In this week’s show Patrick Gray and Alex Stamos discuss the week’s news, as well as discussing the rise of white supremacist communities and propaganda on the Internet and what can be done about it.

News:

• Norsk Hydro ransomwared
• Huawei ban gets more and more political
• APT40 hitting USA hard
• Cyber Command’s Euro road-trip
• Kremlin interference in EU elections extremely likely
• US Senators seek information on breaches targeting them
• Cloudflare won’t pull service from 8chan in wake of NZ attack
• Beto O’Rourke was cDc member
• New Mirari variant
• 150 million Android devices hosed by new malware
• Much, much more

This week’s show is brought to you by Chronicle Security! We’ll be joined by Chronicle co-founders Shapor Naghibzadeh and Mike Wiacek. They had a tremendously successful launch at RSA and they’re going to pop in to tell us about some near future plans they have for their Backstory product.

Links to everything are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news:

• Chelsea Manning back in jail
• Citrix owned, Resecurity claims it was Iran. Again. Because reasons, apparently.
• Huawei politics get messy
• EXCLUSIVE: Toyota Oz, other carmakers likely targeted by APT32 (Vietnam)
• Much, much more

This week’s sponsor is Senetas. They make layer 2 encryption gear but recently made a US$8m investment into Votiro, a Content Disarm and Reconstruction (CDR) play. Votiro CEO Aviv Grafi is this week’s sponsor guest. He stops by to explain CDR tech.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news:

• The NSA isn’t that interested in phone metadata anymore
• More Chinese mass surveillance data leaks
• Chelsea Manning, David House subpoenaed over Wikileaks
• Quadriga cold wallets were actually empty at time of founder’s death
• NSA deployed “rm -rf / shark” at Internet Research Agency
• HackerOne follows Bugcrowd into pentesting
• NSA releases Ghidra
• Much, much more!

This week’s sponsor interview is with Chris Kennedy, AttackIQ’s CISO and VP of customer success. And we’ll be talking about a few things really, like about how continuous validation of security controls like monitoring is a good thing. Everyone uses software like Tenable to verify patching, why not do the same for your monitoring?

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this edition of the show we’re playing a small part in Chronicle’s launch of its flagship product, Backstory.

Chronicle is of course the security spinoff of Google’s parent company, Alphabet. The launch of Chronicle itself was announced about a year ago, but until now it’s only really had one product: Virus Total Enterprise. That all changed today when Chronicle launched Backstory at the RSA conference in the USA.

I was lucky enough to see a demo of Backstory before we recorded this interview last week, and I’m going to characterise it in a way that Chronicle probably won’t like, but it’s basically a cloud-SIEM, albeit a very good one.

Backstory ingests logs from a bunch of data sources – DNS lookup information, DHCP info, your EDR logs (from your Crowdstrike or Carbon Black software), web proxy logs, firewall alerts – and then it structures this stuff so you can make use of it. You get nice pointy-clicky timelines and useful visualisations. That’s handy enough, but keep in mind your logs are now with the company that is responsible for Virus Total. They have some pretty good intel, and they can now apply various IOCs to the logs you’ve submitted.

So one obvious use case for Backstory is doing the type of threat hunting threat hunters like to do, but beyond that, this is likely going to become a pretty useful alerting platform.

On this week’s show Adam and Patrick discuss the week’s security news:

• Cyber Command kicks the IRA off the Internet on election day
• WSJ reporting on Iran vs Australia likely incorrect
• Two Russian cybersecurity professionals sentenced over treason
• DPRK spearphishing US summit participants
• LOTS of technical news and research this week

This week’s show is brought to you by Remediant. Their CEO Tim Keeler will be along in this week’s sponsor segment to talk about how they’re doing “virtual directory binding” to make managing Linux accounts via Active Directory less traumatic. If you’re struggling with horrible, horrible PAM solutions in your devops environments have a listen to that one.

*** NOTE FROM PAT: I made some mistakes in the recording phase of this week’s show. As a result, my vocal audio is pretty atrocious. Sorry! ***

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Adam Boileau is along this week to discuss the week’s security news, which also features comment from Dmitri Alperovitch, Klon Kitchen and The Grugq. We cover:

• Former USAF counterintelligence official indicted over spearphishing, leaking secrets
• Australia’s major political parties targeted by APT crew that totally isn’t Chinese. (It’s Chinese)
• More on the Iran DNS hijacks
• Venezuelans phished by their own government
• China’s mass surveillance of Uyghur Muslims laid bare in data leak
• Millions of Swedes have their healthcare help-line calls exposed
• Bank of Valletta dodges a bullet, catches fraudulent transfers
• VK gets Samy’d
• Calls for GDPR-like law in USA
• Marcus “Malwaretech” Hutchins has a bad week

This week’s sponsor interview is with Jason Haddix of Bugcrowd. He’ll be along to talk a little more about what Bugcrowd calls next-generation pentests. They claim one of their tests is sufficient for compliance purposes under PCI, ISO or NIST and they’ve had a third party auditor prove that for them. They also say the service has really taken off despite being launched only a couple of months ago.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Adam Boileau is back in the news seat this week. We talk about:

• Amazing Reuters report on UAE’s “Project Raven”
• Bezos’ dick pics, Saudi Arabia and a creepy brother
• US government security staffers play post-shutdown catch-up
• Krebs: National Credit Union Administration probably pwned
• Russia to test complete disconnection from wider Internet
• China suspected of involvement in Australian parliament hack
• Trump likely to ban all Chinese telco equipment makers from US builds
• Lasers
• Google: iOS privesc 0days were in wild
• $145m in cryptocurrency lost forever due to exchange CEO death
• VFEmail has a very bad day
• Facebook/Apple cert wars
• MORE

This week’s show is brought to you by AustCyber, a nonprofit funded by grants from the Australian government. Its goal is to promote Australia’s cybersecurity industry.

AustCyber CEO Michelle Price will be along in this week’s sponsor interview to tell us all about what they’ve got planned for RSA.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

As regular listeners know, this isn’t the regular weekly Risky Business podcast, all Soap Box podcasts are paid promotions. We ran 10 of these last year, we’re running more of them this year – the total number is up to 14, but we’re running fewer of our other promotional podcast Snake Oilers.

In this Soap Box podcast we’re chatting with a company with a legitimately fascinating origin story.

You remember how in 2017 and 2018 people were running all these shonky initial coin offerings where they’d sell off millions of dollars of crypto tokens on the basis of a two minute video and a whitepaper? What happened in a lot of these cases is after the ICO the founders would take the money, launder it and move to the Bahamas.

Well, Polyswarm raised its money in an ICO. About $26m US dollars (!!). And, because they weren’t mainlining the ICO Kool-Aid, they cashed out about half of what they raised into real money before cryptocurrency values crashed.

Instead of moving to the Bahamas, they actually stuck around to build the business that tokenholders had chosen to fund. Their token value has crashed like everyone else’s has, but that doesn’t matter – they’re funded, and because of their unconventional funding source they don’t have a whole bunch of venture capitalists breathing down their neck.

So, what’s the business? It’s a marketplace for threat detection. Yes, my pinned tweet says “I do not want your blockchain expert as a guest on my podcast,” and yes, this company does use blockchain fairy dust, but as you’ll hear, the blockchain element to this business isn’t really what it’s about. Indeed, the founder and CEO of Polyswarm, Steve Bassi, says he would find life a lot easier in many ways if they weren’t actually using blockchain tech here as a marketplace enabler. He’s also banned himself from ever attending a blockchain conference again in his life.

Ok, so what is the Polyswarm marketplace and how does it work. As you’ll hear in this interview it took me a bit to actually understand exactly what they’re doing here, but what they’ve essentially built is a marketplace for AV. The best way to explain this is to just explain how it works. If you’re an enterprise client or an MSSP you can submit a sample to this marketplace. You’re submitting it with a question – is this file bad or good – and you attach a tokenised value to the answer.

On the other side of the equation are all these AV engines. Big ones, small ones… even tiny little micro engines that are only good at detecting very niche threats. So the enterprise submits the sample – that can be a whole file or just a hash – and it gets distributed to all the people who are running these AV engines. They scan the file, and if they’re super confident on an answer, they return that answer as well as a tokenised stake as a measure of their confidence. The idea is you can have a competitive marketplace for threat detection in which even niche players can participate. Polyswarm CEO Steve Bassi joined me to talk me through the whole concept.

There’s no news segment in this week’s show. Instead, you’re going to hear a long-form feature interview I did with the NSA’s Rob Joyce.

Rob is probably best known for his tenure as special assistant to the president on cybersecurity and for being the cybersecurity coordinator on the US National Security Council.

He also served as acting homeland security advisor to Donald Trump for a short time following the departure of Tom Bossert from the Whitehouse. In May last year he went back to NSA where he now serves as a senior advisor to the director of NSA for Cyber Security strategy.

Some of you may also know Rob for his blockbuster January 2016 conference talk “disrupting nation state hackers” back when he was heading TAO at NSA. Good talk, that one, and it’s on YouTube. (Link below.)

But gradually over the last couple of years Rob has emerged as a sort of friendly-face of NSA, at least as far as the infosec industry is concerned. He’s spoke at DEF CON last year, he often appears at events and on panels and he’s doesn’t seem terrified of actually comment on things.

This is a huge departure from the historical way agencies like NSA handled themselves. But as you’ll hear, Rob sees this new approach as being vital to the NSA’s current-day mission.

Topics covered include:

• DoJ indictments of foreign gov hackers
• 5G networks and Huawei
• Kaspersky AV
• Bloomberg’s Supermicro story
• Software and hardware supply chain security
• The USG aggressively burning adversary tools

We also have a sponsor interview for you this week with Zane Lackey, the co-founder of Signal Sciences. I guess you’d call these guys “next generation WAF,” more on that later… but Zane will be along a little bit later with some pretty incredible stats on the way security spending has changed over the last year or two. Money is just piling into appsec while spending on some other controls is actually reducing. It’s a sign of change.

Adam Boileau co-hosts this week’s Risky Business episode. We talk about:

• The Huawei indictments
• The epic Facetime logic bug
• The even more epic Exchange privesc bug
• CISA’s “fix yo DNS” directive
• Black Cube busted doing shady stuff to Citizen Lab
• Yahoo shareholder lawsuit settlement makes directors twitchy
• Internet filtering kicks off in Venezuela
• Much, much MORE!

This week’s show is brought to you by Thinkst Canary – they make hardware honeypots and the tools you need to deploy canarytokens at scale. They also make virtual honeypots! This week Thinkst’s founder Haroon Meer will be along to wave his finger at basically all of us over what he sees as the security discipline’s tendency to not really learn anything from security conferences. It’s “contertainment,” he says, followed by “GET OFF MY LAWN”.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Alex Stamos co-hosts this week’s episode. Topics discussed include:

• DNC says Russia tried to own its servers in November 2018
• South Korean Defence Ministry owned
• Lazarus Group busy in Chile
• West African banks suffer multiple intrusions
• Michael Cohen admits rigging online poll for Trump
• Nine charged over SEC hack
• More USG SSL certificates due to expire
• apt-get remote root RCE
• Don’t use your Garmin to scope your murder escape route
• Big plot twist in viral video outrage

This week’s show is brought to you by Duo Security, which I guess is now Cisco Duo Security. Wendy Nather - Duo’s head of advisory CISOs - will be along in this week’s sponsor interview to talk about a topic near and dear to my heart: victim shaming. That’s a good one so please do stick around for that.

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

This week’s podcast features Patrick and Adam talking about the week’s security news, including:

• Huawei staffer arrested for spying in Poland
• Conviction in DPRK SWIFT hack against Bangladesh central bank
• El Chapo used Flexispy to spy on mistresses and staff
• NSO group on charm offensive
• Iran hijacking DNS entries, conducting PITM with DV certs
• Kaspersky tipped NSA on Hal Martin
• US government certificates expire amid shutdown
• Idiot sentenced to 10 years prison for DDoSing children’s hospital

This week’s show is brought to you by Trail of Bits! Trail of Bits is a security engineering firm and consultancy based in New York. They aren’t a typical pen-testing firm, they build as well as break.

In this week’s sponsor interview JP Smith from Trail of Bits joins us to talk about the work he put in to CSAW. Not the Centre for Sustainable Architecture with Wood, which is a thing, but the Cyber Security Awareness Worldwide CTF.

JP is a sick man. He’s sick. You’ll hear about the mind-bending CTF challenges he put together for CSAW. Remarkably, some teams were actually able to solve his problems, some of which featured complex numbers mapped to a four dimensional unit sphere being used to drive the rotation of a virtual IBM Selectric typewriter golfball in Second Life. As I say, he’s a sick, sick man.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this week’s show Adam Boileau and Patrick Gray discuss the security news of the last few weeks, including:

• German politicians pwnt, suspect arrested
• Possible ransomware attack affects US newspapers
• Mass 2FA bypasses impacting Gmail users in Middle East
• Emergency warning system in Australia popped
• Ethereum Classic double-spend attack a sign of things to come
• EU to fund open source bug bounties
• Attackers steal details of 1,000 North Korean defectors
• Doing the Bloomberg hack for real at 35C3
• El Chapo should have used Signal
• Much, much more…

This week’s show is brought to you by Cylance! BlackBerry announced that it’s acquiring Cylance for $1.4bn (I don’t know if that’s closed yet) which is great news for all the founders and early employees there – some of whom I know reasonably well. So congrats to team Cylance on that!

But we’re not talking about that this week. Instead, Cylance’s very own Scott Scheferman joins us to talk about the MITRE ATT&CK framework and how it’s informing their product dev. There’s some product talk in that interview but there’s also some real meat there so I let it run long. Scott says we’re close to the terrible situation where security companies are going to start using MITRE ATT&CK as a marketing tool, like “Full MITRE ATT&CK coverage!”

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Soap Box is the podcast series we do here at Risky.Biz where we have detailed discussions with vendors about all sorts of stuff – sometimes it’s about their products, other times it’s about the landscape as they see it, other times it’s about research they’ve done that they want to promote. Soap Box is a wholly sponsored podcast series – just so you know – so everyone you hear on it, paid to be on it.

And this Soap Box edition is brought to you by Respond Software. We’ll be joined by Respond Software’s co-founder and CEO, Mike Armistead to talk about Respond’s tech. Mike has an interesting history in infosec… he actually co-founded Fortify, the software security firm, before winding up at HPE as the VP and General Manager for Arcsight, the poor fella. But he’s free now! Freeeeeee! And he’s co-founded the venture we’re talking about today.

So, what’s the idea behind Respond Software? Well, to break it down into really simple terms the whole idea is to take all the zillions of events your existing security kit flags and distill them down into meaningful alerts. To put this into context, Mike says that during the 30 days in the lead up to the interview we recorded, his customers fed two billion events into their Respond Software gear. Of those two billion events, Respond deemed 7 million of them worthy of escalation, and from there determined 45,000 were malicious, but then… and this is the cool part, this only resulted in 350 incidents raised by the Respond platform. From 2 billion to 350.

So it’s a great idea – tune out the crap and look at meaningful correlations. Automate the decision making around what’s serious and what’s not. You’ve got all this gear, maybe you’ve got something aggregating it, but what’s applying decision logic to it?

Mike sent me a list of software Respond currently supports: all manner of IDSes, AV and EDR suites and then other stuff that gives their software the context it needs to make better decisions, like active directory, Nessus, Qualys, Splunk, QRadar… whatever! The idea is, plug ALL your over-alerting crap into Respond Software’s gear and it’ll do a good enough job of correlating events that you’ll only have to deal with what’s real. Well, that’s the pitch. Mike Armistead joined me to to flesh it out a bit more.

This is the last weekly Risky Business podcast for 2018. We’ll be posting a Soap Box edition early next week then going on break until January 9.

In this week’s show Adam Boileau and Patrick Gray discuss the week’s security news:

• Huawei’s CFO arrested over sanctions violations
• BT in the UK removes Huawei equipment from 4G network
• Australia passes controversial surveillance law
• US House Oversight Committee blasts Equifax in scathing report
• Bloomberg plays word-games on Super Micro story
• MOAR

This week’s show is sponsored by Bugcrowd. In this week’s sponsor interview Bugcrowd’s CTO and founder Casey Ellis tells us why his company is launching “pay for effort” products to run alongside bounty programs.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers is the podcast where we get a bunch of vendors together to pitch their stuff – they all pay to participate, just so you know – and today we’re going to hear three pitches from tech companies: one from Forticode, one from Exabeam and one from SentinelOne.

That’s right, we talk to vendors to get their best pitches so you don’t have to!

Forticode joins us to pitch its Cipherise platform – applied PKI wrapped into a slick mobile platform that helps large organisations authenticate their users, and helps their users authenticate them.

Exabeam will be talking about how they’re doing more device analytics in their SIEM platform and SentinelOne will be talking about how they differentiate themselves in the highly competitive EDR space.

Links to all of these companies are below.

This week’s show features Patrick Gray and Adam Boileau discussing the week’s security news, including:

• The Marriott, Quora, Dell and Sky Brazil data breaches
• Kashoggi associate to sue NSO Group
• Australia’s AA Bill set to pass
• NZ give Huawei the boot
• AutoCAD malware targets key verticals
• Republicans’ 2018 campaign hacked
• Czech government blames Russia for intrusions into key systems
• Horror-show bug in Kubernetes

This week’s show is brought to you by Duo Security, big thanks to Duo for that! In this week’s sponsor interview we’ll be chatting with Duo Security’s very own Dave Lewis about some Beyond Corp stuff. Beyond Corp is the enterprise computing model of the future and Dave will be along after this week’s news to talk about some of its finer points.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This is the first part of our final Snake Oilers edition for 2018.

Snake OIlers, for people don’t know it, is the podcast where vendors pay to come on to the show to promote their wares. This series actually turned out to be way more popular than we expected. People quite like listening to security companies actually explaining what they do in clear terms.

We have six vendors participating in this last round of Snake Oilers for the year – we’ve split the podcast into two podcasts containing three vendor pitches each, and in this part you’ll be hearing pitches from Rapid7, WhiteSource and Chronicle.

• Dan Kuykendall of Rapid7 talks InsightAppSec, its DAST solution.
• David Habusha of WhiteSource talks software composition analysis
• Brandon Levene of Chronicle on VirusTotal Enterprise

Part two is up next week!

We’ve got a slightly different edition of the show this week – Alex Stamos is filling in for Adam Boileau this week in the news slot.

Most of you know him as Facebook’s recently departed chief security officer. Alex also served as the CSO at Yahoo for a time, but his security career stretches back a long way. He co-founded iSEC Partners back in 2004, and before that he did some time with @Stake.

The @Stake mafia is everywhere.

These days Alex is an adjunct professor at Stanford University. He joined me to talk about the week’s security news, as well as to have a chat about the Edward Snowden disclosures, five years on.

This week’s show is brought to you by Thinkst Canary, big thanks to them for that. And instead of one of their staff being on the show this week in the sponsor chair, they asked me to interview this week’s sponsor guest, their customer, Mike Ruth, a security engineer with Cruise Automation.

Mike did a presentation at a conference called QCon recently all about automating the deployment of canary tokens at scale using some nifty CI/CD tricks. He’ll be joining us after the news to tell us all about that.

Items discussed in this week’s news:

• NSO Group busted to selling to Saudi Arabia
• NSO malware targets Mexican journalists
• Edward Snowden claims NSO connection in Khashoggi case
• Australia’s AA Bill latest
• npm supply-chain attack targets Bitcoiners
• Guardian reports Manafort met Assange, denials, lawsuits flying already
• UK parliament seizes Facebook documents
• Uber fined over 2016 breach coverup
• UK cops decline to charge bug reporter
• USPS finally fixes data exposure after Krebs intervention
• Rowhammer attack bypasses ECC protections
• Bloomberg is investigating its own reporting on Supermicro
• Magecart is everywhere
• Google, Mozilla plan browser access to file systems

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This Soap Box edition is brought to you by AttackIQ.

AttackIQ is a five-year-old company that makes an attack simulation platform. The idea is you agitate a network with suspicious traffic and activities, then measure what the response looks like on the other side. As you’ll hear, Stephan argues this is a better way to test your controls than trying to do it after an incident has been and gone.

Mostly people are using it to verify the effectiveness of their security controls. They already have endpoint security software, IDS, various monitoring bits and pieces, but quite often this stuff just isn’t tuned right. So, you throw some attack traffic and behaviour at your systems and see what bubbles up

One piece of work that has been absolutely vital to AttackIQ’s success is the MITRE ATT&CK Matrix. Like AttackIQ, the ATT&CK Matrix has been around for five years.

Stephan Chenette is AttackIQ’s CTO and he joined me to talk all about how they’re trying to use the ATT&CK Matrix to drive their whole outlook, and, conversely, how they’re spending time talking to MITRE about where the whole thing is going.