October 9, 2019
In this edition of Snake Oilers Patrick speaks to:
- Justin McCarthy of StrongDM. StrongDM makes a protocol proxy that you can use to provision production services (like Kubernetes and SQL access) to users without them requiring full VPN access to prod. This is very cool stuff; if you manage a large prod environment that’s suffering from VPN sprawl you’ll want to check this one out.
- Nicholas Davis of Rapid7. Nicholas is the senior technical product manager for InsightIDR. InsightIDR is a SIEM/EDR play that integrates a bunch of stuff. These days Rapid7 is really emphasising the holistic nature of InsightIDR, rather than the endpoint part, and Nicholas joins the show to talk about that.
- Preston Hogue of F5 Networks. F5 Networks recently acquired NGINX as a part of a push to become cloud-relevant. Their strategy is to allow for F5 security smarts to be inserted basically anywhere and anyhow you want. Preston joins the show to talk about that!
Links to our Snake Oilers sponsors are below!
October 3, 2019
These Soap Box podcasts are a wholly sponsored series of podcasts we do here at Risky.Biz, so everyone you hear on the Soap Box podcast paid to be here. But that’s ok, because we’ve got some great sponsors. This podcast is brought to you by Yubico, makers of the YubiKey devices. These podcasts with Yubico have basically turned into an annual thing. Jerrod Chong is the Chief Solutions Officer at Yubico and he joined me for this conversation about what’s new in Yubico-land. They’ve launched some new stuff, including YubiKeys with Lightning connectors for iOS devices, and Jerrod also talks about hardware 2FA moving increasingly to the mainstream. If you’re reading this within 48 hours of this podcast going live, you can get yourself a $20 discount on any two of the new Series 5 YubiKeys by visiting this link and using the code ‘Risky19’.
October 2, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Apple jailbreakers partying in the streets
- Donald Trump targets Crowdstrike over 4chan conspiracy nonsense
- Ransomware absolutely everywhere this week
- Horror-show VxWorks bugs are popping up in other stacks
- OnApp fixes mother of all misconfigurations
- More SIM card issues
- Much, much more
In this week’s sponsor interview we chat with Mr Sandbox himself, VMRay’s Carsten Willems. He’s along to talk about VMRay’s involvement in a machine-learning bypass competition that happened at DEFCON earlier this year. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 26, 2019
In this edition of the Snake Oilers podcast host Patrick Gray speaks to:
- Richard Bejtlich of Corelight. Richard talks about Zeek, formerly Bro, and how enterprises can use it to capture useful network information for analysis, forensics and detection purposes. Richard is an industry luminary and it’s a great interview.
- Marshal Webb of PATH Networks. Marshal explains how new technology like eBPF and XDP mean it’s possible to build DDoS mitigation rigs out of commodity hardware. That means DDoS mitigation is about to get a whole lot cheaper, and PATH is in pole position in this soon-to-be disrupted market.
- Chris Tiolo from Respond Software. Respond Software makes a decision agent for the modern SOC. They are aiming to completely replace level 1 SOC analysts so those resources can be freed up to do higher-value work. They’re offering free live and retroactive trials of their software, and it definitely belongs in the “why not take it out for a spin” category.
Some links to the company websites and blogs are below!
September 25, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Tibetans targeted in mobile malware campaign
- Iran denies cyber-attack nobody was asking about
- More news from the Middle East
- 26 nations open UN General Assembly with statement on cyber norms
- Fedex sued over company’s NotPetya response, exec share sales
- Why “quantum supremacy” isn’t a big deal. Yet.
- Much, much more
In this week’s sponsor interview we talk to Cody Wood of Signal Sciences about HTTP request smuggling. What it is and why it’s a nightmare to fix. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
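The sponsor segment above is about request smuggling, so here is a worked illustration of the classic CL.TE desync. This is an added example for these show notes, not code from Signal Sciences or the podcast: two deliberately minimal HTTP parsers, one honouring Content-Length (the front-end proxy) and one honouring Transfer-Encoding: chunked (the back-end), are run over the same byte stream, and the requests, host name and paths are constructed for the demonstration. The is_ambiguous check at the end is the simplest mitigation, refusing any request that carries both framing headers. It only catches the plain case; part of why the bug is a nightmare to fix is that every hop has to normalise the headers the same way, including obfuscated Transfer-Encoding values this check does not look for.

```python
"""CL.TE request smuggling, simulated with two toy HTTP parsers.

Added example for the Risky Business show notes, not code from Signal
Sciences or the podcast. The front-end honours Content-Length and the
back-end honours Transfer-Encoding: chunked; the requests and host name
below are constructed for the demonstration.
"""

HEADER_END = b"\r\n\r\n"

# Constructed attacker request: both framing headers, and they disagree.
# Content-Length covers "0\r\n\r\nG" (6 bytes); the chunked body ends at
# the zero-size chunk, so a TE parser leaves the trailing "G" unread.
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

# Constructed request from an unrelated user, sent down the same back-end connection.
VICTIM_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def parse_headers(stream: bytes):
    """Return (request line, {lowercased name: value}, offset where the body starts)."""
    head, _, _ = stream.partition(HEADER_END)
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, len(head) + len(HEADER_END)


def read_chunked_body(stream: bytes, pos: int):
    """Consume chunks until the zero-size chunk; return (body, offset after it)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return body, stream.index(b"\r\n", pos) + 2  # skip the final CRLF (no trailers)
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def next_request(stream: bytes, honour_chunked: bool):
    """Pull one request off the stream the way a CL-first or TE-first parser would."""
    request_line, headers, pos = parse_headers(stream)
    chunked = headers.get("transfer-encoding", "").lower() == "chunked"
    if chunked and honour_chunked:
        body, pos = read_chunked_body(stream, pos)
    else:
        length = int(headers.get("content-length", "0"))
        body, pos = stream[pos:pos + length], pos + length
    return request_line, body, stream[pos:]


def split_stream(stream: bytes, honour_chunked: bool):
    """Return the (request line, body) pairs one parser sees on a shared connection."""
    seen = []
    while stream.strip():
        request_line, body, stream = next_request(stream, honour_chunked)
        seen.append((request_line, body))
    return seen


def is_ambiguous(raw: bytes) -> bool:
    """Edge check: refuse any request carrying both framing headers.

    RFC 7230 section 3.3.3 says such a message ought to be handled as an
    error; rejecting it is the simplest fix, provided every hop does so.
    """
    _, headers, _ = parse_headers(raw)
    return "content-length" in headers and "transfer-encoding" in headers


if __name__ == "__main__":
    pipe = ATTACKER_REQUEST + VICTIM_REQUEST
    print("front-end (CL):", [line for line, _ in split_stream(pipe, honour_chunked=False)])
    print("back-end  (TE):", [line for line, _ in split_stream(pipe, honour_chunked=True)])
```

Run it and the front-end reports two well-formed requests, while the back-end reports the second one as GGET /home: the smuggled G has been glued onto an unrelated user’s request, which is the prefix an attacker then extends into a full poisoned request.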
September 18, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including:
- US Treasury targets DPRK APT crews
- Russia owned FBI counter surveillance team radio comms
- New details on 2016 attack against Ukraine power grid
- US Government to sue Edward Snowden for memoir profits
- Did RCMP intelligence director tip Phantom Secure on investigation?
- Much, much more!
This week’s sponsor interview is with Casey Ellis of Bugcrowd. It’s an interesting chat with Casey this week. He was at the Billington cyber conference a couple of weeks ago and he had a bunch of interesting discussions there with people in the aerospace sector. Between recent Black Hat presentations on 787 security and the trouble Boeing has had with its 737 MAX, software security and resiliency is all of a sudden on the agenda in aerospace. Casey drops by to talk about all of that. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 11, 2019
On this week’s show Patrick and Adam discuss the week’s security news, including:
- Paige Thompson pleads not guilty to CapitalOne hack
- German government probes FinFisher
- BlueKeep Metasploit module dropped
- DPRK samples hit VT, courtesy of our friends in the USA
- Apple releases awful statement about mass exploitation of its devices
- Much more
This week’s show is brought to you by Blackberry Cylance. In this week’s sponsor interview we’ll be talking about US Cyber Command dropping some sweet, sweet APT28 samples on VirusTotal back in May. We’ll talk a little bit about that malware, and also have a more general discussion about CYBERCOM VT drops with Cylance research staffers Steve Barnes and Josh Lemos. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
September 5, 2019
The Soap Box podcast series is a fully sponsored podcast series we do here at Risky.Biz, and that means that everyone you hear in it paid to be featured. This edition of the Soap Box podcast is brought to you by AttackIQ and in it we talk to its CISO and VP of customer success Chris Kennedy. We’ll be discussing a topic that frankly should be talked about a bit more: the MITRE ATT&CK framework. We also talk about attack simulation and which security controls are most commonly and catastrophically misconfigured. If you’re a CISO you’ll like this one.
September 4, 2019
Alex Stamos is our news co-host this week. Patrick and Alex discuss all the week’s security news, including:
- Mass exploitation of iOS devices by Chinese govt
- Telegram moves to nix phone number enumeration “feature”
- USA targeted Iranian maritime awareness system
- Existence of Stuxnet mole revealed by Kim Zetter
- @jack gets hacked
- Much, much more
This week’s sponsor interview is with Michelle Price of AustCyber. AustCyber is the organisation here in Australia that aims to build out the Australian cyber security industry and skills base, and Michelle pops in this week to tell us all about the upcoming Australian Cyber Week. Links to everything are below in the show notes.
August 28, 2019
On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news, including:
- Fortinet, Pulse Secure VPNs are being exploited in the wild
- Imperva’s cloud WAF gets colossally owned
- US authorities fear ransomware attacks against election systems
- Apple fixes re-introduced jailbreak bug
- Telegram design choice puts HK protestors at risk
- Researcher drops two 0days in Valve’s Steam client after bounty spat
- Much, much more
This week’s sponsor guest is Ryan Kalember, EVP of cybersecurity strategy with Proofpoint. Ryan is stopping by this week to touch on a couple of topics. He’ll tell us why Proofpoint didn’t attribute a recent malware campaign targeting US utilities to APT10 despite there being some pretty APT10-like tradecraft used in that particular campaign. He’ll also talk a bit about how thread hijacking is a giant pain in the ass. That’s where attackers take over a mailbox, then just jump right in replying to existing mail threads. Detecting that is hard, of course, because it’s internal mail. It’s a great little mixed bag interview. Enjoy!
August 22, 2019
We used to think of companies like Bugcrowd as offering a very simple service: managed bug bounties. But these days that’s a bit too simplistic. All the “bounty” companies are offering more comprehensive and specific products these days. In this edition of the Soap Box podcast Bugcrowd CTO Casey Ellis joins the show to talk through what the future looks like in crowdsourced security. Matching individual hackers’ skills to individual gigs and launching new services like Bugcrowd for Marketplaces will be a big part of that future.
August 21, 2019
In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including:
- Confirmed: 30 companies affected by CapitalOne attacker
- China info-ops booted off Twitter, Facebook
- Real deal Bluetooth bugs
- Apple re-introduces kernel bug, jailbreaks aplenty
- Apple to sue Corellium for copyright infringement
- DPRK gets its malware VT’d by CYBERCOM
- Much, much more
Haroon Meer of Thinkst Canary is this week’s sponsor guest. We spoke to Haroon while he was in the USA, just before he was about to deliver a talk to USENIX all about “embracing hackiness”. Haroon thinks “hackiness” is a huge advantage for red teams, but that doesn’t mean blue teams can’t use the same hacky approaches to defence. It’s a typically great chat with Haroon. Links to everything discussed are below.
August 15, 2019
This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers. In this podcast we’re speaking with Katherine Charlet. She currently serves as the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. Prior to joining Carnegie, Kate served as the Deputy Assistant Secretary of Defense for Cyber Policy, where she managed the development of US Department of Defense cyber policy and strategy, its development of cyber capabilities, and the expansion of its international relationships. This conversation essentially covers what the state of affairs is when it comes to militaries and their actions in the cyber domain. It was only a few weeks ago that reports claimed the United States government launched a cyber attack against Iranian weapons systems. We’ll hear from Kate about what she thinks that all means, and then we’re going to talk about all sorts of stuff really – the blurring of the line between what warrants a law enforcement response versus a military response, what the path to this situation looked like, so on and so on. But I kicked things off by asking Kate to tell us what this concept of “defending forward” actually means. In the last couple of years we’ve heard that term bandied about by all sorts of people, but everyone seems to have a different definition. Here, Kate shares her more definitive definition.
August 14, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover:
- Follow ups on CapitalOne
- Amazon EBS snapshots exposed
- North Korea bags $2bn in cybercrime spree
- Attempted Coinbase breach postmortem
- Apple’s new research phones for bug hunters
- APT41 busted moonlighting
- Cloudflare finally ditches 8chan
- Leaked Boeing 787 code shredded, full of bugs
- Qualcomm bugs pave path through to Android kernel
- Microsoft gets Tavis’d
- More RDP/RDS bugs
- Much, much more
This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts account actions, not just by traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses and that led to a conversation about Linux EDR generally. It’s interesting stuff. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 31, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover:
- Deep dive on the CapitalOne breach
- Marcus Hutchins sentenced to time served
- Telegram voicemail bug leads to political crisis in Brazil
- Ransomware leaves South Africans without electricity
- Much, much more
Wolfgang Goerlich is this week’s sponsor guest. He’s an advisory CISO with Duo Security and will be along after this week’s news segment to walk us through Duo’s Trusted Access Report. They’ve got some interesting telemetry to share with us. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 24, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover:
- FSB contractor gets itself a whole lotta owned
- NSO Group pitches cloud access
- Hal Martin gets 9 years
- NSA to launch defensive division
- Bulgarian breach data exposed
- DataSpii scandal a 2019 privacy case study
- Google boots DarkMatter certificates from Chrome and Android
- Equifax fined $700m
- Horror show bugs in enterprise VPN concentrators from Palo Alto, Fortinet
- Microsoft demos ElectionGuard SDK (looks pretty cool)
This week’s sponsor interview is with Casey Ellis of Bugcrowd. We’ll talk about how organisations are increasingly doing bug bounties on technology they use, not just technology they develop. And then we’ll be talking about a new thing Bugcrowd is doing – Bugcrowd for marketplaces. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 18, 2019
Soap Box isn’t the regular weekly show we do at Risky.Biz; if you’re looking for that, just scroll one podcast back in your feed or on the Risky Business website. Soap Box is a fully sponsored podcast series we do where vendors pay to come on and talk about research they’ve done, products they’ve launched, whatever. This edition of Soap Box is a particularly good one. Ryan Kalember is EVP of cybersecurity strategy at Proofpoint and he’s our guest in this edition. Ryan was on the show a little while back talking about the concept of VAPs – very attacked people. In this interview he’s going to expand on that. It’s one thing to know that some of your key people are being attacked, but let’s take it one step further. Of those people, who among them is most likely to actually do something like click an untrusted link? What do we know about those users that can tell us how at-risk they are, based on how frequently they’re attacked, and also how likely they are to engage with phishing attempts or dodgy attachments? And if they ARE a risky user, what can you do about that? Measuring risk is only useful if you can do something about it.
July 17, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover:
- US mayors agree: no more paying off ransomware crews
- BitPoint exchange loses $32m in cryptocurrency
- FinSpy is back, big time
- Chinese AV companies won’t flag government malware
- US security companies free to help political campaigns with discounted services, products
- Facebook to pay $5bn privacy fine with money from its spare pants
- Much, much more
Assetnote’s Shubham Shah also joins the news segment to dish on the Zoom RCE bug he and his team found back in March. This week’s sponsor is Kasada, an Australian company that runs a bot filtering service. Kasada is a relatively new company but they’re kicking some pretty serious goals here in Australia and are now pushing into other markets like the USA. But instead of supplying us with one of their people, they suggested we interview one of their customers - REA Group CSO and head of platform Craig Templeton. REA Group runs realestate.com.au, Australia’s biggest real estate listings website. They had all sorts of trouble with content scrapers, bots causing service interruptions, cred stuffing, you name it. In the end they went with Kasada to solve their bot problems and Craig pops by this week to talk about the issues they were having and to sing Kasada’s praises. Getting a reference customer to speak publicly is a Herculean task, so full credit to Kasada for making this one happen. If you operate a website that pushes a lot of traffic you’ll want to hear that interview.
July 10, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover:
- Zoom’s week from hell
- BA, Marriott face massive GDPR fines
- Seth Rich conspiracy originated from Russia’s SVR
- Coast Guard warns of ship hax
- Cybercommand issues warning on DDE exploitation
- PGP ecosystem having a rough time
- Much, much more!
This week’s show is brought to you by our lovely friends at Signal Sciences. I guess you’d call them a next generation WAF. Signal Sciences co-founder and CTO Zane Lackey will be along in this week’s sponsor interview to plug their new cloud-based WAF product, and also to have a chat about a trend he’s seeing at non-security conferences – more high quality security content. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
July 4, 2019
As regular listeners know, this isn’t the weekly Risky Biz news and current affairs show; if you want that, scroll back in the podcast feed to the previous podcast. This is a Soap Box edition, a solely sponsored podcast series we do here at Risky Biz where vendors pay us to come on to the show to talk about, well, whatever they want, really. We’ve heard Duo Security talking about WebAuthn, we’ve got one with Proofpoint coming up that’s about insights they’ve gleaned from filtering such ridiculous amounts of email. But in this edition, Garret Grajek from BlackBerry Cylance will be along to talk about its new product, Cylance Persona. This latest product is kinda out of the box: it’s a machine learning classifier that you install on the endpoint that learns what the typical user behaviour looks like. Once the observed user behaviour starts diverging from what’s expected, it can perform actions – like triggering a 2FA challenge, locking the user out, whatever you want, really. It’s a novel approach to dealing with compromised endpoints. Two factor authentication is great, but if your endpoints are hosed that doesn’t really count for much. And that’s really what this new gear is about.
July 3, 2019
Adam Boileau is along this week to discuss the week’s security news. We cover:
- NYTimes reports USA is getting all up in Russia’s grids
- Kremlin not happy
- CYBERCOM targets Iranian rocket control and APT crews
- TRITON attackers target US grid
- Turla completes hostile takeover of Oilrig
- Reuters publishes huge feature on Cloudhopper/APT10
- China pwns global telcos, targets key subscribers
- FVEY owns Yandex
- Tourists entering Xinjiang now have mobile malware installed at border
- Florida city governments having a bad time
- Much, much more!
This week’s edition of Risky Business is brought to you by Senetas. They make layer 2 encryption tech, but they’ve also got a content disarm and reconstruction play now, Votiro, as well as their safe file sharing platform SureDrop. But we’re sticking with encryption in this week’s sponsor interview. Senetas CTO Julian Fay will be along a bit later to talk about his trip to the International Crypto Module Conference. He’ll fill us in on what the agenda was there – lots of talk about quantum resistant crypto and also some talk about streamlining various certification regimes. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
June 15, 2019
This is the first edition of a new series of podcasts we’re doing here at Risky.Biz that will focus on cyber policy issues. The Hewlett Foundation approached us a while back to see if we’d be interested in doing this series, and we jumped at the opportunity. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea is pretty simple: we can talk to some of Hewlett’s grant recipients or experts in its network about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policy people. Our first cab off the rank is this interview with Jim Baker. He joined the Department of Justice in 1990 and rose through the ranks to become the FBI general counsel in January 2014, a position he held until December 2017. So of course he was running all things legal for the FBI during the Apple-FBI dispute over a locked iPhone 5C recovered from the gunman responsible for the San Bernardino shooting. Baker was the US Government’s point man on all things encryption, taking stances that outraged technologists and reinvigorated a policy debate that had – at least to a degree – stagnated for years. These days, Jim Baker serves as Director of the R Street think tank’s National Security and Cybersecurity Program. This interview focuses on the so-called encryption wars. The FBI and other law enforcement/intelligence agencies want better access to encrypted material, while technologists say that’s impossible to accomplish without introducing unacceptable risks into the technology ecosystem. Baker shares his view on the topic. The Australian government’s guide for law enforcement and intelligence agencies to the Assistance and Access Act, which is mentioned in the introduction to the podcast, can be found here. (Ironically enough, served over http!)
PLEASE NOTE: Jim Baker joined our meeting via a phone call, so the audio quality here isn’t up to our usual standards. Sorry about that!
June 12, 2019
On this week’s show Adam Boileau and Patrick Gray discuss the week’s news, including:
- CBP loses photo and license plate database
- Some Android phones shipped with backdoor
- Info on Google’s cloud outage
- USG ramps up “defend forward”
- Trump and Mnuchin can’t get their stories straight on Huawei
- The latest from Baltimore, more on that RDP bug
- TalkTalk hacker sentenced
- Much, much more
This week’s show is brought to you by Remediant! Remediant CEO Tim Keeler will be along this week to have a chinwag. We’ll talk about how simple security tech is really en vogue these days and how that’s a good thing. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
June 5, 2019
On this week’s show Patrick and Adam talk through all the week’s security news, including:
- NYTimes story on EternalBlue and Baltimore is bunk
- An RDP worm is feeling kind of inevitable
- Iran is still getting Shadowbrokersed
- Intercept has a great feature on SID Today dumps
- Australian Federal Police crack down on national security journalism
- Phantom Secure CEO gets nine years and loses $80m
- Silk Road 2.0 admin must be an amazing snitch
- Another Bitcoin tumbler bites the dust
- Much, much more
This week’s sponsor interview is with Marco Slaviero of Thinkst Canary. Marco is joining us this week to talk about how he thinks web application-based deception techniques are kind of a waste of time right now. We talk about how deception approaches work best in privileged domains, then we talk about how security teams do better when they have a dedicated ops developer.
May 29, 2019
Adam Boileau couldn’t make it this week, but that’s ok because we’ve got former Facebook CSO and current Stanford adjunct professor Alex Stamos filling in for him in today’s show. He’ll be talking through all the week’s security news, including:
- NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
- Assange to face espionage charges, extradition fight looming
- SandboxEscaper just keeps dropping those 0days
- Fury over Facebook’s response to doctored Pelosi video
- Much, much more
This week’s sponsor interview is with David Warburton of F5 Networks. You know F5 as a blinky-light box manufacturer. Load balancers, SSL termination, that sort of stuff. Not exactly a growth industry at the moment, so they’re pivoting. They’ve dropped $670m on NGINX – F5 now owns the NGINX company – and they’re making all sorts of moves in the appsec space. That interview is mostly about F5’s business, but I found it interesting because what do you do when you’re an $8bn company that makes data-centre equipment and that industry starts going into decline? Links to everything discussed are below, and you can follow Patrick or Alex on Twitter if that’s your thing.
May 23, 2019
This is not the regular Risky Business weekly show; the Soap Box series of podcasts that run on Risky.Biz are wholly sponsored. Everyone you hear in Soap Box paid to be here. With that disclaimer out of the way, this is actually a really interesting conversation. Carsten Willems is the co-founder and CEO of VMRay, a company that makes… well.. what do you call it? Is it an incident response tool? Is it a detection tool? Or is it just a good hypervisor-based sandbox that you can use to do both of those things? I’m going to say it’s the third – VMRay is a company that makes a great hypervisor sandbox and has applied that technology to both response and detection. In an ideal world you’d have a team of malware reversers on staff pulling apart every single binary that looks shady. But this isn’t a perfect world, so that’s never going to happen. So the original use case that Carsten and his team set out to solve was around automating malware reversing. They built a hypervisor-based sandbox that’s very hard to bypass; you can run your standard build on it, throw binaries and documents at it and see what blows up. That’s really the primary use case here. But there is a second use case, which is detection. VMRay can give you a pretty decent risk score on samples, and they’ve entered into a few OEM arrangements with vendors to provide that extra level of detection. I’d never met Carsten Willems before we prepared this podcast, but it’s safe to say we hit it off. This podcast basically turned into Carsten telling his story, the story of where VMRay came from and where he wants it to go. Enjoy!
May 22, 2019
On this week’s show Patrick and Adam talk through all the week’s security news, including:
- New executive order paved way for Huawei ban
- Google pulls service from Huawei
- No wait, that’s not right, it’s for new handsets
- The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue? I’m so confused ¯\_(ツ)_/¯
- Israeli broadcaster fingers Hamas over Eurovision coverage hack
- New moves to regulate offensive cyber services
- Salesforce has a bad time
- Instagram influencers have a bad time (Hah!)
- OGUsers pwned
- Much, much more
This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well. CMD’s Jake King was just at a MITRE conference in Brussels that was all about the Attack Matrix. He’s joining me this week to have a bit of talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
May 16, 2019
This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about. Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look. Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues. It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASP-style attacks. Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there. Enjoy!
May 15, 2019
On this week’s show Patrick and Adam talk through all the week’s security news, including:
- NSO Group WhatsApp vuln coverage goes nuclear
- Activists targeted by NSO malware in hiding in west after CIA tipoffs
- Cisco Trust Anchor drags on sea floor
- Linux kernel bugs likely overhyped
- Adobe patches insane number of CVEs
- Microsoft patches rumoured GCHQ VEP’d RDP bug
- New hardware bugs affect Intel processors
- SHA-1 collisions become much more practical
- Major US anti-virus firms owned hard
This week’s sponsor interview is with Ryan Kalember of Proofpoint. Ryan is a listener, and when he heard Adam talking about how password rotations actually result in crappy passwords, it hit a nerve with him. He says Proofpoint, via its CASB product, is seeing a lot of targeted credential stuffing campaigns cycling through variations of passwords that have appeared in dumps. Apparently the bad guys are hip to what a typical password rotation variation looks like and they’re using this knowledge to better direct their cred stuffing attempts. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
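Ryan’s point above is that a rotation policy produces predictable variants and the stuffing lists already encode them. As an added example for these show notes (not Proofpoint’s code or anything from the podcast), the block below shows both sides: rotation_candidates enumerates the variants an attacker would try first from one dumped password, and is_predictable_rotation is a change-time check a password-reset handler could apply to refuse a new password that is just a rotation of the old one. The rotation rules (trailing-number bump, year bump, punctuation swap, season swap, leetspeak) are assumptions about common habits, and the sample passwords are constructed.

```python
"""Predictable password rotations, from both sides.

Added example for the Risky Business show notes, not Proofpoint's or the
podcast's code. The rotation rules below are assumptions about common user
habits and the sample passwords are constructed for the demonstration.
"""
import re
from datetime import date

SEASONS = ("winter", "spring", "summer", "autumn", "fall")
# Punctuation users cycle through when the policy demands a symbol.
SYMBOL_SWAPS = {"!": "@", "@": "#", "#": "$", "$": "!"}
# Leetspeak substitutions undone when comparing stems.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# stem, trailing digits, trailing punctuation (e.g. "Summer", "2019", "!")
TRAILING = re.compile(r"^(.*?)(\d+)(\W*)$")


def rotation_candidates(leaked, year=None):
    """Variants a credential stuffer would try first, derived from one dumped password."""
    year = year or date.today().year
    candidates = set()
    m = TRAILING.match(leaked)
    if m:
        stem, digits, tail = m.groups()
        n, width = int(digits), len(digits)
        for bump in (1, 2, 3):                     # Password1 -> Password2, Password3, Password4
            candidates.add(f"{stem}{n + bump:0{width}d}{tail}")
        if width == 4 and 1990 <= n <= 2100:       # Summer2017! -> Summer<this year>!, next year
            candidates.add(f"{stem}{year}{tail}")
            candidates.add(f"{stem}{year + 1}{tail}")
    if leaked and leaked[-1] in SYMBOL_SWAPS:      # Password1! -> Password1@
        candidates.add(leaked[:-1] + SYMBOL_SWAPS[leaked[-1]])
    lower = leaked.lower()
    for season in SEASONS:                         # Summer2019! -> Winter2019!, Spring2019!, ...
        if lower.startswith(season):
            rest = leaked[len(season):]
            for other in SEASONS:
                if other != season:
                    prefix = other.capitalize() if leaked[0].isupper() else other
                    candidates.add(prefix + rest)
    candidates.discard(leaked)
    return candidates


def canonical_stem(password):
    """Strip what users rotate: case, trailing digits/punctuation, leetspeak, the season name."""
    stem = re.sub(r"[\d\W_]+$", "", password.lower())
    stem = stem.translate(LEET)
    return "season" if stem in SEASONS else stem


def is_predictable_rotation(old, new):
    """True if `new` is a trivial rotation of `old`; a change-password handler would refuse it."""
    if new in rotation_candidates(old):
        return True
    stem = canonical_stem(old)
    # An empty stem means the old password was all digits/punctuation; only the
    # enumerated candidates are meaningful then.
    return bool(stem) and stem == canonical_stem(new)


if __name__ == "__main__":
    print(sorted(rotation_candidates("Summer2019!", year=2019)))
    print(is_predictable_rotation("P@ssw0rd2019!", "Password2020!"))  # rejected
    print(is_predictable_rotation("Summer2019!", "Tr0ub4dor&3"))      # allowed
```

The check needs the old plaintext, which a change-password flow has because the user types it; against dumped credentials you would instead compare canonical_stem of the proposed password with the stems of passwords already seen in breaches for that account.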
May 8, 2019
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:
- IDF takes out Hamas cyber HQ (features commentary from Bobby Chesney and Klon Kitchen)
- NYTimes mangles Symantec’s “Buckeye” research
- Lots of dark web arrests
- SAP exploits not all they’re cracked up to be
- Magecart-style attacks spread to other platforms
- Tech-led crackdown on Chinese Muslims intensifies
- Japan to create “defensive malware”
This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
May 2, 2019
This isn’t the regular weekly Risky Biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors! In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, which used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it? Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them. In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product. Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception work, a hybrid of hardware and consulting, and that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!
May 1, 2019
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Docker Hub owned That Confluence bug we were talking about a couple of weeks ago got wormified Oracle WebLogic users also having a bad time Cloudflare faces investor pressure over providing services to Nazis Slack warns investors of possible nation-state attacks against it Norsk Hydro puts dollar value on ransomware incident Bloomberg publishes another ridiculous security story Much, much more! This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd. As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay. But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky Nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
April 25, 2019
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Marcus Hutchins faces his milkshake duck moment Iranian APT crew gets Shadowbrokersed DNS interference campaign is actually two large-scale actors UK to use some Huawei components in 5G build French Government launches comms app for politicians, it doesn’t go well More detail on CCleaner/ASUS crew Carbanak source found on VT (lol) Wall Street Market exit scams BEC costing US firms $1.3bn PA Much MOAR! This week’s show is brought to you by Signal Sciences, their CEO Andrew Peterson will be along in this week’s sponsor interview to have a bit of a chat about how a lot of traditional enterprises are running serious business web app shops these days. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
April 23, 2019
On this edition of Snake Oilers you’ll be hearing from three vendors offering what I believe to be excellent security technology. I haven’t personally used this tech, but conceptually everything featured in this edition is The Good Stuff. You’ll see. Or hear. You know what I mean. First up we’ll be hearing from CMD, they make killer software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts you have to run on your Linux fleet terrify you? Well, this is a solution for that. There’s a visibility component there, too. Then we’ll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics, but they’ve expanded their tech and now offer IP-based and HTTP request-based analytics. You can deploy AlphaSOC as a Splunk app or hook up to their API any other way you want. They’re offering free trials, but even when you’re on the paid service it’s actually pretty affordable. The brain behind AlphaSOC is Chris McNab who used to run incident response at NCC Group. He’s seen how the planes crash into the mountains and he has created a product that performs eminently sensible analysis on your traffic and metadata to alert you to badness. Then finally we’ll be hearing from Nucleus. This is a new company and if your job is managing vulnerabilities and vuln scanners in your org then straight up, just skip to the Nucleus interview immediately. They’ve created a web app that normalises vulnerability scanning information. It’ll take the outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Qualys, Acunetix AND others. It ingests all of this data, normalises it, then plumbs these alerts through to the right people through a multitude of different ticketing systems. If you’re stuck in the 7th layer of Sharepoint or Spreadsheet vulnerability management hell, this is a solution to your problems. You will weep salty tears of joy when you hear this one. Free trials of Nucleus are also available. Links to the companies featured are below!