Cyberwar via Cyberwar during War

Presented by

The Grugq

Independent Security Researcher

The Russians go to a lot of effort to hack the Ukrainian electrical grid and do “flick the light” cyber attacks.

These last a few hours, don’t really cause that much damage (compared to say, shelling) and the military objective is clearly missing as there is never any follow up or attempt to use “light flicking” as part of a combined arms operation. It is just some considerable effort put into flicking the lights.

Here’s the thing: The only people absolutely terrified of flicking the lights as a cyberwar activity are the Americans (and the West in general). “Cyber light flicking” isn’t militarily useful and isn’t even some sort of “strategic bombing” version of cyber war. The Ukrainians, modern as they are, are probably stoic enough to suffer through a few hours of power outages in the middle of a shooting war.

Even American civilians have been known to survive for several hours without power, see CyberSquirrel1 for examples.

This light flicking costs money and burns cyber capabilities: the malware gets discovered, the vulnerabilities patched, etc. This isn’t free. Just planning and managing the operation is going to consume considerable time and resources. So these are expensive little ops with no apparent military objective.

Why would the Russian forces do something like this? There is one very obvious answer, but it seems to get lost in the excitement over “real” cyberwar. I think this is a layer deeper, using cyber for PSYOPS. Russia is signalling a capability to the US, one that they know the US (and the West) is uniquely terrified of. The spectre of cyberwar as the West understands it: “light flicking”.

There is a long history of Russia and the US using wars as a way of signalling to each other.

Here’s my speculation: The American cyberwar industry is currently all caught up in trying to figure out what counts as deterrence in the cyber domain. This is a silly idea, but basically they are mentally modelling cyber like nuclear weapons.

Just like generals always fight the last war rather than the current one, the West is trying to model cyber as the last war that never happened. I think this is a completely foolish idea, but then again I don’t run a think tank.

The West believes that cyberwar is only real when there is a kinetic effect (e.g. light flicking), and they are also postulating that deterrence happens when you demonstrate your capability to your opponent so they know you can fuck them up. Russia is just demonstrating capability to deter the West from engaging in active cyber kinetic assaults.

I don’t believe that Russia has adopted the “demonstrate capability to deter activity” theory, but they know the West has, or at the very least is contemplating it. It’s a game they’re happy to play in the hope the West will follow through on their theories as praxis. Flicking lights doesn’t match Russian doctrine. These actions are designed for a western audience.

This expensive light flicking makes more sense when viewed as an influence operation to signal the West that Russia has what the West itself believes are “real cyberwar cyberweapons”. I also think that Russia knows how to run a conflict in the informatics sphere and completely dominate. They have a much better understanding of how the use of the internet as an information platform can be used to manipulate the way that the adversary thinks. Long story short? They know what they’re doing.

The infosec industry and the cyber military complex have been extremely excited figuring out and talking about the “how” of the Russian cyberwar operations in Ukraine, but maybe it is time they start asking about the “why”.

Russia has flicked Ukraine’s lights twice now. The first one wasn’t a test run to see if the system was operational – there was no military follow-up with the second event – and it wasn’t to gauge the response to the use of this new “cyberweapon.”

We know this because there was no response, even after the second attack. There is no reason to run two tests of an offensive operation if the first is successful. They want to make sure the West gets the signal.

Risky Business #445 -- Amazon, CloudFlare and Microsoft join "having a bad week club"

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

We’ve got a real bread and butter show for you this week. Troy Hunt will be along to talk about the Cloudflare bug and why everyone freaked out about it, and Haroon Meer of Thinkst Canary will be along to talk about RSA.

This week’s show is, of course, brought to you by Canary.Tools, and Haroon will tell us about his first ever RSA conference experience. That’s actually a really fun chat. Funny in parts, too.

Adam Boileau is along to discuss the week’s news. Microsoft, Amazon and a handful of Russians are all having an awful, awful week, and he’ll be talking all about that.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.


Introducing Snake Oil, a new podcast from Risky.Biz!

Presented by

Patrick Gray

CEO and Publisher

As many of you would know, Risky Business has been through a bit of change over the last couple of years. What started as an Australian security podcast launched with the intention of making me just enough money not to have to write about enterprise storage systems for magazines anymore (the horror) has actually become a popular media outlet for infosec pros.

These days, each episode of Risky Business clocks up about 16,000 downloads, with approximately 50% of the audience in the USA and the rest scattered all over the globe. That means we actually have a really great reach into the industry.

Last year I set my mind to “modernising” Risky.Biz. I wanted to be able to grow the business side of things without killing off the thing that makes it worth listening to – the fact that we don’t take ourselves too seriously, and the fact that we cast a critical eye over the infosec industry.

As some of you will know, the Risky Business weekly sponsorships are ridiculously popular. Our weekly show sponsorships are currently booked out until 2018 and have been since January.

With that in mind, I came up with two new podcast ideas that would be commercially successful yet still deliver something valuable to the audience: The Soap Box podcast and the Snake Oil podcast.

The idea behind the Soap Box podcasts is pretty simple – a CTO or other senior exec from a major vendor can spend 45 minutes chatting with me about the way they see things, and the company they work for sponsors the exercise. Some people were concerned it would consist of 45 minutes of a CTO just pushing product, but that’s not the way it’s worked out, and it was never the intention. We’ve already published one of these, with HPE Fortify’s Jason Schmitt talking about DevOps and security. You can listen to that one here.

We’ll be running a maximum of one of those per month, pushed to the main feed. The nice thing about doing a podcast like Risky Business in 2017 is the vendors are capable of having really interesting discussions about security concepts. That wasn’t possible in 2007 when we launched, and it’s what Soap Box is designed to facilitate and I think it’s working well.

The other podcast series we’re launching is something we’ll be doing four or five times a year called Snake Oil.

The idea behind the Snake Oil series is to get five vendors together into an hour-long podcast to each pitch a specific product for about 10 minutes. Now, before you think “ye gads, I don’t want to listen to sales people prattle on about their box with lights that goes BING!” I want you to consider that a lot of Risky Business listeners are technology buyers. And where can you actually go for decent product information?

The copy on most infosec vendors’ websites consists primarily of indecipherable gibberish and Gartner reports are more of a guide to what people are using than specific product capabilities.

This is different. You remember those lift-outs infosec magazines used to do that were pay-to-play product information guides? Think of this as an audio equivalent of that.

The idea behind this product series is listeners who actually have to buy tech can get five, high-quality pitches that actually answer such questions as:

* What are you selling us today?
* Who is the typical buyer? (Operations? Management? Development?)
* What does your product actually do?
* Who are your competitors?
* Why do you think yours is better?
* How much does it cost?

This will save them approximately five hours of lunches with vendor salespeople who can’t actually answer those questions. We’re not offering any endorsement of the products on sale, we’re just a conduit, connecting distilled vendor pitches to the 16,000 or so weekly Risky Business listeners.

Of course the name “Snake Oil” is a gag. For a long time the products peddled by the information security industry were indeed about as effective as carnival-sold snake oil for arthritis. Thankfully there’s been a trend towards more useful stuff these days, but hey, we still want to have fun with the name.

As I say, we’ll only be doing four or five of these a year, and we genuinely think they’ll be useful for a whole bunch of our listeners. Even those of you who aren’t actually tech buyers should find it an efficient way to figure out which vendor sells which product and what they claim it does.

So that’s it! We’re hoping to publish the first Snake Oil podcast in late March, but that’ll really depend on what the demand is like from the vendor side. But the tl;dr is you can expect 10-11 Soap Box podcasts in your feed every year, and maybe 4-5 Snake Oil podcasts. We’re going from 44 podcasts a year to 58-60.

Also, I hope it goes without saying that buying any Risky Business sponsorship product doesn’t give any vendor a free pass from criticism in the weekly show. Credibility is currency in media, especially in infosec, and we know who really butters our bread: the listeners.

Of course if you’re not interested in listening to the Snake Oil stuff, just don’t download it! Listening isn’t mandatory. That said, we think you’ll probably quite like it. And if you’re a vendor who’s interested in participating in a Snake Oil podcast, please contact sales@risky.biz.

We’re quite familiar with what marketing products in the infosec space look like, and if you can’t find budget to do this, frankly you’re mental.

Risky Business #444 -- $350m! Wiped! Off! Yahoo! Over! Breach!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we’re chatting with Peter Gutmann about a couple of things that have combined to form a legit problem: The abuse of the Let’s Encrypt domain validated certificate authority combined with recent UI changes in Chrome are a phisher’s wet dream. We chat with Peter about that. The tl;dr is the browser makers need to get off their asses and do something about that, pronto.

This week’s show is sponsored by Exabeam. They just took $30m in funding from a VC and Cisco and they’re looking at doing some really interesting stuff in the SIEM world with, you guessed it, machine learning! In this week’s sponsor interview we’re chatting with Exabeam co-founder Sylvain Gil about a few things – the conversation does veer a bit into their products but it actually stays interesting, mostly because he discusses things like Exabeam’s roadmap in terms of problems they’re trying to solve. So even if you have no desire to buy a new SIEM, you’ll still probably find that one interesting from an academic point of view.

Adam Boileau, as always, stops in to discuss the week’s news, and Jake Davis is back with a… reinterpretation(?!) of the Hacker Manifesto.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Business #443 -- CrowdStrike and NSS face off, Hal Martin charged and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we’ll be chatting with two of the organisers of an event that was held here in Australia – PlatyPus con. As you’ll hear, it wasn’t really a typical security con – attendees had to bring laptops and had to participate. The whole thing was centred around workshops. Everyone I know who went said it was brilliant, and I personally think this is an idea that is going to catch on outside of Australia. We’ll be speaking with Snail and Lin_s about that one in this week’s feature interview.

This week’s show is brought to you by Veracode, big thanks to them. In this week’s sponsor interview we’ll be chatting with Veracode’s senior product innovation manager Colin Domoney about a couple of things. Veracode did a pretty interesting survey recently that really shows that developers are, in fact, finally, becoming security aware in a big way. Not only that, but Veracode has made some pretty significant changes to its products to reflect this switch. Static analysis software security tools are becoming something the developers themselves use; they’re not just for the security teams these days. So we’ll talk about the rationale behind Veracode’s recent release of a scanner that plugs into IDEs: Veracode Greenlight.

Adam Boileau joins us, as always, to talk about the week’s security news.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Business #442 -- A bad week for Freedomhosting II, Cellebrite and Polish banks

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

There’s no feature interview in this week’s show. Instead, we’re going to spend a bit more time with Adam Boileau talking about the week’s news, and there’s plenty to chew through.

This week’s show is brought to you by Tenable Network Security! In this week’s sponsor interview we’ll be chatting with Amit Yoran, Tenable’s new-ish CEO. Amit has an interesting background in infosec and he’ll be joining us to talk about a few things – Tenable’s just launched a whole new platform, which is interesting from a sign-of-the-times perspective. We’ll also get his thoughts on where he sees things going in the industry more generally. This isn’t Amit’s first CEO post – he was previously the big cheese at Netwitness then RSA, so he certainly has the experience to weigh in on trends.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Biz Soap Box 1: DevOps, appsec and squandered opportunities

Presented by

Patrick Gray

CEO and Publisher

This is the first ever Risky Business Soap Box Special, produced by Risky.Biz for HP Enterprise Fortify. If you’re in infosec you know who they are already – Fortify makes software development security tools: everything from code scanners to its RASP solution Application Defender to Continuous Application Monitoring Services via Fortify on Demand, etc etc etc.

The concept behind these special shows is pretty simple – up to once a month I’ll be interviewing an executive from the infosec industry about the field they operate in. Yes, it’s supposed to be promotional, but really, hearing these conversations is something a lot of listeners have told me they’d find extremely valuable. It’s called the Soap Box because it’s about helping men and women in positions of influence in the infosec industry actually access an audience. And they do have a lot to say.

Jason Schmitt is the vice president and general manager of the Fortify business within the HP Enterprise Security Products organization. Before HP he held product management and engineering management positions at SPI Dynamics, Barracuda Networks, Steelbox Networks, and Andersen Consulting (now Accenture).

In this special edition Jason talks about the impact the shift to DevOps is having on appsec, as well as looking at the results of a survey HPE did last year that yielded some pretty depressing results. (You can find that paper here [pdf].) We’ll also be referencing a talk by then Yahoo! CSO Alex Stamos (currently Facebook CSO) at Appsec USA 2015 titled “Appsec is eating security”. You can watch that one on YouTube here.


Risky Business #441 -- Gone in 60 seconds: Attacking ephemeral resources

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we’ll be chatting with information security’s enfant terrible Nathaniel Wakelam about some recon tricks he’s been using in bug bounty programs. He uses some nice tricks to rapidly identify ephemeral resources that often result in some spectacular hacks, like, say, being able to download all of REDACTED’s source code. That one was cool because it was a temporary resource that got popped – that’s something you have to watch these days.

This week’s show is brought to you by Cylance! Cylance makes machine learning-based AV software that by all reports works really well. Cylance CTO and co-founder Ryan Permeh is this week’s feature guest and we’re talking about something that we touched on last week – gaming machine learning. Does Cylance worry that a determined attacker will be able to gradually input bad data into Cylance’s learning set and game the whole system? Well, no, they’re not worried about it, but it’s definitely something they pay attention to. That’s really interesting stuff and it’s coming up after this week’s feature interview.

Adam Boileau, as always, pops in for this week’s news.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Business #440 -- Matt "PwnAllTheThings" Tait on the politicisation of infosec

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we check in with Matt Tait, who’s probably better known by his Twitter handle: pwnallthethings. And we’ll be talking about the politicisation of infosec and the science of attribution.

This week’s show is brought to you by Bugcrowd. Bugcrowd’s CEO and co-founder Casey Ellis will be along in this week’s sponsor interview to talk about his adventures running a MongoDB honeypot. Bugcrowd are pretty interested in talking about all those poor MongoDBs getting hosed because, well, if you’ve got a bug bounty program running, open DBs are the sorts of things that tend to get reported.

As you’ll hear in that interview, the attackers who made some fast cash taking control of MongoDBs are now going after other stuff – elasticsearch, Hadoop.

Adam Boileau, as always, joins the show to discuss the week’s security news, and our good buddy Jake Davis is back for another edition of Story Corner.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.


Risky Business #439 -- Does WhatsApp have an NSA backdoor? Well, nope.

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we’re chatting with Alec Muffett about an absolutely awful bit of journalism run by The Guardian. Unless you’ve been hiding under a rock the last few days you would have seen a story circulating about a supposed government-friendly backdoor in the popular messaging app WhatsApp. Alec joins us this week to explain why that story is, put simply, bullshit.

This week’s show is brought to you by Senetas, makers of layer 2 encryption gear. Senetas co-founder and CTO Julian Fay is along for the sponsor interview and we’re talking to him about what the charge to the cloud means for things like network encryption. Julian listened to last week’s interview with Rich Mogull, and he has some thoughts he’d like to share.

Also this week, a new segment that I hope will become regular – story corner, with Jake Davis. Do stick around for that at the closing of this week’s show.

Adam Boileau, as usual, joins us for this week’s news segment.

Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.
