Risky Business Podcast

On this week’s show we’re taking a look at how an acceleration in 24-carat bonkers state-sponsored hacking is leading to calls at senior levels of government for some actual norms to be established. We’ve got Russia hacking the planet with NotPetya, North Korea owning central banks and cryptocurrency exchanges, China owning the CCleaner supply chain and… well.. it’s all getting a bit much.

So in this week’s feature segment we’re going to zero in on one norm-breaking country, North Korea. We’ll hear from John Hultquist of FireEye and Adam Meyers of Crowdstrike on that.

As you’ll hear, countries like North Korea are pushing the limits of what they can get away with on the Internet and friendlier states are desperately trying to establish what the boundaries for good faith actors should actually be. We’ll hear from Australia’s cyber ambassador Tobias Feakin on that part of the discussion, courtesy of some audio gifted to the Risky Business podcast by Australian journalist James Riley. That’s a fun package and it’s coming up after the news.

This week’s sponsor interview is with Zane Lackey of Signal Sciences. Zane joins us to talk about a few things – how developer teams are increasingly making their own security decisions and how that’s actually a good thing… we’ll also talk about companies that have found themselves operating on multiple cloud platforms even though they didn’t plan for it.

Adam Boileau, as usual, is this week’s news guest.

We cover:

• The AMD bugs
• China’s tightening grip on security research
• Slingshot APT
• Christopher Wray’s mind bogglingly daffy comments on key escrow
• AND MOAR!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’re chatting with Professor of Law at the University of Maryland Danielle Citron about an article she co-authored on so-called “deep fake” videos. Citron and Bobby Chesney wrote a fascinating piece about the privacy and national security implications of this latest trend and we’ll be talking to her about that a little bit later on.

In this week’s sponsor interview we’re chatting with Julian Fay, CTO of this week’s sponsor Senetas. We talk to him about how encryption hardware industry is responding to the looming spectre of quantum computing.

As you’ll hear, standards bodies are already rolling out draft implementations of quantum-resistant algorithms that companies like Senetas will be baking into their kit as additional layers of protection.

Adam Boileau, as usual, is this week’s news guest.

We cover:

• Massive memcached DDoS attacks
• Trustico having a bad week
• Reported flaws in 4G/LTE
• Uber breach lawsuit
• …and more!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

This isn’t the regular weekly show, Soap Box is the podcast where vendors pay to appear to talk about big picture stuff, or really anything they want.

Unless you’ve been living under a rock lately you’d know that Google’s parent company Alphabet announced the spinoff of an enterprise information security company. They’ve named it Chronicle, but beyond that it’s all a bit mysterious. Unlike other startups that stay super stealth until they launch their product, Alphabet basically realised that as it already has its platform out there under beta test with a bunch of organisations the creation of the company would eventually leak, and that would have been a mess from Alphabet’s point of view. So, their solution was to announce the company before it’s ready to ship its product.

I would love to tell you that they’re going to drop all the juicy details in this podcast but they’re not. They’ll drop some hints, but for now, Chronicle’s mystery platform will remain that: a mystery.

But that’s not to say there isn’t some other stuff to talk about. As a part of the spinoff, Virus Total is now a part of Chronicle. And you know what? There’s a lot more to Virus Total, in particular Virus Total Intelligence, than I realised. That’s partly because Alphabet hasn’t really done much marketing around it, and this is a kind of first step down that path.

So in this podcast you’re going to hear from two people from Chronicle – Rick Caccia who is the chief marketing officer, he’s mostly chiming in to explain a little bit about the new company – and Mike Wiacek, the CSO and co-founder of Chronicle. He’s going to be telling us about all the features of Virus Total that you probably didn’t realise exist. Did you know if you have a VTI account you can run YARA rules against everything that comes in to Virus Total? And you can apply the rules retrospectively to see what shakes out? And that they have graph and clustering features? And … and … and … you get the idea.

I hope you enjoy this podcast!

On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.

It’s making some waves already. It’s a genuinely interesting, free service.

In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all thing blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.

JP will talk us through some of the bug classes he sees as well as talk about the work trail of bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Etherum Virtual Machine.

Adam Boileau, as always, is this week’s news guest.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

This edition of Soap Box is brought to you by Bugcrowd. So the next 40 minutes or so is a conversation between Bugcrowd CTO and founder Casey Ellis and I.

As most of you would know, Bugcrowd runs outsourced bug bounty programs for a wide variety of organisations, from Silicon Valley megabrands to financial services to development-heavy SMEs, Bugcrowd is there.

And what a time it is for the bug bounty business. There’s a lot of attention on the bug bounty concept at the moment – we even saw a senate subcommittee hearing on them take place earlier this month. It’s a competitive sector, too.

In this podcast Casey tells us about a few things, like what Bugcrowd is doing to try to add some innovation to bug bounty programs. As you’ll hear, he’s actually got some really great ideas. I came into this as a bit of a sceptic, as in, how can you innovate around something as simple as a bug bounty program? It turns out you can. We also try to make the case that bug bounties are an established part of infosec now; a boring part of the mix.

So we cover off some interesting stuff Bugcrowd is doing, then we talk about how the bug bounty provides types might be able to actually engage their crowds in defensive work.

On this week’s show we’re going to chat with Katie Moussouris about her testimony before a Senate Subcommittee last week. She fronted a session on Consumer Protection, Product Safety, Insurance, and Data Security titled, “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers. We’ll hear from her on how all that went and what she hopes the US government learned from the committee panel.

Also this week we’ll be hearing from Mark Maunder of Wordfence, that’s this week’s sponsor interview. Wordfence sells a Wordpress security plugin. There have been some interesting developments in the Wordpress world over the last week that are definitely worth covering. Wordpress actually pushed an update to core that actually disables future auto updates. Yikes.

We’ll find out how long that update was out, what percentage of the Wordpress ecosystem swallowed it, and we’ll also talk about about a couple of dysfunctional things happening in the Wordpress ecosystem.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’re chatting with Travis McPeak at Netflix about a tool they’ve developed called RepoKid. It automatically strips unused AWS permissions, which I’m guessing a lot of you will find quite useful.

We’ll also chat with Dan Kuykendall in this week’s sponsor interview. Dan works for Rapid7, and they’ve been doing some interesting stuff with their agents, basically tweaking them to give better visibility of application security issues and exploitation attempts. T

hat conversation is really about how security firms these days are using the agent footprint they have to just do whatever they can.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

• AutoSploit arm waving
• Lauri Love beating extradition
• Nik Cubrilovic’s arrest
• MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’re checking in with Kelly Shortridge and the topic is zombies. Not the botnet kind, the heavily-VC-backed kind.

A recent report from the Reuters news agency highlighted the amount of VC pouring into the so-called “cyber” industry vs the amount of money actually coming out of it in the form of profitable exits isn’t matching up. The industry is filling up with so-called zombie companies – they’ll never exit, but they’re not going to completely die, either.

As it turns out, Kelly recently did a presentation on precisely this topic, so in this week’s feature we get her take on why this is happening and what’s likely to change. The tl;dr is something will have to give in the next couple of years, and it’s going to be ugly.

In this week’s sponsor interview we check in with Jordan Wright of Duo Security. Jordan has done some research into phishing kits. While phishing isn’t the sexiest topic, the team at Duo has actually done some pretty comprehensive research here – they looked at thousands of kits and pulled out some interesting stats.

We’ll talk to him about that, and also about the likelihood that U2F hardware will soon be baked into consumer devices. That’s really going to change things in years to come.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

• Strava heatmap
• Dutch infiltration of Cozy Bear
• Possible nationalisation of the US 5G network on security grounds
• Microsoft disabling Intel Spectre patches
• Google’s Chronicle announcement
• US$400m Cyptocurrency ownage
• MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’ll be taking a look at the freshly re-authorised section 702 of the FISA act. As you’ll soon hear, the updated section now allows the FBI to search data captured under 702 programs for evidence against US citizens in a bunch of circumstances, including, drum roll please, during investigations with a cyber security tilt.

The co-founder of the Lawfare blog, law professor and Associate Dean for Academic Affairs at the University of Texas Ausin, Bobby Chesney, will be along in this week’s feature to talk about all of that!

In this week’s feature interview we’re joined by Haroon Meer of Thinkst Canary. Haroon will be along to talk about the effectiveness of various honey tokens. Thinkst has been playing around with this stuff for a couple of years now, and Haroon will be joining us to talk about how they’ll will wind up being used in an enterprise context. How do you get detection canaries to scale? That’s coming up later.

Adam Boileau, as always, pops in to discuss the week’s news. It’s been a relatively calm week, but we’ve got some interesting news about botched Spectre patches and a discussion around a sensational report about Kaspersky Lab published by Buzzfeed in conjunction with Russian outlet Meduza.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we chat with Collin Anderson about Iranian internet censorship, as well as how sanctions on Iran led Google to block app engine access within Iran.

That’s a problem for Signal users there, because when the primary Signal servers are blocked, the software falls back to a domain-fronting approach that uses… drum roll please.. Google App Engine.

That’s a pretty wide ranging discussion of ‘net censorship in Iran and ‘net censorship generally and that’s coming up after the news.

This week’s show is brought to you by Bugcrowd, big thanks to them for that. In this week’s sponsor interview we’ll chat with Bugcrowd trust and security engineer Keith Hoodlet about some work they’ve been doing on producing detailed remediation information for their clients.

Adam Boileau is also along, as always, to discuss the week’s security news. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.