Down The Security Rabbithole
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 398:36:06
Information:
Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise. Read the blog > http://hp.com/go/white-rabbit Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
- DtSR Episode 227 - NewsCast for January 10th 2017
  12/01/2017, Duration: 47min
  - St. Jude, MedSec and the FDA
    - FDA, St. Jude go through disclosure/fix cycle
    - No mention of MedSec - interesting for discussion; did they have an impact?
    - St. Jude does a fairly great job of notification, updating
    - “Benefits outweigh the risks”... that’s a big statement
    - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
    - http://www.businesswire.com/news/home/20170109005921/en/St.-Jude-Medical-Announces-Cybersecurity-Updates
    - http://www.medsec.com/entries/stj-lawsuit-response.html
    - http://podcast.developsec.com/ep-56-security-contacts
  - New York financial regulator to delay cyber security rules
    - Originally supposed to go into effect Jan 1.. New date is March 1
    - We discussed in passing in a previous episode
    - There are final adjustments being made, of course
    - http://www.reuters.com/article/us-cyber-new-york-idUSKBN14A224
  - Massachusetts makes data breach reports available online
    - http://turnto10.com/news/local/massachusetts-makes-data-breach-reports-available-online-01-04-2017
    - Seems less like a
- DtSR Episode 226 - Targeted Threats Facts From Fiction
  03/01/2017, Duration: 57min
  Welcome to the first Down the Security Rabbithole Podcast episode of 2017! We would like to kick off this year, and the run to episode 250, with an episode that dissects the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, that's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats. Sit back, grab a coffee and listen. I know you'll want to listen to this one more than once! If you have a moment, and you actually read the show notes, we would love it if you could give us a rating on iTunes or actually leave a comment on the podcast page. Get engaged on Twitter, using the hashtag #DtSR!
  Guest Biography: Sergio Caltagirone hunts evil. He spends his days hunting hackers and his evenings hunting human traffickers. After 9 years with the US Government, over 3 years at Microsoft and now at Dragos, Sergio not only hunted the mos
- DtSR Episode 225 - NewsCast for December 20th 2016
  20/12/2016, Duration: 44min
  Merry Christmas, Happy New Year everyone! May your holidays be filled with joy, love and family. From Michael, James and myself we wish you the very best and a healthy, prosperous and fulfilling 2017. We will be back in 2017 with another great DtSR Episode... but before we go - here's one last NewsCast for 2016.
  - Yahoo - setting records again - biggest hack ever
    - It happened again: Yahoo says 1 billion user accounts stolen in what could be biggest hack ever
    - 1 billion accounts.. But 1 billion users? Probably not
    - It was 2013… does it even matter?
    - Bigger issue - secret questions/answers can't be changed easily (if you're honest, which you shouldn't be)
    - What about the integrity of the Yahoo! brand?
  - Netgear Routers - Simple fix, Difficult fix
    - As with most devices that weren’t designed to be updated…
    - The software fix (firmware) is quite easy according to Netgear
    - Problem is … how to get users to install it
    - http://kb.netgear.com/000036386/CVE-2016-582384
  - Microsoft Patches dangerous backdoor in Skype for Mac OS
- DtSR Episode 224 - Pointing the Finger of Responsibility
  13/12/2016, Duration: 01h07min
  On this episode of Down the Security Rabbithole we tackle the question head on. Whose responsibility is security? Is it the end user who should be responsible for patching the devices they own? Is it the vendor who sells the wares? Is it the manufacturer who sells things with security issues? What if it was everyone's problem? How do we police, legislate and ultimately assign blame? Should we be assigning blame, and more importantly what gives with this fascination for blaming the victim? Lots of questions are asked and we start to tackle some of the answers...maybe.
  Guests:
  - Shawn Tuma - @shawnetuma
  - Jonathan Nichols - @wvualphasoldier
  - Dave Dittrich - @davedittrich
  - Mark Zelcer - @markzelcer
- DtSR Episode 223 - NewsCast for December 6th 2016
  06/12/2016, Duration: 48min
  - Federal Government Disproves the Myth of Cyber Talent Shortage
    - If the government can find and hire them - they exist
    - What does that mean for the rest of us hiring?
    - https://cio.gov/how-to-snag-talent-to-fill-critical-cybersecurity-positions-at-your-agency/
  - 5 Mistakes to Avoid to Hire Qualified Application Security Talent
    - Not understanding current needs
    - Ignoring existing resources
    - Not sharing the workload
    - Not defining the role
    - Overly broad job requirements
    - General idea: We say we need security talent, but we don’t step back to really understand what we actually need given our current status and resources
    - https://www.jardinesoftware.com/5-mistakes-to-avoid-to-hire-qualified-application-security-talent/
  - Obama Cyber Security Commission to [Finally] Present Its Report
    - Seems like lots of fluff. But is there any actual substance here?
    - Protect, defend, and secure today’s information infrastructure and digital networks
    - Innovate and accelerate investment for the security and growth of digital networks and the dig
- DtSR Episode 222 - Zero Trust Security Model
  30/11/2016, Duration: 54min
  This week, after a long wait, we have John Kindervag on the show! John talks us through the concept of "Zero Trust Security" and where and how it's implemented. It's a concept everyone should be familiar with by now - but I bet you aren't! Join us, and as always provide feedback to the team using the hashtag #DtSR on Twitter, and you can always ping John directly at @Kindervag as well.
- DtSR Episode 221 - NewsCast for Nov 22 2016
  22/11/2016, Duration: 45min
  - DHS Releases Strategic Principles for Securing the Internet of Things
    - https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
    - These seem to be the same principles that we have been saying for all software (web, mobile, etc.)
    - NIST also has a more generic publication, 800-160
    - What is the implication for the enterprise? Do we prioritize anything differently as a result?
    - What about the “need” for IoT legislation? Is the marketplace “broken?”
    - If “we’ve told people before” but “they didn’t listen,” does that actually mean they are wrong?
    - This is an area where we need to think about what we’re actually asking for
    - http://thehill.com/policy/cybersecurity/306418-house-subcommittee-chair-regulation-of-internet-connected-devices-not
  - Facebook buys black market passwords to keep your accounts safe
    - Password reuse is the single greatest cause of harm? Really?
    - Sounds too much like a lab experiment, rather than a legitimate use of capital
    - https:
- DtSR Episode 220 - Blaming the Breach Victim
  15/11/2016, Duration: 44min
  This week, Patrick Dennis - the CEO of Guidance Software - joins us to talk about the Enterprise Security world's fascination with blaming the breach victim. We talk through some of the key issues and look for a way off the hamster wheel. As always, #DtSR on Twitter to join in our conversation.
- DtSR Episode 219 - NewsCast for Nov 8th 2016
  08/11/2016, Duration: 47min
  It is election day.. Have you voted?
  - Beware, iPhone Users: Fake retail apps are surging before the holidays
    - The issue of brand protection and knock-off websites, apps and such is real
    - Spilling over into the digital world, from the physical
    - What is your company doing to protect yourself and your customers?
    - http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html?_r=0
  - Moving Beyond EMET
    - EMET is going away … in a while
    - Most of the features are now built into Windows 10
    - This is a great thing (built-in vs bolted-on security)
    - https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
  - Tesco Bank blames ‘systematic sophisticated attack’ for account losses
    - Fraud system appears to be working - good
    - ~40,000 accounts affected, ½ of those lost money
    - Tesco is putting funds back, making things right
    - Core banking assets don’t appear compromised, ATMs and such still work
    - Potentially an issue with the website, fixable
    - http://www.bbc.com/news/business-37891742
  - Google Discloses “Cri
- DtSR Episode 218 - The Business of Security
  01/11/2016, Duration: 51min
  This week on DtSR Chad Boeckmann - President of Secure Digital Solutions - joins us to talk about the business of security. While the "bad guys" are running their criminal enterprise, security teams have struggled to be business-relevant. This discussion starts to dive into how to align security and business goals, answering the "how much is enough?" question and so much more. Thanks to Chad for joining us. We encourage you to ask questions and leave comments here in the comments section or on Twitter at #DtSR. You can talk to Chad directly at @cboeckm on Twitter.
- DtSR Episode 217 - NewsCast for October 25th 2016
  25/10/2016, Duration: 47min
  - The Massive DDoS That Hit Dyn.Org
    - Massive DDoS disrupts a ton of popular websites (Netflix, Twitter, etc.)
    - IoT used to amplify the attack
    - What does this mean for corporate users, home users, and vendors?
    - https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
  - Verizon Reviewing Terms of Yahoo Deal As Revenue Slides
    - Is this really the result of the breach or did someone just get cold feet?
    - We’re speculating, but we’ve heard this type of talk before
    - To be honest, Yahoo! saw a rise in earnings over what was projected
    - http://www.wsj.com/articles/verizon-revenue-falls-below-views-1476966420
  - Passwords - We’re Still Giving Out Horrible Advice
    - Why are companies still making their end-users follow ridiculous policies?
    - Selfies? Is that a viable replacement?
    - http://www.wsj.com/articles/companies-try-out-selfies-as-password-alternatives-1476661046
    - What about SMS as an OTP replacement that NIST ‘deprecated’?
    - https://threatpost.com/nist-recommends-sms-two-factor-authenticati
- DtSR Episode 216 - Why Software Insecurity is Still a Thing
  19/10/2016, Duration: 46min
  This week, #DtSR takes a trip down Software Security lane, or as some call it "How are we still writing code with bugs that we found relatively concrete fixes for in the late 90's?" (I may have been watching too many John Oliver episodes...) Jeff Williams ( @Planetlevel ) and Tyler Shields ( @txs ) join me to talk this topic over, from where we've been, to what we're doing now, to what the solution to this mess will be one day in the future. It's an interesting conversation that should stir up some emotion if you've been in AppSec or software security, as there really are no docile opinions on this topic (or many others in security, unfortunately). Plug in, listen and enjoy.
- DtSR Episode 215 - NewsCast for October 11th 2016
  11/10/2016, Duration: 58min
  - ‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests
    - https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
    - Is this indicative of the broader population? (Someone check the sample size?)
    - What does this tell us about enterprise vs. consumer security thinking?
    - Is security to blame?
  - Our insulin pumps could be hacked, warns Johnson & Johnson
    - http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/
    - Big hat-tip to Jay Radcliffe ( @jradcliffe02 ) for what appears to be a very well-orchestrated and sane disclosure
    - What is the added cost of proper authentication and secure communication?
    - Let's use this as a teachable moment, minus the typical FUD, for product development teams
  - FBI arrests NSA contractor who stole sensitive data
    - https://www.justice.gov/usao-md/pr/government-contractor-charged-removal-classified-materials-and-theft-government-property
    - Doesn’t ap
- DtSR Episode 214 - Financial Impact of Breaches
  04/10/2016, Duration: 50min
  Grab a cup of coffee, jack in your earphones and listen up. DtSR Episode 214 is addressing the issue of breaches, and their material financial impact to an organization. The premise is simple - when you have a breach, are you going to see a massive stock price drop, client exodus and so on? We sit down with legal expert and DtSR regular Shawn Tuma and researcher Jon Nichols to talk this through with James, Michael and yours truly. Check this episode out. It may sting a bit, but once you come to grips with its reality - the world looks a little different.
- DtSR Episode 213 - NewsCast for September 27th 2016
  27/09/2016, Duration: 51min
  Quick update and invitation from Michael: starting to explore rolling out services and improving the Straight Talk Framework. If you’re up to discuss with me - I’ll offer a brief overview and then a “setup for Straight Talk” review to explore how to get you started. It’s a real offer because I know we’ll both learn. And then I’ll get a better sense of where to focus and how to help more people in our industry.
  Note on Yahoo: we’ll talk to Shawn later
  - How are Healthcare Data Breach Victims Affected by Attacks?
    - It opens with some hype: “Healthcare cybersecurity attacks are much more prevalent and common because the industry typically has weaker approaches to data security, states”
    - What’s to like? Maybe? → someone is working to explore the potential actual harm from breaches
    - This article, however, is just an attack
    - Why it matters? People read this stuff. They reinforce it. Fiction becomes fact because it gets repeated so much
    - http://healthitsecurity.com/news/how-are-healthcare-data-breach-victims-affected-b
- DtSR Episode 212 - Insider Threat Primer
  20/09/2016, Duration: 51min
  In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party. Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning. Listen in, comment and share with your colleagues! Our show is always safe for the office and educational. Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!
- DtSR Episode 211 - NewsCast for Sept 13th 2016
  15/09/2016, Duration: 48min
  - Chrome to label more sites as insecure in 2017
    - Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
    - Focus on sites that transmit passwords or credit card info over HTTP
  - A USB Device is all it takes to steal credentials from locked PCs
    - Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html
    - This is actually pretty interesting, but a little trickier than it sounds
    - Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors
  - DHS chief: 'Very difficult' for hackers to skew vote
    - Link: http://thehill.com/policy/national-security/294956-homeland-head-very-difficult-for-hackers-to-skew-vote
    - Instead of dismissing the claim, let’s explore the merits
    - Then let’s consider what, if anything, it means for enterprise security
    - “It would be very difficult through any sort of cyber intrusion to alter the ballot count, simply because it is so decentralized and so
- DtSR Episode 210 - Data Protection Primer
  07/09/2016, Duration: 51min
  In this episode James and I invite Vlad Klasnja from Optiv's Office of the CISO, and Hudson Harris, Chief Privacy Officer at HarrisLOGIC, to talk about data protection. From defining the concept to providing some insight into how we can actually protect confidential information - we talk through a lot of complex issues in this segment. Join us!
  Guests:
  - Hudson Harris - Chief Privacy Officer at HarrisLOGIC
  - Vlad Klasnja - Data Protection and Privacy Manager at Optiv
- DtSR Episode 209 - NewsCast for August 29th 2016
  30/08/2016, Duration: 59min
  NewsCast for Tuesday August 30th, 2016
  - Clinic Won’t pay breach protection for victims
    - http://www.zdnet.com/article/clinic-wont-pay-breach-protection-for-victims-ceo-says-it-would-be-death-of-company/
    - Are companies required to pay for credit protection? It is common, but is it required?
    - Can a class action suit succeed to force it? Will that matter if they just declare bankruptcy?
    - If not.. What is the purpose of filing the suit?
  - California Bill would add security standards to data breach law
    - https://bol.bna.com/california-bill-would-add-security-standards-to-data-breach-law/
    - But what is reasonable… it can’t just be what a reasonable company would implement.
    - Bill Text - https://legiscan.com/CA/text/AB83/2015
    - Is this going too far? Is it too broad? Is it enforceable?
  - St. Jude stock shorted on heart device hacking fears
    - http://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV
    - We were trying to build a relationship between testers and organizations.. This is a step backwards for building that trus
- DtSR Episode 208 - Beyond the Ransomware Economy
  23/08/2016, Duration: 41min
  This week Michael and I chat with Jamison Utter of Infoblox on one of the more interesting topics at hand - the economy of ransomware. We talk through the sudden popularity of the attack vector, the way the underground "criminal enterprise" has scaled and grown, and the future of being a bad guy. If you have occasion to talk to your organization's leadership on the ransomware epidemic, you need to listen to this podcast first.