Down the Security Rabbithole Podcast (DtSR)

Send the hosts a message - try it now!

Quick note from Michael about the Straight Talk Framework & Program -- >

• Get your free copy at https://securitycatalyst.com/straight-talk-framework/
• Launched a new program last week... boy, did I learn a lot.
  • Mostly, it’s my failure to explain. I’m going to chronicle some of the lessons over the next few days and share them
  • If you’ve already downloaded the questions - I’d love to chat with you about your experience...
  • If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit
• Until Monday, August 22nd, chance to get on board early and benefit yourself; i’ve got a lot to share this week and into the future. We’re at the start of something big!

Microsoft Accidentally Leaks 'Golden Keys' That Unlock Secure Boot-Protected Windows Devices: Oops?

• http://www.techtimes.com/articles/173282/20160811/microsoft-accidentally-leaks-golden-keys-that-unlock-secure-boot-protected-windows-devices-oops.htm
• Bottom line: backdoors are always discovered, compromised
• Another take away: key management... sounds easy, is rarely so.
• If you have the need to manage keys in your enterprise, don't try to do this yourself

The Future Of ATM Hacking

• http://www.darkreading.com/endpoint/the-future-of-atm-hacking/d/d-id/1326549
• We didn’t have a problem, but we went ahead with the solution. Looking back on it, imagine some straight talk on this fiasco?
• Yes, I realize some of you like the elegance of chip + pin; do you like the UX? Because it sucks. And if you lament the mag stripe, does that mean you stopped using a terrestrial radio, too?
• Our need as leaders - in the enterprise and across the industry - is to focus limited energy and assets on the areas that create the most value

Apple will reward hackers with "bug bounty" to find flaws

Support the show

>>> If you're reading this, consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!

Synopsis

This episode with Jeff was awesome, recorded at the OWASP LASCON security conference, I got a chance to sit down with Jeff in person and talk shop. I always learn something, but in this podcast Jeff dispensed his usual wisdom in buckets, I could barely write this stuff down fast enough. We covered the raising of the "information security table stakes", and what the last 15 years have meant to the information security profession in terms of evolution. We went into a discussion on how information security can avoid being a cost center and feeling the traditional expansion and contraction with workload and economic times, and I learned what the phrase "it was a business decision" really means. In case you need one more compelling reason, Jeff brought up yet another gem when he discussed how the business pushes the boulder off the cliff, then expects information security to change its trajectory mid-fall ... you're not going to want to miss this. I had a wonderful time catching up with Mr. Reich, and you'll enjoy this podcast, that's a promise.

Guest

• Jeff Reich - (hint: it's prounounced "rich") - A solid history of developing and providing expertise and leadership on information security and all associated disciplines by integrating Managed Risk into the business in the energy, manufacturing, technology and financial services industries. Successfully created and implemented comprehensive Security and Risk Management Infrastructure for a large oil and gas company as well as four of the largest Internet and e commerce providers in their respective industries. Holds a national reputation of excellence through results, publications and presentations of value. Known for ability to hire, train and inspire high performance teams that support and help drive the core business structures. [LinkedIn: http://www.linkedin.com/in/jreich]
  In addition to that, I've known Jeff for a very, very long time throughout his illustrious career, and have always been amazed by his ability to dispense one-liner wisdom, like this one on a recent blog post on "The compliance hamster wheel": "I have been saying for years that simply chasing compliance is like chasing your tail. You probably won't catch it and if you do, it will hurt."

Support the show

>>> If you're reading this, consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!

In this episode...

• John discusses some of the foundational principles of Threat Modeling
• We talk about why threat modeling is like your time in high school
• We discuss why threat modeling is such an incredibly important tool to the enterprise
• John gives us some nuggets of his experience with threat modeling enterprise applications

Guest

• John Steven ( @m1splacedsoul ) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
  John is known for his in-depth work in software security, his expertise in the field of threat modeling, and his snarkcasm. If you don't follow John on Twitter or haven't attended one of the talks he's been known to give occasionally - I recommend you do so.

Support the show

>>> If you're reading this, consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!

TL;DR:
This week's show features Oded Hareven, Co-Founder & CEO at Akeyless, and we cover some topics that are important, but brand new to us. Oded started a secrets management company and addressed some of the challenges and new technology with us.
First, we discuss the "secret zero" problem (the one I worry about quite often), then zero-knowledge secrets management, and finally, this thing called "distributed fragmented crypto" (which is a bit mind-blowing honestly). I think you'll enjoy this podcast, as it's a little more technical than most, and something you may not hear elsewhere.
YouTube Video: https://youtube.com/live/uNtoFbFrTjo
Guest:

• Oded Hareven
  • LinkedIn: https://www.linkedin.com/in/odedhareven/
  • Akeyless website: https://akeyless.io

Support the show

>>> If you're reading this, consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!

In this episode...

• BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there
  • Is the bug really worth all this hype?
  • Is this anything more than a PR stunt, and a big marketing opportunity?
  • Everyone has an opinion, but one thing is for certain, this bug is making big waves
  • http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/
• Your wireless mouse is probably a security risk... seriously.
  • RF-based mice typically don't use encryption or mutual authentication
  • Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think)
  • How far up, or down, your risk register is this one; and how much should it matter to enterprise?
  • http://www.thefiscaltimes.com/2016/03/23/Your-Wireless-Mouse-May-Be-Exposing-You-Cyber-Hackers
• Your Node.js package manager could be an entry point for worms?
  • Now that everything has functionality over our endpoints...
  • Dependencies seem to be (at least partially) to blame here (who's surprised?)
  • http://news.softpedia.com/news/node-js-package-manager-vulnerable-to-malicious-worm-packages-502216.shtml
• Ransomware is getting nastier (and more effective)
  • Remember it's just a business model, so they actually are pretty good at unlocking, support, etc once you pay up
  • What happens when a hospital system gets locked/encrypted -- real lives are at stake here!
  • Enterprise advice? Backup, test, and take it all offline regularly so you can recover
  • This is only going to get worse. Much, much worse.
  • http://www.itsecurityplanet.com/experts-corner/hospital-hit-with-ransomware-contagion-declares-internal-emergency
  • http://www.healthitoutcomes.com/doc/backup-recovery-system-control-ransomware-attack-0001
  • http://www.healthcareitnews.com/news/ransomware-wreak-havoc-2016-icit-study-says

Support the show

>>> If you're reading this, consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast