Risky Business Podcast

On this week’s show we’ll be chatting with information security’s enfant terrible Nathaniel Wakelam about some recon tricks he’s been using in bug bounty programs. He uses some nice tricks to rapidly identify ephemeral resources that often result in some spectacular hacks, like, say, being able to download all of REDACTED’s source code. That one was cool because it was a temporary resource that got popped – that’s something you have to watch these days.

This week’s show is brought to you by Cylance! Cylance makes machine learning-based AV software that by all reports works really well. Cylance CTO and co-founder Ryan Permeh is this week’s feature guest and we’re talking about something that we touched on last week – gaming machine learning. Does Cylance worry that a determined attacker will be able to gradually input bad data into Cylance’s learning set and game the whole system? Well, no, they’re not worried about it, but it’s definitely something they pay attention to. That’s really interesting stuff and it’s coming up after this week’s feature interview.

Adam Boileau, as always, pops in for this week’s news.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

On this week’s show we check in with Matt Tait, who’s probably better known by his Twitter handle: pwnallthethings. And we’ll be talking about the politicisation of infosec and the science of attribution.

This week’s show is brought to you by Bugcrowd. Bugcrowd’s CEO and co-founder Casey Ellis will be along in this week’s sponsor interview to talk about his adventures running a MongoDB honeypot. Bugcrowd are pretty interested in talking about all those poor MongoDBs getting hosed because, well, if you’ve got a bug bounty program running, open DBs are the sorts of things that tend to get reported.

As you’ll hear in that interview, the attackers who made some fast cash taking control of MongoDBs are now going after other stuff – elasticsearch, Hadoop.

Adam Boileau, as always, joins the show to discuss the week’s security news, and our good buddy Jake Davis is back for another edition of Story Corner.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

On this week’s show we’re chatting with Alec Muffett about an absolutely awful bit of journalism run by The Guardian. Unless you’ve been hiding under a rock the last few days you would have seen a story circulating about a supposed government-friendly backdoor in the popular messaging app WhatsApp. Alec joins us this week to explain why that story is, put simply, bullshit.

This week’s show is brought to you by Senetas, makers of layer 2 encryption gear. Senetas co-founder and CTO Julian Fay is along for the sponsor interview and we’re talking to him about what the charge to the cloud means for things like network encryption. Julian listened to last week’s interview with Rich Mogull, and he has some thoughts he’d like to share.

Also this week, a new segment that I hope will become regular – story corner, with Jake Davis. Do stick around for that at the closing of this week’s show.

Adam Boileau, as usual, joins us for this week’s news segment.

Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’ll be speaking with industry analyst Rich Mogull about what he sees as tidal forces that are going to rip the information security industry as we know it apart – he has some compelling ideas on that, that’s this week’s feature.

We also check in with Mara Tam who spent today attending the Senate Select Committee on Intelligence in DC. It was a public hearing, but a few things shook out of it were pretty interesting.

This week’s show is brought to you by Canary.tools, makers of honeypot tech, or, if you’re a wanker, Deception Technology. I’m guessing I’ll capitulate eventually and start using that terminology, but not yet, dammit! Haroon joins us to look at how Geopolitics now looks like an IRC war from 1999! We also look at some industry trends, in particular, very smart people building very good tech.

Adam Boileau is back in the news hotseat to talk about all the stuff we missed over the last six weeks. From Trumpleaks (lol) to Wassenaar, hax and more.

Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

This is the last episode for the year – the last episode of the 10th season! On this week’s show Adam and I will discuss the week’s news and then we’re going to reflect on the major events in 2016; the stuff that stuck out for us. I don’t think it’ll come as a surprise that the cyber intrigue surrounding the 2016 US presidential election is what peaked our interest this year.

This week’s show is brought to you by Canary.Tools. Canaries are of course those awesome little honeypots you can deploy on your network for excellent signalling. They will tell you if you have an attacker on your network, they’re cost effective and really nicely designed.

Canary’s very own Marco Slaviero will be along a bit later to talk through a recent Tweetstorm that centred on honeypots, as well as to preview Canary’s next release. In a few weeks you will be able to buy a purpose-built ICS honeypot, as well as one that mimics a code repository, so if you work with ICS gear or for a dev shop, you’ll really want to tune in to that one.

**RISKY BUSINESS WILL BE BACK ON JANUARY 12, 2017**

Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re chatting with Fitbit security director Sasha Biskup and his colleague Marc Bown about how to build secure embedded devices from insecure components. During the development phase of some Fitbit products, the Fitbit security team has discovered some hideous vulnerabilities that could have compromised security downstream. They’ve been able to mitigate these issues, but they worry other embedded device manufacturers aren’t even looking at the security implications of their suppliers’ mistakes.

This week’s show is brought to you by CyberArk! CyberArk’s Jeffrey Kok is this week’s sponsor guest. He joins the show to talk about what CyberArk knows best – privileged account management. It’s such a basic thing, but it’s hard to do right.

This week’s news segment was recorded at Kiwicon in Wellington, NZ, and features Assurance.com.au’s Neal Wise, plus Rob Fuller and David Jorm.

In this week’s show we’re going to have a chat with former NSA general counsel and cyberlaw podcast host Stewart A Baker. We’ll get his thoughts on what a Trump presidency could mean when it comes to cyber security.

This week’s show is sponsored by Senetas, and you know what? They’re branching out. Senetas has some new goodies that can replace all the crappy tools like dropbox that are in your organisation despite you not approving of them. The Senetas solution is actually good enough that it’s being used to handle classified data, because hey, Senetas does a lot of business with SafeNet, which is owned by Gemalto – so if the idea of a HSM-authenticated and locked down dropbox-style platform appeals, hang about for this week’s sponsor interview!

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we chat with Errata Security’s Robert Graham about a ridiculous non-story that had readers in the USA convinced that Slate magazine had uncovered a covert communication channel between Donald Trump and a state-linked Russian bank. The basis of this jaw-dropping conclusion? Cherry-picked DNS query logs. We’ll find out why that story was total, utter bullshit in this week’s feature.

In this week’s sponsor interview we’re chatting with the former CEO and CTOs of Flawcheck, a company that made vulnerability scanning tools for Docker containers. Flawcheck has been acquired by this week’s sponsor, Tenable Network Security, and it’s a really handy thing to use if your company makes use of Docker. You can actually register for a free trial of Flawcheck here. We’ll find out why you need specialist kit to do container scanning.

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re taking a look at the Great DDoSSening of 2016! Yep, we’ll be having a look at the attacks against Dyn, but perhaps more importantly we’ll be asking the question: With a zillion perma-owned things out there able to launch some pretty serious DDoS attacks: What now?

IoT device security specialist Stephen Ridley will join us in this week’s feature slot to discuss that.

This week’s sponsor interview is a cracker. We’ll be chatting with Cyalnce chief research officer Jon Miller about how the hell you’re supposed to benchmark AV these days. It’s actually trickier than you’d think, for reasons we’ll get into later. We also talk about managing false positives and hit on a few other topics in that one. Jon’s ex ISS X-Force, he’s been around the traps for a long time and really knows what he’s talking about. That’s a good interview… big thanks to Cylance for sponsoring this week’s show.

Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes.

Oh, and do add Patrick and Adam on Twitter if that’s your thing.

On this week’s show we’re taking a look at the business dealings of John McAfee. Earlier today the NYSE announced the company that arranged to hire McAfee, MGT Capital, would be de-listed from the NYSE: MKT small cap exchange. This follows a class action investor lawsuit and the unearthing of a remuneration agreement between the company and McAfee that have lead some to suggest the whole company could be a pump and dump scam.

This comes hot on the heels of a release of a Showtime documentary that alleges McAfee’s involvement in two murders and the rape of a scientist working for him. We’ll hear from respected industry analyst Rich Mogull about MGT’s proposed product line while Georgetown Law’s Visiting Professor Russell Stevenson takes a look at MGT’s somewhat strange remuneration agreement with McAfee.

This week’s show is brought to you by Canary.Tools.. If you’re a regular listener you’ve heard me sing the praises of Canary in the past. It’s basically a little honeypot that you can configure to look like anything, you put it on your LAN somewhere and wait for an attacker to mess with it. It’s a great product that’s experiencing amazing growth. Canary.Tools head honcho Haroon Meer will be along in this week’s sponsor interview to talk about how little hacks can help defenders as well as attackers.

Adam is away on his company retreat this week so I’ve actually asked Haroon to fill in for him in the news segment, too. It’s your double dose of Haroon Meer!

Oh, and do add Patrick and Haroon on Twitter if that’s your thing.