Risky Business Podcast

This is the last episode for the year – the last episode of the 10th season! On this week’s show Adam and I will discuss the week’s news and then we’re going to reflect on the major events in 2016; the stuff that stuck out for us. I don’t think it’ll come as a surprise that the cyber intrigue surrounding the 2016 US presidential election is what peaked our interest this year.

This week’s show is brought to you by Canary.Tools. Canaries are of course those awesome little honeypots you can deploy on your network for excellent signalling. They will tell you if you have an attacker on your network, they’re cost effective and really nicely designed.

Canary’s very own Marco Slaviero will be along a bit later to talk through a recent Tweetstorm that centred on honeypots, as well as to preview Canary’s next release. In a few weeks you will be able to buy a purpose-built ICS honeypot, as well as one that mimics a code repository, so if you work with ICS gear or for a dev shop, you’ll really want to tune in to that one.

**RISKY BUSINESS WILL BE BACK ON JANUARY 12, 2017**

Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re chatting with Fitbit security director Sasha Biskup and his colleague Marc Bown about how to build secure embedded devices from insecure components. During the development phase of some Fitbit products, the Fitbit security team has discovered some hideous vulnerabilities that could have compromised security downstream. They’ve been able to mitigate these issues, but they worry other embedded device manufacturers aren’t even looking at the security implications of their suppliers’ mistakes.

This week’s show is brought to you by CyberArk! CyberArk’s Jeffrey Kok is this week’s sponsor guest. He joins the show to talk about what CyberArk knows best – privileged account management. It’s such a basic thing, but it’s hard to do right.

This week’s news segment was recorded at Kiwicon in Wellington, NZ, and features Assurance.com.au’s Neal Wise, plus Rob Fuller and David Jorm.

In this week’s show we’re going to have a chat with former NSA general counsel and cyberlaw podcast host Stewart A Baker. We’ll get his thoughts on what a Trump presidency could mean when it comes to cyber security.

This week’s show is sponsored by Senetas, and you know what? They’re branching out. Senetas has some new goodies that can replace all the crappy tools like dropbox that are in your organisation despite you not approving of them. The Senetas solution is actually good enough that it’s being used to handle classified data, because hey, Senetas does a lot of business with SafeNet, which is owned by Gemalto – so if the idea of a HSM-authenticated and locked down dropbox-style platform appeals, hang about for this week’s sponsor interview!

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we chat with Errata Security’s Robert Graham about a ridiculous non-story that had readers in the USA convinced that Slate magazine had uncovered a covert communication channel between Donald Trump and a state-linked Russian bank. The basis of this jaw-dropping conclusion? Cherry-picked DNS query logs. We’ll find out why that story was total, utter bullshit in this week’s feature.

In this week’s sponsor interview we’re chatting with the former CEO and CTOs of Flawcheck, a company that made vulnerability scanning tools for Docker containers. Flawcheck has been acquired by this week’s sponsor, Tenable Network Security, and it’s a really handy thing to use if your company makes use of Docker. You can actually register for a free trial of Flawcheck here. We’ll find out why you need specialist kit to do container scanning.

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re taking a look at the Great DDoSSening of 2016! Yep, we’ll be having a look at the attacks against Dyn, but perhaps more importantly we’ll be asking the question: With a zillion perma-owned things out there able to launch some pretty serious DDoS attacks: What now?

IoT device security specialist Stephen Ridley will join us in this week’s feature slot to discuss that.

This week’s sponsor interview is a cracker. We’ll be chatting with Cyalnce chief research officer Jon Miller about how the hell you’re supposed to benchmark AV these days. It’s actually trickier than you’d think, for reasons we’ll get into later. We also talk about managing false positives and hit on a few other topics in that one. Jon’s ex ISS X-Force, he’s been around the traps for a long time and really knows what he’s talking about. That’s a good interview… big thanks to Cylance for sponsoring this week’s show.

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re taking a look at the business dealings of John McAfee. Earlier today the NYSE announced the company that arranged to hire McAfee, MGT Capital, would be de-listed from the NYSE: MKT small cap exchange. This follows a class action investor lawsuit and the unearthing of a remuneration agreement between the company and McAfee that have lead some to suggest the whole company could be a pump and dump scam.

This comes hot on the heels of a release of a Showtime documentary that alleges McAfee’s involvement in two murders and the rape of a scientist working for him. We’ll hear from respected industry analyst Rich Mogull about MGT’s proposed product line while Georgetown Law’s Visiting Professor Russell Stevenson takes a look at MGT’s somewhat strange remuneration agreement with McAfee.

This week’s show is brought to you by Canary.Tools.. If you’re a regular listener you’ve heard me sing the praises of Canary in the past. It’s basically a little honeypot that you can configure to look like anything, you put it on your LAN somewhere and wait for an attacker to mess with it. It’s a great product that’s experiencing amazing growth. Canary.Tools head honcho Haroon Meer will be along in this week’s sponsor interview to talk about how little hacks can help defenders as well as attackers.

Adam is away on his company retreat this week so I’ve actually asked Haroon to fill in for him in the news segment, too. It’s your double dose of Haroon Meer!

Oh, and do add Patrick and Haroon on Twitter if that’s your thing.

On this week’s show we’re taking a look at what the hell the USA should do in response to Russia’s hacks against the DNC. A few days ago the Director of National Intelligence and DHS issued a joint statement that officially puts blame for the DNC hacks squarely on Russia. Since then the Internets have been in meltdown over what exactly should be done in response.

Cyber policy lady Mara Tam is this week’s feature guest. She’ll tell us what sort of reaction we can expect to see, as well as give us some context around why all this is happening in the first place. That’s this week’s feature interview.

This week’s show is brought to you by the fine folks at Bugcrowd. This week’s sponsor interview is with Bugcrowd founder and CEO Casey Ellis. Recently a company that makes static analysis software took a bit of a poke at bug bounties in its marketing. If anything it was kind of an acknowledgement that Bugcrowd and its competitors have had a pretty substantial impact on how testing actually gets done.

But are people actually thinking of services like managed bug bounties as a substitute for static analysis? And why is every single company that makes developer tools scrambling to become agile or devops ready when hardly anyone is actually doing it yet?

Adam Boileau is this week’s news guest.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we are catching up with Mustafa Al-Bassam. He’s a lovely young chap from England who was once upon a time one of the LulzSec crew. Like all the other guys in that crew he got busted, but he didn’t spend any time in prison and these days he is doing really well. He has finished his undergrad, works with some blockchain technology and is about to start a PhD. He joins us this week to talk about his in depth analysis of the Shadowbrokers dump, as well as to reflect on his crimes. As you’ll hear, he has some regrets.

This week’s show is brought to you by Bromium! And last week you might have caught an announcement that Microsoft has moved virtualisation based security up into the app stack. The Edge browser is getting thrown into a micro VM in certain circumstances. Of course Microsoft worked with Bromium on all this stuff, so Bromium CTO, Simon Crosby will be along to talk about what Microsoft has actually done here. Bromium, of course, makes fully featured micro VM security software in addition to helping Microsoft improve windows, so that chat is interesting stuff and it’s coming up after this week’s feature.

Adam Boileau is this week’s news guest.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

This week we’ll be having a chat to Paul Marsh about a recent report from UK think tank Chatham House that says there’s a looming cyber security crisis about to wreak havoc on the satellite ecosystem. But as you’ll hear, Paul thinks the concerns are somewhat overhyped.

In this week’s sponsor interview we chat with Space Rogue, aka Tenable Network Security’s very own Cris Thomas. He’s joining us this week to talk about election security. Two new bills dealing with the security of voting computers have been proposed in the USA. We’ll get Cris’s thoughts on how likely they are to actually make a difference. We also have a general discussion around the security of e-voting infrastructure.

Adam Boileau is this week’s news guest.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’ll be chatting with security researcher Ryan Duff about the rabbit hole that is the Tor Browser Bundle certificate pinning bug. The bug itself is interesting, but the questions it raises about how suitable Tor is for genuinely critical use are, you know, substantial. That’s a really, really interesting chat with Ryan Duff, coming up after the news.

This week’s show is brought to you by Hewlett Packard Enterprise Fortify! Of course HPE Fortify makes both static and dynamic analysis tools to help their customers weed out bugs in their software… but what are the relative strengths of static versus dynamic? Where should you use these tools? As this week’s sponsor guest Michael Farnum explains, the trend these days is to not only use both, but move them both as far to the left as possible in the development cycle. That’s this week’s sponsor interview, coming up a bit later.

Mark Piper is this week’s news guest.

Oh, and do add Patrick on Twitter if that’s your thing.