August 5, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Trump’s war on TikTok (featuring guest Alex Stamos)
- Twitter hackers caught. Pretty embarrassing stuff, really.
- NSO implants target Easter Bunny
- Garmin may need a good OFAC lawyer (featuring comment from Dmitri Alperovitch)
- Blackberry cracked after five years leads to multiple arrests in Australia
- Much, much more
Matt Cauthorn of ExtraHop Networks is this week’s news guest. He’ll join us to talk about how the pivot to work from home has changed incident response workflows. The tl;dr is the north-south traffic might look a bit different these days but the east-west shenanigans are still the same. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 30, 2020
Soap Box is the wholly sponsored podcast series we do here at Risky.Biz. That means everyone you hear on this podcast paid to be here. In this podcast you’re going to hear my latest interview with Jerrod Chong, Yubico’s Chief Solutions Officer. Hardware security keys like Yubikeys have come a long way, even over the last couple of years. The biggest change is that the support for hardware keys is borderline ubiquitous now. FIDO2 support is in all the major browsers. You can even use Yubikeys with Google apps on an iPhone. The plumbing is here, it’s arrived. But there are still some hurdles to overcome before the full potential of hardware security keys will be unlocked. One issue is that if you’re operating an at-scale service, you’re still stuck with the same old problems around account recovery. The process problems. So in this interview I talk with Jerrod about how far things have come and where they might go next.
July 29, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Two Chinese nationals charged with freelancing for MSS
- Russia, China hacking COVID-19 research
- The world dodged a bullet on the Windows DNS bug
- Twitter blue tick pwnapalooza
- Much, much more.
This week’s show is brought to you by Corelight. The company’s Chief Product Officer, Brian Dye, will be along for a chat a bit later on. We look at how adopting a zero trust model, sadly, doesn’t mean you can just ignore your network completely, as much as that would be nice. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 9, 2020
Normally these Soap Box podcasts – which are wholly sponsored – feature vendors trying to sell you stuff. But this time we’re doing something different: This podcast is an interview with two senior Facebook staffers:
- Pedro Canahuati, VP of Engineering
- Chris Bream, Security Engineering Director
Why is Facebook’s security engineering group sponsoring a Soap Box episode of Risky Biz? They figure lifting the veil a bit on how things are done over there will be good for them. They’re always hiring, right? Enjoy! (A reminder – there will be no weekly show this week or next. The weekly Risky Biz news podcast returns on July 29.)
July 8, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- The latest on the EncroChat hack-related arrests
- Details about the fresh F5 and Citrix bugs
- Natanz go boom
- Paying Wastedlocker ransoms violates Treasury sanctions
- North Korea embraces Magecart (lol)
- Much, much more…
This week’s show is brought to you by Cmd Security. They make a very useful Linux security agent. Essentially they add an additional layer of control to your Linux systems: you can restrict user actions, even for root. Instead of having one of their own staff on to the show this week they’ve nominated a customer. HPE is a Cmd user, they actually heard about it on the podcast and wound up buying it. So HPE ITOC engineering lead Adam Cardillo and his colleague Curtis Simpson – the ITOC CISO – will both join us in this week’s sponsor interview to talk about how they’re using the software. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 2, 2020
This edition of the Soap Box podcast is brought to you by Proofpoint. Today’s guest is Proofpoint’s EVP of Cybersecurity Strategy, Ryan Kalember, and the topic is business email compromise, or BEC. BEC is a big deal, generating billions of dollars in losses every year across basically all industry verticals and levels of government. Until recently, there haven’t been many technical controls that help to mitigate it. Trying to get on top of this issue is very much in Ryan Kalember’s job description. BEC is a diabolical problem, and as a company with a specialty in email security, Proofpoint is really expected to help clients get on top of it. In this conversation you’ll hear us talk a bunch about the problem and Proofpoint’s approach to trying to minimise BEC.
July 1, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Inside the new American “e2ee busting” bill
- Julian Assange hit with (another) superseding indictment
- Trustwave uncovers sneaky Chinese accounting software backdoor
- Much, much more…
This week’s show is brought to you by Okta. They are, of course, the identity and auth giant and one of the few sponsors we actually approached last year for 2020 because, well, they are very good at what they do. This week Marc will be joining us to talk about a privacy-related topic. The discussion is nuanced, but it’s basically about how the public perception of privacy risks has diverged from the reality. Further, that the COVID-19 crisis and the advent of digital contact tracing apps have actually brought general concerns around digital privacy to the fore. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
June 24, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Australia “under attack” - a wrap
- Microsoft releases more security protections for E5 customers
- US to introduce “anti encryption” bill
- Shady encrypted phone company owned by the cops
- NSA to offer filtered DNS services to defence industry
- MORE
This week’s sponsor is Kasada. They offer a service that eliminates synthetic/bot traffic from the web. Former Australian Prime Minister Malcolm Turnbull is an investor and has joined Kasada’s board. Kasada’s CEO Pascal Podvin is this week’s sponsor guest. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
June 19, 2020
This podcast is brought to you by the Cyber Initiative at the Hewlett Foundation. They gave us a grant so we can do these podcast interviews that have relevance to cyber policy, so big thanks to the Cyber Initiative at the Hewlett Foundation for funding this work. Today we’re chatting with Citizen Lab Senior Researcher John Scott-Railton about the work they did investigating the Indian hacker-for-hire firm BellTrox. For those of you who didn’t catch the news, The Citizen Lab, which operates out of the Munk School of Global Affairs at the University of Toronto, dropped a huge report a couple of weeks back that lays BellTrox’s operations bare. As you’ll hear, this company attempted to hack tens of thousands of email accounts belonging to everyone from government officials to hedge fund managers and activists.
June 17, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Facebook commissioned custom 0day to de-cloak child sex predator
- IP stack bugs to plague IoT, ICS for years
- Sandworm was doxxed by the NSA and hardly anyone noticed
- Congress demands answers on 2015 Juniper NetScreen back door investigation
- Amazon, Microsoft join moratorium on sale of facial recognition to police
- Much, much more
This week’s show is brought to you by Signal Sciences. And instead of having one of their staff on the show, they nominated one of their customers to appear instead. So in this week’s sponsored segment we’re going to hear from Keith Hoodlet. Keith is currently the Senior Manager of Application Experience at Thermo Fisher Scientific, a $137 billion company. He built their appsec program and he’ll be along later on to talk through all of that. It’s a rapid-fire interview about how he was able to get started and make a dent quickly. Keith used to co-host the Application Security Weekly podcast and he’s worked for Bugcrowd and Veracode. He’s a cool guy, it’s a great interview, make sure you stick around for that one. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
June 10, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Full scale of Indian hacker-for-hire firm revealed
- IBM exits facial recognition
- Contact tracing apps flop
- Much, much more
This week’s show is brought to you by AttackIQ. AttackIQ’s Chris Kennedy will be along in this week’s sponsor interview to talk about how for some organisations threat intelligence has moved from a nice-to-have to being central to blue team efforts. As you’ll hear he says MITRE ATT&CK makes threat intel actionable, and some orgs playing on hard mode are really kicking some goals that way. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
June 4, 2020
The Soap Box podcasts we run here at Risky.Biz are wholly sponsored affairs – everyone you hear in a Soap Box podcast paid to be here. The idea is vendors get to come on to the show and chat about their products, what their stuff does, the thinking behind it, so on and so on. Today we’re hearing from Justin McCarthy of StrongDM. StrongDM is a bit of a niche player – essentially what they do is make a product that provisions secure access to engineers who need to access various back end services. You can think of them as an identity aware proxy of sorts, but for engineers. So instead of provisioning regular users with access to web applications like a typical identity aware proxy, a StrongDM user will use the product to get access to the production database, or to Kubernetes, or other services like SSH. And since the COVID crisis kicked off, business has gone pretty berserk.
June 3, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- NSA warns of Sandworm Exim exploitation
- Huawei CFO extradition process to continue
- Google TAG implicates Indian hacker-for-hire outfits in espionage
- Black lives matter
- F–k police brutality
This week’s sponsor interview is with Marco Slaviero of Thinkst Canary. He’ll be talking through a few of the partnerships Thinkst has entered into over the years. He’ll also talk a bit about some new Canary integrations, such as a new one with HD Moore’s Rumble. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
May 28, 2020
This feature podcast series is produced with the assistance of the Hewlett Foundation’s Cyber Initiative. They gave us a grant so we could spend more time focussing on issues around cyber policy, and today we’re really going to hook in to a topic that’s near and dear to my heart: alternative approaches to dealing with ransomware. Regular listeners to the podcast would know that for the last year or so, my cohost Adam Boileau and I have been talking a lot about how governments might involve non law enforcement agencies in a response to the big game ransomware epidemic. To discuss that, we’re joined by Bobby Chesney, the co-founder of the Lawfare blog and a very highly respected figure in US national security circles. After we hear from Bobby we’re chatting with Mieke Eoyang about more traditional cyber law enforcement concepts. Mieke is the Vice President of Third Way’s national security program and she’ll be joining us to tell us how traditional cybercrime enforcement might be improved.
May 27, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- German intelligence warns of widespread Russian infrastructure hacks
- NGOs urge COVID-19 hack de-escalation
- UK mulls total Huawei ban… we think it’s a done deal
- DHS warning on 5G “moronavirus”
- Wen jailbreak? NOW JAILBREAK!!
- iOS 14 leaks
- Much, much more…
This week’s sponsor interview is with Casey Ellis, the CTO of Bugcrowd. As you’ll hear, Bugcrowd did a survey of managers in security to see if their attitudes around work from home had changed since the COVID-19 crisis, and yes, they have. Casey also tells us about Bugcrowd’s latest LevelUp virtual conference. That conversation led to him sharing some interesting insights about trends amongst the crowd of registered testers on Bugcrowd’s platform. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
May 20, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- easyJet breach linked to Chinese APT
- Israel claims credit for attack against Iranian port
- Chinese-linked crew behind Taiwan energy hax
- Crypto-wars reignite over Pensacola shooter’s phone
- Much, much more
This week’s show is brought to you by Gigamon Threat Insight. Will Peteroy is our sponsor guest in this week’s show and he drops by with a pretty sobering message: large companies are provisioning VPN access to all and sundry right now because of the COVID-19 crisis and ransomware crews are sailing right on in on the back of that access. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
May 14, 2020
This isn’t the normal, weekly Risky Business podcast. Soap Box is the wholly sponsored podcast series we do here at Risky.Biz where vendors pay us money to come on to the show and talk about topics that interest them. Today we’re speaking with Jesse Rothstein, the co-founder and CTO of ExtraHop Networks. ExtraHop is a network security play, but they started off more in the application monitoring and performance space before gradually moving into security over time. In this interview Jesse talks about network security monitoring, ExtraHop’s history, and what people are using the ExtraHop tech to do during the COVID-19 crisis.
May 13, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- US takes aim at China over vaccine hax
- ??? takes aim at Iranian port infrastructure over ???
- Iran attacks Gilead pharma
- Zoom acquires Keybase
- Thunderbolt research discussed
- US to drop more DPRK malware
- Ransomware targets European hospital group
- Australian flu vaccine distribution disrupted by ransomware
- More!
CMD’s co-founder and CEO Jake King joins us in this week’s sponsor interview to talk about what happened when he came on to the show a couple of months ago to spruik their new freemium offering. There was a stampede! It’s a hit! So he’ll be along to tell us what shook out of that whole process, and also about what he’s seeing people use the CMD product for since the COVID-19 crisis began. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
May 6, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Salt framework 1Day wreaks havoc
- Toll Group hit with ransomware attack. Again.
- Germans indict APT28 operator
- Ransomware a key word in SEC filings
- Much, much more!
This week’s show is brought to you by Remediant. They offer software that lets you get privileged accounts under control very quickly. In this week’s sponsor interview we’re chatting with Remediant’s COO Paul Lanzi and Julie Smith, the executive director of the Identity Defined Security Alliance (IDSA). We’ll be talking about what the IDSA actually is and what its goals are. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
April 30, 2020
Snake Oilers isn’t the regular Risky Business podcast. If you’re looking for that, just scroll back to one of the numbered episodes in our podcast feed. Snake Oilers is the wholly sponsored podcast series we do here at Risky.Biz where vendors give us money so they can come on to the show and pitch you their sweet, sweet Snake Oil. In this edition of Snake Oilers we’ll hear from:
- David Cottingham of Airlock Digital pitches the CrowdStrike/Airlock two piece combo meal deal
- Marc Rogers of Okta talks passwordless authentication and pitches modern SSO generally
- John Emmitt of Kaseya pops in to pitch the VSA endpoint management agent
Links to the vendors are in the show notes. Enjoy!
April 29, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Spy companies pitch ridiculously invasive approaches to contact tracing
- NSO Group busted running c2 boxes in USA according to WhatsApp lawsuit
- Australian government releases contact tracing app, no idea if it works
- Chinese telcos to get boot from USA
- Much, much more
This week’s show is brought to you by Senetas. This week’s sponsor interview is with listener favourite, Senetas CTO Julian Fay. He’ll be along in this week’s show to talk about an open source project Senetas has put together – oqs-engine. It’s an OpenSSL engine plugin you can go grab right now if you want to play around with Open Quantum Safe encryption algorithms. Senetas didn’t write the algorithms, but they have squeezed them into this handy OpenSSL engine plugin package. Julian drops in to tell us all about that. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
April 22, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Czechs claim state-backed healthcare sector attack preparation
- Pompeo goes full cyber berserker
- New iOS exploit chain targets Uyghur diaspora
- Zoom 0day for $500k? Tell him he’s dreamin’.
This week’s show is brought to you by Trail of Bits. Dan Guido is this week’s sponsor guest and he’s talking about the future of secure, app-based voting. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
April 16, 2020
Snake Oilers is a wholly sponsored podcast series we do here at Risky.Biz where vendors come on to the show to pitch their wonderful, wonderful, magical snake oil to you, the listeners. In today’s podcast you’ll hear from:
- Kenn White from MongoDB talking about client-side field level encryption
- AlphaSOC’s Chris McNab talking about their latest – they’re not just doing DNS analytics anymore
- SecureStack are making developer-friendly cloud security, provisioning and visibility tooling
Enjoy!
April 15, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Details about Apple and Google’s contact tracing API and OS changes
- Alex Stamos joins Zoom as outside consultant
- More Zoom news
- US government weighs China Telecom ban following BGP hijacking
- Travelex paid $2.3m to decrypt files in ransomware attack.
This week’s show is brought to you by AttackIQ. They make a breach and attack simulation platform that you can use to figure out which of your security controls are actually working. Carl Wright of AttackIQ will join the show to talk about the new, free online training they’re offering. If you’re stuck at home like half the planet right now and you’re interested in operationalising MITRE ATT&CK then you can check out AttackIQ academy. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
April 8, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- ASD launches offensive action against criminals
- Bio-tech firms working on COVID-19 targeted by ransomware
- Iran targets WHO
- Did you hear there’s a security issue with Zoom? You might not have heard. Don’t worry we’ll tell you about it
- Much, much more
This week’s show is brought to you by Yubico, makers of the Yubikey devices. Yubico’s Chief Solutions Officer Jerrod Chong will be along in this week’s sponsor interview to talk through a few things: what is he seeing out there among users? As you’ll hear, he’s seeing what all of us are seeing, a massive rush to enable remote working. Jerrod also walks us through some new stuff Yubico is planning, from managed credential services through to biometric Yubikeys. Don’t miss it! You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
April 3, 2020
This podcast is brought to you by the Hewlett Foundation. They provided us with a grant to support us doing some podcasts about cybersecurity issues that touch on policy. Regular listeners would have heard some of these special podcasts already. Today’s guest is Jennifer Morrell. She’s a partner with Elections Group and is a recognised expert on election audits. We were originally scheduled to record this interview just a few short weeks ago, but the COVID-19 crisis really hit and we had to postpone. And it’s a good thing we did, too, because the issues facing elections today are substantially different to the issues facing elections even a few weeks ago. The whole world has just shifted. So, instead of having the usual conversation about risk limiting audits, voting machine and tally/counting infrastructure security, we had this conversation instead. How on earth do you run an election during a pandemic? There’s a tl;dr here – e-voting is still a pipe dream but internet supported vote-by-mail is where things will land. I hope you enjoy this podcast.
April 1, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- KSA uses SS7 to track its citizens in USA
- Governments begin virus tracking through personal devices
- FBI warns of Iran-linked crew in yer supply chains
- Voatz gets booted from HackerOne
- All the cloud and Zoom drama
(PLEASE NOTE: This is a re-post. Looks like our CDN mangled the initial mp3 for some regions. Should work ok now. - Pat)
This week’s show is brought to you by Signal Sciences. Instead of interviewing one of their people, they suggested we interview Andrew Becherer in this week’s sponsor interview. Andrew runs security for Iterable, but before that he ran the security program at DataDog. He’ll be along after this week’s news to talk about how much easier it is to stand up a security program in 2020 as opposed to the last time he did it five or so years ago. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
March 29, 2020
In this (sponsored) podcast Akamai’s CTO of Security Strategy Patrick Sullivan talks us through the basics of identity-aware proxies. With more and more internal applications being served to newly external users, identity-aware proxies are the new hotness. Akamai isn’t the only company that offers an identity-aware proxy product, but it was a relatively early mover in the space offering the service since 2016. Obviously there are some massive shifts happening right now with so many people stuck working at home right now. That means Akamai’s identity-aware proxy service – and its network more broadly – is getting a pretty serious workout right now. What are the quick wins with a technology like this? Where are the wins harder? Patrick Sullivan joined me to talk about identity-aware proxies and what’s been happening on Akamai’s tubes over the last couple of weeks.
March 25, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Azure resource constraints hit Europe
- Should we unleash surveillance on COVID-19, privacy be damned?
- Browser maintainers cease new releases
- South Korea-linked APT crew attacks World Health Organization
- Much, much more
This week’s show is brought to you by Thinkst Canary. Thinkst’s Haroon Meer joins the show this week to talk about what he tells customers when they ask him if Thinkst could go rogue and own all their customers. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
March 18, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Coronavirus phishing lures are everywhere
- Czech hospital ransomwared during crisis
- Voatz mobile voting app destroyed by Trail of Bits audit
- We recap yesterday’s livestream
- Windows SMBv3 bug probably not such a big deal
- ALL the week’s news
This week’s sponsor interview is with Sam Crowther, founder of Kasada. They do bot detection and mitigation and apparently they’re quite good at it. Sam joins the show to talk through the new greyhatter of anti-anti-bot. It’s actually a really fun conversation, that one, so stick around for it. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
March 16, 2020
If you don’t know already, all guests who appear on the Risky Business Soap Box podcast paid to be here. These podcasts are promotional, but as regular listeners know, they’re not just mindless recitations of marketing talking points. This edition of Soap Box is brought to you by Trend Micro, which is a company that’s in a really interesting position at the moment. With Symantec acquired by Broadcom, which only really cares about the biggest 500 companies in the world, Sophos absorbed, Borg-style, by Thoma Bravo and McAfee sitting in the corner eating its paste, there’s an opportunity for a new “portfolio” security software firm to emerge, and Trend wants to be it. Jon Clay is Trend’s director of global threat communications and he joined me for this conversation about ransomware, how EDR is becoming “just another feature,” and what the role for a “portfolio” company in infosec is going to be in the future.
March 11, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Two Exabeam engineers sick with Coronavirus following RSA attendance
- Hung jury in Joshua Schulte Vault7 trial
- Qihoo 360 tries to “pull an APT1” but it was just weird and awkward instead
- Corellium releases Android for iPhone hardware toolkit
- Much, much more.
This week’s sponsor interview is with Scott Kuffer of Nucleus Security. They have built a web application that pulls together feeds from all your vulnscanners and vulnerability-related software (Snyk, Burp, whatever), normalises it then lets you slice it, dice it, and send it through to the most relevant project owner/dev team. It’s insanely popular stuff, and Scott pops along this week to talk about vulnerability management and what his last year has looked like as Nucleus’s business has boomed. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
February 20, 2020
These Soap Box podcasts are wholly sponsored. That means everyone you hear on one of these editions of the show paid to be here. But that’s ok, because we have interesting sponsors! Today’s sponsor is AttackIQ. They make an attack and breach simulation platform. They started sponsoring Risky Biz when they were a little baby startup, but these days, as you’ll hear, attack sim is actually emerging as a budget line item, particularly for larger companies. They use the platform to test their existing controls, figure out where they have gaps or bad products, then kick on to planning from there… then retest, evaluate, plan, implement, etc etc etc. For a lot of organisations, something like this is going to be really helpful. Another super helpful thing is that AttackIQ is all in on MITRE ATT&CK. AttackIQ is, in fact, one of the first vendors I know of that jumped on the MITRE ATT&CK bandwagon. They got in early, and this podcast is mostly going to be focussed on ATT&CK. Chris Kennedy is AttackIQ’s CISO and VP of customer success! He did one of these Soap Boxes last year and it was really popular with the CISOs who tune in to Risky Biz. He joined me for this discussion about MITRE ATT&CK; where it’s at, where it’s going, how people are using it and how AttackIQ is using it to make its products more useful.
February 19, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Ransomware shutters US natural gas plants
- Huawei hit with huge indictment
- Voatz mobile voting app shredded by MIT, dust-up ensues
- The latest from the Vault7 trial
- Reality Winner seeking clemency
- Ring to force all users on to 2FA
- Israeli court rules Facebook must reinstate NSO staff profiles
- USG drops more North Korean samples
- OpenSSH gets FIDO/U2F support
This week’s sponsor interview is with Dave Cottingham from Airlock Digital. They make whitelisting software that’s actually useable. And until I did this interview I didn’t know that their agent actually does host hardening as well, which is pretty cool. Since we last spoke they’ve also popped up in CrowdStrike’s app store thingy, which means a bunch of you CrowdStrike customers will be able to dabble in some whitelisting if you want to. Dave joins the show to talk about a bunch of stuff, including their experience having Silvio Cesare do a code audit on their agent. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
February 13, 2020
Soap Box podcasts are fully sponsored which means everyone you hear on these editions of the show paid to be here. If you’re looking for the regular, weekly Risky Business podcast, just scroll one back in your podcast feed. But you know what? I wouldn’t recommend it, because this edition of Soap Box is top notch. In it we’re joined by Jake King, a co-founder of CMD Security. CMD makes Linux security software, and I love their approach mostly because, well, it’s simple. It has two main functions – visibility and control – but both of these functions focus on execution. The visibility piece is “which user executed what?” and the control piece is “only let user X execute Y”. The idea here is you can apply an additional layer of control over user actions, but obviously the visibility aspect to this is pretty useful at driving decisions around what sort of limits to put on various accounts. Jake has fronted this edition of the show with an exclusive offer to Risky Business listeners, which is free use of their software. Obviously you won’t get access to absolutely all its features, but certainly enough of them to be very, very useful. They’re getting to the point where they can do this – throw out most of the functionality and just sell the icing on the cake to companies who want it. You can register for early access to the free trial at cmd.com/risky.
February 12, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including: Chinese operators indicted over Equifax breach, more indictments coming Alleged backdoor in Huawei lawful intercept features Data on 6.4m Israelis exposed by political party app Iowa caucus app was a pile of crap, 4chan clogged up caucus night phones Corp.com is up for sale. That’s a lotta hashes. Much, much more. This week’s show is brought to you by Corelight. Corelight’s Richard Bejtlich joins the show this week in the sponsor slot to talk about what the company is doing to try to build the open source community behind Zeek, the tool its products are based on. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
February 5, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including: Iowa app falls over, social and mainstream media chaos ensues Twitter acknowledges state-backed API abuse CDA 230 under review. Uh oh. Toll Group ransomware ICS-compatible ransomware spotted in wild UN got owned pretty hard Is Joshua Schulte The Shadow Brokers? A theory Much, much more. This week’s show is brought to you by Okta. Okta’s Simon Thorpe will be along this week to talk about a new trend they’re seeing and obviously encouraging – enterprises ditching Microsoft’s Active Directory. It’s a cloud, cloud, cloud, cloud, world these days, and in the year 2020, you might want to actually ask yourself – do you still need to be using AD? Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
January 30, 2020
In this edition of the Soap Box podcast we’re joined by Zane Lackey, a co-founder of Signal Sciences. Signal Sciences makes, in essence, a “next generation” Web Application Firewall, or WAF. Signal Sciences is a pretty well-established startup these days with a zillion customers, so he has some real insight into what’s happening out there in webapp land. In this conversation he has some really interesting things to say: First, there’s a rush to Azure happening right now. It has become the platform of choice for all sorts of organisations. He also has some really interesting things to say about how to protect web applications from logic flaws. Some simple ideas that should really help lock things down. Enjoy!
January 29, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including: The FTI report on the Bezos incident is a massive let down UK lets Huawei into 5G build SeaTurtle campaign pinned on Turkey Mitsubishi owned through its AV solution Ransomware crews owning unpatched Citrix boxes Much, much more. This week’s sponsor guest is Sherrod DeGrippo of Proofpoint. She’s a senior director of threat research there and she’ll be along to talk about the Emotet malware. Despite being spray and pray malware, it’s pretty successful because it operates at such ridiculous scale. Sherrod joins us with details. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
January 23, 2020
This podcast is brought to you by the William and Flora Hewlett Foundation. The Foundation funds a lot of interesting people and work in the cybersecurity space and they’re supporting this special podcast series examining topics of interest to cyber policy makers. In this podcast we’re going to hear from Alexa O’Brien. She’s currently studying a Masters in Applied Intelligence at Georgetown University. She’s also working on an ethical framework for the applied intelligence discipline – collection, analysis and the like – for media practitioners. Alexa is also a journalist. Her most recent major work is a July 2019 analysis of the US media’s coverage of civilian harm in the war against ISIS; I’ve linked through to that in the show notes below. Before she worked as an established journalist, Alexa covered Chelsea Manning’s trial at Fort Meade on her blog. Her transcript of the proceedings was a tremendous help to the wider media, and it was this work that briefly pulled her into the Wikileaks “scene”. It wasn’t a good fit. Alexa joined me for this freewheeling discussion about intelligence, ethics, moral authority and signs that not everything is as it seems in the Wikileaks universe.
January 22, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including: MBS fingered in Bezos dick pic breach Glenn Greenwald facing cybercrime charges over Vaza Jato Telegram leaks Citrix finally patches 90s-style ADC bugs IE 0day doing the rounds, no patch available PoCs for 0601 drop Much, much more… This week’s show is sponsored by VMRay, a sandbox-based malware analyser. You throw a sample into it and it spits out all sorts of useful information. Rather than having one of its own staff in this week’s sponsor slot, VMRay has put forward one of its customers instead. Expel is a managed security provider, and it is making heavy use of VMRay to do malware analysis. Tyler Fornes is a Senior Detection and Response Analyst at Expel and he joined me to talk about how they’re using VMRay to actually make life easier. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
January 16, 2020
On this week’s show Patrick and Adam discuss the week’s security news, including: NSA drops a sweet Microsoft crypto bug Burisma targeted by GRU. 2016 all over again? Citrix users having a bad time Intrusion Truth targets APT40 No more BYOD for US soldiers in Middle East Much, much more We have a new sponsor in this week’s show – ExtraHop Networks. Network monitoring is dead! Long live network monitoring! Matt Cauthorn is ExtraHop’s VP of cybersecurity engineering and he’ll join us this week to talk about recent moves by cloud providers to offer full virtual network mirror ports out of their infrastructure. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing. *Credit for this week’s headline goes to @appsecbloke.
January 8, 2020
In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including: Will Iran cyber all the cybers? ToTok chat app alleged to be UAE spy tool China makes moves on own OS Big game ransomware hits crisis levels WSJ carries water for NSO Group Much, much more This week’s show is brought to you by Bugcrowd. We’ll be hearing from Bugcrowd’s Casey Ellis in this week’s sponsor interview. He’ll be talking about the US federal government’s decision to force all departments into accepting bug reports – he thinks this is a move that will have a big impact on the wider security ecosystem. Links to everything are below!
December 11, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: China to ditch foreign hardware, software, from government use Huawei sues FCC More background on Project Raven Senate hearings into encryption Reddit fingers alleged RU disinfo campaign “Evil Corp” hackers have lots of money, terrible taste Ransomware attacks galore Much, much more This week’s sponsor interview is with Haroon Meer of Thinkst Canary. And we’re going to do the typical thing and have a look forward to what we can expect to see in security next year. But we’re going less for the big, dumb predictions and more picking the trends we expect to strengthen over the next year. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
December 5, 2019
Our guest in this edition is Will Peteroy. He’s currently the CTO of security at Gigamon after his company, ICEBRG, was acquired by Gigamon last year. Will has a long and interesting background in security. As you’ll hear, he worked on the security team at Microsoft once upon a time. He even co-wrote Microsoft’s gigantic paper on mitigating “pass the hash” attacks some years ago. He also did some time with the “Department of Defense” some time ago. He’s a knowledgeable fella. And he’s been spending considerable time lately focussing on the issue of Zero Trust Networks. Zero Trust is one of those things that’s super simple in theory, but absolutely, awfully complicated when you actually try to do it. So Will joined me for this chat about Zero Trust networks, how to define them, how to transition to them, what some of the steps are and thinking is. It’s a great conversation for any CSOs who are working through some of the issues that pop up when they’re transitioning to ZT architectures.
December 4, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Ethereum developer Virgil Griffith charged for allegedly teaching DPRK about cryptocurrency DHS/CISA government vulnerability disclosure program takes shape, looks good Adobe discloses Magento Marketplace data breach Fully patched Android devices targeted IM-RAT takedown Much, much more This week’s sponsor interview is with Brian Robison of BlackBerry Cylance. He pops along to talk about some interesting research they’ve done on mobile malware. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
November 27, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: RIPE has officially run out of v4 addresses NSO workers sue Facebook to get their accounts back Mike Pompeo, Republican lawmakers keep Crowdstrike conspiracy theory alive Bugs, hacks, ransomware disasters and more. This week’s sponsor interview is with Sally Carson of Duo Security. Sally has been a designer for over 20 years, joining Duo in 2015 to build the company’s Product Design and User Research practice from the ground up. Duo now employs one designer for every five users, which is an extremely generous ratio. As you’ll hear, Sally thinks empathy is the key to designing usable technology. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
November 26, 2019
This is a Soap Box edition of the show. Soap Box isn’t our regular weekly news program. If you’re looking for that one, scroll one show back in your podcast feed. Soap Box is a wholly sponsored series of podcasts we do here at Risky Business where vendors give us money to appear. And while these are sponsored episodes they’ve actually become almost as popular as the weekly show. They started off about half as popular, and then I guess people gradually realised they don’t actually suck, so here we are. Trend’s head of cloud research, Mark Nunnikhoven, is our guest in this edition and we have a pretty wide ranging conversation. A big part of this conversation is us talking about the differences between locking down a corporate network vs locking down a modern application production stack… and there’s a very funny part of this interview where Mark points out that AV scanning for Docker images actually makes sense. Seriously.
November 21, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Phineas Phisher returns, claims credit for Cayman bank hack and offers bounties for activist hijinks Microsoft cautiously backs DoH Huawei granted another 90-day stay of execution in US market Iranian APT crew targeting ICS supply chain Alexei Burkov extradition complete, appears in US court Some very funny stuff is happening to GPS in the Shanghai area Louisiana government ransomwared, emerges relatively unscathed Official Monero binaries trojaned. Lol. Much, much more! This week’s show is brought to you by Senetas. Rob Linton from Senetas joins the show this week to talk about its O365 integration for its SureDrop product, a new feature that will be of interest to many Risky Business listeners. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
November 13, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Two ex Twitter employees charged with spying for KSA US border device searches now require suspicion after ACLU win Unredacted Corellium lawsuit response drops Ransomware attacks on hospitals increase mortality Much, much more! This week’s sponsor interview is with Stephan Chenette, the co-founder and CTO of AttackIQ. We talk to him about some CSOs playing Pokemon Go with MITRE ATT&CK (“Gotta catch ‘em all!”) and about recent ATT&CK developments. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
November 7, 2019
The Soap Box podcast is a wholly sponsored podcast series we do here at Risky.biz, which means everyone you hear on it paid to appear. This edition of the Soap Box is brought to you by Capsule8. It’s taken a long time, but over the last couple of years we’ve seen a meaningful Linux security software market emerge. It makes sense, I guess, considering the modern production environment is all glued together from various Linux systems. So, we’re seeing some interesting approaches to the Linux security challenge pop up. Capsule8 makes detection and visibility software for Linux. You can use it to spot various types of funny behaviour on your Linux systems. Brandon Edwards is Capsule8’s chief scientist and he is our guest today. We speak about a few things, but primarily this conversation centres on the fact that modern production environments have become so complex it’s almost impossible to comprehend how they work. We’ve lost insight, and we’ve even lost the ability to understand how individual security flaws can impact our wider production environments. So we’re going to talk about complexity in modern production environments, and then we’ll talk a bit about Capsule8’s approach to the Linux security challenge. Enjoy!
November 6, 2019
On this week’s show Patrick Gray and Mark Piper discuss all the week’s security news, including: NSO Group malware turning up in some unexpected places Bluekeep mass exploitation finally begins Owning smart home devices with friggin’ lasers Two plead guilty to hacks on Lynda.com, Uber Imperva CEO departs following breach TLS Delegated Credentials sound like A VERY GOOD IDEA Cybercommand heads to Montenegro Much, much more This week’s show is brought to you by Thinkst Canary. Haroon Meer and Adrian Sanabria from Thinkst recently did a keynote talk at the Virus Bulletin conference in London. Titled “The Security Products We Deserve,” it’s a stinging critique of the security product lifecycle. VC firms keeping stupid ideas alive, analyst firms being parasites, vendors not doing security testing on their equipment and so much more. We’ll be talking to Haroon Meer about that keynote in this week’s sponsor interview, which will run after this week’s news segment. Links to everything are below.
October 31, 2019
This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers. This podcast features both Eric Rosenbach and Robert M Lee talking about ICS security. Eric is the co-director of the Belfer Center for Science and International Affairs at the Harvard Kennedy School. He also heads the Defending Digital Democracy project there. Eric has a very long and somewhat fascinating resume. As United States Assistant Secretary of Defense he led the US Defense Department’s efforts to counter cyberattacks by Iran and North Korea on US critical infrastructure. He’s also worked as a Chief Security Officer in the private sector and served as Pentagon chief of staff from 2015-2017. Robert M Lee is the founder of Dragos Inc, a very well known company in the ICS/OT security space. Rob started out in infosec with the US Air Force as a Cyber Warfare Operations Officer tasked to the NSA, but as you’ll hear, Rob is actually pretty optimistic about the ICT/OT security challenge.
October 30, 2019
On this week’s show Patrick and guest co-host Alex Stamos discuss the week’s security news, including: Facebook files suit against NSO Group Corellium responds to Apple suit Indian nuclear power plant administrative network likely attacked by DPRK Mass defacement in Georgia. Old schooooool! Fancy Bear targets 2020 Olympics FCC proposes subsidies for telcos to rip and replace Huawei, ZTE equipment City of Johannesburg data held to ransom, but it’s not ransomware Much, much more This week’s sponsor interview is with Jake King of CMD Security. The topic is applying the MITRE ATT&CK framework. Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.
October 23, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Fresh details on Turla’s hostile takeover of Oilrig Russians doing very interesting things with “tagged” TLS China wants an aerospace sector so a lot of people got a lot of owned Imperva releases breach details Zendesk cops to 2016 breach German manufacturer, US transport tech company sunk by ransomware NordVPN gets owned AVAST owned. Lots. Again. Welcome to Video takedown Much, much more This week’s show is brought to you by Trail of Bits! We’ll be hearing from Trail of Bits practice lead for assurance Stefan Edwards all about their work on a recent security audit of Kubernetes. As it turns out, Kubernetes isn’t actually a horror show, but Stefan thinks you might want to run a hosted instance unless you’re a real expert. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
October 9, 2019
In this edition of Snake Oilers Patrick speaks to: Justin McCarthy of StrongDM StrongDM makes a protocol proxy that you can use to provision production services (like Kubernetes and SQL access) to users without them requiring full VPN access to prod. This is very cool stuff, if you manage a large prod environment that’s suffering from VPN sprawl you’ll want to check this one out. Nicholas Davis of Rapid7 Nicholas is the senior technical product manager for InsightIDR. InsightIDR is a SIEM/EDR play that integrates a bunch of stuff. These days Rapid7 is really emphasising the holistic nature of InsightIDR, rather than the endpoint part, and Nicholas joins the show to talk about that. Preston Hogue of F5 Networks F5 Networks recently acquired NGINX as a part of a push to become cloud-relevant. Their strategy is to allow for F5 security smarts to be inserted basically anywhere and anyhow you want. Preston joins the show to talk about that! Links to our Snake Oilers sponsors are below!
October 3, 2019
These Soap Box podcasts are a wholly sponsored series of podcasts we do here at Risky.Biz, so everyone you hear on the Soap Box podcast paid to be here. But that’s ok, because we’ve got some great sponsors. This podcast is brought to you by Yubico, makers of the Yubikey devices. These podcasts with Yubico have basically turned into an annual thing. Jerrod Chong is the Chief Solutions Officer at Yubico and he joined me for this conversation about what’s new in Yubico-land. They’ve launched some new stuff, including Yubikeys with lightning adapters for iOS devices, and Jerrod also talks about hardware 2FA moving increasingly to the mainstream. If you’re reading this within 48 hours of this podcast going live, you can get yourself a $20 discount on any two of the new series 5 Yubikeys by visiting this link and using the code ‘Risky19’.
October 2, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Apple jailbreakers partying in the streets Donald Trump targets Crowdstrike over 4chan conspiracy nonsense Ransomware absolutely everywhere this week Horror-show VxWorks bugs are popping up in other stacks OnApp fixes mother of all misconfigurations More SIM card issues Much, much more In this week’s sponsor interview we chat with Mr Sandbox himself, VMRay’s Carsten Willems. He’s along to talk about VMRay’s involvement in a machine-learning bypass competition that happened at DEFCON earlier this year. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 26, 2019
In this edition of the Snake Oilers podcast host Patrick Gray speaks to: Richard Bejtlich of Corelight Richard talks about Zeek, formerly Bro, and how enterprises can use it to capture useful network information for analysis, forensics and detection purposes. Richard is an industry luminary and it’s a great interview. Marshal Webb of PATH Networks Marshal explains how new technology like eBPF and XDP mean it’s possible to build DDoS mitigation rigs out of commodity hardware. That means DDoS mitigation is about to get a whole lot cheaper, and PATH is in pole position in this soon-to-be disrupted market. Chris Tiolo from Respond Software Respond Software makes a decision agent for the modern SOC. They are aiming to completely replace level 1 SOC analysts so those resources can be freed up to do higher-value work. They’re offering free live and retroactive trials of their software, and it definitely belongs in the “why not take it out for a spin” category. Some links to the company websites and blogs are below!
September 25, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Tibetans targeted in mobile malware campaign Iran denies cyber-attack nobody was asking about More news from the Middle East 26 nations open UN General Assembly with statement on cyber norms Fedex sued over company’s NotPetya response, exec share sales Why “quantum supremacy” isn’t a big deal. Yet. Much, much more In this week’s sponsor interview we talk to Cody Wood of Signal Sciences about HTTP request smuggling. What it is and why it’s a nightmare to fix. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 18, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: US Treasury targets DPRK APT crews Russia owned FBI counter surveillance team radio comms New details on 2016 attack against Ukraine power grid US Government to sue Edward Snowden for memoir profits Did RCMP intelligence director tip Phantom Secure on investigation? Much, much more! This week’s sponsor interview is with Casey Ellis of Bugcrowd. It’s an interesting chat with Casey this week. He was at the Billington cyber conference a couple of weeks ago and he had a bunch of interesting discussions there with people in the aerospace sector. Between recent Black Hat presentations on 787 security and the trouble Boeing has had with its 737-MAX, software security and resiliency is all of a sudden on the agenda in aerospace. Casey drops by to talk about all of that. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 11, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including: Paige Thompson pleads not guilty to CapitalOne hack German government probes FinFisher Bluekeep Metasploit module dropped DPRK samples hit VT, courtesy of our friends in the USA Apple releases awful statement about mass exploitation of its devices Much more This week’s show is brought to you by Blackberry Cylance. In this week’s sponsor interview we’ll be talking about US Cybercommand dropping some sweet, sweet APT28 samples on VirusTotal back in May. We’ll talk a little bit about that malware, and also have a more general discussion about CYBERCOM VT drops with Cylance research staffers Steve Barnes and Josh Lemos. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 5, 2019
The Soap Box podcast series is a fully sponsored podcast series we do here at Risky.Biz, and that means that everyone you hear in it paid to be featured. This edition of the Soap Box podcast is brought to you by AttackIQ and in it we talk to its CISO and VP of customer success Chris Kennedy. And we’ll be discussing a topic that frankly should be talked about a bit more: the MITRE ATT&CK framework. We also talk about attack simulation and which security controls are most commonly and catastrophically misconfigured. If you’re a CISO you’ll like this one.
September 4, 2019
Alex Stamos is our news co-host this week. Patrick and Alex discuss all the week’s security news, including: Mass exploitation of iOS devices by Chinese govt Telegram moves to nix phone number enumeration “feature” USA targeted Iranian maritime awareness system Existence of Stuxnet mole revealed by Kim Zetter @jack gets hacked Much, much more This week’s sponsor interview is with Michelle Price of AustCyber. AustCyber is the organisation here in Australia that aims to build out the Australian cyber security industry and skills base, and Michelle pops in this week to tell us all about the upcoming Australian Cyber Week. Links to everything are below in the show notes.
August 28, 2019
On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news, including: Fortinet, Pulse Security VPNs are being exploited in wild Imperva’s cloud WAF gets colossally owned US authorities fear ransomware attacks against election systems Apple fixes re-introduced jailbreak bug Telegram design choice puts HK protestors at risk Researcher drops two 0days in Valve’s Steam client after bounty spat Much, much more This week’s sponsor guest is Ryan Kalember, EVP of cybersecurity strategy with Proofpoint. Ryan is stopping by this week to touch on a couple of topics. He’ll tell us why Proofpoint didn’t attribute a recent malware campaign targeting US utilities to APT10 despite there being some pretty APT10-like tradecraft used in that particular campaign. He’ll also talk a bit about how thread hijacking is a giant pain in the ass. That’s where attackers take over a mailbox, then just jump right in replying to existing mail threads. Detecting that is hard, of course, because it’s internal mail. It’s a great little mixed bag interview. Enjoy!
August 22, 2019
We used to think of companies like Bugcrowd as offering a very simple service: managed bug bounties. But these days that’s a bit too simplistic. All the “bounty” companies are offering more comprehensive and specific products these days. In this edition of the Soap Box podcast Bugcrowd CTO Casey Ellis joins the show to talk through what the future looks like in crowdsourced security. Matching individual hackers’ skills to individual gigs and launching new services like Bugcrowd for Marketplaces will be a big part of that future.
August 21, 2019
In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including: Confirmed: 30 companies affected by CapitalOne attacker China info-ops booted off Twitter, Facebook Real deal Bluetooth bugs Apple re-introduces kernel bug, jailbreaks aplenty Apple to sue Corellium for copyright infringement DPRK gets its malware VT’d by CYBERCOM Much, much more Haroon Meer of Thinkst Canary is this week’s sponsor guest. We spoke to Haroon while he was in the USA, just before he was about to deliver a talk to USENIX all about “embracing hackiness”. Haroon thinks “hackiness” is a huge advantage for red teams, but that doesn’t mean blue teams can’t use the same hacky approaches to defence. It’s a typically great chat with Haroon. Links to everything discussed are below.
August 15, 2019
This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers. In this podcast we’re speaking with Katherine Charlet. She currently serves as the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. Prior to joining Carnegie, Kate served as the deputy assistant secretary of defence for cyber policy, where she managed the development of US Department of Defence cyber policy and strategy, its development of cyber capabilities, and the expansion of its international relationships. This conversation essentially covers what the state of affairs is when it comes to militaries and their actions in the cyber domain. It was only a few weeks ago that reports claimed the United States government launched a cyber attack against Iranian weapons systems. We’ll hear from Kate about what she thinks that all means, and then we’re going to talk about all sorts of stuff really – the blurring of the line between what warrants a law enforcement response versus a military response, what the path to this situation looked like, so on and so on. But I kicked things off by asking Kate to tell us what this concept of “defending forward” actually means. In the last couple of years we’ve heard that term bandied about by all sorts of people, but everyone seems to have a different definition. Here, Kate shares her more definitive definition.
August 14, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover: Follow ups on CapitalOne Amazon EBS snapshots exposed North Korea bags $2bn in cybercrime spree Attempted Coinbase breach postmortem Apple’s new research phones for bug hunters APT41 busted moonlighting Cloudflare finally ditches 8chan Leaked Boeing 787 code shredded, full of bugs Qualcomm bugs pave path through to Android kernel Microsoft gets Tavis’d More RDP/RDS bugs Much, much more This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts account actions, not just by traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses and that led to a conversation about Linux EDR generally. It’s interesting stuff. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 31, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover: Deep dive on the CapitalOne breach Marcus Hutchins sentenced to time served Telegram voicemail bug leads to political crisis in Brazil Ransomware leaves South Africans without electricity Much, much more Wolfgang Goerlich is this week’s sponsor guest. He’s an advisory CISO with Duo Security and will be along after this week’s news segment to walk us through Duo’s Trusted Access Report. They’ve got some interesting telemetry to share with us. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 24, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover: FSB contractor gets itself a whole lotta owned NSO Group pitches cloud access Hal Martin gets 9 years NSA to launch defensive division Bulgarian breach data exposed DataSpii scandal a 2019 privacy case study Google boots DarkMatter certificates from Chrome and Android Equifax fined $700m Horror show bugs in enterprise VPN concentrators from Palo Alto, Fortinet Microsoft demos ElectionGuard SDK (looks pretty cool) This week’s sponsor interview is with Casey Ellis of Bugcrowd. We’ll talk about how organisations are increasingly doing bug bounties on technology they use, not just technology they develop. And then we’ll be talking about a new thing Bugcrowd is doing – Bugcrowd for marketplaces. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 18, 2019
Soap Box isn’t the regular, weekly show we do at Risky.Biz, if you’re looking for that, just scroll one podcast back in your feed or on the Risky Business website. Soap Box is a fully sponsored podcast series we do where vendors pay to come on and talk about research they’ve done, products they’ve launched, whatever. This edition of Soap Box is a particularly good one. Ryan Kalember is EVP of cybersecurity strategy at Proofpoint and he’s our guest in this edition. Ryan was on the show a little while back talking about the concept of VAPs – very attacked people. In this interview he’s going to expand on that. It’s one thing to know that some of your key people are being attacked, but let’s take it one step further. Of those people, who among them is most likely to actually do something like click an untrusted link? What do we know about those users that can tell us how at-risk they are, based on how frequently they’re attacked, and also how likely they are to engage with phishing attempts or dodgy attachments? And if they ARE a risky user, what can you do about that? Measuring risk is only useful if you can do something about it.
July 17, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover: US mayors agree: no more paying off ransomware crews BitPoint exchange loses $32m in cryptocurrency FinSpy is back, big time Chinese AV companies won’t flag government malware US security companies free to help political campaigns with discounted services, products Facebook to pay $5bn privacy fine with money from its spare pants Much, much more Assetnote’s Shubham Shah also joins the news segment to dish on the Zoom RCE bug he and his team found back in March. This week’s sponsor is Kasada, an Australian company that runs a bot filtering service. Kasada is a relatively new company but they’re kicking some pretty serious goals here in Australia and are now pushing into other markets like the USA. But instead of supplying us with one of their people, they suggested we interview one of their customers - REA Group CSO and head of platform Craig Templeton. REA Group runs realestate.com.au, Australia’s biggest real estate listings website. They had all sorts of trouble with content scrapers, bots causing service interruptions, cred stuffing, you name it. In the end they went with Kasada to solve their bot problems and Craig pops by this week to talk about the issues they were having and to sing Kasada’s praises. Getting a reference customer to speak publicly is a Herculean task, so full credit to Kasada for making this one happen. If you operate a website that pushes a lot of traffic you’ll want to hear that interview.
July 10, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover: Zoom’s week from hell BA, Marriott face massive GDPR fines Seth Rich conspiracy originated from Russia’s SVR Coast Guard warns of ship hax Cybercommand issues warning on DDE exploitation PGP ecosystem having a rough time Much, much more! This week’s show is brought to you by our lovely friends at Signal Sciences. I guess you’d call them a next generation WAF. Signal Sciences co-founder and CTO Zane Lackey will be along in this week’s sponsor interview to plug their new cloud-based WAF product, and also to have a chat about a trend he’s seeing at non-security conferences – more high quality security content. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 4, 2019
As regular listeners know, this isn’t the weekly Risky Biz news and current affairs show, if you want that, scroll back in the podcast feed to the previous podcast. This is a Soap Box edition, a solely sponsored podcast series we do here at Risky Biz where vendors pay us to come on to the show to talk about, well, whatever they want, really. We’ve heard Duo Security talking about WebAuthn, we’ve got one with Proofpoint coming up that’s about insights they’ve gleaned from filtering such ridiculous amounts of email. But in this edition, Garret Grajek from BlackBerry Cylance will be along to talk about its new product, Cylance Persona. This latest product is kinda out of the box, it’s a machine learning classifier that you install on the endpoint that learns what the typical user behaviour looks like. Once the observed user behaviour starts diverging from what’s expected, it can perform actions – like kicking up for 2fa, locking the user out, whatever you want, really. It’s a novel approach to dealing with compromised endpoints. Two factor authentication is great, but if your endpoints are hosed that doesn’t really count for much. And that’s really what this new gear is about.
July 3, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover: NYTimes reports USA is getting all up in Russia’s grids Kremlin not happy CYBERCOM targets Iranian rocket control and APT crews TRITON attackers target US grid Turla completes hostile takeover of Oilrig Reuters publishes huge feature on Cloudhopper/APT10 China pwns global telcos, targets key subscribers FVEY owns Yandex Tourists entering Xinjiang now have mobile malware installed at border Florida city governments having a bad time Much, much more! This week’s edition of Risky Business is brought to you by Senetas. They make layer 2 encryption tech, but they’ve also got a content disarm and reconstruction play now, Votiro, as well as their safe file sharing platform SureDrop. But we’re sticking with encryption in this week’s sponsor interview. Senetas CTO Julian Fay will be along a bit later to talk about his trip to the International Crypto Module Conference. He’ll fill us in on what the agenda was there – lots of talk about quantum resistant crypto and also some talk about streamlining various certification regimes. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
June 15, 2019
This is the first edition of a new series of podcasts we’re doing here at Risky.Biz that will focus on cyber policy issues. The Hewlett Foundation approached us a while back to see if we’d be interested in doing this series and we jumped at the opportunity. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea is pretty simple: we can talk to some of Hewlett’s grant recipients or experts in its network about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policy people. Our first cab off the rank is this interview with Jim Baker. He joined the Department of Justice in 1990 and rose through the ranks to become the FBI general counsel in January 2014, a position he held until December 2017. So of course he was running all things legal for the FBI during the Apple-FBI dispute over a locked iPhone 5C recovered from the gunman responsible for the San Bernardino shooting. Baker was the US Government’s point man on all things encryption, taking stances that outraged technologists and reinvigorated a policy debate that had – at least to a degree – stagnated for years. These days, Jim Baker serves as Director of the R Street think tank’s National Security and Cybersecurity Program. This interview focusses on the so-called encryption wars. The FBI and other law enforcement/intelligence agencies want better access to encrypted material, while technologists say that’s impossible to accomplish without introducing unacceptable risks into the technology ecosystem. Baker shares his view on the topic. The Australian government law enforcement and intelligence agencies guide to the Assistance and Access Act, which is mentioned in the introduction to the podcast, can be found here. (Ironically enough, served over http!)
PLEASE NOTE: Jim Baker joined our meeting via a phone call, so the audio quality here isn’t up to our usual standards. Sorry about that!
June 12, 2019
On this week’s show Adam Boileau and Patrick Gray discuss the week’s news, including: CBP loses photo and license plate database Some Android phones shipped with backdoor Info on Google’s cloud outage USG ramps up “defend forward” Trump and Mnuchin can’t get their stories straight on Huawei The latest from Baltimore, more on that RDP bug TalkTalk hacker sentenced Much, much more This week’s show is brought to you by Remediant! Remediant CEO Tim Keeler will be along this week to have a chinwag. We’ll talk about how simple security tech is really en vogue these days and how that’s a good thing. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
June 5, 2019
On this week’s show Patrick and Adam talk through all the week’s security news, including: NYTimes story on EternalBlue and Baltimore is bunk An RDP worm is feeling kind of inevitable Iran is still getting Shadowbrokersed Intercept has a great feature on SID Today dumps Australian Federal Police crack down on national security journalism Phantom Secure CEO gets nine years and loses $80m Silk Road 2.0 admin must be an amazing snitch Another Bitcoin tumbler bites the dust Much, much more This week’s sponsor interview is with Marco Slaviero of Thinkst Canary. Marco is joining us this week to talk about how he thinks web application-based deception techniques are kind of a waste of time right now. We talk about how deception approaches work best in privileged domains, then we talk about how security teams do better when they have a dedicated ops developer.
May 29, 2019
Adam Boileau couldn’t make it this week, but that’s ok because we’ve got former Facebook CSO and current Stanford adjunct professor Alex Stamos filling in for him in today’s show. He’ll be talking through all the week’s security news, including: NYTimes report blames Baltimore ransomware attack on leaked NSA exploit Assange to face espionage charges, extradition fight looming SandboxEscaper just keeps dropping those 0days Fury over Facebook’s response to doctored Pelosi video Much, much more This week’s sponsor interview is with David Warburton of F5 Networks. You know F5 as a blinky-light box manufacturer. Load balancers, SSL termination, that sort of stuff. Not exactly a growth industry at the moment, so they’re pivoting. They’ve dropped $670m on NGINX – F5 now owns the NGINX company – and they’re making all sorts of moves in the appsec space. That interview is mostly about F5’s business, but I found it interesting because what do you do when you’re an $8bn company that makes data-centre equipment and that industry starts going into decline? Links to everything discussed are below, and you can follow Patrick or Alex on Twitter if that’s your thing.
May 23, 2019
This is not the regular Risky Business weekly show, the Soap Box series of podcasts that run on Risky.Biz are wholly sponsored. Everyone you hear in Soap Box paid to be here. With that disclaimer out of the way, this is actually a really interesting conversation. Carsten Willems is the co-founder and CEO of VMRay, a company that makes… well… what do you call it? Is it an incident response tool? Is it a detection tool? Or is it just a good hypervisor-based sandbox that you can use to do both of those things? I’m going to say it’s the third – VMRay is a company that makes a great hypervisor sandbox and has applied that technology to both response and detection. In an ideal world you’d have a team of malware reversers on staff pulling apart every single binary that looks shady. But this isn’t a perfect world, so that’s never going to happen. So the original use case that Carsten and his team set out to solve was around automating malware reversing. They built a hypervisor-based sandbox that’s very hard to bypass, you can run your standard build on it, throw binaries and documents at it and see what blows up. That’s really the primary use case here. But there is a second use case, which is detection. VMRay can give you a pretty decent risk score on samples, and they’ve entered into a few OEM arrangements with vendors to provide that extra level of detection. I’d never met Carsten Willems before we prepared this podcast, but it’s safe to say we hit it off. This podcast basically turned into Carsten telling his story, the story of where VMRay came from and where he wants it to go. Enjoy!
May 22, 2019
On this week’s show Patrick and Adam talk through all the week’s security news, including: New executive order paved way for Huawei ban Google pulls service from Huawei No wait, that’s not right, it’s for new handsets The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue? I’m so confused ¯_(ツ)_/¯ Israeli broadcaster fingers Hamas over Eurovision coverage hack New moves to regulate offensive cyber services Salesforce has a bad time Instagram influencers have a bad time (Hah!) OGUsers pwned Much, much more This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well. Jake was just at a MITRE conference in Brussels that was all about the Attack Matrix. He’s joining me this week to have a bit of talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
May 16, 2019
This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about. Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look. Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues. It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASPY-style attacks. Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there. Enjoy!
May 15, 2019
On this week’s show Patrick and Adam talk through all the week’s security news, including: NSO Group WhatsApp vuln coverage goes nuclear Activists targeted by NSO malware in hiding in west after CIA tipoffs Cisco Trust Anchor drags on sea floor Linux kernel bugs likely overhyped Adobe patches insane number of CVEs Microsoft patches rumoured GCHQ VEP’d RDP bug New hardware bugs affect Intel processors SHA-1 collisions become much more practical Major US anti-virus firms owned hard This week’s sponsor interview is with Ryan Kalember of Proofpoint. Ryan is a listener, and when he heard Adam talking about how password rotations actually result in crappy passwords, it hit a nerve with him. He says Proofpoint, via its CASBY product, is seeing a lot of targeted credential stuffing campaigns cycling through variations of passwords that have appeared in dumps. Apparently the bad guys are hip to what a typical password rotation variation looks like and they’re using this knowledge to better direct their cred stuffing attempts. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
May 8, 2019
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: IDF takes out Hamas cyber HQ (Features commentary from Bobby Chesney and Klon Kitchen) NYTimes mangles Symantec’s “Buckeye” research Lots of dark web arrests SAP exploits not all they’re cracked up to be Magecart-style attacks spread to other platforms Tech-led crackdown on Chinese-muslims intensifies Japan to create “defensive malware” This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
May 2, 2019
This isn’t the regular weekly risky biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors! In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, that one used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it? Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them. In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product. Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception hybrid hardware/consulting, that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!
May 1, 2019
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Docker Hub owned That Confluence bug we were talking about a couple of weeks ago got wormified Oracle WebLogic users also having a bad time Cloudflare faces investor pressure over providing services to Nazis Slack warns investors of possible nation-state attacks against it Norsk Hydro puts dollar value on ransomware incident Bloomberg publishes another ridiculous security story Much, much more! This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd. As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay. But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
April 25, 2019
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Marcus Hutchins faces his milkshake duck moment Iranian APT crew gets Shadowbrokersed DNS interference campaign is actually two large-scale actors UK to use some Huawei components in 5G build French Government launches comms app for politicians, it doesn’t go well More detail on CCleaner/ASUS crew Carbanak source found on VT (lol) Wall Street Market exit scams BEC costing US firms $1.3bn PA Much MOAR! This week’s show is brought to you by Signal Sciences, their CEO Andrew Peterson will be along in this week’s sponsor interview to have a bit of a chat about how a lot of traditional enterprises are running serious business web app shops these days. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
April 23, 2019
On this edition of Snake Oilers you’ll be hearing from three vendors offering what I believe to be excellent security technology. I haven’t personally used this tech, but conceptually everything featured in this edition is The Good Stuff. You’ll see. Or hear. You know what I mean. First up we’ll be hearing from CMD, they make killer software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts you have to run on your Linux fleet terrify you? Well, this is a solution for that. There’s a visibility component there, too. Then we’ll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics, but they’ve expanded their tech and now offer IP-based and http request-based analytics. You can deploy AlphaSOC as a Splunk app or hook up to their API any other way you want. They’re offering free trials, but even when you’re on the paid service it’s actually pretty affordable. The brain behind AlphaSOC is Chris McNab who used to run incident response at NCC Group. He’s seen how the planes crash into the mountains and he has created a product that performs eminently sensible analysis on your traffic and metadata to alert you to badness. Then finally we’ll be hearing from Nucleus. This is a new company and if your job is managing vulnerabilities and vuln scanners in your org then straight up, just skip to the Nucleus interview immediately. They’ve created a web app that normalises vulnerability scanning information. It’ll take the outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Qualys, Acunetix AND others. It ingests all of this data, normalises it, then plumbs these alerts through to the right people through a multitude of different ticketing systems. If you’re stuck in the 7th layer of Sharepoint or Spreadsheet vulnerability management hell, this is a solution to your problems.
You will weep salty tears of joy when you hear this one. Free trials of Nucleus are also available. Links to the companies featured are below!