Risky Business Podcast

This week’s feature interview is with Facebook CSO and Black Hat 2017 keynote speaker Alex Stamos. We’ll be digging a little deeper on some of the points he hit on in his talk in Las Vegas this year. I’ve linked through to a video of his keynote in this week’s show notes (below), and I’d really recommend you watch it. It was just very, very good.

This week’s show is brought to you by Thinkst Canary. They’re best known for their little Canary honeypots, you put them on your network and they’ll alert you to all sorts of lateral movement. Thinkst’s Founder and chief brain Haroon Meer will be along later on to talk about cloud security.

He’ll be echoing some of the points made in our interview a few week’s back with Daniel Grzelak from Atlassian, as well as looking at how you can start to put together a somewhat coherent strategy for detecting when your cloud services get popped.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

In this week’s feature interview I speak with the Australian Prime Minister’s cyber security advisor Alastair MacGibbon about what it is that the Australian government is pushing for in terms of industry cooperation around surveillance.

There’s been a lot of hype on this one. “Al Mac” joins the show to work through some of it, and honestly, Australia’s push at the moment is the sort of thing I think you can expect to see more of around the world, so this is an interview of global relevance.

Some of that conversation hinges on a blog post I wrote on the weekend. If you want to, you can read that here.

This week’s show is brought to you by Remediant!

Remediant makes a product that’s designed to make lateral movement through a network much harder. Essentially it’s a way to restrict all privileged accounts on your infrastructure until you actually need it. So instead of being able to just log in to your production environment, you can actually set it up so you can enable the privilege you need to a set period of time.

It’s a different approach to privilege management than things like password vaults, so if you work in an authentication group you’re going to want to hear what they have to say. Remediant CEO Tim Keeler is this week’s sponsor guest.

Adam Boileau is this week’s news guest. We talk about all the continuing notPetya drama at Maersk and FedEx/TNT, the Alphabay latest and more.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

This month’s Soap Box podcast is brought to you by AttackIQ, a company that makes attack simulation software.

This is a wholly sponsored podcast that won’t bore you to tears.

There are countless CISOs who listen to this podcast who’ve shovelled an awful lot of money at their organisation’s security controls. Whether that’s endpoint/AV or fancy network kit that’s supposed to detect exfil, the sad truth is most organisations have no way to know if their expensive kit is actually doing what it’s supposed to.

Until, of course, they get breached. Then there is much wailing and gnashing of teeth.

So the idea behind attack simulation is pretty simple. You load a lightweight agent on to your corporate systems, the agent then runs scriptable attack scenarios that can simulate attacker behaviour.

These attack scripts might get some endpoints to start nmapping internal systems. They might start changing some registry keys or stimulate a bunch of disk activity that looks like an encryption/ransomware process. They might start sending off a bunch of dummy data via a DNS exfil technique. Did your endpoint solution catch the funny registry stuff? Did your network controls catch the simulated exfil?

Now imagine you have 1,000 pre-coded attack simulations with all sorts of different combinations and permutations of attacker behaviours. How many of them do you actually need to run through before you can spot the weak points in your defences?

Attack simulation is a great way to test and validate your security controls, and you can do it continuously.

AttackIQ’s cofounder and CEO Stephan Chenette joined me to talk about attack simulation and what it’s good for.

On this week’s show we chat with Atlassian’s head of security, Daniel Grzelak, all about some AWS security tools he’s come up with. He also previews a new tool for generating AWS access key honeytokens at scale, which is really neat.

This week’s show is brought to you by Veracode!

Veracode’s director of developer engagement, Peter Chestna, will be along in this week’s sponsor interview to have a yarn about some common misunderstandings between security people and developers. We look at misunderstandings both ways.

Adam Boileau is this week’s news guest. We talk about all the latest dark markets drama, plus the Great Nuclear Hax Freakout of 2017.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Adam Boileau has some out of town business to handle this week so he can’t join us in the news segment. But that’s ok, because industry legend Haroon Meer has very kindly agreed to fill in for him! We chat to Haroon shortly about all the latest NotPetya developments, we’ll also talk about the drama Kaspersky is experiencing right now, as well as dissecting the latest battle reports from the cryptowar! All the news is covered.

This week’s show is brought to you by ICEBRG!

ICEBRG’s co-founder, Will Peteroy, joins the show this week to chat a bit about what they’re up to. Will has an interesting background. He was the technical director of a government agency Red Team. That meant red team exercises against agencies, but he was also responsible for doing assessments on security products. He also put in a bunch of time at Microsoft where he was the endpoint for product security for Windows and Internet Explorer, which meant he was the recipient of oh-so-much-0day for around a year and a half. So yeah, Will knows what he’s doing, and he’s made a thing, and you’re going to hear about that thing after this week’s news.

See links to show notes below, and follow Patrick or Haroon on Twitter if that’s your thing!

In this edition of the Risky Business Soap Box podcast we chat with the founder and CEO of Bugcrowd, Casey Ellis, about the establishment of the bug bounty market and how things have shaped up. We also look at where it’s going.

The days of bounty programs being operated solely by large technology firms are long gone. Casey predicted that shift years ago. The question becomes, where will bounty programs be in three years from now?

Well, Casey doesn’t shy away from making some bold predictions. He thinks most enterprises will have vulnerability reporting mechanisms within two years, and a substantial proportion of those will offer rewards to bug hunters via companies like Bugcrowd.

He also sees bounty programs increasingly serving the specialist market.

You can find Casey on Twitter here.

This week we’ll be chatting with Andy Greenberg from Wired about his cover story for that magazine. He travelled to Ukraine back in March to research his story on Russian attacks against the Ukrainian power network. He joins us this week to share the insights he gleaned during his travels.

This week’s show is brought to you by SensePost.

SensePost are based in South Africa and England, but they are very well known for offering training courses at Black Hat. This year will be the 17th year they’ve run training courses there… as can be expected their brand new devops security course has gone absolutely gangbusters in terms of registrations this year, but they’re also offering a bunch of other courses. They’ll be joining us to chat about trends in training in this week’s sponsor interview.

Adam Boileau, as always, drops by for the week’s news segment. You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

On this week’s show we’re covering off all the big news of the week: the arrest of Reality Winner, the apparent hacks that have ratcheted up the political crisis in Qatar and the renewed calls for Internet companies to be more government-friendly.

In this week’s feature interview we catch up with Samy Kamkar to get his take on what the lowering cost of hardware-based hacking could mean for our increasingly automated world. And in this week’s sponsor interview we chat with Duo Security’s Pepijn Bruienne about some recent attacks against the Mac OS software supply chain.

Big thanks to Duo Security for sponsoring this week’s show. Duo makes all manner of kick-ass two factor authentication solutions, you can check them out at Duo.com.

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Patrick is taking a vacation. Risky Business will return on June 28

On this week’s show we’re taking a detour: This week’s feature interview has absolutely nothing to do with infosec. But it is related to the Internet. Sort of. If you squint a little.

This week’s feature guest is John Safran. He’s been gracing television screens here in Australia for nearly 20 years, but John is also a rather brilliant author. I’ve just finished reading John’s new book, Depends what you mean by Extremist, Going Rogue with Australian Deplorables. Honestly, it’s fascinating enough for me to just squeeze it into this show.

Basically John wrote a book about the year and a half he spent hanging out with all sorts of extremists; Left-wing Marxists, anarchists, right wing anti-Islam types and even Islamic State supporters, some of whom are now up on terror-related charges.

I speak to John about the Internet’s influence on extremism, as well as extremism in general. I highly, highly recommend this book. It’s a fascinating look at the contemporary political landscape through the eyes of extremist movements of all flavours, and it’s not a tough read. It’s actually quite funny and it really the most on-point thing I’ve read in a long, long time.

This week’s show is brought to you by Bugcrowd, big thanks to them! And in this week’s sponsor interview we’ll chat with Casey Ellis, Bugcrowd’s founder and CEO. Now that outsourced bug bounties have gone mainstream, we know more what they’re for and how people find them useful. So we speak to Casey about how a lot of orgs are basically just throwing the lower value testing out to bounties to free up their infosec teams to do higher value work. We talk about that and a couple of other points.

Adam Boileau, as always, drops in to discuss the week’s security news!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

On this week’s show Adam pops in to discuss the week’s news. (Links below) After the news segment Adam and Patrick both chat about topics near and dear to their hearts: Shoddy infosec marketing and shoddy MSP security.

This week’s show is brought to you by WordFence, a company that makes a WordPress security plugin. It’s not so much an enterprise security tool, but it turns out that when you run two million Wordpress plugins you wind up collecting some pretty valuable threat intel and IOCs. WordFence’s Mark Maunder joins the show this week to talk about WordPress security and malware distribution!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…