Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Sep 18, 2013 • 20min

DtR FeatureCast - HP Protect 2013 - Episode 1

For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, product/service managers and their support specialists together not only to solve real-world problems but also to help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event, check out the HP Protect website.

I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...

Episode 1 - Ian Beckford, Senior Product Manager, TELUS Security Solutions - Ian and I had a lively discussion around the service-provider use of analytics and network security devices (currently ArcSight and TippingPoint) to provide customers with security solutions which benefit them, while remaining cost effective.

Support the show >>> Please consider clicking the link above to support the show!

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Sep 16, 2013 • 36min

DtR Episode 58 - Of BSides and Bettering Infosec

In this episode...
- Mike explains once and for all how the BSides namesake came to be
- We talk about how the industry has evolved over the last 10+ years
- Mike dispenses a little of his philosophy on how to better the industry
- We talk burnout and why it exists, and possibly how to get through it

Guest
Mike Dahn ( @MikD ) - Mike Dahn is one of the original co-founders of the Security BSides conference many of you have attended, spoken at, or heard of. In addition to that, Michael Dahn is an information security and organizational design strategist responsible for the management of data strategies, project engagements, and cost modeling. With over 12 years of information security experience, Mr. Dahn has managed teams of 50 people and budgets of up to $30m annually for Fortune 500 companies. Today he focuses on leading mobile security strategies and industry relations.

He is an industry leader in regulatory compliance issues who previously worked for Visa, PricewaterhouseCoopers, and Verizon Business, created PCI training for and trained over 10,000 assessors, merchants, and vendors globally. He contributes regularly to the continued development of the global PCI guidelines.

During his tenure Mr. Dahn has presented to a variety of financial and banking associations (FDIC and NCUA), including regulatory bodies such as the PCI Council, and information security groups on topics including mobile security, compliance, information security programs, auditing and network security, and computer hackers. He has been published in several news articles and TV spots on information security.
Sep 13, 2013 • 44min

DtR FeatureCast - HTCIA International 2013

Today I had the pleasure of sitting down with one old friend, and one new. As a speaker at the HTCIA International conference, and the CISO Summit, I had the opportunity to gain some valuable insight, meet lots of excellent leaders, and forge some new relationships. As a wonderful side-effect I had the pleasure of sitting down with Mike Murray of Mad Security, and Vince Skinner, an attendee of the conference and security leader of his enterprise.

We talked about a range of topics from the history of the information security industry, to our experiences and the current lack of direction and strategy in much of the enterprise space. We also discussed some topics that dated us quite a bit ...so don't judge!

Guests
Mike Murray ( @MMurray ) - Mike is the co-founder of Mad Security, an industry veteran and mentor, and an all-around fantastic friend.
Vince Skinner ( @SkinnerVince ) - Vince is the Information Security and Business Continuity Manager, AVP of D.A. Davidson & Co.
Sep 9, 2013 • 43min

DtR Episode 57 - NewsCast for September 9th, 2013

I want to thank our guests - Beau Woods and Joe Knape - for joining us this morning. It was great to have these two well-versed commentators on the show ...vote with your downloads folks - if you want to make this a regular thing leave us a comment!

Topics Covered
- RedHack 'hacks' Turkish police website, stops border traffic? - http://www.hurriyetdailynews.com/redhack-hacks-turkish-police-website-as-border-traffic-grounds-to-a-halt.aspx?pageID=238&nID=53904&NewsCatID=341
- A few thoughts on the NSA/Crypto from Matthew Green's blog - http://blog.cryptographyengineering.com/2013/09/on-nsa.html
- The FTC settles with TRENDnet (the webcam shouting obscenities at the 2yr old story) - http://www.bostonglobe.com/business/2013/09/04/ftc-settles-complaint-over-hacked-security-cameras/uYjAuRcb4uCz51Zt1HSGbP/story.html
- Citi ordered to pay $10.86/record, more harm than good - http://www.infosecurity-magazine.com/view/34328/citi-ordered-to-pay-55k-to-connecticut-over-2011-data-breach
- NY Times hacked (again) but this time it's DNS ...DNS is baaaaack - http://www.thestreet.com/story/12020336/1/new-york-times-website-hacked-in-likely-malicious-external-attack.html
- "This is why we can't have nice websites" - http://www.reddit.com/r/PHP/comments/1l7baq/creating_a_user_from_the_web_problem/

Other Links
- FTC FAQ (Thanks to Beau Woods) - http://business.ftc.gov/documents/bus35-advertising-faqs-guide-small-business
Sep 4, 2013 • 50min

DtR Episode 56 - Understanding the [InfoSec] Elephant

Every once in a while this podcast has a guest who makes us truly feel blessed to be doing this - Rob Dubois is one of those people. If you don't know anything about Rob, go read his website, listen to this podcast and check out his book. He is a real American hero, a fantastic human being, and a true patriot. On behalf of James and me, I want to extend a hearty thank you for the time Rob spent, and the wisdom he's imparted.

In this episode...
- Rob Dubois on being a 'badass'
- the parable of the blind wise men and the elephant
- be reachable and teachable (be a RAT)
- the collision of boots, bits, and threats
- the arrogance of security professionals is a weakness
- fail early, fail often - learn from it
- why plans are useless, and planning is essential
- a George Carlin quote, and a "The Office" reference
- a brutal lesson from PoW training

Guest
Rob Dubois ( @RobDubois ) - Rob is currently best-known for his book "Powerful Peace - A Navy SEAL's Lessons on Peace from a Lifetime at War". I can't possibly do Rob justice but to call him a true, powerful, "badass"... check him, his book, and his powerful message out for yourself on his blog SEAL of Peace.
Aug 26, 2013 • 32min

DtR Episode 55 - NewsCast for August 26th, 2013

Since James is out this week with something called "work", I've pulled in two friends (affectionately known as "The Joshes"), Josh Marpet and Josh C. Big thanks to these fine gentlemen for stepping in and co-chairing this Monday morning quarterback session... I hope you enjoy!

Topics Covered
- Fraudsters target "wire payment switch" at banks to steal millions - http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/#
- Insurer to Schnucks: We won't pay for lawsuits related to your breach - http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/#
- NASDAQ has a "technical glitch" ... halts trading in the middle of the day - http://www.eweek.com/security/nasdaq-trading-halted-by-technical-issue/
- Apple App Store infiltrated by researchers' Jekyll malware - http://www.nbcnews.com/technology/apple-app-store-infiltrated-researchers-jekyll-malware-6C10945771
- Hacker takes over baby-monitoring IP cam, shouts obscenities... world put on alert - http://www.bbc.co.uk/news/technology-23693460

Other links
- Link to the now-defunct'ish "CamWar" maintained by @Viss - http://atenlabs.com/camwar/
- Josh Brashars' talk at BayThreat 2011 was called "Inagada Davida (Or, Scary **** on Cellular Modems)"
Aug 19, 2013 • 45min

DtR Episode 54 - Evolution of InfoSec with The Godfather of IPS

In this episode...
- Rob gives us a little history lesson
- Rob keeps going on the history lesson: IDS, open vs. closed circuits
- We discuss "defense in depth" from back-in-the-day
- James re-introduces us to the "security onion"
- Rob talks about "programming for super-high-speed" and scale
- Constructing things to truly "build scalability in"...
- Designing networks as a front-end vs. back-end architecture
- Rob points out that network diagrams are always wrong

Guest
Robert Graham ( @ErrataRob ) - No, this is not Robert Graham the clothing designer, this is Robert Graham the guy who pioneered the IDS. In Robert's own words ... "I am a well-known security researcher (aka. "white-hat" hacker). I created the BlackICE personal firewall in 1998. I invented the first network intrusion prevention system (IPS) "BlackICE Guard" in 1999, which is now sold as "Proventia" by IBM."
Aug 12, 2013 • 26min

DtR Episode 53 - NewsCast for August 12, 2013

Topics Covered
- The trash bin that stalked me (seriously, only in London) - http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/ and a follow-up as we recorded today: http://www.bbc.co.uk/news/technology-23665490
- No data breach in Indianapolis, after laptop stolen/recovered - http://www.theindychannel.com/news/call-6-investigators/state-no-data-breach-after-stolen-laptop-traced-to-indy-home
- DDoS blackmail in Manchester (UK) FAIL - http://www.manchestereveningnews.co.uk/news/greater-manchester-news/two-held-over-attempted-blackmail-5680548
- US national health push ("Obamacare") falling behind on security testing...who's surprised? - http://au.news.yahoo.com/technology/news/article/-/18390597/obamacare-months-behind-in-testing-it-data-security-government/
- Weird password 'feature' in Chrome... - http://blog.elliottkember.com/chromes-insane-password-security-strategy
Aug 5, 2013 • 43min

DtR Episode 52 - Advanced threats, remedial defenses, broken record

In this episode...
- Dave reminisces a bit...
- Dave discusses 'digitally signed malware' and what it means
- We discuss whether it's true that 'all networks are compromised'
- We discuss consumer-grade vs. corporate-grade threats, and why they're different
- An interesting point by Dave about why enterprises aren't learning from their compromises
- We discuss customized malware, with specific and targeted payloads for specific systems
- Dave talks about whether 'combat the criminal, hire the criminal' is true

Guest
Dave Marcus ( @DaveMarcus ) - Dave is currently the Chief Architect, Advanced Research and Threat Intelligence, McAfee Federal Advanced Programs Group. He's been around the industry for a long time, and has influenced countless numbers of researchers. He is well known as a fantastic speaker, subject-matter expert and generally a badass, and I feel lucky enough to call him my friend.
Jul 29, 2013 • 29min

DtR Episode 51 - NewsCast for July 29th, 2013

Ladies and gentlemen, we are over the 50 episode mark! If you've enjoyed the podcast, please go rate us in the iTunes store, or leave us a note here. Have you checked out past episodes?! There are some gems in there, I promise, and worth your time.

Topics Covered
- Charlie Miller and Chris Valasek demonstrated (and will disclose code for) the hack which allows complete (tethered) remote control of a modern vehicle. You need to watch this video, and if you develop code for transport vehicles and aren't thinking about securing your code - it's time to adjust course before you actually kill someone - http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and this is how the UK 'muzzled' a researcher who did something similar - http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/
- Apple demonstrates how not to do breach disclosure, while Ibrahim Balic demonstrates how to jump into the spotlight (and put foot in mouth before thinking) by disclosing, video-recording, and telling the world of his 'ethical test' of Apple's forums - http://www.news.com.au/technology/ibrahim-balic-breaks-silence-on-hacking-apple-developer-site/story-e6frfro0-1226684484916 and http://gigaom.com/2013/07/22/researcher-comes-forward-to-claim-responsibility-for-intrusion-on-apple-developer-site/
- After many years on the run, Russian super-hackers involved in the biggest breach of all time are caught - because they broke the first few rules of hiding - http://www.reuters.com/article/2013/07/26/us-usa-hackers-creditcards-arrests-idUSBRE96P02Z20130726
- Exciting news for those of you who are sick of Android app developers' over-reaching nature in the permissions arena: with the release of 4.3 there is a glimmer of hope in reining in those games that for some unknown reason require access to your contacts and 'premium services' and such - http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/
