Down the Security Rabbithole Podcast (DtSR)

In this episode...John discusses some of the foundational principles of Threat ModelingWe talk about why threat modeling is like your time in high schoolWe discuss why threat modeling is such an incredibly important tool to the enterpriseJohn gives us some nuggets of his experience with threat modeling enterprise applicationsGuestJohn Steven ( @m1splacedsoul ) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.John is known for his in-depth work in software security, his expertise in the field of threat modeling, and his snarkcasm. If you don't follow John on Twitter or haven't attended one of the talks he's been known to give occasionally - I recommend you do so. Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Welcome to Monday, May 20th 2013 as James and I discuss the last 2 weeks' worth of Information Security news and relate it (attemptively) to your enterprise day-job. This week was a bit on the lighter side, with the quote of the year (as far as I'm concerned) winner going to the Washington State Administrative Office of the Court for ...well, you'll just have to read the rest of the show notes and listen to the podcast.Also ... we are now on the Zune store. So ...to the 2 new Zune listeners - HELLO!Topics CoveredResearches at Trend Micro uncover new cyberespionage campaign call it SafeNet (in unrelated news SafeNet the security company had nothing to do with this...). Yet another cyberespionage campaign targeting users with revolutionary new technique called "phishing", and using a vulnerability in Microsoft software patched in April 2012, originating from ... China! -  http://www.computerworld.com/s/article/9239342/Researchers_uncover_SafeNet_a_new_global_cyberespionage_operationDomain registrar, Name.com hacked, customer information including potentially usernames, email addresses, encrypted passwords (just how encrypted are we talking here? ROT13? double-XOR?), and encrypted (same question as before) credit card information potentially stolen. Again, the vector of choice is this revolutionary new tequnique called ... phishing - http://www.pcworld.com/article/2038263/namecom-forces-customers-to-reset-passwords-following-security-breach.htmlGodzilla hacked EC-Council (this needs no explanation) - http://www.esecurityplanet.com/hackers/ec-council-hacked.htmlFour former LulzSec members (former?) sentenced for their roles in the 2011 attacks on companies such as Sony, Nintendo, News Corp, the CIA and many others. Sentences range from a 30-month prison term for "Kayla" to 200 hours of community services for T-Flow. Justice? Interested to hear what you think - http://www.computerworld.com/s/article/9239302/Four_former_LulzSec_members_sentenced_to_prison_in_the_UKWashington State's court system has been compromised, exposing 160,000 social security numbers and a million drivers' license numbers - basically everything you'd ever need to steal someone's identity. Luckily officials have determined that only 94 of those were definitely obtained by the attacker (what?!). Also, ridiculous quote of the year honors go tHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

In this episode...Kevin, James and I discuss why penetration testing reports are often so worthlessKevin and I disagree. Then we agree, sort of.We discuss the major differences between the 'builder' and 'breaker' mindset, and whether they're actually different peopleKevin gives some fantastic examples of how context and experience is critical in penetration testingWe provide guidance no how someone can 'break into' (no pun intended) penetration testing and be effectiveKevin gives an example of how someone can be a great penetration tester, but be of little value beyond thatWe wrap by disussing how enterprises can gain value from penetration testing- and Kevin provides an interesting strategyGuestKevin Johnson ( @SecureIdeas ) - Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub.  Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

It's another beautiful Monday (somewhere) and we've got the news of the last 2 weeks covered, and we're breaking it down for you. The news this week is, well, quite frankly kind of dark. Everything tells us we're in for a rough ride for the rest of the year, and it's only getting worse.If I sound a little funny, it's because I'm talking through a massive sinus infection and it's making me talk funny and stuffy.  Also the recording you hear is take 2 ... I had a major technology fail so we had to re-record, with less sadness.Topics CoveredWe are happy to report that Justin Beiber is in fact, not coming out of the closet and E! Online was only hacked by those wacky military hackers from the Syrian Electronic Army. Apparently they've been on quite the hacking spree of media outlets and even put a major - albeit brief - dent in the stock market! - http://www.nydailynews.com/entertainment/e-online-twitter-account-hacked-article-1.1335214The US Department of Labor was hacked, in what appears to be a very targeted 'watering hole' attack aimed at Nuclear employees. The attackers, if the stories are true, burned an IE8 0-day on this one, and of course they are Chinese - http://www.eweek.com/security/zero-day-exploit-enabled-cyber-attack-on-us-labor-department/Anonymous is threatening a massive attack against the White House (the political entity not the ...nevermind), Bank of America, Citibank and other targets on May 7th. Are these folks just becoming part of the 'background noise' of the Internet? Are security professionals just starting to become numb to the DDoS attacks? - http://pastebin.com/TyvAK20FChinese hackers have apparently ransacked QinetiQ, a defense contractor with ties to global cyber intelligence operations, spooks,and other interesting things. Bloomberg's write-up was not kind to these guys - http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-seHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

In this episode...Live (live-to-tape) from 44Con, London, England.It's amazing, listening to this episode recorded at 44Con last fall, how little the landscape of enterprise security has changed. I took some time during the busy conference to sit down with Ian Amit and Dennis Groves to discuss Ian and my talks (which were perfectly aligned, and completely unplanned!) on the state of security in the enterprise. It's always interesting to get the perspective from 2 industry-well-known speakers and thinkers.We discuss the topics of #SecBiz including the role of security in the enterprise, the challenges business security professionals face, metrics and why we have some of the crazy change management failures in security. We laugh, we almost start to cry - but ultimately come to the realization that we need change. Ian and Dennis and I are working on driving that change!GuestsIftach Ian Amit ( @iiamit ) - Seasoned manager in the security and software industry with vast experience in a myriad areas of software (from enterprise security, through retail oriented, to end user software and large back-end systems). Highly experienced in leading marketing opportunities, and translating technical innovation into marketable concepts that increase sales and exposure. Information Security expert with vast experience ranging from low level technical expertise and up to corporate security policy, regulatory compliance and strategy. BlackHat and DefCon speaker, with vast experience in public speaking and private customer focused seminars. Founding member of the PTES (Penetration Testing Execution Standard), IL-CERT, and the Tel-Aviv DefCon group (DC9723).Dennis Groves - Dennis's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute. He is most well known for co-founding OWASP.Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

It's Monday April 22nd, 2013, and here are the topics from the last 2 weeks James ( @jardinesoftware ) and I ( @Wh1t3Rabbit ) will be talking about as we Monday-morning-quarterback the last 2 weeks in Information Security... Fair warning, we have way too many topics to fit into 20 minutes... so went a little bit longer but both feel it's well worth your time. Laugh, cry, and be informed.Topics CoveredMicrosoft rolls out 2-factor authentication - James points out that Microsoft has rolled out authenticator-agnostic, robust 2-factor authentication... if only I could figure out how to use it? If you have any experiences with this, please share with us on Twitter, using the #DtR hashtag - http://nakedsecurity.sophos.com/2013/04/11/microsoft-look-like-being-next-with-2fa/Oracle dumps a 42-patch bundle - Oracle has dropped a massive patch bundle, many of these are remotely exploitable Java issues, and it's not a walk in the part for Enterprise Security folks. Also ... we chuckle a little bit about the absolutely mindless new 'shape-coded' warnings - http://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/US and China to work on cyber security? - In what James and I both thought was a botched April Fools' joke, it appears as though China & US have come together to decide who the real vicim in this 'cyber hacking' problem is, and what they're going to do about it going forward. Are we absolutely sure this isn't a farse? - http://www.reuters.com/article/2013/04/13/us-china-us-cyber-idUSBRE93C05T20130413?irpc=932Hacking a plane with an Android app? - A hacker has demonstrated (at the HitB Conference) that it is possible to remotely control a plane, in the setting of a lab. James and I talk about what the implications of this are... more to come - http://www.theatlanticwire.com/technology/2013/04/no-german-hacker-probably-cant-hijack-airplane-software/64158/Louisville Credit card processor HACKED - Another credit card processor hacked...and the notification comes from, you guessed it, a 3rd party - http://www.wave3.com/story/21911646/louisville-credit-card-processor-hacked-card-numbers-stolenHacking ring targeting...video games? - A hacking ring was uncovered by Kaspersky that has, for a number of years, been targeting video games, their source code, and other components. To What end? we discuss - Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

In this episode...A critical discussion on the available 'cyber intelligence' reports from various vendorsHow hard is attribution in cyber space, really?"Alternative analysis" - why isn't it being used enough in cyber intelligence reporting?Discussion on 'degrees of certainty' and its apparent lack of application to cyber intelligenceExtensive discussion on avoiding confirmation bias, critically reviewing intelligence work, and peer reviewing processesKinetic responses to cyber threats and other outrageous rhetoricHacking back? but hacking whom?GuestJeffrey Carr ( @JeffreyCarr ) - Jeffrey Carr is a cybersecurity analyst and expert.He lives in Seattle Washington. He is founder and CEO of Taia Global inc. He is also the founder and principal investigator of Project Grey Goose, an open source investigation into cyber conflicts including the Russian cyber attacks on Georgia, the Indian Eastern Railway Website defacement and the Israeli-Palestinian war in 2008 to 2009. He is also a government contractor who is consulted on Russian and Chinese cyber warfare strategy and tactics. [ http://en.wikipedia.org/wiki/Jeffrey_Carr ]Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

In this second episode of our Monday morning InfoSec quarterbacking, James and I actually got through the news items we had lined up in just about 20 minutes. I count this as a win.Topics CoveredChoice Escrow & Land Title, LLC vs. BancorpSouth, Inc. | At issue is the Uniform Commercial Code (UCC) as it applies to commercial entities taking "commericially reasonable methods" to secure their transactions. This one is going to have a major ripple effect, keep an eye out for further developments - http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/"The biggest cyber attack ever" | Or really, a DDoS feud between a known spammer (CyberBunker) and a spam fighter (SpamHaus) which actually did impact Internet traffic in Europe, but was effectively a tempest in a teapot for most everyone else - http://www.cnn.com/2013/03/27/tech/massive-internet-attack/index.html?hpt=hp_t2Schnuck's gets hacker by "computer code", but it's OK now | Short version of this story, be careful how hard you play up the 'reputation' angle with your business ...turns out people may not care so much - http://www.stltoday.com/business/local/schnucks-says-credit-card-fraud-source-found-and-contained/article_605469bd-db5d-5a1b-94cf-100f4eabc58f.htmlDarkleech affects huge amount of Apache servers, silently installs iFrame-based malware selectively | People who name these things come up with some of the coolest names ...seriously! Interesting story. - http://www.h-online.com/security/news/item/Darkleech-infects-scores-of-Apache-servers-1834311.htmlBitCoin wallet service InstaWallet hacked, shuts down "indefinitely" | Oh, another BitCoin tragedy as the currency suffers yet another blow to its viability as hackers target a wallet service, value bounces. - http://venturebeat.com/2013/04/03/bitcoin-wallet-instawallet-hacked/Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

First ...a milestone.I want to take this time to formally welcome Mr. James Jardine, of SecureIdeas, as my permanent co-host to the podcast. James has experience podcasting as he already co-pilots the Professionally Evil Podcast, and he's witty, knowledgeable, and awesome to work with on the microphone. I ask that you all give James a warm welcome!In this episode...Overview of what cyber liability insurance is and what it isn'tWe ask "Why would we need a security program, when you can just buy insurance?"How do [cyber] under-writers figure out how to insure you, and how much of a liability your organization and its practices is?The types of costs and coverages available in some of the different policies at the various carriersWe pull on the 'reputation' thread ... againWe try to divine the magic formula used to calculate how to calculate a 'liability' or coverage requirementWe try and figure out how an enterprise can drive down their cyber liability insurance premiumsChristine touches on mobility, encryption, and some interesting tidbits for the modern enterpriseGuestChristine Marciano ( @DataPrivacyRisk ) - Christine Marciano is President of Cyber Data Risk Managers, an Independent Insurance Agency specializing in Cyber Risk/Data Breach insurance, Directors & Officers insurance and (IP) Intellectual Property protection. Christine has over 17 years of experience working in various roles within the Insurance and Financial Services industry. Prior to establishing Cyber Data Risk Managers, Christine has held positions at CIBC Oppenheimer, Axa Advisors and Allstate Insurance Company.LinksChristine's Blog - http://databreachinsurancequote.com/blog/My 2013 Data Privacy, InfoSec & Cyber Insurance Trends report - http://databreachinsurancequote.com/wp-content/uploads/2013/02/2013-Data-Privacy-Information-Security-and-Cyber-Insurance-Trends-Report.pdfChristine's free weekly newsletter signup page - http://databreachinsurancequote.com/subscribe-data-breach-weekly-newsletter/Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Welcome to the Down the Rabbithole NewsCast!Join me in welcoming James Jardine ( @JardineSoftware) of Secure Ideas to the show as a permanent co-host! The NewsCast is a bi-weekly (2nd and 4th Monday of the month) release where we'll discuss the news and events of the past 2 weeks, and attempt to analyze, break down, and generally make sense of the madness of the Security industry and real world at large.Also a big thanks to Todd Haverkos, the voice behind the hilarious intro you'll hear on this podcast, and all the others ...Topics We CoveredApple's new 2-Factor Authentication went liveCisco made passwords weaker (whoops!) in their IOSThe US Government struck out twice (SAM security issue, and a contractor "buys" warez)Celebrities get their credit info jackedS. Korea gets whacked with a nasty bug, wipes out 32,000 machines in one swoopHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast