Risky Business Podcast

On this week’s show we chat with Errata Security’s Robert Graham about a ridiculous non-story that had readers in the USA convinced that Slate magazine had uncovered a covert communication channel between Donald Trump and a state-linked Russian bank. The basis of this jaw-dropping conclusion? Cherry-picked DNS query logs. We’ll find out why that story was total, utter bullshit in this week’s feature.

In this week’s sponsor interview we’re chatting with the former CEO and CTOs of Flawcheck, a company that made vulnerability scanning tools for Docker containers. Flawcheck has been acquired by this week’s sponsor, Tenable Network Security, and it’s a really handy thing to use if your company makes use of Docker. You can actually register for a free trial of Flawcheck here. We’ll find out why you need specialist kit to do container scanning.

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re taking a look at the Great DDoSSening of 2016! Yep, we’ll be having a look at the attacks against Dyn, but perhaps more importantly we’ll be asking the question: With a zillion perma-owned things out there able to launch some pretty serious DDoS attacks: What now?

IoT device security specialist Stephen Ridley will join us in this week’s feature slot to discuss that.

This week’s sponsor interview is a cracker. We’ll be chatting with Cyalnce chief research officer Jon Miller about how the hell you’re supposed to benchmark AV these days. It’s actually trickier than you’d think, for reasons we’ll get into later. We also talk about managing false positives and hit on a few other topics in that one. Jon’s ex ISS X-Force, he’s been around the traps for a long time and really knows what he’s talking about. That’s a good interview… big thanks to Cylance for sponsoring this week’s show.

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re taking a look at the business dealings of John McAfee. Earlier today the NYSE announced the company that arranged to hire McAfee, MGT Capital, would be de-listed from the NYSE: MKT small cap exchange. This follows a class action investor lawsuit and the unearthing of a remuneration agreement between the company and McAfee that have lead some to suggest the whole company could be a pump and dump scam.

This comes hot on the heels of a release of a Showtime documentary that alleges McAfee’s involvement in two murders and the rape of a scientist working for him. We’ll hear from respected industry analyst Rich Mogull about MGT’s proposed product line while Georgetown Law’s Visiting Professor Russell Stevenson takes a look at MGT’s somewhat strange remuneration agreement with McAfee.

This week’s show is brought to you by Canary.Tools.. If you’re a regular listener you’ve heard me sing the praises of Canary in the past. It’s basically a little honeypot that you can configure to look like anything, you put it on your LAN somewhere and wait for an attacker to mess with it. It’s a great product that’s experiencing amazing growth. Canary.Tools head honcho Haroon Meer will be along in this week’s sponsor interview to talk about how little hacks can help defenders as well as attackers.

Adam is away on his company retreat this week so I’ve actually asked Haroon to fill in for him in the news segment, too. It’s your double dose of Haroon Meer!

Oh, and do add Patrick and Haroon on Twitter if that’s your thing.

On this week’s show we’re taking a look at what the hell the USA should do in response to Russia’s hacks against the DNC. A few days ago the Director of National Intelligence and DHS issued a joint statement that officially puts blame for the DNC hacks squarely on Russia. Since then the Internets have been in meltdown over what exactly should be done in response.

Cyber policy lady Mara Tam is this week’s feature guest. She’ll tell us what sort of reaction we can expect to see, as well as give us some context around why all this is happening in the first place. That’s this week’s feature interview.

This week’s show is brought to you by the fine folks at Bugcrowd. This week’s sponsor interview is with Bugcrowd founder and CEO Casey Ellis. Recently a company that makes static analysis software took a bit of a poke at bug bounties in its marketing. If anything it was kind of an acknowledgement that Bugcrowd and its competitors have had a pretty substantial impact on how testing actually gets done.

But are people actually thinking of services like managed bug bounties as a substitute for static analysis? And why is every single company that makes developer tools scrambling to become agile or devops ready when hardly anyone is actually doing it yet?

Adam Boileau is this week’s news guest.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we are catching up with Mustafa Al-Bassam. He’s a lovely young chap from England who was once upon a time one of the LulzSec crew. Like all the other guys in that crew he got busted, but he didn’t spend any time in prison and these days he is doing really well. He has finished his undergrad, works with some blockchain technology and is about to start a PhD. He joins us this week to talk about his in depth analysis of the Shadowbrokers dump, as well as to reflect on his crimes. As you’ll hear, he has some regrets.

This week’s show is brought to you by Bromium! And last week you might have caught an announcement that Microsoft has moved virtualisation based security up into the app stack. The Edge browser is getting thrown into a micro VM in certain circumstances. Of course Microsoft worked with Bromium on all this stuff, so Bromium CTO, Simon Crosby will be along to talk about what Microsoft has actually done here. Bromium, of course, makes fully featured micro VM security software in addition to helping Microsoft improve windows, so that chat is interesting stuff and it’s coming up after this week’s feature.

Adam Boileau is this week’s news guest.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

This week we’ll be having a chat to Paul Marsh about a recent report from UK think tank Chatham House that says there’s a looming cyber security crisis about to wreak havoc on the satellite ecosystem. But as you’ll hear, Paul thinks the concerns are somewhat overhyped.

In this week’s sponsor interview we chat with Space Rogue, aka Tenable Network Security’s very own Cris Thomas. He’s joining us this week to talk about election security. Two new bills dealing with the security of voting computers have been proposed in the USA. We’ll get Cris’s thoughts on how likely they are to actually make a difference. We also have a general discussion around the security of e-voting infrastructure.

Adam Boileau is this week’s news guest.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’ll be chatting with security researcher Ryan Duff about the rabbit hole that is the Tor Browser Bundle certificate pinning bug. The bug itself is interesting, but the questions it raises about how suitable Tor is for genuinely critical use are, you know, substantial. That’s a really, really interesting chat with Ryan Duff, coming up after the news.

This week’s show is brought to you by Hewlett Packard Enterprise Fortify! Of course HPE Fortify makes both static and dynamic analysis tools to help their customers weed out bugs in their software… but what are the relative strengths of static versus dynamic? Where should you use these tools? As this week’s sponsor guest Michael Farnum explains, the trend these days is to not only use both, but move them both as far to the left as possible in the development cycle. That’s this week’s sponsor interview, coming up a bit later.

Mark Piper is this week’s news guest.

Oh, and do add Patrick on Twitter if that’s your thing.

We have a great feature interview this week. Risky Business contributor Brian Donohue spoke with Cahill law firm partner Brad Bondi about the suit St Jude Medical has brought against MedSec and Muddy Waters over the short-sell of the medical device manufacturer’s shares. That is an illuminating chat that certainly gave me an understanding of where this all could be heading, both in terms of the upcoming trial and how likely it is we’ll see similar stuff in the future. This week’s show is brought to you by Cylance! These guys basically offer an AV solution that works differently. But you know what? I’ve asked a dozen people what they actually do, and no one has really been able to tell me. So, I talk to Cylance founder and CEO Stuart McClure about the fall out from the House Oversight report into the OPM breach – a report that went in to some detail on Cylance’s role in determining the extent of the breach – but I also talk to him more generally about what it is that Cylance actually does.

Adam Boileau is back in the news chair this week to talk about the week’s information security headlines.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

In this week’s feature interview we chat with Stephen Ridley about all things IoT. Stephen is a researcher turned entrepreneur and he’ll be along to talk about the platform consolidation we’re going to see when it comes to “things”. Once that settles, he argues, we’ll get a better idea of the security risks we should really, actually be worried about. In this week’s sponsor interview we’re chatting with Simon Galbally at Senetas.

Senetas, of course, makes high assurance network encryptors and Simon joins us this week to talk about where certification schemes might be headed. Did you know there are no sunset clauses on many of the certification schemes out there? So yeah, you can be using a FIPS certified box that’s riddled with known bugs and yep, it’s still certified. Certifications could start moving towards more continuous models.

Insomnia Security’s Mark Piper is this week’s news guest.

Oh, and do add Patrick on Twitter if that’s your thing.

On this week's show we've landed what looks to be a fairly exclusive interview -- at least as far as the tech press is concerned. Justine Bone will be joining us to explain why the company she works with, MedSec, decided to use vulnerability information on implantable medical devices to drive a short-selling scheme in partnership with Muddy Waters.

This week's show is sponsored by Tenable Network Security. We're doing something a bit different in this week's sponsor interview -- we're chatting with one of Tenable's customers, City of San Diego CISO Gary Hayslip.

They've just invested heavily in Nessus, among other things. Gary drops by to explain what he's been doing since he took the CISO position a few years ago. If you're a CISO it's actually a pretty interesting interview. That team has to deal with everything from embedded devices in cop cars to control systems to its very own POS network. Hey, citizens have to pay for government services somehow, right?

Trail of Bits head honcho Dan Guido is this week's news guest.

Oh, and do add Patrick and Dan on Twitter if that's your thing.