Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #577 -- Stir crazy lockdown edition (reposted)

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • KSA uses SS7 to track its citizens in USA
  • Governments begin virus tracking through personal devices
  • FBI warns of Iran-linked crew in yer supply chains
  • Voatz gets booted from HackerOne
  • All the cloud and Zoom drama

This week’s show is brought to you by Signal Sciences. Instead of interviewing one of their people, they suggested we interview Andrew Becherer in this week’s sponsor interview.


Risky Biz Soap Box: VPNs are out, identity-aware proxies are in

Presented by

Patrick Gray

CEO and Publisher

In this (sponsored) podcast Akamai’s CTO of Security Strategy Patrick Sullivan talks us through the basics of identity-aware proxies. With more and more internal applications being served to newly external users, identity-aware proxies are the new hotness.


Risky Business #576 -- Are cloud computing resources the new toilet paper?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Azure resource constraints hit Europe
  • Should we unleash surveillance on COVID-19, privacy be damned?
  • Browser maintainers cease new releases
  • South Korea-linked APT crew attacks World Health Organization
  • Much, much more

This week’s show is brought to you by Thinkst Canary.

Thinkst’s Haroon Meer joins the show this week to talk about what he tells customers when they ask him if Thinkst could go rogue and own all their customers.

You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here.

You can subscribe to our new YouTube channel here.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.


Volunteers and vigilantes back hospital InfoSec

Presented by

Brett Winterford

Around 50 hospitals around the world are less likely to get popped in ransomware attacks this week, thanks largely to a loose band of InfoSec pros that banded together to help healthcare providers during the COVID-19 crisis.

While they aren’t yet going after ransomware gangs in vigilante-style retribution, the group’s pro bono work has already helped pinpoint over 50 healthcare organizations running vulnerable versions of Citrix NetScalers or Pulse Secure VPN gateways.

Vulnerable VPN endpoints have been targeted by several ransomware gangs in recent months, and despite promises from some groups not to target healthcare organizations, hospital networks and the medical supply chain continue to fall victim.

The voluntary threat intel and hunting effort has been welcome help for Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (H-ISAC), which has taken on the role of aggregating and disclosing vulnerability information collected by the group to affected healthcare providers.

The group of independent researchers - which now numbers around 200 - has no name. Most of its members prefer anonymity and volunteer outside of work hours. So far they have provided H-ISAC data from honeypots set up to detect opportunistic scanning activity. They also scanned the internet for IP addresses hosting vulnerable VPN endpoints, from which H-ISAC extracted a list of 50 healthcare providers. H-ISAC has sent those organisations links to technical write-ups on the vulnerabilities in question, as well as generic mitigation advice, irrespective of whether they are H-ISAC members.

Weiss is optimistic the advisories will be acted on. “Based on our prior experience, most [hospitals] will pay attention and do something,” he said. The hospitals will be prompted with further information if their systems continue to show up in scans, he said.

Ohad Zaidenberg, one of the few public figures working to corral volunteers, told Risky Business the group has only “just started.”

“From tomorrow, we will start to work actively,” he said, but was coy as to what the next phase of their program involves.

Healthcare CSOs we spoke to this week were grateful for the camaraderie and generosity of their industry peers. But they also cautioned to not expect too much of hospitals under strain.

“The offers of intel-sharing and threat hunting is only useful to the extent that hospitals have the capacity and capability to consume it,” said Christopher Neal, CSO of Ramsay Health Care, which operates a global network of 480 medical facilities in 11 countries. In most hospital networks, Neal said, there are insufficient resources available to act on the information - even prior to the coronavirus outbreak.

Neal wants to see “clearer public policy arguments to increase funding for security programs” in healthcare.

Weiss said that he is keen to receive more Indicators of Compromise (both atomic indicators and TTPs) about ransomware attacks, as well as decryption methods for various strains of the malware. But he recognizes the difficulties that might emerge as the initiative scales. Automation may be required to filter and sort through the volume of data coming in and to prepare actionable reports.

Still, he said, “I’d rather have that problem than the reverse.”

Risky Business #575 -- World drowns in Coronavirus phishing lures as crisis escalates

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Coronavirus phishing lures are everywhere
  • Czech hospital ransomwared during crisis
  • Voatz mobile voting app destroyed by Trail of Bits audit
  • We recap yesterday’s livestream
  • Windows SMBv3 bug probably not such a big deal
  • ALL the week’s news

This week’s sponsor interview is with Sam Crowther, founder of Kasada. They do bot detection and mitigation and apparently they’re quite good at it. Sam joins the show to talk through the new greyhatter of anti-anti-bot. It’s actually a really fun conversation, that one, so stick around for it.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.


Risky Biz Soap Box: Trend Micro's Jon Clay talks ransomware and being a portfolio company

Presented by

Patrick Gray

CEO and Publisher

If you don’t know already, all guests who appear on the Risky Business Soap Box podcast paid to be here. These podcasts are promotional, but as regular listeners know, they’re not just mindless recitations of marketing talking points.

This edition of Soap Box is brought to you by Trend Micro, which is a company that’s in a really interesting position at the moment.

With Symantec acquired by Broadcom, which only really cares about the biggest 500 companies in the world, Sophos absorbed, Borg-style, by Thoma Bravo and McAfee sitting in the corner eating its paste, there’s an opportunity for a new “portfolio” security software firm to emerge, and Trend wants to be it.

Jon Clay is Trend’s director of global threat communications and he joined me for this conversation about ransomware, how EDR is becoming “just another feature,” and what the role for a “portfolio” company in infosec is going to be in the future.


Risky Business #574 -- EARN IT Act targets crypto, Joshua Schulte to be retried on most serious charges

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Two Exabeam engineers sick with Coronavirus following RSA attendance
  • Hung jury in Joshua Schulte Vault7 trial
  • Qihoo 360 tries to “pull an APT1” but it was just weird and awkward instead
  • Corellium releases Android for iPhone hardware toolkit
  • Much, much more.

This week’s sponsor interview is with Scott Kuffer of Nucleus Security. They have built a web application that pulls together feeds from all your vulnscanners and vulnerability-related software (Snyk, Burp, whatever), normalises it then lets you slice it, dice it, and send it through to the most relevant project owner/dev team. It’s insanely popular stuff, and Scott pops along this week to talk about vulnerability management and what his last year has looked like as Nucleus’s business has boomed.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.


Risky Biz Soap Box: Chris Kennedy on the latest MITRE ATT&CK developments

Presented by

Patrick Gray

CEO and Publisher

These Soap Box podcasts are wholly sponsored. That means everyone you hear on one of these editions of the show paid to be here. But that’s ok, because we have interesting sponsors!

Today’s sponsor is AttackIQ. They make an attack and breach simulation platform. They started sponsoring risky biz when they were a little baby startup, but these days, as you’ll hear, attack sim is actually emerging as a budget line item, particularly for larger companies.

They use the platform to test their existing controls, figure out where they have gaps or bad products, then kick on to planning from there… then retest, evaluate, plan, implement, etc etc etc.

For a lot of organisations, something like this is going to be really helpful. Another super helpful thing is that AttackIQ is all in on MITRE ATT&CK.

AttackIQ is, in fact, one of the first vendors I know of that jumped on the MITRE ATT&CK bandwagon. They got in early, and this podcast is mostly going to be focussed on ATT&CK. Chris Kennedy is AttackIQ’s CISO and VP of customer success! He did one of these soap boxes last year and it was really popular with the CISOs who tune in to risky biz.

He joined me for this discussion about MITRE ATT&CK; where it’s at, where it’s going, how people are using it and how AttackIQ is using it to make its products more useful.


Risky Business #573 -- Gas plant ransomware attack, Huawei mega-indictment and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Ransomware shutters US natural gas plants
  • Huawei hit with huge indictment
  • Voatz mobile voting app shredded by MIT, dust-up ensues
  • The latest from the Vault7 trial
  • Reality Winner seeking clemency
  • Ring to force all users on to 2FA
  • Israeli court rules Facebook must reinstate NSO staff profiles
  • USG drops more North Korean samples
  • OpenSSH gets Fido/U2F support

This week’s sponsor interview is with Dave Cottingham from Airlock Digital.

They make whitelisting software that’s actually useable. And until I did this interview I didn’t know that their agent actually does host hardening as well, which is pretty cool. Since we last spoke they’ve also popped up in CrowdStrike’s app store thingy, which means a bunch of you CrowdStrike customers will be able to dabble in some whitelisting if you want to.

Dave joins the show to talk about a bunch of stuff, including their experience having Silvio Cesare do a code audit on their agent.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.


Risky Biz Soap Box: Cmd's Jake King talks Linux security

Presented by

Patrick Gray

CEO and Publisher

Soap Box podcasts are fully sponsored which means everyone you hear on these editions of the show paid to be here. If you’re looking for the regular, weekly Risky Business podcast, just scroll one back in your podcast feed.

But you know what? I wouldn’t recommend it, because this edition of Soap Box is top notch. In it we’re joined by Jake King, a co-founder of Cmd Security.

Cmd makes Linux security software, and I love their approach mostly because, well, it’s simple. It has two main functions – visibility and control – but both of these functions focus on execution. The visibility piece is “which user executed what?” and the control piece is “only let user X execute Y”. The idea here is you can apply an additional layer of control over user actions, but obviously the visibility aspect to this is pretty useful at driving decisions around what sort of limits to put on various accounts.

Jake has fronted this edition of the show with an exclusive offer to Risky Business listeners, which is free use of their software. Obviously you won’t get access to absolutely all its features, but certainly enough of them to be very, very useful. They’re getting to the point where they can do this – throw out most of the functionality and just sell the icing on the cake to companies who want it. You can register for early access to the free trial at cmd.com/risky.
