Risky Business #496 -- The China supply chain problem

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and really get an idea of what supply chain risks look like from a macro level. The long and the short of it is the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here.

This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff.

In this week’s news we cover off:

  • Mysterious BGP route hijacking for lame Ether theft (??)
  • Google disabling domain fronting
  • Canadian teen charged with downloading documents from a website
  • City of Atlanta spending $2.6m to recover from its ransomware event
  • RSA’s conference app fail
  • White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!)
  • Much more

The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.

Running time: 61:11

Risky Business #495 -- Russian Internet users are having a bad time

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

We’re still running in a trimmed down format this week, sorry about that. Regular listeners would know we’ve been dealing with some unexpected stuff over here in the house of Business, but the good news is things have settled down and we’re actually back home after more than three weeks away. Things are looking good for a return to a full format show either next week or the week after.

But don’t worry, there’s plenty of good stuff in this week’s news segment with Mark Piper, including:

  • Russia blocking 15m cloud service IPs to shut down Telegram
  • RU router hax: Are they a big deal?
  • FBI’s “going dark” narrative questioned
  • Rob Joyce departs White House
  • ZTE in all sorts of trouble
  • AND MOAR

This week’s show is brought to you by Cylance. Jim Walter of Cylance will be along in this week’s sponsor interview to talk about a couple of things – we’ll be looking at “fileless” malware – for what it’s worth it’s a term that we both hate – and we’ll also be talking about how complete amateurs are now able to run reasonably sophisticated malware campaigns these days thanks to the badware for hire business getting even more slick.

The show notes/links are below, and you can follow Pipes or Patrick on Twitter if that’s your thing.

Running time: 46:55

Risky Business #494 -- Cisco customers have a bad week, plus a deep dive on WebAuthn

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

Regular listeners would know Risky Business is just running the news and sponsor segments at the moment so there’s no feature interview in this week’s show. But that’s fine because we’ve got plenty to get through in the news segment with Adam Boileau.

Then we’ve got a killer sponsor interview for you this week with Nick Steele and James Barclay of Duo Security.

They’re here to talk about WebAuthn. It’s the new authentication spec currently going through the W3C process. Both Nick and James will be along later to talk about what the spec is designed to do, how it works and what its chances of becoming mainstream are, and spoiler alert, those chances are pretty good.

They’ve also provided me with some links for people out there who want to play around with WebAuthn; they are below.

Links to all the news items are also below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Running time: 40:54

Risky Business #493 -- SWIFT, pipeline attacks, Chrome's AV feature and more

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week’s show is just the news segment and sponsor interview. But, as always, there’s plenty to discuss with our news guest Adam Boileau!

In this week’s sponsor interview we’ll be hearing from Timothy Keeler from Remediant.

Remediant is a small but growing company that does privileged account management stuff, but they’re not a password vault. Tim’s joining us this week to walk through some of the challenges of managing privileged access in devops environments and also to talk a bit about some of the challenges around single sign on and privilege management. It’s all good stuff, and it’s coming up after the news.

Links to all the news items are below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Running time: 44:33

Risky Biz Soap Box: Network detection is dead! Long live network detection!

Presented by Patrick Gray (CEO and Publisher)

This Soap Box edition is brought to you by ICEBRG.

ICEBRG is in the business of network-based response and detection. In simple terms they drop a box on your network that strips network metadata and shunts it up to their cloud for analysis. This allows incident responders in particular to really, really speed up their investigations. We know that a lot of internet traffic is encrypted these days, and that’s made some people take their eye off the network ball. The focus and buzz these days is very much on endpoint detection and response. Our guest on this edition of Soap Box, ICEBRG’s VP of Strategic Partnerships Jason Rebholz, thinks we’ve wound up with a blind spot as a result.

It’s true that a lot of network security tech fell behind the times, but there are some fresh approaches emerging these days that are pretty bloody useful. ICEBRG started off as a product to accelerate incident response; an example use case is deploying it in 15 minutes when you’re starting an IR job, and it gives you amazing visibility for the time invested. But they’re broadening the product a bit these days. They’re not turning it into an IDS, but they’re able to give clients some very, very high quality signalling. I think this is what you get when you get a bunch of ex-govvies and incident responders together and they develop a product. Their alerts are more along the lines of “you’re owned by this APT group”, not so much “hmm, that’s some strange ICMP traffic hitting your mail server. Maybe some router in Azerbaijan needs a reboot.”

So the thinking is definitely fresh, and I’m increasingly seeing companies play in the network security space again. Network detection is dead! Long live network detection!

Running time: 37:00

Risky Business #492 -- Thomas Rid on sloppy active measures

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

Sorry this week’s show is late – I found myself taking an unexpected and unavoidable trip. But I’m back on deck and we’ve got a great show for you this week.

This week we hear from Thomas Rid, Professor of Strategic Studies at Johns Hopkins University’s School of Advanced International Studies. We’re having a conversation inspired by the latest spectacular Russian intelligence blunder: a Russian SIGINT operator exposing their GRU headquarters’ IP address because they forgot to fire up their VPN when logging in to their Guccifer 2.0 persona accounts. Oops.

It’s hilarious stuff, but it’s brought out the conspiracy types who are saying hey, as if they’d make this mistake. Something’s fishy! Well, as you’ll hear, these types of agencies make similar mistakes on a pretty routine basis. Thomas joins us to talk about that, and also about how mistakes like this don’t really matter in the broad scheme of things. They’re a bit of a distraction.

This week’s show is brought to you by Bugcrowd, the managed bug bounty company. Bugcrowd’s founder and CTO Casey Ellis will be dropping by to talk about a few things. They’ve raised a stack of cash since we last spoke and they plan to spend it on a bunch of stuff – they’re working on doing more efficient triage and they’re also looking at creating better legal agreements between their customers and their researchers. That’s all interesting stuff, and it’s coming up later.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Running time: 61:38

Snake Oilers 5 part 2: Penten talks Honey Docs, Trend Micro on its latest

Presented by Patrick Gray (CEO and Publisher)

Snake Oilers is a wholly sponsored podcast where vendors pay to pitch their tech at you, the listeners. Last week we heard from Rapid7, Mimecast and VMRay, but this week we’ve got two more pitches for you. First up we’re going to hear from Penten, an Australian based company that is doing some genuinely interesting stuff with honey documents.

Also in this edition we’ll be chatting with the team at Trend Micro. And this isn’t really about pitching a product – there’s more here to combat messaging coming out of newer EDR companies who are portraying established vendors like them as out of touch.

As listeners would know, beating up the incumbent AV companies is one of my hobbies, so basically Trend Micro’s Eric Skinner and Eric Shulze will be along this week to tell me why I’m an idiot. They’re also going to make a strong case for independent AV testing – it’s something the industry has struggled with for a long time, but they say they want it to happen more than ever.

Running time: 27:01

Risky Business #491 -- The biggest infosec news week we've ever seen

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

What a week, huh? As you’ll soon hear it’s been an absolute monster week for infosec news. Top of the list is the Cambridge Analytica scandal. For those who haven’t had time to catch up on this one, a former staffer from the data analytics firm has given some interviews in which he says the company scraped 50 million Facebook profiles and used that data to target US voters with political messages on behalf of Donald Trump’s campaign. Obviously this has made people feel quite uncomfortable, everyone is mad at Facebook and it’s news everywhere.

It also looks like Facebook CSO Alex Stamos is on his way out due to events entirely unrelated to this.

Also in this week’s show we’ve got:

  • Iranians trying to blow up Saudi Arabian chemical plants
  • Americans blaming Russia for attacks on its energy grid
  • Kaspersky blowing LIVE SOCOM ops against Al Qaeda and the remnants of Islamic State
  • The UK vowing to exact revenge on Russia via “cyber” retaliation over the Skripal affair

There is no feature interview in this week’s show, we’re going long on news, but this week’s sponsor interview is absolutely fantastic. It’s with Haroon Meer, head honcho over at Thinkst Canary.

He’s not here to talk about anything really related to products this week, instead we’re going to talk about CISO stuff. He’ll be thoughtlording the absolute sh*t out of you all this week.

Haroon thinks breached organisations are getting off too lightly in the current infosec climate because people are scared to victim shame. As you’ll hear, he thinks there are just no excuses for how some high profile data breaches have occurred and says more CSOs should be prepared to die on the right hills to stop their companies engaging in straight up suicidal behaviour. It’s great for security to be an enabler, but that doesn’t mean signing off on whatever anyone wants to do.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Running time: 53:41

Snake Oilers #5 part 1: Rapid7 Insight Phish, VMRay's updated platform and mail filtering with Mimecast

Presented by Patrick Gray (CEO and Publisher)

As most of you know this isn’t the regular weekly show, this is a special edition we publish four times a year, and as you may have guessed from the title, this is the Risky Business podcast where vendors pay for time to pitch their products to you, the listeners.

And we’ve actually got some great pitches for you today. We’ll be hearing from Rapid7 first – they’ve developed a new addition to their Insight platform – Insight Phish. There are already so many phishing simulation tools out there, so we’ll hear from Justin Buchanan on why Rapid7 has gone down this path. He actually makes a pretty compelling argument on why they’ve bothered. Simulation is just one part of Insight Phish, the other part is response.

They’ve kind of closed the loop on that, so if you’re already a Rapid7 customer you’ll probably be VERY interested in Insight Phish. And even if you’re not it might get you looking at their stuff!

Then we’re going to hear from the team at VMRay. VMRay makes a cloud-based binary analyser for all you DFIR types. They’re a German company founded on the back of the founder’s PhD. They actually raised millions of dollars in funding in 2016 from German investors. I know I want to hear from any company that convinced Germans to invest large sums of money! They’ve released a new version of their product and they’ll be telling us a bit about that.

And finally we’re going to hear from Mimecast. And you know what? Mail filtering is a hard thing to pitch – most of the functionality is completely opaque to the user. So the Mimecast team will be along in our final pitch of the day to explain to you all what you should be asking of your email filtering provider. It’s actually really good generic advice… surprisingly neutral advice, too, so stick around for that!

Links to all our sweet, sweet Snake Oiler offerings are below!

Running time: 34:57

Risky Business #490 -- North Korea, "cyber norms" and diplomacy

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week’s show we’re taking a look at how an acceleration in 24-carat bonkers state-sponsored hacking is leading to calls at senior levels of government for some actual norms to be established. We’ve got Russia hacking the planet with NotPetya, North Korea owning central banks and cryptocurrency exchanges, China owning the CCleaner supply chain and… well… it’s all getting a bit much.

So in this week’s feature segment we’re going to zero in on one norm-breaking country, North Korea. We’ll hear from John Hultquist of FireEye and Adam Meyers of Crowdstrike on that.

As you’ll hear, countries like North Korea are pushing the limits of what they can get away with on the Internet and friendlier states are desperately trying to establish what the boundaries for good faith actors should actually be. We’ll hear from Australia’s cyber ambassador Tobias Feakin on that part of the discussion, courtesy of some audio gifted to the Risky Business podcast by Australian journalist James Riley. That’s a fun package and it’s coming up after the news.

This week’s sponsor interview is with Zane Lackey of Signal Sciences. Zane joins us to talk about a few things – how developer teams are increasingly making their own security decisions and how that’s actually a good thing… we’ll also talk about companies that have found themselves operating on multiple cloud platforms even though they didn’t plan for it.

Adam Boileau, as usual, is this week’s news guest.

We cover:

  • The AMD bugs
  • China’s tightening grip on security research
  • Slingshot APT
  • Christopher Wray’s mind bogglingly daffy comments on key escrow
  • AND MOAR!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Running time: 50:51