This week’s podcast features Patrick and Adam talking about the week’s security news, including:

• Huawei staffer arrested for spying in Poland
• Conviction in DPRK SWIFT hack against Bangladesh central bank
• El Chapo used Flexispy to spy on mistresses and staff
• NSO group on charm offensive
• Iran hijacking DNS entries, conducting PITM with DV certs
• Kaspersky tipped NSA on Hal Martin
• US government certificates expire amid shutdown
• Idiot sentenced to 10 years prison for DDoSing children’s hospital

This week’s show is brought to you by Trail of Bits! Trail of Bits is a security engineering firm and consultancy based in New York. They aren’t a typical pen-testing firm, they build as well as break.

In this week’s sponsor interview JP Smith from Trail of Bits joins us to talk about the work he put in to CSAW. Not the Centre for Sustainable Architecture with Wood, which is a thing, but the Cyber Security Awareness Worldwide CTF.

JP is a sick man. He’s sick. You’ll hear about the mind-bending CTF challenges he put together for CSAW. Remarkably, some teams were actually able to solve his problems, some of which featured complex numbers mapped to a four dimensional unit sphere being used to drive the rotation of a virtual IBM Selectric typewriter golfball in Second Life. As I say, he’s a sick, sick man.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this week’s show Adam Boileau and Patrick Gray discuss the security news of the last few weeks, including:

• German politicians pwnt, suspect arrested
• Possible ransomware attack affects US newspapers
• Mass 2FA bypasses impacting Gmail users in Middle East
• Emergency warning system in Australia popped
• Ethereum Classic double-spend attack a sign of things to come
• EU to fund open source bug bounties
• Attackers steal details of 1,000 North Korean defectors
• Doing the Bloomberg hack for real at 35C3
• El Chapo should have used Signal
• Much, much more…

This week’s show is brought to you by Cylance! BlackBerry announced that it’s acquiring Cylance for $1.4bn (I don’t know if that’s closed yet) which is great news for all the founders and early employees there – some of whom I know reasonably well. So congrats to team Cylance on that!

But we’re not talking about that this week. Instead, Cylance’s very own Scott Scheferman joins us to talk about the MITRE ATT&CK framework and how it’s informing their product dev. There’s some product talk in that interview but there’s also some real meat there so I let it run long. Scott says we’re close to the terrible situation where security companies are going to start using MITRE ATT&CK as a marketing tool, like “Full MITRE ATT&CK coverage!”

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Soap Box is the podcast series we do here at Risky.Biz where we have detailed discussions with vendors about all sorts of stuff – sometimes it’s about their products, other times it’s about the landscape as they see it, other times it’s about research they’ve done that they want to promote. Soap Box is a wholly sponsored podcast series – just so you know – so everyone you hear on it, paid to be on it.

And this Soap Box edition is brought to you by Respond Software. We’ll be joined by Respond Software’s co-founder and CEO, Mike Armistead to talk about Respond’s tech. Mike has an interesting history in infosec… he actually co-founded Fortify, the software security firm, before winding up at HPE as the VP and General Manager for Arcsight, the poor fella. But he’s free now! Freeeeeee! And he’s co-founded the venture we’re talking about today.

So, what’s the idea behind Respond Software? Well, to break it down into really simple terms the whole idea is to take all the zillions of events your existing security kit flags and distill them down into meaningful alerts. To put this into context, Mike says that during the 30 days in the lead up to the interview we recorded, his customers fed two billion events into their Respond Software gear. Of those two billion events, Respond deemed 7 million of them worthy of escalation, and from there determined 45,000 were malicious, but then… and this is the cool part, this only resulted in 350 incidents raised by the Respond platform. From 2 billion to 350.

So it’s a great idea – tune out the crap and look at meaningful correlations. Automate the decision making around what’s serious and what’s not. You’ve got all this gear, maybe you’ve got something aggregating it, but what’s applying decision logic to it?

Mike sent me a list of software Respond currently supports: all manner of IDSes, AV and EDR suites and then other stuff that gives their software the context it needs to make better decisions, like active directory, Nessus, Qualys, Splunk, QRadar… whatever! The idea is, plug ALL your over-alerting crap into Respond Software’s gear and it’ll do a good enough job of correlating events that you’ll only have to deal with what’s real. Well, that’s the pitch. Mike Armistead joined me to to flesh it out a bit more.

This is the last weekly Risky Business podcast for 2018. We’ll be posting a Soap Box edition early next week then going on break until January 9.

In this week’s show Adam Boileau and Patrick Gray discuss the week’s security news:

• Huawei’s CFO arrested over sanctions violations
• BT in the UK removes Huawei equipment from 4G network
• Australia passes controversial surveillance law
• US House Oversight Committee blasts Equifax in scathing report
• Bloomberg plays word-games on Super Micro story
• MOAR

This week’s show is sponsored by Bugcrowd. In this week’s sponsor interview Bugcrowd’s CTO and founder Casey Ellis tells us why his company is launching “pay for effort” products to run alongside bounty programs.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers is the podcast where we get a bunch of vendors together to pitch their stuff – they all pay to participate, just so you know – and today we’re going to hear three pitches from tech companies: one from Forticode, one from Exabeam and one from SentinelOne.

That’s right, we talk to vendors to get their best pitches so you don’t have to!

Forticode joins us to pitch its Cipherise platform – applied PKI wrapped into a slick mobile platform that helps large organisations authenticate their users, and helps their users authenticate them.

Exabeam will be talking about how they’re doing more device analytics in their SIEM platform and SentinelOne will be talking about how they differentiate themselves in the highly competitive EDR space.

Links to all of these companies are below.

This week’s show features Patrick Gray and Adam Boileau discussing the week’s security news, including:

• The Marriott, Quora, Dell and Sky Brazil data breaches
• Kashoggi associate to sue NSO Group
• Australia’s AA Bill set to pass
• NZ give Huawei the boot
• AutoCAD malware targets key verticals
• Republicans’ 2018 campaign hacked
• Czech government blames Russia for intrusions into key systems
• Horror-show bug in Kubernetes

This week’s show is brought to you by Duo Security, big thanks to Duo for that! In this week’s sponsor interview we’ll be chatting with Duo Security’s very own Dave Lewis about some Beyond Corp stuff. Beyond Corp is the enterprise computing model of the future and Dave will be along after this week’s news to talk about some of its finer points.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This is the first part of our final Snake Oilers edition for 2018.

Snake OIlers, for people don’t know it, is the podcast where vendors pay to come on to the show to promote their wares. This series actually turned out to be way more popular than we expected. People quite like listening to security companies actually explaining what they do in clear terms.

We have six vendors participating in this last round of Snake Oilers for the year – we’ve split the podcast into two podcasts containing three vendor pitches each, and in this part you’ll be hearing pitches from Rapid7, WhiteSource and Chronicle.

• Dan Kuykendall of Rapid7 talks InsightAppSec, its DAST solution.
• David Habusha of WhiteSource talks software composition analysis
• Brandon Levene of Chronicle on VirusTotal Enterprise

Part two is up next week!

We’ve got a slightly different edition of the show this week – Alex Stamos is filling in for Adam Boileau this week in the news slot.

Most of you know him as Facebook’s recently departed chief security officer. Alex also served as the CSO at Yahoo for a time, but his security career stretches back a long way. He co-founded iSEC Partners back in 2004, and before that he did some time with @Stake.

The @Stake mafia is everywhere.

These days Alex is an adjunct professor at Stanford University. He joined me to talk about the week’s security news, as well as to have a chat about the Edward Snowden disclosures, five years on.

This week’s show is brought to you by Thinkst Canary, big thanks to them for that. And instead of one of their staff being on the show this week in the sponsor chair, they asked me to interview this week’s sponsor guest, their customer, Mike Ruth, a security engineer with Cruise Automation.

Mike did a presentation at a conference called QCon recently all about automating the deployment of canary tokens at scale using some nifty CI/CD tricks. He’ll be joining us after the news to tell us all about that.

Items discussed in this week’s news:

• NSO Group busted to selling to Saudi Arabia
• NSO malware targets Mexican journalists
• Edward Snowden claims NSO connection in Khashoggi case
• Australia’s AA Bill latest
• npm supply-chain attack targets Bitcoiners
• Guardian reports Manafort met Assange, denials, lawsuits flying already
• UK parliament seizes Facebook documents
• Uber fined over 2016 breach coverup
• UK cops decline to charge bug reporter
• USPS finally fixes data exposure after Krebs intervention
• Rowhammer attack bypasses ECC protections
• Bloomberg is investigating its own reporting on Supermicro
• Magecart is everywhere
• Google, Mozilla plan browser access to file systems

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This Soap Box edition is brought to you by AttackIQ.

AttackIQ is a five-year-old company that makes an attack simulation platform. The idea is you agitate a network with suspicious traffic and activities, then measure what the response looks like on the other side. As you’ll hear, Stephan argues this is a better way to test your controls than trying to do it after an incident has been and gone.

Mostly people are using it to verify the effectiveness of their security controls. They already have endpoint security software, IDS, various monitoring bits and pieces, but quite often this stuff just isn’t tuned right. So, you throw some attack traffic and behaviour at your systems and see what bubbles up

One piece of work that has been absolutely vital to AttackIQ’s success is the MITRE ATT&CK Matrix. Like AttackIQ, the ATT&CK Matrix has been around for five years.

Stephan Chenette is AttackIQ’s CTO and he joined me to talk all about how they’re trying to use the ATT&CK Matrix to drive their whole outlook, and, conversely, how they’re spending time talking to MITRE about where the whole thing is going.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Cozy Bear is back, Fancy Bear has new tooling
• Russian government wants DNC lawsuit thrown out
• Cyber Command submitting samples to VirusTotal
• Google BGP shenanigans
• Australian/China Telecom BGP shenanigans
• All the recent Facebook drama
• More speculative execution bugs
• Julian Assange likely to be charged
• Vault7 leaker facing new charges
• Phineas Fisher investigation abandoned
• Bitcoin/Tether link probed by DoJ, btc in free-fall
• MUCH MOAR

This week’s show is brought to you by Proofpoint.

Sherrod DeGrippo, Proofpoint’s director of threat research and detection is this week’s sponsor guest. Surprisingly, she tells us that ransomware via email is a dead duck.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

We’ve got a great podcast for you this week. Tanya Janca will be talking about some volunteer work she’s been doing with a Canadian government panel on getting security content into children’s school curriculums.

In this week’s sponsor interview we’ll be talking with Ferruh Mavituna of Netsparker.

They launched Netsparker Cloud a while ago so now they have some decent telemetry I wanted to ask Ferruh what he’s found surprising now he’s sitting on a mountain of scan results. The types of bugs being turned up aren’t really a surprise, but the extent to which old software is a problem was actually pretty surprising to him. He knew it was bad, he says, but he didn’t know it’s this bad.

Adam Boileau, as usual, joins the show this week to talk about all the week’s security news:

• More Chinese MSS officers indicted by the US DoJ
• ASD chief speaks publicly on 5G Huawei ban
• China playing funny buggers with BGP
• Russia is still messing with the US during the midterms
• Facebook boots more Iranian influence pages
• New privacy features in Signal
• Plus much, much more!

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate. They sometimes want to talk about their products, other times they want to talk about general ecosystem stuff, other times they want to talk about research they’ve done.

And that’s what’s happening today! Olabode Anise is a data scientist at Duo Security. He and his colleague Jordan Wright put together a talk for Black Hat this year all about Twitter bots. It was called Don’t @ me, hunting Twitter bots at scale.

As you’ll hear, finding bots on Twitter at scale isn’t that hard, but doing so with 100% confidence isn’t as easy as you’d think.

You can check out a blog post from Olabode in the show note below.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• CYBERCOM doxing Russian operators. No, really.
• Arrest over Russian midterm info-op
• Bloomberg dumpster fire is now a tyre fire
• Equifax insider sentenced for insider trading
• Twitter releases bot dataset
• Saudi insider responsible for 2015 Twitter breach
• Trisis/Triton now linked to Russia
• Kaspersky doxes NSA op
• Risky Business cited by Senate Estimates, AA Bill faces possible delay
• Much, much more!

This week’s show is sponsored by Cylance, and this week’s sponsor interview is with Josh Lemos.

That’s an interesting chat – Cylance has succeeded in applying machine learning to classifying binaries, but what next? Where does it make sense to apply machine learning next, from their point of view? As you’ll hear, a binary classifier is one thing, but applying ML to something like endpoint detection and response or network traffic is actually a lot more complicated.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• More info on the Facebook token hack
• Facebook boots “Russian Cambridge Analytica” off platform
• Chinese MSS officer extradited to USA after being lured to Belgium
• NotPetya linked to Sandworm crew
• Czech intelligence services kill Hezbollah APT
• Pentagon travel records pwnt
• No, Khashoggi’s Apple Watch didn’t record his death
• Apple takes aim at Australia’s AA Bill
• US voter records for sale in hack forums
• PHP 5 support ends soon, netpocalypse to commence shortly afterward
• The world’s most hilarious libssh bug
• PLUS MOAR

This week’s show is sponsored by Senrio.

Senrio is best known for doing IoT identification, classification, visualisation and anomaly detection, but they’ve now applied the same approach to general IT. Stephen will be along later in the show to talk about what they’ve been able to engineer here. I’ve actually been working with them on this (in a limited capacity) for a few months and it’s very interesting stuff.

So yeah he’s talking about a feature release, then he’ll be releasing some open source tooling that mine your network metadata and spot interactive shells in your environment, which is handy, and then he’s going to preview some free training he’s doing with some other very well respected security people in New York soon.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Bloomberg’s shaky, disputed report on hardware back doors
• A look back on other false reports about imaginary incidents published by Bloomberg
• GRU operations doxed by GCHQ
• DOJ charges Russian intelligence officers
• APT crews targeting MSPs
• Google+ API exposure the final straw
• Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

In this podcast hardware security expert Joe Fitzpatrick, a named source in Bloomberg’s “Big Hack” piece, explains why he felt uncomfortable reading the story when it was published.

He also provided Risky.Biz with emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This soap box edition is brought to you by Trend Micro.

And in this edition we’re speaking with Dustin Childs who works for the Zero Day Initiative. ZDI is the entity responsible for the pwn2own competition. But not just that – they’ve been buying bugs since before it was cool. Everything from enterprise software, to linux bugs.. whatever. You find it, they’ll buy it.

Trend Micro actually owns the ZDI, and there’s a story right there in how that came to pass… but you know what? Trend seems to really be behind the ZDI program.

As you’ll hear, the original idea behind ZDI when it was a TippingPoint thing was so they could write IDS signatures for vulnerabilities that ZDI unearthed. We know today that spinning up sigs for bugs you’re paying for isn’t really a winning strategy for picking up 0day attempts against your computers, so, the question becomes, what do you do with a program like ZDI when you’re Trend Micro?

As it turns out, you do two things with it – there’s the marketing side, but there’s also the constant stream of exploit submissions that come in handy when you’re making endpoint security software.

We’ll also be hearing from Eric Skinner in this podcast – he’s Trend’s VP of Solution Marketing at Trend. Trend is pushing a major release of its endpoint security software and he’s along to spruik that a bit, as well as chiming in on some of the ZDI stuff.

In this podcast I interview Stephen Ridley about Bloomberg’s blockbuster – but so far uncorroborated – story about possible hardware supply chain subversion by the Chinese government.

I also lay out some facts I’ve learned since the story broke.

[CORRECTED] I’ve added a correction to this podcast because the only source I could turn up who would corroborate the Bloomberg piece has retracted their claims.

This is a source who has provided me with good information in the past, I’ve known them for about 15 years and they’re very well plugged in. They showed me photos they said were from a teardown of a supermicro motherboard. These photos showed an unlabelled integrated circuit the source said was likely a hardware back door.

Further, the source said there were other problems with the Supermicro gear, including vulnerable firmware and security functions that just didn’t work properly.

Now the source says the photos were from different equipment, not their teardown of the Supermicro gear, and that they did not find hardware back doors on the Supermicro equipment.

So basically that source’s credibility with me is pretty shot right now, and the best I can do is retract my repetition of the source’s claim that they had verified backdoors in the Supermicro equipment.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Facebook breach impacts 50m accounts
• US courts deny authorities’ attempted FB messenger wiretap
• Uber fined $148m for nondisclosure of 2016 breach
• Fancy Bear-linked UEFI malware appears in wild
• UK Conservative party conference app leaks like sieve
• Twitter bans distribution of “hacked material”
• VPNFilter botnet gets more capabilities
• Duo arrested over $14m cryptocurrency SIM-swap heist
• MOAR

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Former NSA staffer gets 66 months over incident at heart of Kaspersky scandal
• Zoho has a very bad week
• Telco lobby group raises some legit concerns over Australia’s “anti-encryption” legislation
• Twitter API leaks DMs
• Equifax fined by UK
• Yubikey 5 enables passwordless Windows logins
• Privacy International has an aneurism
• NSS Labs launches antitrust suit against security software makers
• MOAR

This week’s show is brought to you by Rapid7.

Jen Andre is this week’s sponsor guest. She was the founder of Komand, which was a security automation and orchestration company but is now a part of Rapid7 as of about mid way through last year. I spoke to Jen a bit about how she came to start Komand and where the security automation and orchestration discipline is at right now.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.