Podcasts

The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers, mean the developers of non-Windows-based malware have been pretty busy lately

In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an empirical study of non-Windows malware.

They downloaded hundreds of daily candidate samples from Virus Total for a year, resulting in a dataset of more than 10,000 binaries and a tool called Padawan, an automated framework for dynamic analysis of non-Windows malware.

The researchers presented findings earlier this year at the IEEE Symposium on Security and Privacy, and more recently at reverse engineering conference RECon in Montreal. Risky Business contributor Hilary Louise recently caught up over the phone with France-based EURECOM doctoral student Emanuele Cozzi who says the land of Linux-type malware analysis is a bit of a nascent field.

We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right in to the sponsor interview with Zane Lackey of Signal Sciences.

A bunch of you heard my long form, Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good thinking and advice, that interview, so do stick around for it.

Adam Boileau will join the show to recap the week’s news:

• Australia and Japan to ban Huawei from their 5G builds
• Struts bug: Big deal or meh?
• Voting machine maker ES&S rebuked by researchers AND US gov
• The DNC phish that wasn’t
• Recapping Andy Greenberg’s Maersk/Notpetya coverage
• Instagram adds real 2FA
• Windows privesc 0day on teh twittarz
• T-Mobile pwned harder than it initially admitted
• Log in to Windows with Google accounts
• Some hilarious Lazarus group shenanigans
• Much, much more

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

We’ve got two vendors pitching their wares in this edition of Snake Oilers. First up we’re talking to Rapid7 about its vulnerability scanning and management software. They’ve made some changes and they’ve got a couple more coming. This is bread and butter infosec stuff.

Then we’re going to hear from the team at ITProTV. They’re a video-based online training site, pitching themselves as like a Netflix but for online training. Instead of instructor-led training, they try to make stuff less dry – half hour training videos with two instructors on all sorts of topics.

The online training video sector is just booming right now, and ITProTV’s co-founder and “edutainer” Don Pezet will be along to walk through all of that.

Both of these companies are tracking enquiries originating from the podcast, so please do use the URLs in the show notes below if you’re interested in learning more.

In this podcast you’ll hear an interview I did with Bob Lord, the Chief Security Officer for the Democratic National Committee, the DNC. Bob has previously served as the CISOs for both Yahoo and Twitter, before spending some time in vendorland with Rapid7 as their CISO in residence.

The state-sponsored attack against the DNC is without doubt the most politically consequential data theft event the planet has ever witnessed. It trumped both the Manning/Wikileaks disclosures and “climategate” in terms of impact, and indeed to a large degree the fallout of the DNC hack is still ongoing.

So, I wanted to bring Bob in to talk about his job.

The DNC isn’t a large organisation, in a head office sense. They have about 200 core staff members, but as you’ll hear, a political organisation’s IT setup is pretty atypical. So Bob and I mostly just spoke about how one handles security for an organisation like the DNC.

On this week’s show we’ll be running through the week’s security news, then diving right on in to a sponsor interview with Lauren Pearl of Trail of Bits. She’s joining us to talk about something Trail of Bits have been up to lately: adding features to open source software – and auditing open source software – on behalf of its customers.

I do have a feature interview this week, but it’s a long one so I’ll be breaking that out in to a separate podcast. It’s a nice long chat with Bob Lord, the CSO for the Democratic National Committee. You know, the guy who hid “the server”.

The news we’re covering this week:

• Melbourne teenager hacky-hack hacks Apple
• Facebook nukes Iranian and RU influence ops
• Report: Sealed court order seeks Facebook Messenger E2E intercept
• USG ditches PPD-20 equities process
• A look at “Intrusion Truth” CN operator doxing ring
• Microsoft kills RU phishing domains
• PLUS MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

In this breakout podcast we chat with Adam Boileau about the talks that caught his attention in Las Vegas a couple of weeks ago. The Black Hat PR team were kind enough to credential Adam for the con so he could go and see a few talks with his Risky Business hat on.

I was at Black Hat but spent most of my time running around like a headless chicken. These days Vegas week for me is mostly about locking in the next year’s sponsorships, as well as catching up with friends I hardly ever see. The good news is the sponsorship side is done. We’re almost sold out across the weekly show, Snake Oilers and Soap Box until 2020. The bad news is I didn’t really get to go to any talks.

But that’s ok, because Adam went to both Black Hat and DEF CON and he joined me to talk about the highlights from his point of view. This was his first trip to the Vegas cons since 2005, and agreed with me that the content this year was actually pretty bloody good.

I’ve done my best to assemble links to everything Adam talks about into a list below:

Adam and I have just returned from Black Hat and DEF CON in Las Vegas, so in this week’s show we’re going to have a look at the infosec news we missed over last couple of weeks. We did plan to recap Black Hat in this podcast, but we’ve wound up a bit short on space so I’m busting that out into a separate podcast that I’ll publish on Monday. So this podcast will just be a discussion around news plus a sponsor interview.

The news we’re covering:

• Australia’s new surveillance/”anti-encryption” laws
• Intel SGX vulnerability research
• Taiwan Semiconductor WannaCry woes
• Details on CYBERCOM op against ISIS
• Reddit pwnage
• Bitcoin investor sues AT&T over $23m loss
• FIN7 arrests
• CIA’s loss of scores of China assets may have been hack-related
• Massive ATM cashout and SWIFT attack hits Indian bank
• Much, much more

Bugcrowd CTO Casey Ellis joins us in this week’s sponsor interview to talk about a few things – firstly, how some research presented at Black Hat by the team at Portswigger is a sign that serious research teams are using bounties to cash in on their serious security research. Then we’ll be talking about the Bugcrowd University initiative and a reboot of the disclose.io project.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector aren’t doing.

He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community.

This week’s show is brought to you by Duo Security! And Duo’s very own Dave Lewis will be joining us this week to talk about the roadblocks you might face if you’re trying to head down the BeyondCorp road to the deperimiterised nirvana!

Adam Boileau drops in to discuss the week’s news, including:

• COSCO shipping ransomwared into oblivion
• DHS warning on impending ERP attacks
• Charges against SIM-swap cryptocurrency thief
• Google’s “Shielded VMs”
• Google’s launch of its own hardware security tokens
• Master134 malvertising campaign
• New Kronos version
• NetSpectre attacks
• Bluetooth bugs
• Much, much more

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences.

Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences.

They give you visibility in to attacks against your applications, and even auto-blocking a bunch of them without that turning into a cascading horror-show.

Signal Sciences’ product has a really strong emphasis on assisting organisations who are running DevOps shops. And it makes sense, Zane’s key achievement at Etsy was managing the security of that company’s Devops transition.

He’s actually just written an O’Reilly book, Building a Modern Security Program. So, he joined me to talk about his book, what’s in it, about DevSecOps more generally, and about some new stuff Signal Sciences has been working on.

We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest.

We talk about:

• The Russia indictment
• Chrome now marks http sites as “not secure”
• Julian Assange is close to being turfed out of his London digs
• Microsoft’s midterm meddling misfire
• Singapore loses 1.5m health records
• Some cool research from Talos and Cyberark
• Azimuth Security acquired by L3
• The npm supply-chain attack
• Chrome site isolation
• And much more!

This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to Justin Warner about a pretty cool Flash 0day they found hiding in a Microsoft Office document. That was some pretty cool work, and the attackers in that case did some pretty novel things in terms of keeping their payload away from prying eyes. Obviously they didn’t do a good enough job or we wouldn’t be talking about it, but there are some new techniques there, fun stuff.

*****NOTE: At one point I get Jason Rebholz’s name wrong. I call him Justin Rebholz by accident. Apologies for the error, Jason!