Rafal Los (Wh1t3Rabbit)
Shows
Down the Security Rabbithole
DtSR Episode 253 - Defending the Small-to-Medium Enterprise
On this podcast James and I welcome Shon Gerber as we talk through a pair of current events and the topic of the day.
Blue Cross Blue Shield of Alabama sends out USB sticks
  - Security elitists up in arms
  - We've taught people to be suspicious: don't click, don't open docs, and don't use USB. So how do we get our clients' content?
  - To my fellow security professionals: it's reckless to continue to stand with a firm "no" while offering no alternatives
  - So what do we suggest? More important, what threat model vector ar...
2017-07-18
52 min
Down the Security Rabbithole
DtSR Episode 252 - DFIR with Lesley Carhart
In this smasher of an episode James and I are joined by Lesley Carhart live from Enfuse Conference in Las Vegas to talk about the DFIR (Digital Forensics and Incident Response) as a broad field. There is SO much to talk about here, you'll want to listen twice. Make sure that if you missed Enfuse this past year, you don't miss 2018. It's a great conference where you get to meet and talk with folks like Lesley and many others in this field.
2017-07-11
51 min
Down the Security Rabbithole
DtSR Episode 251 - General Data Protection Regulation (GDPR)
This week on Down the Security Rabbithole Episode 251 (wow, can you believe we've published 251 full episodes?!) James and I host a roundtable of privacy and data protection experts and talk about the looming EU regulation known affectionately as GDPR. The General Data Protection Regulation (GDPR for short) impacts all companies that either do business with EU citizens or operate in the EU. Basically, everyone. It's a huge deal and there really isn't a "wait and see" option. Listen in, and if you have feedback provide it! Does anyone really read these sho...
2017-06-27
50 min
Down the Security Rabbithole
DtSR Episode 250 - Deconstructing the Internet of Things
Fresh off of his closing keynote at Enfuse Conference 2017 in Las Vegas, Dr. Timothy Chou joins us to talk about the difference between the Internet of People and the Internet of Things. Even though many people talk about the IoT we still fail to understand the gravity and enormity of the problem we face and how far behind the 8-ball information security professionals are here. Dr. Chou spent some time with us to dispense wisdom interlaced with humor to make it stick. Guest: Dr Timothy Chou is a technologist, a lecturer, a...
2017-06-20
56 min
Down the Security Rabbithole
DtSR Episode 249 - Finding a Way
This week, James and I try out a new format for the show. We hope you enjoy the blend of news commentary and an interview.
News
More car vulnerabilities - this time in a Subaru
  - No stunt hacking involved
  - A repeat vulnerability means there's potentially a bigger SDLC issue
  - Responsibly disclosed, fixed ... if a tree falls...
  Link: http://www.bankinfosecurity.com/exclusive-vulnerabilities-could-unlock-brand-new-subarus-a-9970
The 5th Amendment and your phone passcode
  - This issue is sticky
  - Passcodes, fingerprints, etc. all need consistent law
  - We need a lawyer
  Link: http://thehackernews.com/2017/06/unlock-iphone-passcode.html
Guest Kevin...
2017-06-13
51 min
Down the Security Rabbithole
DtSR Episode 248 - Nick Hyatt On Ransomware
This podcast episode was recorded live to tape from Enfuse Conference 2017 in Las Vegas. If you didn't get a chance to get out this year to one of the premier DFIR (Digital Forensics and Incident Response) conferences, you missed a heck of an event. James and I want to thank Guidance Software for the invitation, for having us out, and for access to some truly amazing guests for this series of recordings. For #248 sit back and listen to Nick Hyatt talk with James and Raf about ransomware - fresh from his Enfuse Conference talk to yo...
2017-06-06
51 min
Down the Security Rabbithole
DtSR Episode 247 - Internet of Things Forensics
Live once again from Enfuse Conference 2017 in Las Vegas, James and I interview Amber Schroader, the President and CEO of Paraben. This interview happened because you all voted and asked for it..ok and because she's a fantastic person to interview. Be prepared for a little humor and a lot of knowledge. Special thanks again to Enfuse and the Guidance Software team for having us out and getting us access to some downright amazing guests!
2017-05-30
45 min
Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - Theresa Payton
As James and I continue to publish our Enfuse Conference 2017 series of episodes we are this week joined by Theresa Payton. Theresa is the former CIO of the George W. Bush White House Administration, and now on the show Hunted where she runs a team of cyber trackers. Guest: Theresa Payton ( @TrackerPayton) - Theresa Payton is one of the nation’s leading experts in cybersecurity and IT strategy. As CEO of Fortalice Solutions, an industry-leading security consulting company, and co-founder of Dark Cubed, a cybersecurity product company, Theresa is a proven leader and influencer who wo...
2017-05-26
18 min
Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - DFIR Students
Continuing our series recorded live at Enfuse Conference 2017 in Las Vegas, this episode features two USC students who are part of a large contingent here to learn and make connections. Tatiana and Ayman join us to talk about how they got here, what they are planning for their future, along with some general thoughts on DFIR and our industry! Guests: Tatiana Santos ( @tatitasantita ) Ayman Siraj ( @aymansiraj )
2017-05-25
30 min
Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - Keynote Patrick Dennis
Today, CEO Patrick Dennis joins the Down the Security Rabbithole Podcast right after his keynote to talk about the conference, what's going on at Guidance, and the state of defense. This is a FeatureCast so we get right to the point in an easy-to-listen format. Thanks for listening!
2017-05-24
23 min
Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - Preamble
We kick off a week of on-the-scene podcasts live'ish from Enfuse Conference 2017, hosted by Guidance Software in Las Vegas, Nevada with Lori Chavez VP of Corporate Marketing. She is the brains responsible for the amazing conference including speakers, content and everything else. Lori gives YOU an insider preview of Enfuse 2017, and tells us a little about what we can expect and some history of the conference - and we can't wait to give you MORE! Stay tuned in all week as we bring you more fantastic content from Enfuse Conference 2017. And as always, use the ha...
2017-05-23
18 min
Down the Security Rabbithole
DtSR Episode 246 - Finding and Responding to Badness
This week we are live from Enfuse Conference 2017 in Las Vegas, Nevada. Special thanks to Guidance Software for having us out and getting us access to a whole host of fantastic speakers. On this episode Greg Hoglund and Ryan Butterworth of Outlier Security join us to talk about the DFIR space with all its problems, including a shortage of qualified labor and sub-optimal tools. This fantastic discussion wanders all over the DFIR space including the "data problem" and tools, tools, tools. That tool that Greg mentions, which is free, is right here: http://un...
2017-05-23
46 min
Down the Security Rabbithole
DtSR Episode 245 - NewsCast for May 16th 2017
Microsoft warns ransomware cyber-attack is a wakeup call
  - As of recording, it is reported that 200,000 computers were infected.
  - The patch for the flaw was released in March 2017; Microsoft has since released a patch for older systems
  - Lots to discuss on this, including Microsoft's letter to the NSA
  Link: http://www.bbc.com/news/technology-39915440
  Link: https://www.infosecurity-magazine.com/news/microsoft-xp-patch-wannacry/
  Link: http://www.bbc.com/news/uk-39921479
United flight attendant accidentally leaked door codes online
  - Flight attendant somehow posted the codes online
  - Insider threat?
  - Multiple layers of security needed and additional controls here
  Link: https://www...
2017-05-16
49 min
Down the Security Rabbithole
DtSR Episode 244 - A Government CISOs Perspective
This week - live and in person from Denver, Colorado and the RMISC Conference I interview Stephen E. Coury the CISO of the County and City of Denver. The conversation leads off with Stephen's journey through cloud computing and weaves through some of the challenges municipalities and city governments are facing. It's a fantastic conversation that is readily applied to both public and private organizations - you need to check this out. Thanks Stephen for coming out and talking to us! Guest Stephen E. Coury - CISO of the County and City of...
2017-05-10
45 min
Down the Security Rabbithole
DtSR Episode 243 - NewsCast for May 2nd 2017
Chrome to mark more HTTP pages ‘Not Secure’
  - In October 2017, all HTTP sites will be marked ‘Not Secure’ while in incognito mode.
  - Incognito mode allows surfing the internet without saving your browsing history.
  - Enterprise: Have you seen any negative feedback from the previous changes to show not secure? Does this change your priority for moving to always-HTTPS for all sites?
  Link: https://threatpost.com/chrome-to-mark-more-http-pages-not-secure/125255/
2017 Verizon DBIR Highlights: Analyzing the Latest Breach Data in 10 Years of Incident Trends
  - Oh, the headlines. Slow the roll, folks.
  - Stop the password hate and turn the mirror around
  Le...
2017-05-02
48 min
Down the Security Rabbithole
DtSR Episode 242 - Management and Leadership
This week the team gets together to talk Management and Leadership in the security industry and in general. Our very own Michael Santarcangelo joins us as our featured guest to dispense knowledge on leadership by the truckload. So grab a cup of coffee, something to take notes and listen in.
2017-04-26
49 min
Down the Security Rabbithole
DtSR Episode 241 - NewsCast for April 18th 2017
NewsCast for Tuesday April 18th, 2017
Dallas Tornado Sirens Hijacked
  - Tornado sirens in Dallas all simultaneously went off
  - Suspected hijacking of the emergency system, lots of speculation about how this happened
  - Now believed to be a radio hijack
  Link: http://content.govdelivery.com/bulletins/gd/TXDALLAS-1936de1
Two Inmates in Ohio Jail Hacked it From the Inside
  - Talk about an “insider threat”!
  - These were made from spare parts, hidden in the ceiling, concealed well
  - Unauthorized access to the network (no NAC?) made infiltration possible
  Link: https://qz.com/958503/two-ohio-inmates-hacked-their-prison-from-the-inside-using-makeshift-computers-built-from-spare-parts/
SWIFT Launche...
2017-04-18
46 min
Down the Security Rabbithole
DtSR Episode 240 - The Truth About Machine Learning
This week the Down the Security Rabbithole podcast hosts Sven Krasser of CrowdStrike. Sven is an actual machine learning data science expert (as opposed to an "expert") who has been working in machine learning, artificial intelligence and other forms of advanced computational science for a long while, since before it was popular in security. This week James and Raf sit him down for 45 or so minutes to discuss the real facts and separate them from the fiction of what machine learning really is and the promise that it may hold for the enterprise security world. As always, j...
2017-04-11
53 min
Down the Security Rabbithole
DtSR Episode 239 - NewsCast for April 4th 2017
Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures
  - Most ‘typical’ users simply don’t understand security because it’s “magic” to them
  - Basics must be understood by the average Jane; attackers count on you not knowing
  - How do you take knowledge and push it to the enterprise, while keeping up with consumers?
  Link: http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/
Suspect Charged in USD 100m Whaling Scheme
  - $100 million, from just two companies
  - How would your executives (and their supporting staff) fare against this attack?
  - More importantly, how does your “awareness” program deal with this?
  Link: https://ww...
2017-04-06
59 min
Down the Security Rabbithole
DtSR Episode 238 - March 2017 Update with Shawn Tuma
This week, on the Down the Security Rabbithole Podcast, Michael and I are back with perennial favorite Shawn Tuma. Shawn, our legal eagle friend from Dallas, breaks down the latest issues that affect Cyber Security and the Law - with that business perspective you've come to expect from our podcast. As always, we love hearing from you and if you have questions don't hesitate to hit us up on Twitter using hashtag #DtSR or you can always hit up Michael (@catalyst), myself (@Wh1t3Rabbit) or Shawn (@ShawnETuma) directly! Thanks for listening and spread the w...
2017-03-28
59 min
Down the Security Rabbithole
DtSR Episode 237 - NewsCast for March 21st 2017
The Cost of Cybercrime - Let’s Take a Different Perspective
  - Cybercrime is reported as a $450B drag on the economy; the absolute number sounds big
  - The question to ask: “How big is the global economy?” Turns out that this is only 0.57% of the global economy in 2014 (nominal)
  - By way of contrast: how many minutes are in a day? What is 0.57% of your day?
  - What it means: we’re doing a good job. Fraud is low. Cybercrime might be on the rise, but for now it’s at low relative percentages
  - Does it mean we don’t matter? No...
2017-03-21
49 min
Down the Security Rabbithole
DtSR Episode 236 - Enterprise Architecture 2017
Check out episode 236 with Marie-Michelle Strah, who is a repeat offender here on the podcast with her first appearance back in 2014 on Episode 122 ( http://podcast.wh1t3rabbit.net/dtsr-episode-122-enterprise-architectures-role-in-security ). This episode revisits Enterprise Architecture and its importance to security, with a perspective on the enterprise tech stack, business segmentation and microservices in a modern distributed enterprise. Marie-Michelle's experience and extensive insight into the topic should give you something to think about as you go back to your day job in security. Guest: Marie-Michelle Strah ( @CyberSlate ) - Marie-Michelle Strah. PhD i...
2017-03-14
44 min
Down the Security Rabbithole
DtSR Episode 235 - NewsCast for March 7th 2017
A Note on the Passing of a Legend
  - Howard Schmidt passed away this week
  - Long, distinguished career as one of the CISOs who “got it”
  - He will be missed in government and private industry; he was on our show too (December 2015): http://podcast.wh1t3rabbit.net/dtsr-episode-166-cyber-security-from-board-room-to-white-house
Are SysAdmins Violating the CFAA?
  - This is, by all accounts, an insane criminal defense... or is it?
  - Can what sounds like a logical stretch be used maliciously by employers?
  - The law is about intent; does this invalidate his claim?
  Link: https://nakedsecurity.sophos.com/2017/02/27/it-admin-was-authorized-to-trash-employers-network-he-says/
Y...
2017-03-08
48 min
Down the Security Rabbithole
DtSR Episode 234 - Straight Talk on National Security
This week, the interview is extra special because we have a guest I've personally been following for a long while, and I finally got a chance to virtually sit down and talk through his considerable areas of expertise. I'm pleased to say we had a chance to sit down virtually with Professor Tom Nichols and talk international affairs, foreign policy and all the important things getting lost in the off-color political arguments lately. These are important issues to cyber security professionals that impact our daily lives - but rarely get discussed by someone with actual, credentialed expertise.
2017-03-01
52 min
Down the Security Rabbithole
DtSR Episode 233 - Reflecting on RSA Conference 2017
This week, fresh on the close of RSA Conference 2017 James, Michael and I discuss the happenings of the conference, lessons, and features along with some inside anecdotes you won't get from anywhere else. Of course, we add our own unique blend of snark and humor - but that's what gets you listening and coming back for more. We'd like to say a big thank you to everyone who voted for us in the RSA Social Security (Security Bloggers) Awards. We didn't win, but we feel good about the audience we've acquired and will keep working hard to spre...
2017-02-21
46 min
Down the Security Rabbithole
DtSR Episode 232 - Security, Fraud, Digital Payments
This week, while the security world congregates at RSA Conference 2017 we present to you Neira Jones, discussing digital payments, fraud and the world of security as it applies to this domain. In a fascinating discussion, we discuss many of the topics security executives and leaders are talking about right now - but as you have come to expect this is less about 'security' and more about protecting what matters. We want to thank Neira for taking the time out of her busy schedule to join us on the show, and encourage discussion on the topics we covered...
2017-02-15
58 min
Down the Security Rabbithole
DtSR Episode 231 - NewsCast for February 7th 2017
It is that time of year for W-2 scams
  - There have been multiple reports of companies releasing W-2s through email scams.
  Link: http://cbs4indy.com/2017/01/31/scammer-gets-copy-of-w-2-form-for-every-scottys-brewhouse-employee-after-data-breach/
Cops use pacemaker data to charge homeowner with arson, insurance fraud
  - Becoming a common occurrence with IoT devices.
  - If you are creating these devices, are you considering: storage of the data; privacy policy; education around how data is stored and could be used
  - From an enterprise perspective: How many of these devices are inside your organization? How do any of these tools factor into your ow...
2017-02-08
42 min
Down the Security Rabbithole
DtSR Episode 230 - The IoT You Got for Christmas
On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter (yes, again with this guy) for a discussion on the finer points of Internet of Things (IoT) security ... or complete lack thereof. If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017. Guests: Stephen A. Ridley aka "@S7ephen" Jamison Utter aka "@j...
2017-01-31
1h 00
Down the Security Rabbithole
DtSR Episode 229 - NewsCast for January 24th 2017
Hi friends! We're honored to be finalists for the Security Blogger Awards 2017 "Best Security Podcast" so if you listen, go vote for "Wh1t3Rabbit" (as we're labeled)
Link: https://devops.com/2017-social-security-blogger-awards-open-voting/
Digital transformation forces businesses to rethink cybersecurity
  - A change where operations are being held accountable for security
  - James has commented on this before. In order to get better security, it needs to be embedded in the teams within the organization, not just the security team.
  Link: http://www.cio.com/article/3157478/security/digital-transformation-forces-businesses-to-rethink-cybersecurity.html
Mobile is sti...
2017-01-25
45 min
Down the Security Rabbithole
DtSR Episode 228 - Another Look at Endpoint Security
This week, Paul Hershberger joins us to talk about taking a fresh look at endpoint security for the new year. Paul has some insights into balancing risk/usability and how some of the things you've heard about endpoint may simply be ... wrong. Join James and I as we let Paul endow us with his wisdom and experience... take some notes, this one's going to be good. Guest Paul Hershberger - @pjhersh13 - Director IT Global Security Risk and Compliance at The Mosaic Company.
2017-01-18
51 min
Down the Security Rabbithole
DtSR Episode 227 - NewsCast for January 10th 2017
St. Jude, MedSec and the FDA
  - FDA, St. Jude go through disclosure/fix cycle
  - No mention of MedSec; interesting for discussion; did they have an impact?
  - St. Jude does a fairly great job of notification, updating
  - “Benefits outweigh the risks”... that’s a big statement
  http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
  http://www.businesswire.com/news/home/20170109005921/en/St.-Jude-Medical-Announces-Cybersecurity-Updates
  http://www.medsec.com/entries/stj-lawsuit-response.html
  http://podcast.developsec.com/ep-56-security-contacts
New York financial regulator to delay cyber security rules
  - Originally supposed to go into effect Jan 1.. New date is...
2017-01-12
47 min
Down the Security Rabbithole
DtSR Episode 226 - Targeted Threats Facts From Fiction
Welcome to the first Down the Security Rabbithole Podcast episode of 2017! We would like to kick off this year, and the run to episode 250 with an episode that dissects the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, that's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats. Sit back, grab a coffee and listen. I know you'll want to listen t...
2017-01-03
57 min
Down the Security Rabbithole
DtSR Episode 225 - NewsCast for December 20th 2016
Merry Christmas, Happy New Year everyone! May your holidays be filled with joy, love and family. From Michael, James and myself we wish you the very best and a healthy, prosperous and fulfilling 2017. We will be back in 2017 with another great DtSR Episode... but before we go - here's one last NewsCast for 2016.
Yahoo - setting records again - biggest hack ever
  - It happened again: Yahoo says 1 billion user accounts stolen in what could be the biggest hack ever
  - 1 billion accounts.. But 1 billion users? Probably not
  - It was 2013… does it e...
2016-12-20
44 min
Down the Security Rabbithole
DtSR Episode 224 - Pointing the Finger of Responsibility
On this episode of Down the Security Rabbithole we tackle the question head on. Whose responsibility is security? Is it the end user who should be responsible for patching the devices they own? Is it the vendor who sells the wares? Is it the manufacturer who sells things with security issues? What if it was everyone's problem? How do we police, legislate and ultimately assign blame? Should we be assigning blame, and more importantly what gives with this fascination for blaming the victim? Lots of questions are asked and we start to tackle some of...
2016-12-13
1h 07
Down the Security Rabbithole
DtSR Episode 223 - NewsCast for December 6th 2016
Federal Government Disproves the Myth of Cyber Talent Shortage
  - If the government can find and hire them, they exist
  - What does that mean for the rest of us hiring?
  https://cio.gov/how-to-snag-talent-to-fill-critical-cybersecurity-positions-at-your-agency/
5 Mistakes to Avoid to Hire Qualified Application Security Talent
  - Not understanding current needs
  - Ignoring existing resources
  - Not sharing the workload
  - Not defining the role
  - Overly broad job requirements
  - General idea: We say we need security talent, but we don’t step back to really understand what we actually need given our current status and resources
  https://www.jardinesoftware.com/5-mistakes-to-avoid-to-hire-qualified-application-security-talent/
Obama Cy...
2016-12-06
48 min
Down the Security Rabbithole
DtSR Episode 222 - Zero Trust Security Model
This week, after a long wait, we have John Kindervag on the show! John talks us through the concept of "Zero Trust Security" and where and how it's implemented. It's a concept everyone should be familiar with by now - but I bet you aren't! Join us, and as always provide feedback to the team using the hashtag #DtSR on Twitter, and you can always ping John directly at @Kindervag as well.
2016-11-30
54 min
Down the Security Rabbithole
DtSR Episode 221 - NewsCast for Nov 22 2016
DHS Releases Strategic Principles for Securing the Internet of Things
  https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
  - These seem to be the same principles that we have been saying for all software (web, mobile, etc.)
  - NIST also has a more generic publication, 800-160
  - What is the implication for the enterprise? Do we prioritize anything differently as a result?
  - What about the “need” for IoT legislation? Is the marketplace “broken?”
  - If “we’ve told people before” but “they didn’t listen,” does that actually mean they are wrong?
  This is an ar...
2016-11-22
45 min
Down the Security Rabbithole
DtSR Episode 220 - Blaming the Breach Victim
This week, Patrick Dennis - the CEO of Guidance Software - joins us to talk about the Enterprise Security world's fascination with blaming the breach victim. We talk through some of the key issues and look for a way off the hamster wheel. As always, #DtSR on Twitter to join in our conversation.
2016-11-15
44 min
Down the Security Rabbithole
DtSR Episode 219 - NewsCast for Nov 8th 2016
It is election day.. Have you voted?
Beware, iPhone users: Fake retail apps are surging before the holidays
  - The issue of brand protection and knock-off websites, apps and such is real
  - Spilling over into the digital world from the physical
  - What is your company doing to protect yourself and your customers?
  http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html?_r=0
Moving Beyond EMET
  - EMET is going away … in a while
  - Most of the features are now built into Windows 10
  - This is a great thing (built-in vs bolted-on security)
  https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
Tes...
2016-11-08
47 min
Down the Security Rabbithole
DtSR Episode 218 - The Business of Security
This week on DtSR Chad Boeckmann - President of Secure Digital Solutions - joins us to talk about the business of security. While the "bad guys" are running their criminal enterprise, security teams have struggled to be business-relevant. This discussion starts to dive into how to align security and business goals, answering the "how much is enough?" question and so much more. Thanks to Chad for joining us. We encourage you to ask questions and leave comments here in the comments section or on Twitter at #DtSR. You can talk to Chad directly at @cboeckm on...
2016-11-01
51 min
Down the Security Rabbithole
DtSR Episode 217 - NewsCast for October 25th 2016
The Massive DDoS That Hit Dyn.Org
  - Massive DDoS disrupts a ton of popular websites (Netflix, Twitter, etc)
  - IoT devices used to amplify the attack
  - What does this mean for corporate users, home users, and vendors?
  https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Verizon Reviewing Terms of Yahoo Deal As Revenue Slides
  - Is this really the result of the breach or did someone just get cold feet?
  - We’re speculating, but we’ve heard this type of talk before
  - To be honest, Yahoo! saw a rise in earnings over what was projected
  http://www.wsj.com/articles/verizon-revenue-falls-below-views-1476966420
Passwords - We’re Stil...
2016-10-25
47 min
Down the Security Rabbithole
DtSR Episode 216 - Why Software Insecurity is Still a Thing
This week, #DtSR takes a trip down Software Security lane or as some call it "How are we still writing code with bugs that we found relatively concrete fixes for in the late 90's?" (I may have been watching too many John Oliver episodes...) Jeff Williams ( @Planetlevel ) and Tyler Shields ( @txs ) join me to talk this topic over from where we've been, to what we're doing now, to what the solution to this mess will be one day in the future. It's an interesting conversation that should stir up some emotion if you've been in A...
2016-10-19
46 min
Down the Security Rabbithole
DtSR Episode 215 - NewsCast for October 11th 2016
‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests
  https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
  - Is this indicative of the broader population? (Someone check the sample size?)
  - What does this tell us about enterprise vs. consumer security thinking?
  - Is security to blame?
Our insulin pumps could be hacked, warns Johnson & Johnson
  http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/
  - Big hat-tip to Jay Radcliffe ( @jradcliffe02 ) for what appears to be a very well-orchestrated and sane disclosure
  - What is the added cost of proper authentication and secure communication?
  - Let's use this as a t...
2016-10-11
58 min
Down the Security Rabbithole
DtSR Episode 214 - Financial Impact of Breaches
Grab a cup of coffee, jack in your earphones and listen up. DtSR Episode 214 is addressing the issue of breaches, and their material financial impact to an organization. The premise is simple - when you have a breach, are you going to see massive stock price drop, client exodus and so on? We sit down with legal expert and DtSR regular Shawn Tuma and researcher Jon Nichols to talk this through with James, Michael and yours truly. Check this episode out. It may sting a bit, but once you come to gr...
2016-10-04
50 min
Down the Security Rabbithole
DtSR Episode 213 - NewsCast for September 27th 2016
Quick update and invitation from Michael: starting to explore rolling out services and improving the Straight Talk Framework. If you’re up to discuss with me - I’ll offer a brief overview and then a “setup for Straight Talk” review to explore how to get you started. It’s a real offer because I know we’ll both learn. And then I’ll get a better sense of where to focus and how to help more people in our industry. Note on yahoo: we’ll talk to Shawn later How are Healthcare Data Breach Victim...
2016-09-27
51 min
Down the Security Rabbithole
DtSR Episode 212 - Insider Threat Primer
In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party. Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning. Listen in, comment and share with your...
2016-09-20
51 min
Down the Security Rabbithole
DtSR Episode 211 - NewsCast for Sept 13th 2016
Chrome to label more sites as insecure in 2017
  Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
  - Focus on sites that transmit passwords or credit card info over HTTP
A USB Device is all it takes to steal credentials from locked PCs
  Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html
  - This is actually pretty interesting, but a little trickier than it sounds
  - Still, it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors
DHS chief: 'Very difficult' for hackers to skew vote
  Link: http://thehill.com/policy/natio...
2016-09-15
48 min
Down the Security Rabbithole
DtSR Episode 210 - Data Protection Primer
In this episode James and I invite Vlad Klasnja from Optiv's Office of the CISO, and Hudson Harris, Chief Privacy Officer at HarrisLOGIC, to talk about data protection. From defining the concept to providing some insight into how we can actually protect confidential information - we talk through a lot of complex issues in this segment. Join us! Guests Hudson Harris - Chief Privacy Officer at HarrisLOGIC Vlad Klasnja - Data Protection and Privacy Manager at Optiv
2016-09-07
51 min
Down the Security Rabbithole
DtSR Episode 209 - NewsCast for August 29th 2016
NewsCast for Tuesday August 30th, 2016
Clinic Won’t Pay Breach Protection for Victims
  http://www.zdnet.com/article/clinic-wont-pay-breach-protection-for-victims-ceo-says-it-would-be-death-of-company/
  - Are companies required to pay for credit protection? It is common, but is it required?
  - Can a class action suit succeed to force it? Will that matter if they just declare bankruptcy?
  - If not.. What is the purpose of filing the suit?
California Bill would add security standards to data breach law
  https://bol.bna.com/california-bill-would-add-security-standards-to-data-breach-law/
  - But what is reasonable… it can’t just be what a reasonable company would implement.
  Bill Text - h...
2016-08-30
59 min
Down the Security Rabbithole
DtSR Episode 208 - Beyond the Ransomware Economy
This week Michael and I chat with Jamison Utter of Infoblox on one of the more interesting topics at hand - the economy of ransomware. We talk through the sudden popularity of the attack vector, the way the underground "criminal enterprise" has scaled and grown and the future of being a bad guy. If you have occasion to talk to your organization's leadership on the ransomware epidemic, you need to listen to this podcast first.
2016-08-23
41 min
Down the Security Rabbithole
DtSR Episode 207 - NewsCast for August 16th 2016
Quick note from Michael about the Straight Talk Framework & Program -- > Get your free copy at https://securitycatalyst.com/straight-talk-framework/ Launched a new program last week… boy, did I learn a lot. Mostly, it’s my failure to explain. I’m going to chronicle some of the lessons over the next few days and share them If you’ve already downloaded the questions - I’d love to chat with you about your experience… If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit Until Monday, August 22nd, chance to ge...
2016-08-18
47 min
Down the Security Rabbithole
DtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and Security
In this episode we chat with Steve Christey Coley currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us: Steve on Twitter: @SushiDude Hashtag for the show: #DtSR Steve's Bio (from LinkedIn...
2016-08-10
1h 01
Down the Security Rabbithole
DtSR Episode 205 - NewsCast for August 2nd 2016
Quick note from Michael about the Straight Talk Framework -- > I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way! To support both the framework and the programs, I’ve just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video I’m about to launch an online offering… stay tuned for details $2.7 Million HIPAA Penalty For Two Smaller Breaches http://www.healthcareinfosecurity.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270?rf=2016-07-18-eh&mk...
2016-08-06
42 min
Down the Security Rabbithole
DtSR Episode 204 - On Changing Culture
This week, Chris Romeo joins Michael, James and I to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term. Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at C...
2016-07-26
44 min
Down the Security Rabbithole
DtSR Episode 203 - NewsCast for July 19th 2016
Ransomware that's 100% pure JavaScript? Sort of... Slightly misleading article Generally a Windows-based attack (go where the users are) https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/ Researchers have come up with a 'cure' for ransomware Based on some interesting things like file-type changes, similarity measurements and entropy Interesting but not perfect ... do we even think perfect is reachable? Average of 10 files before an identification was made http://www.scmagazineuk.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509147/ The government has officially issued a 'fact sheet' on ransomware Yes, it's a reportable breach Lots of interesting misconceptions (or half-truths) in this guidance...
2016-07-19
52 min
Down the Security Rabbithole
DtSR Episode 202 - Outsourced but Better
This week on the Down the Security Rabbithole podcast, Brandon Dunlap is back for his second show. Following up on Episode 158 where we discussed outsourced security, this time around we talk through the next iteration of what "Managed Security" and outsourcing means to security. You're not going to want to miss this episode! As always, hit up our hashtag on Twitter at #DtSR and you can find Brandon on Twitter as well at @bsdunlap if you want to talk to him directly.
2016-07-12
45 min
Down the Security Rabbithole
DtSR Episode 200 - Privacy, Security, Risk and Law Collide
** Our 200th numbered episode! ** A note from Raf: Thanks to everyone who has been listening to us, tweeting us, and sharing the links to our podcast. We are absolutely floored with the support and listenership we've received. The average show now gets just under 2,500 downloads when released in the first week, and that number goes up every week. So from the bottom of my heart, I humbly thank you and hope you'll continue to listen, share, and comment. This week's episode is titled "Privacy, Security, Risk and Law Collide" as we hos...
2016-06-28
1h 10
Down the Security Rabbithole
DtSR Episode 199 - NewsCast for June 21st 2016
In this episode.. The "Nuclear Bomb" analogy isn't working, stop using it http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179 This is important with respect to how security people talk to real-life issues Here is another example: http://insight.kellogg.northwestern.edu/article/is-reading-someones-emails-like-entering-their-home/ iOS apps will require secure https connections by 2017 http://www.cnet.com/news/ios-apps-will-require-secure-https-connections-by-2017/ We have seen this push on the web before Michael wrote about this topic back in March 2015 (https://www.developsec.com/2015/03/17/is-http-being-left-behind-for-https/) Saw the government push this for all public facing websites (https://https.cio.gov/) ...
2016-06-21
51 min
Down the Security Rabbithole
DtSR Episode 198 - What Legal Counsel Wishes CISOs Knew
On this episode of the Down the Security Rabbithole podcast, Dawn-Marie Hutchinson, currently an Executive Director within the Optiv Office of the CISO joins us and we talk about the things that she's learned over her career working with legal counsel, CISOs and solving problems. A fantastic episode with lessons learned, and executive leadership crammed into less than an hour. Give it a listen! Find Rie on Twitter at @CISO_Advantage UPDATE: Thanks to Sean Jackson (@74rku5) who has hand-transcribed the show. I haven't read this, personally, so if there if he...
2016-06-14
48 min
Down the Security Rabbithole
DtSR Episode 197 - NewsCast for June 7th 2016
In this episode... Are people "going offline" as a result of increasing dangers of the Internet? This article makes the case for yes: http://www.techspot.com/news/64839-increasing-number-internet-dangers-driving-millions-americans-offline.html But ... "millions"? We collectively call BS As the world moves more to mobile and digital, who thinks they have 'control' of their own data anyway? "Sandjacking" allows attackers to install evil iOS apps IF that attacker is physically holding your device AND your device is unlocked AND it takes a while because you have to backup, and restore a ph...
2016-06-07
48 min
Down the Security Rabbithole
DtSR Episode 196 - Jason Witty
On this episode of the Down the Security Rabbithole podcast, I get the pleasure of sitting down with one of my all-time favorite Chief Security Executives, Mr. Jason Witty. He's had a long career of successful security leadership, and in this podcast he sits down with us to talk about risk, threats and words we often confuse. You're not going to want to miss this episode.
2016-05-31
43 min
Down the Security Rabbithole
DtSR Episode 195 - NewsCast for May 24th 2016
This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking. Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast! Tennessee Amends Breach Notification Statute http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute Removes the exception for encrypted data. Will this raise the costs to companies? Encrypted or not, will credit monitoring be the norm? More lawsuits (even if the data is encrypted) Do...
2016-05-24
54 min
Down the Security Rabbithole
DtSR Episode 194 - Update on Cyberlaw w Shawn Tuma
In this episode... Michael and I welcome back Shawn Tuma, our resident Cyber Law Expert from the great state of Texas. We discuss some of the recent cases (unlocking an iPhone!) and some of the tough issues facing the court systems today. Shawn provides insights into the use of the finger (not joking) and some amusing and frustrating aspects of cyber law as the courts continue to evolve. Join us!
2016-05-17
46 min
Down the Security Rabbithole
DtSR Episode 193 - NewsCast for May 10th, 2016
In this episode.. ImageTragick - major flaw in open source image processing toolkit ImageTragick is CVE-2016-3714 Logo & Website: https://imagetragick.com Has a logo, so it must be yuge Is this really that big of a deal? How many are impacted potentially? https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html Remote code execution, with minor caveats - likely darn near everywhere Detroit company loses $495k to wire fraud Source was a faked email to make a wire transfer Why didn’t someone verify this?! http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/ Wil...
2016-05-11
57 min
Down the Security Rabbithole
DtSR Episode 192 - Healthcare and Critical Infrastructure Security
In this episode... Join our guest Larry Whiteside, Michael and I as we record live from InfoSec World 2016 in sunny Orlando, Florida! We talk through the life of a CISO, and the challenges of being in the Healthcare and Critical Infrastructure spaces and the similarities and differences. Larry has had a very diverse and successful career leading some of the most challenging organizations, so we dig into some of the things he's faced, how he's addressed some of those bigger leadership-level challenges, and just the mess that healthcare and critical infrastructure are in right now. ...
2016-05-04
45 min
Down the Security Rabbithole
DtSR Episode 191 - NewsCast for April 26th 2016
In this episode... Only about a third of companies know how many vendors access their systems nearly every company is at risk for a third party breach it's almost impossible to vet every third party developing a strategy and being consistent, scaling is key http://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html No firewall, second-hand $10 routers are to blame for Bangladesh bank heist we talked about this initially in episode 185 (Link: DtSR Episode 185 - NewsCast for March 15th 2016) it's almost unfathomable that this happened SWIFT attacked, now the suspected malware is identified Jim M...
2016-04-26
35 min
Down the Security Rabbithole
DtSR Episode 190 - Interview with Lance James
In this episode, James, Michael and I are live from InfoSec World 2016 and we get the pleasure of interviewing Lance James fresh off the keynote stage. In this intimate, fast-paced and bold interview we talk through some of the challenges InfoSec is facing today, and where Lance believes we should be going. If you haven't been to InfoSec World, we highly recommend going next year. The content team continues to provide a solid mix of technical, managerial and transitioning information security speakers. Make sure you have this one on your calendar for next year, and be...
2016-04-20
44 min
Down the Security Rabbithole
DtSR Episode 189 - NewsCast for April 12th 2016
In this episode... Pros examine mossack-fonseca breach: Wordpress plugin, Drupal likely suspects Plug-ins seem to be a universal weakness Many companies have this type of 3rd party security issue The broader enterprise implications - how do you find these sites? http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/ WordPress pushes free https encryption for all hosted sites What's the problem we're trying to solve? 2 separate issues, trust vs. authentication - know which you're solving http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites If you can't break crypto, break the client Bishop-Fox researcher finds webkit bug in...
2016-04-12
50 min
Down the Security Rabbithole
DtSR Episode 188 - Security Talent Truths
Intro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos
2016-04-05
48 min
Down the Security Rabbithole
DtSR Episode 187 - NewsCast for March 29th, 2016
In this episode... BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there Is the bug really worth all this hype? Is this anything more than a PR stunt, and a big marketing opportunity? Everyone has an opinion, but one thing is for certain, this bug is making big waves http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/ Your wireless mouse is probably a security risk... seriously. RF-based mice typically don't use encryption or mutual authentication Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think) How far u...
2016-03-29
40 min
Down the Security Rabbithole
DtSR Episode 186 - Becoming a CISO
In this episode I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a midwest retail company: Let's talk a little bit about the background you had before walking into your first day as a CISO... How long have you been in your role, and what do you think "so far"? What do you think were the biggest lessons you've learned in your time as a new CISO? What do you make of all the talk about CISO burn-out rates, and the average tenure of a C...
2016-03-22
42 min
Down the Security Rabbithole
DtSR Episode 185 - NewsCast for March 15th 2016
In this episode... The FTC is getting into providing guidance on password changes Well OK, this isn't really guidance, it's just a blog But - does this mean that the FTC is getting into technical guidance? https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes Dwolla hit by CFPB and fined $100,000 Who is the CFPB (Consumer Finance Protection Bureau)? This opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive ac...
2016-03-21
42 min
Down the Security Rabbithole
DtSR Episode 184 - A CISO Post-RSA WrapUp
In this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies who were both out at RSA Conf and share with us some of their insights, lessons learned, and discuss some of the more interesting topics. Join James and I for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't) this is one you're going to want to listen to at least o...
2016-03-16
42 min
Down the Security Rabbithole
DtSR Episode 183 - NewsCast for March 1st 2016
This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed. 300,000 Homes affected by security alarm bug http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3 According to Spokesperson, Alarm still alerts users' smart device when the alarm is armed or disarmed. Device is an alerting mechanism, not a lock Technically, we’d consider this… wait for it… a ‘detective’ control. Appears to only intercept when pin is entered into the device.. do...
2016-03-01
40 min
Down the Security Rabbithole
DtSR Episode 182 - Apple Versus the FBI
In this episode... Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs FBI debate Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share!
2016-02-23
55 min
Down the Security Rabbithole
DtSR Episode 181 - NewsCast for Feb 16 2016
In this episode Class action lawsuit against SuperValu dismissed No damage (use of stolen information) so there's no case? As time passes, risk of use of stolen data, according to judge, decreases The precedent appears to be that in order to sue, you have to prove damage (imagine that?) http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed Neiman Marcus - breached again (with another lesson this time) http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843 So is it official, not having MFA is weak authentication? Is someone accessing accounts through the web interface with stolen passwords a “breach”? Encry...
2016-02-16
48 min
Down the Security Rabbithole
DtSR Episode 180 - From the CISO Perspective
In this episode... Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now Robb, Andrew and Raf discuss the importance of identity in the corporate environment Robb and Andrew give some of their wisdom for the successes and failures of CISOs (and the broader security industry) We discuss the technical vs executive CISO approach (which is better?) Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them Guests Robb Reck ( @RobbReck ) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver wi...
2016-02-09
42 min
Down the Security Rabbithole
DtSR Episode 179 - NewsCast for Feb 2nd 2016
In this episode Employees may face penalties if they misinterpret security policies? Human behavior still seen as the biggest weakness Employers are growing less tolerant of misbehaving employees If you "invite a data breach" you could be held liable http://www.welivesecurity.com/2016/01/14/employees-face-penalties-misinterpreting-security-policies/ New lawsuit filed blaming Twitter for ISIS attack Should social media filter content from terror groups like ISIS? Can social media companies be held liable, why or why not? http://blogs.wsj.com/digits/2016/01/14/lawsuit-blames-twitter-for-isis-terrorist-attack/ SCADA/ICS make incident response more complicated Typical IR activities are co...
2016-02-02
53 min
Down the Security Rabbithole
DtSR Episode 178 - What Will Get Us There
In this episode What got us here - so where are we? Where do we go, and how? (addressing stunt hacking) We discuss how we can influence outcomes, without hand waving and endangering lives What about truly understanding risk, versus ‘security stuff’? Michael breaks out the “risk catnip” Raf asks Haroon - “What are the 2-3 things security does right now, that we should just quit?” We discuss some of the breakers that are turning into builders, and implications With the rate of bad vastly outpacing the rate of good - what’s the solution? Guest Haroon Meer...
2016-01-27
56 min
Down the Security Rabbithole
DtSR Episode 177 - NewsCast for January 19th, 2016
In this episode FTC imposes a $250,000 fine for "false advertising" of encryption Interesting case, where there really was 'false advertising' Would this even have been a 'security issue'? https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled NY wants to ban encrypted smart phone sales Another clear case of legislators being clueless? What about all the existing technology, and kit you can buy across state lines? http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/ Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work Are there ethical implications here of a competitor defining negligence? Burden o...
2016-01-19
52 min
Down the Security Rabbithole
DtSR Episode 176 - 2015 InfoSec Legal Review
We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK a lot long) but I think you'll enjoy the show... In this episode... Most important cybersecurity-related legal developments of 2015 Tectonic Shift that occurred with “standing” in consumer data breach claims Discussion of law prior to Neiman Marcus case, and post Neiman Marcus Does this now apply to all consumer data breach cases? Immediate impact? Companies now liable? Lesson is in seeing the trend and ho...
2016-01-13
1h 16
Down the Security Rabbithole
DtSR Episode 175 - NewsCast for January 5th 2016
In this episode... Juniper has a backdoor problem 2 separate issues, auth bypass & VPN weakness backdoor discovered in Juniper devices lots of speculation on who put it there, but it was meant to be disguised as ‘debug code’ enterprise implications - same as before (what's the bigger picture?) https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/ Iranians broke into New York dam in 2013 and “had a look around” no direct damage done US has largest number of ICS connected to Internet critical infrastructure is vulnerable, being probed this is not a...
2016-01-05
52 min
Down the Security Rabbithole
DtSR Episode 174 - Health Check on Healthcare InfoSec
In this episode... We discuss what in the world is going on in the healthcare space, and why they’re such a target for attackers Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying We discuss future-proofing “smart” healthcare I stumble on “the fundamentals” Dustin discusses the security of “data analytics” in the healthcare space I ask how we can make health care professionals better security people, without making them security people I ask Dustin what the healthcare industry should be doing, going forward into 2016 Guest "Dustin" is a progressive CISO at a Fort...
2015-12-28
36 min
Down the Security Rabbithole
DtSR Episode 173 - NewsCast for December 14th 2015
In this episode... Vizio is getting sued, over data their TVs collect? James provided security tips on the local news station and one of those tips was around the privacy details of your gadgets Companies need to be considering what they are doing with their data At what point does data go from an asset to a liability? Do companies understand the difference? http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing Wyndham settles (caves to) the FTC Agrees to legally be bound to do things they should already be doing .. ? 20 years of audits Interesting ending to the long saga, assuming t...
2015-12-14
52 min
Down the Security Rabbithole
DtSR Episode 143 - NewsCast for May 18th, 2015
In this episode... Netflix launched FIDO (not that one, or that one, no the other one) Focused on automating incident response practices FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats. If you don't use it, at least they provide a structured framework for response and IR workflow http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html IT Chief leaves sensitive data in car- spoiler: it gets stolen Something smells like a fish market in the July heat on this story Maybe it's time to check in on...
2015-05-18
47 min
Down the Security Rabbithole
DtSR Episode 134 - Fundamental Security
In this episode... Michael C and the team talk about "going back to basics" and the need for security fundamentals Michael C talks a little about why we (security professionals) fail at fixing problems at scale We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better" We discuss the balance between false positives and false negatives...
2015-03-16
48 min
Down the Security Rabbithole
DtSR Episode 123 - NewsCast for December 15th, 2014
Topics covered The unfolding case of the Sony Pictures Entertainment breach http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html http://www.thedailybeast.com/articles/2014/12/12/shocking-new-reveals-from-sony-hack-j-law-pitt-clooney-and-comparing-fincher-to-hitler.html http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html The phishing scam that succeeded at hitting a big chunk of Wall Street - it probably would have fooled you too. Here's what we've learned http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/ Iranian hackers hit Las Vegas behemoth with a sophisticated attack ... wait it was a Visual Basic base?! http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/ Judge refuses to dismiss...
2014-12-15
43 min
Down the Security Rabbithole
DtR Episode 119 - NewsCast for November 17th, 2014
Note: The hashtag for the show on Twitter has changed, please connect with us using #DtSR going forward. Thanks! Topics covered Update: Home Depot breach (Hint: apparently it was a 3rd party entry point) Story: http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html Apparently as a reaction, all execs are being switched to iDevices (blame Windows? and why only execs?) - http://www.imore.com/home-depot-switches-execs-iphones-macbooks-it-blames-windows-massive-breach Also, they lost ~53 Million email addresses too - http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282 American Express is pushing tokenization to their payment ecosystem, this is big news but leaves a lot mo...
2014-11-17
41 min
Down the Security Rabbithole
DtR Episode 113 - NewsCast for October 6th, 2014
Topics covered The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ...well we talk about it with an attorney and some necessary skepticism https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware http://www.justice.go...
2014-10-06
47 min
Down the Security Rabbithole
DtR Episode 97 - NewsCast for June 16th, 2014
Note: I want to thank Will Gragido for stopping by this morning to talk over the news with us. Always great to have someone with a fresh perspective, I hope you enjoy the show. Topics Covered Don't like Google Glass (or similar devices) on your network? Kick them off - http://mashable.com/2014/06/04/glassholes-wifi-jamming/ The FAA has issued an order for Boeing to 'protect the planes from computer hackers' ... but what is really going on here? - http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/ APT, APT, APT, APT ... evolved APT? - http://www.csoon...
2014-06-16
51 min
Down the Security Rabbithole
DtR Episode 95 - NewsCast for June 2nd, 2014
Note: Today, Kim Halavakoski joined us on the show to provide perspective all the way from Finland! We appreciate his international addition to the show, and hope the listeners enjoy the added brainpower. Topics covered Facebook's next major update will turn your mobile device into an always-on listening tool for FaceBook. This is a good time to remind you that you are the product, not the customer - http://www.ibtimes.com/facebook-microphone-update-store-data-social-media-giant-confirms-new-feature-will-1588916 In a blow to security professionals' ego everywhere, investors apparently aren't swayed by data breaches - http://www.businessweek.com/articles/2014-05-2...
2014-06-02
47 min
Down the Security Rabbithole
DtR Episode 86 - From DDoS to Quantum Computing [Guest: Prof Alan Woodward]
In this episode Rise of DDoS Where did it come from What's next Why does it work Spoofer project 3-DOS attacks Quantum computing What is it How is it different than what we commonly use today What problems does it solve How practical is it The dark web Where did it come from Legitimate uses, turn into nefarious use-cases Alternatives, adoption and options Guest Prof. Alan Woodward ( @ProfWoodward ) - Alan is not only a subject matter expert in computing, computer security and the impact technology has on business but brings to his roles a very broad ra...
2014-03-31
46 min
Down the Security Rabbithole
DtR Episode 61 - NewsCast for October 7th, 2013
Big thanks to the soon-to-be-regular peanut gallery ... @JoeKnape and @BeauWoods for jumping in this morning and breaking it down with James and I. As a personal message to those of you who listen and our community - please ...remember we all live in a giant glass house, and throwing rocks is a bad, bad idea. I've said it before and I'm looking right at the media for this one (ahem...) - unless you've been in a high-stress environment and have successfully thwarted every attack, please don't go trying to personally attack those out there who work hard...
2013-10-07
45 min
Down the Security Rabbithole
* DtR Episode 50 - The Emergence of Geopolitics in InfoSec
Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment. /Wh1t3Rabbit In this episode... We try and discuss 'defense in depth' on the geopolitical scale @packetknife drops the truth...
2013-07-22
42 min
Down the Security Rabbithole
DtR Episode 37 - NewsCast for April 22nd 2013
It's Monday April 22nd, 2013, and here are the topics from the last 2 weeks James ( @jardinesoftware ) and I ( @Wh1t3Rabbit ) will be talking about as we Monday-morning-quarterback the last 2 weeks in Information Security... Fair warning, we have way too many topics to fit into 20 minutes... so went a little bit longer but both feel it's well worth your time. Laugh, cry, and be informed. Topics Covered Microsoft rolls out 2-factor authentication - James points out that Microsoft has rolled out authenticator-agnostic, robust 2-factor authentication... if only I could figure out how to use it? If you...
2013-04-22
33 min
Down the Security Rabbithole
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 3)
Synopsis This is the third and final part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the...
2012-01-09
30 min
Down the Security Rabbithole
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 2)
Synopsis This is the second part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!
2011-12-28
30 min
Down the Security Rabbithole
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 1)
Synopsis This is the first part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!
2011-12-26
28 min
Down the Security Rabbithole
Down the Rabbithole - Episode 2 - "Can You Be Hacked Out of Business?"
Synopsis This edition of the podcast doesn't hold back. We ask "Can someone be hacked out of business?" and as usual we don't really like the answers we come up with. While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conclusion that I don't think any of us are comfortable with ...at least not that we were willing to say out loud, until now. So is it possible? Is DigiNotar being "hacked out of business" as Dark Reading suggests all FUD? Listen and f...
2011-09-29
35 min
Down the Security Rabbithole
The #SecBiz Podcast - Talking "Cloud Security" with Phil Cox
Phil Cox joins Rafal (aka Wh1t3 Rabbit) and Martin McKeay and a gallery of others discussing the issues with the very nebulous term "Cloud Security", what it means, and how we as vendors can realistically help the consumers of cloud get a handle on what the heck this all means. Fascinating conversation ensues.
2011-09-14
51 min