Podcasts

In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including:

• Confirmed: 30 companies affected by CapitalOne attacker
• China info-ops booted off Twitter, Facebook
• Real deal Bluetooth bugs
• Apple re-introduces kernel bug, jailbreaks aplenty
• Apple to sue Corellium for copyright infringement
• DPRK gets its malware VT’d by CYBERCOM
• Much, much more

Haroon Meer of Thinkst Canary is this week’s sponsor guest. We spoke to Haroon while he was in the USA, just before he was about to deliver a talk to USENIX all about “embracing hackiness”. Haroon thinks “hackiness” is a huge advantage for red teams, but that doesn’t mean blue teams can’t use the same hacky approaches to defence. It’s a typically great chat with Haroon. Links to everything discussed are below.

This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy.

The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers.

In this podcast we’re speaking with Katherine Charlet. She currently serves as the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. Prior to joining Carnegie, Kate served as the deputy assistant secretary of defence for cyber policy, where she managed the development of US Department of Defence cyber policy and strategy, its development of cyber capabilities, and the expansion of its international relationships.

This conversation essentially covers what the state of affairs is when it comes to militaries and their actions in the cyber domain. It was only a few weeks ago that reports claimed the United States government launched a cyber attack against Iranian weapons systems. We’ll hear from Kate about what she thinks that all means, and then we’re going to talk about all sorts of stuff really – the blurring of the line between what warrants a law enforcement response versus a military response, what the path to this situation looked like, so on and so on. But I kicked things off by asking Kate to tell us what this concept of “defending forward” actually means. In the last couple of years we’ve heard that term bandied about by all sorts of people, but everyone seems to have a different definition. Here, Kate shares her more definitive definition.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• Follow ups on CapitalOne
• Amazon EBS snapshots exposed
• North Korea bags $2bn in cybercrime spree
• Attempted Coinbase breach postmortem
• Apple’s new research phones for bug hunters
• APT41 busted moonlighting
• Cloudflare finally ditches 8chan
• Leaked Boeing 787 code shredded, full of bugs
• Qualcomm bugs pave path through to Android kernel
• Microsoft gets Tavis’d
• More RDP/RDS bugs
• Much, much more

This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts account actions, not just by traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses and that led to a conversation about Linux EDR generally. It’s interesting stuff

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• Deep dive on the CapitalOne breach
• Marcus Hutchins sentenced to time served
• Telegram voicemail bug leads to political crisis in Brazil
• Ransomware leaves South Africans without electricity
• Much, much more

Wolfgang Goerlich is this week’s sponsor guest. He’s an advisory CISO with Duo Security and will be along after this week’s news segment to walk us through Duo’s Trusted Access Report. They’ve got some interesting telemetry to share with us.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• FSB contractor gets itself a whole lotta owned
• NSO Group pitches cloud access
• Hal Martin gets 9 years
• NSA to launch defensive division
• Bulgarian breach data exposed
• DataSpii scandal a 2019 privacy case study
• Google boots DarkMatter certificates from Chrome and Android
• Equifax fined $700m
• Horror show bugs in enterprise VPN concentrators from Palo Alto, Fortinet
• Microsoft demos ElectionGuard SDK (looks pretty cool)

This week’s sponsor interview is with Casey Ellis of Bugcrowd. We’ll talk about how organisations are increasingly doing bug bounties on technology they use, not just technology they develop. And then we’ll be talking about a new thing Bugcrowd is doing – Bugcrowd for marketplaces.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Soap Box isn’t the regular, weekly show we do at Risky.Biz, if you’re looking for that, just scroll one podcast back in your feed or on the Risky Business website.

Soap Box is a fully sponsored podcast series we do where vendors pay to come on and talk about research they’ve done, products they’ve launched, whatever.

This edition of Soap Box is a particularly good one. Ryan Kalember is EVP of cybersecurity strategy at Proofpoint and he’s our guest in this edition. Ryan was on the show a little while back talking about the concept of VAPs – very attacked people. In this interview he’s going to expand on that.

It’s one thing to know that some of your key people are being attacked, but let’s take it one step further. Of those people, who among them is most likely to actually do something like click an untrusted link? What do we know about those users that can tell us how at-risk they are, based on how frequently they’re attacked, and also how likely they are to engage with phishing attempts or dodgy attachments? And if they ARE a risky user, what can you do about that? Measuring risk is only useful if you can do something about it.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• US mayors agree: no more paying off ransomware crews
• BitPoint exchange loses $32m in cryptocurrency
• FinSpy is back, big time
• Chinese AV companies won’t flag government malware
• US security companies free to help political campaigns with discounted services, products
• Facebook to pay $5bn privacy fine with money from its spare pants
• Much, much more

Assetnote’s Shubham Shah also joins the news segment to dish on the Zoom RCE bug he and his team found back in March.

This week’s sponsor is Kasada, an Australian company that runs a bot filtering service. Kasada is a relatively new company but they’re kicking some pretty serious goals here in Australia and are now pushing into other markets like the USA. But instead of supplying us with one of their people, they suggested we interview one of their customers - REA Group CSO and head of platform Craig Templeton.

REA Group runs realestate.com.au, Australia’s biggest real estate listings website. They had all sorts of trouble with content scrapers, bots causing service interruptions, cred stuffing, you name it. In the end they went with Kasada to solve their bot problems and Craig pops by this week to talk about the issues they were having and to sing Kasada’s praises. Getting a reference customer to speak publicly is a Herculean task, so full credit to Kasada for making this one happen. If you operate a website that pushes a lot of traffic you’ll want to hear that interview.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• Zoom’s week from hell
• BA, Marriott face massive GDPR fines
• Seth Rich conspiracy originated from Russia’s SVR
• Coast Guard warns of ship hax
• Cybercommand issues warning on DDE exploitation
• PGP ecosystem having a rough time
• Much, much more!

This week’s show is brought to you by our lovely friends at Signal Sciences. I guess you’d call them a next generation WAF. Signal Sciences co-founder and CTO Zane Lackey will be along in this week’s sponsor interview to plug their new cloud-based WAF product, and also to have a chat about a trend he’s seeing at non-security conferences – more high quality security content.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

As regular listeners know, this isn’t the weekly Risky Biz news and current affairs show, if you want that, scroll back in the podcast feed to the previous podcast. This is a Soap Box edition, a solely sponsored podcast series we do here at Risky Biz where vendors pay us to come on to the show to talk about, well, whatever they want, really.

We’ve heard Duo Security talking about WebAuthn, we’ve got one with Proofpoint coming up that’s about insights they’ve gleaned from filtering such ridiculous amounts of email.

But in this edition, Garret Grajek from BlackBerry Cylance will be along to talk about its new product, Cylance Persona. This latest product is kinda out of the box, it’s a machine learning classifier that you install on the endpoint that learns what the typical user behaviour looks like. Once the observed user behaviour starts diverging from what’s expected, it can perform actions – like kicking up for 2fa, locking the user out, whatever you want, really.

It’s a novel approach to dealing with compromised endpoints. Two factor authentication is great, but if your endpoints are hosed that doesn’t really count for much. And that’s really what this new gear is about.

Adam Boileau is along this week to discuss the week’s security news. We cover:

• NYTimes reports USA is getting all up in Russia’s grids
• Kremlin not happy
• CYBERCOM targets Iranian rocket control and APT crews
• TRITON attackers target US grid
• Turla completes hostile takeover of Oilrig
• Reuters publishes huge feature on Cloudhopper/APT10
• China pwns global telcos, targets key subscribers
• FVEY owns Yandex
• Tourists entering Xinjiang now have mobile malware installed at border
• Florida city governments having a bad time
• Much, much more!

This week’s edition of Risky Business is brought to you by Senetas. They make layer 2 encryption tech, but they’ve also got a content disarm and reconstruction play now, Votiro, as well as their safe file sharing platform SureDrop. But we’re sticking with encryption in this week’s sponsor interview. Senetas CTO Julian Fay will be along a bit later to talk about his trip to the International Crypto Module Conference. He’ll fill us in on what the agenda was there – lots of talk about quantum resistant crypto and also some talk about streamlining various certification regimes.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.