Podcasts

Ryan Duff fills in for Adam in this week’s news segment. Ryan used to work at US Cyber Command as a cyber operations tactician but these days he’s in the private sector. He shares his thoughts on the week’s happenings.

This week’s feature guest is Google Project Zero’s Natalie Silvanovich. A little while back she fired off a few tweets saying companies are simply not doing enough to minimise the attack surface in their software. She was finding it so frustrating that she tweeted an offer – she said she was happy to turn up at any company that would have her and give a talk on how to minimise attack surface.

She’s since done that talk about half a dozen times and she joins us today to give us the general idea of the advice she’s been providing.

This week’s sponsor interview is with the man, the legend, Haroon Meer.

Haroon is the founder of Thinkst Canary, simple hardware honeypots that work amazingly well. This week Haroon joins the show to talk about how we can avoid the next Equifax. He says a lot of it comes down to empowerment, which sounds like the sort of thing an annoying person with capped teeth would put in their slide deck, but when you hear Haroon explain what he actually means it actually makes sense.

See links to show notes below, and follow Patrick or Ryan on Twitter if that’s your thing!

Cylance, as many of you would know, is a so-called next generation AV company. They were early movers on machine learning tech, and they’ve been tremendously successful. They’re a tech unicorn – clocking up a valuation of over a billion dollars in a very short space of time.

Cylance was founded in 2012, and there’s been a lot of movement in the endpoint security space since. There are now a whole swag of next generation endpoint security companies gobbling up the market share of the incumbent AV companies. A lot of them started off in the EDR space and are now doing anti-virus as well. It feels like we’ve reached a consensus point. Endpoint security software should do both EDR and AV.

So, Cylance is building out its EDR products.

So we’ll be speaking with Cylance’s chief product officer, Rahul Kashyap, about convergence. Not just in terms of what they’re doing, but more broadly.

Rahul has been in the security game for a long time. He worked on developing network-based IDS products with Nsecure back in the early 2000s, before taking a job at McAfee. He served as McAfee’s head of vulnerability research for four years before joining Bromium as its chief security architect. Rahul has been on Risky Business before and he’s a guy who very much knows what’s up.

On this week’s show, of course, we’ll be using the news segment to take a look at the dumpster fire that is the Equifax breach. We’ve got suspicious short trades, executive share sales and an absolutely shambolic response. This one’s got the lot; something for everyone.

We’ll also take a look at these latest Bluetooth bugs and of course we’ll recap the rest of the week’s security news.

In this week’s feature interview we’re chatting with Emily Crose. After cutting her teeth at CIA, NSA and US Cyber Command, these days Emily works in the private sector, and her hobby at the moment is using machine learning-based image processing to identify problematic social media images.

Some social media companies say it’s too hard to identify, for example, ze Nazis. Emily says nope.

I would say this week’s show is brought to you by Tenable Network Security, but now I’m just going to say Tenable because these days that’s what they’re calling themselves. And it makes sense. Vulnerability management isn’t really just about what’s on your network anymore.

With that in mind, they’ve really changed the messaging of the company. They’re not calling it continuous monitoring anymore, they’re calling it cyber exposure measurement. Corey Bodzin, VP of product operations at Tenable joins the show to walk us through the rationale behind the new messaging.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

On this week’s show we’re going to take a look at the ICO bubble. We’ll hear some excerpts from a chat I had with Coinjar CEO Asher Tan and then Adam and I are going to talk about what the hell is happening with all this crypto madness. We also take a look at the scuttling of the Kenyan election over hacking fears, the latest drama with Kaspersky being caught in the middle of geopolitical intrigue, the FSB’s unconventional BBQ in San Francisco and more.

This week’s show is brought to you by Netsparker.

Netsparker makes an automated webapp testing tool, you can kinda dial up the level of automation you want. They have a few nice tricks in their suite, too, like auto proof of concept exploitation of some bug classes so you can actually prove people need to fix stuff while you drink coffee, that’s nice.

In this week’s sponsor interview we’re speaking with Ferruh Mavituna, the founder and CEO of Netsparker, about automated testing at scale. It’s a sponsor interview, but it’s also a pretty generic chat about how you tackle that problem. Basically he says when you’re doing this scanning at scale you really can start with the bad, dumb stuff, because if you’re in an enterprise of any sort of size at all your automated testing is going to spit out a horror-show list.

Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

This podcast deals with authentication tech – in particular, if you manage a Windows network, you’ll want to listen to this to get an idea of some different approaches to solving some of your authentication challenges.

This isn’t our weekly show, this is something we do four times a year – we get a bunch of vendors together and they explain their tech. Last week I published interviews with Crowdstrike, Replicated and AttackIQ, go check them out if you haven’t already, but I wanted to break out these two companies into their own podcast.

In this edition we’re going to hear from two companies – Remediant and Yubico.

Yubico, of course, makes yubikeys, the hardware authentication device used by companies like Google and Facebook to lock down accounts. I own one, and it wasn’t a freebie, I paid for it. A lot of security people use these USB devices because they work really, really well.

What I didn’t know, because I’m a dumbass, is there’s native support for Yubikeys in Windows. So if you want to add hardware-backed two factor authentication to your Windows accounts, this is one way to do it.

But before we talk to Yubico, we’re going to hear from Remediant.

Remediant is a start up that also makes some interesting Windows auth tech. Now, a lot of Risky Business listeners operate in high security or compliance heavy environments. This will often mean using password vault technology for better privileged account management. Remediant has something they think is better.

Basically they have created a tech that lets you enable and disable privileged accounts on, like a time-lock basis. If you have to do some admin work on a box, you log in to your Remediant server, enable that account for a set period of time, then off you go. Easy. It’s a very light touch way of solving some pretty serious management headaches, and it’s very easy to audit, which will keep our friends in heavily regulated environments very happy.

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hack own your domain registrar, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control.

You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.

This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”.

Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below.

Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

This is part one of our latest Snake Oilers podcast, the sponsored podcast that doesn’t suck! I have to say, when I launched this podcast series I had no idea it would actually wind up being genuinely engaging and interesting. All three interviews in this podcast are top notch and I think anyone working in infosec would do well to listen.

The original idea behind these Snake Oilers podcasts was vendors would come on to the show and aggressively pitch their products. But you know what? What they mostly want to do is actually explain what their technology does so people out there in listener land actually know what they do.

I’ve broken this special into two parts. In this part we’ll hear from CrowdStrike, Replicated and AttackIQ. On Monday next week I’ll be posting part two with Remediant and Yubico, the makers of Yubikeys. Those two companies both make authentication technology, which is why I split them out on to their own.

In this part:

• Crowdstrike tell us why they think their EDR and AV solution is the best. A lot of you probably didn’t even know Crowdstrike does AV now… they’ve got a pretty compelling endpoint detection and response plus AV pitch.

• AttackIQ will pitch its software as a way to augment red teaming exercises and help you think of security as a continuous feedback loop

• Replicated talks through its tech. They take SaaS software and turn it into on-prem or private cloud software

On this week’s show we chat with James Kettle of Portswigger Web Security about some adventures he had with reverse proxies and malformed host headers. Using some simple tricks, James was able to do some craaaazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that.

In this week’s sponsor interview we’re tackling the new European general data protection regulation. With the new regime due to kick in on May 25 next year, there’s a lot of angst out there, and for good reason. The penalties for mishandling info are up to 4% of global turnover, which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere.

Senetas’ is this week’s sponsor. They make layer 2 encryption gear, as well as SureDrop, a GDPR and enterprise friendly dropbox-style service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that.

As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show we chat with Charlie Miller all about the security of autonomous vehicles. As you’ll hear, he says autonomous vehicle security all comes down to some security fundamentals that are, in fact, being taken seriously by carmakers.

We’ve got an absolutely fantastic sponsor interview for you this week. This week’s show is brought to you by Senrio. They make an IoT network monitoring solution that’s actually really good. Stephen Ridley is the founder and head honcho at Senrio. He’s a very well known researcher and he joins us this week to talk about a few things.

First up he recaps the gSOAP library bugs the Senrio team found. They were a big deal in July, but as you’ll hear, people kinda missed the point. The affected gSOAP library is absolutely everywhere, including in, ahem, browsers. So yeaaaaah. There’s that.

Then we move on to the more sponsor-y part of the sponsor interview, talking about Senrio’s experience running the IoT hacking village at DEFCON. It was a great time for them, throwing their product at the most hostile IoT network the world has ever seen. To round out the Stephen Ridley omnibus experience we’ll also hear about a few training courses he’s offering on Android hacking and software exploitation via hardware exploitation.

Adam Boileau joins the show to talk about the week’s security news, links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show we’ll be chatting with Kelly Shortridge, formerly a detection manager at BAE, all about her Black Hat talk. It’s all about why most of what you hear about applying game theory to detection strategies is total bullshit.

This week’s show is brought to you by Signal Sciences!

Signal Sciences makes a killer product focussed on web application and web server security. It’s really popular with the dev ops crowd, which is interesting, because most security products in devops focus on the dev, whereas Signal Sciences focusses more on the ops component.

This week we speak to Signal Sciences co-founder Zane Lackey about this burgeoning market for security tooling geared towards non-security people. It’s actually a really interesting conversation. Non security groups at large organisations are having to become security self sufficient and it really is a game changer. More on that with Zane Lackey in this week’s sponsor interview.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!