Risky Business Podcast

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news, including:

• CBP loses photo and license plate database
• Some Android phones shipped with backdoor
• Info on Google’s cloud outage
• USG ramps up “defend forward”
• Trump and Mnuchin can’t get their stories straight on Huawei
• The latest from Baltimore, more on that RDP bug
• TalkTalk hacker sentenced
• Much, much more

This week’s show is brought to you by Remediant! Remediant CEO Tim Keeler will be along this week to have a chinwag. We’ll talk about how simple security tech is really en vogue these days and how that’s a good thing.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• NYTimes story on EternalBlue and Baltimore is bunk
• An RDP worm is feeling kind of inevitable
• Iran is still getting Shadowbrokersed
• Intercept has a great feature on SID Today dumps
• Australian Federal Police crack down on national security journalism
• Phantom Secure CEO gets nine years and loses $80m
• Silk Road 2.0 admin must be an amazing snitch
• Another Bitcoin tumbler bites the dust
• Much, much more

This week’s sponsor interview is with Marco Slaviero of Thinkst Canary.

Marco is joining us this week to talk about how he thinks web application-based deception techniques are kind of a waste of time right now. We talk about how deception approaches work best in privileged domains, then we talk about how security teams do better when they have a dedicated ops developer.

Adam Boileau couldn’t make it this week, but that’s ok because we’ve got former Facebook CSO and current Stanford adjunct professor Alex Stamos filling in for him in today’s show. He’ll be talking through all the week’s security news, including:

• NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
• Assange to face espionage charges, extradition fight looming
• SanboxEscaper just keeps dropping those 0days
• Fury over Facebook’s response to doctored Pelosi video
• Much, much more

This week’s sponsor interview with David Warburton of F5 Networks. You know F5 as a blinky-light box manufacturer. Load balancers, SSL termination, that sort of stuff. Not exactly a growth industry at the moment, so they’re pivoting.

They’ve dropped $670m on NGINX – f5 now owns the NGINX company – and they’re making all sorts of moves in the appsec space. That interview is mostly about F5’s business, but I found it interesting because what do you do when you’re an $8bn company that makes data-centre equipment and that industry starts going into decline?

Links to everything discussed are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

This is not the regular Risky Business weekly show, the Soap Box series of podcasts that run on Risky.Biz are wholly sponsored. Everyone you hear in Soap Box paid to be here.

With that disclaimer out of the way, this is actually a really interesting conversation. Carsten Willems is the co-founder and CEO of VMRay, a company that makes… well.. what do you call it? Is it an incident response tool? Is it a detection tool? Or is it just a good hypervisor-based sandbox that you can use to do both of those things?

I’m going to say it’s the third – VMRay is a company that makes a great hyper-visor sandbox and has applied that technology to both response and detection.

In an ideal world you’d have a team of malware reversers on staff pulling apart every single binary that looks shady. But this isn’t a perfect world, so that’s never going to happen. So the original use case that Carsten and his team set out to solve was around automating malware reversing. They build a hyper-visor based sandbox that’s very hard to bypass, you can run your standard build on it, throw binaries and documents at it and see what blows up. That’s really the primary use case here.

But there is a second use case, which is detection. VMRay can give you a pretty decent risk score on samples, and they’ve entered into a few OEM arrangements with vendors to provide that extra level of detection.

I’d never met Carsten Willems before we prepared this podcast, but it’s safe to say we hit it off. This podcast basically turned into Carsten telling his story, the story of where VMRay came from and where he wants it to go. Enjoy!

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• New executive order paved way for Huawei ban
• Google pulls service from Huawei
• No wait, that’s not right, it’s for new handsets
• The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue?
• I’m so confused
• ¯_(ツ)_/¯
• Israeli broadcaster fingers Hamas over Eurovision coverage hack
• New moves to regulate offensive cyber services
• Salesforce has a bad time
• Instagram influencers have a bad time (Hah!)
• OGUsers pwned
• Much, much more

This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well.

Jake was just at a MITRE conference in Brussels that was all about the Attack Matrix. He’s joining me this week to have a bit of talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about.

Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look.

Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues.

It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASPY-style attacks.

Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there.

Enjoy!

On this week’s show Patrick and Adam talk through all the week’s security news, including:

• NSO Group WhatsApp vuln coverage goes nuclear
• Activists targeted by NSO malware in hiding in west after CIA tipoffs
• Cisco Trust Anchor drags on sea floor
• Linux kernel bugs likely overhyped
• Adobe patches insane number of CVEs
• Microsoft patches rumoured GCHQ VEP’d RDP bug
• New hardware bugs affect Intel processors
• SHA-1 collisions become much more practical
• Major US anti-virus firms owned hard

This week’s sponsor interview with Ryan Kalember of Proofpoint. Ryan is a listener, and when he heard Adam talking about how password rotations actually result in crappy passwords, it hit a nerve with him. He says Proofpoint, via its CASBY product, is seeing a lot of targeted credential stuffing campaigns cycling through variations of passwords that have appeared in dumps.

Apparently the bad guys are hip to what a typical password rotation variation looks like and they’re using this knowledge to better direct their cred stuffing attempts.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• IDF takes out Hamas cyber HQ (Features commentary from Bobby Chesney and Klon Kitchen)
• NYTimes mangles Symantec’s “Buckeye” research
• Lots of dark web arrests
• SAP exploits not all they’re cracked up to be
• Magecart-style attacks spread to other platforms
• Tech-led crackdown on Chinese-muslims intensifies
• Japan to create “defensive malware”

This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

This isn’t the regular weekly risky biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors!

In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, that one used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it?

Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them.

In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product.

Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception hybrid hardware/consulting, that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Docker Hub owned
• That Confluence bug we were talking about a couple of weeks ago got wormified
• Oracle WebLogic users also having a bad time
• Cloudflare faces investor pressure over providing services to Nazis
• Slack warns investors of possible nation-state attacks against it
• Norsk Hydro puts dollar value on ransomware incident
• Bloomberg publishes another ridiculous security story
• Much, much more!

This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd.

As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay.

But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.