Episode 2 - Wasif Shakeel, Program Director Information Security, General Dynamics - Wasif and I discovered that we have entirely too much in common, and talked about the need for a sane, process- and measurement-driven approach to security and handling the "needle in a haystack" problem many Security Operations Centers are faced with.