Risky Business Podcast

In this Soap Box edition of the show Nucleus Security’s Scott Kuffer discusses Stakeholder-Specific Vulnerability Categorization (SSVC) and why tools alone can’t fix a dysfunctional vulnerability management program.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Google’s search results have become a malware-riddled sh*tshow
• Ransomware payment values dropped by 40% YoY in 2022
• Kraken takes over Solaris the old school way
• Grand Theft Auto RCE is wreaking havoc
• ManageEngine customers are all getting owned
• So you know, pretty much business as usual

This week’s show is brought to you by Kroll.

Jim Hung co-leads the special projects and applied research team at Kroll and joins us to talk about the big changes happening in the incident response discipline.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Royal Mail attack was LockBit and GCHQ will probably “bust some heads”
• CircleCI’s incident report and the problem with malwared endpoints in the Zero Trust age
• Cloudflare backs Mastodon
• Paul Nakasone: NSA did some great stuff! It was really good!
• Cisco won’t patch SMB routers sold in 2020
• Much, much more

This week’s show is brought to you by Material Security. Material co-founder Ryan Noon and Snowflake’s head of cybersecurity strategy Omer Singer are this week’s sponsor guests.

On this week’s show Patrick Gray and Adam Boileau discuss the news we missed while on break. Because it’s the first show of the year, we split the discussion into themes:

• Attacks against critical online services like Okta, CircleCI, Slack and Lastpass will increase in volume
• All the latest global intrigue, from NSO being noped by the US Supreme Court to DDoS attacks in Serbia, Turla’s latest campaign, supply chain attacks against Ukraine, why Russia has been more active than we realised and much more
• A ransomware wrap, a discussion about the rise of data extortion and why it’s unlikely to remain a huge problem
• Why automotive security research will actually be interesting this year
• PLUS: A bunch of random news!

This week’s show is brought to you by Trail of Bits. Dan Guido is this week’s sponsor guest and he joins us to talk about something they’ve developed – a zero knowledge proof of exploit technique. Very interesting stuff!

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Apple to introduce user-encrypted backups, FBI is sad
• Twitter ices e2ee plans for DMs
• RackSpace is getting sued over its hosted Exchange ransomware incident
• Dodgy driving: Microsoft signs some shady stuff
• Japan to change laws, release the Shibas
• A look at the US NDAA
• Much, much more

This week’s show is sponsored by Obsidian Security. Obsidian co-founder Ben Johnson joins the show this week to talk through SaaS configuration security and visibility/monitoring.

In this sponsored podcast Patrick Gray and Ryan Kalember talk about Proofpoint’s acquisition of Illusive, a company that started off in the “deception” space and then moved towards doing attack path analysis and management.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Samsung, LG Android signing keys pinched
• LastPass gets owned again
• APT41 steal covid relief money
• Amnesty International hacked in Canada
• Much, much more

This week’s show is brought to you by Airlock Digital. Its CEO and CTO join host Patrick Gray this week to talk about admin to kernel as a security boundary, and the limitations of kernel driver blocklists.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• UK, USA ban Chinese security cameras
• What is the Boa webserver and why is it everywhere?
• Vanuatu, Guadeloupe smashed by ransomware
• REvil back with more dumps despite ASD attention
• Much, much more

This week’s sponsor guest is Jake King from Elastic Security, who joins us to talk through the company’s most recent threat report. There’s a link to the report in our show notes.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Half of all UK COBRA meetings are ransomware related
• Ransomware biggest risk to US port security
• White House to move on spyware industry
• EU to launch its own Starlink equivalent
• Much, much more

AttackIQ’s Jonathan Reiber will be joining us in this week’s sponsor interview to talk about how companies and their boards are really moving towards outcomes-based security programs.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

In this podcast we speak with Randall Degges who leads the Developer Relations & Community team at Snyk. He’s here to talk to us about how to get developers enthusiastic about security, how to get them to use the right tooling, and how this tooling will evolve in the future to actually help developers fix bugs in their code.