We’ve got a great podcast for you this week. Tanya Janca will be talking about some volunteer work she’s been doing with a Canadian government panel on getting security content into children’s school curriculums.

In this week’s sponsor interview we’ll be talking with Ferruh Mavituna of Netsparker.

They launched Netsparker Cloud a while ago so now they have some decent telemetry I wanted to ask Ferruh what he’s found surprising now he’s sitting on a mountain of scan results. The types of bugs being turned up aren’t really a surprise, but the extent to which old software is a problem was actually pretty surprising to him. He knew it was bad, he says, but he didn’t know it’s this bad.

Adam Boileau, as usual, joins the show this week to talk about all the week’s security news:

• More Chinese MSS officers indicted by the US DoJ
• ASD chief speaks publicly on 5G Huawei ban
• China playing funny buggers with BGP
• Russia is still messing with the US during the midterms
• Facebook boots more Iranian influence pages
• New privacy features in Signal
• Plus much, much more!

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate. They sometimes want to talk about their products, other times they want to talk about general ecosystem stuff, other times they want to talk about research they’ve done.

And that’s what’s happening today! Olabode Anise is a data scientist at Duo Security. He and his colleague Jordan Wright put together a talk for Black Hat this year all about Twitter bots. It was called Don’t @ me, hunting Twitter bots at scale.

As you’ll hear, finding bots on Twitter at scale isn’t that hard, but doing so with 100% confidence isn’t as easy as you’d think.

You can check out a blog post from Olabode in the show note below.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• CYBERCOM doxing Russian operators. No, really.
• Arrest over Russian midterm info-op
• Bloomberg dumpster fire is now a tyre fire
• Equifax insider sentenced for insider trading
• Twitter releases bot dataset
• Saudi insider responsible for 2015 Twitter breach
• Trisis/Triton now linked to Russia
• Kaspersky doxes NSA op
• Risky Business cited by Senate Estimates, AA Bill faces possible delay
• Much, much more!

This week’s show is sponsored by Cylance, and this week’s sponsor interview is with Josh Lemos.

That’s an interesting chat – Cylance has succeeded in applying machine learning to classifying binaries, but what next? Where does it make sense to apply machine learning next, from their point of view? As you’ll hear, a binary classifier is one thing, but applying ML to something like endpoint detection and response or network traffic is actually a lot more complicated.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• More info on the Facebook token hack
• Facebook boots “Russian Cambridge Analytica” off platform
• Chinese MSS officer extradited to USA after being lured to Belgium
• NotPetya linked to Sandworm crew
• Czech intelligence services kill Hezbollah APT
• Pentagon travel records pwnt
• No, Khashoggi’s Apple Watch didn’t record his death
• Apple takes aim at Australia’s AA Bill
• US voter records for sale in hack forums
• PHP 5 support ends soon, netpocalypse to commence shortly afterward
• The world’s most hilarious libssh bug
• PLUS MOAR

This week’s show is sponsored by Senrio.

Senrio is best known for doing IoT identification, classification, visualisation and anomaly detection, but they’ve now applied the same approach to general IT. Stephen will be along later in the show to talk about what they’ve been able to engineer here. I’ve actually been working with them on this (in a limited capacity) for a few months and it’s very interesting stuff.

So yeah he’s talking about a feature release, then he’ll be releasing some open source tooling that mine your network metadata and spot interactive shells in your environment, which is handy, and then he’s going to preview some free training he’s doing with some other very well respected security people in New York soon.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Bloomberg’s shaky, disputed report on hardware back doors
• A look back on other false reports about imaginary incidents published by Bloomberg
• GRU operations doxed by GCHQ
• DOJ charges Russian intelligence officers
• APT crews targeting MSPs
• Google+ API exposure the final straw
• Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

In this podcast hardware security expert Joe Fitzpatrick, a named source in Bloomberg’s “Big Hack” piece, explains why he felt uncomfortable reading the story when it was published.

He also provided Risky.Biz with emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This soap box edition is brought to you by Trend Micro.

And in this edition we’re speaking with Dustin Childs who works for the Zero Day Initiative. ZDI is the entity responsible for the pwn2own competition. But not just that – they’ve been buying bugs since before it was cool. Everything from enterprise software, to linux bugs.. whatever. You find it, they’ll buy it.

Trend Micro actually owns the ZDI, and there’s a story right there in how that came to pass… but you know what? Trend seems to really be behind the ZDI program.

As you’ll hear, the original idea behind ZDI when it was a TippingPoint thing was so they could write IDS signatures for vulnerabilities that ZDI unearthed. We know today that spinning up sigs for bugs you’re paying for isn’t really a winning strategy for picking up 0day attempts against your computers, so, the question becomes, what do you do with a program like ZDI when you’re Trend Micro?

As it turns out, you do two things with it – there’s the marketing side, but there’s also the constant stream of exploit submissions that come in handy when you’re making endpoint security software.

We’ll also be hearing from Eric Skinner in this podcast – he’s Trend’s VP of Solution Marketing at Trend. Trend is pushing a major release of its endpoint security software and he’s along to spruik that a bit, as well as chiming in on some of the ZDI stuff.

In this podcast I interview Stephen Ridley about Bloomberg’s blockbuster – but so far uncorroborated – story about possible hardware supply chain subversion by the Chinese government.

I also lay out some facts I’ve learned since the story broke.

[CORRECTED] I’ve added a correction to this podcast because the only source I could turn up who would corroborate the Bloomberg piece has retracted their claims.

This is a source who has provided me with good information in the past, I’ve known them for about 15 years and they’re very well plugged in. They showed me photos they said were from a teardown of a supermicro motherboard. These photos showed an unlabelled integrated circuit the source said was likely a hardware back door.

Further, the source said there were other problems with the Supermicro gear, including vulnerable firmware and security functions that just didn’t work properly.

Now the source says the photos were from different equipment, not their teardown of the Supermicro gear, and that they did not find hardware back doors on the Supermicro equipment.

So basically that source’s credibility with me is pretty shot right now, and the best I can do is retract my repetition of the source’s claim that they had verified backdoors in the Supermicro equipment.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Facebook breach impacts 50m accounts
• US courts deny authorities’ attempted FB messenger wiretap
• Uber fined $148m for nondisclosure of 2016 breach
• Fancy Bear-linked UEFI malware appears in wild
• UK Conservative party conference app leaks like sieve
• Twitter bans distribution of “hacked material”
• VPNFilter botnet gets more capabilities
• Duo arrested over $14m cryptocurrency SIM-swap heist
• MOAR

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Former NSA staffer gets 66 months over incident at heart of Kaspersky scandal
• Zoho has a very bad week
• Telco lobby group raises some legit concerns over Australia’s “anti-encryption” legislation
• Twitter API leaks DMs
• Equifax fined by UK
• Yubikey 5 enables passwordless Windows logins
• Privacy International has an aneurism
• NSS Labs launches antitrust suit against security software makers
• MOAR

This week’s show is brought to you by Rapid7.

Jen Andre is this week’s sponsor guest. She was the founder of Komand, which was a security automation and orchestration company but is now a part of Rapid7 as of about mid way through last year. I spoke to Jen a bit about how she came to start Komand and where the security automation and orchestration discipline is at right now.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate.

Our guest in this edition is Jerrod Chong, the SVP of product at Yubico, the makers of Yubikeys. We were originally going to publish this Soap Box with Yubico a few weeks ago, but we delayed it for a very good reason.

This podcast is going out at the same time as a press release from Yubico – they’re releasing the Yubikey 5, and it’s a very significant update.

Regular listeners would have heard me talk about seeing Yubico’s booth at Black Hat – it was like a mosh pit, and I think there are two reasons for that. Firstly, they were giving away keys, (haha) but secondly, they were demonstrating FIDO2 Windows logins over NFC.

With the launch of the Yubikey 5, Yubico has actually delivered passwordless logins for Windows networks. You can do tap only via NFC, tap and pin via NFC, or you can roll old school with USB.

So, Jerrod Chong joined me for this conversation. We talk about the Yubikey 5, and more broadly about the future of authentication and authentication devices.

We’re going to be talking to two people in this podcast and the topic is, for the most part, the introduction of pointer authentication on the latest Apple iPhones. This is a development that flew under the radar of most of the infosec media and it’s significant because it is going to basically wipe out ROP exploits as we know them. There’s no such thing as a perfect mitigation, but Apple has leveraged some recent ARM features to really lock down their devices.

In addition to the pointer authentication suff they’ve also made some changes that will affect the ability of companies like Cellebrite to unlock phones. Again, this won’t kill unlocks completely, but in one release Apple really has made life a lot harder for people in the offence game.

This will eventually have some consequences for the crypto debate. These devices are just getting more and more secure through some really cool engineering.

So we’ll be talking to Chris Wade about this, he’s the brain behind Corellium, an iOS emulator. His clients include everyone from exploit developers to the publishers of very popular iOS applications. If you want to back-test an app change on 15 different versions of iOS Corellium is the way to do that… or if you want to, you know, test your latest 0day it’s good for that, too.

Then we’re going to hear from Dr. Silvio Cesare of Infosect here in Oz. He’s going to talk about whether we might see similar mitigations on intel and weigh in on Apple’s changes.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Citizen Lab drops NSO Group report
• “Weaponised Stuxnet” claims are idiotic
• Another State Department email breach! Drink!
• Dutch foil planned attack against Swiss Novichok lab
• Mirai botnet authors working for FBI
• US telcos want to be consumer auth brokers
• US fails to extradite “Mr Bitcoin”
• Much, much more

This week’s show is brought to you by Remediant. They make a just-in-time access solution for privileged account management (PAM), and we’re doing something a little different in this week’s sponsor interview.

Paul Lanzi of Remediant will be along, but so will Harry Perper of MITRE corporation. Harry’s pay-cheques say MITRE, but he’s been working on a NIST project. The National Cybersecurity Center of Excellence (NCCoE) at NIST has been working on a project to provide guidance on the secure usage and management of privileged accounts. The so-called 1800-18 document is a practical guide and reference architecture for privileged account management and we’ll talk to both Harry and Paul about that after the news.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

[**PLEASE SEE BELOW FOR A CORRECTION**]

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• The DPRK indictment and subsequent fall out
• British Airways gets owned
• Webauthn hits some roadblocks
• The latest action from Washington DC
• Trend Micro has a bad time
• Tesla pays out for key-fob clone attack
• Tor browser 0day hits Twitter
• Much, much more

We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

CORRECTION:

The original release of this podcast included discussion of some rumours that turned out to amount to nothing. We had mentioned three data points:

• The CISO of American Airlines, Dan Glass, departing a few weeks ago
• Someone I know had their AA/Citi credit card re-issued, despite saying they only ever used that card to buy AA fares
• A rumour an FBI computer crime investigator is on site at American Airlines

Well, it turns out Dan Glass is a listener, and he got in touch with us after the podcast ran to clear this up. He says the reason he left is actually because AA was offering some very attractive redundancy packages. Following AA’s merger with US Airways the combined group eventually found itself in the position of having too many executives. As many listeners will know, being a CISO is a pretty hardcore job so Dan jumped at the chance to bounce out and have some time off.

As for the FBI being on-site, Dan says that’s not unusual. They’re one of the largest airlines in the world so they’re frequently liaising with LE. As for my pal’s card getting re-issued… who knows?

The point is it looks like these rumours and data points don’t actually add up to much. This is why I rarely run rumour in the podcast and at least try to do some verification. In this case I just didn’t have time, but still, I just should have just held it over until I’d had a chance to make some basic enquiries. It was sloppy. Sorry.

In particular I’d like to apologise to the fraud teams who may have been asked to follow this up, the PR teams who’ve no doubt been fielding questions about this and also to Dan Glass. Although, it must be said Dan and I had a very nice chat and he didn’t seem upset. Thanks for being a chiller, Dan!

Again, I’m sorry. I’ll do better in the future.

Pat

On this edition of Snake Oilers we hear from three companies, and for one of them, it’s actually their product launch!

Assetnote is a cloud asset discovery and security scanning platform spun out of the bug bounty community. If you’re a CSO with any large public attack surface you’ll really want to hear about that one. This platform finds things you didn’t even know your company had online in cloud environments and then scans them for real, actual RCEs. The user interface is awesome, too.

Then we’re going to hear from Pedram Amini of InQuest – they make a box that reassembles files from network packets captured off the wire or funnelled in through ICAP and then rips them to bits looking for badness. They call it deep file inspection and it’s a great way to supplement client side detection, at scale. You can even pass these reassembled files on to multi-AV or cloud services and use this platform to do spot threat hunting. It’s very powerful stuff, and honestly that’s an interview that got me thinking in a new way about detection concepts.

And then finally we’re joined by Omaru Maruatona of Aiculus. Omaru has a PHD in applying machine learning to bank fraud that he obtained while working for one of the big four banks here in Australia. After that he moved on the PwC as a penetration tester and now he’s running Aiculus. Aiculus has developed an API proxy that uses machine learning to detect funky calls. If you’re not satisfied that your API gateway has you completely covered then yeah, you’ll want to listen to that one.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Five Eyes nations send a clear message on encryption
• Massive Azure outage
• FBI releases political campaign security guidance
• Google wants to kill the URL
• MEGA.nz plugin owned sideways
• Final “Celebgate” hacker sentenced
• Google launches font fuzzing tool
• Chinese-made Google/Feitian U2F keys under scrutiny
• Some interesting TPM research
• MUCH MORE

This week’s podcast is brought to you by AttackIQ.

AttackIQ founder Stephan Chenette will be along in this week’s sponsor interview to talk to us about a few things – the MITRE attack matrix being one. He’ll also share with us his view that EDR is the most commonly misconfigured security technology he sees out there, and he has pretty good visibilty into things like that because AttackIQ, of course, makes attack simulation software designed to measure the efficacy of these types of solutions.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers, mean the developers of non-Windows-based malware have been pretty busy lately

In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an empirical study of non-Windows malware.

They downloaded hundreds of daily candidate samples from Virus Total for a year, resulting in a dataset of more than 10,000 binaries and a tool called Padawan, an automated framework for dynamic analysis of non-Windows malware.

The researchers presented findings earlier this year at the IEEE Symposium on Security and Privacy, and more recently at reverse engineering conference RECon in Montreal. Risky Business contributor Hilary Louise recently caught up over the phone with France-based EURECOM doctoral student Emanuele Cozzi who says the land of Linux-type malware analysis is a bit of a nascent field.

We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right in to the sponsor interview with Zane Lackey of Signal Sciences.

A bunch of you heard my long form, Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good thinking and advice, that interview, so do stick around for it.

Adam Boileau will join the show to recap the week’s news:

• Australia and Japan to ban Huawei from their 5G builds
• Struts bug: Big deal or meh?
• Voting machine maker ES&S rebuked by researchers AND US gov
• The DNC phish that wasn’t
• Recapping Andy Greenberg’s Maersk/Notpetya coverage
• Instagram adds real 2FA
• Windows privesc 0day on teh twittarz
• T-Mobile pwned harder than it initially admitted
• Log in to Windows with Google accounts
• Some hilarious Lazarus group shenanigans
• Much, much more

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

We’ve got two vendors pitching their wares in this edition of Snake Oilers. First up we’re talking to Rapid7 about its vulnerability scanning and management software. They’ve made some changes and they’ve got a couple more coming. This is bread and butter infosec stuff.

Then we’re going to hear from the team at ITProTV. They’re a video-based online training site, pitching themselves as like a Netflix but for online training. Instead of instructor-led training, they try to make stuff less dry – half hour training videos with two instructors on all sorts of topics.

The online training video sector is just booming right now, and ITProTV’s co-founder and “edutainer” Don Pezet will be along to walk through all of that.

Both of these companies are tracking enquiries originating from the podcast, so please do use the URLs in the show notes below if you’re interested in learning more.

In this podcast you’ll hear an interview I did with Bob Lord, the Chief Security Officer for the Democratic National Committee, the DNC. Bob has previously served as the CISOs for both Yahoo and Twitter, before spending some time in vendorland with Rapid7 as their CISO in residence.

The state-sponsored attack against the DNC is without doubt the most politically consequential data theft event the planet has ever witnessed. It trumped both the Manning/Wikileaks disclosures and “climategate” in terms of impact, and indeed to a large degree the fallout of the DNC hack is still ongoing.

So, I wanted to bring Bob in to talk about his job.

The DNC isn’t a large organisation, in a head office sense. They have about 200 core staff members, but as you’ll hear, a political organisation’s IT setup is pretty atypical. So Bob and I mostly just spoke about how one handles security for an organisation like the DNC.