Risky Business #500 -- Web asset discovery is getting useful

Shubham Shah and Lord Tuskington on how better continuous asset discovery can change security testing...
23 May 2018 » Risky Business

In this week’s feature interview we’ll be chatting with Shubham Shah and his friend Lord Tuskington about continuous asset discovery’s impact on testing methodologies. Shubs has worked as both a pentester and as a very successful bug bounty hunter. In fact, he’s built an entire asset discovery platform that he and his buddies have been using to rip crazy amounts of cash out of bounty programs over the last few years, and he’s turning that platform into a product. So I wanted to talk to him about that, but I also wanted to get a pentester’s perspective on how this type of continuous asset discovery tech could change the testing industry.

This week’s show is brought to you by Exabeam, a next generation SIEM company! And it’s amazing how nicely this week’s feature and sponsor interviews dovetail, actually, because Exabeam’s Steve Gailey will be along in this week’s sponsor interview to have a chat about how SIEM technology has changed much faster than SOC operations methodologies. Because basically everyone has structured their operations around three levels of response and the workflows are so ingrained, nobody seems to know what to do with a next generation SIEM.

Adam Boileau is also along, like always, to talk about the week’s security news.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes

Alleged CIA Leaker Joshua Schulte Has Some of the Worst Opsec I’ve Ever Seen - Motherboard
Accused CIA leaker Joshua Schulte accused of more leaks
Alleged CIA Leaker Tweeted That Chelsea Manning ‘Should Be Executed’ - Motherboard
Trump feels presidential smartphone security is “too inconvenient” | Ars Technica
Trump, Chinese leaders moving forward on deal to save ZTE - The Washington Post
House measure asks DHS to share info on potential ZTE cyberthreat
Potential Trump deal to ease sanctions on China's ZTE riles Congress
Revealed: Pentagon Push to Hack Nuke Missiles Before They Launch
Banks Adopt Military-Style Tactics to Fight Cybercrime - The New York Times
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US - Motherboard
LocationSmart bug allowed for leak of location data for nearly any U.S. phone - CyberScoop
Who's Afraid of Kaspersky? - Motherboard
New speculative-execution vulnerability strikes AMD, ARM, and Intel | Ars Technica
After Arrest in Serbia, Netflix Hackers ‘The Dark Overlord’ Say They’re Still Going - Motherboard
Cisco's Talos Intelligence Group Blog: TeleGrab - Grizzly Attacks on Secure Messaging
North Korea-tied hackers used Google Play and Facebook to infect defectors | Ars Technica
The Wayback Machine is Deleting Evidence of Malware Sold to Stalkers - Motherboard
Latvian national convicted of running 'VirusTotal-for-criminals' malware scanner
Alphabet's Jigsaw offers political campaigns free DDoS protection
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account — Krebs on Security
Karin Kosina on Twitter: "So the guy behind the Carbanak malware that stole hundreds of millions of dollars? He was caught because he bought a car for 70k and didn't pay the bill. Can't make this sh** up :) #opsec #fail https://t.co/rRmFzywmVI"
GPON Routers Attacked With New Zero-Day
Cisco fixes critical ‘DNA’ software flaws
Pakistan: Campaign of hacking, spyware and surveillance targets human rights defenders | Amnesty International