The Southern Fried Security Podcast (podcasts)
Join Andy Willingham, Martin Fisher, Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

Episode 202 - Evaluating Your Security Program: Awareness & Education

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. Measuring Awareness & Education
    1. What do you think you do?
      1. Mandatory CBLs
      2. CyberCyberCyberStuff (Posters, Email, Swag)
      3. Briefings and Classes
      4. Phishing Awareness
      5. $NOVEL_IDEA
    2. How do you measure it?
      1. How many people is it designed to engage?
        1. Not how many people took the awareness training, but how many people were ENGAGED?
      2. How many people were actually engaged?
      3. How did they do? (CBL completions, % phished, reviews, etc.)
        1. If CBL_Completion = 15 (clicks) then you may want to rethink that
        2. 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
        3. If there is no way to allow for anonymous reviews of training/briefings/etc. then you’re not likely to get fully honest reviews (Who wants to piss off security?)
      4. Are you being honest with yourself?
  4. Adjusting The Program
    1. Don’t change the measurement...change the program
      1. The key to long term success is consistently measuring the same thing over time
      2. You may want to update goals (up or down) but be able to explain why, especially if you are making the test easier
    2. Don’t make drastic changes until Year 3 unless you have to make drastic changes
      1. Big changes in delivery will skew the numbers in ways you likely will not like
      2. Constant large turmoil is counter to most corporate cultures
      3. Small changes take the best advantage of previous investments
      4. “Iterate small and grow larger” - doing too much too fast almost always ends in highly suboptimal results over time
    3. Clearly failing components should be axed and replaced, not tweaked around the edges - especially if there’s a compliance or safety aspect
  5. If this feels like “Wash, Rinse, Repeat” it’s because it is “Wash, Rinse, Repeat”
Direct download: SFS_Podcast_-_Episode_202.mp3
Category:podcasts -- posted at: 6:31pm EST

Episode 200 - Building A Security Strategy - Part III

  1. Recap
    1. Strategy vs Policy
  2. The Question is “How do I make one?”
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. Capability = (Tech + Service) * Process
    1. Tech
      1. Tech, by itself, only consumes electricity and turns cool air into warm air
      2. So many choices….
      3. The tech selection is the *least* critical one for developing a capability
      4. http://www.southernfriedsecurity.com/episode-192-security-waste/
    2. Service
      1. This is the “Stuff You Have To Do”
      2. Usually determined by regulation, policy, or corporate edict
      3. Describes a desired outcome - not how to get there
      4. Examples include “Malware Detection”, “Email Security”
    3. Process
      1. How you do the crazy things you do
      2. Security is not a One-Off - things must be repeatable and consistent
    4. Capability
      1. Describes the value the team brings to the org
      2. While tech and service selection is important, the biggest improvement usually comes from better process
  4. Crawl, Walk, Run
    1. Armorguy’s Maxim of Life: “Start small and iterate larger”
    2. Try to do too much out of the gate and you WILL fail
    3. Define success criteria for each stage that allow for error and learning
  5. It Takes A Village
    1. Security cannot exist as an island
    2. Interdependence with business units is key - if you don’t have it you are the foreigner and will be rejected
    3. The relationship with IT Operations is going to be wonky at first
  6. Strategy - It’s What CISOs Do…
    1. Where do you look for more info?
Direct download: SFS_Podcast_-_Ep_200.mp3
Category:podcasts -- posted at: 9:32pm EST

Episode 199 - Building A Security Strategy - Part II

  1. Recap
    1. Strategy vs Policy
  2. The Question is “How do I make one?”
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. Understand the Business of Your Business
    1. Almost no business is in the business of information security
    2. Follow The Money
    3. Understand The Decisioning Process
    4. “Culture Eats Strategy For Breakfast”
    5. Vocabulary Matters
  4. Know Who Your Stakeholders Really Are
    1. Know the Formal and Informal Org Charts
    2. Influencers are as important as Deciders
    3. Beware the Spoiler
    4. “Culture Eats Strategy For Breakfast”
    5. Don’t Give a Vote or Veto Unnecessarily
  5. Culture Is The Key
    1. We will keep discussing this.
    2. Underestimating the power of culture WILL result in your plan failing
    3. That’s a majority of the reason that Strategy Is Hard
Direct download: SFS_Podcast_-_Ep_199.mp3
Category:podcasts -- posted at: 1:23pm EST

Episode 198 – Building a Security Strategy – Part 1

Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…

  1. What is a Strategy?
    1. What’s the difference between a strategy and a policy?
      1. A policy is binding statements
      2. A strategy is thought-out planning
    2. What a strategy isn’t…
      1. A list of tech you want to buy
      2. A remediation plan that follows an audit/assessment
      3. A continued justification for the way you’ve always done things
      4. The stuff your favorite vendor told you needs doing
    3. A strategy is…
      1. Based on the needs and desires of the org and its senior leaders
      2. Culturally relevant
      3. A guide to where investment (money and people) needs to be made
      4. Balanced between boldness and reassurance
      5. Built on a set of capabilities that map to business success criteria
  2. Why do you want one?
    1. Creates a consistent frame of reference for talking about the program
    2. Helps senior leaders understand the where/why of the investments
    3. Lays out a connected story for the CFO’s org to make budget less hard
    4. Provides a decision-making framework that enables effective choices
  3. How do I make one?
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village

In our next episodes we’ll break down each of the steps and talk more about strategy…

Direct download: SFS_Podcast_Ep_-_198.mp3
Category:podcasts -- posted at: 8:53pm EST

Episode 197 - After the Penetration Test 

We've kind of talked about how to choose your vendors, and we’ll get more into services soon, but we wanted to take some time to talk about penetration tests and especially what to do as they wrap up, how they affect the organization, and how you can manage your penetration tests to make sure they're actually effective.

  • Receiving the report
    • First and foremost, you are the customer. The report is not done until you say it is done.
      • That doesn't mean massaging the data, but you need to be sure that the penetration testers actually provided value.
    • If there isn't a solid executive summary, send it back. Period. Your testers should be able to summarize what they did, what they found, and what they think for your executives.
    • A Nessus or Burp scan is not a report. Ever.
    • Always ask “how did we do for this application/organization size” etc. You’re not just paying for someone to run Nessus on your network, you’re paying for their analysis. Ask for that.
  • Triaging the Results
    • Results rarely go to the same place in the organization. You might have findings for different teams, or entirely different parts of your org. Make sure they get to the right people.
    • Results may be inaccurate for your organization. A penetration tester isn't necessarily familiar with your organization’s risk profile, priorities, or anything else. What they mark as a medium may be a high or critical for you, or vice versa.
      • Example: Information disclosure in Healthcare is often rated much higher when triaging than in other types of businesses.
  • Working with the stakeholders
    • Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
      • This can also give you traceability for when things are actually fixed.
    • Don’t dump on people in big group meetings, take the findings to the specific teams
      • That will give them time to develop a plan for the findings that are affecting them
  • Managing upwards
    • No matter how well or poorly the report is written, it’s still going to end up being your job to explain “how bad is this thing you handed me?”
    • Have to manage the findings and their perception upwards
      • Remediate, mitigate, or accept
      • That's an upper management call
  • Dealing with the Re-test
    • Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.
      • This looks good from both an actual security posture position and a management position
    • Some penetration testers will let you remediate quickly and have them re-test, which can be reflected in the final report
      • Especially if your report might be going to customers, this is incredibly useful. Take advantage of it if at all possible.
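The triage and re-test steps above, as an added example in Python (not code from the show or from any pentest vendor): each finding keeps the tester's rating but gets an organization-specific rating (the healthcare information-disclosure case), is routed to the team that owns the asset as a per-team work package, and moves through open, remediated and verified as the re-test clause is exercised. The findings, the asset-to-team map, the list of regulated assets and the adjustment rules are constructed for illustration.

```python
"""Triage a penetration-test report against the receiving organization's own
risk profile and team ownership. Added example; the findings, asset owners,
regulated-asset list and re-rating rules are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    fid: str
    title: str
    category: str           # tester's classification, e.g. "info-disclosure"
    asset: str              # system or application named in the report
    vendor_severity: str    # what the tester wrote
    org_severity: str = ""  # what it is for *this* organization (set by triage)
    owner: str = ""         # team that has to fix it (set by triage)
    status: str = "open"    # open -> remediated -> verified (after re-test)


def bump(severity: str, steps: int) -> str:
    """Move a severity up (positive) or down (negative), clamped to the scale."""
    idx = SEVERITIES.index(severity) + steps
    return SEVERITIES[max(0, min(idx, len(SEVERITIES) - 1))]


# Constructed org rules: (category, asset holds regulated data) -> severity steps.
# A healthcare org raises information disclosure on anything touching patient
# data; a cosmetic header finding drops a notch regardless of asset.
ORG_ADJUSTMENTS: Dict[Tuple[str, bool], int] = {
    ("info-disclosure", True): +2,
    ("missing-header", True): -1,
    ("missing-header", False): -1,
}
# Constructed ownership data (hypothetical asset names and team names).
ASSET_OWNERS = {"patient-portal": "portal-dev", "intranet-wiki": "it-ops", "api-gateway": "platform"}
REGULATED_ASSETS = {"patient-portal", "api-gateway"}


def triage(findings: List[Finding], owners=ASSET_OWNERS, regulated=REGULATED_ASSETS,
           adjustments=ORG_ADJUSTMENTS) -> List[Finding]:
    """Re-rate every finding for our risk profile, assign an owning team and
    return the list most-severe first. The vendor rating is kept so the
    difference can be explained upwards."""
    for f in findings:
        steps = adjustments.get((f.category, f.asset in regulated), 0)
        f.org_severity = bump(f.vendor_severity, steps)
        # An asset nobody owns stays with security instead of getting lost.
        f.owner = owners.get(f.asset, "security-unassigned")
    return sorted(findings, key=lambda f: -SEVERITIES.index(f.org_severity))


def by_owner(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Per-team work packages (what goes into each team's Jira/Rally queue)
    instead of one big dump on everyone."""
    packages: Dict[str, List[Finding]] = {}
    for f in findings:
        packages.setdefault(f.owner, []).append(f)
    return packages


def mark_remediated(f: Finding) -> Finding:
    f.status = "remediated"
    return f


def record_retest(f: Finding, still_reproducible: bool) -> Finding:
    """Apply the re-test result. Only a finding the team claims to have fixed
    can be verified; a fix the tester can still reproduce goes back to open."""
    if f.status != "remediated":
        raise ValueError(f"{f.fid}: re-test only applies to remediated findings")
    f.status = "open" if still_reproducible else "verified"
    return f


def status_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts by status, for the 'how bad is this and where are we' question."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f.status] = summary.get(f.status, 0) + 1
    return summary


# Constructed sample report, not real findings.
SAMPLE_REPORT = [
    Finding("F1", "Web server banner discloses version", "info-disclosure", "intranet-wiki", "Low"),
    Finding("F2", "Error page leaks patient record identifiers", "info-disclosure", "patient-portal", "Medium"),
    Finding("F3", "Missing X-Frame-Options header", "missing-header", "intranet-wiki", "Medium"),
    Finding("F4", "SQL injection in search parameter", "injection", "api-gateway", "High"),
]


def run_sample() -> List[Finding]:
    triaged = triage(SAMPLE_REPORT)
    for f in triaged:
        print(f"{f.fid} {f.org_severity:8} (vendor: {f.vendor_severity:8}) -> {f.owner}: {f.title}")
    return triaged


if __name__ == "__main__":
    run_sample()
```

The point of keeping both ratings on the record is the "managing upwards" step: when the vendor's Medium becomes your Critical, the adjustment rule is the explanation, and the remediate/mitigate/accept decision is made on the organization's rating, not the tester's.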
Direct download: SFS_Podcast_Ep_-_197.mp3
Category:podcasts -- posted at: 10:46pm EST

SFS Podcast - Episode 196

WannaCry: Woulda, Coulda, Shoulda

First and foremost: Why was medical hit so hard by WannaCry? See Episode 189 - Medical Device Security and Risky Business 455 - https://risky.biz/RB455/

  1. The Lead-Up
    1. Threat Intelligence is A Thing
    2. Threat Intelligence is Hard
    3. Threat Intelligence Feeds are [REDACTED] for many/most
  2. When the Crisis Arrives
    1. Do
      1. Stay Calm
        1. You have finite human resources
        2. You have finite time
      2. Prioritize Your Responses
      3. Know what all your tools can do and be ready to use them
        1. Episode 192 - Security Waste
      4. Know what area to focus on first
        1. Your Business Continuity Program can inform that
        2. You do have a BCP, right?
      5. Be willing to cut off an arm to save the body
      6. When you can, remember that Herd Immunity is a Thing.
    2. Don’t…
      1. Scare the Children
      2. Waffle in decision making
      3. Focus on what you can’t do
        1. This is not the time to point out for the millionth time that your patching program is suboptimal
        2. This is not the time to point out that if you’d only gotten that BlinkyBox last capital season this wouldn’t be an issue
      4. Overpromise
  3. The Aftermath
    1. Be sure you’re in Aftermath and not still in Crisis
    2. Do a Hot Wash and a full After Action Review/Post-Mortem
    3. Document your lessons learned and distribute them widely
    4. Follow Up, Follow Up, FOLLOW UP!!
Direct download: SFS_Podcast_Ep_-_196.mp3
Category:podcasts -- posted at: 8:54pm EST

Episode 195 - Annual Policy Review - Making It Worthwhile

  1. Define policy vs. standards vs. procedures
    1. What is a Policy? It is a guiding principle that sets the direction of an organization: high level, governing statements. Do not include technical details.
      1. Example: Policy statement = Users must authenticate with a unique ID and password
      2. Standard: User passwords must be at least 10 characters in length and include one uppercase letter and one special character. This type of information would go into an Access Control Standard.
    2. What is a Standard? Standards support the policy and make it more meaningful and effective.
    3. What is a Procedure? A procedure is a step-by-step, how-to guide written so that the end result is always the same. These are the steps for configuring your firewalls, setting up a new user, building a server, etc.
  2. Why review your policies?
    1. Every policy guide everywhere says you need to review your policies regularly, which almost always means annually.
    2. Failure to do the annual review can get you in hot water with your regulator and/or auditor.
    3. It just Makes Sense.
  3. Making Sense of Policy Review
    1. It’s the one time a year you can nudge the organization where it needs to go
      1. Past Problems
      2. Current Issues
      3. Future Challenges
    2. Killing off/modifying policies that get in the way of people doing work will Make Friends And Influence People
    3. There is no better way to ensure your team is working on what needs to be worked on than aligning with stated policy.
  4. The Review Process
    1. Alert The Approvers
    2. Line Them Up
    3. Divide and Conquer
    4. Bring The Business Into The Process
    5. As Needed Bring In
      1. Internal Audit
      2. Legal
      3. Risk
      4. Corporate Security
      5. IT
      6. Marketing / Public Relations
    6. Change Crosswalks FTW
    7. Communicate, Communicate, Communicate.
  5. Questions?
    1. Have a process to deal with questions. Route questions to the authoritative source for an answer - don’t answer stuff you can’t/shouldn’t
  6. Resources?

More Notes

  • Make sure what is being added is enforceable. This is a legal document and can be used in court. Statements should support what is being done today, not what you would like to do or wish the program would do in the future.
  • Go back to those “parking lot” statements that were not added, or were removed from a draft, because you couldn’t enforce them at the time. Can they be added now? Don’t lose sight of them if they are important to your security program.
  • Does the corporate culture / C-level support the statements in the policy? As a security practitioner you may firmly believe that your security program must abide by certain policy statements, but the corporate culture or your CEO/CFO, or even your CISO, may not support them. They may become “parking lot” items for a future version, or you may be able to show that the program can support that statement without affecting the culture.
  • Legal is an important reviewer. It feels nitpicky during the review, but Legal knows when “should” and “must” are appropriate.
  • Don’t reinvent the wheel. ISO 27001 is a good framework for your policy. Use it. Don’t try to come up with statements because you think you have to appear to be an Info Sec Policy God. KISS!
  • Don’t write standards and procedures in your policy! We’ve reviewed countless policies that had what we’d consider a standard, or “step-by-step instructions for making firewall changes.” That’s a procedure! Keep it out of your policy.
Direct download: SFS_Podcast_Ep_-_195.mp3
Category:podcasts -- posted at: 8:21pm EST

Evaluating Security Product Vendors

In light of recent news about “Vendors Behaving Badly” we want to talk about how a security professional should evaluate vendors and their products.

Recent News:

Tanium exposed hospital’s IT while using its network in sales demos: https://arstechnica.com/security/2017/04/security-vendor-uses-hospitals-network-for-unauthorized-sales-demos/

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance: https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

  1. There are so many different sources of information about vendors and their products. You owe it to yourself to evaluate not just the vendor but also each source of information.
  2. Information Sources
    1. Analyst Firms: Gartner/Forrester/etc.
      1. Always remember they take a very generic view using a notional enterprise as the standard.
      2. Current customer interviews are important but, remember, those customer contacts likely came from the vendor.
      3. The perception of “Pay for Play” is there no matter how much the firms want to squelch it.
    2. 3rd Party Testing: NSS Labs, etc.
      1. These tests presume a lot, so make sure you understand what the conditions of the test were.
      2. The “Pay for Play” perception exists here too….
      3. The results of the testing aren’t specific to your environment but can help show outliers in a group
    3. Podcasts
      1. Obviously your best and most relevant source of information. :-)
    4. Networking
      1. If you have developed a reliable network of peers you can reach out and ask folks. But, remember, buy them a beer for their troubles…
      2. Always remember perspective is everything. Some people just don’t like Company_Z and will always hate their products.
  3. Product Evaluation Rules
    1. Start with 3rd party data and demos. This will determine if your requirements (you did write out your requirements, right?) are met by the product
    2. Do a PoC (Proof of Concept).
      1. Do not allow the vendor to drive the definition of “success” in a PoC
      2. Try to break it. I mean REALLY try to break it.
      3. Remember, the PoC is going to be the best support and interaction you will ever get. If that sucks you might want to move along.
      4. Test *all* of your use cases. (you do have documented use cases, right?)
  4. Edge Cases
    1. Service providers such as penetration testers and MSSPs
Direct download: SFS_Podcast_Ep_-_194.mp3
Category:podcasts -- posted at: 9:53pm EST

Tonight's episode is all about those learning moments. 

CISOs and security orgs find new and interesting ways to screw up all the time.  Leaving that Any-Any rule in place on the new firewall…  Disabling the CEO’s account by accident…  Not realizing that Shadow IT had just installed a new egress point…

Here are our stories.  The names have been changed to protect the culpable.

Direct download: SFS_Podcast_Ep_-_193.mp3
Category:podcasts -- posted at: 10:02am EST

Today's Topic: Security Waste - Buying new tools without maximizing use of current tool set

It’s not just a security problem but we often add to our arsenal without fully (or even mostly) utilizing the tools that we do have.

Problems associated with this are:

  • Have more complexity in your environment
  • Needing more staff or requiring current staff to stretch themselves thin to support differing tools
  • Increased cost (capital, operational, support)
  • Information overload - even with a SIEM more data requires more analysis
    • Increased chance of missing key events
    • Increased false positives
  • What am I missing?

How do we work through this when you’re not the decision maker?

  • “Operational Excellence” - Martin’s story

How do we work with our vendors to ensure that we are leveraging their tools without over-dependence on one tool or vendor?

Direct download: SFS_Podcast_Ep_-_192.mp3
Category:podcasts -- posted at: 9:02pm EST

Guillaume’s last visit to the show: Episode 167
Last year’s WWDC episode

WWDC 2016 Security Rumors and Wishes
Possible Touch ID changes
Touch ID for the Mac?

Wishlist
Encrypted iCloud Backups
Permissions and Pairing
Granular Location Access
Better Public Wi-Fi, VPN And SSL/TLS Handling

Reduced Annoyances and Increased Security on iOS

Find us on Twitter:
@gepeto42
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_181.mp3
Category:podcasts -- posted at: 10:35pm EST

This evening, Martin sat down with Patrick Heim from Dropbox. Enjoy the interview, and the gang will be back next episode.

Direct download: SFS_Podcast_Ep_-_180.mp3
Category:podcasts -- posted at: 9:00pm EST

The 2016 DBIR
OSVDB Thoughts on the DBIR
Analyzing the 2016 Verizon Data Breach Investigations Report » Digital Shadows
The DBIR’s ‘Forest’ of Exploit Signatures – Trail of Bits Blog
Response to Kenna Security’s Explanation of the DBIR Vulnerability Mess | OSVDB

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_Ep_-_179.mp3
Category:podcasts -- posted at: 8:36pm EST

This evening, Martin, Steve, and Joseph talk about overhyped vulnerabilities, and how that affects communication with the business.

Badlock’s Site
Sadlock
Hyping vulnerabilities is no longer helping application security awareness | TechCrunch

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_178.mp3
Category:podcasts -- posted at: 8:45pm EST

Tonight, Martin and Joseph sit down and talk about communicating cautionary tales without turning them into FUD.

US-CERT advisory on ransomware

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_177.mp3
Category:podcasts -- posted at: 8:40pm EST

InfoSec programs without money are like cereal but no milk, peanut butter but no jelly, Milli but no Vanilli… (Get over it, I’m old - Martin)

Martin is doing a talk on “The ABCs of Getting Your InfoSec Program Funded” and we’re going to discuss how this works in the real world at all of the different levels.

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_176.mp3
Category:podcasts -- posted at: 10:06pm EST

Episode 175 - RSAC Wrapup and More...

Congrats to Risky Business for winning this year’s podcast of the year!

RSA:
Let’s get an update from our reporter on the scene: Mr. Steve Ragan.

Fear and loathing at RSA: Hacking, security and the limits of protection | TechCrunch

Hack the Planet! I mean the Pentagon: U.S. military invites vetted experts to "Hack the Pentagon" | Fortune

Spear Phishing:
Three more firms hit by targeted Phishing attacks seeking W2 data | CSO Online

What Happens When You Dare Expert Hackers to Hack You

Backdoors:
Linux Mint hacked: Compromised data up for sale, ISO downloads backdoored | CSO Online

Transmission Infected with KeRanger Ransomware – MacStories

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_Ep_-_175.mp3
Category:podcasts -- posted at: 9:07pm EST

We’ve been nominated for the 2016 Security Blogger Awards!

Topic: Threat Intel

Norse Corp disappears shortly after CEO is asked to step down

Digital Shadows announces 14 million series B fund raising

PDF WARNING - Threat Intelligence Maturity Model (tl;dr - Intel programs are hard and take years to get right)

Forrester - Maximizing your investment in cyber threat intelligence providers (tl;dr - be careful spending big bucks and make sure you are gathering your own intel first)

Mind Over Matter: The Importance of Intelligence in Your Threat Program - “When it comes down to it, you can’t outsource your business risk management strategy.”

Threat Intelligence Indicators are not Signatures // InfoSec Zanshin

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_Ep_-_174.mp3
Category:podcasts -- posted at: 9:17pm EST

We’ve been nominated for the 2016 Security Blogger Awards!

Topic: Vendor Relationships 

Trend Micro AV gave any website command-line access to Windows PCs

Google security researcher excoriates TrendMicro for critical AV defects

Trustwave lawsuit

Norse story

Demos:
Pro Tip: Kicking off your demo with "I hope you'll understand these concepts" sets a pretty sad tone. - Martin

Pro Tip: Presuming you know our business processes during your demo means you aren't showing us what we are looking for. Ask first. - Martin

Pro Tip: If you don't prepare to demo the requested features please just cancel and move along. - Martin

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_Ep_-_173.mp3
Category:podcasts -- posted at: 9:38pm EST

Topic: Security Awareness

Some people think it's a waste of time:

Why you shouldn’t train employees for security awareness
Schneier on Security Awareness Training
Does security awareness training even work?

But, that said, it's a requirement for government agencies and regulated industries:

HHS Security Awareness and Training Requirements

Privacy and Security Training requirements for multiple regulations

DISCUSSION & OPINION: Is Security Awareness worth the time?

If you have to do it, make it better:
Ten Recommendations for Security Awareness Programs

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Ep_172.mp3
Category:podcasts -- posted at: 8:51pm EST

Tonight, Martin, Joseph, Steve, and Andy got together and went over how their 2015 predictions went, and laid out what their predictions were for 2016.

The gang is on break from now until the new year, happy holidays!

Direct download: SFS_Podcast_Ep_-_171.mp3
Category:podcasts -- posted at: 9:45pm EST

Check for signs of the apocalypse, everyone was here tonight...

Comcast resets nearly 200,000 passwords

In the era of GPS, Naval Academy revives celestial navigation

How Carders Can Use eBay as a Virtual ATM

What Flu Season Can Teach Us About Fighting Cyberattacks

Find us on Twitter:
@SFSPodcast
@jsokoly
@steveD3
@armorguy
@jetsetyvette

Direct download: SFS_Podcast_Ep_-_170.mp3
Category:podcasts -- posted at: 10:59pm EST

This week, Andy's back!

The FitBit "hack"

The FBI's Advice on Ransomware? Just Pay The Ransom

Find us on Twitter:
@SFSPodcast
@jsokoly
@steveD3

Direct download: SFS_Podcast_Ep_-_169.mp3
Category:podcasts -- posted at: 9:27pm EST

Tonight, Steve and Joseph talked password managers and consumer reports for cybersecurity.

LogMeIn now owns LastPass

Troy Hunt's article on switching from LastPass

Websites, Please Stop Blocking Password Managers. It's 2015

Mudge's Consumer Cyber Reports

Find us on Twitter:
@SFSPodcast
@jsokoly
@steveD3

Direct download: SFS_Podcast_Ep_-_168.mp3
Category:podcasts -- posted at: 10:27pm EST

This week, Joseph and Guillaume Ross talked content blockers, phishing consequences, and home network monitoring.

Back to Work Episode 239

Accidental Tech Podcast Episode 136

FireEye: Forbes.com served malicious ads to visitors | CSO Online

Ad Blocking, Ad Networks, & Your IP Address

DHS infosec chief: We should pull clearance of feds who fail phish test | Ars Technica

Cujo Is a Smart-Home Device That Protects Against Hacks | Digital Trends

Find us on Twitter:
@SFSPodcast
@jsokoly
@gepeto42

Direct download: SFS_Podcast_Ep_-_167.mp3
Category:podcasts -- posted at: 10:52am EST

This week Martin and Joseph sat down and talked about stress, burnout, and why Martin took a break for a while. 

Direct download: SFS_Podcast_Ep_-_166.mp3
Category:podcasts -- posted at: 10:40pm EST

Tweet from Ed Willson

Chrome and Firefox dump Flash

Netflix dumps antivirus

Windows 10:
Even When Told Not To, Windows 10 Can't Stop Talking to Microsoft
Even the pirates are nervous about Windows 10
Timcast - Windows 10 is spying on you and it's super creepy

Where you can find us:
@SFSPodcast
@jsokoly
@steved3

Direct download: SFS_Podcast_-_Ep_165.mp3
Category:podcasts -- posted at: 9:48pm EST

This week's show notes:

Vegas:
BlackHat Day 1
Car Hacking
BlackHat Day 2
Defcon Roundup
@sawaba's BSides Talk
Washington Post's Article on l0pht

Oracle's CSO makes a questionable publishing decision

Where you can find us:
@SFSPodcast
@jsokoly
@steved3

Direct download: SFS_Podcast_-_Ep_164.mp3
Category:podcasts -- posted at: 9:51pm EST

No full episode this week thanks to Security Summer Camp, but Martin got to sit down and chat with good friend of the podcast Wendy Nather. 

We'll be back soon!

Direct download: SFS_Podcast_Interview_With_Wendy.mp3
Category:podcasts -- posted at: 10:47pm EST

Life is Short. For some it may get shorter?

Archuleta is out at OPM: Who didn't see that one coming?

If you look for breaches, you might find them.

Darkode Shutdown: Former FireEye Intern Accused Of Creating $65,000 Android Malware - Forbes 

BREAKING: UCLA Health breach hits data of 4.5M - Modern Healthcare

Direct download: SFS_Podcast_-_Ep_163.mp3
Category:podcasts -- posted at: 12:38am EST

Tonight, Joseph and Steve tackled the Hacking Team breach: why it's interesting, what's happening, and some of the data that's come out so far.

Direct download: SFS_Podcast_-_Ep_162.mp3
Category:podcasts -- posted at: 9:56pm EST

This episode, the gang was joined by Chris Burton (@cyberhiker) to talk about the OPM breach.

OPM - The Breach that Keeps on Giving:

Second OPM Hack Exposed Information About Military, Intelligence Workers - Defense One
http://www.defenseone.com/technology/2015/06/second-opm-hack-compromised-information-military-intelligence-workers/115213/

Report: Hack of government employee records discovered by product demo | Ars Technica
http://arstechnica.com/security/2015/06/report-hack-of-government-employee-records-discovered-by-product-demo/

Carnal0wnage Attack Research Blog: Hard to Sprint When You Have Two Broken Legs
http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html

Data hacked from U.S. government dates back to 1985: U.S. official | Reuters
http://www.reuters.com/article/2015/06/06/us-cybersecurity-usa-idUSKBN0OL1V320150606?irpc=932

Brief: 4 million federal employees affected by data breach at OPM | CSO Online
http://www.csoonline.com/article/2931560/data-breach/brief-4-million-federal-employees-affected-by-data-breach-at-opm.html

Find us on Twitter:
@SFSPodcast
@jsokoly
@JetSetYvette
@cyberhiker

Direct download: SFS_Podcast_-_Ep_161.mp3
Category:podcasts -- posted at: 8:54am EST

The show notes for this episode have some screenshots, see the website for the full notes:

http://www.southernfriedsecurity.com/apple-and-privacy-with-guillaume-ross/ 

Find us on Twitter: 
@SFSPodcast 
@jsokoly 
@gepeto42

Direct download: Apple_and_Privacy_with_Guillaume_Ross.mp3
Category:podcasts -- posted at: 12:07pm EST

This week Steve and Joseph were joined by a guest from America's hat: Guillaume Ross.

The IRS and PII as verification:

Security checks that rely on PII put businesses and consumers at risk | CSO Online http://www.csoonline.com/article/2927652/data-protection/security-checks-that-rely-on-pii-put-businesses-and-consumers-at-risk.html

If you're not paying for the service, you're probably the product:
Adios, Hola! - Why you should immediately uninstall Hola http://adios-hola.org/

Hola VPN client vulnerabilities put millions of users at risk | CSO Online

http://www.csoonline.com/article/2928817/vulnerabilities/hola-vpn-client-vulnerabilities-put-millions-of-users-at-risk.html

Facebook Uses PGP

Official announcement:

https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302

https://threatpost.com/facebook-bolsters-message-security-adds-openpgp/113079

Find us on Twitter:

@SFSPodcast
@jsokoly
@SteveD3
@gepeto42

Direct download: SFS_Podcast_-_Ep_160.mp3
Category:podcasts -- posted at: 7:00am EST

Joseph and Steve were joined by a special guest tonight, Mr. Kevin Riggins. They tackled mafia-style shakedowns, vulnerabilities in medical equipment, and “stunt hacking.”

"Breach" Extortion:

http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/index.html

ICS-CERT issues advisory for medical equipment for the first time:

https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01A

http://hextechsecurity.com/?p=123

"Stunt Hacking":

http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/

http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

http://idoneous-security.blogspot.com/2015/05/lessons-in-grown-up-security.html

http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html

Find us on Twitter:

@SFSPodcast
@jsokoly
@SteveD3
@kriggins

Direct download: SFS_Podcast_-_Ep_159.mp3
Category:podcasts -- posted at: 9:14pm EST

This week, Joseph and Steve talked about what these "six hacker tribes" are, and the recent rise of some accountability in security in both the government and the private sector.

"The Six Hacker Tribes"
http://www.telegraph.co.uk/technology/internet-security/11568376/Unmasked-the-six-hacker-tribes-you-need-to-watch-out-for.html

“Accountability in Security” on multiple fronts:
http://www.forbes.com/sites/davelewis/2015/04/29/notes-from-rsa-accountability-in-security/

http://www.csoonline.com/article/2916649/disaster-recovery/fireeye-customers-get-liability-shield-thanks-to-safety-act.html

And if you have any feedback, questions, or comments, find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Ep_158.mp3
Category:podcasts -- posted at: 9:32pm EST

The gang is back with some cast changes. Martin will be taking a break for a while, so Joseph will be hosting for the next while.

This week, we talked Wordpress, Steve's experiences at RSAC, and this year's DBIR:

Wordpress:
http://www.csoonline.com/article/2915142/vulnerabilities/wordpress-promises-patch-for-zero-day-within-hours.html 

RSAC:
RSAC 2015: RSA Conference (Day 1): http://www.csoonline.com/article/2910943/security-industry/rsac-2015-rsa-conference-day-1.html

RSAC 2015: RSA Conference (Day 2): http://www.csoonline.com/article/2912475/security-awareness/rsac-2015-rsa-conference-day-2.html 

RSAC 2015: RSA Conference (Day 3): http://www.csoonline.com/article/2912411/data-protection/rsac-2015-rsa-conference-day-3.html

Defcon/BH Attendance: http://venturebeat.com/2014/08/12/black-hat-and-defcon-see-record-attendance-and-thats-not-even-counting-the-spies/

The DBIR:
http://www.verizonenterprise.com/DBIR/2015/

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Ep_157.mp3
Category:podcasts -- posted at: 9:51am EST

Episode 156 - Sad Panda

Martin, Steve, and Joseph got on tonight to talk about clickbait-that-wasn't, AV eating itself, and 6 ways the Sony breach didn't actually change everything.

A great slideshow article from friend of the podcast Michael Santarcangelo:
http://www.csoonline.com/article/2895341/security-leadership/8-steps-successful-security-leaders-follow-to-drive-improvement.html

A bad, bad day for Panda AV:
http://www.infosecurity-magazine.com/news/panda-labs-detects-itself-as/
http://redd.it/2yofpo

"6 Ways The Sony Hack Changes Everything"
http://www.darkreading.com/risk/6-ways-the-sony-hack-changes-everything-/a/d-id/1319415

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_156.mp3
Category:podcasts -- posted at: 8:28pm EST

The Show Notes

Opening Music

BSides Atlanta

  • SFS Podcast is a sponsor
  • Martin is presenting “The Art of Speaking with Muggles”
  • Sold out but sponsors have tix they are handing out. Also Eventbrite courtesy.

Stories:

It’s hard to find infosec folks…
http://www.csoonline.com/article/2894377/infosec-staffing/shortage-of-security-pros-worsens.html
http://www.zdnet.com/article/how-infosec-hiring-lost-its-way-harsh-findings-in-leviathan-report/

The number of things wrong with the editorial is immense… We read it so you don’t have to….
http://www.darkreading.com/application-security/which-apps-should-you-secure-first--wrong-question/a/d-id/1319355

Anthem declines post-breach audit from regulators…
https://threatpost.com/anthem-refusing-oig-security-audit-following-breach/111476

Twitter: @SFSPodcast

www.SouthernFriedSecurity.com

Direct download: SFS_Podcast_-_Episode_155.mp3
Category:podcasts -- posted at: 8:48pm EST

Martin & Steve get a chance to talk to Rob Fuller (@mubix) about his ideas on Open Source Architecture. It's a great conversation where you can see the idea grow in front of your own ears!

The link to the Open Source Architecture group is:
https://groups.google.com/forum/#!forum/ossag

Remember BSidesATL and BSidesLV!

Direct download: SFS_Podcast_-_Episode_154.mp3
Category:podcasts -- posted at: 7:39pm EST

Episode 153 - Internet Veapon

The gang braved the snow to get a show together tonight, here's what they covered:

$17 mill-yun dollars scammed from Omaha company… A cautionary tale on business process controls...
http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html

You get an attribution! And you get an attribution! You all get attributions!
https://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080

Feds want more threat info from private companies. Is this the way to go?
http://www.wired.com/2015/02/president-obama-signs-order-encourage-sharing-cyber-threat-information/

Join us next week for episode 1784 of the continuing special “Responsible Disclosure!”
http://www.infosecurity-magazine.com/news/google-blinks-first-with-project/

PSAs:
BSidesATL 2015 CFP is open: http://www.securitybsides.com/w/page/92311122/BSidesATL2015
BSidesLV 2015 CFP and Call for Mentors is open as well: http://www.bsideslv.org/

And if you have any feedback, questions, or comments, drop us a comment here or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_153.mp3
Category:podcasts -- posted at: 8:22pm EST

SFS Podcast

Run Sheet for 2/9/15 - Episode 152

The Stories

Anthem…. a megabreach if ever we've seen one...
http://www.csoonline.com/article/2881532/business-continuity/anthem-how-does-a-breach-like-this-happen.html

With the end of Microsoft’s Trusted Computing Group has the overall security posture of products taken a hit? Anecdotes say...maybe.
http://www.itproportal.com/2015/02/02/microsofts-new-ios-outlook-app-serious-security-flaws/

BSides Vegas PSA

Security Model is Broken. In other news, water is wet, and if you stop breathing, you may die.
http://www.scmagazine.com/the-security-model-is-broken/article/393033/

A vendor sponsored survey is slanted so that the “biggest problem” is likely fixed by the sponsor? NO WAY!!
http://www.csoonline.com/article/2879117/data-protection/vendor-math-doesnt-add-up-on-federal-security-priorities.html

Direct download: SFS_Podcast_-_Episode_152.mp3
Category:podcasts -- posted at: 8:31pm EST

Episode 151 -

Tonight, the gang dodged the snow for long enough to talk about some of the stories that have come out in the past week or two.

Can we finally quantify risk?

http://www.csoonline.com/article/2874171/data-protection/new-framework-helps-companies-quantify-risk.html

Security budgets seem to be on the rise according to Ponemon:

http://www.darkreading.com/attacks-breaches/security-budgets-going-up-thanks-to-mega-breaches/d/d-id/1318714?

Filed under "Duh..."

http://www.infosecisland.com/blogview/24236-Fear-Hackers-First-Invest-in-an-IT-Security-Culture-Change.html

There are lots of potential changes to the CFAA, what can you do?

http://www.csoonline.com/article/2873537/security-industry/post-state-of-the-union-reaction-to-proposed-legislation-remains-mixed.html

https://medium.com/message/we-should-all-step-back-from-security-journalism-e474cd67e2fa

https://community.rapid7.com/community/infosec/blog/2015/01/26/how-do-we-de-criminalize-security-research-aka-what-s-next-for-the-cfaa

Public Service Announcement:

BSidesLV's awesome Proving Grounds track is looking for speakers: http://www.securitybsides.com/w/page/89943218/BSidesLV2015

CircleCityCon's CFP is open: https://circlecitycon.com/

BSidesCharm is looking for sponsors: http://www.securitybsides.com/w/page/80637041/BSidesCharm2015
And if you have any feedback, questions, or comments, drop us a comment here or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_151.mp3
Category:podcasts -- posted at: 8:35pm EST

Episode 150 - Not Quite Explicit

The gang is back after their holiday break, and it sure was nice that nothing big happened between episodes, right? Right? Now, we're not tackling Sony in this episode, but there was still plenty to discuss.

Microsoft is ending Advanced Patch Notification Service for everyone except for certain support levels.
http://windowsitpro.com/security/microsoft-ends-advanced-patch-notification-service-and-slams-google-early-warning-policy

Microsoft and Google are starting up the disclosure discussion all over again.
http://blog.erratasec.com/2015/01/a-call-for-better-vulnerability-response.html
http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx
http://www.csoonline.com/article/2867534/vulnerabilities/microsoft-blasts-google-for-vulnerability-disclosure-policy.html

Surprise surprise, politicians are calling for regulation of technology.
http://www.nytimes.com/2015/01/12/us/politics/obama-to-call-for-laws-covering-data-hacking-and-student-privacy.html

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, questions, or comments, drop us a comment here or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_150.mp3
Category:podcasts -- posted at: 8:21pm EST

The gang got together for one last show before the end of year hiatus to talk about the year in review, and their predictions for the year to come. We'll be on hiatus until January, so have a safe holiday season, and we'll be back next year.

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_149.mp3
Category:podcasts -- posted at: 8:29pm EST

It's a longer than normal episode with two great interviews.

First Martin talks with Jennifer Minella (@jjx) about the upcoming (ISC)2 elections and her experience being on the board for the past year.

Then Martin brings Dave Shackleford (@daveshackleford) on to talk about what is wrong with security cons today.

We'll be back next week!

Direct download: SFS_Podcast_-_Episode_148.mp3
Category:podcasts -- posted at: 7:11pm EST

Tonight Martin, Steve, and Joseph tackled FUD, stolen medical data, and executive orders.

Remember, if it says X number of Y, you should probably just move on.
http://www.csoonline.com/article/2835080/data-breach/15-of-the-scariest-things-hacked.html

Stolen Medical Data is Now Worth Something
http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

A great step forward by the government?!
http://www.csoonline.com/article/2835476/data-protection/obama-signs-executive-order-to-bolster-federal-credit-card-security.html

There are also a lot of upcoming SecurityBSides events that you should check out here: http://www.securitybsides.com/w/page/12194156/FrontPage

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_147.mp3
Category:podcasts -- posted at: 8:05pm EST

In case of breach, ask reporters for money?
http://motherboard.vice.com/read/hacked-snapchat-website-demands-payment-bitcoin-to-talk-about-getting-hacked-snapsaved

POODLE explained. Is this really what the future of vulnerability disclosure looks like?
http://www.wired.com/2014/10/poodle-explained/

Rethinking the Security “Con”
http://daveshackleford.com/?p=1063

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_146.mp3
Category:podcasts -- posted at: 8:04pm EST

Sorry for the delay in getting episodes out, folks.  Life...it happens.

Today's episode is two fantastic interviews.

First, Sparkles interviews Dave Kennedy (@hackingdave) at DerbyCon.

Next, Martin interviews Ally Miller (@selenakyle) on PCI, Chips, PINs, and other amazing stuff.

We'll be back to what passes for a normal schedule shortly.

Direct download: SFS_Podcast_-_Episode_145.mp3
Category:podcasts -- posted at: 7:34pm EST

Episode 144 - The Ballad of Ricky Joe

Tonight marked the return of Yvette back to the podcast, joining Martin, Andy, and Joseph to talk about what else but more Home Depot.
http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
http://arstechnica.com/security/2014/09/home-depots-former-security-architect-had-history-of-techno-sabotage/

We also managed to fit in a great discussion on chip and pin and its effectiveness here in the US.
http://www.csoonline.com/article/2685514/data-protection/chip-and-pin-no-panacea-but-worth-the-effort-and-the-cost.html

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_144.mp3
Category:podcasts -- posted at: 8:28pm EST


This week Andy made his triumphant return back to the show with Martin, Steve, and Joseph. They dove right back in on some of the recent breaches, as well as a discussion about how CISOs should respond when they find themselves in a "resume-generating event."

"C-level security"
http://www.businessweek.com/articles/2014-09-12/home-depot-didnt-encrypt-credit-card-data-former-workers-say

What are the technical details behind the Home Depot breach? There's a lot of people looking into that.
http://sub0day.com/2014/09/pos-hacks/
http://www.darkreading.com/home-depot-breach-may-not-be-related-to-blackpos-target/d/d-id/1315636

"Six stages of data breach denial"
http://www.csoonline.com/article/2606174/infosec-careers/caught-in-the-breach-how-a-good-cso-confronts-inevitable-bad-news.html?nsdr=true

Minecraft purchased by Microsoft, and Notch is leaving Mojang
http://pastebin.com/raw.php?i=n1qTeikM

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_143.mp3
Category:podcasts -- posted at: 8:37pm EST

It kind of felt like Groundhog Day on the show this evening as Martin, Steve, and Joseph talked about some of the pressing stories that have come to light over the past week. Steve also gave some insight into discussion of breaches in the media.

Home Depot has issued a statement confirming that they have been breached, and have posted a FAQ for the breach.
http://www.csoonline.com/article/2604320/data-protection/what-you-need-to-know-about-the-home-depot-data-breach.html
https://corporate.homedepot.com/MediaCenter/Pages/Statement1.aspx

A simple misconfiguration error led to a development server compromise for Healthcare.gov.
http://www.csoonline.com/article/2602964/data-protection/configuration-errors-lead-to-healthcare-gov-breach.html

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter.

Direct download: SFS_Podcast_-_Episode_142.mp3
Category:podcasts -- posted at: 8:27pm EST

Episode 141 - What's goin' on?

Tonight Martin and Joseph tackled some of the breaking news of the week.

Breaking news: Home Depot breached?
http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/

'Celebgate' is upon us, apparently.
http://www.theverge.com/2014/9/2/6098107/apple-denies-icloud-breach-celebrity-nude-photo-hack

And according to Kaspersky, if we've done nothing wrong, we have nothing to fear.
http://www.theregister.co.uk/2014/08/29/kaspersky_backpedals_on_done_nothing_wrong_nothing_to_fear_company_article/

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_141.mp3
Category:podcasts -- posted at: 8:19pm EST

Tonight was an interesting news night for Martin, Steve, and Joseph. This was an episode filled with healthcare discussion.

First, CHS Hacked via Heartbleed?
https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/
http://www.sec.gov/Archives/edgar/data/1108109/000119312514312504/d776541d8k.htm

Second, CMS refuses to reveal details on the security behind Healthcare.gov
http://bigstory.ap.org/article/us-wont-reveal-records-health-website-security

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_140.mp3
Category:podcasts -- posted at: 8:21pm EST

Tonight Martin, Steve, and Joseph took the opportunity to get a little ranty. It must be a slow news week in the weeks leading up to Security Summer Camp, so there was some great fodder for the guys tonight.

Elon Musk - Dreamy Hero or Dreamiest Hero?

http://news.hitb.org/content/tesla-model-s-hacked-security-contest

It's time to schedule another World Cup final, it seems.

http://www.darkreading.com/attacks-breaches/website-hacks-dropped-during-world-cup-final/d/d-id/1297370

Great post by Spencer Hsieh on the realities of targeted attacks.

http://www.csoonline.com/article/2456221/security-awareness/misconceptions-about-targeted-attacks.html

"We're like sheep waiting to be slaughtered" apparently.

http://www.nytimes.com/2014/07/21/business/a-tough-corporate-job-asks-one-question-can-you-hack-it.html

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_139.mp3
Category:podcasts -- posted at: 8:18pm EST

Tonight Martin, Yvette, Steve, and Joseph tackled some fun topics, stories are below.

Is this the end of password managers? No.

http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/

Bitcoin isn't Money

http://www.wired.com/2014/07/silkroad-bitcoin-isnt-money/

What can you do to help your security budget?

http://www.csoonline.com/article/2369048/security-leadership/do-these-3-things-to-get-the-security-budget-you-want.html

Clearly we should track all of our special snowflakes.

http://www.npr.org/blogs/alltechconsidered/2014/07/10/330406463/a-new-device-lets-you-track-your-preschooler-and-listen-in

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_138.mp3
Category:podcasts -- posted at: 8:30pm EST

Tonight went a little off the rails, but Martin (@armorguy), Steve (@steveD3), and Joseph (@jsokoly) had some fun talking about stories.

DNS is important
http://www.darkreading.com/microsofts-seizure-of-no-ip-domains-disrupted-criminals-and-innocents-alike/d/d-id/1279079

Are CISOs too confident?
http://net-security.org/secworld.php?id=17047

Has the Internet of Things gone "mainstream"?
http://www.npr.org/2014/07/05/328888392/from-thermostats-to-prison-security-more-things-going-online

Can we finally kill Comic Sans?
http://theuniversaltypeface.com/home

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_137.mp3
Category:podcasts -- posted at: 8:20pm EST

Episode 136 - Let's talk about pri-va-cy

Tonight Joseph, Andy, and Steve continued their theme of talking about themes. Joseph brought up a discussion of privacy and got the guys talking. The stories that they discussed are below.

http://www.macworld.com/article/2366921/why-apple-really-cares-about-your-privacy.html

http://www.wired.com/2014/06/usable-security/

http://www.networkworld.com/article/2393044/security/german-government-to-drop-verizon-because-of-us-spying.html

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_136.mp3
Category:podcasts -- posted at: 11:51am EST

Tonight was a little different of an episode. Joseph, Steve, and Andy talked about how tired they were of the "Breach of the Week," how what is old is new again, and the Code Spaces nightmare scenario.

http://www.csoonline.com/article/2137033/network-security/meetup-struggles-under-the-weight-of-a-massive-ddos-attack.html

http://www.csoonline.com/article/2114873/network-security/after-refusing-to-pay-ransom--basecamp-hit-with-ddos.html

http://www.csoonline.com/article/2362004/cloud-security/ddos-triggers-massive-evernote-outage.html

http://www.csoonline.com/article/2362243/malware-cybercrime/feedly-hit-by-ddos-after-refusing-extortion-demands.html

http://www.csoonline.com/article/2365062/disaster-recovery/code-spaces-forced-to-close-its-doors-after-security-incident.html

http://www.csoonline.com/article/2365772/cloud-security/how-to-avoid-having-your-cloud-hosted-business-destroyed-by-hackers.html

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_135.mp3
Category:podcasts -- posted at: 8:02pm EST

Tonight Martin, Joseph, Yvette, and Steve managed to pull themselves away from the US vs Ghana World Cup game long enough to talk about some stories tonight. 

When was the last time we saw someone resort to carbon copy?
http://www.darkreading.com/pf-changs-confirms-security-breach/d/d-id/1278577

Is Target's New CISO doomed from the start? 
http://www.csoonline.com/article/2363210/data-protection/target-top-security-officer-reporting-to-cio-seen-as-a-mistake.html

http://www.csoonline.com/article/2360984/security-leadership/the-cso-s-failure-to-lead.html

TweetDeck was "hacked", but they sure handled it well.
http://www.wired.com/2014/06/tweetdeck-hacked/

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_134.mp3
Category:podcasts -- posted at: 8:24pm EST

Episode 132 - place holder text.

Tonight it was just Joseph and Steve on the podcast, and they had themselves a grand old time.

http://www.wired.com/2014/05/ebay-demonstrates-how-not-to-respond-to-a-huge-data-breach/

http://www.csoonline.com/article/2157782/security-awareness/raising-awareness-quickly-the-ebay-database-compromise.html

http://blog.erratasec.com/2014/05/can-i-drop-pacemaker-0day.html

http://www.darkreading.com/endpoint/the-mystery-of-the-truecrypt-encryption-software-shutdown-/d/d-id/1269323

https://www.grc.com/misc/truecrypt/truecrypt.htm

If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_132.mp3
Category:podcasts -- posted at: 6:14pm EST

Martin & Steve handle the 'cast without the rest of the crew tonight...

Here are the stories we comment upon:

Dan Geer blows our mind....again.
https://securityledger.com/2014/05/blade-runner-redux-do-embedded-systems-need-a-time-to-die/

Martin disagrees (kinda) with Michael Santarcangelo for the first time ever..
http://www.csoonline.com/article/2156104/security-leadership/thinking-about-security-beyond-winning-and-losing.html

To redefine winning you gotta get rid of the myths...
http://www.darkreading.com/risk/dispelling-the-myths-of-cyber-security/a/d-id/1251171

Like always the Twitter feed is at @SFSPodcast and the website is www.southernfriedsecurity.com

See you in two weeks!

Direct download: SFS_Podcast_-_Episode_131.mp3
Category:podcasts -- posted at: 8:25pm EST

Martin, Andy, Steven, and Yvette talk about Nick Selby's high school experiences, the Internet of Things, and why Martin doesn't sleep well at night.

http://www.darkreading.com/threat-intelligence/why-threat-intelligence-is-like-teenage-sex/a/d-id/1235049

https://securityledger.com/2014/05/no-silver-bullet-for-securing-internet-of-things/

http://www.wired.com/2014/04/hospital-equipment-vulnerable/

Direct download: SFS_Podcast_-_Episode_130.mp3
Category:podcasts -- posted at: 8:10pm EST

Joseph is in charge this week and that's about all I've got to say about that.

-Martin

:)

http://online.wsj.com/news/articles/SB10001424052702303417104579542140235850578?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702303417104579542140235850578.html

http://www.forbes.com/sites/lauraheller/2014/05/05/targets-ceo-departure-isnt-just-about-the-data-breach/

http://www.csoonline.com/article/2150205/browser-security/microsoft-fixes-internet-explorer-flaw-with-out-of-band-patch-xp-included.html

As always, you can find the direct link to the podcast here: http://sfspodcast.libsyn.com
If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_129.mp3
Category:podcasts -- posted at: 3:28pm EST

Episode 128 - $VULN_pocalypse

Tonight, Martin and Joseph sat down and talked about $vuln of the week, as well as this year's Verizon DBIR:

http://www.pcworld.com/article/2148368/new-internet-explorer-zero-day-puts-web-at-risk-and-xp-isnt-getting-a-fix.html

http://www.pcworld.com/article/2148921/dhs-warns-against-using-internet-explorer-until-bug-is-patched.html

http://www.verizonenterprise.com/DBIR/2014/

As always, you can find the direct link to the podcast here: http://sfspodcast.libsyn.com
If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_128.mp3
Category:podcasts -- posted at: 8:09pm EST

Episode Number 127 - Advanced Malware Attack

Tonight, the whole gang actually got together for the first time in who knows how long. So of course, we tackled some fun stuff:

http://www.csoonline.com/article/2145541/michaels-says-breach-at-its-stores-affected-nearly-3m-payment-cards.html

http://heartbleed.com/

http://www.csoonline.com/article/2142626/security-leadership/how-you-need-to-respond-to-heartbleed-and-how-you-can-explain-it-to-others.html

http://www.csoonline.com/article/2142700/vulnerabilities/heartbleed-cve-2014-0160-an-overview-of-the-problem-and-the-resources-needed-to.html 

http://www.wired.com/2014/04/att-hacker-conviction-vacated/

As always, you can find the direct link to the podcast here: http://sfspodcast.libsyn.com
If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_127.mp3
Category:podcasts -- posted at: 9:03pm EST

It's just Andy and Martin for the first time in years on this episode. The boys talk about the impending demise of Windows XP and then rant/rage/wax philosophic on all things PCI/QSA...

Follow the podcast twitter feed at @SFSPodcast and check out our website at www.southernfriedsecurity.com

Direct download: SFS_Podcast_-_Episode_126.mp3
Category:podcasts -- posted at: 8:14pm EST


Martin, Steve, Yvette, and Joseph sat down on this St. Patrick's Day to have a little discussion on breaches, consequences, and SEEMs. Also, it seems that Yvette may be out of a job, as we found out that "Compliance is not Hard."

http://www.csoonline.com/article/749758/how-to-avoid-becoming-a-victim-like-target

http://www.securityweek.com/what-happens-stolen-data-after-breach

http://www.darkreading.com/compliance/compliance-is-not-hard/240166352
http://www.darkreading.com/authors/Glenn-Phillips

Direct download: SFS_Podcast_-_Episode_125.mp3
Category:podcasts -- posted at: 8:26pm EST

This week Yvette, Martin, Andy, and Steve debated the issue of trust when it comes to security vendors, off-shoring security management, and the latest trend of Security by Obscurity as a Service - because you can't hack what you can't see.

http://www.csoonline.com/article/749173/the-risk-of-offshoring-security

http://www.darkreading.com/privacy/security-firms-face-crisis-of-trust/240166454

http://www.unisys.com/unisys/landingPages/index.jsp?id=1120000970027210173

As always, you can find the direct link to the podcast here: http://sfspodcast.libsyn.com
If you'd like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.

And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_124.mp3
Category:podcasts -- posted at: 8:39pm EST

Episode 123 - Outrage Outrage

Tonight, Martin, Andy and Joseph sat down and talked about passwords, old operating systems, and outrage.

http://blogs.csoonline.com/security-leadership/3020/we-abandon-passwords-these-3-critical-elements-authentication-need-be-fixed

http://www.csoonline.com/article/749074/china-s-windows-xp-users-to-still-get-security-support
http://www.csoonline.com/article/748815/apple-retires-snow-leopard-from-support-leaves-1-in-5-macs-vulnerable-to-attacks

http://www.darkreading.com/risk/juniper-security-chief-takes-swipe-at-se/240166326

Direct download: SFS_Podcast_-_Episode_123.mp3
Category:podcasts -- posted at: 8:17pm EST

Well, we close out 2013 doing a fantastic interview with Mark Horstman of the Manager Tools podcast (www.manager-tools.com).  We highly recommend these folks to anyone who wants to learn effective ways of doing what managers are supposed to do.

Also - we'll be on hiatus until sometime in February 2014.

We wish you and yours a very Merry Christmas and a Blessed New Year.

Direct download: SFS_Podcast_-_Episode_120.mp3
Category:podcasts -- posted at: 8:23pm EST

Episode 119 - All PCI All The Time

For the first time in a long, long time, the whole crew was back together, plus one! Branden Williams joined us while out on the road to discuss his opinions and answer questions about the new PCI DSS 3.0.

https://www.brandenwilliams.com/blog/2013/11/08/pci-dss-3-0-the-good-the-bad-the-confusing/

Direct download: SFS_Podcast_-_Episode_119.mp3
Category:podcasts -- posted at: 5:12pm EST

Martin got the chance to interview Jennifer Minella (@JJX) to talk about her candidacy for the Board of Directors of (ISC)2, the challenges and opportunities that (ISC)2 has, and her drive to get a slate of write-in candidates elected.

http://securityuncorked.com/2013/11/jjs-complete-unofficial-isc2-voter-guidebook/

Direct download: SFS_Podcast_-_Episode_118.mp3
Category:podcasts -- posted at: 4:40pm EST

Episode 117 – End Times

The end is coming when the podcast is put out 2 weeks in a row AND Andy Willingham is on… :)

Martin, Andy, and Yvette wax philosophic on these stories…

Automated Hacking Tools….94% of all web login attempts?

http://www.networkworld.com/news/2013/110713-automated-hacking-tools-swarm-web-275723.html

Also, as promised, here are the slides Matt Bing of Arbor Networks ASERT used during his talk on Fort Disco at this year's University of Michigan SUMIT conference.  It was a GREAT talk.

http://safecomputing.umich.edu/events/sumit13/docs/Bing_FortDisco_SUMIT2013b.pdf

Can the new HIPAA rule cut down on ePHI breaches?  Ummmm….no?

http://www.networkworld.com/news/2013/110813-can-the-new-hipaa-rule-275790.html

And, finally, just realize leadership isn’t about you.  It’s about helping people solve their problems.

http://www.npr.org/2013/11/11/230841224/lessons-in-leadership-its-not-about-you-its-about-them


Direct download: SFS_Podcast_-_Episode_117.mp3
Category:podcasts -- posted at: 8:35pm EST

Episode 116.5 - The NSA Ain't Gonna Stop Us

This week, Andy rejoined the gang! Alongside Martin, Joseph, and Yvette, they tackled Blackberry, enterprise defense, and turf battles:

http://www.nbcnews.com/business/blackberry-abandons-sale-plan-replaces-ceo-report-says-8C11519748

http://www.tuaw.com/2013/10/22/blackberry-announces-5-million-downloads-of-bbm-for-ios-and-andr/

http://www.csoonline.com/article/742317/the-emerging-turf-battle-between-information-and-physical-security-pros

http://www.csoonline.com/article/742486/enterprise-defenses-lag-despite-rising-cybersecurity-awareness

Direct download: SFS_Podcast_-_Episode_116.5.mp3
Category:podcasts -- posted at: 8:22pm EST

Martin and Yvette discuss "I am the Cavalry" and other interesting ideas with Josh Corman (@joshcorman) and Nick Percoco (@c7five).

Direct download: SFS_Podcast_-_Episode_115.mp3
Category:podcasts -- posted at: 8:58pm EST

Tonight Martin, Joseph, Yvette, and Steve hit a couple of stories.

First, we talked about the shutdown of the Silk Road, and the arrest of the Dread Pirate Roberts:
http://www1.icsi.berkeley.edu/~nweaver/UlbrichtCriminalComplaint.pdf

Then, cybersecurity is an occupation, but not a profession?
http://www.fiercegovernmentit.com/story/cybersecurity-occupation-not-profession-says-report/2013-09-18

http://www.csoonline.com/article/740456/cybersecurity-should-be-seen-as-an-occupation-not-a-profession-report-says

Direct download: SFS_Podcast_-_Episode_114.mp3
Category:podcasts -- posted at: 8:23pm EST

This evening, Martin turned over the keys to the kingdom and let Joseph run the podcast tonight. So Martin, Steve and Joseph got into the nitty gritty about how useful security awareness training really is:

http://www.csoonline.com/article/739753/social-engineering-and-phishing-attacks-are-getting-smarter-but-are-employers-

And of course, we had to talk about the new iPhone 5S and its crazy fingerprint sensor:

http://www.macworld.com/article/2048514/the-iphone-5s-fingerprint-reader-what-you-need-to-know.html

Direct download: SFS_Podcast_-_Episode_113.mp3
Category:podcasts -- posted at: 8:13pm EST

Episode 111 - Summer Blockbusters

This evening, Martin, Steve, Yvette, and Joseph discussed some of their blockbusters of the summer.

Direct download: SFS_Podcast_-_Episode_111.mp3
Category:podcasts -- posted at: 8:52pm EST

This evening, we had a special guest interview: good friend of the podcast Nick Selby. He joined us to talk about a project that he is involved with called Code for America. If you're interested in more about Code for America, you can find more information here: http://codeforamerica.org/

We also briefly discussed the unfortunate passing of Barnaby Jack. Our hearts and prayers go out to the friends and family of Jack.

http://techland.time.com/2013/07/29/barnaby-jack-hacker-who-made-atms-spit-out-cash-dies-in-california/?iid=tl-main-lead

Direct download: Episode_110_-_Sheepdogs.mp3
Category:podcasts -- posted at: 8:46pm EST

Andy, Joseph, and Yvette can't make it this time so Martin and Steve talk about the recent announcement that Feds should stay away from DefCon.

Oh, and Steve just joined CSO as a Staff Writer.  Here's his first byline:

http://www.csoonline.com/article/736383/sony-drops-psn-breach-appeal-after-risk-assessment

Direct download: Episode_109_-_No_Feds.mp3
Category:podcasts -- posted at: 7:58pm EST

This evening Martin, Andy, Steve, and Joseph had a special guest on board: Nick Selby. Nick joined us to continue our discourse relating to the show last week, the NSA leak and Edward Snowden.

Once we beat that horse enough, we switched gears a bit to a discussion of a recent Bloomberg article discussing consultants with loose lips.

http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html

Direct download: SFS_Podcast_-_Episode_108.mp3
Category:podcasts -- posted at: 8:57pm EST

Martin, Steve, and Joseph try hard to find a topic to talk about and settle on the NSA/PRISM issues that have dominated the Echo Chamber for the last several weeks.

Direct download: SFS_Podcast_-_Episode_107.mp3
Category:podcasts -- posted at: 8:24pm EST

Episode 106 - Shazam!!

Tonight, Martin, Andy, and Joseph hit some fun topics and some more serious ones as well.

First, could your phone be hacked via lights, sound, or magnets?!

http://www.theregister.co.uk/2013/05/28/light_sound_magnetic_malware_hidden_trigger/

Then, the French Police suggest replacing their missing person searches with Facebook:

http://www.networkworld.com/news/2013/052313-french-police-end-missing-persons-270071.html

On a more serious note, the US Department of Health and Human Services fined Idaho State University for a breach:

http://www.networkworld.com/news/2013/053013-university-fined-400000-after-disabled-270285.html

And finally, are IT pros masochists, suffering from Stockholm Syndrome, or both? 

http://www.cio.com.au/article/462571/despite_poor_work-life_balance_it_pros_like_their_jobs_survey/

If you're looking for something to do this weekend, make sure you head over to BSides Charlotte, where our own Martin Fisher will be speaking about halos or something. 

http://bsidesclt.org/

Direct download: SFS_Podcast_-_Episode_106.mp3
Category:podcasts -- posted at: 8:35pm EST

Martin and Steve discuss the DHS plan to distribute cybersecurity (DRINK!) data through a small set of trusted defense/telecom vendors....who might end up charging users for the data...

Here are some story links:

http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2013/051713-experts-ding-dhs-vulnerability-sharing-269889.html&pagename=/news/2013/051713-experts-ding-dhs-vulnerability-sharing-269889.html&pageurl=http://www.networkworld.com/news/2013/051713-experts-ding-dhs-vulnerability-sharing-269889.html&site=security&nsdr=n

http://mobile.reuters.com/article/article/idUSBRE94E11B20130515?irpc=932

And if you are anywhere near Charlotte on June 7 & 8 you need to attend BsidesCLT!

http://bsidesclt.org/

Direct download: SFS_Podcast_-_Episode_105.mp3
Category:podcasts -- posted at: 8:55pm EST

Tonight Martin, Steve, and Joseph discussed one of Steve's recent experiences with open source products and services in a business environment.

Direct download: SFS_Podcast_-_Episode_104.mp3
Category:podcasts -- posted at: 8:23pm EST

Three stories get the Southern Fried treatment from Martin, Andy, and Yvette.

Moving from "checkbox compliance" to "GRC"..... Good idea.

http://www.darkreading.com/compliance/can-we-cease-check-box-compliance/240153220

The Washington Post wants government action on all things "cyber".....  Maybe a Good Idea, Maybe a Bad Idea

http://www.washingtonpost.com/opinions/government-private-sector-must-team-up-to-fight-cyberthreats/2013/04/21/0b3b80fc-a913-11e2-a8e2-5b98cb59187f_story.html#

First thing you do when you've been breached?  Advise your customers!  A very, very Bad Idea.

http://www.infosecisland.com/blogview/23092-Into-the-Breach.html

Remember you can always follow our feed at @SFSPodcast or see our website at www.southernfriedsecurity.com

Direct download: SFS_Podcast_-_Episode_103.mp3
Category:podcasts -- posted at: 8:27pm EST

This week was another deep dive topic for Martin, Steve, and Joseph. We chose to tackle some of the opinions on the oft-discussed topic of security awareness. Here are a couple of articles that we used to kind of establish a baseline:

http://www.schneier.com/blog/archives/2013/03/security_awaren_1.html

http://searchsecurity.techtarget.com/news/2240162630/Data-supports-need-for-awareness-training-despite-naysayers

http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness

Take a listen, let us know your thoughts!

Direct download: SFS_Podcast_-_Episode_102.mp3
Category:podcasts -- posted at: 8:28pm EST

With Andy, Joseph, and Yvette not able to make it Martin and Steve take a deeper dive into the events around Weev....what does this mean for our community, what can we learn....

Direct download: Episode_101_-_Weev.mp3
Category:podcasts -- posted at: 8:43pm EST

Here's a quick look behind the scenes here at Southern Fried...  Our Episode 100 Run Sheet...

SFS Podcast Ep100 Run List

Open1 - Jack Daniel Opener
Open2 - New Theme

Martin Intro & Welcome

<Random Discussion>

Andy’s Favorite Interview: Jack Daniel
Interview Clip of Jack and the 10 Questions
Andy’s Favorite Moment: Ep9 – Crossing the Streams
Ep9 Clip –
Andy’s Favorite Show: Offensive Security: Pros and Cons w/ Paul and John Strand (43)
Andy – What has changed most in the industry since the start of the podcast?

<COMMERCIAL BREAK>

Bumper1 - Liquid Matrix Bumper
Bumper2 - Bella Security Justice Bumper

Steve’s Favorite Interview: ?????
Steve’s Favorite Show: Ep17 – Steve in the Cage
Show Clip – Steve in the Cage
Steve – What has changed the most on the podcast since we started?

Joseph’s Favorite Interview:
Joseph’s Favorite Show: Red Firewall…
Joseph – What’s the podcast done/meant for you?

<COMMERCIAL BREAK>

Bumper 1 - Becky Exotic Liability
Bumper 2 - Dueling Banjo – Short

Yvette’s Favorite Interview
Yvette’s Favorite Show: Manvirtex (Ep97)
Yvette: As the FNG – how’s it been going?

Martin’s Favorite Interview – Shrdlu Ep2
Martin’s Favorite Show - ????

Discussion: What’s changed the most in the world of enterprise infosec since we launched in January of 2010?

<Random Discussion & Final Thoughts>

Close out

Clip 1 – Old bumper plus Hoff’s Security Rock Star


Direct download: SFS_Podcast_-_Episode_100.mp3
Category:podcasts -- posted at: 9:27pm EST

Episode 99: Making a Point or Making a Difference?

In our last episode before the big 100, Martin, Andy, and Joseph tackled one of the bigger stories recently, the Mandiant Report on "APT1":

http://intelreport.mandiant.com/

That segued nicely into a recent article on Threatpost about "Avoiding Attack Attribution Distraction":

http://threatpost.com/en_us/blogs/avoid-attack-attribution-distraction-022113

We wrapped up the night with a discussion of some of the more common failures that risk and security officers make:

http://blogs.gartner.com/paul-proctor/2013/02/24/risk-and-security-officer-failures/

Be sure to tune in next time for episode 100!

Direct download: SFS_Podcast_-_Episode_99.mp3
Category:podcasts -- posted at: 8:34pm EST

Martin, Andy, and Steve get together and, after a brief reflection about ShmooCon, talk about...

13 IT Security Myths and some ranting about Richard Stiennon...

http://m.networkworld.com/news/2013/021514-security-myths-266773.html?page=1

Are we investing in the wrong tech....or is this just another vendor survey?

http://m.networkworld.com/news/2013/021313-security-pros-say-their-companies-266702.html

A new Presidential CyberSecurity Directive....will it change anything?

http://www.zdnet.com/obamas-cybersecurity-executive-order-what-you-need-to-know-7000011221/

As always you can follow the podcast as @SFSPodcast!

Direct download: SFS_Podcast_-_Episode_98.mp3
Category:podcasts -- posted at: 8:24pm EST

Martin, Andy, and Yvette get together and discuss a little bit about these stories:

The Three Worst Words in the English Language....

http://www.darkreading.com/identity-and-access-management/blog/240147002/the-three-worst-words-in-the-english-language-can-t-we-just.html

Friend Of The Podcast Nick Selby of the Police Led Intelligence podcast rips Symantec a new one regarding how they treated the New York Times following the recent breach of the Times....

http://policeledintelligence.com/2013/02/04/we-dont-got-your-back-we-got-your-money/

And, finally, another Friend Of The Podcast, Wendy Nather, gives us a great training plan for RSA.  Yvette and Martin are *so* in on this training plan!

http://www.infosecisland.com/blogview/22902-Training-for-RSAC.html

Direct download: SFS_Podcast_-_Episode_97.mp3
Category:podcasts -- posted at: 8:30pm EST

Andy and Martin get together to riff on Facebook Graph, Change Management, and 2013 predictions.

Direct download: SFS_Podcast_-_Episode_96.mp3
Category:podcasts -- posted at: 8:25pm EST

Martin, Steve, and Joseph have the pleasure of talking with Gene Kim and Josh Corman about Gene's new book "The Phoenix Project".

You Need This Book!

http://itrevolution.com/books/phoenix-project-devops-novel/

Stay tuned for the fun announcements coming up for Episode 100!

Direct download: SFS_Podcast_-_Episode_95.mp3
Category:podcasts -- posted at: 7:23pm EST

Well, if the Mayans got it right this is gonna be the final episode of our three year run....but we're not holding our breath.

Andy and Martin talk about the Top 5 Stories of 2012 and share what they think 2013 will be "The Year of"...

Be sure to join Martin at Shmoocon in February for his talk on Bringing The Sexy Back to Defense In Depth...

Direct download: SFS_Podcast_-_Episode_94.mp3
Category:podcasts -- posted at: 8:55pm EST

This evening, Martin, Steve, Andy, and Joseph tackled some stuff that just makes you say “duh.”

Starting off, we talked about the exciting Macy’s Thanksgiving Day Ticker Tape Parade, which unleashed confidential data upon unsuspecting parade watchers:

http://www.wpix.com/news/wpix-confidential-confetti-at-thanksgiving-parade,0,4718007.story

We went straight from there to a sticky topic that’s been making the rounds lately about AT&T:

http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/

To lighten the mood, we talked about some of Facebook’s recent decisions and how it’s affecting the greater Facebook population:

http://threatpost.com/en_us/blogs/facebook-proposes-eliminating-user-voting-system-privacy-changes-112112

http://www.wired.com/business/2012/11/facebook-copyright-hoax/

We also talked about good friend of the podcast Wendy Nather’s article on Threat Intelligence Hype:

http://www.darkreading.com/security-monitoring/blog/240142229/threat-intelligence-hype.html

And as a reference for those of you interested in the incident response report for South Carolina that we discussed a few weeks back, that’s available for public viewing now:

https://docs.google.com/viewer?url=http%3A%2F%2Fgovernor.sc.gov%2FDocuments%2FMANDIANT%2520Public%2520IR%2520Report%2520-%2520Department%2520of%2520Revenue%2520-%252011%252020%25202012.pdf

Direct download: SFS_Podcast_-_Episode_93.mp3
Category:podcasts -- posted at: 8:41pm EST

Martin, Andy, and Steve get together to talk about....

3 Ways (with 2 of them being decent and one a complete FAIL) To Get Execs to Listen About Risk....  (Summary: There is no ROI for Security....)

http://www.darkreading.com/risk-management/167901115/security/news/240012747/3-ways-to-get-executives-to-listen-about-risk.html

A typical article on Anon....with some good comments from Steve on OpVendetta

http://www.csoonline.com/article/720734/anonymous-protests-planned-over-government-surveillance

3 smart people and one chucklehead talk to George V. Hulme about BCP/DR when you are using The Cloud

http://searchcloudsecurity.techtarget.com/news/2240170168/Sandy-put-business-continuity-planning-in-spotlight

Direct download: SFS_Podcast_-_Episode_92.mp3
Category:podcasts -- posted at: 8:54pm EST

For the first time in who knows how long, we had the whole crew on the show this evening, and we hit some really fun stories.

First, there are a few upcoming InfoSec events that you might want to be aware of. BSidesDFW is this upcoming weekend, November the 3rd: http://www.securitybsides.com/w/page/50488342/BSidesDFW%202012

Next weekend are three different BSides events, BSidesDelaware, Portland, and Jackson:
http://www.securitybsides.com/w/page/28563447/BSidesDelaware
http://www.securitybsides.com/w/page/40113672/BsidesPDX
http://www.securitybsides.com/w/page/53447313/BSidesJackson

Then we jumped into our first story for the evening, the recent breach in South Carolina:

http://www.cbsnews.com/8301-505245_162-57542255/haley-taxpayer-info-didnt-need-to-be-encrypted/
http://www.reuters.com/article/2012/10/29/us-usa-cybersecurity-southcarolina-idUSBRE89S13T20121029

Once our heads stopped spinning from some of those quotes, we went into a pretty cool, old style hack that Barnes and Noble recently disclosed:

http://www.wired.com/threatlevel/2012/10/barnes-and-noble-pos-hack/

From those, we transitioned into a discussion on Incident Response:
http://www.infosecisland.com/blogview/22470-Have-You-Added-Personas-to-your-Incident-Response-Program.html

As well as Mike Rothman's great article on security tradeoffs:

http://www.darkreading.com/blog/240010015/making-security-trade-offs.html

After our MAD Security Minute for the week, we wrapped up with a discussion of IAM from Darkreading:

http://www.darkreading.com/identity-and-access-management/167901114/security/news/240009630/7-costly-iam-mistakes.html

Direct download: SFS_Podcast_-_Episode_91.mp3
Category:podcasts -- posted at: 9:26pm EST

Martin recorded an interview with Matt and Chris talking about an open source project sponsored by SecureState to bring a pragmatic and usable risk framework to "the masses".

You can get more information on iRisk at:

http://community.securestate.com

More MAD Security minutes coming starting next episode!

Direct download: SFS_Podcast_-_Episode_90.mp3
Category:podcasts -- posted at: 5:29pm EST