Risky Business #562 -- Two former Twitter staff charged over Saudi spying

PLUS: USG border device searches now require reasonable suspicion...

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Two ex Twitter employees charged with spying for KSA
  • US border device searches now require suspicion after ACLU win
  • Unredacted Corellium lawsuit response drops
  • Ransomware attacks on hospitals increase mortality
  • Much, much more!

This week’s sponsor interview is with Stephan Chenette, the co-founder and CTO of AttackIQ. We talk to him about some CSOs playing Pokemon Go with MITRE ATT&CK (“Gotta catch ‘em all!”) and about recent ATT&CK developments.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Capsule8 chief scientist Brandon Edwards

Contemporary production environment complexity is killing us...

The Soap Box podcast is a wholly sponsored podcast series we do here at Risky.biz, which means everyone you hear on it paid to appear.

This edition of the Soap Box is brought to you by Capsule8.

It’s taken a long time, but over the last couple of years we’ve seen a meaningful Linux security software market emerge. It makes sense, I guess, considering the modern production environment is all glued together from various Linux systems. So, we’re seeing some interesting approaches to the Linux security challenge pop up.

Capsule8 makes detection and visibility software for Linux. You can use it to spot various types of funny behaviour on your Linux systems. Brandon Edwards is Capsule8’s chief scientist and he is our guest today.

We speak about a few things, but primarily this conversation centres on the fact that modern production environments have become so complex it’s almost impossible to comprehend how they work. We’ve lost insight, and we’ve even lost the ability to understand how individual security flaws can impact our wider production environments.

So we’re going to talk about complexity in modern production environments, and then we’ll talk a bit about Capsule8’s approach to the Linux security challenge. Enjoy!

Risky Business #561 -- Report: NSO exploits used against politicians, senior military targets

Whoops! NSO Group malware showing up on the phones of, err, important people...

On this week’s show Patrick Gray and Mark Piper discuss all the week’s security news, including:

  • NSO Group malware turning up in some unexpected places
  • Bluekeep mass exploitation finally begins
  • Owning smart home devices with friggin’ lasers
  • Two plead guilty to hacks on Lynda.com, Uber
  • Imperva CEO departs following breach
  • TLS Delegated Credentials sound like A VERY GOOD IDEA
  • Cybercommand heads to Montenegro
  • Much, much more

This week’s show is brought to you by Thinkst Canary. Haroon Meer and Adrian Sanabria from Thinkst recently did a keynote talk at the Virus Bulletin conference in London. Titled “The Security Products We Deserve,” it’s a stinging critique of the security product lifecycle. VC firms keeping stupid ideas alive, analyst firms being parasites, vendors not doing security testing on their equipment and so much more. We’ll be talking to Haroon Meer about that keynote in this week’s sponsor interview, which will run after this week’s news segment.

Links to everything are below.

Feature Podcast: Critical infrastructure security with Eric Rosenbach and Robert M Lee

Are we all going to die? We're all going to die, aren't we...

This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy.

The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers.

This podcast features both Eric Rosenbach and Robert M Lee talking about ICS security.

Eric is the co-director of the Belfer Center for Science and International Affairs at the Harvard Kennedy School. He also heads the Defending Digital Democracy project there. Eric has a very long and somewhat fascinating resume. As United States Assistant Secretary of Defense he led the US Defense Department’s efforts to counter cyberattacks by Iran and North Korea on US critical infrastructure. He’s also worked as a Chief Security Officer in the private sector and served as Pentagon chief of staff from 2015-2017.

Robert M Lee is the founder of Dragos Inc, a very well known company in the ICS/OT security space. Rob started out in infosec with the US Air Force as a Cyber Warfare Operations Officer tasked to the NSA, but as you’ll hear, Rob is actually pretty optimistic about the ICT/OT security challenge.

Risky Business #560 -- Facebook sues NSO Group

PLUS: It's likely DPRK hackers attacked an Indian nuclear power plant administrative network...

On this week’s show Patrick and gust co-host Alex Stamos discuss the week’s security news, including:

  • Facebook files suit against NSO Group
  • Corellium responds to Apple suit
  • Indian nuclear power plant administrative network likely attacked by DPRK
  • Mass defacement in Georgia. Old schooooool!
  • Fancy Bear targets 2020 Olympics
  • FCC proposes subsidies for telcos to rip and replace Huawei, ZTE equipment
  • City of Johannesburg data held to ransom, but it’s not ransomware
  • Much, much more

This week’s sponsor interview is with Jake King of CMD Security. The topic is applying the MITRE ATT&CK framework

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Risky Business #559 -- Maybe it was the Israelis hacking the Russians to masquerade as Iranians?

Hostile Turla takeover of Oilrig more extensive than previously understood...

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Fresh details on Turla’s hostile takeover of Oilrig
  • Russians doing very interesting things with “tagged” TLS
  • China wants an aerospace sector so a lot of people got a lot of owned
  • Imperva releases breach details
  • Zendesk cops to 2016 breach
  • German manufacturer, US transport tech company sunk by ransomware
  • NordVPN gets owned
  • AVAST owned. Lots. Again.
  • Welcome to Video takedown
  • Much, much more

This week’s show is brought to you by Trail of Bits! We’ll be hearing from Trail of Bits practice lead for assurance Stefan Edwards all about their work on a recent security audit of Kubernetes. As it turns out, Kubernetes isn’t actually a horror show, but Stefan thinks you might want to run a hosted instance unless you’re a real expert.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 10 part 2: Do too many users have VPN access to your prod environment? There's another way!

A great chat with StrongDM, plus pitches from Rapid7 and f5 Networks...

In this edition of Snake Oilers Patrick speaks to:

  • Justin McCarthy of StrongDM

StrongDM makes a protocol proxy that you can use to provision production services (like Kubernetes and SQL access) to users without them requiring full VPN access to prod. This is very cool stuff, if you manage a large prod environment that’s suffering from VPN sprawl you’ll want to check this one out.

  • Nicholas Davis of Rapid7

Nicholas is the senior technical product manager for InsightIDR. InsightIDR is a SIEM/EDR play that integrates a bunch of stuff. These days Rapid7 is really emphasising the holistic nature of InsightIDR, rather than the endpoint part, and Nicholas joins the show to talk about that.

  • Preston Hogue of F5 Networks

F5 Networks recently acquired NGINX as a part of a push to become cloud-relevant. Their strategy is to allow for F5 security smarts to be inserted basically anywhere and anyhow you want. Preston joins the show to talk about that!

Links to our Snake Oilers sponsors are below!

Risky Biz Soap Box: Yubico's Jerrod Chong talks series 5 Yubikeys and what's next

Risky Business listeners can get a discount on them, too, which is nice...

These Soap Box podcasts are a wholly sponsored series of podcasts we do here at Risky.Biz, so everyone you hear on the Soap Box podcast paid to be here.

But that’s ok, because we’ve got some great sponsors. This podcast is brought to you by Yubico, makes of the Yubikey devices. These podcasts with Yubico have basically turned into an annual thing. Jerrod Chong is the Chief Solutions Officer at Yubico and he joined me for this conversation about what’s new in Yubico-land. They’ve launched some new stuff, including Yubikeys with lightning adapters for iOS devices, and Jerrod also talks about hardware 2FA moving increasingly to the mainstream.

If you’re reading this within 48 hours of this podcast going live, you can get yourself a $20 discount on any two of the new series 5 Yubikeys by visiting this link and using the code ‘Risky19’.

Risky Business #558 -- Trump targets Crowdstrike, Apple jailbreakers rejoice

All the week's big security news....

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Apple jailbreakers partying in the streets
  • Donald Trump targets Crowdstrike over 4chan conspiracy nonsense
  • Ransomware absolutely everywhere this week
  • Horror-show VxWorks bugs are popping up in other stacks
  • OnApp fixes mother of all misconfigurations
  • More SIM card issues
  • Much, much more

In this week’s sponsor interview we chat with Mr Sandbox himself, VMRay’s Carsten Willems. He’s along to talk about VMRay’s involvement in a machine-learning bypass competition that happened at DEFCON earlier this year.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 10 part 1: Richard Bejtlich talks Zeek plus pitches from Respond Software and PATH Networks

We let this one run long because it's full of goodness!

In this edition of the Snake Oilers podcast host Patrick Gray speaks to:

  • Richard Bejtlich of Corelight

Richard talks about Zeek, formerly Bro, and how enterprises can use it to capture useful network information for analysis, forensics and detection purposes. Richard is an industry luminary and it’s a great interview.

  • Marshal Webb of PATH Networks

Marshal explains how new technology like eBPF and XDP mean it’s possible to build DDoS mitigation rigs out of commodity hardware. That means DDoS mitigation is about to get a whole lot cheaper, and PATH is in pole position in this soon-to-be disrupted market.

  • Chris Triolo from Respond Software

Respond Software makes a decision agent for the modern SOC. They are aiming to completely replace level 1 SOC analysts so those resources can be freed up to do higher-value work. They’re offering free live and retroactive trials of their software, and it definitely belongs in the “why not take it out for a spin” category.

Some links to the company websites and blogs are below!

Risky Business #557 -- 26 nations release cyber norms statement at UN

State-backed activity reaching fever pitch...

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Tibetans targeted in mobile malware campaign
  • Iran denies cyber-attack nobody was asking about
  • More news from the Middle East
  • 26 nations open UN General Assembly with statement on cyber norms
  • Fedex sued over company’s NotPetya response, exec share sales
  • Why “quantum supremacy” isn’t a big deal. Yet.
  • Much, much more

In this week’s sponsor interview we talk to Cody Wood of Signal Sciences about http request smuggling. What it is and why it’s a nightmare to fix.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #556 -- US Treasury targets DPRK crews, more details on Ukraine power hack

Another big week of security news....

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • US Treasury targets DPRK APT crews
  • Russia owned FBI counter surveillance team radio comms
  • New details on 2016 attack against Ukraine power grid
  • US Government to sue Edward Snowden for memoir profits
  • Did RCMP intelligence director tip Phantom Secure on investigation?
  • Much, much more!

This week’s sponsor interview is with Casey Ellis of Bugcrowd. It’s an interesting chat with Casey this week. He was at the Billington cyber conference a couple of weeks ago and he had a bunch of interesting discussions there with people in the aerospace sector.

Between recent Black Hat presentations on 787 security and the trouble Boeing has had with it’s 737-MAX, software security and resiliency is all of a sudden on the agenda in aerospace. Casey drops by to talk about all of that.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #555 -- Bluekeep Metasploit module released, Paige Thompson pleads not guilty and more

Your weekly news round up with Patrick Gray and Adam Boileau...

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Paige Thompson pleads not guilty to CapitalOne hack
  • German government probes FinFisher
  • Bluekeep Metasploit module dropped
  • DPRK samples hit VT, courtesy of our friends in the USA
  • Apple releases awful statement about mass exploitation of its devices
  • Much more

This week’s show is brought to you by Blackberry Cylance. In this week’s sponsor interview we’ll be talking about US Cybercommand dropping some sweet, sweet APT28 samples on VirusTotal back in May. We’ll talk a little bit about that malware, and also have a more general discussion about CYBERCOM VT drops with Cylance research staffers Steve Barnes and Josh Lemos.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: MITRE ATT&CK framework is now officially everywhere

A chat with Chris Kennedy of AttackIQ...

The Soap Box podcast series is a fully sponsored podcast series we do here at Risky.Biz, and that means that everyone you hear in it paid to be featured.

This edition of the Soap Box podcast is brought to you by AttackIQ and in in it we talk to its CISO and VP of customer success Chris Kennedy. And we’ll be discussing a topic of that frankly should be talked about a bit more: the MITRE ATT&CK framework.

We also talk about attack simulation and which security controls are most commonly and catastrophically misconfigured. If you’re a CISO you’ll like this one.

Risky Business #554 -- Is there an iOS exploit glut?

Apple's mobile OS has a very bad week...

Alex Stamos is our news co-host this week. Patrick and Alex discuss all the week’s security news, including:

  • Mass exploitation of iOS devices by Chinese govt
  • Telegram moves to nix phone number enumeration “feature”
  • USA targeted Iranian maritime awareness system
  • Existence of Stuxnet mole revealed by Kim Zetter
  • @jack gets hacked
  • Much, much more

This week’s sponsor interview is with Michelle Price of AustCyber. AustCyber is the organisation here in Australia that aims to build out the Australian cyber security industry and skills base, and Michelle pops in this week to tell us all about the upcoming Australian Cyber Week.

Links to everything are below in the show notes.

Risky Business #553 -- Imperva's cloud WAF gets owned hard

PLUS: Fortinet and Pulse Security SSL VPNs, Webmin interfaces attacked in wild...

On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news, including:

  • Fortinet, Pulse Security VPNs are being exploited in wild
  • Imperva’s cloud WAF gets colossally owned
  • US authorities fear ransomware attacks against election systems
  • Apple fixes re-introduced jailbreak bug
  • Telegram design choice puts HK protestors at risk
  • Researcher drops two 0days in Valve’s Steam client after bounty spat
  • Much, much more

This week’s sponsor guest is Ryan Kalember, EVP of cybersecurity strategy with Proofpoint. Ryan is stopping by this week to touch on a couple of topics. He’ll tell us why Proofpoint didn’t attribute a recent malware campaign targeting US utilities to APT10 despite there being some pretty APT10-like tradecraft used in that particular campaign.

He’ll also talk a bit about how thread hijacking is a giant pain in the ass. That’s where attackers take over a mailbox, then just jump right in replying to existing mail threads. Detecting that is hard, of course, because it’s internal mail. It’s a great little mixed bag interview.

Enjoy!

Risky Biz Soap Box: Casey Ellis on "match.com for hackers"

Bounty programs, yes, but skills matching the future for Bugcrowd and its ilk...

We used to think of companies like Bugcrowd as offering a very simple service: managed bug bounties. But these days that’s a bit too simplistic. All the “bounty” companies are offering more comprehensive and specific products these days. In this edition of the Soap Box podcast Bugcrowd CTO Casey Ellis joins the show to talk through what the future looks like in crowdsourced security. Matching individual hackers’ skills to individual gigs and launching new services like Bugcrowd for Marketplaces will be a big part of that future.

Risky Business #552 -- Guest host Alex Stamos on all the week's security news

Chinese disinformation, Bluetooth flaws, Apple sues Corellium and more...

In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including:

  • Confirmed: 30 companies affected by CapitalOne attacker
  • China info-ops booted off Twitter, Facebook
  • Real deal Bluetooth bugs
  • Apple re-introduces kernel bug, jailbreaks aplenty
  • Apple to sue Corellium for copyright infringement
  • DPRK gets its malware VT’d by CYBERCOM
  • Much, much more

Haroon Meer of Thinkst Canary is this week’s sponsor guest. We spoke to Haroon while he was in the USA, just before he was about to deliver a talk to USENIX all about “embracing hackiness”. Haroon thinks “hackiness” is a huge advantage for red teams, but that doesn’t mean blue teams can’t use the same hacky approaches to defence. It’s a typically great chat with Haroon. Links to everything discussed are below.

Feature Podcast: Inaction is escalatory

A fascinating conversation with former senior Pentagon cyber official Kate Charlet...

This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy.

The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers.

In this podcast we’re speaking with Katherine Charlet. She currently serves as the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. Prior to joining Carnegie, Kate served as the deputy assistant secretary of defence for cyber policy, where she managed the development of US Department of Defence cyber policy and strategy, its development of cyber capabilities, and the expansion of its international relationships.

This conversation essentially covers what the state of affairs is when it comes to militaries and their actions in the cyber domain. It was only a few weeks ago that reports claimed the United States government launched a cyber attack against Iranian weapons systems. We’ll hear from Kate about what she thinks that all means, and then we’re going to talk about all sorts of stuff really – the blurring of the line between what warrants a law enforcement response versus a military response, what the path to this situation looked like, so on and so on. But I kicked things off by asking Kate to tell us what this concept of “defending forward” actually means. In the last couple of years we’ve heard that term bandied about by all sorts of people, but everyone seems to have a different definition. Here, Kate shares her more definitive definition.

Risky Business #551 -- Post Vegas edition, more news than we can handle

An amazing bunch of stories to get through...

Adam Boileau is along this week to discuss the week’s security news. We cover:

  • Follow ups on CapitalOne
  • Amazon EBS snapshots exposed
  • North Korea bags $2bn in cybercrime spree
  • Attempted Coinbase breach postmortem
  • Apple’s new research phones for bug hunters
  • APT41 busted moonlighting
  • Cloudflare finally ditches 8chan
  • Leaked Boeing 787 code shredded, full of bugs
  • Qualcomm bugs pave path through to Android kernel
  • Microsoft gets Tavis’d
  • More RDP/RDS bugs
  • Much, much more

This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts account actions, not just by traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses and that led to a conversation about Linux EDR generally. It’s interesting stuff

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.