Podcasts

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• New executive order paved way for Huawei ban
• Google pulls service from Huawei
• No wait, that’s not right, it’s for new handsets
• The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue?
• I’m so confused
• ¯_(ツ)_/¯
• Israeli broadcaster fingers Hamas over Eurovision coverage hack
• New moves to regulate offensive cyber services
• Salesforce has a bad time
• Instagram influencers have a bad time (Hah!)
• OGUsers pwned
• Much, much more

This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well.

Jake was just at a MITRE conference in Brussels that was all about the Attack Matrix. He’s joining me this week to have a bit of talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

In recent days at least one news outlet has sought to sow the seeds of distrust around end-to-end encryption.

Unfortunately this means a number of people are now under the impression that secure messaging apps are pointless because one’s phone could be hacked via other means, rendering all encryption obsolete. This is a bad, retrograde take, but that’s not to say that WhatsApp is without its issues.

You can argue about degrees, but WhatsApp is unquestionably a product of the surveillance capitalist ecosystem. Eventually it will evolve to monetise the digital exhaust of our interactions, or in terms Harvard professor Shoshana Zuboff puts it: using private human experience as raw materials in a behavioural data rendering process which is designed to herd and tune us towards profitable outcomes.

The suppliers of widely-adopted secure communications should not also be the controllers of this behavioural modification market. Any application claiming to offer privacy must be entirely disentangled from the interests of these parties. Apple has had a crack with iMessage, but sadly its products remain out of reach to most of the world. iPhones are bloody expensive, and not everyone can afford to pay a ridiculous premium on a shiny phone so their personal communications don’t wind up as a part of a data set flagged for monetisation.

Here’s the trap: digital consumer platforms like WhatsApp offer an incredibly attractive bargain to consumers. Unlike the platform-locked iMessage, they’re cross-platform, free, easy, and offer relatively robust security protections. And they’ve become central to the modern, digital experience.

Google’s mail infrastructure is another great example. At the moment it’s the best we can hope for when it comes to nudging the average user towards some form of agreeable security mixed with ease. There are many alternative email platforms which are more ethical, transparent, and in my personal opinion offer a more friendly experience, and I will routinely try and herd people towards them, but most folks simply don’t want to complicate their lives.

Some in the information security world blame this on human laziness, but that’s off the mark. There’s a fundamental difference between being lazy and wanting less hassle. The implementation of fiddly alternatives and self-made servers is a wholly unappealing thought for anyone not heavily invested in the field of information security, and letting the end user run free with their own code and implementation makes them far more vulnerable to hacking and things being set on fire.

Having personalised ads constantly shoved in your face is the 21st century bargain we’ve accepted as the trade-off for access to these services.

But let’s imagine a lovely, meditative scenario where we dismantle Google Mail and move everybody to another platform. To make this tempting for millions of people we’d have to uproot the workplace document storage environment, around two dozen regularly used interconnected applications that cover time-keeping, finance, and data, an entire branch of mobile phone operating systems, and who knows how many “stored preferences” that interconnect all of the things the average person enjoys on a daily basis. It’s a technology soup that’s borderline impossible to unmix.

With all of that in mind, it’s extremely unfair to call anyone out for being unwilling to step back from these monopolies, because key elements of their life are tied directly to them. It’s an alarming reality, and one that needs to be broken down in small chunks and whacked at with a machete until the path is finally clear to proceed.

WhatsApp’s main appeal to the masses is not its secure, end-to-end encryption, but its general simplicity. For those that aren’t largely tech-savvy, it’s arguably the most accessible mobile communication interface, both at an application and psychological level.

The fact that tens of millions of people are now, without even needing to understand it, using necessary high level encryption protocols in their real-time messaging is just a happy accident. 99% of WhatsApp’s users more than likely have no idea how E2E encryption works and they don’t even particularly care about it.

That’s fine. It exists, in the background, as a very fortunate byproduct of the attraction of the other, shiny, appealing traits of the platform, which as we all know tend to focus on things like talking to people quickly, setting up connections with family members, accessing and disseminating media from various sources in seconds. The things humans like doing on a regular basis while exerting as little energy as possible.

But is that good enough? For a while, but not in the long term. WhatsApp is not the endgame. It’s certainly moved the dial in terms of readily-available security for everyday conversation, but people deserve better. More accurately, we need less of specific things. Less “would you like to back up your messages weekly to the cloud,” less “connect with Facebook,” less “opt-in to exactly what we say or we won’t give you X”.

Establishing a sustainable model for secure communications providers is a daunting prospect for those who must eventually become “the new WhatsApp”. I believe the very competent teams behind similar apps such as Signal, Wire, and Threema are going to be at the heart of the eventual shift into the new era of communication, but it’s impossible to say at this moment in time how that shift will pan out.

In the meantime, though, let’s keep our eye on the ball. There are reasons to be wary of WhatsApp, but attacking end-to-end encryption as a “gimmick” is a rotten red herring that belongs in the bin.

Jake Davis is a former global hacker terrorist menace who now works in a creative young person job that I don’t quite understand I dunno ask him his twitter account is here.

This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about.

Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look.

Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues.

It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASPY-style attacks.

Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there.

Enjoy!

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• NSO Group WhatsApp vuln coverage goes nuclear
• Activists targeted by NSO malware in hiding in west after CIA tipoffs
• Cisco Trust Anchor drags on sea floor
• Linux kernel bugs likely overhyped
• Adobe patches insane number of CVEs
• Microsoft patches rumoured GCHQ VEP’d RDP bug
• New hardware bugs affect Intel processors
• SHA-1 collisions become much more practical
• Major US anti-virus firms owned hard

This week’s sponsor interview with Ryan Kalember of Proofpoint. Ryan is a listener, and when he heard Adam talking about how password rotations actually result in crappy passwords, it hit a nerve with him. He says Proofpoint, via its CASBY product, is seeing a lot of targeted credential stuffing campaigns cycling through variations of passwords that have appeared in dumps.

Apparently the bad guys are hip to what a typical password rotation variation looks like and they’re using this knowledge to better direct their cred stuffing attempts.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• IDF takes out Hamas cyber HQ (Features commentary from Bobby Chesney and Klon Kitchen)
• NYTimes mangles Symantec’s “Buckeye” research
• Lots of dark web arrests
• SAP exploits not all they’re cracked up to be
• Magecart-style attacks spread to other platforms
• Tech-led crackdown on Chinese-muslims intensifies
• Japan to create “defensive malware”

This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

This isn’t the regular weekly risky biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors!

In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, that one used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it?

Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them.

In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product.

Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception hybrid hardware/consulting, that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Docker Hub owned
• That Confluence bug we were talking about a couple of weeks ago got wormified
• Oracle WebLogic users also having a bad time
• Cloudflare faces investor pressure over providing services to Nazis
• Slack warns investors of possible nation-state attacks against it
• Norsk Hydro puts dollar value on ransomware incident
• Bloomberg publishes another ridiculous security story
• Much, much more!

This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd.

As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay.

But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Marcus Hutchins faces his milkshake duck moment
• Iranian APT crew gets Shadowbrokersed
• DNS interference campaign is actually two large-scale actors
• UK to use some Huawei components in 5G build
• French Government launches comms app for politicians, it doesn’t go well
• More detail on CCleaner/ASUS crew
• Carbanak source found on VT (lol)
• Wall Street Market exit scams
• BEC costing US firms $1.3bn PA
• Much MOAR!

This week’s show is brought to you by Signal Sciences, their CEO Andrew Peterson will be along in this week’s sponsor interview to have a bit of a chat about how a lot of traditional enterprises are running serious business web app shops these days.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this edition of Snake Oilers you’ll be hearing from three vendors offering what I believe to be excellent security technology. I haven’t personally used this tech, but conceptually everything featured in this edition is The Good Stuff. You’ll see. Or hear. You know what I mean.

First up we’ll be hearing from CMD, they make killer software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts you have to run on your Linux fleet terrify you? Well, this is a solution for that. There’s a visibility component there, too.

Then we’ll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics, but they’ve expanded their tech and now offer IP-based and http request-based analytics. You can deploy AlphaSOC as a Splunk app or hook up to their API any other way you want. They’re offering free trials, but even when you’re on the paid service it’s actually pretty affordable.

The brain behind AlphaSOC is Chris McNab who used to run incident response at NCC Group. He’s seen how the planes crash into the mountains and he has created a product that performs eminently sensible analysis on your traffic and metadata to alert you to badness.

Then finally we’ll be hearing from Nucleus. This is a new company and if your job is managing vulnerabilities and vuln scanners in your org then straight up, just skip to the Nucleus interview immediately. They’ve created a web app that normalises vulnerability scanning information. It’ll take the outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Qualys, Acunetix AND others.

It ingests all of this data, normalises it, then plumbs these alerts through to the right people through a multitude of different ticketing systems. If your’e stuck in the 7th layer of Sharepoint or Spreadsheet vulnerability management hell, this is a solution to your problems. You will weep salty tears of joy when you hear this one. Free trials of Nucleus are also available.

Links to the companies featured are below!

On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news:

• Julian Assange arrested, likely to be extradited to the USA
• Krebs: Breach at outsourcing firm Wipro
• WordPress 0day drama causing serious headaches
• Silk Road 2’s “DPR2” sent to slammer
• More from Kaspersky SAS

This week’s show is brought to you by Thinkst Canary! Thinkst founder Haroon Meer will be along in this week’s show to talk about the effect venture capital is having on the security ecosystem. He thinks VC money often makes weak ideas look strong, and in a market where it’s quite difficult to make informed purchasing decisions, that’s not a good thing.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.