Risky Business #496 -- The China supply chain problem

WARNING: May contain traces of cyber...

On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and really get an idea of what supply chain risks look like from a macro level. The long and the short of it is the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here.

This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff.

In this week’s news we cover off:

  • Mysterious BGP route hijacking for lame Ether theft (??)
  • Google disabling domain fronting
  • Canadian teen charged with downloading documents from a website
  • City of Atlanta spending $2.6m to recover from its ransomware event
  • RSA’s conference app fail
  • White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!)
  • Much more

The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.

Risky Business #495 -- Russian Internet users are having a bad time

Mark "Pipes" Piper joins Risky Business to talk news...

We’re still running in a trimmed down format this week, sorry about that. Regular listeners would know we’ve been dealing with some unexpected stuff over here in the house of Business, but the good news is things have settled down and we’re actually back home after more than three weeks away. Things are looking good for a return to a full format show either next week or the week after.

But don’t worry, there’s plenty of good stuff in this week’s news segment with Mark Piper, including:

  • Russia blocking 15m cloud service IPs to shut down Telegram
  • RU router hax: Are they a big deal?
  • FBI’s “going dark” narrative questioned
  • Rob Joyce departs White House
  • ZTE in all sorts of trouble

This week’s show is brought to you by Cylance. Jim Walter of Cylance will be along in this week’s sponsor interview to talk about a couple of things – we’ll be looking at “fileless” malware – for what it’s worth it’s a term that we both hate – and we’ll also be talking about how complete amateurs are now able to run reasonably sophisticated malware campaigns these days thanks to the badware for hire business getting even more slick.

The show notes/links are below, and you can follow Pipes or Patrick on Twitter if that’s your thing.

Risky Business #494 -- Cisco customers have a bad week, plus a deep dive on WebAuthn

PLUS all the week's security news!

Regular listeners would know Risky Business is just running the news and sponsor segments at the moment so there’s no feature interview in this week’s show. But that’s fine because we’ve got plenty to get through in the news segment with Adam Boileau.

Then we’ve got a killer sponsor interview for you this week with Nick Steele and James Barclay of Duo Security.

They’re here to talk about WebAuthn. It’s the new authentication spec currently going through the W3C process. Both Nick and James will be along later to talk about what the spec is designed to do, how it works and what its chances of becoming mainstream are, and spoiler alert, those chances are pretty good.

They’ve also provided me with some links for people out there who want to play around with Webauthn, they are below.

Links to all the news items are also below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Risky Business #493 -- SWIFT, pipeline attacks, Chrome's AV feature and more

A deep dive in to the week's news with Adam Boileau...

This week’s show is just the news segment and sponsor interview. But, as always, there’s plenty to discuss with our news guest Adam Boileau!

In this week’s sponsor interview we’ll be hearing from Timothy Keeler from Remediant.

Remediant is a small but growing company that does privileged account management stuff, but they’re not a password vault. Tim’s joining us this week to walk through some of the challenges of managing privileged access in devops environments and also to talk a bit about some of the challenges around single sign on and privilege management. It’s all good stuff, and it’s coming up after the news.

Links to all the news items are below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Risky Biz Soap Box: Network detection is dead! Long live network detection!

ICEBRG joins Soap Box to talk about network blind spots...

This Soap Box edition is brought to you by ICEBRG.

ICEBRG is in the business of network-based response and detection. In simple terms they drop a box on your network that strips network metadata and shunts it up to their cloud for analysis. This allows incident responders in particular to really, really speed up their investigations. We know that a lot of internet traffic is encrypted these days, and that’s made some people take their eye off the network ball. The focus and buzz these days is very much on endpoint detection and response. Our guest on this edition of Soap Box, ICEBRG’s VP of Strategic Partnerships Jason Rebholz, thinks we’ve wound up with a blind spot as a result.

It’s true that a lot of network security tech fell behind the times, but there are some fresh approaches emerging these days that are pretty bloody useful. ICEBRG started off as a product to accelerate incident response, an example use case is deploying it in 15 minutes when you’re starting an IR job; it gives you amazing visibility for the time invested. But, they’re broadening the product a bit these days. They’re not turning it in to an IDS, but they’re able to give clients some very, very high quality signalling. I think this is what you get when you get a bunch of ex-govvies and incident responders together and they develop a product. Their alerts are more along the lines of “you’re owned by this APT group” not so much “hmm, that’s some strange ICMP traffic hitting your mail server. Maybe some router in Azerbaijan needs a reboot, ."

So the thinking is definitely fresh, and I’m increasingly seeing companies play in the network security space again. Network detection is dead! Long live network detection!

Risky Business #492 -- Thomas Rid on sloppy active measures

PLUS: All the news in another crazy week...

Sorry this week’s show is late – I found myself taking an unexpected and unavoidable trip. But I’m back on deck and we’ve got a great show for you this week.

This week we hear from Thomas Rid, Professor of Strategic Studies at Johns Hopkins University’s School of Advanced International Studies. We’re having a conversation inspired by the latest spectacular Russian intelligence blunder: a Russian SIGINT operator exposing their GRU headquarters’ IP address because they forgot to fire up their VPN when logging in to their Guccifer 2.0 persona accounts. Oops.

It’s hilarious stuff, but it’s brought out the conspiracy types who are saying hey, as if they’d make this mistake. Something’s fishy! Well, as you’ll hear, these types of agencies make similar mistakes on a pretty routine basis. Thomas joins us to talk about that, and also about how mistakes like this don’t really matter in the broad scheme of things. They’re a bit of a distraction.

This week’s show is brought to you by Bugcrowd, the managed bug bounty company. Bugcrowd’s founder and CTO Casey Ellis will be dropping by to talk about a few things. They’ve raised a stack of cash since we last spoke and they plan to spend it on a bunch of stuff – they’re working on doing more efficient triage and they’re also looking at creating better legal agreements between their customers and their researchers. That’s all interesting stuff, and it’s coming up later.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Snake Oilers 5 part 2: Penten talks Honey Docs, Trend Micro on its latest

Vendors selling the steak, not the sizzle...

Snake Oilers is a wholly sponsored podcast where vendors pay to pitch their tech at you, the listeners. Last week we heard from Rapid7, Mimecast and VMRay, but this week we’ve got two more pitches for you. First up we’re going to hear from Penten, an Australian based company that is doing some genuinely interesting stuff with honey documents.

Also in this edition we’ll be chatting with the team at Trend Micro. And this isn’t really about pitching a product – there more here to combat messaging coming out of newer EDR companies who are portraying established vendors like them as out of touch.

As listeners would know, beating up the incumbent AV companies is one of my hobbies, so basically Trend Micro’s Eric Skinner and Eric Shulze will be along this week to tell me why I’m an idiot. They’re also going to make a strong case for independent AV testing – it’s something the industry has struggled with for a long time, but they say they want it to happen more than ever.

Risky Business #491 -- The biggest infosec news week we've ever seen

We can barely believe all that's happened in the last seven days...

What a week, huh? As you’ll soon hear it’s been an absolute monster week for infosec news. Top of the list is the Cambridge Analytica scandal. For those who haven’t had time to catch up on this one, a former staffer from the data analytics firm has given some interviews in which he says the company scraped 50 million Facebook profiles and used that data to target US voters with political messages on behalf of Donald Trump’s campaign. Obviously this has made people feel quite uncomfortable, everyone is mad at Facebook and it’s news everywhere.

It also looks like Facebook CSO Alex Stamos is on his way out due to events entirely unrelated to this.

Also in this week’s show we’ve got:

  • Iranians trying to blow up Saudi Arabian chemical plants
  • Americans blaming Russia for attacks on its energy grid
  • Kaspersky blowing LIVE SOCOM ops against Al Qaeda and the remnants of Islamic State
  • The UK vowing to exact revenge on Russia via “cyber” retaliation over the Skripal affair

There is no feature interview in this week’s show, we’re going long on news, but this week’s sponsor interview is absolutely fantastic. It’s with Haroon Meer, head honcho over at Thinkst Canary.

He’s not here to talk about anything really related to products this week, instead we’re going to talk about CISO stuff. He’ll be thoughtlording the absolute sh*t out of you all this week.

Haroon thinks breached organisations are getting off too lightly in the current infosec climate because people are scared to victim shame. As you’ll hear, he thinks there’s just no excuses for how some high profile data breaches have occurred and says more CSOs should be prepared to die on the right hills to stop their companies engaging in straight up suicidal behaviour. It’s great for security to be an enabler, but that doesn’t mean signing off on whatever anyone wants to do.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Snake Oilers #5 part 1: Rapid7 Insight Phish, VMRay's updated platform and mail filtering with Mimecast

Roll up roll up get your magical snake oil here!

As most of you know this isn’t the regular weekly show, this is a special edition we publish four times a year, and as you may have guessed from the title, this is the Risky Business podcast where vendors pay for time to pitch their products to you, the listeners.

And we’ve actually got some great pitches for you today. We’ll be hearing from Rapid7 first – they’ve developed a new addition to their Insight platform – Insight Phish. There are already so many phishing simulation tools out there, so we’ll hear from Justin Buchanan on why Rapid7 has gone down this path. He actually makes a pretty compelling argument on why they’ve bothered. Simulation is just one part of Insight Phish, the other part is response.

They’ve kind of closed the loop on that, so if you’re already a Rapid7 customer you’ll probably be VERY interested in Insight Phish. And even if you’re not it might get you looking at their stuff!

Then we’re going to hear from the team at VMRay. VMRay makes a cloud-based binary analyser for all you DFIR types. They’re a German company founded on the back of the founder’s PhD. They actually raised millions of dollars in funding in 2016 from German investors. I know I want to hear from any company that convinced Germans to invest large sums of money! They’ve released a new version of their product and they’ll be telling us a bit about that.

And finally we’re going to hear from Mimecast. And you know what? Mail filtering is a hard thing to pitch – most of the functionality is completely opaque to the user. So the Mimecast team will be along in our final pitch of the day to explain to you all what you should be asking of your email filtering provider. It’s actually really good generic advice… surprisingly neutral advice, too, so stick around for that!

Links to all our sweet, sweet Snake Oiler offerings are below!

Risky Business #490 -- North Korea, "cyber norms" and diplomacy

The DPRK is the Soprano Family of APT groups...

On this week’s show we’re taking a look at how an acceleration in 24-carat bonkers state-sponsored hacking is leading to calls at senior levels of government for some actual norms to be established. We’ve got Russia hacking the planet with NotPetya, North Korea owning central banks and cryptocurrency exchanges, China owning the CCleaner supply chain and… well.. it’s all getting a bit much.

So in this week’s feature segment we’re going to zero in on one norm-breaking country, North Korea. We’ll hear from John Hultquist of FireEye and Adam Meyers of Crowdstrike on that.

As you’ll hear, countries like North Korea are pushing the limits of what they can get away with on the Internet and friendlier states are desperately trying to establish what the boundaries for good faith actors should actually be. We’ll hear from Australia’s cyber ambassador Tobias Feakin on that part of the discussion, courtesy of some audio gifted to the Risky Business podcast by Australian journalist James Riley. That’s a fun package and it’s coming up after the news.

This week’s sponsor interview is with Zane Lackey of Signal Sciences. Zane joins us to talk about a few things – how developer teams are increasingly making their own security decisions and how that’s actually a good thing… we’ll also talk about companies that have found themselves operating on multiple cloud platforms even though they didn’t plan for it.

Adam Boileau, as usual, is this week’s news guest.

We cover:

  • The AMD bugs
  • China’s tightening grip on security research
  • Slingshot APT
  • Christopher Wray’s mind bogglingly daffy comments on key escrow

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #489 -- (Deep) Fake News

Seeing isn't believing anymore...

On this week’s show we’re chatting with Professor of Law at the University of Maryland Danielle Citron about an article she co-authored on so-called “deep fake” videos. Citron and Bobby Chesney wrote a fascinating piece about the privacy and national security implications of this latest trend and we’ll be talking to her about that a little bit later on.

In this week’s sponsor interview we’re chatting with Julian Fay, CTO of this week’s sponsor Senetas. We talk to him about how encryption hardware industry is responding to the looming spectre of quantum computing.

As you’ll hear, standards bodies are already rolling out draft implementations of quantum-resistant algorithms that companies like Senetas will be baking into their kit as additional layers of protection.

Adam Boileau, as usual, is this week’s news guest.

We cover:

  • Massive memcached DDoS attacks
  • Trustico having a bad week
  • Reported flaws in 4G/LTE
  • Uber breach lawsuit
  • …and more!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Alphabet Chronicle co-founder Mike Wiacek talks Virus Total Intelligence

The company's secret platform is still under wraps, but there's plenty to talk about...

This isn’t the regular weekly show, Soap Box is the podcast where vendors pay to appear to talk about big picture stuff, or really anything they want.

Unless you’ve been living under a rock lately you’d know that Google’s parent company Alphabet announced the spinoff of an enterprise information security company. They’ve named it Chronicle, but beyond that it’s all a bit mysterious. Unlike other startups that stay super stealth until they launch their product, Alphabet basically realised that as it already has its platform out there under beta test with a bunch of organisations the creation of the company would eventually leak, and that would have been a mess from Alphabet’s point of view. So, their solution was to announce the company before it’s ready to ship its product.

I would love to tell you that they’re going to drop all the juicy details in this podcast but they’re not. They’ll drop some hints, but for now, Chronicle’s mystery platform will remain that: a mystery.

But that’s not to say there isn’t some other stuff to talk about. As a part of the spinoff, Virus Total is now a part of Chronicle. And you know what? There’s a lot more to Virus Total, in particular Virus Total Intelligence, than I realised. That’s partly because Alphabet hasn’t really done much marketing around it, and this is a kind of first step down that path.

So in this podcast you’re going to hear from two people from Chronicle – Rick Caccia who is the chief marketing officer, he’s mostly chiming in to explain a little bit about the new company – and Mike Wiacek, the CSO and co-founder of Chronicle. He’s going to be telling us about all the features of Virus Total that you probably didn’t realise exist. Did you know if you have a VTI account you can run YARA rules against everything that comes in to Virus Total? And you can apply the rules retrospectively to see what shakes out? And that they have graph and clustering features? And … and … and … you get the idea.

I hope you enjoy this podcast!

Risky Business #488 -- Stop users recycling passwords with the pwned passwords API

Troy Hunt talks about the v2 release of pwned passwords...

On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.

It’s making some waves already. It’s a genuinely interesting, free service.

In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all thing blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.

JP will talk us through some of the bug classes he sees as well as talk about the work trail of bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Etherum Virtual Machine.

Adam Boileau, as always, is this week’s news guest.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Bugcrowd CTO Casey Ellis on bounty innovation, PII norms and defensive bounties

If you're at all interested in bug bounties and crowdsourced security, listen to this...

This edition of Soap Box is brought to you by Bugcrowd. So the next 40 minutes or so is a conversation between Bugcrowd CTO and founder Casey Ellis and I.

As most of you would know, Bugcrowd runs outsourced bug bounty programs for a wide variety of organisations, from Silicon Valley megabrands to financial services to development-heavy SMEs, Bugcrowd is there.

And what a time it is for the bug bounty business. There’s a lot of attention on the bug bounty concept at the moment – we even saw a senate subcommittee hearing on them take place earlier this month. It’s a competitive sector, too.

In this podcast Casey tells us about a few things, like what Bugcrowd is doing to try to add some innovation to bug bounty programs. As you’ll hear, he’s actually got some really great ideas. I came into this as a bit of a sceptic, as in, how can you innovate around something as simple as a bug bounty program? It turns out you can. We also try to make the case that bug bounties are an established part of infosec now; a boring part of the mix.

So we cover off some interesting stuff Bugcrowd is doing, then we talk about how the bug bounty provides types might be able to actually engage their crowds in defensive work.

Risky Business #487 -- Guest Katie Moussouris on her recent Senate Subcommittee testimony

Plus Mark Maunder of Wordfence on challenges in the Wordpress ecosystem...

On this week’s show we’re going to chat with Katie Moussouris about her testimony before a Senate Subcommittee last week. She fronted a session on Consumer Protection, Product Safety, Insurance, and Data Security titled, “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers. We’ll hear from her on how all that went and what she hopes the US government learned from the committee panel.

Also this week we’ll be hearing from Mark Maunder of Wordfence, that’s this week’s sponsor interview. Wordfence sells a Wordpress security plugin. There have been some interesting developments in the Wordpress world over the last week that are definitely worth covering. Wordpress actually pushed an update to core that actually disables future auto updates. Yikes.

We’ll find out how long that update was out, what percentage of the Wordpress ecosystem swallowed it, and we’ll also talk about about a couple of dysfunctional things happening in the Wordpress ecosystem.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #486 -- Locking down AWS permissions with RepoKid

Plus all the week's security news...

On this week’s show we’re chatting with Travis McPeak at Netflix about a tool they’ve developed called RepoKid. It automatically strips unused AWS permissions, which I’m guessing a lot of you will find quite useful.

We’ll also chat with Dan Kuykendall in this week’s sponsor interview. Dan works for Rapid7, and they’ve been doing some interesting stuff with their agents, basically tweaking them to give better visibility of application security issues and exploitation attempts. T

hat conversation is really about how security firms these days are using the agent footprint they have to just do whatever they can.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

  • AutoSploit arm waving
  • Lauri Love beating extradition
  • Nik Cubrilovic’s arrest
  • MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #485 -- Infosec startups overfunded, good exits unlikely

Kelly Shortridge joins the show to discuss disturbing investment trends...

On this week’s show we’re checking in with Kelly Shortridge and the topic is zombies. Not the botnet kind, the heavily-VC-backed kind.

A recent report from the Reuters news agency highlighted the amount of VC pouring into the so-called “cyber” industry vs the amount of money actually coming out of it in the form of profitable exits isn’t matching up. The industry is filling up with so-called zombie companies – they’ll never exit, but they’re not going to completely die, either.

As it turns out, Kelly recently did a presentation on precisely this topic, so in this week’s feature we get her take on why this is happening and what’s likely to change. The tl;dr is something will have to give in the next couple of years, and it’s going to be ugly.

In this week’s sponsor interview we check in with Jordan Wright of Duo Security. Jordan has done some research into phishing kits. While phishing isn’t the sexiest topic, the team at Duo has actually done some pretty comprehensive research here – they looked at thousands of kits and pulled out some interesting stats.

We’ll talk to him about that, and also about the likelihood that U2F hardware will soon be baked into consumer devices. That’s really going to change things in years to come.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

  • Strava heatmap
  • Dutch infiltration of Cozy Bear
  • Possible nationalisation of the US 5G network on security grounds
  • Microsoft disabling Intel Spectre patches
  • Google’s Chronicle announcement
  • US$400m Cyptocurrency ownage
  • MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #484 -- What's up with the new 702?

Lawfare Blog co-founder and UT Austin law professor Bobby Chesney talks surveillance law updates...

On this week’s show we’ll be taking a look at the freshly re-authorised section 702 of the FISA act. As you’ll soon hear, the updated section now allows the FBI to search data captured under 702 programs for evidence against US citizens in a bunch of circumstances, including, drum roll please, during investigations with a cyber security tilt.

The co-founder of the Lawfare blog, law professor and Associate Dean for Academic Affairs at the University of Texas Ausin, Bobby Chesney, will be along in this week’s feature to talk about all of that!

In this week’s feature interview we’re joined by Haroon Meer of Thinkst Canary. Haroon will be along to talk about the effectiveness of various honey tokens. Thinkst has been playing around with this stuff for a couple of years now, and Haroon will be joining us to talk about how they’ll will wind up being used in an enterprise context. How do you get detection canaries to scale? That’s coming up later.

Adam Boileau, as always, pops in to discuss the week’s news. It’s been a relatively calm week, but we’ve got some interesting news about botched Spectre patches and a discussion around a sensational report about Kaspersky Lab published by Buzzfeed in conjunction with Russian outlet Meduza.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #483 -- Internet censorship in Iran, China

Collin Anderson joins the show to talk about the politics of 'net censorship...

On this week’s show we chat with Collin Anderson about Iranian internet censorship, as well as how sanctions on Iran led Google to block app engine access within Iran.

That’s a problem for Signal users there, because when the primary Signal servers are blocked, the software falls back to a domain-fronting approach that uses… drum roll please.. Google App Engine.

That’s a pretty wide ranging discussion of ‘net censorship in Iran and ‘net censorship generally and that’s coming up after the news.

This week’s show is brought to you by Bugcrowd, big thanks to them for that. In this week’s sponsor interview we’ll chat with Bugcrowd trust and security engineer Keith Hoodlet about some work they’ve been doing on producing detailed remediation information for their clients.

Adam Boileau is also along, as always, to discuss the week’s security news. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #482 -- Meltdown and Spectre coverage without the flappy arms

Matt "pwnallthethings" Tait helps us understand these interesting flaws...

On this week’s show Matt “pwnallthethings” Tait joins the show to walk us through the so-called Meltdown and Spectre bugs. Most of the coverage of the flaws has either been massively hyped or detail-free, and Matt pops by to untangle the whole mess. He does a great job of it, too.

This week’s show is brought to you by Cylance. CTO Rahul Kashyap will be along in the sponsor chair to talk about why so many AV packages were causing Windows boxes to BSOD when Microsoft pushed its Meltdown patch.

Adam Boileau is back in the news hotseat, and boy oh boy do we have a lot to cover. Show notes are below, and you can follow Adam or Patrick on Twitter if that’s your thing.