Podcasts

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Iowa app falls over, social and mainstream media chaos ensues
• Twitter acknowledges state-backed API abuse
• CDA 230 under review. Uh oh.
• Toll Group ransomware
• ICS-compatible ransomware spotted in wild
• UN got owned pretty hard
• Is Joshua Schulte The Shadow Brokers? A theory
• Much, much more.

This week’s show is brought to you by Okta.

Okta’s Simon Thorpe will be along this week to talk about a new trend they’re seeing and obviously encouraging – enterprises ditching Microsoft’s Active Directory. It’s a cloud, cloud, cloud, cloud, world these days. and in the year 2020, you might want to actually ask yourself – do you still need to be using AD?

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this edition of the Soap Box podcast we’re joined by Zane Lackey, a co-founder of Signal Sciences.

Signal Sciences makes, in essence, a “next generation” Web Application Firewall, or WAF. Signal Sciences is a pretty well-established startup these days with a zillion customers, so he has some real insight into what’s happening out there in webapp land.

In this conversation he has some really interesting things to say: First, there’s a rush to Azure happening right now. It has become the platform of choice for all sorts of organisations.

He also has some really interesting things to say about how to protect web applications from logic flaws. Some simple ideas that should really help lock things down.

Enjoy!

On this week’s show Patrick and Adam discuss the week’s security news, including:

• The FTI report on the Bezos incident is a massive let down
• UK lets Huawei into 5G build
• SeaTurtle campaign pinned on Turkey
• Mitsubishi owned through its AV solution
• Ransomware crews owning unpatched Citrix boxes
• Much, much more.

This week’s sponsor guest is Sherrod DeGrippo of Proofpoint. She’s a senior director of threat research there and she’ll be along to talk about the Emotet malware. Despite being spray and pray malware, it’s pretty successful because it operates at such ridiculous scale. Sherrod joins us with details.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

This podcast is brought to you by the William and Flora Hewlett Foundation. The Foundation funds a lot of interesting people and work in the cybersecurity space and they’re supporting this special podcast series examining topics of interest to cyber policy makers.

In this podcast we’re going to hear from Alexa O’Brien. She’s currently studying a Masters in Applied Intelligence at Georgetown University. She’s also working on an ethical framework for the applied intelligence discipline – collection, analysis and the like – for media practitioners.

Alexa is also a journalist. Her most recent major work is a July 2019 analysis of the US media’s coverage of civilian harm in the war against ISIS, I’ve linked through to that in the show notes below.

Before she worked as an established journalist, Alexa covered Chelsea Manning’s trial at Fort Meade on her blog. Her transcript of the proceedings were a tremendous help to the wider media, and it was this work that briefly pulled her into the Wikileaks “scene”.

It wasn’t a good fit.

Alexa joined me for this freewheeling discussion about intelligence, ethics, moral authority and signs that not everything is as it seems in the Wikileaks universe.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• MBS fingered in Bezos dick pic breach
• Glenn Greenwald facing cybercrime charges over Vaza Jato Telegram leaks
• Citrix finally patches 90s-style ADC bugs
• IE 0day doing the rounds, no patch available
• PoCs for 0601 drop
• Much, much more…

This week’s show is sponsored by VMRay, a sandbox-based malware analyser. You throw a sample into it and it spits out all sorts of useful information. Rather than having one of its own staff in this week’s sponsor slot, VMRay has put forward one of its customers instead. Expel is a managed security provider, and it is making heavy use of VMRay to do malware analysis. Tyler Fornes is a Senior Detection and Response Analyst at Expel and he joined me to talk about how they’re using VMRay to actually make life easier.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• NSA drops a sweet Microsoft crypto bug
• Burisma targeted by GRU. 2016 all over again?
• Citrix users having a bad time
• Intrusion Truth targets APT40
• No more BYOD for US soldiers in Middle East
• Much, much more

We have a new sponsor in this week’s show – ExtraHop Networks. Network monitoring is dead! Long live network monitoring!

Matt Cauthorn is ExtraHop’s VP of cybersecurity engineering and he’ll join us this week to talk about recent moves by cloud providers to offer full virtual network mirror ports out of their infrastructure.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

*Credit for this week’s headline goes to @appsecbloke.

In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including:

• Will Iran cyber all the cybers?
• ToTok chat app alleged to be UAE spy tool
• China makes moves on own OS
• Big game ransomware hits crisis levels
• WSJ carries water for NSO Group
• Much, much more

This week’s show is brought to you Bugcrowd. We’ll be hearing from Bugcrowd’s Casey Ellis in this week’s sponsor interview. He’ll be talking about the US federal government’s decision to force all departments into accepting bug reports – he thinks this is a move that will have a big impact on the wider security ecosystem.

Links to everything are below!

On this week’s show Patrick and Adam discuss the week’s security news, including:

• China to ditch foreign hardware, software, from government use
• Huawei sues FCC
• More background on Project Raven
• Senate hearings into encryption
• Reddit fingers alleged RU disinfo campaign
• “Evil Corp” hackers have lots of money, terrible taste
• Ransomware attacks galore
• Much, much more

This week’s sponsor interview is with Haroon Meer of Thinkst Canary. And we’re going to do the typical thing and have a look forward to what we can expect to see in security next year. But we’re going less for the big, dumb predictions and more picking the trends we expect to strengthen over the next year.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Our guest in this edition is Will Peteroy. He’s currently the CTO of security at Gigamon after his company, ICEBRG, was acquired by Gigamon last year. Will has a long and interesting background in security.

As you’ll hear, he worked on the security team at Microsoft once upon a time. He even co-wrote Microsoft’s gigantic paper on mitigating “pass the hash” attacks some years ago. He also did some time with the “Department of Defense” some time ago. He’s a knowledgable fella.

And he’s been spending considerable time lately focussing on the issue of Zero Trust Networks.

Zero Trust is one of those things that’s super simple in theory, but absolutely, awfully complicated when you actually try to do it. So Will joined me for this chat about Zero Trust networks, how to define them, how to transition to them, what some of the steps are and thinking is. It’s a great conversation for any CSOs who are working through some of the issues that pop up when they’re transitioning to ZT architectures.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Ethereum developer Virgil Griffith charged for allegedly teaching DPRK about cryptocurrency
• DHS/CISA government vulnerability disclosure program takes shape, looks good
• Adobe discloses Magento Marketplace data breach
• Fully patched Android devices targeted
• IM-RAT takedown
• Much, much more

This week’s sponsor interview is with Brian Robison of BlackBerry Cylance. He pops along to talk about some interesting research they’ve done on mobile malware.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.