

Down the Security Rabbithole Podcast (DtSR)
Rafal (Wh1t3Rabbit) Los
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Episodes
Jul 22, 2013 • 42min
DtR Episode 50 - The Emergence of Geopolitics in InfoSec
Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment.
/Wh1t3Rabbit

In this episode...
We try and discuss 'defense in depth' on the geopolitical scale
@packetknife drops the truth about 'geopolitics experts' in InfoSec
Ali explains navigating the undocumented security requirements in emerging markets
We talk about whether all this stolen data from enterprise has actually made a difference
Ali discusses the 'western sense of intellectual property' (eye-opening!)
Deperimeterization - why #InfoSec must adapt this RIGHT NOW, but seems allergic to it
Ali drops 'lawfare' on us - and why #InfoSec must know its options
We discuss why people 'generally just don't get it' when it comes to moving to triage over 'secure'
Ali decides he wants to be Frank, or is that frank? :-)

Guest
Ali-Reza Anghaie ( @PacketKnife ) - Ali is a resident expert (or as much as one can be) on geopolitics from his unique background, experience and perspective. He's a well-known figure in the community and has deep insight into the things that most of us read in the media, and pretend to understand. He's the perfect guest for Episode 50!

Support the show >>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Jul 15, 2013 • 28min
DtR Episode 49 - NewsCast for July 15th, 2013
Topics Covered
9 Years After Shadowcrew, Feds Get Their Hands on Fugitive Cybercrook - http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest
vBulletin Forums compromised (~15k-~150k) to serve malware - http://news.softpedia.com/news/Around-150-000-vBulletin-Forums-Compromised-Abused-to-Serve-Malware-366442.shtml
America's EAS (Emergency Alert System) is open to compromise (still) - http://www.wired.com/threatlevel/2013/07/eas-holes/
Mobile malware up 614% y/y says Juniper, but mostly Android - http://www.computerworld.com/s/article/9240772/Mobile_malware_mainly_aimed_at_Android_devices_jumps_614_in_a_year
Blue Box Security finds "master key" issue with Android - but there's more to it - http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/

Jul 8, 2013 • 45min
DtR Episode 48 - Securing HP Software
In this episode...
We get a little insight into the mind of Tomer, and how he thinks about security
We get an insight into what HP Software IT Management is doing to ensure security in the products they release
We discuss making security more than just a security line-item, and a business requirement
There are many "uncomfortable pauses" :)
We discuss Tomer's risk-focused approach to software quality
We ask "Is HP drinking its own champagne?"
Tomer gives us his feeling on DevOps

Guest
Tomer Gershoni - Tomer is the Information Security Officer responsible for product security for a select part of HP Software known as IT Management. Prior to that he was the CISO for HP Software-as-a-Service for over 3 years, based out of Yehud, Israel. Tomer has over 10 years' experience in Information Security and a background in software security. He is a very interesting individual, and his public profile can be found on LinkedIn here: http://il.linkedin.com/in/tomergershoni

Jul 2, 2013 • 32min
DtR Episode 47 - NewsCast for July 1st, 2013
*Apologies for this very important episode getting out a bit late, ladies and gents; I experienced a loss in the family so things were a little slow to re-start. We should be back on track for next week's episode.

Topics Covered
Political hacktivism is making a big splash in international news:
http://www.ilovechile.cl/2013/06/17/chile-democratic-partys-official-site-hacked/87737
http://www.kjrh.com/dpp/news/local_news/jenks/jenks-chamber-of-commerce-website-hacked-for-second-time-within-a-month
http://www.publicnewshub.com/zimbabwean-hackers-hailed-for-attacking-ancs-website/
http://www.bignewsnetwork.com/index.php/sid/215436810/scat/b8de8e630faf3631/ht/South-and-North-Korea-close-website-amid-hacking-alerts
http://www.business-standard.com/article/pti-stories/syria-s-online-troops-wage-counter-revolutionary-cyber-war-113060900065_1.html
http://www.ehackingnews.com/2013/06/turkish-ministry-of-interior-website.html
Google published their epic Transparency Report data:
http://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/
http://www.google.com/transparencyreport/
European Union issues new data breach laws for telecommunications industry - http://www.infosecurity-magazine.com/view/33109/eu-announces-new-data-breach-rules-for-telecoms/
Critical vulnerabilities found in CROWD single sign-on product - http://www.computerworld.com/s/article/9240487/Critical_vulnerabilities_found_in_Atlassian_Crowd_enterprise_single_sign_on_tool
Facebook offers (pays!) $20,000 for a brilliant business-logic bug - http://www.eweek.com/security/facebook-patches-mobile-text-vulnerability-rewards-flaw-discoverer/
Microsoft launches a bug bount

Jun 24, 2013 • 40min
DtR Episode 46 - Serious Problems with Industrial Control System
In this episode...
The gang discusses the issues with the rapid escalation of connectivity in modern-day industrial control systems
What specialized skills are needed to be a SCADA or ICS hacker
A nervous pause as vulnerabilities in ICS systems which could affect the adult beverage industry are touched upon
Discussion on how to deal with 25 year patch cycles
Why is it that embedded devices simply don't get patched like your other systems?
What are the real issues with ICS systems, and why they're not getting enough attention... yet

Guest
Mr. Billy Rios ( @XSSniper ) - In addition to being a long-time friend of mine, and one of the most knowledgeable and humble people in the hacking space, Billy is currently a Technical Director and the Director of Consulting for Cylance. Billy is an accomplished web application hacker, releasing an XSS tool which is currently his Twitter handle. While being a "big picture" guy, Billy also tackles some of the most complex large-scale ICS issues, and with his team works to identify and remediate threats to his clients.

Jun 17, 2013 • 20min
DtR Episode 45 - NewsCast for June 17th, 2013
This week, James is flying solo on the microphone catching you up on all the latest news and BIG stories since I'm at HP Discover, Las Vegas and Suits and Spooks in La Jolla, CA. A busy week all the way around, some pretty earth-shattering news coming out!

Topics Covered
We couldn't be the only ones NOT covering the big NSA leak and revelations of spying and other surveillance. Somewhere in the hype, though, is the enterprise story of insider threat - http://www.guardian.co.uk/world/2013/jun/09/nsa-secret-surveillance-lawmakers-live
Google Glass is in the news, again, this time from an enterprise perspective. In light of the slight insider threat problem revealed lately, how will Google's glasses impact security, and society in general, for good or evil? - http://www.computerworld.com/s/article/9240077/Google_Glass_could_get_a_look_at_the_enterprise
Apple made the news with iOS7 and the big "kill switch" feature; is this really a good idea that actually works, or a desperate gimmick to demonstrate innovation? (especially in light of the lock screen bypass in iOS7 beta!) - http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch and http://www.forbes.com/sites/andygreenberg/2013/06/12/bug-in-ios-7-beta-lets-anyone-bypass-iphone-lockscreen-to-access-photos/
Google noticed a significant spike in phishing traffic to GMail around the Iranian "election" (and I use that in quotes on purpose), an interesting developing story - http://money.cnn.com/2013/06/14/technology/security/google-phishing-iran/index.html
Last but certainly not least, how about that 2+ year old Adobe Flash bug that's being exploited in Chrome to allow attackers (or just perverts) to spy on you using your webcam... creepy! - http://www.forbes.com/sites/andygreenberg/2013/06/14/two-year-old-flash-bug-still-allows-webcam-spying-on-chrome-users/

Jun 10, 2013 • 47min
DtR Episode 44 - Unmasking Security Products
In this episode...
We discuss the true nature of many of the security product decisions CISOs have to make every day
Frank and Raf make very poorly thought-out sports analogies
There are uncomfortable lengths of silence (mostly edited out)
The crew discusses NSS Labs, and what they do to help the CISOs out there make smarter decisions
"Someone" asks about anti-virus...
[ More info on NSS Labs and the two guests today can be found here: https://www.nsslabs.com/analysts and https://www.nsslabs.com/ ]

Guests
Frank Artes ( @franklyfranc ) - Research Director Francisco Artes is a recognized information security executive who has helped form some of the motion picture & television industry's best practices for securing intellectual property. Artes is also known for his work on cybercrime, hacking and forensic security issues with various federal, state and local government and law enforcement agencies such as the US Dept. of Homeland Security, the FBI, the Texas Rangers, US Marshals and several others. Mr. Artes most recently served as Vice President, Chief Architect / Content Protection for Trace3, and as Vice President, Security Worldwide for Deluxe Entertainment Services Group. Artes has presented on six of the seven continents, serves on several boards and is a Trusted Adviser for The Security Consortium.
John Pirc ( @jopirc ) - Research Vice President John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, "Blackhatonomics: An Inside Look at the Economics of Cybercrime" (published in December 2012), and "Cyber Crime and Espionage" (published in February 2011), Pirc has been named a security thought leader by the SANS Institute and speaks at top tier security conferences worldwide. Mr. Pirc's extensive expertise in the security field includes roles in cybersecurity research and development for the Central Intelligence Agency, Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for Security Products at IBM Internet Security Systems, Director of McAfee's Network Defense Business Unit and, most recently, Director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. In addition to a bachelor's degree in Business Administration, Pirc holds the NSA-IAM and CEH certifications.

Jun 3, 2013 • 27min
DtR Episode 43 - NewsCast for June 3rd, 2013
It's June already?! Where has the first half of 2013 gone? James and I break down the last 2 weeks of interesting InfoSec news in a short "Monday morning quarterback" style... enjoy!

Topics Covered
Evernote adds 2-step verification for their authentication, and follows suit with just about every other 'modern' app. Following on the heels of Twitter, LinkedIn, FaceBook, Apple and the one that started it all, Google - we're now getting multi-step authentication from Evernote. Free users not welcome... yet? - http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
Dropbox down for more than an hour, but it wasn't a security bug (we don't think); it's just that they had 'technical difficulty'. If you depend on Dropbox for your file synchronization services, you knew this happened - http://www.computerworld.com/s/article/9239648/Dropbox_goes_down_for_more_than_an_hour
NIST 500-299 "Cloud Computing Security Reference Architecture" document is released. There's a bit of irony here, as the document itself is a whopping 299 pages! - http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
Drupal.org has been hacked, and it appears 2013 just isn't a good year for the folks over at Drupal. Apparently about 1 million accounts have been compromised/affected, and all accounts had their passwords reset - I apparently had a Drupal account I don't remember anymore and my password was reset too - http://techcrunch.com/2013/05/29/drupal-org-hacked-user-details-exposed-and-reset/
Google changed its disclosure policy for critical issues that are actively being exploited from the standard 60 days, to 7. A week. 7 days down from 60... this needs more reading and discussion - http://www.csoonline.com/article/734286/google-zero-day-disclosure-change-slammed-praised
Hackers are exploiting a Ruby on Rails vulnerability that was patched this past January, so zero-day no longer applies... the lesson here is to patch in a timely fashion! - http://www.computerworld.com/s/article/9239588/Hackers_exploit_Ruby_on_Rails_vulnerability_to_compromise_servers_create_botnet?taxonomyId=17

May 28, 2013 • 47min
DtR Episode 42 - Threat Modeling
In this episode...
John discusses some of the foundational principles of Threat Modeling
We talk about why threat modeling is like your time in high school
We discuss why threat modeling is such an incredibly important tool to the enterprise
John gives us some nuggets of his experience with threat modeling enterprise applications

Guest
John Steven ( @m1splacedsoul ) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science, both from Case Western Reserve University.
John is known for his in-depth work in software security, his expertise in the field of threat modeling, and his snarkcasm. If you don't follow John on Twitter or haven't attended one of the talks he's been known to give occasionally - I recommend you do so.

May 20, 2013 • 27min
DtR Episode 41 - NewsCast for May 20th, 2013
Welcome to Monday, May 20th 2013 as James and I discuss the last 2 weeks' worth of Information Security news and relate it (attemptively) to your enterprise day-job. This week was a bit on the lighter side, with the quote of the year (as far as I'm concerned) winner going to the Washington State Administrative Office of the Court for... well, you'll just have to read the rest of the show notes and listen to the podcast.
Also... we are now on the Zune store. So... to the 2 new Zune listeners - HELLO!

Topics Covered
Researchers at Trend Micro uncover new cyberespionage campaign, calling it SafeNet (in unrelated news, SafeNet the security company had nothing to do with this...). Yet another cyberespionage campaign targeting users with revolutionary new technique called "phishing", and using a vulnerability in Microsoft software patched in April 2012, originating from... China! - http://www.computerworld.com/s/article/9239342/Researchers_uncover_SafeNet_a_new_global_cyberespionage_operation
Domain registrar Name.com hacked; customer information including potentially usernames, email addresses, encrypted passwords (just how encrypted are we talking here? ROT13? double-XOR?), and encrypted (same question as before) credit card information potentially stolen. Again, the vector of choice is this revolutionary new technique called... phishing - http://www.pcworld.com/article/2038263/namecom-forces-customers-to-reset-passwords-following-security-breach.html
Godzilla hacked EC-Council (this needs no explanation) - http://www.esecurityplanet.com/hackers/ec-council-hacked.html
Four former LulzSec members (former?) sentenced for their roles in the 2011 attacks on companies such as Sony, Nintendo, News Corp, the CIA and many others. Sentences range from a 30-month prison term for "Kayla" to 200 hours of community service for T-Flow. Justice? Interested to hear what you think - http://www.computerworld.com/s/article/9239302/Four_former_LulzSec_members_sentenced_to_prison_in_the_UK
Washington State's court system has been compromised, exposing 160,000 social security numbers and a million drivers' license numbers - basically everything you'd ever need to steal someone's identity. Luckily officials have determined that only 94 of those were definitely obtained by the attacker (what?!). Also, ridiculous quote of the ye