Risky Business #489 -- (Deep) Fake News

Seeing isn't believing anymore...

On this week’s show we’re chatting with Professor of Law at the University of Maryland Danielle Citron about an article she co-authored on so-called “deep fake” videos. Citron and Bobby Chesney wrote a fascinating piece about the privacy and national security implications of this latest trend and we’ll be talking to her about that a little bit later on.

In this week’s sponsor interview we’re chatting with Julian Fay, CTO of this week’s sponsor Senetas. We talk to him about how encryption hardware industry is responding to the looming spectre of quantum computing.

As you’ll hear, standards bodies are already rolling out draft implementations of quantum-resistant algorithms that companies like Senetas will be baking into their kit as additional layers of protection.

Adam Boileau, as usual, is this week’s news guest.

We cover:

  • Massive memcached DDoS attacks
  • Trustico having a bad week
  • Reported flaws in 4G/LTE
  • Uber breach lawsuit
  • …and more!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Alphabet Chronicle co-founder Mike Wiacek talks Virus Total Intelligence

The company's secret platform is still under wraps, but there's plenty to talk about...

This isn’t the regular weekly show, Soap Box is the podcast where vendors pay to appear to talk about big picture stuff, or really anything they want.

Unless you’ve been living under a rock lately you’d know that Google’s parent company Alphabet announced the spinoff of an enterprise information security company. They’ve named it Chronicle, but beyond that it’s all a bit mysterious. Unlike other startups that stay super stealth until they launch their product, Alphabet basically realised that as it already has its platform out there under beta test with a bunch of organisations the creation of the company would eventually leak, and that would have been a mess from Alphabet’s point of view. So, their solution was to announce the company before it’s ready to ship its product.

I would love to tell you that they’re going to drop all the juicy details in this podcast but they’re not. They’ll drop some hints, but for now, Chronicle’s mystery platform will remain that: a mystery.

But that’s not to say there isn’t some other stuff to talk about. As a part of the spinoff, Virus Total is now a part of Chronicle. And you know what? There’s a lot more to Virus Total, in particular Virus Total Intelligence, than I realised. That’s partly because Alphabet hasn’t really done much marketing around it, and this is a kind of first step down that path.

So in this podcast you’re going to hear from two people from Chronicle – Rick Caccia who is the chief marketing officer, he’s mostly chiming in to explain a little bit about the new company – and Mike Wiacek, the CSO and co-founder of Chronicle. He’s going to be telling us about all the features of Virus Total that you probably didn’t realise exist. Did you know if you have a VTI account you can run YARA rules against everything that comes in to Virus Total? And you can apply the rules retrospectively to see what shakes out? And that they have graph and clustering features? And … and … and … you get the idea.

I hope you enjoy this podcast!

Risky Business #488 -- Stop users recycling passwords with the pwned passwords API

Troy Hunt talks about the v2 release of pwned passwords...

On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.

It’s making some waves already. It’s a genuinely interesting, free service.

In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all thing blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.

JP will talk us through some of the bug classes he sees as well as talk about the work trail of bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Etherum Virtual Machine.

Adam Boileau, as always, is this week’s news guest.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Bugcrowd CTO Casey Ellis on bounty innovation, PII norms and defensive bounties

If you're at all interested in bug bounties and crowdsourced security, listen to this...

This edition of Soap Box is brought to you by Bugcrowd. So the next 40 minutes or so is a conversation between Bugcrowd CTO and founder Casey Ellis and I.

As most of you would know, Bugcrowd runs outsourced bug bounty programs for a wide variety of organisations, from Silicon Valley megabrands to financial services to development-heavy SMEs, Bugcrowd is there.

And what a time it is for the bug bounty business. There’s a lot of attention on the bug bounty concept at the moment – we even saw a senate subcommittee hearing on them take place earlier this month. It’s a competitive sector, too.

In this podcast Casey tells us about a few things, like what Bugcrowd is doing to try to add some innovation to bug bounty programs. As you’ll hear, he’s actually got some really great ideas. I came into this as a bit of a sceptic, as in, how can you innovate around something as simple as a bug bounty program? It turns out you can. We also try to make the case that bug bounties are an established part of infosec now; a boring part of the mix.

So we cover off some interesting stuff Bugcrowd is doing, then we talk about how the bug bounty provides types might be able to actually engage their crowds in defensive work.

Risky Business #487 -- Guest Katie Moussouris on her recent Senate Subcommittee testimony

Plus Mark Maunder of Wordfence on challenges in the Wordpress ecosystem...

On this week’s show we’re going to chat with Katie Moussouris about her testimony before a Senate Subcommittee last week. She fronted a session on Consumer Protection, Product Safety, Insurance, and Data Security titled, “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers. We’ll hear from her on how all that went and what she hopes the US government learned from the committee panel.

Also this week we’ll be hearing from Mark Maunder of Wordfence, that’s this week’s sponsor interview. Wordfence sells a Wordpress security plugin. There have been some interesting developments in the Wordpress world over the last week that are definitely worth covering. Wordpress actually pushed an update to core that actually disables future auto updates. Yikes.

We’ll find out how long that update was out, what percentage of the Wordpress ecosystem swallowed it, and we’ll also talk about about a couple of dysfunctional things happening in the Wordpress ecosystem.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #486 -- Locking down AWS permissions with RepoKid

Plus all the week's security news...

On this week’s show we’re chatting with Travis McPeak at Netflix about a tool they’ve developed called RepoKid. It automatically strips unused AWS permissions, which I’m guessing a lot of you will find quite useful.

We’ll also chat with Dan Kuykendall in this week’s sponsor interview. Dan works for Rapid7, and they’ve been doing some interesting stuff with their agents, basically tweaking them to give better visibility of application security issues and exploitation attempts. T

hat conversation is really about how security firms these days are using the agent footprint they have to just do whatever they can.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

  • AutoSploit arm waving
  • Lauri Love beating extradition
  • Nik Cubrilovic’s arrest
  • MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #485 -- Infosec startups overfunded, good exits unlikely

Kelly Shortridge joins the show to discuss disturbing investment trends...

On this week’s show we’re checking in with Kelly Shortridge and the topic is zombies. Not the botnet kind, the heavily-VC-backed kind.

A recent report from the Reuters news agency highlighted the amount of VC pouring into the so-called “cyber” industry vs the amount of money actually coming out of it in the form of profitable exits isn’t matching up. The industry is filling up with so-called zombie companies – they’ll never exit, but they’re not going to completely die, either.

As it turns out, Kelly recently did a presentation on precisely this topic, so in this week’s feature we get her take on why this is happening and what’s likely to change. The tl;dr is something will have to give in the next couple of years, and it’s going to be ugly.

In this week’s sponsor interview we check in with Jordan Wright of Duo Security. Jordan has done some research into phishing kits. While phishing isn’t the sexiest topic, the team at Duo has actually done some pretty comprehensive research here – they looked at thousands of kits and pulled out some interesting stats.

We’ll talk to him about that, and also about the likelihood that U2F hardware will soon be baked into consumer devices. That’s really going to change things in years to come.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

  • Strava heatmap
  • Dutch infiltration of Cozy Bear
  • Possible nationalisation of the US 5G network on security grounds
  • Microsoft disabling Intel Spectre patches
  • Google’s Chronicle announcement
  • US$400m Cyptocurrency ownage
  • MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #484 -- What's up with the new 702?

Lawfare Blog co-founder and UT Austin law professor Bobby Chesney talks surveillance law updates...

On this week’s show we’ll be taking a look at the freshly re-authorised section 702 of the FISA act. As you’ll soon hear, the updated section now allows the FBI to search data captured under 702 programs for evidence against US citizens in a bunch of circumstances, including, drum roll please, during investigations with a cyber security tilt.

The co-founder of the Lawfare blog, law professor and Associate Dean for Academic Affairs at the University of Texas Ausin, Bobby Chesney, will be along in this week’s feature to talk about all of that!

In this week’s feature interview we’re joined by Haroon Meer of Thinkst Canary. Haroon will be along to talk about the effectiveness of various honey tokens. Thinkst has been playing around with this stuff for a couple of years now, and Haroon will be joining us to talk about how they’ll will wind up being used in an enterprise context. How do you get detection canaries to scale? That’s coming up later.

Adam Boileau, as always, pops in to discuss the week’s news. It’s been a relatively calm week, but we’ve got some interesting news about botched Spectre patches and a discussion around a sensational report about Kaspersky Lab published by Buzzfeed in conjunction with Russian outlet Meduza.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #483 -- Internet censorship in Iran, China

Collin Anderson joins the show to talk about the politics of 'net censorship...

On this week’s show we chat with Collin Anderson about Iranian internet censorship, as well as how sanctions on Iran led Google to block app engine access within Iran.

That’s a problem for Signal users there, because when the primary Signal servers are blocked, the software falls back to a domain-fronting approach that uses… drum roll please.. Google App Engine.

That’s a pretty wide ranging discussion of ‘net censorship in Iran and ‘net censorship generally and that’s coming up after the news.

This week’s show is brought to you by Bugcrowd, big thanks to them for that. In this week’s sponsor interview we’ll chat with Bugcrowd trust and security engineer Keith Hoodlet about some work they’ve been doing on producing detailed remediation information for their clients.

Adam Boileau is also along, as always, to discuss the week’s security news. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #482 -- Meltdown and Spectre coverage without the flappy arms

Matt "pwnallthethings" Tait helps us understand these interesting flaws...

On this week’s show Matt “pwnallthethings” Tait joins the show to walk us through the so-called Meltdown and Spectre bugs. Most of the coverage of the flaws has either been massively hyped or detail-free, and Matt pops by to untangle the whole mess. He does a great job of it, too.

This week’s show is brought to you by Cylance. CTO Rahul Kashyap will be along in the sponsor chair to talk about why so many AV packages were causing Windows boxes to BSOD when Microsoft pushed its Meltdown patch.

Adam Boileau is back in the news hotseat, and boy oh boy do we have a lot to cover. Show notes are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #481 -- Inside the Anthem breach with someone who was there

Sobering listening on the last show for 2017...

This is the last show for the year, Risky Business will return on January 10th 2018.

In this week’s feature Stephen Moore joins us. He was formerly the Staff Vice President of Cyber Security Analytics at Anthem, the healthcare company that was spectacularly owned by a Chinese APT crew in 2015.

Instead of us all just saying “lol they got owned, they’re idiots,” I thought it would be a good idea to actually talk to someone who was there. As you’ll hear, Anthem’s team knew they were being targeted by an APT crew, did its best to fend off the attackers, but sadly they lost anyway.

It’s sobering listening.

This week’s sponsor interview is also just great. We’ll check in with Casey Ellis of Bugcrowd. He’ll be along to talk about this whole Uber mess. A lot of the reporting around the so-called Uber data breach seemed to fixate a bit on the fact that the attacker was paid via the HackerOne bug bounty platform. The coverage has conflated extortion with bug bounty programs, much to Casey’s dismay. He’ll be along later to share his views on what the Uber snafu means, as well as to share his thoughts on DJI’s disastrous bug bounty program.

Adam Boileau, as usual, stops by to discuss the week’s security news, and also to wrap up the 2017 season.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Bromium on custom microvirtualization for legacy apps

Run your legacy crapware, sleep at night!

Today’s Soap Box is brought to you by Bromium.

Bromium makes a security suite that wraps key applications in microvisors. It’s a way to get app-specific, hardware-based virtualisation.

Historically Bromium has wrapped things like browsers and the office suite into these microvisors. Bromium has also found a lot of success in selling to organisations that have to run out-of-date browsers and Java. Wrapping an old browser in Bromium actually does make it safe to use.

Well, now they’ve gone a step further. They’ve launched secure app extensions, which is where they custom-wrap your application, or an application you use, into a microvisor. So if you’re using some awful, old, insecure enterprise app and it’s keeping you awake at night, this might be a solution for you if you can’t rip and replace.

Have a listen!

Risky Business #480 -- Uber, Kaspersky woes continue

PLUS: A look at the new OWASP top 10...

On this week’s show we’ll be having a look at the latest OWASP top 10. As many of you would know, the new list is out. A couple of items have been dropped and a couple of items have been introduced. But we’re really using this new top 10 as an excuse to have a broader chat about the top 10 and the OWASP mission more generally.

As you’ll hear, everyone seems to agree the list is a good thing, but maybe OWASP needs to sharpen its communication strategy a little to make itself more accessible to the developers it’s trying to help.

We’ll hear from OWASP Bristol chapter leader and Veracode consultant Katy Anton on that, as well as Safestack head honcho Laura Bell and penetration tester and founder of Matchme consulting Pam O’Shea.

This week’s show is brought to you by a first time sponsor, VMRAY. They make malware analysis software that’s very popular with CERTs, but I suspect a lot of listeners out there in IR will also be interested in what they’re doing. The core offering is a cloud malware analyser that isn’t public, so if you don’t want to fire off a sample to VirusTotal and let the bad guys know you’re on to them, VMRAY is a better option.

VMRAY didn’t actually get one of its staff into this week’s sponsor slot, it chose one of its users instead – Koen Van Impe. He pops along to talk through what he uses VMRAY for and to give us a bit of an overview of what it does.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers #4: Dino Dai Zovi, Chris McNab and Sylvain Gil

Of Capsule8, AlphaSOC and Exabeam respectively...

We’ll be hearing from three vendors in this edition of Oilers. Dino Dai Zovi will be along first up to talk about his startup, Capsule8, which looks very promising indeed.

After we’ve heard from Dino we’ll be chatting with Chris McNab. He used to run incident response for iSec Partners and later NCC Group, but these days he runs AlphaSOC, a company he founded. They’re a very simply play – they do DNS and IP analytics.

They offer that as a Splunk application or via an API, and you would be amazed how much bad stuff you can kick off your network with something as simple as DNS and IP analytics. Tor exfil, whole families of malware, BitTorrent, all sorts of stuff. Chris will be along soon to talk about that.

Then we’re rounding it out with a conversation with Sylvain Gil, the co-founder of Exabeam.

Exabeam started off in analytics and UEBA, but they’ve taken a bunch of money and they’re spending it on building out their SIEM, which is already pretty popular in certain circles because they don’t license it based on volume. Sylvain pops along later on to talk about how that’s changing SIEM use cases for a bunch of people. For example they can pump their EDR logs into their SIEM without wearing a seven figure SIEM consumption bill. He also walks through how they’ve used open source technologies like Hadoop in their products. It’s an all around chat that one, not so much a pitch, but yeah, I found it really interesting and I hope you will too.

Links to all three profiled vendors are below!

Risky Business #479 -- Oh, Uber. Oh, Apple.

PLUS: Susan Hennessey on the FBI hacking the planet...

On this week’s show we’re speaking with Susan Hennessey, a Fellow in National Security in Governance Studies at the Brookings Institution and managing editor of Lawfare. We’re talking to her about cross-border law enforcement in the Internet age.

We hear a lot of people in the infosec community expressing some discomfort with the FBI’s use of Network Investigative Techniques designed to de-cloak Tor users. Susan pops by to explain why the FBI and other law enforcement bodies aren’t worried about the international ramifications of dropping de-cloaking technique on the whole planet.

We also cover off a few of the other issues around how data can be turned over to various governments. It’s a fascinating chat and it’s coming up after the news.

This week’s show is brought to you by Tenable Security. In this week’s sponsor slot we’ll be hearing from Ray Komar, Tenable’s VP of technical alliances. We’re talking to Ray about a partnership Tenable has formed with Siemens. They’re trying to tackle the issue of tracking vulnerabilities in industrial control system equipment, but as you’ll hear, people aren’t actually buying it so much for the vulnerability tracking side, they’re buying it for the visibility side. It turns out dropping a passive scanner on your ICS network is a good way to know what’s actually ON your ICS network.

As always, Adam Boileau pops in to discuss the security news. We cover:

  • The Uber hack
  • Apple’s comedy “root” bug
  • Krebs on possible Shadowbrokers link
  • Charges against more Chinese APT operators and Iranian HBO attacker
  • More “hack back” legislation action
  • Intel ME bug details
  • Golden SAML
  • MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #478 -- Why a "Digital Geneva Convention" won't work

PLUS: Facebook wants yer nudes...

On this week’s show we check in with Mara Tam. She’ll be telling us why the idea of a so-called “Digital Geneva Convention” is silly.

Then, after that, Rich Smith of Duo Security will be in the sponsor chair.

You may have heard about some recent research Duo Labs did into Apple EFI patches basically not working/sticking. Rich walks us through that research, why Duo did it, how they did it, and what it can tell us. It might be Mac research but the real worry, as you’ll hear, is around Wintel firmware.

Adam Boileau pops by for this week’s news discussion. We’ll be covering:

  • Facebook’s plan to combat “non-consensual intimate imagery”
  • Wikileaks Vault8 leaks
  • Assange sending a “guessed” password to Donald Trump Jnr
  • NYTimes reports on the Shadowbears
  • Cracking FaceID with a rubber mask
  • MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #477 -- US mulls charges against Russian officials involved in DNC hack

Bumper news week on Risky.Biz...

There’s no feature interview in this week’s edition, just a slightly longer news session with Adam Boileau, then it’s straight into this week’s sponsor interview.

Adam and I will be speaking about:

  • Charges against Russian officials involved in the DNC hack
  • Confirmation of Russian involvement in Ukraine artillery targeting app
  • Attribution claims in Bad Rabbit campaign
  • “Hack Back” bill is picking up steam
  • 1 million installations of counterfeit WhatsApp clone
  • A properly awful Tor browser bug
  • The cryptocurrency comedies/tragedies of the week
  • MOAR

Marco Slaviero is this week’s sponsor guest. He’ll be along with a radical marketing approach: He’ll be telling us what Canaries can’t do! But you know what? It’s a useful thought exercise. He’ll also update us on the latest stuff they’re doing in the cloud. They’ve got some new VMWare virtual canaries too.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers #3: Bot prevention and distributed "crypto magic" credit card storage

An all Australian edition of Snake Oilers. Aussie snake oil is the best snake oil.

In this edition of Snake Oilers we’re taking a look at two Australian companies and their solutions: Kasada and Haventec.

Kasada’s product is a simple one – it’s bot prevention using proof of work and a couple of other things, and Haventech’s solution is a bit more out there.

They’ve got a couple of products. One uses device fingerprinting plus a secret for authentication, but they’ve actually come up with something else that’ll be really interesting to people in the payment card processing space.

Basically they’ve come up with a way to split credit card info into a few pieces so it can be stored in a distributed way. Part of the info with the user, part with the merchant and part with the processor. It’s a better approach than tokenisation, and will drastically reduce the liability and costs that comes with storing huge amounts of card data on the processor side. Oh, and they’ve solved the chargeback problem on that one too.

Links to the companies profiled can be found below. I hope you enjoy the show!

Risky Business #476 -- Zeynep Tufekci on machine learning and disinformation

PLUS: Sponsor guest Julian Fay on recent crypto vulns...

On this week’s show we’re chatting with Zeynep Tufekci about how machine learning accelerates the dissemination of crazy s–t, basically. Zeynep’s September TED talk titled “We’re building a dystopia just to make people click on ads” is a must watch and has been doing the rounds on infosec Twitter over the last couple of weeks. She joins us this week to talk through what we might be able to do about the tendency of online platforms to send people down pretty warped rabbit holes. That’s a fascinating chat.

This week’s show is brought to you by Senetas.

Senetas is a Melbourne-based company that develops and manufactures layer 2 encryption gear. They also operate the SureDrop secure file sharing platform and are working on a bunch of cloud crypto tech as well. Julian Fay is CTO over at Senetas and he’s along this week to talk us through the bugs Matthew Green and his colleagues found in a bunch of FIPS-certified gear from Fortinet. It’s a really, really illuminating chat. I love it when Julian’s in the sponsor chair because I always learn a lot.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #475 -- Matt Tait: US gov needs to put up or shut up on Kaspersky claims

It's time for the US government to just come out and say it...

On this week’s show we’re catching up with Matt Tait. Matt’s better known as @pwnallthethings on Twitter. He’s joining us this week to talk about the claims various sources have made against Kaspersky. I say sources because up to this point the only thing we’ve seen is various officials saying people shouldn’t use it. There’s been no official statement from the government or the intelligence community that actually says “don’t use it”.

And the situation is getting ridiculous. It’s as clear as mud right now, basically, so Matt will be along later to argue the US government really just needs to back the claims in an official way if they’re to be taken seriously.

This week’s show is brought to you by Cylance. This week we’re chatting to Chris Coulter, a seasoned IR professional who’s recently moved from the services arm of Cylance to the product side. We’ll be talking to Chris about IR and where EDR software is going. That one is really worth listening to. It’s easy to look at Cylance today and just see another antivirus company. People have forgotten that they basically shook up the biggest market in infosec and I think they have a solid chance of doing the same thing with a few of their upcoming releases in the EDR and UBA space. So yeah, check out that sponsor interview with Chris Coulter, coming up towards the back of the show!

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.