In this week’s feature interview we’ll be chatting with Shubham Shah and his friend Lord Tuskington about continuous asset discovery’s impact on testing methodologies. Shubs has worked as both a pentester and as a very successful bug bounty hunter. In fact he’s built an entire asset discovery platform that he and his buddies have been using to rip crazy amounts of cash out of bounty programs over the last few years and he’s turning that platform into a product. So I wanted to talk to him about that, but I also wanted to get a pentester’s perspective on how this type of continuous asset discovery tech could change the testing industry.

This week’s show is brought to you by Exabeam, a next generation SIEM company! And it’s amazing how nicely this week’s feature and sponsor interviews dovetail actually, because Exabeam’s Steve Gailey will be along in this week’s sponsor interview to have a chat about how SIEM technology has changed much faster than SOC operations methodologies. Because basically everyone has structured their operations around three levels of response and the workflows are so ingrained, nobody seems to know know what to do with a next generation SIEM.

Adam Boileau is also along, like always, to talk about the week’s security news.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Here it is – this week’s feature interview with Marisa Emerson! Marisa is a security researcher who did a great talk at BSides Canberra in March all about game cheating.

She was specifically talking about the cheating techniques PUBG gamers are using and just how advanced they are. The crazy thing is the cheaters here are rolling some pretty decent techniques. It’s reminiscent of the iPhone jailbreaking scene – a lot of good hackers who don’t know they’re good hackers.

Marisa is running a binary exploitation bootcamp in Brisbane that will have another session next semester. Details are here.

In this week’s weekly show we’re just going to drill in to the week’s extra long security news section with Adam Boileau then go straight to the sponsor interview. I’ve got a fantastic feature interview for you this week, but I’m going to publish it outside of the news show. It was either that or run stupidly long or cut too much from everything to make it all fit.

This week’s sponsor interview is a good one though. We’re chatting with the team behind DarkTrace. They make a machine learning-backed network monitor. A key different with this kit is it actually gets involved on the network. If it sees something it’s confident is attacker behaviour it will start spraying TCP resets to boot them off the network.

This is something the IPS systems of old used to do but it’s an approach that fell out of favour. We’ll find out why that approach was discarded and why it’s coming back, as well as generally discuss the role of machine learning in security with a company that has invested in it heavily. This isn’t a “for or against” interview segment. This is a discussion with one company that is getting value out of the approach, so stick around for that.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on windows 7/9 and 50% on Win10.

For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview.

In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

In this edition of Soap Box we’re chatting with Root9b. They’ve just launched an updated version of their ORION platform. And I guess the way you’d describe Root9b is as a threat hunt product maker and managed threat hunt provider. And their approach is a bit different – their software is agentless. They basically authenticate to a machine, inject various payloads into memory, and use that to pull back all sorts of telemetry from machines.

They say this means it’s much less likely that attackers will see them and they offer this as a product, ORION, or they offer it as a service. They say their managed services customers come to them because pretty unhappy with their MDR and MSSP providers and want better signalling.

So I was joined by John Harbaugh, COO of Root9b, and Mike Morris, CTO. Both of these guys were US Air Force cyberdudes before jumping out to the private sector. The company actually started off doing training before developing their platform ORION.

John and Mike joined me by Skype for this podcast. Enjoy!

This week’s Risky Business is kind of going back to its roots a bit. As much as we love talking about policy and the intersection of cyber security with global affairs, sometimes it pays to remember that computer security is actually about computers.

With that in mind this week we’ve got two fantastic interviews for you. We’ll be chatting with Dr. Silvio Cesare in this week’s feature interview. Silvio’s dusted off his bug hunting hat and he’s taken to Twitch-streaming his auditing sessions. Dave Aitel described watching Silvio’s Twitch stream as like seeing a Titan ransack a small Greek village. Five months, 100 bugs, 50 of them in kernel stuff.

He’s doing this for a couple of reasons – he wants to show people how it’s done, and he wants people to realise there are still lots of bugs out there to be found. We’ll chat to him about that in this week’s feature.

This week’s sponsor interview is with another old school hacker, Stephen Ridley. Stephen is the founder of Senrio, which is technically an IoT security play, but the thing is the tech he’s developed has turned out to be useful for all sorts of other stuff too.

Senrio is another one of those hacker-led startups in the spirit of Duo Security or Thinkst Canary. Stephen is a really well respected guy and this week he’s joining us to talk about a bunch of stuff. A lot of it is related to the unexpected uses for Senrio’s monitoring platform. He built a classifier for network-connected devices as a part of Senrio’s IoT security platform, and it turns out it’s actually running rings around a bunch of Enterprise Asset Management tools. People are actually using his IoT security monitoring solution to do asset management and figure out install gaps for their EDR solutions.

Totally not what he intended people to use it for, but hey, a win’s a win. So Stephen joins us this week to talk about that, also to talk about recent developments in the IoT space and really a bunch more stuff.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and really get an idea of what supply chain risks look like from a macro level. The long and the short of it is the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here.

This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff.

In this week’s news we cover off:

• Mysterious BGP route hijacking for lame Ether theft (??)
• Google disabling domain fronting
• Canadian teen charged with downloading documents from a website
• City of Atlanta spending $2.6m to recover from its ransomware event
• RSA’s conference app fail
• White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!)
• Much more

The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.

We’re still running in a trimmed down format this week, sorry about that. Regular listeners would know we’ve been dealing with some unexpected stuff over here in the house of Business, but the good news is things have settled down and we’re actually back home after more than three weeks away. Things are looking good for a return to a full format show either next week or the week after.

But don’t worry, there’s plenty of good stuff in this week’s news segment with Mark Piper, including:

• Russia blocking 15m cloud service IPs to shut down Telegram
• RU router hax: Are they a big deal?
• FBI’s “going dark” narrative questioned
• Rob Joyce departs White House
• ZTE in all sorts of trouble
• AND MOAR

This week’s show is brought to you by Cylance. Jim Walter of Cylance will be along in this week’s sponsor interview to talk about a couple of things – we’ll be looking at “fileless” malware – for what it’s worth it’s a term that we both hate – and we’ll also be talking about how complete amateurs are now able to run reasonably sophisticated malware campaigns these days thanks to the badware for hire business getting even more slick.

The show notes/links are below, and you can follow Pipes or Patrick on Twitter if that’s your thing.

Regular listeners would know Risky Business is just running the news and sponsor segments at the moment so there’s no feature interview in this week’s show. But that’s fine because we’ve got plenty to get through in the news segment with Adam Boileau.

Then we’ve got a killer sponsor interview for you this week with Nick Steele and James Barclay of Duo Security.

They’re here to talk about WebAuthn. It’s the new authentication spec currently going through the W3C process. Both Nick and James will be along later to talk about what the spec is designed to do, how it works and what its chances of becoming mainstream are, and spoiler alert, those chances are pretty good.

They’ve also provided me with some links for people out there who want to play around with Webauthn, they are below.

Links to all the news items are also below, and you can follow Patrick or Adam on Twitter if that floats your boat.

This week’s show is just the news segment and sponsor interview. But, as always, there’s plenty to discuss with our news guest Adam Boileau!

In this week’s sponsor interview we’ll be hearing from Timothy Keeler from Remediant.

Remediant is a small but growing company that does privileged account management stuff, but they’re not a password vault. Tim’s joining us this week to walk through some of the challenges of managing privileged access in devops environments and also to talk a bit about some of the challenges around single sign on and privilege management. It’s all good stuff, and it’s coming up after the news.

Links to all the news items are below, and you can follow Patrick or Adam on Twitter if that floats your boat.

This Soap Box edition is brought to you by ICEBRG.

ICEBRG is in the business of network-based response and detection. In simple terms they drop a box on your network that strips network metadata and shunts it up to their cloud for analysis. This allows incident responders in particular to really, really speed up their investigations. We know that a lot of internet traffic is encrypted these days, and that’s made some people take their eye off the network ball. The focus and buzz these days is very much on endpoint detection and response. Our guest on this edition of Soap Box, ICEBRG’s VP of Strategic Partnerships Jason Rebholz, thinks we’ve wound up with a blind spot as a result.

It’s true that a lot of network security tech fell behind the times, but there are some fresh approaches emerging these days that are pretty bloody useful. ICEBRG started off as a product to accelerate incident response, an example use case is deploying it in 15 minutes when you’re starting an IR job; it gives you amazing visibility for the time invested. But, they’re broadening the product a bit these days. They’re not turning it in to an IDS, but they’re able to give clients some very, very high quality signalling. I think this is what you get when you get a bunch of ex-govvies and incident responders together and they develop a product. Their alerts are more along the lines of “you’re owned by this APT group” not so much “hmm, that’s some strange ICMP traffic hitting your mail server. Maybe some router in Azerbaijan needs a reboot, ."

So the thinking is definitely fresh, and I’m increasingly seeing companies play in the network security space again. Network detection is dead! Long live network detection!

Sorry this week’s show is late – I found myself taking an unexpected and unavoidable trip. But I’m back on deck and we’ve got a great show for you this week.

This week we hear from Thomas Rid, Professor of Strategic Studies at Johns Hopkins University’s School of Advanced International Studies. We’re having a conversation inspired by the latest spectacular Russian intelligence blunder: a Russian SIGINT operator exposing their GRU headquarters’ IP address because they forgot to fire up their VPN when logging in to their Guccifer 2.0 persona accounts. Oops.

It’s hilarious stuff, but it’s brought out the conspiracy types who are saying hey, as if they’d make this mistake. Something’s fishy! Well, as you’ll hear, these types of agencies make similar mistakes on a pretty routine basis. Thomas joins us to talk about that, and also about how mistakes like this don’t really matter in the broad scheme of things. They’re a bit of a distraction.

This week’s show is brought to you by Bugcrowd, the managed bug bounty company. Bugcrowd’s founder and CTO Casey Ellis will be dropping by to talk about a few things. They’ve raised a stack of cash since we last spoke and they plan to spend it on a bunch of stuff – they’re working on doing more efficient triage and they’re also looking at creating better legal agreements between their customers and their researchers. That’s all interesting stuff, and it’s coming up later.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Snake Oilers is a wholly sponsored podcast where vendors pay to pitch their tech at you, the listeners. Last week we heard from Rapid7, Mimecast and VMRay, but this week we’ve got two more pitches for you. First up we’re going to hear from Penten, an Australian based company that is doing some genuinely interesting stuff with honey documents.

Also in this edition we’ll be chatting with the team at Trend Micro. And this isn’t really about pitching a product – there more here to combat messaging coming out of newer EDR companies who are portraying established vendors like them as out of touch.

As listeners would know, beating up the incumbent AV companies is one of my hobbies, so basically Trend Micro’s Eric Skinner and Eric Shulze will be along this week to tell me why I’m an idiot. They’re also going to make a strong case for independent AV testing – it’s something the industry has struggled with for a long time, but they say they want it to happen more than ever.

What a week, huh? As you’ll soon hear it’s been an absolute monster week for infosec news. Top of the list is the Cambridge Analytica scandal. For those who haven’t had time to catch up on this one, a former staffer from the data analytics firm has given some interviews in which he says the company scraped 50 million Facebook profiles and used that data to target US voters with political messages on behalf of Donald Trump’s campaign. Obviously this has made people feel quite uncomfortable, everyone is mad at Facebook and it’s news everywhere.

It also looks like Facebook CSO Alex Stamos is on his way out due to events entirely unrelated to this.

Also in this week’s show we’ve got:

• Iranians trying to blow up Saudi Arabian chemical plants
• Americans blaming Russia for attacks on its energy grid
• Kaspersky blowing LIVE SOCOM ops against Al Qaeda and the remnants of Islamic State
• The UK vowing to exact revenge on Russia via “cyber” retaliation over the Skripal affair

There is no feature interview in this week’s show, we’re going long on news, but this week’s sponsor interview is absolutely fantastic. It’s with Haroon Meer, head honcho over at Thinkst Canary.

He’s not here to talk about anything really related to products this week, instead we’re going to talk about CISO stuff. He’ll be thoughtlording the absolute sh*t out of you all this week.

Haroon thinks breached organisations are getting off too lightly in the current infosec climate because people are scared to victim shame. As you’ll hear, he thinks there’s just no excuses for how some high profile data breaches have occurred and says more CSOs should be prepared to die on the right hills to stop their companies engaging in straight up suicidal behaviour. It’s great for security to be an enabler, but that doesn’t mean signing off on whatever anyone wants to do.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

As most of you know this isn’t the regular weekly show, this is a special edition we publish four times a year, and as you may have guessed from the title, this is the Risky Business podcast where vendors pay for time to pitch their products to you, the listeners.

And we’ve actually got some great pitches for you today. We’ll be hearing from Rapid7 first – they’ve developed a new addition to their Insight platform – Insight Phish. There are already so many phishing simulation tools out there, so we’ll hear from Justin Buchanan on why Rapid7 has gone down this path. He actually makes a pretty compelling argument on why they’ve bothered. Simulation is just one part of Insight Phish, the other part is response.

They’ve kind of closed the loop on that, so if you’re already a Rapid7 customer you’ll probably be VERY interested in Insight Phish. And even if you’re not it might get you looking at their stuff!

Then we’re going to hear from the team at VMRay. VMRay makes a cloud-based binary analyser for all you DFIR types. They’re a German company founded on the back of the founder’s PhD. They actually raised millions of dollars in funding in 2016 from German investors. I know I want to hear from any company that convinced Germans to invest large sums of money! They’ve released a new version of their product and they’ll be telling us a bit about that.

And finally we’re going to hear from Mimecast. And you know what? Mail filtering is a hard thing to pitch – most of the functionality is completely opaque to the user. So the Mimecast team will be along in our final pitch of the day to explain to you all what you should be asking of your email filtering provider. It’s actually really good generic advice… surprisingly neutral advice, too, so stick around for that!

Links to all our sweet, sweet Snake Oiler offerings are below!

On this week’s show we’re taking a look at how an acceleration in 24-carat bonkers state-sponsored hacking is leading to calls at senior levels of government for some actual norms to be established. We’ve got Russia hacking the planet with NotPetya, North Korea owning central banks and cryptocurrency exchanges, China owning the CCleaner supply chain and… well.. it’s all getting a bit much.

So in this week’s feature segment we’re going to zero in on one norm-breaking country, North Korea. We’ll hear from John Hultquist of FireEye and Adam Meyers of Crowdstrike on that.

As you’ll hear, countries like North Korea are pushing the limits of what they can get away with on the Internet and friendlier states are desperately trying to establish what the boundaries for good faith actors should actually be. We’ll hear from Australia’s cyber ambassador Tobias Feakin on that part of the discussion, courtesy of some audio gifted to the Risky Business podcast by Australian journalist James Riley. That’s a fun package and it’s coming up after the news.

This week’s sponsor interview is with Zane Lackey of Signal Sciences. Zane joins us to talk about a few things – how developer teams are increasingly making their own security decisions and how that’s actually a good thing… we’ll also talk about companies that have found themselves operating on multiple cloud platforms even though they didn’t plan for it.

Adam Boileau, as usual, is this week’s news guest.

We cover:

• The AMD bugs
• China’s tightening grip on security research
• Slingshot APT
• Christopher Wray’s mind bogglingly daffy comments on key escrow
• AND MOAR!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’re chatting with Professor of Law at the University of Maryland Danielle Citron about an article she co-authored on so-called “deep fake” videos. Citron and Bobby Chesney wrote a fascinating piece about the privacy and national security implications of this latest trend and we’ll be talking to her about that a little bit later on.

In this week’s sponsor interview we’re chatting with Julian Fay, CTO of this week’s sponsor Senetas. We talk to him about how encryption hardware industry is responding to the looming spectre of quantum computing.

As you’ll hear, standards bodies are already rolling out draft implementations of quantum-resistant algorithms that companies like Senetas will be baking into their kit as additional layers of protection.

Adam Boileau, as usual, is this week’s news guest.

We cover:

• Massive memcached DDoS attacks
• Trustico having a bad week
• Reported flaws in 4G/LTE
• Uber breach lawsuit
• …and more!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

This isn’t the regular weekly show, Soap Box is the podcast where vendors pay to appear to talk about big picture stuff, or really anything they want.

Unless you’ve been living under a rock lately you’d know that Google’s parent company Alphabet announced the spinoff of an enterprise information security company. They’ve named it Chronicle, but beyond that it’s all a bit mysterious. Unlike other startups that stay super stealth until they launch their product, Alphabet basically realised that as it already has its platform out there under beta test with a bunch of organisations the creation of the company would eventually leak, and that would have been a mess from Alphabet’s point of view. So, their solution was to announce the company before it’s ready to ship its product.

I would love to tell you that they’re going to drop all the juicy details in this podcast but they’re not. They’ll drop some hints, but for now, Chronicle’s mystery platform will remain that: a mystery.

But that’s not to say there isn’t some other stuff to talk about. As a part of the spinoff, Virus Total is now a part of Chronicle. And you know what? There’s a lot more to Virus Total, in particular Virus Total Intelligence, than I realised. That’s partly because Alphabet hasn’t really done much marketing around it, and this is a kind of first step down that path.

So in this podcast you’re going to hear from two people from Chronicle – Rick Caccia who is the chief marketing officer, he’s mostly chiming in to explain a little bit about the new company – and Mike Wiacek, the CSO and co-founder of Chronicle. He’s going to be telling us about all the features of Virus Total that you probably didn’t realise exist. Did you know if you have a VTI account you can run YARA rules against everything that comes in to Virus Total? And you can apply the rules retrospectively to see what shakes out? And that they have graph and clustering features? And … and … and … you get the idea.

I hope you enjoy this podcast!

On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.

It’s making some waves already. It’s a genuinely interesting, free service.

In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all thing blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.

JP will talk us through some of the bug classes he sees as well as talk about the work trail of bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Etherum Virtual Machine.

Adam Boileau, as always, is this week’s news guest.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

This edition of Soap Box is brought to you by Bugcrowd. So the next 40 minutes or so is a conversation between Bugcrowd CTO and founder Casey Ellis and I.

As most of you would know, Bugcrowd runs outsourced bug bounty programs for a wide variety of organisations, from Silicon Valley megabrands to financial services to development-heavy SMEs, Bugcrowd is there.

And what a time it is for the bug bounty business. There’s a lot of attention on the bug bounty concept at the moment – we even saw a senate subcommittee hearing on them take place earlier this month. It’s a competitive sector, too.

In this podcast Casey tells us about a few things, like what Bugcrowd is doing to try to add some innovation to bug bounty programs. As you’ll hear, he’s actually got some really great ideas. I came into this as a bit of a sceptic, as in, how can you innovate around something as simple as a bug bounty program? It turns out you can. We also try to make the case that bug bounties are an established part of infosec now; a boring part of the mix.

So we cover off some interesting stuff Bugcrowd is doing, then we talk about how the bug bounty provides types might be able to actually engage their crowds in defensive work.