Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Aug 5, 2013 • 43min

DtR Episode 52 - Advanced threats, remedial defenses, broken record

In this episode...
Dave reminisces a bit...
Dave discusses 'digitally signed malware' and what it means
We discuss whether it's true that 'all networks are compromised'
We discuss consumer-grade vs. corporate-grade threats, and why they're different
An interesting point by Dave about why enterprises aren't learning from their compromises
We discuss customized malware, with specific and targeted payloads for specific systems
Dave talks about whether 'combat the criminal, hire the criminal' is true

Guest
Dave Marcus ( @DaveMarcus ) - Dave is currently the Chief Architect, Advanced Research and Threat Intelligence, McAfee Federal Advanced Programs Group. He's been around the industry for a long time, and has influenced countless researchers. He is well known as a fantastic speaker, subject-matter expert and generally a badass, and I feel lucky enough to call him my friend.

Have something to say? Let's hear it.

Support the show
>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Jul 29, 2013 • 29min

DtR Episode 51 - NewsCast for July 29th, 2013

Ladies and gentlemen, we are over the 50-episode mark! If you've enjoyed the podcast, please go rate us in the iTunes store, or leave us a note here. Have you checked out past episodes?! There are some gems in there, I promise, and worth your time.

Topics Covered
Charlie Miller and Chris Valasek demonstrated (and will disclose code to) the hack which allows complete (tethered) remote control of a modern vehicle. You need to watch this video, and if you develop code for transport vehicles and aren't thinking about securing your code - it's time to adjust course before you actually kill someone - http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and this is how the UK 'muzzled' a researcher who did something similar - http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/
Apple demonstrates how not to do breach disclosure, while Ibrahim Balic demonstrates how to jump into the spotlight (and put foot in mouth before thinking) by disclosing, video-recording, and telling the world of his 'ethical test' of Apple's forums - http://www.news.com.au/technology/ibrahim-balic-breaks-silence-on-hacking-apple-developer-site/story-e6frfro0-1226684484916 and http://gigaom.com/2013/07/22/researcher-comes-forward-to-claim-responsibility-for-intrusion-on-apple-developer-site/
After many years on the run, Russian super-hackers involved in the biggest breach of all time are caught - because they broke the first few rules of hiding - http://www.reuters.com/article/2013/07/26/us-usa-hackers-creditcards-arrests-idUSBRE96P02Z20130726
Exciting news for those of you who are sick of Android app developers' over-reaching nature in the permissions arena: with the release of 4.3 there is a glimmer of hope in reining in those games that for some unknown reason require access to your contacts and 'premium services' and such - http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/
Jul 22, 2013 • 42min

DtR Episode 50 - The Emergence of Geopolitics in InfoSec

Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment.
/Wh1t3Rabbit

In this episode...
We try and discuss 'defense in depth' on the geopolitical scale
@packetknife drops the truth about 'geopolitics experts' in InfoSec
Ali explains navigating the undocumented security requirements in emerging markets
We talk about whether all this stolen data from enterprise has actually made a difference
Ali discusses the 'western sense of intellectual property' (eye-opening!)
Deperimeterization - why #InfoSec must adopt this RIGHT NOW, but seems allergic to it
Ali drops 'lawfare' on us - and why #InfoSec must know its options
We discuss why people 'generally just don't get it' when it comes to moving to triage over 'secure'
Ali decides he wants to be Frank, or is that frank? :-)

Guest
Ali-Reza Anghaie ( @PacketKnife ) - Ali is a resident expert (or as much as one can be) on geopolitics from his unique background, experience and perspective. He's a well-known figure in the community and has deep insight into the things that most of us read in the media, and pretend to understand. He's the perfect guest for Episode 50!
Jul 15, 2013 • 28min

DtR Episode 49 - NewsCast for July 15th, 2013

Topics Covered
9 Years After Shadowcrew, Feds Get Their Hands on Fugitive Cybercrook
http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest
vBulletin forums compromised (~15-~150k) to serve malware
http://news.softpedia.com/news/Around-150-000-vBulletin-Forums-Compromised-Abused-to-Serve-Malware-366442.shtml
America's EAS (Emergency Alert System) is open to compromise (still)
http://www.wired.com/threatlevel/2013/07/eas-holes/
Mobile malware up 614% y/y says Juniper, but mostly Android
http://www.computerworld.com/s/article/9240772/Mobile_malware_mainly_aimed_at_Android_devices_jumps_614_in_a_year
Blue Box Security finds "master key" issue with Android - but there's more to it
http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/
Jul 8, 2013 • 45min

DtR Episode 48 - Securing HP Software

In this episode...
We get a little insight into the mind of Tomer, and how he thinks about security
We get an insight into what HP Software IT Management is doing to ensure security in the products they release
We discuss making security more than just a security line-item, and a business requirement
There are many "uncomfortable pauses" :)
We discuss Tomer's risk-focused approach to software quality
We ask "Is HP drinking its own champagne?"
Tomer gives us his feeling on DevOps

Guest
Tomer Gershoni - Tomer is the Information Security Officer responsible for product security for a select part of HP Software known as IT Management. Previous to that he was the CISO for HP Software-as-a-Service for over 3 years, based out of Yehud, Israel. Tomer has over 10 years' experience in Information Security and a background in software security. He is a very interesting individual, and his public profile can be found on LinkedIn here: http://il.linkedin.com/in/tomergershoni
Jul 2, 2013 • 32min

DtR Episode 47 - NewsCast for July 1st, 2013

*Apologies for this very important episode getting out a bit late, ladies and gents; I experienced a loss in the family, so things were a little slow to re-start. We should be back on track for next week's episode.

Topics Covered
Political hacktivism is making a big splash in international news -
http://www.ilovechile.cl/2013/06/17/chile-democratic-partys-official-site-hacked/87737
http://www.kjrh.com/dpp/news/local_news/jenks/jenks-chamber-of-commerce-website-hacked-for-second-time-within-a-month
http://www.publicnewshub.com/zimbabwean-hackers-hailed-for-attacking-ancs-website/
http://www.bignewsnetwork.com/index.php/sid/215436810/scat/b8de8e630faf3631/ht/South-and-North-Korea-close-website-amid-hacking-alerts
http://www.business-standard.com/article/pti-stories/syria-s-online-troops-wage-counter-revolutionary-cyber-war-113060900065_1.html
http://www.ehackingnews.com/2013/06/turkish-ministry-of-interior-website.html
Google published their epic Transparency Report data
http://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/
http://www.google.com/transparencyreport/
European Union issues new data breach laws for the telecommunications industry
http://www.infosecurity-magazine.com/view/33109/eu-announces-new-data-breach-rules-for-telecoms/
Critical vulnerabilities found in CROWD single sign-on product
http://www.computerworld.com/s/article/9240487/Critical_vulnerabilities_found_in_Atlassian_Crowd_enterprise_single_sign_on_tool
Facebook offers (pays!) $20,000 for brilliant business-logic bug
http://www.eweek.com/security/facebook-patches-mobile-text-vulnerability-rewards-flaw-discoverer/
Microsoft launches a bug bounty program, for
Jun 24, 2013 • 40min

DtR Episode 46 - Serious Problems with Industrial Control System

In this episode...
The gang discusses the issues with the rapid escalation of connectivity in modern-day industrial control systems
What specialized skills are needed to be a SCADA or ICS hacker
A nervous pause as vulnerabilities in ICS systems which could affect the adult beverage industry are touched upon
Discussion on how to deal with 25-year patch cycles
Why is it that embedded devices simply don't get patched like your other systems?
What are the real issues with ICS systems, and why they're not getting enough attention... yet

Guest
Mr. Billy Rios ( @XSSniper ) - In addition to being a long-time friend of mine, and one of the most knowledgeable and humble people in the hacking space, Billy is currently a Technical Director and the Director of Consulting for Cylance. Billy is an accomplished web application hacker, having released an XSS tool whose name is currently his Twitter handle. While being a "big picture" guy, Billy also tackles some of the most complex large-scale ICS issues, and with his team works to identify and remediate threats to his clients.
Jun 17, 2013 • 20min

DtR Episode 45 - NewsCast for June 17th, 2013

This week, James is flying solo on the microphone, catching you up on all the latest news and BIG stories since I'm at HP Discover in Las Vegas and Suits and Spooks in La Jolla, CA. A busy week all the way around, with some pretty earth-shattering news coming out!

Topics Covered
We couldn't be the only ones NOT covering the big NSA leak and revelations of spying and other surveillance. Somewhere in the hype, though, is the enterprise story of insider threat - http://www.guardian.co.uk/world/2013/jun/09/nsa-secret-surveillance-lawmakers-live
Google Glass is in the news, again, this time from an enterprise perspective. In light of the slight insider threat problem revealed lately, how will Google's glasses impact security, and society in general, for good or evil? - http://www.computerworld.com/s/article/9240077/Google_Glass_could_get_a_look_at_the_enterprise
Apple made the news with iOS 7 and the big "kill switch" feature; is this really a good idea that actually works, or a desperate gimmick to demonstrate innovation? (Especially in light of the lock screen bypass in the iOS 7 beta!) - http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch and http://www.forbes.com/sites/andygreenberg/2013/06/12/bug-in-ios-7-beta-lets-anyone-bypass-iphone-lockscreen-to-access-photos/
Google noticed a significant spike in phishing traffic to GMail around the Iranian "election" (and I use that in quotes on purpose), an interesting developing story - http://money.cnn.com/2013/06/14/technology/security/google-phishing-iran/index.html
Last but certainly not least, how about that 2+ year old Adobe Flash bug that's being exploited in Chrome to allow attackers (or just perverts) to spy on you using your webcam... creepy! - http://www.forbes.com/sites/andygreenberg/2013/06/14/two-year-old-flash-bug-still-allows-webcam-spying-on-chrome-users/
Jun 10, 2013 • 47min

DtR Episode 44 - Unmasking Security Products

In this episode...
We discuss the true nature of many of the security product decisions CISOs have to make every day
Frank and Raf make very poorly thought-out sports analogies
There are uncomfortable lengths of silence (mostly edited out)
The crew discusses NSS Labs, and what they do to help the CISOs out there make smarter decisions
"Someone" asks about anti-virus...
[ More info on NSS Labs and the two guests today can be found here: https://www.nsslabs.com/analysts and https://www.nsslabs.com/ ]

Guests
Frank Artes ( @franklyfranc ) - Research Director
Francisco Artes is a recognized information security executive who has helped form some of the motion picture & television industry’s best practices for securing intellectual property. Artes is also known for his work on cybercrime, hacking and forensic security issues with various federal, state and local government and law enforcement agencies such as the US Dept. of Homeland Security, the FBI, the Texas Rangers, US Marshals and several others. Mr. Artes most recently served as Vice President, Chief Architect / Content Protection for Trace3, and as Vice President, Security Worldwide for Deluxe Entertainment Services Group. Artes has presented on six of the seven continents, serves on several boards and is a Trusted Adviser for The Security Consortium.

John Pirc ( @jopirc ) - Research Vice President
John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, “Blackhatonomics: An Inside Look at the Economics of Cybercrime” (published in December 2012), and “Cyber Crime and Espionage” (published in February 2011), Pirc has been named a security thought leader by the SANS Institute and speaks at top-tier security conferences worldwide. Mr. Pirc’s extensive expertise in the security field includes roles in cybersecurity research and development for the Central Intelligence Agency, Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for Security Products at IBM Internet Security Systems, Director of McAfee's Network Defense Business Unit and, most recently, Director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. In addition to a bachelor's degree in Business Administration, Pirc holds the NSA-IAM and CEH certifications.
Jun 3, 2013 • 27min

DtR Episode 43 - NewsCast for June 3rd, 2013

It's June already?! Where has the first half of 2013 gone? James and I break down the last 2 weeks of interesting InfoSec news in a short "Monday morning quarterback" style... enjoy!

Topics Covered
Evernote adds 2-step verification for their authentication, and follows suit with just about every other 'modern' app. Following on the heels of Twitter, LinkedIn, FaceBook, Apple and the one that started it all, Google - we're now getting multi-step authentication from Evernote. Free users not welcome ...yet? - http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
Dropbox down for more than an hour, but it wasn't a security bug (we don't think); it's just that they had 'technical difficulty'. If you depend on Dropbox for your file synchronization services, you knew this happened - http://www.computerworld.com/s/article/9239648/Dropbox_goes_down_for_more_than_an_hour
NIST 500-299 "Cloud Computing Security Reference Architecture" document is released. There's a bit of irony here, as the document itself is a whopping 299 pages! - http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
Drupal.org has been hacked, and it appears 2013 just isn't a good year for the folks over at Drupal. Apparently about 1 million accounts have been compromised/affected, and all accounts had their passwords reset - I apparently had a Drupal account I don't remember anymore, and my password was reset too - http://techcrunch.com/2013/05/29/drupal-org-hacked-user-details-exposed-and-reset/
Google changed its disclosure policy for critical issues that are actively being exploited from the standard 60 days, to 7. A week. 7 days down from 60 ... this needs more reading and discussion - http://www.csoonline.com/article/734286/google-zero-day-disclosure-change-slammed-praised
Hackers are exploiting a Ruby on Rails vulnerability that was patched this past January, so zero-day no longer applies... the lesson here is to patch in a timely fashion! - http://www.computerworld.com/s/article/9239588/Hackers_exploit_Ruby_on_Rails_vulnerability_to_compromise_servers_create_botnet?taxonomyId=17
