Down The Security Rabbithole
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 398:36:06
Information:
Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise. Read the blog > http://hp.com/go/white-rabbit Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
- DtSR Episode 207 - NewsCast for August 16th 2016
18/08/2016 Duration: 47min. Quick note from Michael about the Straight Talk Framework & Program -- > Get your free copy at https://securitycatalyst.com/straight-talk-framework/ Launched a new program last week… boy, did I learn a lot. Mostly, it’s my failure to explain. I’m going to chronicle some of the lessons over the next few days and share them. If you’ve already downloaded the questions - I’d love to chat with you about your experience… If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit. Until Monday, August 22nd, chance to get on board early and benefit yourself; I’ve got a lot to share this week and into the future. We’re at the start of something big! Microsoft Accidentally Leaks 'Golden Keys' That Unlock Secure Boot-Protected Windows Devices: Oops? http://www.techtimes.com/articles/173282/20160811/microsoft-accidentally-leaks-golden-keys-that-unlock-secure-boot-protected-windows-devices-oops.htm Bottom line: backdoors are always discovered, compromised Another tak
- DtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and Security
10/08/2016 Duration: 01h01min. In this episode we chat with Steve Christey Coley, currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us: Steve on Twitter: @SushiDude Hashtag for the show: #DtSR Steve's Bio (from LinkedIn - https://www.linkedin.com/in/steve-christey-coley-66aa1826): Editor / Technical Lead for the Common Vulnerabilities and Exposures (CVE) project; Technical Lead for the Common Weakness Enumeration (CWE); co-author of the "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002; participant in Common Vulnerability Scoring System (CVSS) and NIST's Static Analysis Tool Exposition (SATE). My primary interests include secure software develo
- DtSR Episode 205 - NewsCast for August 2nd 2016
06/08/2016 Duration: 42min. Quick note from Michael about the Straight Talk Framework -- > I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way! To support both the framework and the programs, I’ve just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video. I’m about to launch an online offering… stay tuned for details. $2.7 Million HIPAA Penalty For Two Smaller Breaches http://www.healthcareinfosecurity.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270?rf=2016-07-18-eh&mkt_tok=eyJpIjoiWW1GaE5ERmtNR05oTldRMiIsInQiOiJ5YWd6dDg4cW84TXVCR0NCVkJ0KytQTnVwOHQ2UHBON0FMeWVZRDVleE82d3Zpdyt2S1RwNWFmZEs0aVRyQ3lMTlk3YWdaa0VmbnV4djVIOVVxczFUYkdsTHBKRGpld3h5bXU3aHRoNnhUaz0ifQ%3D%3D Interesting the info about the use of Google and lack of contract. How many other health companies are using Google or Microsoft to store some data? Do they have the contracts in place? Is the GO
- DtSR Episode 204 - On Changing Culture
26/07/2016 Duration: 44min. This week, Chris Romeo joins Michael, James and I to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term. Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012. Chris has twenty years of experience in security, holding positions in application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP cer
- DtSR Episode 203 - NewsCast for July 19th 2016
19/07/2016 Duration: 52min. Ransomware that's 100% pure JavaScript? Sort of... Slightly misleading article. Generally a Windows-based attack (go where the users are) https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/ Researchers have come up with a 'cure' for ransomware. Based on some interesting things like file-type changes, similarity measurements and entropy. Interesting but not perfect ... do we even think perfect is reachable? Average of 10 files before an identification was made http://www.scmagazineuk.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509147/ The government has officially issued a 'fact sheet' on ransomware. Yes, it's a reportable breach. Lots of interesting misconceptions (or half-truths) in this guidance. Good for them for asking us to 'do better' but it's not enough. Go read for yourself! http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf Pokemon Go! - a neat idea with big issues potentially. First there are the pri
- DtSR Episode 202 - Outsourced but Better
12/07/2016 Duration: 45min. This week on the Down the Security Rabbithole podcast, Brandon Dunlap is back for his second show. Following up on Episode 158 where we discussed outsourced security, this time around we talk through the next iteration of what "Managed Security" and outsourcing means to security. You're not going to want to miss this episode! As always, hit up our hashtag on Twitter at #DtSR and you can find Brandon on Twitter as well at @bsdunlap if you want to talk to him directly.
- DtSR Episode 200 - Privacy, Security, Risk and Law Collide
28/06/2016 Duration: 01h10min. ** Our 200th numbered episode! ** A note from Raf: Thanks to everyone who has been listening to us, tweeting us, and sharing the links to our podcast. We are absolutely floored with the support and listenership we've received. The average show now gets just under 2,500 downloads when released in the first week, and that number goes up every week. So from the bottom of my heart, I humbly thank you and hope you'll continue to listen, share, and comment. This week's episode is titled "Privacy, Security, Risk and Law Collide" as we host Dr. Chris Pierson and our recurring legal eagle from the great state of Texas, Shawn Tuma. If you don't have Shawn added on Twitter, you should go follow him right now. In this week's episode we discuss the increasingly overlapping world of what was once "IT security" which has now started coming together with privacy, risk and law. Chris is uniquely poised to talk on the subject, as you will hear his credentials speak for themselves. You'll want to get comfortable, pay attenti
- DtSR Episode 199 - NewsCast for June 21st 2016
21/06/2016 Duration: 51min. In this episode.. The "Nuclear Bomb" analogy isn't working, stop using it http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179 This is important with respect to how security people talk to real-life issues. Here is another example: http://insight.kellogg.northwestern.edu/article/is-reading-someones-emails-like-entering-their-home/ iOS apps will require secure https connections by 2017 http://www.cnet.com/news/ios-apps-will-require-secure-https-connections-by-2017/ We have seen this push on the web before. Michael wrote about this topic back in March 2015 (https://www.developsec.com/2015/03/17/is-http-being-left-behind-for-https/) Saw the government push this for all public facing websites (https://https.cio.gov/) Inside Sierra: How apple watch “auto unlock” will let you jump straight into MacOS http://appleinsider.com/articles/16/06/16/inside-sierra-how-apple-watch-auto-unlock-will-let-you-jump-straight-into-macos Interesting idea here.. Thoughts? FICO to Offer
- DtSR Episode 198 - What Legal Counsel Wishes CISOs Knew
14/06/2016 Duration: 48min. On this episode of the Down the Security Rabbithole podcast, Dawn-Marie Hutchinson, currently an Executive Director within the Optiv Office of the CISO, joins us and we talk about the things that she's learned over her career working with legal counsel, CISOs and solving problems. A fantastic episode with lessons learned, and executive leadership crammed into less than an hour. Give it a listen! Find Rie on Twitter at @CISO_Advantage UPDATE: Thanks to Sean Jackson (@74rku5) who has hand-transcribed the show. I haven't read this, personally, so if he slipped any humor in I can't be held accountable! http://pastebin.com/JMk0rpFQ
- DtSR Episode 197 - NewsCast for June 7th 2016
07/06/2016 Duration: 48min. In this episode... Are people "going offline" as a result of increasing dangers of the Internet? This article makes the case for yes: http://www.techspot.com/news/64839-increasing-number-internet-dangers-driving-millions-americans-offline.html But ... "millions"? We collectively call BS. As the world moves more to mobile and digital, who thinks they have 'control' of their own data anyway? "Sandjacking" allows attackers to install evil iOS apps IF that attacker is physically holding your device AND your device is unlocked AND it takes a while because you have to backup, and restore a phone ... one app at a time. SO this isn't something you do to infiltrate someone's phone while they walk away for a few minutes to the restroom. Cool trick bro, but where on the spectrum of critical things does this fall? The technique is called "Su-A-Cyder" ... awful name, lose points http://www.securityweek.com/sandjacking-attack-allows-hackers-install-evil-ios-apps Dropbox takes heat for a breach, that wasn't their
- DtSR Episode 196 - Jason Witty
31/05/2016 Duration: 43min. On this episode of the Down the Security Rabbithole podcast, I get the pleasure of sitting down with one of my all-time favorite Chief Security Executives, Mr. Jason Witty. He's had a long career of successful security leadership, and in this podcast he sits down with us to talk about risk, threats and words we often confuse. You're not going to want to miss this episode.
- DtSR Episode 195 - NewsCast for May 24th 2016
24/05/2016 Duration: 54min. This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking. Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast! Tennessee Amends Breach Notification Statute http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute Removes the exception for encrypted data. Will this raise the costs to companies? Encrypted or not, will credit monitoring be the norm? More lawsuits (even if the data is encrypted). Do we run the risk of notification overload? What do people do with these notifications anyway? FFIEC’s New Mobile Security Guidance: An Assessment http://www.bankinfosecurity.com/ffiecs-new-mobile-security-guidance-assessment-a-9104 Interesting how they discuss some of the risks (SMS, mobile enabled website) but also talk about ways to mitigate the risk. Software “glitch” kills Formula1 car mid-race. Does no
- DtSR Episode 194 - Update on Cyberlaw w Shawn Tuma
17/05/2016 Duration: 46min. In this episode... Michael and I welcome back Shawn Tuma, our resident Cyber Law Expert from the great state of Texas. We discuss some of the recent cases (unlocking an iPhone!) and some of the tough issues facing the court systems today. Shawn provides insights into the use of the finger (not joking) and some amusing and frustrating aspects of cyber law as the courts continue to evolve. Join us!
- DtSR Episode 193 - NewsCast for May 10th, 2016
10/05/2016 Duration: 57min. In this episode.. ImageTragick - major flaw in open source image processing toolkit. ImageTragick is CVE-2016-3714. Logo & Website: https://imagetragick.com Has a logo, so it must be yuge. Is this really that big of a deal? How many are impacted potentially? https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html Remote code execution, with minor caveats - likely darn near everywhere. Detroit company loses $495k to wire fraud. Source was a faked email to make a wire transfer. Why didn’t someone verify this?! http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/ Will insurance pay out? Is the policy change too little too late? How can other companies learn from this? The Ransomware Epidemic (Optiv blog) Is there an epidemic at play here? Why the switch to ransoming people’s data? Is this a viable business model for cyber criminals? https://www.optiv.com/blog/ransomware-part-1-is-this-an-epidemic Undetectable flaw i
- DtSR Episode 192 - Healthcare and Critical Infrastructure Security
04/05/2016 Duration: 45min. In this episode... Join our guest Larry Whiteside, Michael and I as we record live from InfoSec World 2016 in sunny Orlando, Florida! We talk through the life of a CISO, and the challenges of being in the Healthcare and Critical Infrastructure spaces and the similarities and differences. Larry has had a very diverse and successful career leading some of the most challenging organizations, so we dig into some of the things he's faced, how he's addressed some of those bigger leadership-level challenges, and just the mess that healthcare and critical infrastructure are in right now. Don't miss this episode! Guest Larry Whiteside Jr. ( @LarryWhiteside ) - Larry is the VP of Healthcare and Critical Infrastructure at Optiv, and he's tasked with creating innovative solutions to some of the industry's most challenging problems. More info here: https://www.optiv.com/about-us/press-releases/optiv-security-increases-focus-on-holistic-cyber-security-solutions-for-healthcare-and-critical-infrastructure-industries No
- DtSR Episode 191 - NewsCast for April 26th 2016
26/04/2016 Duration: 35min. In this episode... Only about a third of companies know how many vendors access their systems. Nearly every company is at risk for a third party breach. It's almost impossible to vet every third party; developing a strategy and being consistent, scaling is key http://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html No firewall, second-hand $10 routers are to blame for Bangladesh bank heist. We talked about this initially in episode 185 (Link: DtSR Episode 185 - NewsCast for March 15th 2016). It's almost unfathomable that this happened. SWIFT attacked, now the suspected malware is identified. Jim McKelvey's Launchcode is helping unconventional tech talent; internal mentorships could be the key. Who out there is doing this? Talk back to us using hashtag #DtSR on Twitter. The Simpsons' math secret is the key to better security ... ? http://www.csoonline.com/article/3054566/leadership-management/the-simpsons-math-secret-is-the-key-to-bet
- DtSR Episode 190 - Interview with Lance James
20/04/2016 Duration: 44min. In this episode, James, Michael and I are live from InfoSec World 2016 and we get the pleasure of interviewing Lance James fresh off the keynote stage. In this intimate, fast-paced and bold interview we talk through some of the challenges InfoSec is facing today, and where Lance believes we should be going. If you haven't been to InfoSec World, we highly recommend going next year. The content team continues to provide a solid mix of technical, managerial and transitioning information security speakers. Make sure you have this one on your calendar for next year, and bring the family!
- DtSR Episode 189 - NewsCast for April 12th 2016
12/04/2016 Duration: 50min. In this episode... Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects. Plug-ins seem to be a universal weakness. Many companies have this type of 3rd party security issue. The broader enterprise implications - how do you find these sites? http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/ WordPress pushes free https encryption for all hosted sites. What's the problem we're trying to solve? 2 separate issues, trust vs. authentication - know which you're solving http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites If you can't break crypto, break the client. Bishop Fox researcher finds webkit bug in iMessage. JavaScript in iMessage, sure, why not. Same-Origin-Policy (SOP) not enforced since it's a desktop app http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/ Executives - "We're not responsible for cyber security" Raf: This is sq
- DtSR Episode 188 - Security Talent Truths
05/04/2016 Duration: 48min. Intro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos
- DtSR Episode 187 - NewsCast for March 29th, 2016
29/03/2016 Duration: 40min. In this episode... BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there. Is the bug really worth all this hype? Is this anything more than a PR stunt, and a big marketing opportunity? Everyone has an opinion, but one thing is for certain, this bug is making big waves http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/ Your wireless mouse is probably a security risk... seriously. RF-based mice typically don't use encryption or mutual authentication. Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think). How far up, or down, your risk register is this one; and how much should it matter to enterprise? http://www.thefiscaltimes.com/2016/03/23/Your-Wireless-Mouse-May-Be-Exposing-You-Cyber-Hackers Your Node.js package manager could be an entry point for worms? Now that everything has functionality over our endpoints... Dependencies seem to be (at least partially) to blame here (who's surpri