Soap Box is the wholly sponsored podcast series we do where vendors pay to participate.

Our guest in this edition is Jerrod Chong, the SVP of product at Yubico, the makers of Yubikeys. We were originally going to publish this Soap Box with Yubico a few weeks ago, but we delayed it for a very good reason.

This podcast is going out at the same time as a press release from Yubico – they’re releasing the Yubikey 5, and it’s a very significant update.

Regular listeners would have heard me talk about seeing Yubico’s booth at Black Hat – it was like a mosh pit, and I think there are two reasons for that. Firstly, they were giving away keys, (haha) but secondly, they were demonstrating FIDO2 Windows logins over NFC.

With the launch of the Yubikey 5, Yubico has actually delivered passwordless logins for Windows networks. You can do tap only via NFC, tap and pin via NFC, or you can roll old school with USB.

So, Jerrod Chong joined me for this conversation. We talk about the Yubikey 5, and more broadly about the future of authentication and authentication devices.

We’re going to be talking to two people in this podcast and the topic is, for the most part, the introduction of pointer authentication on the latest Apple iPhones. This is a development that flew under the radar of most of the infosec media and it’s significant because it is going to basically wipe out ROP exploits as we know them. There’s no such thing as a perfect mitigation, but Apple has leveraged some recent ARM features to really lock down their devices.

In addition to the pointer authentication suff they’ve also made some changes that will affect the ability of companies like Cellebrite to unlock phones. Again, this won’t kill unlocks completely, but in one release Apple really has made life a lot harder for people in the offence game.

This will eventually have some consequences for the crypto debate. These devices are just getting more and more secure through some really cool engineering.

So we’ll be talking to Chris Wade about this, he’s the brain behind Corellium, an iOS emulator. His clients include everyone from exploit developers to the publishers of very popular iOS applications. If you want to back-test an app change on 15 different versions of iOS Corellium is the way to do that… or if you want to, you know, test your latest 0day it’s good for that, too.

Then we’re going to hear from Dr. Silvio Cesare of Infosect here in Oz. He’s going to talk about whether we might see similar mitigations on intel and weigh in on Apple’s changes.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Citizen Lab drops NSO Group report
• “Weaponised Stuxnet” claims are idiotic
• Another State Department email breach! Drink!
• Dutch foil planned attack against Swiss Novichok lab
• Mirai botnet authors working for FBI
• US telcos want to be consumer auth brokers
• US fails to extradite “Mr Bitcoin”
• Much, much more

This week’s show is brought to you by Remediant. They make a just-in-time access solution for privileged account management (PAM), and we’re doing something a little different in this week’s sponsor interview.

Paul Lanzi of Remediant will be along, but so will Harry Perper of MITRE corporation. Harry’s pay-cheques say MITRE, but he’s been working on a NIST project. The National Cybersecurity Center of Excellence (NCCoE) at NIST has been working on a project to provide guidance on the secure usage and management of privileged accounts. The so-called 1800-18 document is a practical guide and reference architecture for privileged account management and we’ll talk to both Harry and Paul about that after the news.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

[**PLEASE SEE BELOW FOR A CORRECTION**]

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• The DPRK indictment and subsequent fall out
• British Airways gets owned
• Webauthn hits some roadblocks
• The latest action from Washington DC
• Trend Micro has a bad time
• Tesla pays out for key-fob clone attack
• Tor browser 0day hits Twitter
• Much, much more

We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

CORRECTION:

The original release of this podcast included discussion of some rumours that turned out to amount to nothing. We had mentioned three data points:

• The CISO of American Airlines, Dan Glass, departing a few weeks ago
• Someone I know had their AA/Citi credit card re-issued, despite saying they only ever used that card to buy AA fares
• A rumour an FBI computer crime investigator is on site at American Airlines

Well, it turns out Dan Glass is a listener, and he got in touch with us after the podcast ran to clear this up. He says the reason he left is actually because AA was offering some very attractive redundancy packages. Following AA’s merger with US Airways the combined group eventually found itself in the position of having too many executives. As many listeners will know, being a CISO is a pretty hardcore job so Dan jumped at the chance to bounce out and have some time off.

As for the FBI being on-site, Dan says that’s not unusual. They’re one of the largest airlines in the world so they’re frequently liaising with LE. As for my pal’s card getting re-issued… who knows?

The point is it looks like these rumours and data points don’t actually add up to much. This is why I rarely run rumour in the podcast and at least try to do some verification. In this case I just didn’t have time, but still, I just should have just held it over until I’d had a chance to make some basic enquiries. It was sloppy. Sorry.

In particular I’d like to apologise to the fraud teams who may have been asked to follow this up, the PR teams who’ve no doubt been fielding questions about this and also to Dan Glass. Although, it must be said Dan and I had a very nice chat and he didn’t seem upset. Thanks for being a chiller, Dan!

Again, I’m sorry. I’ll do better in the future.

Pat

On this edition of Snake Oilers we hear from three companies, and for one of them, it’s actually their product launch!

Assetnote is a cloud asset discovery and security scanning platform spun out of the bug bounty community. If you’re a CSO with any large public attack surface you’ll really want to hear about that one. This platform finds things you didn’t even know your company had online in cloud environments and then scans them for real, actual RCEs. The user interface is awesome, too.

Then we’re going to hear from Pedram Amini of InQuest – they make a box that reassembles files from network packets captured off the wire or funnelled in through ICAP and then rips them to bits looking for badness. They call it deep file inspection and it’s a great way to supplement client side detection, at scale. You can even pass these reassembled files on to multi-AV or cloud services and use this platform to do spot threat hunting. It’s very powerful stuff, and honestly that’s an interview that got me thinking in a new way about detection concepts.

And then finally we’re joined by Omaru Maruatona of Aiculus. Omaru has a PHD in applying machine learning to bank fraud that he obtained while working for one of the big four banks here in Australia. After that he moved on the PwC as a penetration tester and now he’s running Aiculus. Aiculus has developed an API proxy that uses machine learning to detect funky calls. If you’re not satisfied that your API gateway has you completely covered then yeah, you’ll want to listen to that one.

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Five Eyes nations send a clear message on encryption
• Massive Azure outage
• FBI releases political campaign security guidance
• Google wants to kill the URL
• MEGA.nz plugin owned sideways
• Final “Celebgate” hacker sentenced
• Google launches font fuzzing tool
• Chinese-made Google/Feitian U2F keys under scrutiny
• Some interesting TPM research
• MUCH MORE

This week’s podcast is brought to you by AttackIQ.

AttackIQ founder Stephan Chenette will be along in this week’s sponsor interview to talk to us about a few things – the MITRE attack matrix being one. He’ll also share with us his view that EDR is the most commonly misconfigured security technology he sees out there, and he has pretty good visibilty into things like that because AttackIQ, of course, makes attack simulation software designed to measure the efficacy of these types of solutions.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers, mean the developers of non-Windows-based malware have been pretty busy lately

In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an empirical study of non-Windows malware.

They downloaded hundreds of daily candidate samples from Virus Total for a year, resulting in a dataset of more than 10,000 binaries and a tool called Padawan, an automated framework for dynamic analysis of non-Windows malware.

The researchers presented findings earlier this year at the IEEE Symposium on Security and Privacy, and more recently at reverse engineering conference RECon in Montreal. Risky Business contributor Hilary Louise recently caught up over the phone with France-based EURECOM doctoral student Emanuele Cozzi who says the land of Linux-type malware analysis is a bit of a nascent field.

We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right in to the sponsor interview with Zane Lackey of Signal Sciences.

A bunch of you heard my long form, Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good thinking and advice, that interview, so do stick around for it.

Adam Boileau will join the show to recap the week’s news:

• Australia and Japan to ban Huawei from their 5G builds
• Struts bug: Big deal or meh?
• Voting machine maker ES&S rebuked by researchers AND US gov
• The DNC phish that wasn’t
• Recapping Andy Greenberg’s Maersk/Notpetya coverage
• Instagram adds real 2FA
• Windows privesc 0day on teh twittarz
• T-Mobile pwned harder than it initially admitted
• Log in to Windows with Google accounts
• Some hilarious Lazarus group shenanigans
• Much, much more

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

We’ve got two vendors pitching their wares in this edition of Snake Oilers. First up we’re talking to Rapid7 about its vulnerability scanning and management software. They’ve made some changes and they’ve got a couple more coming. This is bread and butter infosec stuff.

Then we’re going to hear from the team at ITProTV. They’re a video-based online training site, pitching themselves as like a Netflix but for online training. Instead of instructor-led training, they try to make stuff less dry – half hour training videos with two instructors on all sorts of topics.

The online training video sector is just booming right now, and ITProTV’s co-founder and “edutainer” Don Pezet will be along to walk through all of that.

Both of these companies are tracking enquiries originating from the podcast, so please do use the URLs in the show notes below if you’re interested in learning more.

In this podcast you’ll hear an interview I did with Bob Lord, the Chief Security Officer for the Democratic National Committee, the DNC. Bob has previously served as the CISOs for both Yahoo and Twitter, before spending some time in vendorland with Rapid7 as their CISO in residence.

The state-sponsored attack against the DNC is without doubt the most politically consequential data theft event the planet has ever witnessed. It trumped both the Manning/Wikileaks disclosures and “climategate” in terms of impact, and indeed to a large degree the fallout of the DNC hack is still ongoing.

So, I wanted to bring Bob in to talk about his job.

The DNC isn’t a large organisation, in a head office sense. They have about 200 core staff members, but as you’ll hear, a political organisation’s IT setup is pretty atypical. So Bob and I mostly just spoke about how one handles security for an organisation like the DNC.

On this week’s show we’ll be running through the week’s security news, then diving right on in to a sponsor interview with Lauren Pearl of Trail of Bits. She’s joining us to talk about something Trail of Bits have been up to lately: adding features to open source software – and auditing open source software – on behalf of its customers.

I do have a feature interview this week, but it’s a long one so I’ll be breaking that out in to a separate podcast. It’s a nice long chat with Bob Lord, the CSO for the Democratic National Committee. You know, the guy who hid “the server”.

The news we’re covering this week:

• Melbourne teenager hacky-hack hacks Apple
• Facebook nukes Iranian and RU influence ops
• Report: Sealed court order seeks Facebook Messenger E2E intercept
• USG ditches PPD-20 equities process
• A look at “Intrusion Truth” CN operator doxing ring
• Microsoft kills RU phishing domains
• PLUS MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

In this breakout podcast we chat with Adam Boileau about the talks that caught his attention in Las Vegas a couple of weeks ago. The Black Hat PR team were kind enough to credential Adam for the con so he could go and see a few talks with his Risky Business hat on.

I was at Black Hat but spent most of my time running around like a headless chicken. These days Vegas week for me is mostly about locking in the next year’s sponsorships, as well as catching up with friends I hardly ever see. The good news is the sponsorship side is done. We’re almost sold out across the weekly show, Snake Oilers and Soap Box until 2020. The bad news is I didn’t really get to go to any talks.

But that’s ok, because Adam went to both Black Hat and DEF CON and he joined me to talk about the highlights from his point of view. This was his first trip to the Vegas cons since 2005, and agreed with me that the content this year was actually pretty bloody good.

I’ve done my best to assemble links to everything Adam talks about into a list below:

Adam and I have just returned from Black Hat and DEF CON in Las Vegas, so in this week’s show we’re going to have a look at the infosec news we missed over last couple of weeks. We did plan to recap Black Hat in this podcast, but we’ve wound up a bit short on space so I’m busting that out into a separate podcast that I’ll publish on Monday. So this podcast will just be a discussion around news plus a sponsor interview.

The news we’re covering:

• Australia’s new surveillance/”anti-encryption” laws
• Intel SGX vulnerability research
• Taiwan Semiconductor WannaCry woes
• Details on CYBERCOM op against ISIS
• Reddit pwnage
• Bitcoin investor sues AT&T over $23m loss
• FIN7 arrests
• CIA’s loss of scores of China assets may have been hack-related
• Massive ATM cashout and SWIFT attack hits Indian bank
• Much, much more

Bugcrowd CTO Casey Ellis joins us in this week’s sponsor interview to talk about a few things – firstly, how some research presented at Black Hat by the team at Portswigger is a sign that serious research teams are using bounties to cash in on their serious security research. Then we’ll be talking about the Bugcrowd University initiative and a reboot of the disclose.io project.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector aren’t doing.

He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community.

This week’s show is brought to you by Duo Security! And Duo’s very own Dave Lewis will be joining us this week to talk about the roadblocks you might face if you’re trying to head down the BeyondCorp road to the deperimiterised nirvana!

Adam Boileau drops in to discuss the week’s news, including:

• COSCO shipping ransomwared into oblivion
• DHS warning on impending ERP attacks
• Charges against SIM-swap cryptocurrency thief
• Google’s “Shielded VMs”
• Google’s launch of its own hardware security tokens
• Master134 malvertising campaign
• New Kronos version
• NetSpectre attacks
• Bluetooth bugs
• Much, much more

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences.

Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences.

They give you visibility in to attacks against your applications, and even auto-blocking a bunch of them without that turning into a cascading horror-show.

Signal Sciences’ product has a really strong emphasis on assisting organisations who are running DevOps shops. And it makes sense, Zane’s key achievement at Etsy was managing the security of that company’s Devops transition.

He’s actually just written an O’Reilly book, Building a Modern Security Program. So, he joined me to talk about his book, what’s in it, about DevSecOps more generally, and about some new stuff Signal Sciences has been working on.

We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest.

We talk about:

• The Russia indictment
• Chrome now marks http sites as “not secure”
• Julian Assange is close to being turfed out of his London digs
• Microsoft’s midterm meddling misfire
• Singapore loses 1.5m health records
• Some cool research from Talos and Cyberark
• Azimuth Security acquired by L3
• The npm supply-chain attack
• Chrome site isolation
• And much more!

This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to Justin Warner about a pretty cool Flash 0day they found hiding in a Microsoft Office document. That was some pretty cool work, and the attackers in that case did some pretty novel things in terms of keeping their payload away from prying eyes. Obviously they didn’t do a good enough job or we wouldn’t be talking about it, but there are some new techniques there, fun stuff.

*****NOTE: At one point I get Jason Rebholz’s name wrong. I call him Justin Rebholz by accident. Apologies for the error, Jason!

There’s no weekly show this week, I’m on a beach somewhere tropical right now and I prepared this one so we’d have something to run while I’m away. The Soap Box is one of our wholly sponsored podcasts here at Risky Biz HQ – vendors pay to come on to talk about what’s on their mind.

And this week we’ve got Cylance’s very own Chris Sestito joining us. He heads threat research for Cylance, the AV company.

Cylance is a relatively new company – they’ve been around about six years now – and regular listeners would have heard me credit them for almost singlehandedly shaking up the AV industry.

They built a machine learning model for detecting malware that was effective enough to actually challenge the incumbents, who until then, had a stranglehold on the market. Cylance’s fortunes rose further when it played an instrumental part in detecting and cleaning up malware used against the US office of personnel management, or OPM.

That was a big moment, because from there it seemed like all of a sudden EVERYONE was a machine learning company. I’m sure a lot of people listening to this podcast are so sick to death of hearing pitches from vendors about machine learning.

But the thing is, Cylance was built on machine learning and they are still 100%, 24-carat true believers. Chris Sestito joined me to talk about driving machine learning model development with threat research, dodgy machine learning marketing and more.

Snake Oilers is a wholly sponsored podcast series we a few times a year here at Risky Biz HQ. The idea is we get a bunch of vendors together and they pitch their tech in a straightforward way. Less “stops advanced cyber threats” and more “here’s what our stuff does and how it works”.

You’re hearing this instead of a weekly show because I am currently on a beach somewhere tropical.

We’ve got two vendors in this edition of ‘Oilers: next-gen SIEM platform company Exabeam and email filtering giant Proofpoint.

Our sponsor guest from Proofpoint is Ryan Kalember. Ryan is the SVP of cybersecurity strategy at Proofpoint, and regular listeners would have heard him pop up here and there on other Risky Business podcasts.

Ryan knows an awful lot about email security and he’s joining us this week to talk about a few things. A big selling point he wants to hit home this week is that Proofpoint offers its clients dedicated IPs for their outbound mail servers. That means you won’t be blocked when someone else using the same IP for outbound mail starts sending spam. Believe it or not this is a thing that happens to users on other mail filtering platforms. From there Ryan spells out Proofpoint’s approach to combating credential phishing. Aaaaand we talk about other stuff too. We started off by talking about how some organisations are getting blocked because their filtering provider is sharing IPs between clients.

Exabeam also drops in to talk about what a next gen SIEM actually is. From day one Exabeam was a startup that meant business. As you’ll hear, they started off as a SIEM-helper, and they’ve gradually built out their product from there. Now they’re going after the established SIEM market – think Splunk, Arcsight, those types of products. Despite only being five years old, Exabeam has quickly established itself as a real player in the SIEM market.

And why not? They make a compelling argument that the most popular SIEM products have gone stale. Anu Yamanan is the VP of products at Exabeam and she’s here to explain the general pitch behind all next generation SIEM gear. The idea is to go beyond the event log and build a timeline of events that actually has context around it. SOC analysts, SIEM specialists and CSOs will be interested to hear what she has to say here.

On this week’s show we’re chatting with a PR pro who specialises in information security. Melanie Ensign currently works at Uber, but she also served as a security PR for Facebook and before that, AT&T. She drops in this week to talk about how you can work with the PR professionals in your organisation to help tell your security story to the wider world. She also has some great tips for infosec professionals who might be a bit nervous about dealing with journalists.

In this week’s sponsor interview we’re joined by Julian Fay, the CTO of Senetas.

Senetas has a long history of making layer 2 network encryptors, but they are branching out in all sorts of ways these days. One thing they’re doing now is working on approaches to network encryption that play nicely with software-defined WAN. The days of hauling all your network traffic back to a single choke point are numbered – Julian thinks in the near future you’ll have some sort of CPE device that actually implements different types of encryption on different types of traffic crossing your border. So, Senetas has actually built that gear and we’ll be hearing about why.

Adam Boileau joins the show to talk about the week’s security news:

• Some very cool LTE research
• Equifax manager charged with insider trading
• Ticketmaster’s bad week
• The US DoD’s very own app store
• Weird, maybe, possibly-but-probably-not OPM-related fraud
• MOAR Rowhammer stuff affecting ‘droid handsets

Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

No feature interview in this week’s show, we go long on news instead. Adam Boileau joins the podcast to talk through the week’s infosec news, including:

• Confusion reigns in David Sanger vs FireEye spat
• Reality Winner pleads guilty
• PEXA property settlement platform users fleeced
• US Supreme Court decides location info requires a warrant
• The Apple unlock bug that wasn’t

This week’s show is brought to you by Thinkst Canary. Thinkst’s very own Marco Slaviero joins us in this week’s sponsor segment to talk about how some vendors are derping out when it comes to creating needlessly complicated “deception platforms”.

Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.