Podcasts

Risky Business #448 -- Dan Geer on cloud providers: Too big to fail?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

We’ve got a great show for you this week. In-Q-Tel CSO Dan Geer will be along for a very interesting conversation about the major cloud providers. Are they too big to fail the same way some banks are? Does the efficiency of highly concentrated ownership of a large chunk of the world’s Internet service capacity make it less resilient? We talk about that and more in this week’s feature interview.

This week’s sponsor interview is also an absolute cracker. We’re speaking with Mike Hanley of Duo Security. Mike is the senior director of security at Duo, and he’s along this week to talk about Google’s BeyondCorp initiative.

BeyondCorp is Google’s vision for the next generation of enterprise environments and it has a lot to do with deperimeterisation. Mike is along this week to talk about that concept and how solid authentication is basically the first step in moving towards that vision. It’s really, really solid stuff, so do stick around for that one.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.


Risky Business #447 -- Struts bug owns everyone, RAND 0day report and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick and Adam have a look at the surprisingly great report about 0day prepared by RAND Corporation, as well as the other security news of the week. How ‘bout dat Struts bug, eh?

Dr. Vanessa Teague of the University of Melbourne also joins the show to talk about the latest developments around computerised voting. Vanessa is an expert on e-voting and she’s been in the space for a long time – she’ll be joining us this week to talk about how European authorities have been responding to the risks posed to their elections by outside parties, and we take a look at some voting security ideas for America.

This week’s show is brought to you by Netsparker. Netsparker is a black-box web application testing tool that aims to speed up webapp tests through automation. Netsparker’s creator Ferruh Mavituna is this week’s sponsor guest. He’s joining us to basically talk about what you can actually automate in webapp testing, but also about what you can’t automate. That’s a really interesting chat, one that the pentesters will love I’m sure.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.


Russia is targeting "military digital" contractors

Presented by

Patrick Gray

CEO and Publisher

A couple of days ago I suggested the “Vault 7” material posted by Wikileaks may have in fact been obtained from Hal Martin’s unauthorised exploit stash.

Now I think we’re dealing with something a little more, ahem, “comprehensive”.

For those who are unfamiliar, Hal Martin was an intelligence contractor working for Booz Allen Hamilton who, as it turned out, was also performing “unauthorised offsite backups” of some of NSA’s most sensitive material. He was arrested by the FBI last August.

The thinking is the data he took home included the Tailored Access Operations (TAO) implants and exploits disclosed by a group called “Shadow Brokers”, who were likely a front for Russian intelligence.

Martin’s “backups” were discovered when Shadow Brokers started auctioning the NSA implants on the Internet. The assumption we’re working under here is investigators took a look at some logs pertaining to the Shadow Brokers files and saw Martin had accessed the lot. From there, they no doubt would have done a full audit of his network activities.

Cue arrest.

He’d hoarded an incredible volume of material relating to CNE over his 23 years of intelligence contracting. Thanks to a recent court appearance, we also know that he had access to CIA files as well as NSA files. (Also NRO, DoD etc etc.)

Was Hal Martin the source of the Shadow Brokers files? Well, maybe, but he’s been charged with mishandling information, not working in cahoots with a foreign intelligence service.

That leads us to a tantalising theory: Hal Martin hoarded all these documents, and at some point an enterprising Russian CNE type took a poke around his home network and found them there. After all, he held a top clearance and did work for Tailored Access Operations as a contractor. That’s a home network I’d take a look at if I worked for an FIS, that’s for sure.

Flash forward to this week, and it’s the Wikileaks Vault 7 dump that has everyone talking. Again, everyone’s talking about contractors. In a media release, Wikileaks says the CIA “lost control” of the material, and it was being circulated among “contractors” who then provided the material to Assange and his buddies.

There are more than a couple of curiosities in all of this: CIA insiders have been quoted in recent reports as saying they already knew this material was “out there,” yet other reports claim the FBI is investigating the leak. But these two narratives bump into each other. How could CIA know, months in advance, about the specifics of what was leaked, but not know who leaked them? Have they and their NSA cousins been popping a few shells on a laptop at a certain Latin American embassy? Could they see the material arrive, but not tell where it came from?

Or does it mean that the FBI found this stuff on Hal Martin’s network when they kicked his door in and worked under the assumption that it was in Russian hands? But, if Martin was the source, why investigate?

So there’s obviously a piece missing, and I think I might have it. What if this is bigger than just Hal Martin?

It’s not widely known, but Russia has been collecting the personal information of “cyber” contractors with high clearances – like Martin – via human intelligence operations for at least several years. Counterintelligence officers know about this.

So let’s run another theory up the flagpole, that being:

  1. Russian intelligence services have realised intelligence contractors aren’t required to take their opsec and counter-intelligence training as seriously as their “on staff” counterparts.

  2. They have collected as much information on these contractors as possible via passive and active campaigns.

  3. They have then used that information to either directly compromise the contractors, or, more likely, their home networks. People have been taking stuff home they shouldn’t have.

  4. For whatever reason, Russia decided to burn its own campaign last year. That led to the Shadow Brokers fiasco.

  5. After weathering some opsec disasters related to the DNC and Podesta hacks, they decided to just dump the rest of the material on Wikileaks, knowing that Assange would do his job and launder the documents for them.

So it’s all just a theory, but it’s one worth floating: Russian intelligence services have owned the home networks of as many cleared contractors as possible, waiting for them to bring material home that they shouldn’t. If that’s what they’ve done you’ve got to hand it to them, it’s definitely lateral thinking. What a pipeline of information!

If we see some leaked memos from the likes of Booz and Raytheon in coming weeks suggesting that hey, really, taking your work home with you is a really fucking bad idea, we’ll know there’s something to this.

It’s just a theory, but let’s see.

Risky Business #446 -- CIA tools doxed, plus osquery with Mike Arpaia

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s news we put Wikileaks’ latest dumps under the microscope and offer a few theories on what’s really going on.

We also have a chat with Mike Arpaia, the creator of osquery. osquery is host-based instrumentation software put together by Mike and his team when they worked at Facebook. It’s open source these days and now Mike is trying to get it adopted.

This week’s show is brought to you by Cyberark! And we’ll be chatting with Cyberark’s Chief Architect Gerrit Lansing. Cyberark makes software that manages privileged accounts, and we’ll be talking to Gerrit about privileged account management automation in this week’s sponsor interview.

Adam Boileau is along to discuss the week’s news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.


Cyberwar via Cyberwar during War

Presented by

The Grugq

Independent Security Researcher

The Russians go to a lot of effort to hack the Ukrainian electrical grid and do “flick the light” cyber attacks.

These last a few hours, don’t really cause that much damage (compared to say, shelling) and the military objective is clearly missing as there is never any follow up or attempt to use “light flicking” as part of a combined arms operation. It is just some considerable effort put into flicking the lights.

Here’s the thing: The only people absolutely terrified of flicking the lights as a cyberwar activity are the Americans (and the West in general). “Cyber light flicking” isn’t militarily useful and isn’t even some sort of “strategic bombing” version of cyber war. The Ukrainians, modern as they are, are probably stoic enough to suffer through a few hours of power outages in the middle of a shooting war.

Even American civilians have been known to survive for several hours without power, see CyberSquirrel1 for examples.

This light flicking costs money and burns cyber capabilities; these operations cost resources: the malware gets discovered, the vulnerabilities patched, etc. This isn’t free. Just planning and managing the operation is going to consume considerable time and resources. So these are expensive little ops with no apparent military objective.

Why would the Russian forces do something like this? There is one very obvious answer, but it seems to get lost in the excitement over “real” cyberwar. I think this is a layer deeper, using cyber for PSYOPS. Russia is signalling a capability to the US, one that they know the US (and the West) is uniquely terrified of. The spectre of cyberwar as the West understands it: “light flicking”.

There is a long history of Russia and the US using wars as a way of signalling to each other.

Here’s my speculation: The American cyberwar industry is currently all caught up in trying to figure out what counts as deterrence in the cyber domain. This is a silly idea, but basically they are mentally modelling cyber like nuclear weapons.

Just like generals always fight the last war rather than the current one, the West are trying to model cyber as the last war that never happened. I think this is a completely foolish idea, but then again I don’t run a think tank.

The West believes that cyberwar is only real when there is a kinetic effect (e.g. light flicking), and they are also postulating that deterrence happens when you demonstrate your capability to your opponent so they know you can fuck them up. Russia is just demonstrating capability to deter the West from engaging in active cyber kinetic assaults.

I don’t believe that Russia has adopted the “demonstrate capability to deter activity” theory, but they know the West has, or at the very least is contemplating it. It’s a game they’re happy to play in the hope the West will follow through on their theories as praxis. Flicking lights doesn’t match Russian doctrine. These actions are designed for a western audience.

This expensive light flicking makes more sense when viewed as an influence operation to signal the West that Russia has what the West itself believes are “real cyberwar cyberweapons”. I also think that Russia knows how to run a conflict in the informatics sphere and completely dominate. They have a much better understanding of how the use of the internet as an information platform can be used to manipulate the way that the adversary thinks. Long story short? They know what they’re doing.

The infosec industry and the cyber military complex have been extremely excited figuring out and talking about the “how” of the Russian cyberwar operations in Ukraine, but maybe it is time they started asking about the “why”.

Russia has flicked Ukraine’s lights twice now. The first one wasn’t a test run to see if the system was operational – there was no military followup with the second event – and it wasn’t to gauge the response to the use of this new “cyberweapon.”

We know this because there was no response, even after the second attack. There is no reason to run two tests of an offensive operation if the first is successful. They want to make sure the West gets the signal.

Risky Business #445 -- Amazon, CloudFlare and Microsoft join "having a bad week club"

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

We’ve got a real bread and butter show for you this week. Troy Hunt will be along to talk about the Cloudflare bug and why everyone freaked out about it, and Haroon Meer of Thinkst Canary will be along to talk about RSA.

This week’s show is, of course, brought to you by Canary.Tools, and Haroon will tell us about his first ever RSA conference experience. That’s actually a really fun chat. Funny in parts, too.

Adam Boileau is along to discuss the week’s news. Microsoft, Amazon and a handful of Russians are all having an awful, awful week, and he’ll be talking all about that.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.


Introducing Snake Oil, a new podcast from Risky.Biz!

Presented by

Patrick Gray

CEO and Publisher

As many of you would know, Risky Business has been through a bit of change over the last couple of years. What started as an Australian security podcast launched with the intention of making me just enough money not to have to write about enterprise storage systems for magazines anymore (the horror) has actually become a popular media outlet for infosec pros.

These days, each episode of Risky Business clocks up about 16,000 downloads, with approximately 50% of the audience in the USA and the rest scattered all over the globe. That means we actually have a really great reach into the industry.

Last year I set my mind to “modernising” Risky.Biz. I wanted to be able to grow the business side of things without killing off the thing that makes it worth listening to – the fact that we don’t take ourselves too seriously, and the fact that we cast a critical eye over the infosec industry.

As some of you will know, the Risky Business weekly sponsorships are ridiculously popular. Our weekly show sponsorships are currently booked out until 2018 and have been since January.

With that in mind, I came up with two new podcast ideas that would be commercially successful yet still deliver something valuable to the audience: The Soap Box podcast and the Snake Oil podcast.

The idea behind the Soap Box podcasts is pretty simple – a CTO or other senior exec from a major vendor can spend 45 minutes chatting with me about the way they see things, and the company they work for sponsors the exercise. Some people were concerned it would consist of 45 minutes of a CTO just pushing product, but that’s not the way it’s worked out, and it was never the intention. We’ve already published one of these, with HPE Fortify’s Jason Schmitt talking about DevOps and security. You can listen to that one here.

We’ll be running a maximum of one of those per month, pushed to the main feed. The nice thing about doing a podcast like Risky Business in 2017 is the vendors are capable of having really interesting discussions about security concepts. That wasn’t possible in 2007 when we launched, and it’s what Soap Box is designed to facilitate and I think it’s working well.

The other podcast series we’re launching is something we’ll be doing four or five times a year called Snake Oil.

The idea behind the Snake Oil series is to get five vendors together into an hourlong podcast to each pitch a specific product for about 10 minutes. Now, before you think “ye gads, I don’t want to listen to sales people prattle on about their box with lights that goes BING!” I want you to consider that a lot of Risky Business listeners are technology buyers. And where can you actually go for decent product information?

The copy on most infosec vendors’ websites consists primarily of indecipherable gibberish and Gartner reports are more of a guide to what people are using than specific product capabilities.

This is different. You remember those lift-outs infosec magazines used to do that were pay-to-play product information guides? Think of this as an audio equivalent of that.

The idea behind this product series is listeners who actually have to buy tech can get five, high-quality pitches that actually answer such questions as:

* What are you selling us today?
* Who is the typical buyer? (Operations? Management? Development?)
* What does your product actually do?
* Who are your competitors?
* Why do you think yours is better?
* How much does it cost?

This will save them approximately five hours of lunches with vendor salespeople who can’t actually answer those questions. We’re not offering any endorsement of the products on sale, we’re just a conduit, connecting distilled vendor pitches to the 16,000 or so weekly Risky Business listeners.

Of course the name “Snake Oil” is a gag. For a long time the products peddled by the information security industry were indeed about as effective as carnival-sold snake oil for arthritis. Thankfully there’s been a trend towards more useful stuff these days, but hey, we still want to have fun with the name.

As I say, we’ll only be doing four or five of these a year, and we genuinely think they’ll be useful for a whole bunch of our listeners. Even those of you who aren’t actually tech buyers should find it an efficient way to figure out which vendor sells which product and what they claim it does.

So that’s it! We’re hoping to publish the first Snake Oil podcast in late March, but that’ll really depend on what the demand is like from the vendor side. But the tl;dr is you can expect 10-11 Soap Box podcasts in your feed every year, and maybe 4-5 Snake Oil podcasts. We’re going from 44 podcasts a year to 58-60.

Also, I hope it goes without saying that buying any Risky Business sponsorship product doesn’t give any vendor a free pass from criticism in the weekly show. Credibility is currency in media, especially in infosec, and we know who really butters our bread: the listeners.

Of course if you’re not interested in listening to the Snake Oil stuff, just don’t download it! Listening isn’t mandatory. That said, we think you’ll probably quite like it. And if you’re a vendor who’s interested in participating in a Snake Oil podcast, please contact sales@risky.biz.

We’re quite familiar with what marketing products in the infosec space look like, and if you can’t find budget to do this, frankly you’re mental.

Risky Business #444 -- $350m! Wiped! Off! Yahoo! Over! Breach!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we’re chatting with Peter Gutmann about a couple of things that have combined to form a legit problem: The abuse of the Let’s Encrypt domain-validated certificate authority combined with recent UI changes in Chrome are a phisher’s wet dream. We chat with Peter about that. The tl;dr is the browser makers need to get off their asses and do something about that, pronto.

This week’s show is sponsored by Exabeam. They just took $30m in funding from a VC and Cisco and they’re looking at doing some really interesting stuff in the SIEM world with, you guessed it, machine learning! In this week’s sponsor interview we’re chatting with Exabeam co-founder Sylvain Gil about a few things – the conversation does veer a bit into their products but it actually stays interesting, mostly because he discusses things like Exabeam’s roadmap in terms of problems they’re trying to solve. So even if you have no desire to buy a new SIEM, you’ll still probably find that one interesting from an academic point of view.

Adam Boileau, as always, stops in to discuss the week’s news, and Jake Davis is back with a… reinterpretation(?!) of the Hacker Manifesto.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Business #443 -- CrowdStrike and NSS face off, Hal Martin charged and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we’ll be chatting with two of the organisers of an event that was held here in Australia – PlatyPus con. As you’ll hear, it wasn’t really a typical security con – attendees had to bring laptops and had to participate. The whole thing was centred around workshops. Everyone I know who went said it was brilliant, and I personally think this is an idea that is going to catch on outside of Australia. We’ll be speaking with Snail and Lin_s about that one in this week’s feature interview.

This week’s show is brought to you by Veracode, big thanks to them. In this week’s sponsor interview we’ll be chatting with Veracode’s senior product innovation manager Colin Domony about a couple of things. Veracode did a pretty interesting survey recently that really shows that developers are, in fact, finally, becoming security aware in a big way. Not only that, but Veracode has made some pretty significant changes to its products to reflect this switch. Static analysis software security tools are becoming something the developers themselves use, they’re not just for the security teams these days. So we’ll talk about the rationale behind Veracode’s recent release of a scanner that plugs into IDEs: Veracode Greenlight.

Adam Boileau joins us, as always, to talk about the week’s security news.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Business #442 -- A bad week for Freedomhosting II, Cellebrite and Polish banks

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

There’s no feature interview in this week’s show. Instead, we’re going to spend a bit more time with Adam Boileau talking about the week’s news, and there’s plenty to chew through.

This week’s show is brought to you by Tenable Network Security! In this week’s sponsor interview we’ll be chatting with Amit Yoran, Tenable’s new-ish CEO. Amit has an interesting background in infosec and he’ll be joining us to talk about a few things – Tenable’s just launched a whole new platform, which is interesting from a sign-of-the-times perspective. We’ll also get his thoughts on where he sees things going in the industry more generally. This isn’t Amit’s first CEO post – he was previously the big cheese at Netwitness then RSA, so he certainly has the experience to weigh in on trends.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.
