On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• IDF takes out Hamas cyber HQ (Features commentary from Bobby Chesney and Klon Kitchen)
• NYTimes mangles Symantec’s “Buckeye” research
• Lots of dark web arrests
• SAP exploits not all they’re cracked up to be
• Magecart-style attacks spread to other platforms
• Tech-led crackdown on Chinese-muslims intensifies
• Japan to create “defensive malware”

This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

This isn’t the regular weekly risky biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors!

In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, that one used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it?

Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them.

In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product.

Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception hybrid hardware/consulting, that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Docker Hub owned
• That Confluence bug we were talking about a couple of weeks ago got wormified
• Oracle WebLogic users also having a bad time
• Cloudflare faces investor pressure over providing services to Nazis
• Slack warns investors of possible nation-state attacks against it
• Norsk Hydro puts dollar value on ransomware incident
• Bloomberg publishes another ridiculous security story
• Much, much more!

This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd.

As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay.

But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Marcus Hutchins faces his milkshake duck moment
• Iranian APT crew gets Shadowbrokersed
• DNS interference campaign is actually two large-scale actors
• UK to use some Huawei components in 5G build
• French Government launches comms app for politicians, it doesn’t go well
• More detail on CCleaner/ASUS crew
• Carbanak source found on VT (lol)
• Wall Street Market exit scams
• BEC costing US firms $1.3bn PA
• Much MOAR!

This week’s show is brought to you by Signal Sciences, their CEO Andrew Peterson will be along in this week’s sponsor interview to have a bit of a chat about how a lot of traditional enterprises are running serious business web app shops these days.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this edition of Snake Oilers you’ll be hearing from three vendors offering what I believe to be excellent security technology. I haven’t personally used this tech, but conceptually everything featured in this edition is The Good Stuff. You’ll see. Or hear. You know what I mean.

First up we’ll be hearing from CMD, they make killer software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts you have to run on your Linux fleet terrify you? Well, this is a solution for that. There’s a visibility component there, too.

Then we’ll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics, but they’ve expanded their tech and now offer IP-based and http request-based analytics. You can deploy AlphaSOC as a Splunk app or hook up to their API any other way you want. They’re offering free trials, but even when you’re on the paid service it’s actually pretty affordable.

The brain behind AlphaSOC is Chris McNab who used to run incident response at NCC Group. He’s seen how the planes crash into the mountains and he has created a product that performs eminently sensible analysis on your traffic and metadata to alert you to badness.

Then finally we’ll be hearing from Nucleus. This is a new company and if your job is managing vulnerabilities and vuln scanners in your org then straight up, just skip to the Nucleus interview immediately. They’ve created a web app that normalises vulnerability scanning information. It’ll take the outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Qualys, Acunetix AND others.

It ingests all of this data, normalises it, then plumbs these alerts through to the right people through a multitude of different ticketing systems. If your’e stuck in the 7th layer of Sharepoint or Spreadsheet vulnerability management hell, this is a solution to your problems. You will weep salty tears of joy when you hear this one. Free trials of Nucleus are also available.

Links to the companies featured are below!

On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news:

• Julian Assange arrested, likely to be extradited to the USA
• Krebs: Breach at outsourcing firm Wipro
• WordPress 0day drama causing serious headaches
• Silk Road 2’s “DPR2” sent to slammer
• More from Kaspersky SAS

This week’s show is brought to you by Thinkst Canary! Thinkst founder Haroon Meer will be along in this week’s show to talk about the effect venture capital is having on the security ecosystem. He thinks VC money often makes weak ideas look strong, and in a market where it’s quite difficult to make informed purchasing decisions, that’s not a good thing.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this week’s show Patrick Gray and Adam Boileau recap all the infosec news of the last three weeks, including:

• Chinese woman arrested at Mar-a-Lago being very shady
• The ASUS supply chain attack
• Flame-related malware lived on longer than expected
• boostrap-sass Ruby gem backdoored
• Latest on Norsk Hydro and other victims of the same crew
• More trouble at Toyota
• Huawei spanked by UK oversight panel
• Exodus govvie malware affects Android and iOS
• Plus much, much more

This week’s sponsor interview is with Kumud Kalia, the Chief Information and Technology Officer of Cylance. They actually dropped a really interesting product announcement at RSA a few weeks back and Kumud will be along later on to tell us about that. The tl;dr it’s an agent that models endpoint behaviour so when someone - or something - else starts using that endpoint to do things that don’t fit the user profile, action can be taken.

It’s the type of tech concept that normally belongs in academic papers, not in actual products people can actually buy. That’s an interesting chat.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

This is a wholly sponsored podcast brought to you by Duo Security.

WebAuthn is a new multifactor authentication standard for the web that is all rooted in very smart encryption tech. Some of you would already be using similar authentication standards in apps without even thinking about it, like doing biometric authentication in your banking apps. You want to log in via your app and it scans your face to auth you, that sort of thing. WebAuthn makes those types of authentication actions available to users through the browser.

It’s now an official W3C standard supported by most browsers. It’s the future of auth on the Web.

Duo Security has been involved a little bit with the standards process and in this edition of the Soap Box podcast you’re going to hear a nearly hour long conversation between myself, Nick Steele and James Barclay who are Duo’s resident Webauthn dudes at Duo Labs.

I hope you enjoy this conversation.

In this week’s show Patrick Gray and Alex Stamos discuss the week’s news, as well as discussing the rise of white supremacist communities and propaganda on the Internet and what can be done about it.

News:

• Norsk Hydro ransomwared
• Huawei ban gets more and more political
• APT40 hitting USA hard
• Cyber Command’s Euro road-trip
• Kremlin interference in EU elections extremely likely
• US Senators seek information on breaches targeting them
• Cloudflare won’t pull service from 8chan in wake of NZ attack
• Beto O’Rourke was cDc member
• New Mirari variant
• 150 million Android devices hosed by new malware
• Much, much more

This week’s show is brought to you by Chronicle Security! We’ll be joined by Chronicle co-founders Shapor Naghibzadeh and Mike Wiacek. They had a tremendously successful launch at RSA and they’re going to pop in to tell us about some near future plans they have for their Backstory product.

Links to everything are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news:

• Chelsea Manning back in jail
• Citrix owned, Resecurity claims it was Iran. Again. Because reasons, apparently.
• Huawei politics get messy
• EXCLUSIVE: Toyota Oz, other carmakers likely targeted by APT32 (Vietnam)
• Much, much more

This week’s sponsor is Senetas. They make layer 2 encryption gear but recently made a US$8m investment into Votiro, a Content Disarm and Reconstruction (CDR) play. Votiro CEO Aviv Grafi is this week’s sponsor guest. He stops by to explain CDR tech.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news:

• The NSA isn’t that interested in phone metadata anymore
• More Chinese mass surveillance data leaks
• Chelsea Manning, David House subpoenaed over Wikileaks
• Quadriga cold wallets were actually empty at time of founder’s death
• NSA deployed “rm -rf / shark” at Internet Research Agency
• HackerOne follows Bugcrowd into pentesting
• NSA releases Ghidra
• Much, much more!

This week’s sponsor interview is with Chris Kennedy, AttackIQ’s CISO and VP of customer success. And we’ll be talking about a few things really, like about how continuous validation of security controls like monitoring is a good thing. Everyone uses software like Tenable to verify patching, why not do the same for your monitoring?

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this edition of the show we’re playing a small part in Chronicle’s launch of its flagship product, Backstory.

Chronicle is of course the security spinoff of Google’s parent company, Alphabet. The launch of Chronicle itself was announced about a year ago, but until now it’s only really had one product: Virus Total Enterprise. That all changed today when Chronicle launched Backstory at the RSA conference in the USA.

I was lucky enough to see a demo of Backstory before we recorded this interview last week, and I’m going to characterise it in a way that Chronicle probably won’t like, but it’s basically a cloud-SIEM, albeit a very good one.

Backstory ingests logs from a bunch of data sources – DNS lookup information, DHCP info, your EDR logs (from your Crowdstrike or Carbon Black software), web proxy logs, firewall alerts – and then it structures this stuff so you can make use of it. You get nice pointy-clicky timelines and useful visualisations. That’s handy enough, but keep in mind your logs are now with the company that is responsible for Virus Total. They have some pretty good intel, and they can now apply various IOCs to the logs you’ve submitted.

So one obvious use case for Backstory is doing the type of threat hunting threat hunters like to do, but beyond that, this is likely going to become a pretty useful alerting platform.

On this week’s show Adam and Patrick discuss the week’s security news:

• Cyber Command kicks the IRA off the Internet on election day
• WSJ reporting on Iran vs Australia likely incorrect
• Two Russian cybersecurity professionals sentenced over treason
• DPRK spearphishing US summit participants
• LOTS of technical news and research this week

This week’s show is brought to you by Remediant. Their CEO Tim Keeler will be along in this week’s sponsor segment to talk about how they’re doing “virtual directory binding” to make managing Linux accounts via Active Directory less traumatic. If you’re struggling with horrible, horrible PAM solutions in your devops environments have a listen to that one.

*** NOTE FROM PAT: I made some mistakes in the recording phase of this week’s show. As a result, my vocal audio is pretty atrocious. Sorry! ***

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Adam Boileau is along this week to discuss the week’s security news, which also features comment from Dmitri Alperovitch, Klon Kitchen and The Grugq. We cover:

• Former USAF counterintelligence official indicted over spearphishing, leaking secrets
• Australia’s major political parties targeted by APT crew that totally isn’t Chinese. (It’s Chinese)
• More on the Iran DNS hijacks
• Venezuelans phished by their own government
• China’s mass surveillance of Uyghur Muslims laid bare in data leak
• Millions of Swedes have their healthcare help-line calls exposed
• Bank of Valletta dodges a bullet, catches fraudulent transfers
• VK gets Samy’d
• Calls for GDPR-like law in USA
• Marcus “Malwaretech” Hutchins has a bad week

This week’s sponsor interview is with Jason Haddix of Bugcrowd. He’ll be along to talk a little more about what Bugcrowd calls next-generation pentests. They claim one of their tests is sufficient for compliance purposes under PCI, ISO or NIST and they’ve had a third party auditor prove that for them. They also say the service has really taken off despite being launched only a couple of months ago.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Adam Boileau is back in the news seat this week. We talk about:

• Amazing Reuters report on UAE’s “Project Raven”
• Bezos’ dick pics, Saudi Arabia and a creepy brother
• US government security staffers play post-shutdown catch-up
• Krebs: National Credit Union Administration probably pwned
• Russia to test complete disconnection from wider Internet
• China suspected of involvement in Australian parliament hack
• Trump likely to ban all Chinese telco equipment makers from US builds
• Lasers
• Google: iOS privesc 0days were in wild
• $145m in cryptocurrency lost forever due to exchange CEO death
• VFEmail has a very bad day
• Facebook/Apple cert wars
• MORE

This week’s show is brought to you by AustCyber, a nonprofit funded by grants from the Australian government. Its goal is to promote Australia’s cybersecurity industry.

AustCyber CEO Michelle Price will be along in this week’s sponsor interview to tell us all about what they’ve got planned for RSA.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

As regular listeners know, this isn’t the regular weekly Risky Business podcast, all Soap Box podcasts are paid promotions. We ran 10 of these last year, we’re running more of them this year – the total number is up to 14, but we’re running fewer of our other promotional podcast Snake Oilers.

In this Soap Box podcast we’re chatting with a company with a legitimately fascinating origin story.

You remember how in 2017 and 2018 people were running all these shonky initial coin offerings where they’d sell off millions of dollars of crypto tokens on the basis of a two minute video and a whitepaper? What happened in a lot of these cases is after the ICO the founders would take the money, launder it and move to the Bahamas.

Well, Polyswarm raised its money in an ICO. About $26m US dollars (!!). And, because they weren’t mainlining the ICO Kool-Aid, they cashed out about half of what they raised into real money before cryptocurrency values crashed.

Instead of moving to the Bahamas, they actually stuck around to build the business that tokenholders had chosen to fund. Their token value has crashed like everyone else’s has, but that doesn’t matter – they’re funded, and because of their unconventional funding source they don’t have a whole bunch of venture capitalists breathing down their neck.

So, what’s the business? It’s a marketplace for threat detection. Yes, my pinned tweet says “I do not want your blockchain expert as a guest on my podcast,” and yes, this company does use blockchain fairy dust, but as you’ll hear, the blockchain element to this business isn’t really what it’s about. Indeed, the founder and CEO of Polyswarm, Steve Bassi, says he would find life a lot easier in many ways if they weren’t actually using blockchain tech here as a marketplace enabler. He’s also banned himself from ever attending a blockchain conference again in his life.

Ok, so what is the Polyswarm marketplace and how does it work. As you’ll hear in this interview it took me a bit to actually understand exactly what they’re doing here, but what they’ve essentially built is a marketplace for AV. The best way to explain this is to just explain how it works. If you’re an enterprise client or an MSSP you can submit a sample to this marketplace. You’re submitting it with a question – is this file bad or good – and you attach a tokenised value to the answer.

On the other side of the equation are all these AV engines. Big ones, small ones… even tiny little micro engines that are only good at detecting very niche threats. So the enterprise submits the sample – that can be a whole file or just a hash – and it gets distributed to all the people who are running these AV engines. They scan the file, and if they’re super confident on an answer, they return that answer as well as a tokenised stake as a measure of their confidence. The idea is you can have a competitive marketplace for threat detection in which even niche players can participate. Polyswarm CEO Steve Bassi joined me to talk me through the whole concept.

There’s no news segment in this week’s show. Instead, you’re going to hear a long-form feature interview I did with the NSA’s Rob Joyce.

Rob is probably best known for his tenure as special assistant to the president on cybersecurity and for being the cybersecurity coordinator on the US National Security Council.

He also served as acting homeland security advisor to Donald Trump for a short time following the departure of Tom Bossert from the Whitehouse. In May last year he went back to NSA where he now serves as a senior advisor to the director of NSA for Cyber Security strategy.

Some of you may also know Rob for his blockbuster January 2016 conference talk “disrupting nation state hackers” back when he was heading TAO at NSA. Good talk, that one, and it’s on YouTube. (Link below.)

But gradually over the last couple of years Rob has emerged as a sort of friendly-face of NSA, at least as far as the infosec industry is concerned. He’s spoke at DEF CON last year, he often appears at events and on panels and he’s doesn’t seem terrified of actually comment on things.

This is a huge departure from the historical way agencies like NSA handled themselves. But as you’ll hear, Rob sees this new approach as being vital to the NSA’s current-day mission.

Topics covered include:

• DoJ indictments of foreign gov hackers
• 5G networks and Huawei
• Kaspersky AV
• Bloomberg’s Supermicro story
• Software and hardware supply chain security
• The USG aggressively burning adversary tools

We also have a sponsor interview for you this week with Zane Lackey, the co-founder of Signal Sciences. I guess you’d call these guys “next generation WAF,” more on that later… but Zane will be along a little bit later with some pretty incredible stats on the way security spending has changed over the last year or two. Money is just piling into appsec while spending on some other controls is actually reducing. It’s a sign of change.

Adam Boileau co-hosts this week’s Risky Business episode. We talk about:

• The Huawei indictments
• The epic Facetime logic bug
• The even more epic Exchange privesc bug
• CISA’s “fix yo DNS” directive
• Black Cube busted doing shady stuff to Citizen Lab
• Yahoo shareholder lawsuit settlement makes directors twitchy
• Internet filtering kicks off in Venezuela
• Much, much MORE!

This week’s show is brought to you by Thinkst Canary – they make hardware honeypots and the tools you need to deploy canarytokens at scale. They also make virtual honeypots! This week Thinkst’s founder Haroon Meer will be along to wave his finger at basically all of us over what he sees as the security discipline’s tendency to not really learn anything from security conferences. It’s “contertainment,” he says, followed by “GET OFF MY LAWN”.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Alex Stamos co-hosts this week’s episode. Topics discussed include:

• DNC says Russia tried to own its servers in November 2018
• South Korean Defence Ministry owned
• Lazarus Group busy in Chile
• West African banks suffer multiple intrusions
• Michael Cohen admits rigging online poll for Trump
• Nine charged over SEC hack
• More USG SSL certificates due to expire
• apt-get remote root RCE
• Don’t use your Garmin to scope your murder escape route
• Big plot twist in viral video outrage

This week’s show is brought to you by Duo Security, which I guess is now Cisco Duo Security. Wendy Nather - Duo’s head of advisory CISOs - will be along in this week’s sponsor interview to talk about a topic near and dear to my heart: victim shaming. That’s a good one so please do stick around for that.

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

This week’s podcast features Patrick and Adam talking about the week’s security news, including:

• Huawei staffer arrested for spying in Poland
• Conviction in DPRK SWIFT hack against Bangladesh central bank
• El Chapo used Flexispy to spy on mistresses and staff
• NSO group on charm offensive
• Iran hijacking DNS entries, conducting PITM with DV certs
• Kaspersky tipped NSA on Hal Martin
• US government certificates expire amid shutdown
• Idiot sentenced to 10 years prison for DDoSing children’s hospital

This week’s show is brought to you by Trail of Bits! Trail of Bits is a security engineering firm and consultancy based in New York. They aren’t a typical pen-testing firm, they build as well as break.

In this week’s sponsor interview JP Smith from Trail of Bits joins us to talk about the work he put in to CSAW. Not the Centre for Sustainable Architecture with Wood, which is a thing, but the Cyber Security Awareness Worldwide CTF.

JP is a sick man. He’s sick. You’ll hear about the mind-bending CTF challenges he put together for CSAW. Remarkably, some teams were actually able to solve his problems, some of which featured complex numbers mapped to a four dimensional unit sphere being used to drive the rotation of a virtual IBM Selectric typewriter golfball in Second Life. As I say, he’s a sick, sick man.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.