Down The Security Rabbithole
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 398:36:06
Information:
Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
- DtR Episode 72 - Applied Threat Research and Defense
  23/12/2013 Duration: 47min
  In this episode:
  - Will gives us a lay of the land on the state of "state sponsored" and advanced threats
  - We discuss collective advances in malware
  - We discuss the persistence of 'old' malware, and code re-use
  - We discuss enterprise defense and strategy
  - Will gives us some wisdom from his experience in helping clients defend themselves
  Guest: Will Gragido ( @wgragido ) - Will is currently a senior manager in the Threat Research Intelligence organization at RSA NetWitness. Will is an information security and risk management professional with over 18 years' professional industry experience; Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. You can get more information on Will on his LinkedIn page.
- DtR Episode 71 - The 2013 Year in Review
  16/12/2013 Duration: 01h28min
  Hello! This is a special episode in that it's our year-end wrap-up. We bring together 3 of the industry's best to talk about the year that was, the things that were on your mind, and maybe give us a hint at what is to come...
  Guests:
  - Will Gragido ( @wgragido ) - Will is the Sr. Manager of Threat Research Intelligence for RSA NetWitness and a lightweight with the cold medicine.
  - John Pirc ( @jopirc ) - John is the Vice President of Research at NSS Labs, with very strong hair.
  - David Marcus ( @DaveMarcus ) - David is the Director and Chief Architect of the Federal Advanced Program Group at McAfee and a kettle bell monster!
  Notably absent, but invited, were Dave Lewis ("fell asleep") and Dave Kennedy ("was on an airplane") ...apparently because I thought it would be fun to invite every Dave I know....... but seriously next time guys :) James and I would like to wish all our listeners a very merry holiday season, and a happy, healthy and prosperous 2014.
- DtR Episode 70 - Embedded Systems Shenanigans
  09/12/2013 Duration: 51min
  Folks, if you work with, design, or implement embedded systems this is one episode you don't want to miss. Fair warning, it's a little bit long at just over 50 minutes total. I hope you find the extra time worth the effort of listening, I know we sure did!
  In this episode:
  - The quirky things that Josh's organization gets to work on and deconstruct
  - The methodology of breaking foreign things
  - Android and why it's "horribly interesting" beyond just the OS everyone sees
  - Hacking Android at the very, very, very basic hardware interface(s)
  - Copy/Paste software development and its pitfalls
  - Embedded devices as pivot points for intrusion
  - The importance of embedded systems, and why no one is writing secure code (still)
  Guest: Josh Thomas ( @m0nk_dot ) - Chief Breaking Officer for Atredis, security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware / software barrier and rarely have a UI. m0nk has spent the last year or two dig
- DtR Episode 69 - NewsCast for December 2nd, 2013
  02/12/2013 Duration: 34min
  Special thanks to Steve Ragan ( @SteveD3 ) for sitting in this morning and providing his perspective as a journalist.
  Topics covered:
  - "Leaked" FBI memo to government agencies says "there's a hacking spree on government websites, and it's Anonymous!" (we have to chuckle, a little) - http://www.theregister.co.uk/2013/11/18/anon_us_gov_hack_warning/ , http://www.thewire.com/national/2013/11/fbi-anonymous-hackers-stole-over-100000-employees-information/71675/
  - Fokirtor is a very interesting new piece of malware that targeted Linux systems, but by slipping into SSH comms - http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/ (and a related piece of malware - http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices )
  - The Healthcare.gov website is a case study in how not to release a web app, or complex system; and it's not even a partisan issue anymore - http://arstechnica.com/security/2013/11/healthcare-gov-targeted-by-more-than-a-dozen-hacking-attempts/
  - Ahead of the G20 meeting to b
- DtR Episode 68 - Buffer's Big Hack
  25/11/2013 Duration: 38min
  I want to thank Carolyn Kopprasch and the @BufferApp team for getting back to me, and agreeing to not only join the podcast, but also field questions from "anyone" ...what a cool group of people!
  In this episode:
  - Carolyn gives us some of the insider's perspective on what really happened, when Buffer got hacked
  - Carolyn and I discuss triage methodology, and how Buffer's small team responded
  - In-depth conversation on the communications strategy and implemented plan to be totally transparent
  - We discuss that point where it's time to "shut it down" and the need to have the ability and information to make the decision Buffer's team did when they shut down the service temporarily
  - Carolyn talks about some of the non-typical ways that her team detects potential security issues
  - Carolyn dispenses some solid advice for anyone in a small shop that may be operating ultra-lean
  - Finally, Carolyn and I talk about software security and what role it (or the lack thereof) played in the Buffer incident
  Guest: Carolyn Kopprasch ( @Ca
- DtR Episode 67 - NewsCast for November 18th, 2013
  18/11/2013 Duration: 29min
  I'm back! Maybe a little sleep-deprived and a tad grumpier than usual, but back to talk news!
  Topics covered:
  - Microsoft unveils the new Digital Crime Unit, and it is quite the statement - http://www.darkreading.com/attacks-breaches/microsoft-unveils-state-of-the-art-cyber/240163924 , http://www.microsoft.com/en-us/news/presskits/dcu/
  - CME Group hacked, claims platform and trades unaffected ...let's hope so - http://www.businessweek.com/news/2013-11-15/cme-group-says-its-computers-were-hacked-no-trades-affected
  - Jeremy Hammond, Chicago's very own romanticized criminal - http://www.nbcnews.com/technology/hacker-tied-anonymous-gets-10-years-prison-cyberattacks-2D11603760
  - The FBI says there's a "hacking spree" on government websites by Anonymous hackers. You don't say ... - http://arstechnica.com/security/2013/11/fbi-warns-hacking-spree-on-government-agencies-is-a-widespread-problem/
  - There's an apparent zero-day in vBulletin, and it's serious enough that Def-Con's forums were taken down pro-actively ... - http://www.
- DtR Episode 66 - ISSA International 2013 - Cowperthwaite Weighs In
  11/11/2013 Duration: 36min
  In this episode...
  - We revisit some of the topics Eric & I talked about nearly 2 years ago at ISSA International, Baltimore.
  - Eric discusses the paradigm shift that needs to happen in security
  - We talk about shifting resources (in the defensive) from "everything" to something more reasonable
  - Eric and I discuss how CISOs must re-allocate resources to survive in a post-breach reality
  Guest: Eric Cowperthwaite ( @e_cowperthwaite ) - Vice President, Advanced Security and Strategy at CORE Security, a Boston-based security vendor. CORE is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company's innovative security research center. Eric was formerly the
- DtR Episode 65 - NewsCast for November 4th, 2013
  06/11/2013 Duration: 21min
  Hey all - Raf here and I wanted to thank James for flying solo as my wife and I celebrate the birth of Niccolai and Isabella, our new twins! I'll be back in our next episode...
  Topics covered:
  - The buzz over calling yourself a 'hacker' - http://www.theguardian.com/technology/2013/oct/24/hacker-computer-seized-us-open-source (Raf's note - I personally think the way this has been spun is largely to gain clicks/readers; it was very well analyzed here - http://theprez98.blogspot.com/2013/10/omg-call-yourself-hacker-lose-your-4th.html )
  - A follow-up on Dick Cheney's pacemaker paranoia - http://www.dotmed.com/news/story/22298
  - Big name limo service hacked, discloses info on big-name clients - http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
  - Look out, hackers may be targeting SAP users - http://www.computerworld.com/s/article/9243727/New_malware_variant_suggests_cybercriminals_targeting_SAP_users?taxonomyId=17
  - Java patching lagging, attackers exploiting, story at 11 - https://www.securityweek
- DtR Episode 64 - A US Attorney's Perspective on Cybercrime
  28/10/2013 Duration: 49min
  Special thank you to the US District Attorney's office for the Southern District of California for a fantastic interview and for letting us pick Sabrina's mind for the podcast...
  In this episode...
  - Hackers, carders, and the disturbing trend of them pairing up with the traditional mafia
  - The challenge of VPSes in cyber-crime
  - Evangelizing the truths about cyber-crime to businesses, average person
  - An insight into the way that 'bad guys' specialize in the criminal underground
  - An insight into (bottom-up) investigative models available to law enforcement, as it pertains to hackers
  - Are cyber criminals fleeing or hacking from non-extradition countries?
  - The delicate dance of involving the government in a hacking or breach case
  - Seeking the white whale - an organization that hasn't been breached (yet)
  - 3rd party data sharing and your privacy - do you have any left?
  Guest: Sabrina Feve - Sabrina is an Assistant US Attorney (AUSA) for the Southern District of California, specializing in hacking and cybercrime cases.
- DtR FeatureCast - Rt Hon Baroness Neville-Jones on CyberSecurity
  26/10/2013 Duration: 28min
  In this episode:
  - We get a peek into the first member of English Royalty that we've ever had on the podcast
  - Baroness Neville-Jones discusses the difficulties in cybersecurity at the government level
  - We discuss the challenges of policy, compliance and implementing real-life security
  - The Baroness discusses her efforts to raise both the awareness and collective security of business
  - The Baroness discusses a bit about critical infrastructure protection
  - I ask the uncomfortable question in the wake of the Snowden disclosures - privacy vs. security...
  Guest: Rt Hon Baroness Neville-Jones - Baroness Neville-Jones is a long-time political figure in the UK Parliament, House of Lords. She recently retired from public service and now focuses on the public-private partnership for cybersecurity in the UK. She has an amazing history and rather than try to summarize it here, I simply point you to her biography page at http://www.conservatives.com/People/Peers/Neville-Jones_Pauline.aspx
- DtR Episode 63 - NewsCast for October 21st, 2013
  21/10/2013 Duration: 44min
  Thanks to Josh Corman for joining us this morning ... always nice to have Josh's experience and brain power on the show.
  Topics covered:
  - Gargantuan Oracle CPU (Critical Patch Update) including -51- Java security fixes! - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
  - Huawei calling for "independent cybersecurity assurance lab" framework, an interesting but difficult thing - http://www.informationweek.com/security/application-security/huawei-proposes-independent-cybersecurit/240162840
  - Dick Cheney, fearing an assassination attempt, had wireless pacemaker removed in 2007 - http://www.theguardian.com/world/2013/oct/19/dick-cheney-heart-assassination-fear
  - Chesapeake hospice suffers breach, but there's a lesson in the tragedy - http://www.hispanicbusiness.com/2013/10/19/hospice_of_chesapeake_shut_down_computer.htm
  - NPI research shows companies will overpay $10.1 billion for IT security solutions in 2013, worse in 2014 - http://www.prweb.com/releases/2013/10/prweb11239951.htm
  - Minor Verizon
- DtR Episode 62 - A Peek Behind the Blue Curtain
  14/10/2013 Duration: 44min
  In this episode...
  - James and I host legitimate Polynesian royalty (a princess....) really!
  - Katie gives us the skinny on Microsoft's 10 year progression to get to a bug bounty program
  - We discuss the merits of bug bounties and execution in a very large enterprise
  - Katie gives us as many details as she can about the recent $100,000 payout
  - Much... much ... more!
  Guest: Katie Moussouris ( @k8em0 ) - Katie runs the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team to help drive crucial elements of our security community strategy effort. She is a Senior Security Strategist Lead, and let's not sell her short - she is royalty! She created and drove the first ever Microsoft security bounty programs (www.microsoft.com/bountyprograms), which received 18 vulnerabilities and a new attack technique that will help Microsoft build stronger defenses that will protect the entire platform from this new class of attack. She serves as lead subject matter exper
- DtR Episode 61 - NewsCast for October 7th, 2013
  07/10/2013 Duration: 45min
  Big thanks to the soon-to-be-regular peanut gallery ... @JoeKnape and @BeauWoods for jumping in this morning and breaking it down with James and I. As a personal message to those of you who listen and our community - please ...remember we all live in a giant glass house, and throwing rocks is a bad, bad idea. I've said it before and I'm looking right at the media for this one (ahem...) - unless you've been in a high-stress environment and have successfully thwarted every attack, please don't go trying to personally attack those out there who work hard at it every day. It just makes you look like an idiot. Nobody wins when we name and shame and attack people personally. Remember that when it's your turn to stand in the spotlight.
  Topics covered:
  - Adobe got popped. Bad. ~2.9 users' information, encrypted credit card details, source code. The only thing worse than this story is the kind of media trolls it brought out... - http://www.computerworld.com/s/article/9242963/Hackers_steal_data_on_2.9_million_Adobe_custo
- DtR Episode 60 - Conversations from DerbyCon 3
  30/09/2013 Duration: 43min
  In this episode...
  - Dave Kennedy wraps up DerbyCon 2013, and gives us the statistic you don't want to tell your management
  - Dave announces the top secret guest for DerbyCon 4
  - Chris & Gabe discuss risk modeling using REAL automated tools
  - Gabe introduces us to his concept of using a 'big data' approach to risk modeling
  - We discuss risks, network segmentation, and other things you're doing wrong
  Guests:
  - Dave Kennedy ( @Dave_Rel1k ) - Dave Kennedy is the founder of TrustedSec, and the brain behind DerbyCon.
  - Chris G ( @SecbitChris ) - Chris is one of the brains behind the SecuraBit podcast
  - Gabe B ( @gdbassett ) - Gabe is an industry expert
- DtR Episode 58 - NewsCast for September 23rd, 2013
  23/09/2013 Duration: 41min
  I want to thank Mr. Josh Corman ( @JoshCorman ) for guest-commentating today's episode, and lending his expertise and industry leadership point of view.
  Topics covered:
  - UK's GCHQ has been using Prism (courtesy of the NSA) to spy on you ... the revelation continues - http://www.telegraph.co.uk/news/uknews/law-and-order/10106507/GCHQ-has-been-accessing-intelligence-through-internet-firms.html
  - Wisconsin trucker vs. Koch Industries, just what is a "direct loss"? - http://www.kfdi.com/news/local/Wisconsin-man-pleads-guilty-in-cyber-attack-on-Koch-Industries-223365221.html
  - iPhone, fingerprint reader, #IsTouchIDHacked - http://www.forbes.com/sites/markrogowsky/2013/09/22/iphone-fingerprint-scanner-hacked-should-you-care/
  - Can the FTC (and other government entities) go after companies who fail to do reasonable security? (also, what does that mean?) - http://www.computerworld.com/s/article/9242531/FTC_lacks_data_breach_authority_says_accused_medical_lab?taxonomyId=17&pageNumber=2
  - The gang that popped Bit9 is at it
- DtR FeatureCast - HP Protect 2013 - Episode 3
  18/09/2013 Duration: 29min
  For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website. I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
  Episode 3 - Vikas Bhatia (CEO of Kalki Consulting) and Anton Goncharov (Managing Principal of MetaNet, LLC) - In this discussion, we just barely scratched the surface on the challenges SMEs face with integrating security into business processes and developing security solutions on a shoestring. This discu
- DtR FeatureCast - HP Protect 2013 - Episode 2
  18/09/2013 Duration: 23min
  For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website. I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
  Episode 2 - Wasif Shakeel, Program Director Information Security, General Dynamics - Wasif and I discovered that we have entirely too much in common, and talked about the need for a sane, process and measurement approach to security and handling the "needle in a haystack" problem many Security Operations
- DtR FeatureCast - HP Protect 2013 - Episode 1
  18/09/2013 Duration: 20min
  For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website. I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
  Episode 1 - Ian Beckford, Senior Product Manager, TELUS Security Solutions - Ian and I had a lively discussion around the service-provider use of the analytics and network security devices (currently ArcSight and TippingPoint) to provide customers with security solutions which benefit them, while remaini
- DtR Episode 58 - Of BSides and Bettering Infosec
  16/09/2013 Duration: 35min
  In this episode...
  - Mike explains once and for all how the BSides namesake came to be
  - We talk about how the industry has evolved over the last 10+ years
  - Mike dispenses a little of his philosophy on how to better the industry
  - We talk burnout and why it exists, and possibly how to get through it
  Guest: Mike Dahn ( @MikD ) - Mike Dahn is one of the original co-founders of the Security BSides conference many of you have attended, spoken at, or heard of. In addition to that, Michael Dahn is an information security and organizational design strategist responsible for the management of data strategies, project engagements, and cost modeling. With over 12 years of information security experience, Mr. Dahn has managed teams of 50 people and budgets of up to $30m annually for Fortune 500 companies. Today he focuses on leading mobile security strategies and industry relations. He is an industry leader in regulatory compliance issues who previously worked for Visa, Pricewaterhouse Coopers, and Verizon Business, created P
- DtR FeatureCast - HTCIA International 2013
  13/09/2013 Duration: 44min
  Today I had the pleasure of sitting down with one old friend, and one new. As a speaker at the HTCIA International conference, and the CISO Summit - I had the opportunity to gain some valuable insight, meet lots of excellent leaders, and forge some new relationships. As a wonderful side-effect I had the pleasure of sitting down with Mike Murray of Mad Security, and Vince Skinner, an attendee of the conference and security leader of his enterprise. We talked about a range of topics from the history of the information security industry, to our experiences and the current lack of direction and strategy in much of the enterprise space. We also discussed some topics that dated us quite a bit ...so don't judge!
  Guests:
  - Mike Murray ( @MMurray ) - Mike is the co-founder of Mad Security, an industry veteran and mentor, and an all-around fantastic friend.
  - Vince Skinner ( @SkinnerVince ) - Vince is the Information Security and Business Continuity Manager, AVP of D.A. Davidson & Co.