Risky Business Podcast

In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including:

• Will Iran cyber all the cybers?
• ToTok chat app alleged to be UAE spy tool
• China makes moves on own OS
• Big game ransomware hits crisis levels
• WSJ carries water for NSO Group
• Much, much more

This week’s show is brought to you Bugcrowd. We’ll be hearing from Bugcrowd’s Casey Ellis in this week’s sponsor interview. He’ll be talking about the US federal government’s decision to force all departments into accepting bug reports – he thinks this is a move that will have a big impact on the wider security ecosystem.

Links to everything are below!

On this week’s show Patrick and Adam discuss the week’s security news, including:

• China to ditch foreign hardware, software, from government use
• Huawei sues FCC
• More background on Project Raven
• Senate hearings into encryption
• Reddit fingers alleged RU disinfo campaign
• “Evil Corp” hackers have lots of money, terrible taste
• Ransomware attacks galore
• Much, much more

This week’s sponsor interview is with Haroon Meer of Thinkst Canary. And we’re going to do the typical thing and have a look forward to what we can expect to see in security next year. But we’re going less for the big, dumb predictions and more picking the trends we expect to strengthen over the next year.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Our guest in this edition is Will Peteroy. He’s currently the CTO of security at Gigamon after his company, ICEBRG, was acquired by Gigamon last year. Will has a long and interesting background in security.

As you’ll hear, he worked on the security team at Microsoft once upon a time. He even co-wrote Microsoft’s gigantic paper on mitigating “pass the hash” attacks some years ago. He also did some time with the “Department of Defense” some time ago. He’s a knowledgable fella.

And he’s been spending considerable time lately focussing on the issue of Zero Trust Networks.

Zero Trust is one of those things that’s super simple in theory, but absolutely, awfully complicated when you actually try to do it. So Will joined me for this chat about Zero Trust networks, how to define them, how to transition to them, what some of the steps are and thinking is. It’s a great conversation for any CSOs who are working through some of the issues that pop up when they’re transitioning to ZT architectures.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Ethereum developer Virgil Griffith charged for allegedly teaching DPRK about cryptocurrency
• DHS/CISA government vulnerability disclosure program takes shape, looks good
• Adobe discloses Magento Marketplace data breach
• Fully patched Android devices targeted
• IM-RAT takedown
• Much, much more

This week’s sponsor interview is with Brian Robison of BlackBerry Cylance. He pops along to talk about some interesting research they’ve done on mobile malware.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• RIPE has officially run out of v4 addresses
• NSO workers sue Facebook to get their accounts back
• Mike Pompeo, Republican lawmakers keep Crowdstrike conspiracy theory alive
• Bugs, hacks, ransomware disasters and more.

This week’s sponsor interview is with Sally Carson of Duo Security. Sally has been a designer for over 20 years, joining Duo in 2015 to build the company’s Product Design and User Research practice from the ground up. Duo now employs one designer for every five users, which is an extremely generous ratio.

As you’ll hear, Sally thinks empathy is the key to designing usable technology.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

This is a Soap Box edition of the show. Soap Box isn’t our regular weekly news program. If you’re looking for that one, scroll one show back in your podcast feed.

Soap Box is a wholly sponsored series of podcasts we do here at Risky Business where vendors give us money to appear. And while these are sponsored episodes they’ve actually become almost as popular as the weekly show. They started off about half as popular, and then I guess people gradually realised they don’t actually suck, so here we are.

Trend’s head of cloud research, Mark Nunnikhoven, is our guest in this edition and we have a pretty wide ranging conversation. A big part of this conversation is us talking about the differences between locking down a corporate network vs locking down a modern application production stack… and there’s a very funny part of this interview where Mark points out that AV scanning for Docker images actually makes sense. Seriously.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Phineas Phisher returns, claims credit for Cayman bank hack and offers bounties for activist hijinks
• Microsoft cautiously backs DoH
• Huawei granted another 90-day stay of execution in US market
• Iranian APT crew targeting ICS supply chain
• Alexei Burkov extradition complete, appears in US court
• Some very funny stuff is happening to GPS in the Shanghai area
• Louisiana government ransomwared, emerges relatively unscathed
• Official Monero binaries trojaned. Lol.
• Much, much more!

This week’s show is brought to you by Senetas. Rob Linton from Senetas joins the show this week to talk about its O365 integration for its SureDrop product, a new feature that will be of interest to many Risky Business listeners.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Two ex Twitter employees charged with spying for KSA
• US border device searches now require suspicion after ACLU win
• Unredacted Corellium lawsuit response drops
• Ransomware attacks on hospitals increase mortality
• Much, much more!

This week’s sponsor interview is with Stephan Chenette, the co-founder and CTO of AttackIQ. We talk to him about some CSOs playing Pokemon Go with MITRE ATT&CK (“Gotta catch ‘em all!”) and about recent ATT&CK developments.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

The Soap Box podcast is a wholly sponsored podcast series we do here at Risky.biz, which means everyone you hear on it paid to appear.

This edition of the Soap Box is brought to you by Capsule8.

It’s taken a long time, but over the last couple of years we’ve seen a meaningful Linux security software market emerge. It makes sense, I guess, considering the modern production environment is all glued together from various Linux systems. So, we’re seeing some interesting approaches to the Linux security challenge pop up.

Capsule8 makes detection and visibility software for Linux. You can use it to spot various types of funny behaviour on your Linux systems. Brandon Edwards is Capsule8’s chief scientist and he is our guest today.

We speak about a few things, but primarily this conversation centres on the fact that modern production environments have become so complex it’s almost impossible to comprehend how they work. We’ve lost insight, and we’ve even lost the ability to understand how individual security flaws can impact our wider production environments.

So we’re going to talk about complexity in modern production environments, and then we’ll talk a bit about Capsule8’s approach to the Linux security challenge. Enjoy!

On this week’s show Patrick Gray and Mark Piper discuss all the week’s security news, including:

• NSO Group malware turning up in some unexpected places
• Bluekeep mass exploitation finally begins
• Owning smart home devices with friggin’ lasers
• Two plead guilty to hacks on Lynda.com, Uber
• Imperva CEO departs following breach
• TLS Delegated Credentials sound like A VERY GOOD IDEA
• Cybercommand heads to Montenegro
• Much, much more

This week’s show is brought to you by Thinkst Canary. Haroon Meer and Adrian Sanabria from Thinkst recently did a keynote talk at the Virus Bulletin conference in London. Titled “The Security Products We Deserve,” it’s a stinging critique of the security product lifecycle. VC firms keeping stupid ideas alive, analyst firms being parasites, vendors not doing security testing on their equipment and so much more. We’ll be talking to Haroon Meer about that keynote in this week’s sponsor interview, which will run after this week’s news segment.

Links to everything are below.