

Down the Security Rabbithole Podcast (DtSR)
Rafal (Wh1t3Rabbit) Los
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Episodes

Nov 3, 2014 • 44min
DtR Episode 117 - NewsCast for November 3, 2014
Topics covered:
Banks urging shoppers not to avoid breached retailers - Companies that get breached impact card holders minimally, at least as far as we can tell, right?
http://www.kcentv.com/story/26887771/local-bank-leaders-no-need-to-avoid-hacked-retailers-during-holidays
Federal officials (FBI, US SS) are making a big push to be your source for cyber-security help - Interesting that this comes up at a time when everyone is fighting back against government meddling/surveillance
http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
The FCC flexes its muscle in a pair of fines totalling a paltry $10m for egregious security violations - Of course, the people who have had their privacy and security violated see none of this big-telco pocket-change...
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/24/with-a-10-million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/
Congress doesn't grant the FBI the ability to prevent mobile encryption... undoubtedly ushering us into "a very dark place" - for once, Congress did something useful by doing what it's famous for: nothing
http://www.theregister.co.uk/2014/10/22/fbi_apple_grapple_congress_kills_cupertino_crypto_kibosh/
Insurance companies fighting to get data breach coverage removed from general liability policies - isn't this obvious? I think this is one of the last shoes to drop before things move forward, finally
http://www.businessinsurance.com/article/20141026/NEWS07/141029850
Have something to say? Let's hear it.
Support the show
>>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Oct 27, 2014 • 54min
DtR Episode 116 - Lines in the Sand on Security Research
In this episode:
Chris attempts to explain the consternation with 'security research' right now
Kevin gives his perspective and why he doesn't quite understand why people don't see they're "breakin' the law"
Shawn discusses what parts of the CFAA he would like to see reformed
James drops the question - "What is a security researcher?" ..and rants a little
Kevin talks about why the security industry needs to self-regulate w/example
Chris and Kevin debate intent, and "stepping over the line"
Chris brings up the issue of bug intake at a large company
Spirited discussion about intent, regulation, actions and separating emotion from facts
Guests:
Chris John Riley ( @ChrisJohnRiley ) - Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years of experience in various aspects of Information Technology, Chris now focuses full time on Information Security with an eye for the often overlooked edge-case scenario. Chris is one of the founding members of the PTES (Penetration Testing Execution Standard), regular conference attendee, avid blogger/podcaster (blog.c22.cc / eurotrashsecurity.eu), as well as being a frequent contributor to the open-source Metasploit project and generally getting in trouble in some way or another. When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.
Shawn Tuma ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.
Kevin Johnson ( @SecureIdeas ) - Kevin is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub.

Oct 20, 2014 • 38min
DtR Episode 115 - NewsCast for October 20th, 2014
Topics covered:
The FBI paid a visit to the "researcher" who revealed (and tinkered with) the hacked Yahoo! servers - we discuss the various aspects of this case, which we've been going round and round on lately
http://www.wired.com/2014/10/shellshockresearcher/
US Cyber Security Czar Michael Daniel wants our passwords gone, replaced by .... "selfies"; We wish we were making this one up or the link was to an Onion article, but sometimes the jokes write themselves in a sad, sad way
http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/
Pres. Obama has issued an executive order that all government payment cards now must be "chip & pin"; once again underscoring that "just do something" may be worse than actually doing nothing -- we'd love to hear your thoughts
http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions
Notable data breaches discussed:
K-Mart - http://www.theregister.co.uk/2014/10/12/kmart_cyber_attach/
Dairy Queen - http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
POODLE, the latest OMG SSL vulnerability; is this really that big a deal that there is a public vulnerability in a protocol that should have become extinct at the turn of the century? (Hint: Sadly, yes)
http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/

Oct 13, 2014 • 45min
DtR Episode 114 - Threat and Vulnerability Management
In this episode:
Ron gives us a brief history of Tenable and TVM for the enterprise
Ron answers "How do you make network security obtainable and defendable?"
We discuss TVM as a fundamental principle to many other security program items
Ron tells us what the modern definition of "policy" is
We discuss some hurdles and challenges of TVM programs in an enterprise
We note that security scanning can always break stuff - so how do you get around that?
Ron tells us why TVM is so much more than scanning
Michael asks "Why are so many companies stuck in a Prince song (1999)?"
We attempt to tackle - compliance, risk, and managing to a goal
Ron answers the question - "Are we getting any better?"
Guest:
Ron Gula ( @RonGula ) - CEO and CTO at Tenable. Ron co-founded Tenable Network Security, Inc. in 2002 and serves as its Chief Executive Officer and Chief Technology Officer. Mr. Gula served as the President of Tenable Network Security, Inc. He served as the Chief Technology Officer of Network Security Wizards which was acquired by Enterasys Networks. Mr. Gula served as Vice President of IDS Products and worked with many top financial, government, security service providers and commercial companies to help deploy and monitor large IDS installations. Mr. Gula served as Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked at BBN and GTE Internetworking where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. He was the original author of the Dragon IDS. Mr. Gula has a BS from Clarkson University and an MSEE from University of Southern Illinois.

Oct 6, 2014 • 48min
DtR Episode 113 - NewsCast for October 6th, 2014
Topics covered:
The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ...well we talk about it with an attorney and some necessary skepticism
https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD
My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html
A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots
http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation
A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware
http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app
The code for the badUSB attack was published and released at DerbyCon - we discuss implications
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
Cedars-Sinai Medical Center loss of data is much worse than they thought, but it's actually worse than that - a teachable moment here
http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story.html

Oct 2, 2014 • 40min
DtR FeatureCast - CFAA, Shellshock and Security Research - October 2nd 2014
Thank you to Shawn Tuma - an attorney specializing in CFAA and a good friend of our show - for stopping by and lending his expertise on this episode. If you enjoy Shawn's insights, consider following him on Twitter ( @ShawnETuma ) or just saying hello!
In this episode:
We discuss the CFAA in regards to Robert Graham's brilliantly written blog post on the topic - http://blog.erratasec.com/2014/09/do-shellshock-scans-violate-cfaa.html
Shawn gives some key insights on the CFAA including historical context
Michael asks some tough questions on the discretion and applicability of CFAA prosecution
James goes on a rant about "security researchers" (it's a gem)
I'm pretty sure Shawn goes on the record saying security researchers should be credentialed..or was that me?
We get some advice from Shawn on where this topic goes next, and how to avoid being a target of prosecution
Guest:
Shawn Tuma ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.

Sep 29, 2014 • 42min
DtR Episode 112 - DREAMR Framework
In this episode:
DREAMR: What is it, and why is it so important to Enterprise Security today?
Examples of aligning business and security requirements and winning hearts & minds
How does a security organization get around "see I told you so!" security
An example of how to make the framework work for you
We discuss the importance of listening, then listening, then listening some more
Jessica and Ben explain "accommodating" the business
Jessica and Ben give us "One critical piece of advice"
Guests:
Jessica Hebenstreit ( @secitup ) - Jessica Hebenstreit has been a member of the Information Security community for over a decade. Having worked on both the technical and business sides of various enterprises, Hebenstreit has a unique perspective that allows for more understanding when balancing competing interests. She is a successful and results-oriented Information Security expert with hands-on information security experience in security monitoring, incident response, risk assessment, analysis, and architecture and solution design. She holds the following certifications: CISSP, GIAC-GSEC, CRISC and SFCP. In March 2012, she earned her Master of Science in IT (MSIT) specializing in Information Assurance and Security. She is currently the Manager of Security Informatics - Threat Analysis and Response at Mayo Clinic. She is building a smart response architecture for incident response from the ground up.
Ben Meader ( @blmeader ) - Ben Meader is a Senior Security professional with a unique blend of technical acumen and business know-how. Meader's security thought leadership has been battle tested at multi-national firms over the past 13 years ranging from network security and operational security to performing detailed risk assessments and implementing a firm-wide privacy program. He remains up to date in both security and business having received his M.B.A. from DePaul University and has a current CISSP. He is also active in the entrepreneurial community and is Co-Founder of a mobile application company on the side. His education and range of experiences in working with firms both large and small have given him a unique perspective on the role of security within different business cultures and how competing philosophies can collide.

Sep 22, 2014 • 47min
DtR Episode 111 - NewsCast for September 22nd, 2014
Topics covered:
Hacker flees US for non-extradition country - why?
http://blog.erratasec.com/2014/09/hacker-weev-has-left-united-states.html
http://www.newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison
Class-action lawsuit against Onity lock company ("easily hackable hotel lock") rejected by judge
https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml
http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/
Home Depot - the dirt starts to fly
http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
https://privacyassociation.org/news/a/following-breach-report-shows-home-depot-has-105-million-in-coverage/
https://privacyassociation.org/news/a/2013-05-01-supreme-court-wiretap-ruling-upholds-stringent-standing-to-sue/

Sep 15, 2014 • 40min
DtR Episode 110 - Red Dragon Rising
In this episode:
Separating the hype from reality of the Chinese hacking threat
The escalation of economic tensions between US & China, over hacking
What is the advice for the enterprise regarding state-sponsored attacks?
The challenge with the uni-directional intelligence flow for government/enterprise
The challenge with nation-state hacking of critical infrastructure
The worst-case scenario (quietly happening?)
Directly addressing the various APT reports (specifically APT1)
Does a cyber attack warrant a kinetic response?
Attribution is hard. Is it more than black-magic, and is anyone doing it right?
The great disconnect between the keyboard jockey and real-life consequences
Guest:
Bill Hagestad II ( @RedDragon1949 ) - Internationally recognized cyber-intelligence & counter-intelligence professional. Technical, cultural, historical and linguistic analysis of foreign nation state cyber warfare capabilities, intents & methodologies... Listed by Forbes Magazine as one of "20 Cyber Policy Experts To Follow On Twitter". Bill can be found on LinkedIn at www.linkedin.com/in/reddragon1949

Sep 8, 2014 • 50min
DtR Episode 109 - NewsCast for September 8th, 2014
Topics covered:
Apple has been making news, issuing guidance, and refuting a hack - all around iCloud
http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/
http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/
http://www.cio-today.com/article/index.php?story_id=94027
HealthCare.gov was hacked, but no worries, it was only a test server and no 'data was taken/viewed'. Does this sound like something you've faced in the enterprise ... hmmmm? If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat.
http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior
http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html
Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (did you Buy The Dip? h/t @DearestLeader )
http://seekingalpha.com/article/2478055-home-depot-potential-data-breach-may-have-presented-a-good-opportunity-to-buy-the-stock
http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
http://www.csoonline.com/article/2601082/security-leadership/are-you-prepared-to-handle-the-rising-tide-of-ransomware.html
Norway's Oil & Gas industry is now the target of hackers, seeking to get intelligence on production, exploration - and that all-important state-sponsored competitive edge.
http://www.thelocal.no/20140827/norwegian-oil-companies-hacked
Google is deprecatin


