Podcasts

As regular listeners know, this isn’t the weekly Risky Biz news and current affairs show, if you want that, scroll back in the podcast feed to the previous podcast. This is a Soap Box edition, a solely sponsored podcast series we do here at Risky Biz where vendors pay us to come on to the show to talk about, well, whatever they want, really.

We’ve heard Duo Security talking about WebAuthn, we’ve got one with Proofpoint coming up that’s about insights they’ve gleaned from filtering such ridiculous amounts of email.

But in this edition, Garret Grajek from BlackBerry Cylance will be along to talk about its new product, Cylance Persona. This latest product is kinda out of the box, it’s a machine learning classifier that you install on the endpoint that learns what the typical user behaviour looks like. Once the observed user behaviour starts diverging from what’s expected, it can perform actions – like kicking up for 2fa, locking the user out, whatever you want, really.

It’s a novel approach to dealing with compromised endpoints. Two factor authentication is great, but if your endpoints are hosed that doesn’t really count for much. And that’s really what this new gear is about.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• NYTimes reports USA is getting all up in Russia’s grids
• Kremlin not happy
• CYBERCOM targets Iranian rocket control and APT crews
• TRITON attackers target US grid
• Turla completes hostile takeover of Oilrig
• Reuters publishes huge feature on Cloudhopper/APT10
• China pwns global telcos, targets key subscribers
• FVEY owns Yandex
• Tourists entering Xinjiang now have mobile malware installed at border
• Florida city governments having a bad time
• Much, much more!

This week’s edition of Risky Business is brought to you by Senetas. They make layer 2 encryption tech, but they’ve also got a content disarm and reconstruction play now, Votiro, as well as their safe file sharing platform SureDrop. But we’re sticking with encryption in this week’s sponsor interview. Senetas CTO Julian Fay will be along a bit later to talk about his trip to the International Crypto Module Conference. He’ll fill us in on what the agenda was there – lots of talk about quantum resistant crypto and also some talk about streamlining various certification regimes.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

This is the first edition of a new series of podcasts we’re doing here at Risky.Biz that will focus on cyber policy issues. The Hewlett Foundation approached us a while back to see if we’d be interested in doing this series we jumped at the opportunity.

The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea is pretty simple: we can talk to some of Hewlett’s grant recipients or experts in its network about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policy people.

Our first cab off the rank is this interview with Jim Baker. He joined the Department of Justice in 1990 and rose through the ranks to become the FBI general counsel in January 2014, a position he held until December 2017. So of course he was running all things legal for the FBI during the Apple-FBI dispute over a locked iPhone 5C recovered from the gunman responsible for the San Bernardino shooting.

Baker was the US Government’s point man on all things encryption, taking stances that outraged technologists and reinvigorated a policy debate that had – at least to a degree – stagnated for years. These days, Jim Baker serves as Director of the R Street think tank’s National Security and Cybersecurity Program.

This interview focusses on the so-called encryption wars. The FBI and other law enforcement/intelligence agencies want better access to encrypted material, while technologists say that’s impossible to accomplish without introducing unacceptable risks into the technology ecosystem. Baker shares his view on the topic.

The Australian government law enforcement and intelligence agencies guide to the Assistance and Access Act, which is mentioned in the introduction to the podcast, can be found here. (Ironically enough, served over http!)

PLEASE NOTE: Jim Baker joined our meeting via a phone call, so the audio quality here isn’t up to our usual standards. Sorry about that!

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news, including:

• CBP loses photo and license plate database
• Some Android phones shipped with backdoor
• Info on Google’s cloud outage
• USG ramps up “defend forward”
• Trump and Mnuchin can’t get their stories straight on Huawei
• The latest from Baltimore, more on that RDP bug
• TalkTalk hacker sentenced
• Much, much more

This week’s show is brought to you by Remediant! Remediant CEO Tim Keeler will be along this week to have a chinwag. We’ll talk about how simple security tech is really en vogue these days and how that’s a good thing.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• NYTimes story on EternalBlue and Baltimore is bunk
• An RDP worm is feeling kind of inevitable
• Iran is still getting Shadowbrokersed
• Intercept has a great feature on SID Today dumps
• Australian Federal Police crack down on national security journalism
• Phantom Secure CEO gets nine years and loses $80m
• Silk Road 2.0 admin must be an amazing snitch
• Another Bitcoin tumbler bites the dust
• Much, much more

This week’s sponsor interview is with Marco Slaviero of Thinkst Canary.

Marco is joining us this week to talk about how he thinks web application-based deception techniques are kind of a waste of time right now. We talk about how deception approaches work best in privileged domains, then we talk about how security teams do better when they have a dedicated ops developer.

Adam Boileau couldn’t make it this week, but that’s ok because we’ve got former Facebook CSO and current Stanford adjunct professor Alex Stamos filling in for him in today’s show. He’ll be talking through all the week’s security news, including:

• NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
• Assange to face espionage charges, extradition fight looming
• SanboxEscaper just keeps dropping those 0days
• Fury over Facebook’s response to doctored Pelosi video
• Much, much more

This week’s sponsor interview with David Warburton of F5 Networks. You know F5 as a blinky-light box manufacturer. Load balancers, SSL termination, that sort of stuff. Not exactly a growth industry at the moment, so they’re pivoting.

They’ve dropped $670m on NGINX – f5 now owns the NGINX company – and they’re making all sorts of moves in the appsec space. That interview is mostly about F5’s business, but I found it interesting because what do you do when you’re an $8bn company that makes data-centre equipment and that industry starts going into decline?

Links to everything discussed are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

This is not the regular Risky Business weekly show, the Soap Box series of podcasts that run on Risky.Biz are wholly sponsored. Everyone you hear in Soap Box paid to be here.

With that disclaimer out of the way, this is actually a really interesting conversation. Carsten Willems is the co-founder and CEO of VMRay, a company that makes… well.. what do you call it? Is it an incident response tool? Is it a detection tool? Or is it just a good hypervisor-based sandbox that you can use to do both of those things?

I’m going to say it’s the third – VMRay is a company that makes a great hyper-visor sandbox and has applied that technology to both response and detection.

In an ideal world you’d have a team of malware reversers on staff pulling apart every single binary that looks shady. But this isn’t a perfect world, so that’s never going to happen. So the original use case that Carsten and his team set out to solve was around automating malware reversing. They build a hyper-visor based sandbox that’s very hard to bypass, you can run your standard build on it, throw binaries and documents at it and see what blows up. That’s really the primary use case here.

But there is a second use case, which is detection. VMRay can give you a pretty decent risk score on samples, and they’ve entered into a few OEM arrangements with vendors to provide that extra level of detection.

I’d never met Carsten Willems before we prepared this podcast, but it’s safe to say we hit it off. This podcast basically turned into Carsten telling his story, the story of where VMRay came from and where he wants it to go. Enjoy!

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• New executive order paved way for Huawei ban
• Google pulls service from Huawei
• No wait, that’s not right, it’s for new handsets
• The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue?
• I’m so confused
• ¯_(ツ)_/¯
• Israeli broadcaster fingers Hamas over Eurovision coverage hack
• New moves to regulate offensive cyber services
• Salesforce has a bad time
• Instagram influencers have a bad time (Hah!)
• OGUsers pwned
• Much, much more

This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well.

Jake was just at a MITRE conference in Brussels that was all about the Attack Matrix. He’s joining me this week to have a bit of talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

In recent days at least one news outlet has sought to sow the seeds of distrust around end-to-end encryption.

Unfortunately this means a number of people are now under the impression that secure messaging apps are pointless because one’s phone could be hacked via other means, rendering all encryption obsolete. This is a bad, retrograde take, but that’s not to say that WhatsApp is without its issues.

You can argue about degrees, but WhatsApp is unquestionably a product of the surveillance capitalist ecosystem. Eventually it will evolve to monetise the digital exhaust of our interactions, or in terms Harvard professor Shoshana Zuboff puts it: using private human experience as raw materials in a behavioural data rendering process which is designed to herd and tune us towards profitable outcomes.

The suppliers of widely-adopted secure communications should not also be the controllers of this behavioural modification market. Any application claiming to offer privacy must be entirely disentangled from the interests of these parties. Apple has had a crack with iMessage, but sadly its products remain out of reach to most of the world. iPhones are bloody expensive, and not everyone can afford to pay a ridiculous premium on a shiny phone so their personal communications don’t wind up as a part of a data set flagged for monetisation.

Here’s the trap: digital consumer platforms like WhatsApp offer an incredibly attractive bargain to consumers. Unlike the platform-locked iMessage, they’re cross-platform, free, easy, and offer relatively robust security protections. And they’ve become central to the modern, digital experience.

Google’s mail infrastructure is another great example. At the moment it’s the best we can hope for when it comes to nudging the average user towards some form of agreeable security mixed with ease. There are many alternative email platforms which are more ethical, transparent, and in my personal opinion offer a more friendly experience, and I will routinely try and herd people towards them, but most folks simply don’t want to complicate their lives.

Some in the information security world blame this on human laziness, but that’s off the mark. There’s a fundamental difference between being lazy and wanting less hassle. The implementation of fiddly alternatives and self-made servers is a wholly unappealing thought for anyone not heavily invested in the field of information security, and letting the end user run free with their own code and implementation makes them far more vulnerable to hacking and things being set on fire.

Having personalised ads constantly shoved in your face is the 21st century bargain we’ve accepted as the trade-off for access to these services.

But let’s imagine a lovely, meditative scenario where we dismantle Google Mail and move everybody to another platform. To make this tempting for millions of people we’d have to uproot the workplace document storage environment, around two dozen regularly used interconnected applications that cover time-keeping, finance, and data, an entire branch of mobile phone operating systems, and who knows how many “stored preferences” that interconnect all of the things the average person enjoys on a daily basis. It’s a technology soup that’s borderline impossible to unmix.

With all of that in mind, it’s extremely unfair to call anyone out for being unwilling to step back from these monopolies, because key elements of their life are tied directly to them. It’s an alarming reality, and one that needs to be broken down in small chunks and whacked at with a machete until the path is finally clear to proceed.

WhatsApp’s main appeal to the masses is not its secure, end-to-end encryption, but its general simplicity. For those that aren’t largely tech-savvy, it’s arguably the most accessible mobile communication interface, both at an application and psychological level.

The fact that tens of millions of people are now, without even needing to understand it, using necessary high level encryption protocols in their real-time messaging is just a happy accident. 99% of WhatsApp’s users more than likely have no idea how E2E encryption works and they don’t even particularly care about it.

That’s fine. It exists, in the background, as a very fortunate byproduct of the attraction of the other, shiny, appealing traits of the platform, which as we all know tend to focus on things like talking to people quickly, setting up connections with family members, accessing and disseminating media from various sources in seconds. The things humans like doing on a regular basis while exerting as little energy as possible.

But is that good enough? For a while, but not in the long term. WhatsApp is not the endgame. It’s certainly moved the dial in terms of readily-available security for everyday conversation, but people deserve better. More accurately, we need less of specific things. Less “would you like to back up your messages weekly to the cloud,” less “connect with Facebook,” less “opt-in to exactly what we say or we won’t give you X”.

Establishing a sustainable model for secure communications providers is a daunting prospect for those who must eventually become “the new WhatsApp”. I believe the very competent teams behind similar apps such as Signal, Wire, and Threema are going to be at the heart of the eventual shift into the new era of communication, but it’s impossible to say at this moment in time how that shift will pan out.

In the meantime, though, let’s keep our eye on the ball. There are reasons to be wary of WhatsApp, but attacking end-to-end encryption as a “gimmick” is a rotten red herring that belongs in the bin.

Jake Davis is a former global hacker terrorist menace who now works in a creative young person job that I don’t quite understand I dunno ask him his twitter account is here.

This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about.

Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look.

Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues.

It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASPY-style attacks.

Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there.

Enjoy!