Risky Business Media

Between Two Nerds: An internet blackout won't stop NSA in Iran

The Grugq — Tue, 10 Mar 2026 06:36:38 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about why an internet shutdown won't stop US cyber operations in Iran. This episode is also available on [Youtube](https://youtu.be/RZHiQDZzlpk).

Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime

Catalin Cimpanu — Mon, 09 Mar 2026 12:13:44 +1100

US federal agencies told to crack down on scams and cybercrime, the White House releases its new Cyber Strategy, suspected Chinese hackers breach the FBI’s wiretap network, and Romania's largest meat exporter is insolvent after a ransomware attack.

Risky Bulletin: Iranian hackers are scanning for security cameras to aid missile strikes

Catalin Cimpanu — Fri, 06 Mar 2026 13:32:10 +1100

Iran attempts to hack security cameras to support its missile strikes, Israel bombs Iran's cyber headquarters, authorities take down LeakBase and Tycoon 2FA, and TikTok says 'no' to encrypted private messaging.

Being a wartime CISO

James Wilson — Fri, 06 Mar 2026 11:50:07 +1100

In this edition of Risky Business Features James Wilson chats with cohost Brad Arkin about what it's like being a CISO for a global company when a war starts. How do you deal with a branch office full of important key material being abandoned? What about cloud infrastructure that's in a data centre that falls into enemy hands? And if your staff are okay, are any of your key suppliers going to face problems? As you'll hear, being a wartime CISO is less about adjusting your SIEM sensitivity because the Iranians are coming to get you, and more about figuring out how to deal with very real threats to life and infrastructure.

Srsly Risky Biz: The four hour cyber war on Iran

Amberleigh Jack — Thu, 05 Mar 2026 13:58:16 +1100

Tom Uren and Amberleigh Jack talk about how cyber operations were used in the first hours of the US-Israeli attack on Iran. They were instrumental in the attack on Iranian Supreme Leader Ali Khamenei, but they didn't last long. The Iranian regime implemented an internet blackout within four hours of the first bombs. They also discuss how threat actors are using AI. It's not game-changing so far, but it is very much altering the balance between attack and defence. This episode is also available on [Youtube](https://youtu.be/UHoaIi9Ai1E).

Risky Business #827 -- Iranian cyber threat actors are down but not out

James Wilson — Wed, 04 Mar 2026 15:29:15 +1100

On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They cover: * The US-Israeli attack on Iran had a whole lot of cyber. It's clearly in the playbook now! * The NSA Triangulation / L3 Harris Trenchant iOS exploit kit is on the loose, and being used by Chinese crypto scammers * So long Maddhu Gottumukkala, but CISA's annus horribilis continues * Adam "humbug" Boileau complains about the Airsnitch wifi attack just being three ethernets in a trenchcoat * ASD's Cisco SD-WAN threat hunting guide is clearly borne of … experience This week's episode is sponsored by AI threat hunting platform Nebulock. Sydney Marrone joins to talk about how useful AI models are on the hunt, and her work building out an open source framework and maturity model. It's methodology agnostic, so you can adapt it for your environment, and the github link is in the show notes! This episode is also available on [Youtube](https://youtu.be/4MwR6dRixJo).

Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes

Catalin Cimpanu — Wed, 04 Mar 2026 10:00:00 +1100

The US conducted cyberattacks ahead of strikes on Iran, Russia aims for internet independence by 2028, Google finds a new iOS exploit kit in the wild, and Chrome moves to a two-week release cycle.

Between Two Nerds: The evolution of cyber ops in Ukraine

The Grugq — Tue, 03 Mar 2026 07:37:58 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq how the use of cyber operations in the war in Ukraine has evolved over time. This episode is also available on [Youtube](https://youtu.be/CUL4YC8xh0w).

Risky Bulletin: LLMs can deanonymize internet users based on their comments

Catalin Cimpanu — Mon, 02 Mar 2026 12:17:26 +1100

LLMs can deanonymize internet users based on their comments, CISA gets a new acting director, hackers steal 15 million records from the French Ministry of Health, and Google takes down an ad fraud botnet.

What to do about North Korean remote workers

James Wilson — Fri, 27 Feb 2026 14:31:52 +1100

In this podcast James Wilson chats with Brad Arkin about North Korea’s sprawling fake IT worker ecosystem. From fake interviews, to stolen identities, basement laptop farms and IP-KVM tricks, the North Koreans are operating a whole employment fraud industry. Brad and James discuss how the scheme works in practice and the technical detection challenges defenders now face, like dealing with stolen or borrowed identities, bribed verification checks and multi-person operational chains. They also dig into why enterprises are largely on the back foot, and why there’s no single product you can buy to solve this. As the former CISO of Adobe, Cisco and Salesforce, Brad has some firsthand experience dealing with this stuff!

Risky Bulletin: Russian man extorts Conti ransomware group

Catalin Cimpanu — Fri, 27 Feb 2026 13:42:24 +1100

A Russian man prosecuted for extorting the Conti ransomware group, Google takes down a Chinese cyber-espionage operation, Anthropic tells Department of War to pound sand over AI restrictions, and a Cisco zero-day was exploited in the wild for three years.

Srsly Risky Biz: Is Claude too woke for war?

Amberleigh Jack — Thu, 26 Feb 2026 11:59:10 +1100

Tom Uren and Amberleigh Jack talk about the argy-bargy between the Pentagon and AI company Anthropic. US Defense Secretary Pete Hegseth is demanding that all safeguards are lifted from Claude, while Anthropic CEO Dario Amodei is insisting on protections against mass surveillance of Americans and use in lethal autonomous weapons. They also discuss the return of Volt Typhoon, the Chinese hacker group prepositioning in critical infrastructure for sabotage in the event of a conflict over Taiwan. The group is still around, even though the US government declared victory against it last July. This episode is also available on [Youtube](https://youtu.be/XBFQXi61O_E).

Risky Business #826 -- A week of AI mishaps and skulduggery

James Wilson — Wed, 25 Feb 2026 14:49:29 +1100

On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They cover: * Low skill actors compromise 600 Fortinets with AI-generated playbooks * Anthropic calls out Chinese AI firms over model distillation * Meta's director of AI safety tells her ClawdBot not to delete her mail… so of course it does * Peter Williams cops 7 years in jail for selling L3 Harris Trenchant's exploits to Russia * Ivanti got hacked in 2021 via… bugs in Ivanti This episode is sponsored by line-rate network capture system Corelight. CEO Brian Dye joins to discuss what AI can do for defenders, and what it can't. This episode is also available on [Youtube](https://youtu.be/yy5H2eE5h98).

Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov

Catalin Cimpanu — Wed, 25 Feb 2026 12:29:58 +1100

Russia launches a criminal probe into Telegram’s founder, two teenagers arrested for a South Korean bike share hack, Anthropic accuses Chinese AI firms of distillation attacks, and the US Treasury sanctions a Russian exploit broker.

Between Two Nerds: How NSA will use AI

The Grugq — Tue, 24 Feb 2026 08:13:02 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how 'professional' Five Eyes cyber espionage agencies like NSA will use AI. These agencies place a premium on stealth and won't yolo AI. This episode is available on [Youtube](https://youtu.be/w7sTC9GcL8A).

Risky Bulletin: AI-driven hacking campaign breaches 600+ Fortinet devices

Catalin Cimpanu — Mon, 23 Feb 2026 11:48:53 +1100

An AI-driven hacking campaign breached 600 Fortinet devices, Ivanti was hacked via its own product, Wikipedia bans Archive-dot-Today for DDoS attacks, and Chinese hackers breached Italy’s police force.

Risky Bulletin: RPKI infrastructure sits on shaky ground

Catalin Cimpanu — Fri, 20 Feb 2026 13:00:06 +1100

RPKI relies on vulnerable servers, the French Ministry of Economy discloses a data breach, the UK gives tech platforms 48 hours to remove revenge porn, and ClickFix-attacks are responsible for 50% of malware infections.

Risky Biz Soap Box: The lethal trifecta of AI risks

Patrick Gray — Fri, 20 Feb 2026 10:33:55 +1100

There's a lethal trifecta of AI risks: access to private data, exposure to untrusted content, and external communication. In this conversation, Risky Business host Patrick Gray chats with Josh Devon, the co-founder of Sondera, about how to best address these risks. There is no magic solution to this problem. AI models mix code and data, are non-deterministic, and are crawling around all over your enterprise data and APIs as you read this. But in this sponsored interview, Josh outlines how we can start to wrap our hands around the problem. This episode is also available on [Youtube](https://youtu.be/BB9evsAp8mI).

Former Adobe, Cisco and Salesforce CISO talks AI pentesting

James Wilson — Fri, 20 Feb 2026 10:30:28 +1100

In this debut feature conversation in the Risky Business Features feed James Wilson sits down with Brad Arkin, the former CSO of Adobe, Cisco, and Salesforce, to talk all about AI pentesting. Finding and fixing bugs is great, but does it materially improve the overall security of a product? What's the point of a pentest if the tester can't walk you through their findings when it's over? Is "bugs per dollar spend" really the measure of value in security testing? We hope you enjoy this podcast!

Srsly Risky Biz: Cyber bullets can't replace political will

Amberleigh Jack — Thu, 19 Feb 2026 12:55:11 +1100

Tom Uren and Amberleigh Jack talk about a groundswell of calls from European officials to build cyber capabilities to strike back against adversaries. There are good reasons that countries should have their own cyber capabilities, but if you don't have the political will to strike back, having a magic cyber weapon doesn't really make a difference. They also talk about 'distillation attacks'. They are a way that AI developers can steal the secret sauce of advanced models just by asking questions. It looks like American companies need government assistance if the US wants to keep its AI lead. This episode is also available on [Youtube](https://youtu.be/5gh2PqEWMKo).

Risky Business #825 -- Palo Alto Networks blames it on the boogie

James Wilson — Wed, 18 Feb 2026 14:49:36 +1100

On this week's show, Patrick Gray, Adam Boileau and James WIlson discuss the week's cybersecurity news. They cover: * Palo Alto threat researchers want to attribute to China, but management says shush * An increasing proportion of ransomware is data extortion. Is this good? * Cambodia says it’s going to dismantle scam compounds * CISA sufferers through yet another shutdown * Google Gemini's training secrets are being systematically harvested to improve other LLMs * Academics assess SaaS password managers’ resilience against a malicious server This episode is sponsored by SSO-firewall integration vendor Knocknoc. Chief exec Adam Pointon joins to talk about the latest in defences… which is to say Knocknoc for Solaris/Sparc and HPUX on PA-RISC?! Okay also that other little known OS… Windows. This episode is also available on [Youtube](https://youtu.be/kNVm-iRCxo4).

Risky Bulletin: Supply chain attack plants backdoor on Android tablets

Catalin Cimpanu — Wed, 18 Feb 2026 14:24:51 +1100

A supply chain attack plants backdoors on Android tablets, the EU blocks AI from lawmakers’ devices, Cellebrite was used against a Kenyan politician, and a Chinese APT is exploiting a Dell zero-day.

History Repeats: Security in the AI Agent Era

James Wilson — Tue, 17 Feb 2026 13:20:42 +1100

AI agents are being deployed with the same trust-by-default architecture the early internet had. Same mistakes, MUCH faster timeline. OpenClaw has hit 180K+ GitHub stars. But in the past week: * 341 malicious skills on ClawHub were distributing Atomic Stealer * ZeroPath disclosed a Browser Relay vuln enabling cross-tab cookie theft * CrowdStrike, Cisco, and Bitdefender all published enterprise advisories * VirusTotal partnered with ClawHub to scan uploads * Korean tech firms (Kakao, Naver, Karrot) banned it on corporate networks * 1,000+ Open PRs, 250+ less than 24 hours old. But how does this thing actually work? Join James Wilson as he explains why banning these types of agents doesn't work, why browser sessions are now API surfaces, and why your organisation needs to think of these issues early or be condemned to decades of catch-up programs.

Between Two Nerds: Buying the magic weapon

The Grugq — Tue, 17 Feb 2026 07:24:23 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss whether middle powers should be investing in military cyber capabilities. This episode is also available on [Youtube](https://youtu.be/kC_x8niABrw)

Risky Bulletin: Cambodia promises to dismantle scam compounds by April

Catalin Cimpanu — Mon, 16 Feb 2026 14:14:00 +1100

Cambodia promises to dismantle cyber scam compounds by April, CISA urges companies to adopt the OpenEoX standard, Linux gets post-quantum crypto support, and Palo Alto Networks avoids attributing an APT to China.

Risky Bulletin: IcedID malware developer fakes his own death to escape the FBI

Catalin Cimpanu — Fri, 13 Feb 2026 13:07:45 +1100

A Malware developer faked his own death to evade the FBI, Apple patches a zero-day used in a targeted attack, the Tianfu Cup quietly returns, and researchers spot the first malicious Outlook add-in.

Srsly Risky Biz: Microsoft forgoes its secure future

Amberleigh Jack — Thu, 12 Feb 2026 11:46:20 +1100

Tom Uren and Amberleigh Jack talk about Microsoft CEO Satya Nadella's messaging around personnel changes at the top of its security organisation. These signal a focus on selling security products rather than on making secure products. They also discuss Expedition Cloud, a Chinese cyber range that replicated the critical infrastructure of neighbouring countries, apparently to develop and fine-tune cyber disruption operations. Finally, they talk about what we've learnt about the role of cyber operations in the US bombing of Iranian nuclear facilities. It was far bigger than we previously thought. This episode is also available on [Youtube](https://youtu.be/fJ8N2BjhVzM).

Risky Business #824 -- Microsoft's Secure Future is looking a bit wobbly

James Wilson — Wed, 11 Feb 2026 14:50:13 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Microsoft reshuffles security leadership. It doesn't spark joy. * Russia is hacking the Winter Olympics. Again. But y tho? * China-linked groups are keeping busy, hacking telcos in Norway, Singapore and dozens of others * Campaigns underway targeting Ivanti, BeyondTrust and SolarWinds products * An unknown hero blocks 23/tcp on the US internet backbone * And James Wilson pops into talk about Claude's go at a C compiler This week's episode is sponsored by Ent.AI, an AI startup that isn't quite ready to tell us all what they're doing. But nevertheless, founder Brandon Dixon joins to discuss AI's role in security. Where does language-based understanding take us that previous methods couldn't? This episode is also available on [Youtube](https://youtu.be/GdO-16hDnIE).

Risky Bulletin: Chinese cyber-spies breached all of Singapore's telcos

Catalin Cimpanu — Wed, 11 Feb 2026 14:02:28 +1100

China has breached all of Singapore's major telcos, Microsoft announces two new security features, a hacktivist leaks data from a stalkerware provider, and researchers map out “GRU information warfare units” based on their insignia.

Between Two Nerds: Why we are doomed to insecurity

The Grugq — Tue, 10 Feb 2026 07:59:19 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about why the world is destined to be perpetually insecure. This episode is also available on [Youtube](https://youtu.be/aiXF18q5Vsk).

Risky Bulletin: SmarterTools hacked via its own product

Catalin Cimpanu — Mon, 09 Feb 2026 13:45:08 +1100

A software company gets hacked through vulnerabilities in its own product, European agencies are hacked via recent Ivanti zero-days, Senegal is being extorted by hackers, and a state actor is behind a Signal phishing campaign in Germany.

Risky Bulletin: Denmark recruits hackers for offensive cyber operations

Catalin Cimpanu — Fri, 06 Feb 2026 11:13:49 +1100

Denmark recruits hackers for offensive cyber operations, CISA tells agencies to remove old edge devices, Coinbase has another insider breach, and Microsoft appoints a new security chief.

Srsly Risky Biz: Google's cyber disruption unit kicks its first goal

Amberleigh Jack — Thu, 05 Feb 2026 13:41:10 +1100

Tom Uren and Amberleigh Jack talk about Google's cyber disruption unit taking aim at the IPIDEA residential proxy network. The network was a cybercrime enabler that was used by hundreds of threat actors for crime and espionage. More of this kind of disruption please. They also discuss SpaceX's rapid action to stop the Russian military using Starlink terminals to guide drones deep into Ukrainian territory. This episode is also available on [Youtube](https://youtu.be/N7TusSygxEg).

Risky Business #823 -- Humans impersonate clawdbots impersonating humans

James Wilson — Wed, 04 Feb 2026 14:13:54 +1100

Patrick Gray and Adam Boileau are joined by the newest guy on the Risky Business Media team, James WIlson. They discuss the week's cybersecurity news, including: * Notepad++ update supply chain attack has been attributed to China * The AI agent future is even more stupid than expected; behold the OpenClaw/Clawdbot/Moltbook mess * The Epstein files claim he had a personal hacker? * Microsoft is finally getting ready to (think about starting to begin to) disable NTLM by default * The usual bugs in the usual things! Ivanti, Fortinet, and Solarwinds. Again. * Telco hides a free trip in its privacy policy, someone actually reads it and wins! This weeks's episode is sponsored by opensource IDP platform Authentik. CEO Fletcher Heisler talks to Pat about their new endpoint agent that can enforce device posture policies during login. This episode is also available on [Youtube](https://youtu.be/W5hxcHaNDMs).

Risky Bulletin: Plone CMS stops supply-chain attack

Catalin Cimpanu — Wed, 04 Feb 2026 12:32:12 +1100

The Plone CMS stops a supply-chain attack, French cops raid the X Paris office; the number of malicious OpenClaw skills grows, and a Chinese APT hacked Notepad++ servers.

Between Two Nerds: The internal logic of Russian power grid attacks

The Grugq — Tue, 03 Feb 2026 07:31:56 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the recent Russian attack on Polish electricity infrastructure. This episode is also available on [Youtube](https://youtu.be/IqLHE-lIP4s).

Risky Bulletin: StopICE blames hack on "a CBP agent here in SoCal"

Catalin Cimpanu — Mon, 02 Feb 2026 13:26:42 +1100

ICE tracking app blames a recent hack on a government agent, Microsoft will disable NTLM in the next release of Windows, Poland bans Chinese cars from military bases, and Ivanti patches two new zero-days.

Risky Bulletin: eScan antivirus distributes backdoor in latest supply chain attack

Amberleigh Jack — Fri, 30 Jan 2026 09:58:47 +1100

Hackers breach eScan antivirus and distribute a backdoor, Google takes down the IPIDEA proxy botnet, most GDPR fines remain uncollected, and the Poland wiper attack hit 30 locations.

Srsly Risky Biz: Punish the wicked and reward the righteous

Amberleigh Jack — Thu, 29 Jan 2026 12:53:57 +1100

Tom Uren and Amberleigh Jack talk about the Pall Mall Process, an international effort to reign in abusive spyware. Tom thinks the US has already stumbled into a viable carrots and sticks style strategy that will shape the industry more than coming up with standards will. The pair also discuss news that Chinese Salt Typhoon hackers compromised the calls of senior UK officials in Downing Street. The UK has extensive telecommunications security regulations and the incident makes us wonder what that legislation is actually good for. This episode is also available on [Youtube](https://youtu.be/vMGHuO4qQng).

Risky Business #822 -- France will ditch American tech over security risks

Adam Boileau — Wed, 28 Jan 2026 14:35:47 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. They discuss: * La France is tres sérieux about ditching US productivity software * China's Salt Typhoon was snooping on Downing Street * Trump wields the mighty DISCOMBOBULATOR * ESET says the Polish power grid wiper was Russia's GRU Sandworm crew * US cyber institutions CISA and NIST are struggling * Voice phishing for MFA bypass is getting even more polished This episode is sponsored by Sublime Security. Brian Baskin is one of the team behind Sublime's 2026 Email Threat Research report. He joins to talk through what they see of attackers' use of AI, as well as the other trends of the year. This episode is also available on [Youtube](https://youtu.be/hvkye_3O-hQ0).

Risky Bulletin: Cyberattack cripples cars across Russia

Amberleigh Jack — Wed, 28 Jan 2026 08:06:05 +1100

A cyberattack has crippled cars in Russia, Microsoft patches an Office zero-day, WhatsApp rolls out an account lockdown feature, and a handful of Chrome extensions steal ChatGPT auth tokens.

Between Two Nerds: Getting pinged and the fog of war

The Grugq — Tue, 27 Jan 2026 07:26:51 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss how getting pinged hurts state hackers by introducing uncertainty. Publishing technical reports on the hack can actually improve the situation by removing uncertainty about how attackers were detected. This episode is also available on [Youtube](https://youtu.be/988iMgzddqk).

Risky Bulletin: Russia deployed wipers on Poland's energy grid

Amberleigh Jack — Mon, 26 Jan 2026 10:04:28 +1100

Russia deployed wipers against Poland's energy grid, Microsoft shared BitLocker keys with the FBI, Romania dismantles a murder-for-hire portal, and the EU creates a new anti-spyware group.

Risky Bulletin: Improperly patched bug exploited again in Fortinet firewalls

Amberleigh Jack — Fri, 23 Jan 2026 09:26:03 +1100

A poorly patched bug is being exploited in Fortinet firewalls, hackers go after security testing environments, Jordanian police used Cellebrite against activists, and new Cisco and SmarterMail zero-days.

Srsly Risky Biz: You can't block space internet

Amberleigh Jack — Thu, 22 Jan 2026 12:25:07 +1100

Tom Uren and Amberleigh Jack talk about the rise of technologies that can undermine internet blackouts such as Starlink and its relatively new direct-to-cell service. Authoritarian internet shutdowns and disasters happen often enough that governments should think about how to take advantage of these new technologies rather than just reacting when crises arise. They also discuss the nomination of General Joshua Rudd as head of NSA and US Cyber Command. This episode is also available on [Youtube](https://youtu.be/UodJd3Cjv54).

Risky Business #821 -- Wiz researchers could have owned every AWS customer

Adam Boileau — Wed, 21 Jan 2026 15:28:42 +1100

In this week's show, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, joined by a special guest. BBC World Cyber Correspondent Joe Tidy is a long time listener and he pops in for a ride-along in the news segment plus a chat about his new book. This week news includes: * Did the US cyber Venezuela's power grid, or do they just want us to think they coulda? * US govt might boycott the RSAC Conference 'cause Jen Easterly being CEO makes them mad * MS Patch Tuesday fixes CVSS5.5 bug and … stops you shutting down * Wiz pulls off cloud stunt hack that ends with control of everyone's AWS console * Millions of Bluetooth devices that use Google's Fast Pairing will pair with anyone, any time * GNU inet-tools' telnetd parties like it’s 2007, and brings -f root unauthed remote login back Thinkst is this week's sponsor, and long time friend of the show Haroon Meer joins. As always they're polishing their Canary tokens - adding breadcrumbs to lead you to them - but they're also a bunch of giant nerds who now run South Africa's Computer Olympiad. This episode is also available on [Youtube](https://youtu.be/R_jyEjsckTY).

Risky Bulletin: Domain resurrection attacks come to Canonical's Snap Store

Amberleigh Jack — Wed, 21 Jan 2026 12:41:55 +1100

Canonical's Snap Store hit by domain resurrection attacks, Russia will use AI to detect VPN users, Iranian hackers switch to Starlink during internet outage, and Greece arrests SMS blasters... by dumb luck.

Between Two Nerds: Why the West sucks at Information Warfare

The Grugq — Tue, 20 Jan 2026 06:52:53 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about what information warfare even is, revisit a 30-year-old paper and examine why Western governments struggle with the concept. This episode is also available on [Youtube](https://youtu.be/R3p12DTmE9A).

Risky Bulletin: Germany seeks more hacking and surveillance powers for its intel service

Amberleigh Jack — Mon, 19 Jan 2026 09:41:53 +1100

Germany seeks more hacking and surveillance powers for its intelligence service, Finland intends to criminalize the spreading of false information, patriotic “French” social media goes quiet during Iran’s internet outage, and hackers are extorting GrubHub.

Risky Bulletin: China bans Israeli and US cybersecurity products

Amberleigh Jack — Fri, 16 Jan 2026 10:00:57 +1100

China bans Israeli and US cybersecurity products, Sean Plankey is re-nominated for CISA Director, RAM price hikes are likely to impact the cost of firewalls, and Lumen sinkholes the Kimwolf DDoS botnet.

Srsly Risky Biz: China Fights Scam Compounds … For China

Amberleigh Jack — Thu, 15 Jan 2026 12:02:36 +1100

Tom Uren and Amberleigh Jack talk about the Chinese government's reactive approach to tackling scam compounds. It's driven by bad news on domestic media and therefore focusses on the compounds that are targeting Chinese citizens. Rather than eliminating the industry, that may instead be shaping the industry to focus on other countries and particularly Americans. They also discuss the role of disruptive cyber operations in the US's raid to capture Venezuelan President Nicolás Maduro. This episode is also available on [Youtube](https://youtu.be/3bNxh_XuvuA).

Risky Bulletin: Russia fines 33 telcos for surveillance non-compliance

Amberleigh Jack — Wed, 14 Jan 2026 14:22:51 +1100

Russia fines 33 telcos for surveillance non-compliance, AVCheck admin is arrested in Amsterdam, Poland repels an attack on its power grid, and voice cloning defenses can be bypassed.

Risky Business #820 -- Asian fraud kingpin will face Chinese justice (pew pew!)

Adam Boileau — Wed, 14 Jan 2026 12:42:29 +1100

Risky Business returns for 2026! Patrick Gray and Adam Boileau talk through the week's cybersecurity news, including: * Santa brings hackers MongoDB memory leaks for Christmas * Vercel pays out a million bucks to improve its React2Shell WAF defences * 39C3 delivers; the pink Power Ranger deletes nazis, while a catgirl ruins GnuPG * Cambodian scam compound kingpin gets extradited to China, and we don't think it'll go well for him * Krebs picks apart the Kimwolf botnet and residential proxy networks * So many healthcare data leaks that we have a roundup section This week's episode is sponsored by Airlock Digital. The founders of the application allow-listing vendor, David Cottingham and Daniel Schell, discuss Microsoft's ClickOnce .NET app packaging, and how attackers have been abusing it to load code. Airlock hates it when you load code! This episode is also available on [Youtube](https://youtu.be/5fsZklyapss). This episode is also available on [Youtube](

Between Two Nerds: Lights out!

The Grugq — Tue, 13 Jan 2026 07:32:35 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq about the role of cyber operations in the US capture of Venezuela's president Nicolas Maduro. This episode is also available on [Youtube](https://youtu.be/acaPlBDOQYI).

Risky Bulletin: Apex Legends streamers hacked again

Amberleigh Jack — Mon, 12 Jan 2026 09:32:41 +1100

The Apex Legends game is hacked again, data about 17 million Instagram users put up for sale, Indonesia blocks X over pornographic content, and a ransomware attack hits major Chilean energy provider

How the World Got Owned Episode 1: The 1980s

Amberleigh Jack — Wed, 07 Jan 2026 07:00:00 +1100

In this special documentary episode, Patrick Gray and Amberleigh Jack take a historical dive into hacking in the 1980s. Through the words of those that were there, they discuss life on the ARPANET, the 414s hacking group, the Morris Worm, the vibe inside the NSA and a parallel hunt for German hackers happening at a similar time to Cliff Stoll’s famous Cuckoo's Egg story. This podcast features the memories of: * Jon Callas, former principal software engineer at Digital Equipment Corporation * Mark Rasch, Morris Worm prosecutor * Timothy Winslow, former 414 hacker * Greg Chartrand, author of Cracking the Cuckoos Egg and * Tony Sager, former NSA How the World Got Owned is produced in partnership with SentinelOne.

How the World Got Owned Episode 1: The 1980s

Amberleigh Jack — Wed, 07 Jan 2026 07:00:00 +1100

Risky Bulletin: Belarus deploys spyware on journalists' phones

Catalin Cimpanu — Fri, 19 Dec 2025 13:02:37 +1100

Belarus deployed spyware on journalists' phones, a man is arrested for installing malware on a ferry, France arrests the hacker behind an Interior Ministry email server breach, and new Cisco and SonicWall zero-days.

Srsly Risky Biz: Like Huawei, but for electricity

Patrick Gray — Thu, 18 Dec 2025 10:56:12 +1100

Tom Uren and Patrick Gray talk about America's increasing dependence on Chinese manufacturers for electrical sector equipment. This doesn't seem like a good idea when China is hacking electric utilities for sabotage and PLA researchers are dreaming up ways to attack the grid. They also discuss the possibility that the US was responsible for a cyber attack on Venezuela's state oil company and how Russian state-backed hacktivism is so dumb. This episode is also available on [Youtube](https://youtu.be/5LlOvAxhg8w).

Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack

Adam Boileau — Wed, 17 Dec 2025 13:13:10 +1100

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including: * React2Shell attacks continue, surprising no one * The unholy combination of OAuth consent phishing, social engineering and Azure CLI * Venezuela's state oil firm gets ransomware'd, blames US… but what if it really is a US cyber op?! * Russian junk-hacktivist gets indicted for cybering critical… err... a car wash and a fountain * Microsoft finally turns RC4 off by default in Active Directory Kerberos * Traefik's TLS verify=on … turns it off, whoopsie 🤡 This week's episode is sponsored by Sublime Security, makers of an email filtering solution that's up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they've had to take to reach into people's calendars and fix the mess. The Risky Business weekly show is taking holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends. This episode is also available on [Youtube](https://youtu.be/-5FFQnCyzLc).

Risky Bulletin: Most smart devices run outdated web browsers

Catalin Cimpanu — Wed, 17 Dec 2025 11:39:05 +1100

Most smart devices run outdated web browsers, Ukrainian hacktivists breach a major Russian defense contractor, ransomware hits Venezuela's state-owned oil company, and hackers are trying to extort PornHub with stolen user data.

Between Three Nerds: The evolution of Iranian cyber espionage

The Grugq — Tue, 16 Dec 2025 07:37:39 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk to Hamid Kashfi, CEO and founder of DarkCell, talk about the Iranian cyber espionage scene. Kashfi talks about how the regime once forced people to hack and crushed the domestic security research scene. He describes how and why the government has changed its approach and is now reaping the rewards of improved Iranian capabilities. This episode is available on [Youtube](https://youtu.be/0TlmD07DwwQ).

Risky Bulletin: African freelancers behind anti-US and anti-French disinfo campaigns

Catalin Cimpanu — Mon, 15 Dec 2025 12:56:14 +1100

Russia is hiring African freelancers for disinformation campaigns, the US is preparing to let contractors run offensive cyber operations, Germany blames Russia for the hack of its air traffic control agency, and Apple patches two WebKit zero-days.

Risky Bulletin: EU has a problem attracting and retaining cyber talent

Catalin Cimpanu — Fri, 12 Dec 2025 13:59:37 +1100

The EU has a problem attracting and retaining cyber talent, the CEO of Coupang resigns following the company’s security breach, Microsoft expands its bug bounty program to cover third party code, and Chrome and Gogs patch zero-days.

Risky Biz Soap Box: Graph the planet!

Patrick Gray — Fri, 12 Dec 2025 06:26:18 +1100

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph. OpenGraph enumerates attack paths across platforms and services, not just your primary directories. A compromised GitHub account to on-prem AD compromise attack path? It's a thing, and OpenGraph will find it. Cross-platform attack path enumeration! So good! This episode is also available on [Youtube](https://youtu.be/uGGFqRbbQA0).

Risky Business #818 -- React2Shell is a fun one

Adam Boileau — Wed, 10 Dec 2025 13:33:11 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * There's a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate? * China is out popping shells with it * Linux adds support for PCIe bus encryption * Amnesty International says Intellexa can just TeamViewer into its customers' surveillance systems * ...and a Belgian murder suspect complains that GrapheneOS's duress wipe feature failed him? This week's episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll's Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board? This episode is also available on [Youtube](https://youtu.be/r3YSqx-U3OA).

Risky Bulletin: Linux adds PCIe encryption to help secure cloud servers

Catalin Cimpanu — Wed, 10 Dec 2025 11:12:01 +1100

Linux adds PCIe encryption to help secure cloud servers, Europol cracks down on Violence-as-a-Service providers, the International Criminal Court prepares for cyber-enabled genocide, and Cambodia busts a warehouse full of SMS blasters.

Risky Bulletin: APTs go after the React2Shell vulnerability within hours

Catalin Cimpanu — Mon, 08 Dec 2025 10:32:22 +1100

APTs go after the React2Shell vulnerability just hours after public disclosure. CISA remains without a director after the nomination stalls again, NSA is down 2,000 staff this year, and Intellexa is still active despite sanctions.

Srsly Risky Biz: When cyber campaigns cross a line

Patrick Gray — Thu, 04 Dec 2025 11:02:51 +1100

Tom Uren and Patrick Gray discuss a new report proposing a framework for deciding when cyber operations raise red flags. It suggests seven red flags and could help clarify thinking about how to respond to different operations. They also discuss Anthropic testifying to Congress and Iran using cyber intelligence to target missile strikes including by sharing it with Houthi rebels who fired at a specific ship. And finally, we are not reassured by China's white paper about being a good cyber citizen. This episode is also available of [Youtube](https://youtu.be/q8j_NLZfYHM).

Risky Business #817 -- Less carnage than your usual Thanksgiving

Adam Boileau — Wed, 03 Dec 2025 13:38:27 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. It's a quiet week with Thanksgiving in the US, but there's always some cyber to talk about: * Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive * Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec... * ... as Wired publishes an opsec guide for teens. * Microsoft decides its login portal is worth a Content Security Policy * South Korean online retailer data breach covers 65% of the country This week's episode is sponsored by Nebulock. Founder and CEO Damien Lewke joins to talk through their work bringing more SIgma threat detection rules to MacOS. This episode is also available on [Youtube](https://youtu.be/eViNIVpPV20).

Between Two Nerds: Beating back state espionage

The Grugq — Tue, 02 Dec 2025 06:56:47 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq wonder whether it is possible to deter states from cyber espionage with doxxing and other disruption measures. This episode is also available on [Youtube](https://youtu.be/rg00Ku-UN6c).

Srsly Risky Biz: DeepSeek and Musk's Grok both toe the party line

Amberleigh Jack — Thu, 27 Nov 2025 13:07:43 +1100

Tom Uren and Amberleigh Jack talk about new research that shows the Chinese-made DeepSeek-R1 AI model produces insecure code when prompts include topics that the Chinese Communist Party dislikes. It's interesting research, but the CCP doesn't have a monopoly on imposing AI bias. They also discuss the complete doxxing of the Iranian cyber espionage group known as APT35 or Charming Kitten. This episode is also available on [Youtube](https://youtu.be/e8l6pe73AcQ).

Risky Business #816 -- Copilot Actions for Windows is extremely dicey

Adam Boileau — Wed, 26 Nov 2025 14:34:45 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Salesforce partner Gainsight has customer data stolen * Crowdstrike fires insider who gave hackers screenshots of internal systems * Australian Parliament turns off wifi and bluetooth in fear of of visiting Chinese bigwigs * Shai-Hulud npm/Github worm is back, and rm -rf'ier than ever * SEC gives up on Solarwinds lawsuit * Dog eats cryptographer's key material This week's episode is sponsored by runZero. HD Moore pops in to talk about how they’re integrating runZero with Bloodhound-style graph databases. He also discusses uses for driving runZero's tools with an AI, plus the complexities of shipping AI when the company has a variety of deployment models. This episode is also available on [Youtube](https://youtu.be/3YC5aBR-N5o).

Between Two Nerds: Telcos bad, Cloud good.

The Grugq — Tue, 25 Nov 2025 07:36:52 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the differences between telcos and cloud companies. Does the nature of the business force cloud companies to be better at security? This episode is also available on [Youtube](https://youtu.be/-xDzwi126Ug).

Risky Biz Soap Box: Greynoise knows when bad bugs are coming

Patrick Gray — Fri, 21 Nov 2025 06:20:20 +1100

In this sponsored Soap Box edition of the podcast, Andrew Morris joins Patrick Gray to talk about how Greynoise can often get a 90 day heads up on serious vulnerabilities. Whether it's malicious actors doing reconnaissance or the affected vendors trying to understand the scope of the problem, it seems that mass scanning activity lines up pretty nicely with typical 90-day disclosure timelines. A fascinating chat with Andrew, as always. This episode is also available on [Youtube](https://youtu.be/AqSGEMGfaa0).

Srsly Risky Biz: AI-Powered espionage will favor China

Amberleigh Jack — Thu, 20 Nov 2025 12:46:35 +1100

Tom Uren and Amberleigh Jack talk about Anthropic's discovery of an "AI-orchestrated" cyber espionage campaign. To Tom, it feels a research project, but it's pretty clear it will be really useful for threat actors that aren't focussed on specific high-priority targets. Think ransomware, Chinese intellectual property theft and North Korean hackers. But it won't be so good for Western intelligence agencies. They also discuss Google's legal disruption of the China-based Lighthouse phishing as a service operation. Surprisingly, it seems to be working! Finally, they talk about why the memory safe Rust language has been a triple win for Android. This episode is also available on [Youtube](https://youtu.be/6Wm5XcoECJo).

Risky Business #815 -- Anthropic's AI APT report is a big deal

Adam Boileau — Wed, 19 Nov 2025 12:43:19 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Anthropic says a Chinese APT orchestrated attacks using its AI * It’s a day ending in -y, so of course there are shamefully bad Fortinet exploits in the wild * Turns out slashing CISA was a bad idea, now it’s time for a hiring spree * Researchers brute force entire phone number space against Whatsapp contact discovery API * DOJ figures out how to make SpaceX turn off scam compounds’ Starlink service This week's episode is sponsored by Mastercard. Senior Vice President of Mastercard Cybersecurity Urooj Burney joins to talk about how the roles of fraud and cyber teams in the financial sector are starting to converge. Mastercard also recently acquired Recorded Future, and Urooj talks about how they aim to integrate cyber threat intelligence into the financial world. This episode is also available on [Youtube](https://youtu.be/_R1jpzVZx-0).

Between Two Nerds: Russia's cyber war on wheat

The Grugq — Tue, 18 Nov 2025 07:18:45 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the strategic "logic" of Russian wiper attacks on the Ukrainian grain sector. This episode is also available on [Youtube](https://youtu.be/UAeeWSiXHZ4).

Risky Bulletin: Europol takes down Elysium, VenomRAT, and Rhadamanthys

Catalin Cimpanu — Fri, 14 Nov 2025 13:45:06 +1100

Europol takes down servers behind three malware operations, the US sanctions another Burmese military group linked to scam compounds, Google backs down from mandatory Android developer registration, and Checkout-dot-com donates its ransom to cybercrime researchers instead of paying hackers.

Srsly Risky Biz: Meta's fraud profit scandal

Amberleigh Jack — Thu, 13 Nov 2025 12:35:03 +1100

Tom Uren and Amberleigh Jack talk about a new Reuters' report that reveals how Meta is knowingly raking in cash from scam advertisements. It's around $16 billion worth, and in documents Meta calculates that it outweighs the costs of possible regulatory action. They also discuss recent state-backed supply chain attacks that have, so far, remained targeted and responsible. Finally they look at the UK's decision to stop sharing intelligence with the US about suspected drug boats in the Caribbean. This episode is also available on [Youtube](https://youtu.be/6G1xLJrU_oY).

Risky Business #814 -- It's a bad time to be a scam compound operator

Adam Boileau — Wed, 12 Nov 2025 13:48:11 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * The KK Park scam compound in Myanmar gets blasted with actual dynamite * China sentences more scammers TO DEATH * While Singapore is opting to lash them with the cane * Chinese security firm KnownSec leaks a bunch of documents * Necromancy continues on NSO Group, with a Trump associate in charge * OWASP freshens up the Top 10, you won't believe what's number three! This week's episode is sponsored by Thinkst Canary. Big bird Haroon Meer joins and, as usual, makes a good point. If you're going to trust a vendor to do something risky like put a box on your network, they have an obligation to explain how they make that safe. Thinkst has a /security page that does exactly that. So why do we let Palo Alto and Fortinet get away with "trust me, bro"? This episode is also available on [Youtube](https://youtu.be/SVgSbsbAaIs).

Risky Bulletin: Another Chinese security firm has its data leaked

Catalin Cimpanu — Wed, 12 Nov 2025 10:13:15 +1100

Internal data leaks from another Chinese security firm, a US Congressional Budget Office breach has not been contained, the Cyber infosharing act likely to be extended until January, and we have a new OWASP Top 10.

Between Two Nerds: Why AI in malware is lame

The Grugq — Tue, 11 Nov 2025 07:44:05 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss how cyber criminals and even state actors are being dumb about using AI. This episode is also available on [Youtube](https://youtu.be/E71VoECXKp4).

Risky Bulletin: Myanmar scam compound goes boom!

Catalin Cimpanu — Mon, 10 Nov 2025 13:43:05 +1100

Myanmar starts demolishing the KK Park scam compound, the US Congressional Budget Office gets hacked by a foreign APT, Chrome will remove risky X-S-L-T support, and scammers in Singapore will get the cane.

Risky Bulletin: Europol arrests massive credit card fraud ring

Catalin Cimpanu — Fri, 07 Nov 2025 12:39:29 +1100

Payment service provider executives arrested over a credit card fraud ring, Meta makes a fortune showing scam ads, South Korean telco KT tried to hide a second breach and five more scammers are sentenced to death in China.

Srsly Risky Biz: The cyber regime change pipe dream

Amberleigh Jack — Thu, 06 Nov 2025 12:46:13 +1100

Tom Uren and Amberleigh Jack talk about aggressive US cyber operations targeting the Venezuelan government in President Trump's first term. These were narrowly successful in that they achieved their immediate operational goals, but they didn't achieve Trump's broader policy goal of ousting Venezuelan leader Nicolás Maduro. They also talk about why the adtech ecosystem is a national security problem all round the world and how cybercriminals are collaborating with organised crime to steal cargo from logistics companies. This episode is also available on [Youtube](https://youtu.be/KnAg-m3rp54).

Risky Business #813 -- FFmpeg has a point

Adam Boileau — Wed, 05 Nov 2025 14:29:28 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * We love some good vulnerability reporting drama, this time FFmpeg's got beef with Google * OpenAI announces its Aardvark bug-gobbling system * Two US ransomware responders get arrested for… ransomware * Memento (nee HackingTeam) CEO says: Sì, those are totally our tools getting snapped in Russia * Hackers help freight theft gangs steal shipments to resell * A second Jabber Zeus mastermind gets his comeuppance 15 years on This week's episode is sponsored by Nucleus Security, who make a vulnerability information management system. Co-founder Scott Kuffer says that approaches for triaging vulnerabilities have started to fall apart, given there are just. So. Many. And they're all important! This episode is also available on [Youtube](https://youtu.be/6vd1PqMl-8Y).

Risky Bulletin: US indicts two rogue cybersecurity employees for ransomware attacks

Catalin Cimpanu — Wed, 05 Nov 2025 13:51:58 +1100

The US indicts two cybersecurity employees over ransomware attacks, hackers extort customers of South Korean massage parlors, another crypto firm gets hacked for $128 million dollars, and cargo thieves collab with hackers to target freight companies.

Between Two Nerds: Lost in transmission

The Grugq — Tue, 04 Nov 2025 07:06:37 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the futility of using aggressive cyber operations to send messages between states. This episode is also available on [Youtube](https://youtu.be/cTrzkF5ExOU).

Risky Bulletin: Norway skittish of its Chinese electric buses

Catalin Cimpanu — Mon, 03 Nov 2025 12:24:10 +1100

Norway finds remote control features in its Chinese electric buses, the US CyberCorps program may saddle students with debt, Edge and Chrome get AI-based scareware blockers, and a Conti member has been extradited to the US.

Risky Bulletin: Russia arrests Meduza Stealer group

Catalin Cimpanu — Fri, 31 Oct 2025 10:22:34 +1100

Russian police arrest the Meduza-Stealer trio, a Former L-3Harris manager pleads guilty to selling exploits to Russia, the US hacked Venezuela in 2020, and Windows 11 Administrator Protection goes live.

Srsly Risky Biz: Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia

Amberleigh Jack — Thu, 30 Oct 2025 13:26:51 +1100

Tom Uren and Amberleigh Jack talk about Peter Williams, the general manager of vulnerability research firm Trenchant, who has pleaded guilty to selling exploits to the Russian 0day broker Operation Zero. It's a terrible look, but it doesn't mean the private sector can't be trusted to develop exploits. They also discuss a new report's recommendations to empower the Office of the National Cyber Director. It's a good idea, but it won't make up for the cuts in funding and personnel across the Trump administration's cyber portfolio. This episode is also available on [Youtube](https://youtu.be/hYnUDgllhDo).

Risky Business #812 -- Alleged Trenchant exploit mole is ex-ASD

Adam Boileau — Wed, 29 Oct 2025 14:30:38 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * L3Harris Trenchant boss accused of selling exploits to Russia once worked at the Australian Signals Directorate * Microsoft WSUS bug being exploited in the wild * Dan Kaminsky DNS cache poisoning comes back because of a bad PRNG * SpaceX finally starts disabling Starlink terminals used by scammers * Garbage HP update deletes certificates that authed Windows systems to Entra This week's episode is sponsored by automation company Tines. Field CISO Matt Muller joins to discuss how Tines has embraced LLMs and the agentic-AI future into their workflow automation. This episode is also available on [Youtube](https://youtu.be/qVTC4F5KeRI).

Risky Bulletin: HackingTeam is back!

Catalin Cimpanu — Wed, 29 Oct 2025 10:01:52 +1100

HackingTeam's successor is targeting Russia and Belarus, X users must re-enroll their security keys, Chrome will put HTTP behind a warning dialogue, and 15 people are expected to plead guilty in an Italian hacking scandal.

Between Two Nerds: NSA gets its mojo back!

The Grugq — Tue, 28 Oct 2025 05:57:46 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq dissect a recent Chinese CERT report that the NSA had hacked China's national time keeping service. This episode is also available on [Youtube](https://youtu.be/m5KbO1cwfVw).

Risky Bulletin: WSUS bug under attack

Catalin Cimpanu — Mon, 27 Oct 2025 12:24:36 +1100

A bug in Microsoft WSUS is under attack, Thailand revokes the citizenship of scam-linked businessman, the US charges high tech poker cheat, and Iran's top hacking school is breached.

Risky Bulletin: iOS 26 change deletes clues of old spyware infections

Catalin Cimpanu — Fri, 24 Oct 2025 11:45:55 +1100

A change in iOS is deleting-clues of old spyware infections, Starlink disables 2,500 terminals at scam compounds, a Caribbean hospital is still down 5 months after a ransomware attack, and officials are charged in Poland’s Pegasus spyware scandal.

Srsly Risky Biz: Hacking for Godot

Amberleigh Jack — Thu, 23 Oct 2025 13:09:55 +1100

Tom Uren and Amberleigh Jack talk about how America can better use its private sector to scale up offensive cyber activities, including espionage and disruption operations. Involving it to tackle ransomware and cryptocurrency scammers makes a lot of sense. They also talk about how the ransomware ecosystem is splintering, and one operator's relatively quick journey from being an affiliate to a platform operator. This episode is also available on [Youtube](https://youtu.be/FqD-xzGEfnQ).

Risky Business #811 -- F5 is the tip of the crap software iceberg

Adam Boileau — Wed, 22 Oct 2025 14:05:21 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * China has been rummaging in F5's networks for a couple of years * Meanwhile China tries to deflect by accusing the NSA of hacking its national timing system * Salesforce hackers use their stolen data trove to dox NSA, ICE employees * Crypto stealing, proxy-deploying, blockchain-C2-ing VS Code worm charms us with its chutzpah * Adam gets humbled by new Linux-capabilities backdoor trick * Microsoft ignores its own guidance on avoiding BinaryFormatter, gets WSUS owned. This episode is sponsored by Push Security. Co-founder and Chief Product Officer Jacques Louw joins to talk through how Push traced a LinkedIn phishing campaign targeting CEOs, and the new logging capabilities that proved critical to understanding it. This episode is also available on [Youtube](https://youtu.be/yFanv9MEf4M).

Risky Bulletin: Clever worm hits the VS Code scene

Catalin Cimpanu — Wed, 22 Oct 2025 09:35:15 +1100

A worm hits VS Code users, F5 was breached via its own devices back in 2023, Korea Telecom’s CEO says he’ll resign following a recent security breach, and the Boy Scouts will award cybersecurity merit badges.

Wide World of Cyber: A deep dive on the F5 hack

Chris Krebs — Tue, 21 Oct 2025 13:28:13 +1100

In this edition of the Wide World of Cyber podcast Patrick Gray talks to Chris Krebs and Alex Stamos about the F5 incident. They talk about what happened, whether it's a big deal, and why private equity ownership of mid-tier cybersecurity companies is often a red flag.

Between Three Nerds: India, the sleeping cyber superpower

The Grugq — Tue, 21 Oct 2025 08:33:01 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk to Joe Devanny, senior lecturer from King's College London, all about India's missing cyber power. It has all the ingredients to become a cyber superpower, but so far, hasn't shown the motivation. This episode is also available on [Youtube](https://youtu.be/NJwy2sUKlHk).

Risky Bulletin: Prisoner hacks his prison IT system, goes wild!

Catalin Cimpanu — Mon, 20 Oct 2025 13:33:44 +1100

A Romanian inmate hacks his prison’s IT system, hackers leak the data of DHS and DOJ employees, classified material was stolen from John Bolton’s AOL account and authorities seize a SIM farm in Latvia.

Risky Bulletin: F5 says an APT stole source code, vulnerability reports

Catalin Cimpanu — Fri, 17 Oct 2025 10:23:43 +1100

An APT stole source code and vulnerability reports from F5, a European MP files a criminal hacking complaint against Hungary’s Prime Minister, airport PA systems are hijacked in Canada and the US, and the PowerSchool hacker gets prison time.

Risky Biz Soap Box: Why Mastercard is scaling its cybersecurity business

Patrick Gray — Fri, 17 Oct 2025 10:12:05 +1100

In this sponsored Soap Box edition of the Risky Business podcast, host Patrick Gray chats with Mastercard's Executive Vice President and Head of Security Solutions, Johan Gerber, about how the card brand thinks about cybersecurity and why it's aggressively investing in the space. After listening to this interview you'll understand why the credit card company spent $2.65b on threat intelligence vendor Recorded Future! This episode is also available on [Youtube](https://youtu.be/xNn7387RGxE).

Srsly Risky Biz: Small beer surveillance firms escape crackdown, for now

Amberleigh Jack — Thu, 16 Oct 2025 13:31:40 +1100

Tom Uren and Amberleigh Jack talk about First Wap, a Jakarta-based company that is selling surveillance-as-a-service. The good news is that it appears that government and media attention has had an impact on high-profile spyware vendors like NSO Group. The bad news is that these smaller players are flying under the radar and aren't afraid of selling to sketchy customers. They also talk about how the Chinese government has harnessed the power of its exploit development community with hacking contests. This episode is also available on [Youtube](https://youtu.be/pvZIQ0fgqFU).

Risky Business #810 -- Data extortion attacks have a silver lining

Adam Boileau — Wed, 15 Oct 2025 16:30:14 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * FBI intervenes in Scattered Spider Salesforce leaksite * Clop loots Oracle E-Biz deployments * Plus so much more data extortion.. At least it’s not ransomware … we guess? * The US still can't decide who's gonna be in charge of NSA & Cybercom * Cambodian scam compounds get sanctioned and $15b in crypto is seized * NSO gets sold for pocket-lint-grade money * Bugs! Redis CVSS 10, Ivanti, Crowdstrike and… Internet Explorer?! zeroday?! In the wild?!!!? This week's episode is sponsored by Stairwell. Founder Mike Wiacek talks about how Stairwell brings VirusTotal-like visibility to private files, and about integrating the insights that brings into your SOC workflow. This episode is also available on [Youtube](https://youtu.be/zc_t8Q3by-I).

Risky Bulletin: Windows 10 reaches End-of-Life

Catalin Cimpanu — Wed, 15 Oct 2025 14:45:35 +1100

Windows 10 reaches End-of-Life, CISA cyber personnel avoided last week’s layoffs, the US seizes $15 billion dollars from a cyber-scam-compound operator, and a Secure Boot bypass impacts 200,000 Framework computers.

Between Two Nerds: The Keyser Soze of Scattered Spider

The Grugq — Tue, 14 Oct 2025 07:45:44 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how different cybercriminal groups are after insiders to provide network access. This episode is available on [Youtube](https://youtu.be/qDjA9nF_nJw).

Risky Bulletin: Microsoft revamps Edge's "IE Mode" after zero-day attacks

Catalin Cimpanu — Mon, 13 Oct 2025 13:18:07 +1100

Microsoft revamps Edge-IE-Mode after zero-day attacks, the FBI seizes the extortion site targeting Salesforce, a new round of layoffs hits CISA, and Apple doubles its bug bounty rewards.

Risky Bulletin: EU scraps Chat Control vote

Catalin Cimpanu — Fri, 10 Oct 2025 13:56:31 +1100

The EU scraps its upcoming vote on Chat Control, Ukraine establishes a Cyber Force, CISA workers are reassigned to immigration enforcement, and two teens are arrested over the UK nursery hacks.

Srsly Risky Biz: Clop is a big fish, but not worth hunting

Amberleigh Jack — Thu, 09 Oct 2025 12:27:04 +1100

Tom Uren and Amberleigh Jack talk about the Clop ransomware gang. It is interesting because the group has arrived at a strategy that rinses a whole lot of enterprises at once and comes with a decent pay day, But it's actually the least damaging kind of ransomware. Tom wonders why can't more gangs be like Clop? They also discuss the US government having second thoughts about ignoring foreign influence operations. Its adversaries run them all the time, so perhaps just sticking its head in the sand isn't the best strategy. This episode is also available on [Youtube](https://youtu.be/4E3gvFeYgw8).

Risky Bulletin: Redis vulnerability impacts all versions released in the last 13 years

Catalin Cimpanu — Wed, 08 Oct 2025 10:42:55 +1100

Redis patches a remote code execution vulnerability, Oracle out-of-band-fixes a zero-day used in a recent extortion campaign, Medusa ransomware group was behind a recent Fortra zero-day, and India fixes a tax filing system flaw;

Snake Oilers: Realm Security, Horizon3 and Persona

Patrick Gray — Wed, 08 Oct 2025 08:50:04 +1100

In this edition of the Snake Oilers podcast, three vendors pop in to pitch you all on their wares: * [Realm Security](https://realm.security/riskybiz/): A security focussed, AI-first data pipeline platform * [Horizon3](https://horizon3.ai/): AI hackers! Pentesting robots!! They're coming fer yur jerbs! * [Persona](https://withpersona.com): Verify customer and staff identities with live capture This episode is also available on [Youtube](https://youtu.be/eaaKPWM0Vxg).

Between Two Nerds: What drives 0day mass exploitation

The Grugq — Tue, 07 Oct 2025 06:00:53 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the 0day mass exploitation of SharePoint and Exchange. This type of widespread hacking appears to be increasingly common... but is it? This episode is also available on [YouTube](https://youtu.be/inV8w2bEp6U).

Risky Bulletin: Microsoft tells users to uninstall games affected by a Unity bug

Catalin Cimpanu — Mon, 06 Oct 2025 10:56:52 +1100

Microsoft tells users to uninstall games affected by a Unity bug, Discord discloses a data breach, Google rolls out end-to-end encryption for Gmail, and Apple and Google block an ICE tracking app.

Risky Bulletin: Scam compound operators sentenced to death in China

Catalin Cimpanu — Fri, 03 Oct 2025 13:22:39 +1000

China sentences 11 scam compound operators to death, the UK makes another request for Apple user data, an Iranian APT gets doxxed again, and Microsoft launches a Security Store.

Srsly Risky Biz: The cyberespionage gig economy

Amberleigh Jack — Thu, 02 Oct 2025 12:01:26 +1000

Tom Uren and Amberleigh Jack talk about different ways foreign intelligence services are finding to recruit local proxies. These methods could be too risky for Western intelligence agencies, but for some state's services they just make sense. They also discuss a report into DOGE and how speed was prioritised over robust governance. This episode is also available on [Youtube](https://youtu.be/PaIpDhJFTrU).

Risky Business #809 -- Hackers try to pay a journalist for access to the BBC

Amberleigh Jack — Wed, 01 Oct 2025 17:01:41 +1000

On this week’s show Patrick Gray is on holiday so Amberleigh Jack and Adam Boileau hijack the studio to discuss the week’s cybersecurity news, including: * Hackers learn that trying to coerce a journalist just makes for … a great story? * A man in his 40s gets arrested over the European airport chaos. Yep, we’re surprised, too. * Adam fanboys over Watchtowr Labs while bemoaning Fortra. * Academics pick apart Tile trackers and find them lacking * CISA tells agencies to patch their damn Cisco gear This episode is also available on [YouTube](https://youtu.be/klnGOkUmguo).

Risky Bulletin: Router APIs abused to send SMS spam

Catalin Cimpanu — Wed, 01 Oct 2025 11:43:13 +1000

A Cybercrime group abuses routers to send SMS spam, CISA announces a new collaboration model for state governments, South Korea raises its cyber threat level after a data center fire, and Tile tracking devices expose their location.

Between Two Nerds: The power of cyber

The Grugq — Tue, 30 Sep 2025 06:48:33 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the power of cyber. This episode is also available on [Youtube](https://youtu.be/yYqHuggx6kE).

Risky Bulletin: UK to bail out Jaguar Land Rover

Catalin Cimpanu — Mon, 29 Sep 2025 10:55:56 +1000

The UK will bail out Jaguar Land Rover following its cyberattack, hackers try to extort a ransom using childrens’ photos, Dutch police arrest two teens over sniffing WiFi for Russian spies, and a recent GoAnywhere MFT bug is being exploited.

Risky Bulletin: EU users to get free Windows 10 extended security updates

Catalin Cimpanu — Fri, 26 Sep 2025 14:03:32 +1000

European users will get free Windows 10 extended security updates, Cisco patches three zero-days, Microsoft drops an Israeli intel surveillance contract and a UK man is arrested for the EU airport disruptions.

Srsly Risky Biz: The kids aren't alright

Amberleigh Jack — Thu, 25 Sep 2025 13:15:36 +1000

Tom Uren and Amberleigh Jack talk about how the funnel that turns kids into cyber criminals has evolved over the last decade. Cybercrime's reach has broadened, it is more lucrative and more violent. They also talk about new thinking about deterring America's cyber adversaries. This episode is also available on [YouTube](https://youtu.be/w02DoIHt5zY)

Risky Business #808 -- Insane megabug in Entra left all tenants exposed

Patrick Gray — Wed, 24 Sep 2025 13:03:14 +1000

On this week’s show Patrick Gray and special guest Rob Joyce discuss the week’s cybersecurity news, including: * Secret Service raids a SIM farm in New York * MI6 launches a dark web portal * Are the 2023 Scattered Spider kids finally getting their comeuppance? * Production halt continues for Jaguar Land Rover * GitHub tightens its security after Shai-Hulud worm This week's episode is sponsored by Sublime Security. In this week's sponsor interview, Sublime founder and CEO Josh Kamdjou joins host Patrick Gray to chat about the pros and cons of using agentic AI in an email security platform. This episode is also available on [YouTube](https://youtu.be/xn63oyBFLW4)

Risky Bulletin: US raids SIM farm in New York

Catalin Cimpanu — Wed, 24 Sep 2025 11:24:57 +1000

The US Secret Service raids a SIM farm in New York, EU airport disruptions were caused by ransomware, thieves steal gold nuggets from a French museum after a cyberattack and SonicWall releases a firmware update to remove SMA rootkits.

Between Two Nerds: How the US can win the cyber war

The Grugq — Tue, 23 Sep 2025 06:50:47 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at a new Center for Strategic and International Studies report: A Playbook for Winning the Cyber War. This episode is also available on [YouTube](https://youtu.be/8w30ql1AqKo).

Risky Bulletin: Cyberattack disrupts airports across Europe

Catalin Cimpanu — Mon, 22 Sep 2025 10:37:32 +1000

A cyberattack disrupts European airports, a Scattered Spider member turns himself in to US authorities, the Pentagon hires a new cyber policy leader and two Russian APTs work together for the first time.

Risky Bulletin: Pentagon has more than 70,000 cyber personnel

Amberleigh Jack — Fri, 19 Sep 2025 10:50:01 +1000

America's Government Accountability Office says the Pentagon employs more than 70,000 cyber personnel, hackers steal SonicWall firewall configs, DeepSeek returns insecure code for groups China doesn’t like, and two Scattered Spider members arrested in the UK.

Srsly Risky Biz: US investment in spyware skyrockets

Amberleigh Jack — Thu, 18 Sep 2025 13:03:16 +1000

Tom Uren and Amberleigh Jack talk about why it is good news that US investment in spyware vendors has skyrocketed. They also discuss the in-principle agreement for TikTok to remain in the US. It's a win-win: a win for China and a win for TikTok, but not so much a win for US national security. This episode is also available on [YouTube](https://youtu.be/9kDz1Z_5yFI).

Risky Business #807 -- Shai-Hulud npm worm wreaks old-school havoc

Adam Boileau — Wed, 17 Sep 2025 13:01:40 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Shai-Hulud worm propagates via npm and steals credentials * Jaguar Land Rover attack may put smaller suppliers out of business * Leaked data emerges from the vendor behind the Great Firewall of China * Vastaamo hacker walks free while appeal is underway * Why is a senator so mad about Kerberos? This week's episode is sponsored by Knocknoc. Chief exec Adam Pointon joins to talk through the surprising number of customers that are using Knocknoc's identity-to-firewall glue to protect internal services and networks. This week's episode is also available on [Youtube](https://youtu.be/LzCRbNX_Z0s).

Risky Bulletin: Android switches to risk-based security updates

Catalin Cimpanu — Wed, 17 Sep 2025 09:06:29 +1000

Android will only issue monthly updates for high-risk vulnerabilities A self-replicating attack hits the npm registry; BreachForums’ admin resentenced on appeal; ...and hackers breach Gucci's parent company.

Between Two Nerds: The limits of cyber power

The Grugq — Tue, 16 Sep 2025 06:47:11 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the limits of a state's cyber power. This episode is also available on [YouTube](https://www.youtube.com/watch?v=VMUduWU4S78&t=1708s)

Risky Bulletin: DC sues crypto ATM operator for profiting from scams

Catalin Cimpanu — Mon, 15 Sep 2025 12:09:31 +1000

The US sues a crypto ATM operator for profiting from scams, SMS blasters make their way into Switzerland, the US and Portugal tussle over the extradition of the RaidForums admin, and Samsung patches a zero-day in its phones.

Risky Biz Soap Box: runZero shakes up vulnerability management

Patrick Gray — Mon, 15 Sep 2025 10:01:43 +1000

In this sponsored Soap Box edition of the Risky Business podcast, industry legend HD Moore joins the show to talk about runZero's major push into vulnerability management. With its new Nuclei integration, runZero is now able to get a very accurate picture of what's vulnerable in your environment, without spraying highly privileged credentials at attackers on your network. It can also integrate with your EDR platform, and other data sources, to give you powerful visibility into the true state of things on your network and in your cloud. This episode is also available on [Youtube](https://youtu.be/8mta57Ba7rQ).

Risky Bulletin: Apple notifies French users of spyware attacks

Catalin Cimpanu — Fri, 12 Sep 2025 13:40:36 +1000

Apple notifies French users of spyware attacks, China will increase fines for data breaches Google pays $1.6mil for cloud bugs at a hackathon event, and no more hacked free laundry for Dutch students

Srsly Risky Biz: Exploiting authorisation sprawl is the new black

Amberleigh Jack — Thu, 11 Sep 2025 13:27:41 +1000

Tom Uren and Amberleigh Jack talk about the Salesloft Drift incident. It is a great example of the sprawling impact that the breach of a single service provider can have. We expect these single-compromise-large-blast-radius attacks will become the new norm. They also talk about Apple's Memory Integrity Enforcement, which promises to be a big step forward for memory safety on Apple devices. This episode is also available on [Youtube](https://youtu.be/hNmkkfXx2mc).

Risky Business #806 -- Apple's Memory Integrity Enforcement is a big deal

Adam Boileau — Wed, 10 Sep 2025 14:54:02 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Apple ruins exploit developers’ week with fresh memory corruption mitigations * Feross Aboukhadijeh drops by to talk about the big, dumb npm supply chain attack * Salesloft says its GitHub was the initial entry point for its compromise * Sitecore says people should "patch" its using-the-keymat-from-the-documentation "zero day" * Rogue certs for 1.1.1.1 appear to be just (stupid) testing * Jaguar Land Rover ransomware attackers are courting trouble This week's episode is sponsored by open source cloud security tool, Prowler. Founder Toni de la Fuente joins to discuss their new support for Microsoft 365. Time to point Prowler at your OneDrive and Sharepoint! This episode is also available on [Youtube](https://youtu.be/Dk1KizNzRSQ).

Risky Bulletin: White House to keep CyberCom and NSA dual role

Catalin Cimpanu — Wed, 10 Sep 2025 12:04:20 +1000

The White House will keep the CyberCom and NSA dual-hat leadership arrangement, the US charges a major ransomware figure, Apple ships a memory safety protection feature and yet another supply chain attack hits the npm world.

Between Two Nerds: The death of the exploit

The Grugq — Tue, 09 Sep 2025 09:16:22 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the trend toward outrageously complicated exploits and what it means for hacking and cyber espionage. This episode is also available on [YouTube](https://www.youtube.com/watch?v=yak3bWXvQdM)

Snake Oilers: Nebulock, Vali Cyber and Cape

Patrick Gray — Mon, 08 Sep 2025 14:20:48 +1000

In this edition of the Snake Oilers podcasts, three vendors pop in to pitch you all on their wares: * Automated, AI-powered threat hunting with [Nebulock](https://nebulock.io/) Damien Lewke from Nebulock joins the show to talk about how its agentic AI platform can surface attacker activity out of all those "low" and "informational" findings your detection team doesn't have time to look at. * Runtime security for hypervisors from [Vali Cyber](https://valicyber.com/) Austin Gadient from Vali Cyber stops by to talk about ZeroLock, its hypervisor security product. It's marketed as a counter-ransomware control but is just a generally useful security platform for virtualised environments. * A secure mobile telco: [Cape](https://cape.co/) The only thing American cell providers love more than providing patchy coverage is getting their customers' data owned. Cape is here to change that. It's a security and anonymity-focussed virtual mobile network operator (MVNO) that's been spun up by a highly competent team. If we lived in the USA we would be customers, and a bunch of CISOs listening to this might want to consider Cape subscriptions for their workforce. This episode is also available on [Youtube](https://youtu.be/K1C-bR728ro)

Risky Bulletin: New APT group turns out to be a phishing test

Catalin Cimpanu — Mon, 08 Sep 2025 10:28:23 +1000

A new APT group turns out to be a phishing test, Qantas cuts executives’ bonuses after a recent breach, Anthropic stops selling AI tools to Chinese firms, and Nepal blocks 26 social media sites.

Risky Bulletin: Cyberattack disrupts Bridgestone tyre factories across North America

Catalin Cimpanu — Fri, 05 Sep 2025 13:31:47 +1000

A cyberattack disrupts Bridgestone tyre factories in North America, a new infostealer takes your photo while you watch porn, bad certificates for Cloudflare infrastructure went undetected for more than a year, and Brazil deals with another payment system hack.

Srsly Risky Biz: Google sharpens its cyber knife

Amberleigh Jack — Thu, 04 Sep 2025 12:47:44 +1000

Tom Uren and Amberleigh Jack talk about Google starting a cyber disruption unit. It's a sign of the times but could also point the way forward for policymakers looking to involve the private sector in government-endorsed efforts to strike back in cyberspace. They also talk about cyber security authorities from 13 different countries pegging Salt Typhoon to three Chinese companies. That's a lot of countries, but Tom wonders whether attribution is just viewed as a cost of doing business for the Chinese government. And it turns out that Apple's dispute with the UK government about encrypted iCloud data has not yet been resolved, despite media reports to the contrary. This episode is also available on [Youtube](https://youtu.be/TsjE2vzBlyM).

Risky Business #805 -- On the Salesloft Drift breach and "OAuth soup"

Adam Boileau — Wed, 03 Sep 2025 13:56:55 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * The Salesloft breach and why OAuth soup is a problem * The Salt Typhoon telco hackers turn out to be Chinese private sector, but state-directed * Google says it will stand up a "disruption unit" * Microsoft writes up a ransomware gang that's all-in on the cloud future * Aussie firm hot-mics its work-from-home employees' laptops * Youtube scam baiters help the feds take down a fraud ring This episode is sponsored by Dropzone.AI. Founder and CEO Edward Wu joins the show to talk about how AI driven SOC tools can help smaller organisations claw their way above the "security poverty line". A dedicated monitoring team, threat hunting and alert triage, in a company that only has a couple of part time infosec people? Yes please! This episode is also available on [Youtube](https://youtu.be/SKWooX9Kg3k).

Risky Bulletin: YouTubers unmask and help dismantle Chinese scam ring

Catalin Cimpanu — Wed, 03 Sep 2025 10:16:00 +1000

Two YouTube channels help dismantle a Chinese scam operation, Cloudflare, Zscaler, and Palo Alto disclose Salesloft-related breaches, a ransomware attack disrupts vehicle production at Jaguar Land Rover, and we have a new record DDoS attack.

Between Two Nerds: How threat actors are using AI to run wild

The Grugq — Tue, 02 Sep 2025 07:42:15 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how cyber threat actors are using AI tools to fill in resource and skills gaps that they have. This episode is also available on [Youtube](https://youtu.be/AjQVn1bGBQw).

Risky Bulletin: Noem fires FEMA IT team over alleged cybersecurity failures

Catalin Cimpanu — Mon, 01 Sep 2025 10:04:22 +1000

FEMA's IT staff fired over an alleged breach, WhatsApp patches a zero-day, the Salesloft breach impacted more than just Salesforce, and a scammer steals $1.5 million dollars from the city of Baltimore.

Risky Bulletin: npm attack uses AI prompts to steal creds, crypto-wallet keys

Amberleigh Jack — Fri, 29 Aug 2025 10:43:24 +1000

An npm supply chain attack uses AI to steal credentials and crypto-wallet keys, Google establishes a cyber disruption unit, a ransomware attack disrupts more than 200 Swedish municipalities, and Salt Typhoon hacks have now hit more than 80 countries.

Srsly Risky Biz: America wants to hack the planet

Amberleigh Jack — Thu, 28 Aug 2025 12:27:15 +1000

Tom Uren and Amberleigh Jack talk about proposed legislation that would allow the President to license private sector hackers to go after cybercrime groups. The bill won't pass, but letting hackers loose on industrial-scale scam farms actually makes sense. They also talk about Microsoft's blind spot regarding China. It has trusted China-based engineers with sensitive work, and is now only just realising that China's security interests are not compatible with Microsoft's. This episode is also available on [Youtube](https://youtu.be/MIId1l9x_pc).

Risky Business #804 -- Phrack's DPRK hacker is probably a Chinese APT guy

Adam Boileau — Wed, 27 Aug 2025 15:02:20 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Australia expels Iranian ambassador * Hackers sabotage Iranian shipping satcoms * APT hacker got doxxed in Phrack. Kind of. They’re probably Chinese, not DPRK? * Trail of Bits uses image-downscaling to sneak prompts into Google Gemini * The Com's King Bob gets ten years in the slammer * It's a day that ends in -y, so of course there's a new Citrix Netscaler RCE being used in the wild. This week's episode is brought to you by Corelight. Chief Strategy Officer Greg Bell talks through how they've been implementing AI for sifting through your network data. A model-context-protocol server that can rummage in all those packet logs for you while you keep investigating? Yes please. This episode is also available on [Youtube](https://youtu.be/UyBhgvy43r8).

Risky Bulletin: FCC removes 1,200 voice providers from US phone network

Catalin Cimpanu — Wed, 27 Aug 2025 12:30:46 +1000

The FCC removes 1,200 voice providers from the US phone network, a cyberattack shuts down Nevada’s state government services; hackers breach Salesloft and pivot into Salesforce accounts, and Citrix patches yet another zero-day.

Between Two Nerds: Teenage hackers are like goldfish

The Grugq — Tue, 26 Aug 2025 07:28:49 +1000

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how the teenage hacking groups Scattered Spider, Lapsus$ and Shiny Hunters are collaborating. They examine whether this is bad news and what will it take to slow these wrecking crews down. Plus, how teenage hackers are like goldfish. This episode is also available on [Youtube](https://youtu.be/iSqj1AMNUFQ).

Wide World of Cyber: Microsoft's China Entanglement

Alex Stamos — Mon, 25 Aug 2025 14:24:29 +1000

The Wide World of Cyber podcast is back! In this episode host Patrick Gray chats with Alex Stamos and Chris Krebs about Microsoft's entanglement in China. Redmond has been using Chinese engineers to do everything from remotely support US DoD private cloud systems to maintain the on premise version of the SharePoint code base. It's all blown up in the press over the last month, but how did we get here? Did Microsoft make these decisions to save money? Or was it more about getting access to the Chinese market? And how can we all make the world's most important software company stop doing things like this? Tune in to the Wide World of Cyber podcast to find out! This episode is also available on [Youtube](https://youtu.be/C8B7y7CvhZM).

Risky Bulletin: Hackers sabotage Iranian ships at sea, again

Catalin Cimpanu — Mon, 25 Aug 2025 10:18:39 +1000

Hackers sabotage Iranian ships for a second time this year, mass cybercrime arrests across Africa, South Korea extradites a Chinese man behind celebrity hacks, and a French supermarket chain discloses a data breach.

Risky Bulletin: Microsoft restricts Chinese firms’ access to MAPP

Catalin Cimpanu — Fri, 22 Aug 2025 08:07:04 +1000

Microsoft restricts Chinese firms’ access to its MAPP program, Apple patches a zero-day used in the wild, a Scattered Spider member gets 10 years in prison, and a new exploit broker pops up in the UAE.

Srsly Risky Biz: Russian cyber security picked a side

Amberleigh Jack — Thu, 21 Aug 2025 12:49:11 +1000

Tom Uren and Amberleigh Jack talk about a new report that looks at how Russian cyber security firms have adapted since the country's invasion of Ukraine. These firms are doing surprisingly well financially. It turns out that in an era of great power competition, picking sides is not just necessary, it is also a winning strategy. They also discuss Russia effectively killing foreign messenger services to promote its own WeChat-like service and claims that the UK has backed down on its Apple encryption order. This episode is also available on [Youtube](https://youtu.be/s9l9ONUKijY).

Risky Business #803 -- Oracle's CSO Mary Ann Davidson quietly departs

Adam Boileau — Wed, 20 Aug 2025 14:34:58 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Oracle's long term CSO departs, and we're not that sad about it * Canada's House of Commons gets popped through a Microsoft bug * Russia degrades voice calls via Whatsapp and Telegram to push people towards Max * South-East Asian scam compounds are also behind child sextortion * Reports that the UK has backed down on Apple crypto are… strange * Oh and of course there's a Fortinet bug! There's always a Fortinet bug! This week's episode is sponsored by open source identity provider Authentik. CEO Fletcher Heisler joins the show this week, and explains the journey of implementing SSO backed login on Windows, Mac and Linux. You'll never guess which one was a few lines of PAM config, and which was a multi-month engineering project! This episode is also available on [Youtube](https://youtu.be/1oGbizhqV28).

Risky Bulletin: Child sextortion cases linked to scam compounds

Catalin Cimpanu — Wed, 20 Aug 2025 12:20:28 +1000

Almost 500 child sextortion cases have been linked to scam compounds, Oracle's CSO departs after 37 years, Europol offers a reward for the Qilin ransomware group, and the UK drops its demand for an Apple backdoor.

Between Two Nerds: Cyber myopia

The Grugq — Tue, 19 Aug 2025 07:16:18 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about whether the cyber industry and intelligence agencies focus too much on technical details and ignore the bigger picture. This episode is also available on [Youtube](https://youtu.be/1uIe_b-d-60).

Risky Bulletin: Academics pull off novel 5G attack

Catalin Cimpanu — Mon, 18 Aug 2025 09:19:11 +1000

Academics develop a 5G downgrade attack, ransomware hits car salvage yards across North America, multiple VPN apps share the same hardcoded password, and Bangladesh spent $190 million on hacking and surveillance tools.

Risky Bulletin: HTTP2 flaw enables massive DDoS attacks

Catalin Cimpanu — Fri, 15 Aug 2025 11:11:56 +1000

An HTTP-2 vulnerability enables DDoS attacks, Russia blocks Telegram and WhatsApp voice calls, attackers abuse a zero-day in N-able servers, and the US government is adding trackers to chip shipments.

Risky Biz Soap Box: How to measure vulnerability reachability

Patrick Gray — Fri, 15 Aug 2025 09:06:39 +1000

In this Soap Box edition of the Risky Business podcast Patrick Gray chats with Socket founder Feross Aboukhadijeh about how to measure the reachability of vulnerabilities in applications. It's great to know there's a CVE in a library you're using, but it's even better if you can say whether or not that vulnerability actually impacts your application. They also talk about how Socket started out as a way to discover malicious packages in software projects, but these days it's playing the CVE game as well. This episode is also available on [Youtube](https://youtu.be/cCzr83mU3A4).

Srsly Risky Biz: Drug cartels are the new APTs

Amberleigh Jack — Thu, 14 Aug 2025 12:07:27 +1000

Tom Uren and Amberleigh Jack talk about a recent hack of the US courts document management system. It's about as bad as can be, with multiple threat actors including states and possibly even drug cartels rummaging around in there, possibly for years. They also discuss Microsoft's involvement in an Israeli surveillance system and the head of Australia's security organisation's blunt warning about espionage. This episode is also available on [Youtube](https://youtu.be/yCzMVPxCG1E).

Risky Business #802 -- Accessing internal Microsoft apps with your Hotmail creds

Adam Boileau — Wed, 13 Aug 2025 15:51:34 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * CISA warns about the path from on-prem Exchange to the cloud * Microsoft awards a crisp zero dollar bill for a report about what a mess its internal Entra-authed apps are * Everyone and their dog seems to have a shell in US Federal Court information systems * Google pays $250k for a Chrome sandbox escape * Attackers use javascript in adult SVG files to … farm facebook likes?! * SonicWall says users aren't getting hacked with an 0day… this time. This week's episode is sponsored by SpecterOps. Chief product officer Justin Kohler talks about how the flagship Bloodhound tool has evolved to map attack paths anywhere. Bring your own applications, directories and systems into the graph, and join the identity attacks together. This episode is also available on [Youtube](https://youtu.be/Yfs4guB641k).

Risky Bulletin: Russia suspected of US Courts hack

Catalin Cimpanu — Wed, 13 Aug 2025 11:05:21 +1000

Russia suspected of hacking a US Court system, researchers break the DarkBit ransomware’s encryption, a new attack can leak sensitive data from AMD processors, and a brute-force campaign targets Fortinet devices.

Risky Bulletin: Researcher scores $250,000 for Chrome bug

Catalin Cimpanu — Mon, 11 Aug 2025 10:34:39 +1000

A security researcher scores $250,000 for a Chrome bug, WinRAR patches another zero-day, new vulnerabilities found in the Tetra communications protocol, and a researcher gains access to Microsoft's internal network for fun... and no profit.

Risky Bulletin: CISA tells federal agencies to mitigate on-prem-to-cloud Exchange attack

Catalin Cimpanu — Fri, 08 Aug 2025 10:47:21 +1000

Federal agencies told to patch a new Exchange flaw, millions of sites are vulnerable to HTTP desync attacks, Trend Micro patches a zero-day, and the Salesforce data breaches continue.

Risky Business #801 -- AI models can hack well now and it's weirding us out

Amberleigh Jack — Wed, 06 Aug 2025 15:24:55 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news. Google security engineering VP Heather Adkins drops by to talk about their AI bug hunter, and Risky Business producer Amberleigh Jack makes her main show debut. This episode explores the rise of AI-powered bug hunting: * Google's Project Zero and Deepmind team up to find and report 20 bugs to open source projects * The XBOW AI bug hunting platform sees success on HackerOne * Is an AI James Kettle on the horizon? There's also plenty of regular cybersecurity news to discuss: * On-prem Sharepoint's codebase is maintained out of China… awkward! * China frets about the US backdooring its NVIDIA chips, how you like ‘dem apples, China? * SonicWall advises customers to turn off their VPNs * Hardware controlling Dell laptop fingerprint and card readers has nasty driver bugs * Russia uses its ISPs to in-the-middle embassy computers and backdoor 'em. * The Russian government pushes VK's Max messenger for everything This week's show is sponsored by device management platform Devicie. Head of Solutions Sean Ollerton talks through the impending Windows 10 apocalypse, as Microsoft ends mainstream support. He says Windows 11 isn't as scary as people make out, but if the update isn't on your radar now, time is running out. This episode is also available on [Youtube](https://youtu.be/jX0V5J9g1TQ).

Risky Bulletin: Russia's war on foreign software continues

Catalin Cimpanu — Wed, 06 Aug 2025 11:11:28 +1000

Russian companies must migrate to domestic ERP systems; A Thai hospital gets fined over the the dumbest data breach ever; Ohio’s public sector will have to approve ransom payments in public; ...and Chanel and Cisco disclose data breaches.

Between Two Nerds: The Aeroflot hack

The Grugq — Tue, 05 Aug 2025 07:13:46 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq dissect the Belarusian Cyber Partisans hack of Russian airline Aeroflot. Despite the short-term impact, the airline will likely bounce back quite quickly. But it is still a big win for the Cyber Partisans. This episode is also available on [Youtube](https://youtu.be/WeLvVS1X-Y4).

Risky Bulletin: China with the accusations again

Catalin Cimpanu — Mon, 04 Aug 2025 12:10:37 +1000

China accuses the US of new cyberattacks, a $14.5b crypto hack discovered five years later, the US National Cyber Director is named, and Lovense considers legal action over a security flaw disclosure.

Soap Box: Why AI can't fix bad security products

Patrick Gray — Fri, 01 Aug 2025 13:37:33 +1000

In this Soap Box edition of the show Patrick Gray chats with the CEO of email security company Sublime Security, Josh Kamdjou. They talk about where AI is useful, where it isn't, and why AI can't save vendors from their bad product design choices. This episode is also available on [Youtube](https://youtu.be/7g1BGIBxHPs).

Risky Bulletin: Russia spies on local embassies via ISPs

Catalin Cimpanu — Fri, 01 Aug 2025 13:36:01 +1000

Russia spies on local embassies via ISPs, a Canadian man jailed for stealing Internet Apes, Signal threatens to leave Australia, and Russian pharmacies go down after a cyberattack.

Srsly Risky Biz: The West's tepid China deterrence is not working

Amberleigh Jack — Thu, 31 Jul 2025 11:33:22 +1000

Tom Uren and Amberleigh Jack talk about how recent SharePoint exploitation is a blow-by-blow repeat of the 2021 Microsoft Exchange mass compromise event. The international response to that clearly didn't deter Chinese hackers, so it is time to try something different. They also talk about recent cases where outsourcing IT services has come with increased risk. Convenient, cheap, secure, pick any two. This episode is also available on [Youtube](https://youtu.be/4Q-f-eelYVw).

Risky Business #800 — The SharePoint bug may have leaked from Microsoft MAPP

Adam Boileau — Wed, 30 Jul 2025 14:49:20 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Did the SharePoint bug leak out of the Microsoft MAPP program? * Expel retracts its FIDO bypass writeup * The mess surrounding the women-only dating-safety app Tea gets worse * Broadcom customers struggle to get patches for VMWare hypervisor escapes * Aeroflot gets hacked by the Cyber Partisans, disrupting flights This week's episode is sponsored by Push Security. Daniel Cuthbert joins and explains how having telemetry about identity from inside the browser is a key pillar for investigating intrusions in the browser-centric future. This episode is also available on [Youtube](https://youtu.be/ABIwfZiZwqo).

Risky Bulletin: Russia's Aeroflot cancels flights after hack

Catalin Cimpanu — Wed, 30 Jul 2025 11:10:58 +1000

Russia’s national airline cancels more than 100 flights following a cyberattack, the FBI seizes $2.4 million from the Chaos ransomware, Kazakhstan arrests a ransomware suspect, and Kyrgyzstan nationalizes internet access.

Risky Bulletin: Microsoft investigates MAPP leak

Catalin Cimpanu — Mon, 28 Jul 2025 09:41:51 +1000

Microsoft investigates a MAPP leak as the source of the SharePoint zero-day, US law enforcement takes down the BlackSuit ransomware portal, an Arizona woman is imprisoned for running a North Korean laptop farm, and Allianz life insurance suffers a security breach.

Risky Bulletin: Microsoft rolls out linkable token identifiers to help IR teams

Catalin Cimpanu — Fri, 25 Jul 2025 14:09:08 +1000

Microsoft rolls out better logging for incident responders, the SharePoint hacking spree hits major US agencies, Ukraine arrests the admin of a well-known hacking forum, and China launches a national Digital ID system.

Risky Business #799 -- Everyone's Sharepoint gets shelled

Adam Boileau — Wed, 23 Jul 2025 15:53:42 +1000

Risky Biz returns after two weeks off, and there sure is cybersecurity news to catch up on. Patrick Gray and Adam Boileau discuss: * Microsoft tried to make outsourcing the Pentagon's cloud maintenance to China okay (it was not) * She shells Sharepoint by the sea-shore (by 'she' we mean 'China') * Four (alleged) Scattered Spider members arrested (and bailed) in the UK * Hackers spend $2700 to buy creds for a Brazilian payment system, steal $100M * Fortinet has SQLI in the auth header, Citrix mem leak is weaponised, HP hardcodes creds and Sonicwalls get user-moderootkits. Just security vendor things! This week's episode is sponsored by Airlock Digital. CEO David Cottingham talks through what it takes to build a mature, resilient management platform for a security critical system. This episode is also available on [Youtube](https://youtu.be/Xs3q4LG5yvg).

Risky Bulletin: Three Chinese APTs are behind the SharePoint zero-day attacks

Catalin Cimpanu — Wed, 23 Jul 2025 09:40:13 +1000

Three Chinese APTs are behind the recent SharePoint zero-day attacks, the UK wants to ban the public sector from paying ransoms, Russia takes down a malware operation, and South Korea charges airline employees over selling celebrity data.

Between Two Nerds: How China's cyber militia make sense

The Grugq — Tue, 22 Jul 2025 07:45:44 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss whether China's 'cyber militia' make sense and what they could be good for. This episode is also available on [Youtube](https://youtu.be/XPpp9SKQfcQ).

Risky Bulletin: Iranian security firm behind airline hacking spree

Catalin Cimpanu — Mon, 21 Jul 2025 10:54:47 +1000

An Iranian security firm is behind an airline hacking spree, Chinese hackers breach Singapore's critical infrastructure, new SharePoint and CrushFTP zero-days are being used in the wild, and Japan releases free ransomware decrypters.

Risky Bulletin: New phishing technique bypasses FIDO keys

Catalin Cimpanu — Fri, 18 Jul 2025 13:42:35 +1000

Hackers bypass FIDO keys with a new phishing technique, a mobile surveillance vendor deploys an SS7 exploit, ransomware hits South Korea's largest insurance provider, and law enforcement agencies dismantle a pro-Kremlin DDoS group.

Srsly Risky Biz: Spain leaves key under mat for Huawei

Amberleigh Jack — Thu, 17 Jul 2025 12:56:16 +1000

Tom Uren and Amberleigh Jack talk about Huawei's contract to manage storage for Spain's lawful intercept system. News broke this week that Spain had signed a €12 million contract, but it turns out Huawei has been involved in the system since 2004! They also discuss arrests in the UK of four individuals associated with Scattered Spider. The criminal resumés of two of the suspects support the idea that there are key individuals with outsize impact. But they also reinforce that the online communities they are involved in act as training grounds for cyber criminals. Arrests will slow hacks, not stop them. This episode is also available on [Youtube](https://youtu.be/zUtIsanHbe4).

Risky Bulletin: China breaches US National Guard

Catalin Cimpanu — Wed, 16 Jul 2025 12:10:02 +1000

Salt Typhoon breaches a US state's National Guard, Ukrainian hackers wipe the servers of a Russian drone maker, the UK relocates Afghans caught up in a data leak, and Microsoft outsources some US government work to China.

Between Two Nerds: Is US cyber espionage too careful?

The Grugq — Tue, 15 Jul 2025 06:24:20 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine whether US cyber operations are too stealthy. Could they get more bang for the buck if they adopted a devil may care attitude to getting busted? This episode is also available on [Youtube](https://youtu.be/RAVsR95GE1I).

Risky Biz Soap Box: Prowler, the open cloud security platform

Patrick Gray — Tue, 15 Jul 2025 06:15:09 +1000

In this sponsored Soap Box edition of the Risky Business podcast Patrick Gray chats with Toni de la Fuente, founder of open source multi-cloud security product Prowler. Toni explains how Prowler came to be, and how its journey followed his own learning about the cloud. The pair also discuss Prowler's successful transition from an open-source project into a community, and now a growing business with an as-a-service platform. This episode is also available on [Youtube](https://youtu.be/JR9t9nRlatA).

Risky Bulletin: Radio equipment vulnerability can bring trains to sudden stops

Catalin Cimpanu — Mon, 14 Jul 2025 11:00:48 +1000

A radio equipment vulnerability can bring trains to sudden stops, researchers prevent a Lazarus crypto attack, Spain hands Huawei control over its phone wiretapping system, and CISA warns of ongoing CitrixBleed 2 attacks.

Risky Bulletin: Two billion eSIMs receive crucial security patch

Catalin Cimpanu — Fri, 11 Jul 2025 13:50:22 +1000

Two billion eSIMs receive crucial security patches, China's cyber militias go on the offensive, four Scattered Spider members detained over UK retail attacks, and a Russian basketball player is arrested in a ransomware case.

Srsly Risky Biz: Four key players drive Scattered Spider

Amberleigh Jack — Thu, 10 Jul 2025 12:01:59 +1000

Tom Uren and Amberleigh Jack talk about our developing understanding of the group that people call Scattered Spider. Independent security firms agree that there are a small number of key people that are driving the group's outrageous success. That gives us hope that targeted action might stem the bleeding. They also talk about data leaks from China's cyber espionage ecosystem that are for sale on a data leak site. These look to contain actionable information from a counterintelligence point of view. And Tom wonders if a market for espionage-as-a-service will develop? This episode is also available on [Youtube](https://youtu.be/C0UHoedldhQ).

Risky Bulletin: Chinese APT member arrested in Italy

Catalin Cimpanu — Wed, 09 Jul 2025 14:00:31 +1000

Italy arrests a Chinese APT hacker, a Russian drone software group gets wiped, the SatanLock ransomware operation shuts down, and browser extensions power a web scraping botnet.

Between Two Nerds: The opportunity in Asia

The Grugq — Tue, 08 Jul 2025 07:20:17 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how there is an opportunity for the US to expand its 0day and talent acquisition pool to Asia. They revisit a paper comparing the Chinese and American 0day acquisition strategies and have some quibbles. This episode is also available on [Youtube](https://youtu.be/XoCVcdLC2WU).

Risky Bulletin: Chinese researchers claim to find new North American APT

Catalin Cimpanu — Mon, 07 Jul 2025 10:56:20 +1000

Chinese security researchers claim to have found a new American APT, the SEC and SolarWinds are seeking a settlement, a company insider was behind Brazil's bank hack, and Luis Vuitton discloses a security breach.

Risky Bulletin: Hunters International ransomware shuts down, releases decryption keys

Catalin Cimpanu — Fri, 04 Jul 2025 13:57:03 +1000

A ransomware operation shuts down and releases free decryption keys, the FBI investigates a ransomware negotiator for taking kickbacks, Spain arrests two over government hacks, and hackers steal $185 million from Brazilian financial institutions.

Srsly Risky Biz: Why Iran is a scaredy cat cyber chicken

Patrick Gray — Thu, 03 Jul 2025 12:05:09 +1000

Tom Uren and Patrick Gray discuss warnings about Iranian cyber attacks on US critical infrastructure. Despite many many warnings, there have been no actual attacks and they discuss the reasons why Iran would want to avoid escalatory cyber attacks. They also talk about how the FBI is struggling to deal with the democratisation of surveillance and data analysis, what the agency calls Ubiquitous Technical Surveillance (UTS). A Department of Justice audit of the FBI's response finds the threat from UTS is real and that sources have been murdered. But it seems that the FBI just doesn't care. This episode is also available on [Youtube](https://youtu.be/YRo2r8oqr3w).

Risky Business #798 -- Mexican cartel surveilled the FBI to identify, kill witnesses

Adam Boileau — Wed, 02 Jul 2025 14:54:27 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Australian airline Qantas looks like it got a Scattered Spider-ing * Microsoft works towards blunting the next CrowdStrike disaster * Changes are coming for Microsoft's default enterprise app consenting setup * Synology downplays hardcoded passwords for its M365 cloud backup agent * The next Citrix Netscaler memory disclosure looks nasty * Drug cartels used technical surveillance to find, fix and finish FBI informants and witnesses This week's episode is sponsored by RAD Security. Co-founder Jimmy Mesta joins to talk through how they use AI automation to assess the security posture of sprawling cloud environments. This episode is also available on [Youtube](https://youtu.be/mpu3prpQrOU).

Risky Bulletin: The US sanctions another Russian bulletproof hosting provider

Catalin Cimpanu — Wed, 02 Jul 2025 13:58:30 +1000

The US sanctions another Russian bulletproof hosting provider, the International Criminal Court discloses a security breach, the US dismantles 29 North Korean laptop farms, and a Chinese student gets jailed in the UK for SMS blasting.

Between Two Nerds: Microsoft embraces digital sovereignty

The Grugq — Tue, 01 Jul 2025 07:49:39 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how Microsoft has embraced digital sovereignty and is bending over backwards to satisfy European tech supply chain concerns. This episode is also available on [Youtube](https://youtu.be/t6X_0fQ9504).

Risky Bulletin: Scattered Spider targets the aviation sector

Catalin Cimpanu — Mon, 30 Jun 2025 12:02:27 +1000

The Scattered Spider group targets the aviation sector, Russia throttles traffic from Cloudflare, a Mexican cartel hired hackers to track an FBI official, and Canada tells Hikvision to cease operations.

Risky Bulletin: Phishers abuse forgotten Direct Send feature

Catalin Cimpanu — Fri, 27 Jun 2025 09:57:37 +1000

A phishing group abuses a forgotten Exchange Online feature, a patient's death is linked to the Synnovis ransomware attack, France arrests the BreachForums leadership, and Microsoft offers free Windows 10 Extended Security Updates … with a catch.

Srsly Risky Biz: Comparing Chinese and American 0day pipelines

Patrick Gray — Thu, 26 Jun 2025 12:37:35 +1000

Tom Uren and Patrick Gray talk about a new report that compares Chinese and American 0day pipelines. The US is narrowly focussed on acquiring exquisitely stealthy and reliable exploits, while China casts a far broader net. That was fine in the past, but as 0days get harder and harder to find, the report argues that the US needs to change the way it goes about getting them. The pair also talk about Cyber Command supporting the US bomb strikes against Iranian nuclear facilities. We like to believe in magic cyber capabilities, but we suspect the truth was far more mundane in this case. This episode is also available on [Youtube](https://youtu.be/e8lXBbRGcqU).

Risky Business #797 -- Stuxnet vs Massive Ordnance Penetrators

Adam Boileau — Wed, 25 Jun 2025 14:48:25 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * We roll our eyes over the "16 billion credentials" leak hitting mainstream news * Some interesting cyber angles emerge from the conflict in Iran * Opensource maintainer of libxml2 is fed up with this hacker crap * Shockingly, there are yet more ways to trick people into pasting commands into Windows * Veeam "patches" its backup software RCE like it’s 2002 … by breaking the public PoC This week's episode is sponsored by Internet-wide honeypot reconnaissance platform, Greynoise. Founder Andrew Morris joins to talk about their journey spotting Chinese ORB-builders hacking thousands of ASUS routers, and why they're destined for the woodchipper. This episode is also available on [Youtube](https://youtu.be/CHiBh88nrtQ).

Risky Bulletin: Hackers breach Norwegian dam, open valve at full capacity

Catalin Cimpanu — Wed, 25 Jun 2025 13:47:41 +1000

Hackers fully open a valve at a Norwegian dam, the US house bans WhatsApp on staff devices, Russia wants to build a national IMEI database, and four REvil members are released after time served.

Between Two Nerds: The evil genius of Predatory Sparrow

The Grugq — Tue, 24 Jun 2025 07:05:08 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq dive into the motivations and actions of Predatory Sparrow, a purported hacktivist group that has been attacking Iran for the last five years and has leapt into the Iran-Israel war. This episode is also available on [Youtube](https://youtu.be/WtET19NktXs).

Risky Bulletin: White House rejects nominee for NSA & CyberCom leader

Catalin Cimpanu — Mon, 23 Jun 2025 13:04:44 +1000

The White House rejects the Pentagon’s nominee for NSA & CyberCom leader, the FCC probes the US Cyber Trust Mark program, a cyberattack disrupts Russia's animal products industry, and hackers leak data about everyone in Paraguay.

Risky Bulletin: Russian hackers abuse app-specific passwords to bypass MFA

Catalin Cimpanu — Fri, 20 Jun 2025 13:48:25 +1000

Russian hackers abuse app-specific passwords to bypass multi-factor, the tenth Salt Typhoon victim is identified, Predatory Sparrow destroys $90 million from an Iranian crypto-exchange, and Argentina arrests a Russian disinfo gang.

Srsly Risky Biz: Data brokers are a killer's best friend

Patrick Gray — Thu, 19 Jun 2025 12:50:23 +1000

Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran's financial system including a bank associated with the Iranian Revolutionary Guard Corp and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange This episode is also available on [Youtube](https://youtu.be/tV70I3RiArw).

Risky Business #796 -- With special guest co-host Chris Krebs

Chris Krebs — Wed, 18 Jun 2025 14:43:47 +1000

On this week’s show Patrick Gray and Adam Boileau are joined by special guest Chris Krebs to discuss the week’s cybersecurity news. They talk through: * Israeli "hacktivists" take out an Iranian state-owned bank * Scattered-spider and friends pivot into attacking insurers * Securing identities in a cloud-first world keeps us awake at night * Microsoft takes the "aas" out of SaaS for Europe, leaving us with just software! * An AI prompt injection into M365 exfils corporate data This week's episode is sponsored by Kroll's Cyber practice. Kroll Cyber Associate Managing Director George Glass is based in London and talks through his experiences helping organisations in the UK deal with the Scattered Spider attacks. This episode is also available on [Youtube](https://youtu.be/3wfVQywhIHs).

Risky Bulletin: Israel-linked hackers claim Iran bank disruption

Catalin Cimpanu — Wed, 18 Jun 2025 14:14:42 +1000

An Israeli-linked hacktivist group claims attack on Iranian bank, Chrome gets a new prompt to prevent local network attacks, a Century-old German napkin company goes under following ransomware attack, and Europol takes down the Archetyp dark web market.

Between Two Nerds: Why modern influence operations suck

The Grugq — Tue, 17 Jun 2025 07:51:51 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq take a look at a new AI-powered covert influence campaign and compare it to World War 2 efforts. This episode is also available on [Youtube](https://youtu.be/IArf0gZr3P8).

Risky Bulletin: Washington Post email accounts hacked

Catalin Cimpanu — Mon, 16 Jun 2025 13:05:14 +1000

Email accounts compromised at the Washington Post, shady email provider Cock.li gets hacked, hackers steal data from a French university, and the EU invests €145 million in hospital cybersecurity.

Soap Box: AI has entered the SOC, and it ain't going anywhere

Patrick Gray — Mon, 16 Jun 2025 11:40:56 +1000

In this sponsored Soap Box edition of the Risky Business podcast Patrick Gray chats with Dropzone AI founder Ed Wu about the role of LLMs in the SOC. The debate about whether AI agents are going to wind up in the SOC is over, they've already arrived. But what are they good for? What are they NOT good for? And where else will we see AI popping up in security? This episode is also available on [Youtube](https://youtu.be/mGU4pliTV5w).

Risky Bulletin: Predator spyware alive despite US sanctions

Catalin Cimpanu — Fri, 13 Jun 2025 13:51:39 +1000

Intellexa is alive and well despite US sanctions, Paragon spyware used a zero-click iMessage exploit, South Korea's largest online bookstore gets ransomwared, and law enforcement takes down several cybercrime operations.

Srsly Risky Biz: Trump scales back Biden product security demands

Patrick Gray — Thu, 12 Jun 2025 15:13:48 +1000

Tom Uren and Patrick Gray talk about how a Trump executive order has scaled back the government's cyber security ambitions. The carrots and sticks that would have been used to encourage organisations to adopt stricter security standards are gone. They also discuss North Korea's use of AI in its IT worker scam and the emergence of espionage-as-a-service... perhaps. This episode is also available on [Youtube](https://youtu.be/DljPq6IvjM8).

Risky Business #795 -- How The Com is hacking Salesforce tenants

Adam Boileau — Wed, 11 Jun 2025 14:57:30 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * New York Times gets a little stolen Russian FSB data as a treat * iVerify spots possible evidence of iOS exploitation against the Harris-Walz campaign * Researcher figures out a trick to get Google account holders' full names and phone numbers * Major US food distributor gets ransomwared * The Com's social engineering of Salesforce app authorisations is a harbinger of our future problems * Australian Navy forgets New Zealand has computers, zaps Kiwis with their giant radar. This week's episode is sponsored by identity provider Okta. Long-time friend of the show Alex Tilley is Okta's Global Threat Research Coordinator, and he joins to discuss how organisations can use both human and technical signals to spot North Koreans in their midst. This episode is also available on [Youtube](https://youtu.be/elVFqcIWphQ).

Risky Bulletin: SentinelOne dodges a Chinese APT hack

Catalin Cimpanu — Wed, 11 Jun 2025 14:05:48 +1000

SentinelOne dodges a Chinese APT hack, anonymous sources point to more Salt Typhoon victims, a cyberattack disrupts grocery deliveries in the US, and 140 arrested in Kazakhstan for selling citizens' data.

Between Two Nerds: How Russia's sabotage team got into hacking

The Grugq — Tue, 10 Jun 2025 06:10:02 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq take a look at the hackers of Unit 29155, Russian military intelligence's sabotage and assassination group. This episode is also available on [Youtube](https://youtu.be/ZozUhgJRAZ0).

Risky Bulletin: EU launches its own DNS service

Catalin Cimpanu — Mon, 09 Jun 2025 10:33:03 +1000

The EU launches its own DNS service, Trump revises previous administrations’ cyber executive orders, a supply chain attack hits popular NPM packages, and mysterious iOS attacks spotted in the wild.

Risky Bulletin: APTeens go after Salesforce data

Catalin Cimpanu — Fri, 06 Jun 2025 13:28:23 +1000

A hacking group goes after Salesforce data, the FBI takes down the BidenCash carding forum, China offers rewards for Taiwanese military hackers, and high risk bugs are patched in enterprise software from HPE and Infoblox.

Srsly Risky Biz: Law Enforcement Is Finally Making Progress on Ransomware

Patrick Gray — Thu, 05 Jun 2025 11:04:43 +1000

Tom Uren and Patrick Gray talk about how Operation Endgame, the multinational law enforcement effort to tackle ransomware is approaching the problem holisitically. It's tackling the enablers of ransomware and although it won't eliminate the crime, it'll make it harder for criminals. They also discuss the spyware app that helped to dismantle the Syrian regime, at least maybe a little bit, and how Russian military intelligence's sabotage and assasination unit got into cyber operations. This episode is also available on [Youtube](https://youtu.be/5ZiO7LrRIlU).

Risky Business #794 -- Psychic Panda outgunned by Fluffy Lizard and UNC56728242

Adam Boileau — Wed, 04 Jun 2025 14:56:13 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Cyber firms agree to deconflict and cross-reference hacker group names * Russian nuclear facility blueprints gathered from public procurement websites * Someone audio deepfaked the White House Chief of Staff, but for the dumbest reasons * Germany identifies the Trickbot kingpin * Google spots China's MSS using Calendar events for malware C2 * Meta apps abuse localhost listeners to track web sessions. This week's episode is sponsored by automation vendor Tines. Its Field CISO, Matt Muller, joins the show to discuss an open letter penned by JP Morgan Chase's CISO that pleads with Software as a Service suppliers to try to suck less at security. This episode is also available on [Youtube](https://youtu.be/tvzh7GacC3A).

Risky Bulletin: Syrian Army infected with spyware before regime collapse

Catalin Cimpanu — Wed, 04 Jun 2025 11:16:53 +1000

A spyware app infected the Syrian Army's soldiers before the regime collapsed, NSO appeals its WhatsApp verdict, Chrome and Qual-comm patch zero-days, and an Emergency services information sharing group shuts down;

Between Two Nerds: NSA's thinking on information warfare

The Grugq — Tue, 03 Jun 2025 07:00:35 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at NSA's take on information warfare, all the way back from 1997. This episode is also available on [Youtube](https://youtu.be/onLjkeW6RI4).

Risky Bulletin: Law enforcement takes down AVCheck

Catalin Cimpanu — Mon, 02 Jun 2025 13:51:38 +1000

Law enforcement agencies take down A-V-Check, four US Senators urge for the reinstatement of the Cyber Safety Review Board, Germany identifies the leader of the TrickBot gang, and an AI-vibe-coding platform leaks user data and API keys.

Risky Bulletin: Windows Update will patch third party apps

Catalin Cimpanu — Fri, 30 May 2025 13:04:10 +1000

Windows Update will deliver third party app updates, a public database exposed Russia's nuclear secrets, US banks ask the SEC to rescind cyber breach disclosure rule, and ConnectWise discloses an APT breach.

Srsly Risky Biz: Russia's cybercriminals and spies are officially in cahoots

Patrick Gray — Thu, 29 May 2025 11:58:57 +1000

Tom Uren and Patrick Gray talk about Russian DanaBot malware developers making a tailored variant of their malware specifically for espionage. This fills in some of the blanks on the exact relationship between Russian criminals and the country's intelligence services. They also discuss a US Director of National Intelligence initiative to centralise the purchase of commercially acquired information. Although this information can be used maliciously, having a one-stop-shop should make it easier to check that it is being used responsibly. This episode is also available on [Youtube](https://youtu.be/bAfWUjAAVyA).

Risky Business #793 -- Scattered Spider is hijacking MX records

Adam Boileau — Wed, 28 May 2025 14:56:57 +1000

In this week's edition of Risky Business Dmitri Alperovitch and Adam Boileau join Patrick Gray to talk through the week's news, including: * EXCLUSIVE: A Scattered Spider-style crew is hijacking DNS MX entries and compromising enterprises within minutes * The SVG format brings the all horrors of HTML+JS to image files, and attackers have noticed * Brian Krebs eats a 6.3Tbps DDoS … 'cause that's how you demo your packet cannon * Law enforcement takes out Lumma Stealer, Qakbot, Danabot and some dark web drug traffickers * Iranian behind 2019 Baltimore ransomware mysteriously appears in North Carolina and pleads guilty * CISA's leadership is fleeing in droves, even though the US needs them more than ever. This week's episode is sponsored by Thinkst Canary. Long time friend of the show Haroon Meer joins and talks through where he feels the industry is at, having just returned home from the AI-fueled hype at this year's RSA conference. This episode is also available on [Youtube](https://youtu.be/VDk__mgXCH4).

Risky Bulletin: Dutch intelligence discovers a new Russian APT

Catalin Cimpanu — Wed, 28 May 2025 12:23:57 +1000

Dutch intelligence discovers a new Russian APT, a ransomware attack hits the maker of MATLAB, 20 arrested in Nigeria over hacking exam results, and an Iranian pleads guilty for the Robbinhood ransomware attacks.

Between Two Nerds: Cyber's hard problems

The Grugq — Tue, 27 May 2025 08:12:22 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about cyber's 'hard problems' and why they are intractable. This episode is also available on [Youtube](https://youtu.be/MmGLTP4QwDw).

Risky Bulletin: Major CISA leadership exodus underway

Catalin Cimpanu — Mon, 26 May 2025 12:33:41 +1000

A major exodus of leadership is underway at CISA, the US government will audit NIST over its vulnerability backlog; an ancient and mysterious APT has been linked to Spain's government, and the SVG image format is great for phishing.

Risky Bulletin: DanaBot and Lumma Stealer taken down

Catalin Cimpanu — Fri, 23 May 2025 13:11:19 +1000

Law enforcement takes down the DanaBot and Lumma Stealer malware operations, the US government wants a centralized data broker platform, Turkey dismantles a Chinese IMSI catcher spy ring, and Russia hacked border cameras to track Ukrainian military aid.

Srsly Risky Biz: Telegram is cooperating with authorities, for now

Patrick Gray — Thu, 22 May 2025 12:03:15 +1000

Tom Uren and Patrick Gray talk about how Telegram took down the two largest ever criminal marketplaces recently. They used Telegram for all their communications and had collectively sold over USD$30 billion in illicit products. The pair discuss why Telegram is now cooperating with authorities after historically being reluctant and whether this assistance will continue. They also discuss how Meta is awash with scam advertisements and how Chinese mobile app encryption is suspiciously awful. This episode is also available on [Youtube](https://youtu.be/NM83OZko0Ww).

Risky Business #792 -- Beware, Coinbase users. Crypto thieves are taking fingers now

Adam Boileau — Wed, 21 May 2025 14:21:26 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * TeleMessage memory dumps show up on DDoSecrets * Coinbase contractor bribed to hand over user data * Telegram does seem to be actually cooperating with law enforcement * Britain's legal aid service gets 15 years worth of applicant data stolen * Shocking no one, Ivanti were weaseling when they blamed latest bugs on a third party library This week's episode is sponsored by Prowler, who make an open source cloud security tool. Founder and original project developer Toni de la Fuente joins to talk through the flexibility that open tooling brings. Prowler is also adding support for SaaS platforms like M365, and of course, an AI assistant to help you write checks! This episode is also available on [Youtube](https://youtu.be/https://youtu.be/naXPpXlBm2U).

Risky Bulletin: TeleMessage data published by DDoSecrets

Catalin Cimpanu — Wed, 21 May 2025 13:15:42 +1000

DDoSecrets archives 400GB of stolen TeleMessage data, the FBI closes its FISA watchdog office, Predatorgate lawsuit delayed due to interpreter shortage, and a wave of DDoS attacks disrupt Russian government portals.

Between Two Nerds: Why hackers and spies don't mix

The Grugq — Tue, 20 May 2025 08:52:16 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine what makes it hard for even competent hackers to contribute to state-backed espionage agencies. This episode is also available on [Youtube](https://youtu.be/dhEmrQKjWsk).

Risky Bulletin: Japan passes active cyber defense law

Catalin Cimpanu — Mon, 19 May 2025 10:09:17 +1000

Japan passes a new active cyber defense law, printer software gets shipped with malware, a UK telco leaks user data and geolocation via its 4G network, and Volkswagen patches major bugs in its mobile app.

Risky Bulletin: Coinbase reveals insider breach, extortion attempt

Catalin Cimpanu — Fri, 16 May 2025 14:06:06 +1000

Coinbase was extorted by hackers who bribed employees for user data, America’s largest steel producer halts production after a cyberattack, Scattered Spider shifts to targeting US retailers, and the US abandons plans to protect Americans from data brokers.

Risky Biz Soap Box: Push Security's browser-first twist on identity security

Patrick Gray — Fri, 16 May 2025 09:33:43 +1000

In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security. Push has built an identity security platform that collects identity information and events from your users' browsers. It can detect phish kits and shut down phishing attempts, protect SSO credentials, and find shadow/personal account that a user has spun up. It's extremely difficult to bypass. That's because when you're in the browser it doesn't matter how a phishing link arrives, or how a threat actor has concealed it from your detection stack -- if the user sees it, Push sees it. There are solutions for protecting your users SSO credentials, like passkeys. But what about all the SaaS in your environment? Even if it's enrolled into your SSO, are you sure that's how your users are authenticating to it? What about the automation platforms your developers and admins use? What about data platforms like Snowflake? Are your using setting up passkeys for those accounts? How would you know, and what problems can it cause if those accounts are vulnerable? This is a fun one! This episode is also available on [Youtube](https://youtu.be/yyq8kcWpRRU).

Srsly Risky Biz: Special guests Rob Joyce and Andy Boyd on offensive cyber

Patrick Gray — Thu, 15 May 2025 10:15:11 +1000

In this special edition of the Seriously Risky Business podcast Patrick Gray speaks with former NSA Cybersecurity Director Rob Joyce and former director of the CIA's Center for Cyber Intelligence Andy Boyd. The talk about what offensive cyber could look like under Trump 2.0, and the shake-up the intelligence community is going through under various White House initiatives. This episode is also available on [Youtube](https://youtu.be/TUgbPlzoCcA).

Risky Business #791 -- Woof! Copilot for Sharepoint coughs up creds and keys

Adam Boileau — Wed, 14 May 2025 14:47:37 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Struggling to find that pesky passwords.xlsx in Sharepoint? Copilot has your back! * The ransomware ecosystem is finding life a bit tough lately * SAP Netweaver bug being used by Chinese APT crew * Academics keep just keep finding CPU side-channel attacks * And of course… bugs! Asus, Ivanti, Fortinet… and a Nissan LEAF? This week's episode is sponsored by Resourcely, who will soothe your Terraform pains. Founder and CEO Tracis McPeak joins to talk about how to get from a very red dashboard full of cloud problems to a workable future. This episode is also available on [Youtube](https://youtu.be/eShq_dvwWiA).

Risky Bulletin: EU launches its own vulnerability database

Catalin Cimpanu — Wed, 14 May 2025 12:23:29 +1000

The EU launches its own vulnerability database, a Turkish APT deploys a zero-day in Iraq, North Korea tasks an APT to Ukraine, and Spain will probe cyber's role in last month's energy grid collapse.

Between Two Nerds: Should US spies steal Chinese commercial secrets?

The Grugq — Tue, 13 May 2025 08:02:48 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine whether the US should steal intellectual property from Chinese companies. This episode is also available on [Youtube](https://youtu.be/hWeDVhGr9Ro).

Risky Bulletin: Kaleidoscope ad fraud network infects 2.5m devices a month

Catalin Cimpanu — Mon, 12 May 2025 09:52:30 +1000

The Kaleidoscope ad fraud network infects 2.5 million devices a month, Germany seizes the eXch crypto-mixing service, the US takes down the Anyproxy botnet, and Chrome will use on-device AI to detect tech support scams.

Risky Bulletin: France says Russia's influence operations are achieving results

Catalin Cimpanu — Fri, 09 May 2025 12:49:32 +1000

France says Russia's influence operations are achieving results, Crowdstrike lays off 5% of its staff, a hacker dumps LockBit's ransomware database, and a ransomware attack slows production at a major US medical device maker.

Wide World of Cyber: How state adversaries attack security vendors

Alex Stamos — Fri, 09 May 2025 10:28:56 +1000

In this edition of the Wide World of Cyber podcast Patrick Gray talks to SentinelOne's Steve Stone and Alex Stamos about how foreign adversaries are targeting security vendors, including them. From North Korean IT workers to Chinese supply chain attacks, SentinelOne and its competitors are constantly fending off sophisticated hacking campaigns. This edition of the Wide World of Cyber was recorded in front of a live audience in San Francisco, with Patrick attending via Zoom. The Wide World of Cyber podcast series is a wholly sponsored co-production between SentinelOne and Risky Business Media. This episode is also available on [Youtube](https://youtu.be/vdxrU4XX8GQ).

Srsly Risky Biz: US Cyber Command to be unleashed

Patrick Gray — Thu, 08 May 2025 11:48:05 +1000

Tom Uren and Patrick Gray talk about how the US is planning to take the gloves off in cyberspace and conduct much more aggressive offensive cyber operations. US responses to cyber espionage have not been very aggressive to date, but Tom is not convinced that cyber punches are required, so much as blows that really hurt. The pair also discuss TeleMessage, the Signal clone the Trump cabinet has been using. The app managed to sidestep certification and assessment processes and ended up being used by various agencies in the US government. And the White House. It's a mystery how this happened. This episode is also available on [Youtube](https://youtu.be/Mge1nIjvmyM).

Risky Business #790 -- Bye bye Signal-gate, hello TeleMessage-gate

Adam Boileau — Wed, 07 May 2025 14:55:44 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * White House's off-brand Israeli Signal fork logs cleartext messages with hard coded creds while getting hacked (twice). Just … Wow. * Ransomware attacks on UK retailers are linked, and Marks & Spencer has it extra bad * After six years dormant, a Magento eCommerce platform backdoor comes to life * The North Korean IT worker scam is truly webscale * NSO group owes Meta $168m for hacking WhatsApp This week's episode is sponsored by vulnerability management wranglers, Nucleus Security. Aaron Unterberger joins to talk through the complexities of tracking vulnerabilities in cloud components - left to the source, right to the deployments, and …sideways into the sidecars? This week's show also features an excerpt from Pat's interview with Senator Mark Warner - [Scoot back one in your podcast feed](https://risky.biz/markwarner/) to check out the full chat, or find it on [Youtube](https://youtu.be/ZezjjoaYrQA). This episode is available on [Youtube](https://youtu.be/dM4TGUpMO-0) too.

Risky Bulletin: NSO ordered to pay Meta $167 million in WhatsApp lawsuit

Catalin Cimpanu — Wed, 07 May 2025 14:24:40 +1000

NSO Group ordered to pay Meta $167 million dollars, the White House tells N-S-A to cut 8% of its civilian staff, the US sanctions a Myanmar militia group leader for cyber scams, and one of the Nomad Bridge hackers gets arrested in Israel.

BONUS INTERVIEW: Senator Mark Warner on Signalgate, Volt Typhoon and tariffs

Patrick Gray — Tue, 06 May 2025 15:03:06 +1000

In this extended interview the Vice Chair of the Senate Select Committee on Intelligence, Senator Mark Warner, joins Risky Business host Patrick Gray to talk about: * The latest developments in the Signalgate scandal * Why America needs to be more aggressive in responding to Volt Typhoon * How tariffs are affecting American alliances * Why the Five Eyes alliance is sacrosanct This episode is available on [Youtube](https://youtu.be/ZezjjoaYrQA)

Between Two Nerds: How tools evolve

The Grugq — Tue, 06 May 2025 08:02:53 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about an in-depth report on a Ukrainian hacking control panel. The panel shows how the Ukrainian group thinks about hacking operations and the pair discuss why the report exists and what it achieves. This episode is also available on [Youtube](https://youtu.be/AKyvjh9eqrw).

Risky Bulletin: Trump admin's Signal clone gets hacked, messages exposed

Catalin Cimpanu — Mon, 05 May 2025 14:00:54 +1000

The Trump admin's Signal clone gets hacked, a six-year-old backdoor comes to life to hijack online stores, a Phishing kingpin identified as a 24-year-old Chinese man, and Ireland fines TikTok for transferring EU user data to China.

Risky Bulletin: New Microsoft accounts will be passwordless by default

Catalin Cimpanu — Fri, 02 May 2025 13:13:45 +1000

New Microsoft accounts will be passwordless by default, a Chinese APT is hijacking software updates, the US dominates EU cybersecurity market, and Commvault discloses a breach.

Srsly Risky Biz: Security vendors are constantly attacked

Patrick Gray — Thu, 01 May 2025 11:50:38 +1000

Tom Uren and Patrick Gray talk about a SentinelOne report about how it is constantly targeted by both cybercriminal and state-backed hackers. Security firms are high-value targets, so constant attacks on them are the new normal. They also discuss an article that calls Signal "a kind of dark matter of American politics and media". Many policy discussions occur on the app, and this explains the Trump administration's extensive use of the app. This episode is also available on [Youtube](https://youtu.be/zZf-Dar8jXM).

Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful

Adam Boileau — Wed, 30 Apr 2025 15:30:32 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * British retail stalwart Marks & Spencer gets cybered * South Korean telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat * It's a good exploit week! Bugs in Apple Airplay, SAP webservers, Erlang SSH and CommVault backups * Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then) * Anti-DOGE whistleblower sure sounds like he has a point This week's episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc's CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems. _Editors Note : Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don't look at how fresh that AAAA record in the DNS is, friends 😉_ This episode is also available on [Youtube](https://youtu.be/wke0U7WKI5o).

Risky Bulletin: French government grows spine, calls out Russian hacks

Catalin Cimpanu — Wed, 30 Apr 2025 14:17:47 +1000

The French government calls out Russian hacks for the first time, Marks & Spencer sends staff home after a ransomware attack, China accuses America of hacking a major cryptography provider, and AirBorne vulnerabilities impact Apple's AirPlay.

Between Two Nerds: Releasing the hounds on scam compounds

The Grugq — Tue, 29 Apr 2025 08:47:16 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the Southeast Asian criminal syndicates that run online scam compounds. Should organisations like US Cyber Command or the UK's National Cyber Force target these gangs with disruption operations? This episode is also available on [Youtube](https://youtu.be/ebDegtpEUbM).

Snake Oilers: LimaCharlie, Honeywell Cyber Insights, CobaltStrike and Outflank

Patrick Gray — Mon, 28 Apr 2025 14:44:34 +1000

In this edition of the Snake Oilers podcast, three sponsors come along to pitch their products: * [LimaCharlie](https://limacharlie.io/): A public cloud for SecOps * [Honeywell Cyber Insights](https://process.honeywell.com/us/en/products/ot-cybersecurity/cyber-insights): An OT security/discovery solution * [Fortra's CobaltStrike](https://www.fortra.com/offensive-security-tools) and [Outflank](https://www.outflank.nl/): Security tooling for red teamers This episode is also available on [Youtube](https://youtu.be/UZN4e-iiVLo).

Risky Bulletin: Top AI models all fall to new prompt injection technique

Catalin Cimpanu — Mon, 28 Apr 2025 13:37:58 +1000

A new prompt injection attack is effective against all the big AI models, Poland says Facebook is failing to remove malicious ads, Africa's largest telco discloses a security breach, and hackers breach Malaysian brokerage accounts.

Dropzone AI on AI's impact and role for SOC teams

Catalin Cimpanu — Mon, 28 Apr 2025 07:51:54 +1000

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Edward Wu, founder and CEO of Dropzone AI. Edward talks about the impact AI in modern-day SOC teams and how its role slowly becomes a force multiplier and productivity boost rather than workforce replacement.

Risky Bulletin: Cybercriminals stole more than $16 billion last year

Catalin Cimpanu — Fri, 25 Apr 2025 09:14:46 +1000

Cybercriminals stole more than $16 billion last year, Iran tries to hack an EU official, the Lazarus Groups pulls off a successful watering hole and zero-day attack, and WhatsApp adds new chat privacy features.

Srsly Risky Biz: When pig butcherers fly

Adam Boileau — Thu, 24 Apr 2025 12:50:44 +1000

Tom Uren and Adam Boileau talk about how scam compound criminal syndicates are responding to strong government action by moving operations overseas. It's good they are being affected, but they are shifting into new countries that don't have the ability to counter industrial-scale transnational organised crime. They also discuss CISA's Secure by Design initiative and that key people behind the program have left the organisation. Given prospective job cuts at CISA it is hard to see the initiative getting a lot of love, but international cyber security authorities should pick up the slack. This episode is also available on [Youtube](https://youtu.be/Zia1bzjySiw).

Risky Bulletin: Russian military personnel targeted with Android spyware

Catalin Cimpanu — Wed, 23 Apr 2025 13:02:43 +1000

Russian military personnel targeted with Android spyware, Trump defends Hegseth after second Signalgate scandal, CISA’s Secure by Design leaders depart the agency, and forced-labour cyber scam compounds expand globally.

Between Two Nerds: The fate of nations

The Grugq — Tue, 22 Apr 2025 07:56:17 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss whether cyber operations can be 'strategic', that is, can they affect the fate of nations. This episode is also available on [Youtube](https://youtu.be/LLVSA4ojO2Y).

Risky Bulletin: Crypto-thieves abuse Zoom's remote control feature

Catalin Cimpanu — Mon, 21 Apr 2025 13:08:49 +1000

Zoom has a remote control feature so of course crypto thieves are abusing it, hackers make $700 million in unauthorised stock trades, a Chinese APT leaks its exploits and Euro MPs traveling to Hungary are offered anti-spying pouches for their phones.

Risky Bulletin: Chris Krebs resigns, vows to fight

Catalin Cimpanu — Fri, 18 Apr 2025 13:48:42 +1000

Chris Krebs resigns from SentinelOne and vows to fight, the Thai army and police doxed pro-democracy dissidents, CISA extends MITRE's CVE contract, and Apple patches two iOS zero-days.

Snake Oilers: Pangea, Cosive and Sysdig

Patrick Gray — Thu, 17 Apr 2025 15:15:58 +1000

In this edition of Snake Oilers three vendors pitch host Patrick Gray on their tech: * Pangea: Guardrails and security for AI agents and applications (https://pangea.cloud) Worried about your AI apps going rogue, being mean to your customers or even disclosing sensitive information? Pangea exists to address these risks. Fascinating stuff. * Cosive: A threat intelligence company that can host your MISP server in AWS. CloudMISP! (https://www.cosive.com/capabilities/cloud-misp) Are you running a MISP server on some old hardware under a desk in your SOC? There's a better way! Cosive can run it for you on AWS so you can just use it instead of wrestling with maintaining it. They also do some CTI consulting to help you get better use out of MISP. * Sysdig: A Linux runtime security platform (https://sysdig.com/) The modern Windows network is an all-singing, all-dancing, perfectly orchestrated, EDR-protected ballet. The modern Linux production environment... isn't. Find out how Sysdig can help you get some visibility and control over your Linux fleet. This episode is also available on [Youtube](https://youtu.be/Q1mdNlVRnBo).

Srsly Risky Biz: Trump vs Krebs and the sound of silence

Patrick Gray — Thu, 17 Apr 2025 13:45:33 +1000

Tom Uren and Patrick Gray discuss Trump's order singling out Chris Krebs, former head of CISA, that requires investigations into Krebs and also punishes his employer. It is a move deliberately designed to chill dissent and they look at what the cyber security industry will likely do in response, which is probably not much. The pair also discuss what is being interpreted as an admission that Chinese senior leadership is behind the Volt Typhoon hacking of US critical infrastructure. This episode is also available on [Youtube](https://youtu.be/1oSJb-9sAa0).

Risky Business #788 -- Trump targets Chris Krebs, SentinelOne

Patrick Gray — Wed, 16 Apr 2025 14:34:04 +1000

On this week's show Patrick Gray talks to former NSA Cybersecurity Director Rob Joyce about Donald Trump's unprecedented, unwarranted and completely bonkers political persecution of Chris Krebs and his employer SentinelOne. They also talk through the week's cybersecurity news, covering: * Mitre's stewardship of the CVE database gets its funding DOGE'd * The US signs on to the Pall Mall anti-spyware agreement * China tries to play the nationstate cyber-attribution game, but comedically badly * Hackers run their malware inside the Windows sandbox, for security against EDR This week's episode is sponsored by open source identity provider Authentik. CEO Fletcher Heisler joins to talk through the increasing sprawl of the identity ecosystem. This episode is also available on [Youtube](https://youtu.be/uXY_HouhZww).

Risky Bulletin: MITRE says funding risk could disrupt CVE database

Catalin Cimpanu — Wed, 16 Apr 2025 13:41:57 +1000

MITRE corporation says funding cuts will impact the CVE database, China accuses NSA employees of an Asian Winter Games hack, a ransomware attack disrupts dialysis clinics, the CA/Browser Forum will limit TLS certificate lifetime to 47 days, and 4chan gets hacked.

Between Two Nerds: Global critical infrastructure

The Grugq — Tue, 15 Apr 2025 10:25:35 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the idea of global critical infrastructure. One common example is submarine cables, which are globally important but are vulnerable because they are hard to defend. But what about services from tech giants? Are they global critical infrastructure? This episode is also available on [Youtube](https://youtu.be/KNo0cQtmWLk).

Risky Bulletin: China privately admits to hacking US

Catalin Cimpanu — Mon, 14 Apr 2025 10:40:56 +1000

China privately admits to hacking American critical infrastructure, the US Treasury was compromised by password spraying, America will sign a global spyware agreement after all, and a Chinese APT is abusing the Windows Sandbox to hide its malware.

Risky Bulletin: Trump orders investigation into former CISA director Chris Krebs

Catalin Cimpanu — Fri, 11 Apr 2025 13:19:41 +1000

Trump orders investigation into former CISA director Chris Krebs, the US DOJ disbands its crypto crime team, NSO hires a new lobby team, and researchers raise the alarm on something called "slopsquatting".

Wide World of Cyber: How the Trump admin is changing the cybersecurity landscape

Alex Stamos — Thu, 10 Apr 2025 15:03:10 +1000

In this podcast, Patrick Gray chats with SentinelOne's Chris Krebs and Alex Stamos about the huge changes afoot in the United States government and what they mean for the threat environment. From the director of NSA being fired to massive job cuts at CISA and huge foreign policy shifts, tomorrow's threat environment is going to be very different to today's. Tune in to hear analysis from two of the best in the business! This episode is also available on [Youtube](https://youtu.be/JPYtQseDoyQ).

Srsly Risky Biz: MAGA's NSA purge will get messy

Patrick Gray — Thu, 10 Apr 2025 12:13:45 +1000

Tom Uren and Patrick Gray discuss Trump's recent firing of General Timothy Haugh, the head of NSA and Cyber Command. Tom dives into the implications and thinks why this is not good news for the agencies. They also discuss Europe losing faith in the US intelligence commitments that underpin transatlantic data flows. That would be bad news for US tech companies. This episode is also available on [Youtube](https://youtu.be/fwXz27v6MB4).

Risky Business #787 -- Trump fires NSA director, CISA cuts inbound

Adam Boileau — Wed, 09 Apr 2025 15:30:07 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Oracle quietly cops to being hacked, but immediately pivots into pretending it didn't matter * NSA and CyberCom leaders fired for not being MAGA enough * US Treasury had some dusty corners it hadn't found China in yet, looked, found China in them * …which is a great time to discuss slashing CISA's staffing * Ransomware crews and bullet proof hosting providers are getting rekt, and we love it * And Microsoft patches yet another logging 0-day being used in the wild. This episode is sponsored by Yubico, makers of Yubikey hardware authentication tokens. Yubico's Vice President of Solutions Architecture and Alliances Derek Hanson joins to discuss how the consumer-centric passkey ecosystem has become a real challenge for enterprises. And one that Yubico is actually really ideally positioned to solve. This episode is also available on [Youtube](https://youtu.be/Pj707gEGrQs).

Risky Bulletin: Hackers leak data from major bulletproof hosting provider

Catalin Cimpanu — Wed, 09 Apr 2025 13:51:34 +1000

Hackers leak data from a major Russian bulletproof hosting provider, Australia deregisters 95 companies linked to cyber scams, the US Treasury gets hacked again, and Meta expands "teen accounts" to Facebook and Facebook Messenger.

Between Two Nerds: Feast or famine?

The Grugq — Tue, 08 Apr 2025 07:27:30 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the idea of 'false scarcities' in cyber security. Are bugs and talent rare? Or is our thinking blinkered? This episode is also available on [Youtube](https://youtu.be/4VtEp1BMpCI).

Risky Bulletin: Trump fires CyberCom and NSA head

Catalin Cimpanu — Mon, 07 Apr 2025 11:56:56 +1000

Trump fires NSA and CyberCom leadership, CISA looks likely to be halved in size, hackers hit Australian pension funds, and NIST gives up on old CVEs in its backlog.

Risky Bulletin: Android looks set to get its own Lockdown Mode

Catalin Cimpanu — Fri, 04 Apr 2025 13:11:13 +1100

Android looks set to get its own Lockdown Mode, China overhauls cybersecurity and privacy laws, a crypto platform gets hacked for $70 million dollars, and Greece's intel agency is set to hire more hackers.

Srsly Risky Biz: North Korean IT workers head to Europe

Patrick Gray — Thu, 03 Apr 2025 11:24:03 +1100

Tom Uren and Patrick Gray discuss how North Korean IT worker scam is shifting towards Europe and employing tactics that make it more dangerous. They also discuss why Signalgate was a massive security failure. We learnt this week that US cabinet members were in multiple Signal groups discussing different topics. Phone hacking is not uncommon, an adversary states will be able to take advantage of the intelligence in these conversations. This episode is also available on [Youtube](https://youtu.be/QkXN2fcKPj4).

Risky Business #786 -- Oracle is lying

Adam Boileau — Wed, 02 Apr 2025 14:40:25 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Yes, Oracle Health and Oracle Cloud did get hacked * The fallout from Signalgate continues * North Korean IT workers pivot to Europe * Honeypot data suggests a storm is brewing for Palo Alto VPNs * Canadian Anon gets arrested for hacking Texas GOP This week's episode is sponsored by Trail of Bits. Tjaden Hess, a Principal Security Engineer at Trail of Bits who specialises in cryptography, joins the show this week to talk about what a responsible crypto-currency exchange cold wallet setup looks like, and … contrasts that with Bybit. This episode is also available on [Youtube](https://youtu.be/DNAOwukOQi4).

Risky Bulletin: North Korean IT worker scams expand to Europe

Catalin Cimpanu — Wed, 02 Apr 2025 12:29:37 +1100

A North Korean IT worker scheme pivots to Europe after a US crackdown, 24,000 IPs are looking for Palo Alto Networks VPNs, Gmail rolls out end-to-end encrypted emails for enterprise users, and hackers steal over $100 million via Coinbase phishing.

Between Two Nerds: The 800 pound gorilla

The Grugq — Tue, 01 Apr 2025 07:35:26 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at all the strands of evidence that make people think NSA is a top-tier cyber actor. This episode is also available on [Youtube](https://youtu.be/1pwf9cV9BX0)

Risky Bulletin: Oracle's healthtech division hacked, customers extorted

Catalin Cimpanu — Mon, 31 Mar 2025 13:48:51 +1100

Oracle's Health Tech division gets hacked and its customers extorted, the Italian government admits it used Paragon to spy on an NGO, a WordPress feature is being abused to silently install malicious plugins, and the Dutch public prosecutor pulls systems offline after a cyber incident.

Risky Bulletin: France runs phishing test on 2.5 million students

Catalin Cimpanu — Fri, 28 Mar 2025 13:43:53 +1100

France runs a phishing test on 2 and a half million students, Google fixes a Chrome zero-day abused for espionage, China publishes new facial recognition rules, and the DragonForce ransomware group hacks two rivals.

Srsly Risky Biz: The Signalgate clown show

Patrick Gray — Thu, 27 Mar 2025 12:19:36 +1100

Tom Uren and Patrick Gray discuss how the Signalgate messages betray an alarming lack of security nous at the highest levels of the US natsec leadership. It's head-scratchingly bad. They also discuss the possibility the Trump Administration will reconstitute the CSRB. The Board wasn't perfect, but in our view it is better to get it started again rather than waiting for reviews to determine its perfect form. This episode is also available on [Youtube](https://youtu.be/n8YXiW8YrgI).

Soap Box: Knocknoc glues your SSO to your firewalls for Just-in-Time network access

Patrick Gray — Thu, 27 Mar 2025 10:48:45 +1100

In this Soap Box edition of Risky Business host Patrick Gray talks to Knocknoc CEO Adam Pointon about how to easily rein in attack surface by glueing your single sign-on service to your network controls. Do your Palo Alto and Fortinet devices really need to be discoverable by ransomware crews? Does your file transfer appliance need to be open to the whole world? What about your SSH and RDP? Your Citrix? Your (gasp) Exchange Online servers?? You can do a lot with IP allowlisting and simple Identity Aware Proxies (IAPs) to minimise your exposure. Knocknoc is a bit of a "Risky Business special", too. Pat helped Knocknoc to raise a seed round through Decibel Partners where he's a founder advisor. He also serves on Knocknoc's board of directors. This episode is also available on [Youtube](https://youtu.be/kPd85kW09oE).

Risky Business #785 -- Signal-gate is actually as bad as it looks

Adam Boileau — Wed, 26 Mar 2025 14:41:49 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Yes, the Trump admin really did just add a journo to their Yemen-attack-planning Signal group * The Github actions hack is smaller than we thought, but was targeting crypto * Remote code exec in Kubernetes, ouch * Oracle denies its cloud got owned, but that sure does look like customer keymat * Taiwanese hardware maker Clevo packs its private keys into bios update zip * US Treasury un-sanctions Tornado Cash, party time in Pyongyang? This week's episode is sponsored by runZero. Long time hackerman HD Moore joins to talk about how network vulnerability scanning has atrophied, and what he's doing to bring it back en vogue. Do you miss early 2000s Nessus? HD knows it, he's got you fam. This episode is also available on [Youtube](https://youtu.be/mzgqooN6PmM).

Risky Bulletin: Cyberattack hits Ukraine's state railway

Catalin Cimpanu — Wed, 26 Mar 2025 14:25:00 +1100

Ukraine's state railway hit by a cyberattack, a ransomware attack reduces Malaysia's largest airport to writing flight details on a whiteboard, buggy exploits put DrayTek routers in a reboot loop, and the NIST CVE backlog grows bigger despite efforts to address it.

Between Two Nerds: The 0day fetish

The Grugq — Tue, 25 Mar 2025 08:42:54 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about why people studying cyber operations are fascinated by 0days. These are vulnerabilities or exploits that have been found in a system before the vendor or manufacturer is made aware of them and so therefore no fix exists. This episode is also available on [Youtube](https://youtu.be/Huz2lP-iW9s).

Risky Bulletin: US removes Tornado Cash sanctions

Catalin Cimpanu — Mon, 24 Mar 2025 12:37:51 +1100

The US removes Tornado Cash sanctions, the White House shifts cyber responsibility to state and local governments, a Michigan football coach is indicted for hacking, and Google sues a Maps scam syndicate.

Risky Bulletin: Hacktivists claim cyber-sabotage of 116 Iranian ships

Catalin Cimpanu — Fri, 21 Mar 2025 13:33:49 +1100

Hacktivists sabotage over 100 Iranian ships, Iran calls out China for hacking, six new Paragon customers come to light, and North Korea creates a new cyber unit.

Srsly Risky Biz: China's MSS gets personal

Patrick Gray — Thu, 20 Mar 2025 13:47:15 +1100

Tom Uren and Patrick Gray discuss how China's Ministry of State Security is increasingly doxxing and threatening Taiwanese APT operators. In some ways this mirrors the US strategy of naming and shaming Chinese cyber operators in indictments that contain lots of supporting information. But although MSS statements are filled with propaganda rather than technical detail, naming Taiwanese military hackers has some bite. They also discuss Russia's 'shadow war' sabotage campaign across Europe. The Russian campaign mostly relies on traditional sabotage and finding local proxies to throw bombs. But it does make sense for Western governments to respond with destructive cyber operations. This episode is also available on [Youtube](https://youtu.be/Umj3OpozCdY).

Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects

Adam Boileau — Wed, 19 Mar 2025 14:58:07 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Github Actions supply chain attack loots keys and secrets from 23k projects * Why a VC fund now owns a minority stake in Risky Business Media (!?!?) * China doxes Taiwanese military hackers * Microsoft thinks .lnk file whitespace trick isn't worth patching but APTs sure love it * CISA delivers government efficiency by re-hiring fired staff… to put them on paid leave * ...and Google acquires Wiz for $32bn This week's show is sponsored by Zero Networks, and they have sent along a happy customer to talk about their experience. Aaron Steinke is Head of Infrastructure at La Trobe Financial, an asset management firm in Australia. Aaron talks through bringing modern zero-trust goodness to the reality of a technology environment that's been around 40 years. This episode is also available on [Youtube](https://youtu.be/19AMGS4cG8w).

Risky Bulletin: Google buys Wiz for $32 billion

Catalin Cimpanu — Wed, 19 Mar 2025 14:30:07 +1100

Google buys Wiz for $32 billion, China attributes the Poison Ivy APT group to the Taiwanese Military, APT groups abuse a Windows zero-day and a judge tells CISA to reinstate fired workers.

Between Two Nerds: Sowing discord by being nice!

The Grugq — Tue, 18 Mar 2025 08:50:47 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how offensive cyber operations could do so much more than just 'deny, disrupt, degrade and destroy'. Grugq thinks this thinking is rooted in military culture and he wonders why cyber operations are always so mean. This episode is also available on [Youtube](https://youtu.be/h09Szw8X5i0).

Risky Bulletin: GitHub supply chain attack leaks secrets

Catalin Cimpanu — Mon, 17 Mar 2025 09:59:35 +1100

A GitHub supply chain attack leaks secrets, the White House tells federal agencies to stop firing cyber staff, Germany exempts cybersecurity from debt limits, and the RCS standard adds support for end-to-end encryption.

Risky Bulletin: FBI says online file converters are nasty

Catalin Cimpanu — Fri, 14 Mar 2025 14:01:56 +1100

The FBI warns of online file converters that distribute malware, China backdoors Juniper router, a wave of ransomware hits Taiwan, and North Korean spyware slips into the Play Store.

Srsly Risky Biz: Outside America, Musk's X is a foreign influence threat

Patrick Gray — Thu, 13 Mar 2025 12:02:17 +1100

Tom Uren and Patrick Gray discuss how X is actively engaging in political interference outside the US. The risks mirror those of TikTok. American legislators moved against TikTok because it could potentially be a powerful tool for the Chinese government to interfere with American political discourse. X is a realised threat, not a potential one, so we expect that foreign governments will start to consider a ban. They also explore why mass firing of probationary employees in NSA and intelligence agencies is particularly damaging. This episode is also available on [Youtube](https://youtu.be/R6DkIbJw4Ig).

Risky Business #783 -- Evil webcam ransomwares entire Windows network

Adam Boileau — Wed, 12 Mar 2025 15:30:32 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news with special guest Rob Joyce, a Former Special Assistant to the US President and Director of Cybersecurity for NSA. They talk through: * A realistic bluetooth-proximity phishing attack against Passkeys * A very patient ransomware actor encrypts an entire enterprise with a puny linux webcam processor * The ESP32 backdoor that is neither a door nor at the back * The X DDoS that Elon said was Ukraine is claimed by pro-Palestinian hacktivists * Years later, LastPass hackers are still emptying crypto-wallets * …and it turns out North Korea nailed {Safe}Wallet with a malicious docker image. Nice! Rob Joyce recently testified to the US House Select Committee on the Chinese Communist Party, and he explains why DOGE kicking probationary employees to the curb is "devastating" for the national security staff pipeline. This week's episode is sponsored by SpecterOps, makers of the BloodHound identity attack path mapping tool. Chief Product Officer Justin Kohler and Principal Security Researcher Lee Chagolla-Christensen discuss their pragmatic approach to disabling NTLM authentication in Active Directory using BloodHound's insight. This episode is also available on [Youtube](https://youtu.be/28s8uURA6xM).

Risky Bulletin: Pro-Palestinian hacktivists claim X DDoS

Catalin Cimpanu — Wed, 12 Mar 2025 12:37:36 +1100

A Pro Palestinian group claims credit for the X DDoS, CISA gets a new director as DOGE fires its red teams, and Asian scam compounds keep growing.

Between Two Nerds: A European cyber command

The Grugq — Tue, 11 Mar 2025 07:26:37 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about what Europe should do given that US security guarantees are evaporating. Should Europe grow its cyber capabilities, what it would get out of it and how should it go about doing it? This episode is also available on [Youtube](https://youtu.be/FeGTxVuyOLI).

Risky Bulletin: Major browsers patch passkey phishing flaw

Catalin Cimpanu — Mon, 10 Mar 2025 13:59:57 +1100

Mobile browsers patch a passkey phishing vector, researchers find undocumented commands in a common IoT chip, the US government cuts election security funding, and a hacker steals -- and then returns -- funds from DeFi platform 1inch.

Risky Bulletin: US indicts i-Soon and APT27 hackers

Catalin Cimpanu — Fri, 07 Mar 2025 13:23:01 +1100

The US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.

Srsly Risky Biz: Starlink an internet lifeline for pig butchering compounds

Patrick Gray — Thu, 06 Mar 2025 14:07:47 +1100

In this podcast Tom Uren and Patrick Gray discuss how Starlink is providing an internet lifeline for scam compounds that have had their internet access cut by Thai authorities. Starlink has a very poor track record dealing with unauthorised use, but it is time for the company to develop the processes to keep on top of these problems. They also discuss how President Trump's actions that favour Russia will make Five Eyes partners take stock, particularly when it comes to HUMINT intelligence sharing. Finally they examine the did-it-happen-or-not stand-down of US Cyber Command's Russian operations. This episode is also available on [Youtube](https://youtu.be/UN2M2tjRhZE).

Risky Business #782 -- Are the USA and Russia cyber friends now?

Adam Boileau — Wed, 05 Mar 2025 14:25:31 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * Did the US decide to stop caring about Russian cyber, or not? * Adam stans hard for North Korea's massive ByBit crypto-theft * Cellebrite firing Serbia is an example of the system working * Starlink keeps scam compounds in Myanmar running * Biggest DDoS botnet yet pushes over 6Tbps This week's episode is sponsored by network visibility company Corelight. Vincent Stoffer, field CTO at Corelight joins to talk through where eyes on your network can spot attackers like Salt and Volt Typhoon. This episode is also available on [Youtube](https://youtu.be/nIw9BYzv3X4).

Risky Bulletin: Research turns any Bluetooth device into an AirTag

Catalin Cimpanu — Wed, 05 Mar 2025 12:02:45 +1100

Researchers turn any Bluetooth device into an AirTag tracker, VMware patches three ESXi zero-days, France debates encryption backdoors, and a fifth of the stolen Bybit funds are now untraceable.

RBTALKS6: Will Thomas on the Black Basta leaks

Catalin Cimpanu — Tue, 04 Mar 2025 15:52:56 +1100

In this Risky Business Talks interview we invited Will Thomas to talk about the recent leak of internal chats from the Black Basta ransomware group. Will is a SANS Instructor, co-author of the SANS FOR589 course, and the co-founder of a community research project for CTI analysts called Curated Intelligence. Will walks us through the Black Basta leak and uses the group's attack on US healthcare provider Ascension to break down how the gang operated.

Between Two Nerds: NSA's 9 to 5 hacking campaign

The Grugq — Tue, 04 Mar 2025 08:07:39 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq take a deep dive into incident response reports from Chinese cybersecurity firms that attribute the hack of one of the country's top seven defence universities to the US National Security Agency. These reports were collated and translated into English by the security researcher known as Inversecos [https://x.com/inversecos]. This episode is also available on [Youtube](https://www.youtube.com/watch?v=WPaBeBm3OeQ).

Risky Bulletin: Trump admin halts Russia cyber operations

Catalin Cimpanu — Mon, 03 Mar 2025 13:22:48 +1100

The Trump administration stops treating Russian hackers as a threat, Meta seeks a permanent NSO injunction, new Cellebrite zero-days come to light, and big name Russian cyber criminals get ... home detention.

Risky Bulletin: Cellebrite fires Serbia as a customer

Catalin Cimpanu — Fri, 28 Feb 2025 13:38:30 +1100

Cellebrite bans Serbia from using its products, Chinese hackers breached the Belgian security service, the Republican National Committee hid a Chinese hack and Microsoft removes malicious extensions from the VSCode Marketplace.

Srsly Risky Biz: Canada's expulsion from Five Eyes would be a disaster

Patrick Gray — Thu, 27 Feb 2025 14:31:45 +1100

Tom Uren and Patrick Gray talk about the White House apparently considering kicking Canada out of the Five Eyes intelligence alliance to apply pressure on the country. It's a terrible idea and even thinking about it undermines the strength of the alliance. They also discuss Sweden's proposed legislation that would order apps like WhatsApp and Signal to store messages so they could be provided under warrant to authorities. The story is a vignette of the ongoing encryption debate, but we think apps like Signal will leave the country rather than comply. Finally, they talk about how the illicit cryptocurrency ecosystem is evolving in response to government action such as takedowns and sanctions. This episode is also available on [Youtube](https://youtu.be/NVCkBTgVX0o).

Risky Business #781 -- How Bybit oopsied $1.4bn

Adam Boileau — Wed, 26 Feb 2025 15:20:33 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: * North Korea pulls off a 1.5 billion dollar crypto heist * Apple pulls Advanced Data Protection from the UK * Black Basta ransomware gang's internal chats leak * Russians snoop on Signal with QR codes * And Myanmar ships thousands of freed scam compound workers to Thailand Regular guest Lina Lau joins to discuss her work reading Chinese incident response reports on WeChat, and how that has people thinking that … she outed the NSA? This week's episode is sponsored by Airlock Digital, and allow-listing tragics Daniel Schell and David Cottingham are along with an amusing tale of using Windows' own allow-listing software to block EDR from loading. This episode is also available on [Youtube](https://youtu.be/dvSTj31CPcI).

Risky Bulletin: Signal threatens to leave Sweden over backdoor request

Catalin Cimpanu — Wed, 26 Feb 2025 14:29:03 +1100

Signal threatens to leave Sweden over backdoor request, the EU sanctions a North Korean general linked to two APTs, Australia bans Kaspersky products on government systems and Google will use QR codes for Gmail authentication.

Between Two Nerds: Hacking's first principles

The Grugq — Tue, 25 Feb 2025 09:40:19 +1100

In this edition of Between Two Nerds Tom, Uren and The Grugq examine the fundamental principles of network exploitation as described in Matthew Monte's 'Network Attacks and Exploitation: A Framework' book using recent hacks as case studies. This episode is also available on [Youtube](https://youtu.be/XEXgO8LzdP8).

Risky Bulletin: North Korean hackers steal $1.5 billion from Bybit

Catalin Cimpanu — Mon, 24 Feb 2025 13:11:18 +1100

North Korean hackers steal one and a half billion dollars from Bybit, Apple disables iCloud backup encryption in the UK, stream-jacking hits the e-sports world and Palau faces its third ransomware attack in six years.

Wide World of Cyber: DeepSeek lobs an AI hand grenade

Alex Stamos — Fri, 21 Feb 2025 13:31:15 +1100

In this episode of the Wide World of Cyber podcast Risky Business host Patrick Gray chats with SentinelOne’s Chris Krebs and Alex Stamos about AI, DeepSeek, and regulation. From its bad transport security to its Chinese ownership and the economic implications of China "entering the chat", everyone’s freaking out over this new model. But should they be? Pat, Alex and Chris dissect the model's significance, the politics of it all and how AI regulation in Europe, the US and China will shape the future of LLMs. This episode is also available on [Youtube](

Risky Bulletin: BlackBasta implodes, internal chats leak online

Catalin Cimpanu — Fri, 21 Feb 2025 12:33:36 +1100

The BlackBasta ransomware group implodes, Russian military hackers target Signal with QR codes, Microsoft patches a Power Pages zero-day, and Meta sues a man who hacked accounts and extorted users.

Srsly Risky Biz: Why America needs its own Salt Typhoon

Patrick Gray — Thu, 20 Feb 2025 14:46:47 +1100

In this podcast Tom Uren and Patrick Gray talk about the idea of launching a retaliatory campaign to hack Chinese telcos in response to Salt Typhoon's targeting of US ones. US Senator Mark Warner floated the idea as a way to persuade the Chinese government to pull back Salt Typhoon, but we think that kind of campaign has merit regardless. They also discuss how Samoa's CERT calling out APT40 is a big deal. It's striking to see a small country of 200,000 people calling out Chinese hacking.

Risky Business #780 -- ASD torched Zservers data while admins were drunk

Adam Boileau — Wed, 19 Feb 2025 14:39:53 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Australian spooks scrubbed Medibank data off Zservers bulletproof hosting * Why device code phishing is the latest trick in confusing poor users about cloud authentication * Cloudflare gets blocked in Spain, but only on weekends and because of... football? * Palo Alto has yet another dumb bug * Adam gushes about Qualys' latest OpenSSH vulns Enterprise browser maker Island is this week's sponsor and Chief Customer Officer Bradon Rogers joins the show to talk about how the adoption of AI everywhere is causing headaches.

Risky Bulletin: Insight Partners discloses security breach

Catalin Cimpanu — Wed, 19 Feb 2025 12:04:40 +1100

VC giant Insight Partners gets social engineered; OpenSSH patches an attacker-in-the-middle bug; Ecuador's parliament hit by cyberattacks; ...and a Monero zero-day awaits a patch.

Between Two Nerds: Is 39 vulnerabilities a lot?

The Grugq — Tue, 18 Feb 2025 07:09:56 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the United State's Vulnerabilities Equities Program, which balances the need for intelligence collection with the need to protect the public. The government recently revealed that in 2023 it released 39 vulnerabilities, but what does this really tell us? This episode is also available on [Youtube](https://youtu.be/AQtO7bE16VA).

Risky Bulletin: Sandworm deploys Tor nodes on hacked networks

Catalin Cimpanu — Mon, 17 Feb 2025 10:51:04 +1100

Sandworm deploys Tor nodes on hacked networks, the UK drops military training for cyber staff, Salt Typhoon's hacking spree continues, and Russian APTs adopt device code phishing.

Risky Biz Soap Box: Run your own open source IDP with Authentik

Patrick Gray — Fri, 14 Feb 2025 11:24:24 +1100

In this SoapBox edition of the show Patrick Gray chats to Fletcher Heisler, the CEO of open-source identity provider Authentik. The whole idea of Authentik is you can take control of an essential IT and security function: identity. Because Authentik is open source it's extremely flexible, and if you're running it yourself, you get to decide where your IDP should sit in your architecture. You can run it on prem if you're an emergency call centre or you're operating an airgapped network, or you can spin it up in your cloud environment if you're a typical enterprise. Fletcher talks through the reasons Authentik users are decoupling themselves from the major SaaS Identity Providers, and the flexibility that comes from being able to assemble exactly what you need.

Srsly Risky Biz: Governments are losing the crypto wars

Patrick Gray — Thu, 13 Feb 2025 12:04:43 +1100

In this podcast Tom Uren and Patrick Gray talk about Apple's refusal to obey a UK government order to provide the capability to access to encrypted iCloud data. Its the latest round in the ongoing government vs technology fights over warrant-proof encryption, and again it looks like governments will lose. They also talk about good news in the fight against ransomware. Government actions are putting pressure on the cyber criminal ecosystem, splintering groups and even making it hard to for crooks to convert cryptocurrency to hard cash. This episode is also available on [Youtube](

Risky Business #779 -- DOGE staffer linked to The Com

Adam Boileau — Wed, 12 Feb 2025 14:18:48 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Musk's DOGE kid has a history with The Com * Paragon fires Italy as a spyware customer * Thailand cuts power to scam compounds… * … and arrests Phobos/8Base Russian cybercrims * The CyberCX DFIR report shows non-U2F MFA is well and truly over * And much, much more. This week's episode is sponsored by Dropzone.AI. They make an AI SOC analysis platform that relieves your analysts of the necessary but tedious work, so they can focus on the value of human insight. Dropzone's founder and CEO Edward Wu joins to talk about how they approach the problem. This episode is also available on [Youtube](https://youtu.be/4bzLaoCeS2I).

Between Two Nerds: A Paragon of virtue

The Grugq — Tue, 11 Feb 2025 08:39:41 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about Israeli spyware vendor Paragon, how and why it positions itself to sell to the US market, and how its capabilities might work.

Risky Bulletin: Browser extension supply chain attack hits AdsPower

Catalin Cimpanu — Fri, 07 Feb 2025 13:03:23 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Srsly Risky Biz: DeepSeek a boon for Chinese APTs

Patrick Gray — Thu, 06 Feb 2025 12:21:34 +1100

_UPDATED AUDIO: An earlier version of this podcast audio contained an editing mistake that desynchronised Patrick and Tom’s audio._ In this podcast Tom Uren and Patrick Gray talk about the cyber espionage implications of Chinese AI firm DeepSeek's recently released models. They will certainly be picked up by various APT crews to try and accelerate their campaigns. They also discuss the UK NCSC's attempt to quantify 'comedy bugs' and whether EU sanctions against Russian military intelligence officers for a five-year-old cyber espionage campaign targeting Estonia are pointless.

Risky Business #778 -- Musk's child soldiers seize control of FedGov IT systems

Adam Boileau — Wed, 05 Feb 2025 14:24:50 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * DeepSeek leaves an unauthed database on the internet * Russia hacked UK prime minister's personal mail * Australia sanctions a Telegram group… which is more sensible than it sounds * Medical device backdoor turns out to be just poorly thought out upgrade feature * Google abuses weak hashing to patch AMD CPU microcode * And much, much more. This week's episode is sponsored by email security boffins Sublime. Their co-founder and CEO Josh Kamdjou joins to talk about how attackers' abuse of legitimate services like Docusign is a challenge for email security vendors.

Risky Bulletin: UK Prime Minister's personal email hacked by Russia

Catalin Cimpanu — Wed, 05 Feb 2025 11:53:51 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Between Two Nerds: How the internet gets Salt Typhoon wrong

The Grugq — Tue, 04 Feb 2025 08:22:48 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how the compromise of US telecommunications companies by Chinese hackers has very little to do with US government lawful intercept laws.

Risky Bulletin: US authorities sound the alarm on a medical device backdoor

Catalin Cimpanu — Mon, 03 Feb 2025 11:08:15 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Bulletin: Authorities seize the Cracked and Nulled cybercrime forums

Catalin Cimpanu — Fri, 31 Jan 2025 12:42:25 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Business #777 -- It's SonicWall's turn

Adam Boileau — Wed, 29 Jan 2025 14:29:48 +1100

Coming to you from the same room in Risky Business headquarters Patrick Gray and Adam Boileau discuss the week's cybersecurity news. They talk through: * Sonicwall firewalls hand out remote code exec like candy * Mastercard make a slapstick-grade mistake with their DNS * The data breach at PowerSchool and other niche SaaS providers * Academic research proposes taking down Europe's power grid * Apple CPUs get a new speculative execution side channel * And much, much more. This week's episode is sponsored by Push Security, who make an identity security product that runs inside browsers. Luke Jennings joins to discuss some of the pitfalls of federated authentication, like attackers using unexpected identity providers to log in to your apps. This episode is also available on [Youtube](https://youtu.be/AsjcZAqdNYw).

Risky Bulletin: EU sanctions three GRU hackers

Catalin Cimpanu — Wed, 29 Jan 2025 09:29:48 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Bulletin: Public transport in Tbilisi is free after anti-government hack

Catalin Cimpanu — Mon, 27 Jan 2025 13:12:26 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Bulletin: Contactless payment card relay fraud booms in Russia

Catalin Cimpanu — Fri, 24 Jan 2025 10:27:52 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Business #776 -- Trump will flex American cyber muscles

Adam Boileau — Wed, 22 Jan 2025 14:18:15 +1100

Risky Business returns for its 19th year! Patrick Gray and Adam Boileau discuss the week's cybersecurity news and there is a whole bunch of it. They discuss: * The incoming Trump administration guts the CSRB * Biden's last cyber Executive Order has sensible things in it * China's breach of the US Treasury gets our reluctant admiration * Ross Ulbricht - the Dread Pirate Roberts of Silk Road fame - gets his Trump pardon * New year, same shameful comedy Forti- and Ivanti- bugs * US soldier behind the Snowflake hacks faces charges after a solid Krebs-ing * And much, much (much! after a month off) more. This week's episode is sponsored by Sandfly Security, who make a Linux EDR solution. Founder Craig Rowland joins to talk about how the Linux ecosystem struggles with its lack of standardised approaches to detection and response. If you've got a telco full of unix, and people are asking how much Salt Typhoon you've got in there… Sandfly's tools are probably what you're looking for. If you like your Business like us… - Risky - then we're hiring! We're looking for someone to help with audio and video production for our work, manage our socials, and if you're also into the Cybers… even better. Position is remote, with a preference for timezones amenable to Australia/NZ. Drop us a line: editorial at risky.biz.

Risky Bulletin: Trump guts the Cyber Safety Review Board

Catalin Cimpanu — Wed, 22 Jan 2025 10:30:09 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Bulletin: Biden's last cyber executive order

Catalin Cimpanu — Mon, 20 Jan 2025 10:18:15 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

RBTALKS5: How Pfizer uses AI to detect insider risk

Catalin Cimpanu — Fri, 20 Dec 2024 14:18:15 +1100

Brian A. Coleman, Senior Director for Insider Risk, Information Security, and Digital Forensics at Pfizer, talks to us about how his security team is experimenting with AI to improve their insider risk detection systems. The system Brian and his team put together can detect sensitive information or documents handled by unauthorized accounts, but can also spot documents moving around and ending up where they shouldn't be - either by accident, malice, or as a result of a security breach.

Risky Biz Soap Box: Cool compliance tricks with the Island enterprise browser

Patrick Gray — Fri, 20 Dec 2024 14:16:53 +1100

In this sponsored Soap Box edition of the show Patrick Gray talks to Island CEO Michael Fey about some of the cool tricks in the Island enterprise browser. You can use it to tick off so many compliance boxes, and not just cybersecurity boxes. This is largely a conversation about compliance, but it's actually interesting and fun. These are words we never thought we'd type!

Risky Bulletin: Russia designates Recorded Future an "undesirable organization"

Catalin Cimpanu — Fri, 20 Dec 2024 09:52:33 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Srsly Risky Biz: Why two hats are better than two heads

Patrick Gray — Thu, 19 Dec 2024 12:26:29 +1100

In this podcast Tom Uren and Patrick Gray talk about the likelihood that the incoming Trump administration will end the 'dual-hat' arrangement where a single officer leads both US Cyber Command and the National Security Agency. This would result in Cyber Command outranking NSA and could prioritise cyber disruption operations over intelligence collection. That would be a bad outcome. They also talk about how changes to SEC disclosure rules have led to an outpouring of corporate drivel and how WhatsApp became an everything app. This episode is also availble on [Youtube](https://youtu.be/RNw5NCYSeG8).

Risky Bulletin: Cl0p returns

Catalin Cimpanu — Wed, 18 Dec 2024 12:37:09 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Business #775 -- Cl0p is back, SEC hack disclosures disappoint

Adam Boileau — Wed, 18 Dec 2024 12:37:09 +1100

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * The SEC's cyber incident reporting isn't very exciting after all * China Telecom on the way to being thrown out of the US * The NSA/Cybercom might get two separate hats * The Cl0p ransomware crew are back and taking responsibility for the Cleo hacks * (Yet another) File upload bug in Struts makes Java admins weep * And much, much more. This episode is sponsored by SpecterOps, who run a pretty top notch offsec/pentest team when they're not busy making the Bloodhound Enterprise identity attack path enumeration software. SpecterOps' Robby Winchester joins to talk about how pentest has changed, and how their customers get value from their testing. This episode is also available [Youtube](https://youtu.be/RquLQQyrP-I).

Between Two Nerds: The evolution of Russia's cyber operations in Ukraine

The Grugq — Tue, 17 Dec 2024 08:42:02 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the evolution of Russian cyber operations during its invasion of Ukraine. This episode is also available on [Youtube](https://youtu.be/e49QGvfSWoU).

Risky Bulletin: Secret ransomware campaign targeted DrayTek routers for a year

Catalin Cimpanu — Mon, 16 Dec 2024 13:42:02 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Wide World of Cyber: SentinelOne's Chris Krebs on Chinese cyber operations

Patrick Gray — Fri, 13 Dec 2024 14:56:26 +1100

In this edition of the Wild World of Cyber podcast Patrick Gray sits down with SentinelOne's Chief Intelligence and Public Policy Officer Chris Krebs to talk all about Chinese cyber operations. They look at the Salt Typhoon and Volt Typhoon campaigns, the last 20 years of Chinese operations, and the evolution of the cyber roles of China's Ministry of State Security and People's Liberation Army. It's a very dense hour of conversation! This podcast was recorded in front of an audience at the Museum of Contemporary Art in Sydney. This episode is also available on [Youtube](https://youtu.be/MQaVx9vpvQg).

Risky Bulletin: Germany's BSI sinkhole BADBOX malware

Catalin Cimpanu — Fri, 13 Dec 2024 14:19:47 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Srsly Risky Biz: FCC demands telcos improve security

Tom Uren — Thu, 12 Dec 2024 11:58:49 +1100

In this podcast Tom Uren and Patrick Gray talk about the US Federal Communications Commission effort to get US telcos to lift their security game and compares it to UK and Australian efforts. The US is very late to the game, and improving security is a huge job. They also talk about Chinese cyber actors continuing to pointlessly sow chaos and how an influence campaign in Romania is an absolute disaster for TikTok. This episode is also available on [Youtube](https://youtu.be/pKqXR4gXpv8).

Risky Business #774 -- Cleo file transfer appliances under widespread attack

Patrick Gray — Wed, 11 Dec 2024 14:08:26 +1100

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Cleo file transfer products have a remote code exec, here we go again! * Snowflake phases out password-based auth * Chinese Sophos-exploit-dev company gets sanctioned * Romania's election gets rolled back after Tiktok changed the outcome * AMD's encrypted VM tech bamboozled by RAM with one extra address bit * Some cool OpenWRT research * And much, much more. This week's episode is sponsored by Thinkst, who love sneaky canary token traps. Jacob Torrey previews an upcoming Blackhat talk filled with interesting operating system tricks you can use to trigger canaries in your environment. You wont believe the third trick! Attackers hate him! This episode is also available on [Youtube](https://youtu.be/5AMukehBDiA).

Risky Biz News: Improperly patched Cleo bug exploited in the wild

Catalin Cimpanu — Wed, 11 Dec 2024 12:08:25 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Why the US is so uptight about cyber operations

Tom Uren — Tue, 10 Dec 2024 08:38:08 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how states have very different approaches to controlling cyber operations. At the very beginning they refer to [this](https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/) Microsoft Threat Intelligence post.

Risky Biz News: Members of US Congress targeted by phishing op

Catalin Cimpanu — Mon, 09 Dec 2024 10:42:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz Soapbox: Enterprise Yubikeys can now be pre-registered

Patrick Gray — Mon, 09 Dec 2024 09:49:27 +1100

In this interview Patrick Gray talks to Yubico's COO and President Jerrod Chong about a new Yubikey feature: pre-registration. You can now ship pre-registered Yubikeys to your staff so you don't need to rely on your staff to enrol them. They've achieved this with really slick Okta and Entra ID integrations. Jerrod also talks about a recent trip to Singapore and concerns he has about the cybersecurity of critical infrastructure in the energy sector.

Risky Biz News: Salt Typhoon's telco hacking spree keeps getting bigger

Catalin Cimpanu — Fri, 06 Dec 2024 10:44:59 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why hack and leak is still a big deal

Tom Uren — Thu, 05 Dec 2024 12:28:59 +1100

In this podcast Tom Uren and Adam Boileau talk about the continued importance of hack and leak operations. They didn't really affect the recent US presidential election, but they are still a powerful tool for vested interests to influence public policy. They also discuss the police bust of MATRIX, yet another encrypted messenger that is marketed to criminals and designed to resist police surveillance. The crimephone landscape is splintering due to the constant drumbeat of police success. This episode is also available on [Youtube](https://youtu.be/8X4AgxhKg-8).

Risky Business #773 -- Cybercriminals are dropping like flies in Russia

Patrick Gray — Wed, 04 Dec 2024 12:54:12 +1100

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * The FTC decides its time to take another look at Microsoft * Exxon's opponents targeted by hackers * Russian hackers keep getting sentenced and it confuses us * The Feds recommend Signal, because throwing hackers out of telcos ain't gonna happen * A South Korean set-top-box manufacturer shipped a DDoS client for corpo-combat * And much, much more. This week's sponsor interview with Vijit Nair from Corelight. We talk to him about doing detection in cloud environments, and how the varied nature of cloud systems makes the old ways - network monitoring - useful in new and interesting ways. If you're in Sydney, Pat is recording a live episode of the Wide World of Cyber with Chris Krebs on 5 December. There might still be [tickets left](https://go.sentinelone.com/risky-business-live-apj-sydney-en.html)! This episode is also available on [Youtube](https://youtu.be/cstfm5FbRFI).

Risky Biz News: Poland arrests former spy chief in Pegasus scandal

Catalin Cimpanu — Wed, 04 Dec 2024 11:16:45 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The kid to criminal pipeline

Tom Uren — Tue, 03 Dec 2024 08:51:41 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how the opportunities for hackers have changed and how that has altered the pipelines that turn kids into criminals.

Risky Biz News: Russia arrests WazaWaka

Catalin Cimpanu — Mon, 02 Dec 2024 13:02:14 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft’s thanksgiving treat: an FTC investigation

Catalin Cimpanu — Fri, 29 Nov 2024 14:08:12 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Australian government to shut down AN0M evidence appeals

Tom Uren — Thu, 28 Nov 2024 13:31:03 +1100

In this podcast Tom Uren and Patrick Gray talk about the Australian Government's extraordinary legislation that will retrospectively ensure that warrants used for the An0m crimephone sting operation are valid. They also discuss a sterling CISA red team report and the naiveté of Microsoft's Vice Chair and President Brad Smith. This episode is also available on [Youtube](https://youtu.be/_K8OfqvQIms).

Risky Business #772 -- Salt Typhoon is truly a national security disaster

Patrick Gray — Wed, 27 Nov 2024 14:02:05 +1100

On this week’s show, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including: * A ransomware attack has crippled US supply chain software provider Blue Yonder * Russian spies hack nearby wifi to get to their targets, but that doesn't seem surprising? * Salt Typhoon's attacks on telcos are hard to solve and big on impact * China's surveillance state workers sell their access at home * Palo Alto is bad and should feel bad * And much, much more. In this week's sponsor interview Patrick Gray chats with Matt Muller from Tines about Gartner's "spicy take" that the SOAR category is dead. SOAR is dead! Long live SOAR! This episode is also available on [Youtube](https://youtu.be/toR7pBeOUnc).

Risky Biz News: Banshee Stealer shuts down after source code leak

Catalin Cimpanu — Wed, 27 Nov 2024 13:50:29 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Why attribution matters

Tom Uren — Tue, 26 Nov 2024 08:36:33 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about different views on attribution and why it still matters for sophisticated state-backed groups.

Risky Biz News: Four PR firms are behind a Chinese propaganda network

Catalin Cimpanu — Mon, 25 Nov 2024 10:26:29 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: US charges five Scattered Spider members

Catalin Cimpanu — Fri, 22 Nov 2024 12:47:34 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The PLA's cyber operations go dark

Tom Uren — Thu, 21 Nov 2024 11:29:01 +1100

In this podcast Tom Uren and Patrick Gray talk about what the People's Liberation Army cyber operators have been up to. They used to be China's most visible cyber operators but have since disappeared. They also discuss the shift towards widespread exploitation of 0days, particularly in enterprise perimeter devices. This episode is also available on [Youtube](https://youtu.be/SXQuYawXqC4).

Risky Business #771 -- Palo Alto's firewall 0days are very, very stupid

Patrick Gray — Wed, 20 Nov 2024 14:31:18 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Microsoft introduces some sensible sounding post-Crowdstrike changes * Palo Alto patches hella-stupid bugs in its firewall management webapp * CISA head Jen Easterly to depart as Trump arrives * AI grandma tarpits phone scammers in family-tech-support hell * Academic research supports your gut-reaction; phishing training doesn't work * And much, much more. This week's episode is sponsored by Greynoise. The always excitable Andrew Morris joins to remind us that the edge-device vulnerabilities Pat and Adam complain about on the show are in fact actually even worse than we make them out to be. Andrew also tells us about a zero-day Greynoise' AI system truffle-pigged out of their data set. This episode is also available on [Youtube](https://youtu.be/RxyemwE4XBo).

Risky Biz News: Remote fix feature for unbootable PCs coming to Windows

Catalin Cimpanu — Wed, 20 Nov 2024 14:04:24 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Cyber weapons

Tom Uren — Tue, 19 Nov 2024 09:13:06 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about what cyber weapons really are and why use of the term is counterproductive. They reference Defining Offensive Cyber Capabilities, a paper authored by Tom.

Risky Biz News: Unpatched zero-day in Palo Alto Networks is in the wild

Catalin Cimpanu — Mon, 18 Nov 2024 14:04:55 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: MSS now dominates China's cyber activity

Catalin Cimpanu — Fri, 15 Nov 2024 13:25:33 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: How Trump will drive covert operations

Tom Uren — Thu, 14 Nov 2024 12:00:10 +1100

In this podcast Tom Uren and Patrick Gray talk about what to expect from President Trump's second term. Trump is an activist president who believes in using state power, so intelligence agencies will be pushed to conduct more audacious or even outrageous covert operations. They also discuss concerns about a new UN cybercrime treaty that is set for a vote at the General Assembly and the Canadian government's curious decision to force the closure of TikTok's local offices. This episode is also available on [Youtube](https://youtu.be/XDI5FJU_cC8).

Risky Business #770 -- A Russian IR guy discovers extremely cool spookware

Patrick Gray — Wed, 13 Nov 2024 15:31:56 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Apple frustrates law enforcement with iOS auto-reboot * CISA says most KEV vulnerabilities in 2023 were first used as zero days * Russians roll incident response on some sweet Linux spookware * Regular users can create mailboxes in M365? * Tor tracks down the source of its joe-job abuse complaints * And much, much more. This week's feature guest is former FBI agent Chris Tarbell, who arrested Silk Road operator Ross Ulbricht way back in 2013. As suggestions swirl that an incoming Trump administration might release Ulbricht, Chris talks about the reality of the Dread Pirate Roberts. This episode is sponsored by software supply chain security firm Socket.dev. Founder Feross Aboukhadijeh thinks that we need a CVE-like catalogue for supply-chain attacks, and he makes a solid argument. The show is also available on [Youtube](https://youtu.be/s7iPp5QaHmI).

Risky Biz News: Most of 2023's top exploited vulnerabilities were initially zero-days

Catalin Cimpanu — Wed, 13 Nov 2024 10:29:47 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: How Telegram creates cybercriminals

Tom Uren — Tue, 12 Nov 2024 07:15:24 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how ungoverned spaces on Telegram result in increasingly toxic and antisocial communities.

Risky Biz Soap Box: Why black box email security is dead

Patrick Gray — Mon, 11 Nov 2024 13:14:53 +1100

In this edition of the Risky Business Soap Box we're talking all about email security with Sublime Security co-founder Josh Kamdjou. Email security is one of the oldest product categories in security, but as you'll hear, Josh thinks the incumbents are just doing it wrong. He joins Risky Business host Patrick Gray for this interview about Sublime's origin story and its new approach to email security.

Risky Biz News: iPhones are auto-rebooting to defeat law enforcement

Catalin Cimpanu — Mon, 11 Nov 2024 13:13:47 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Russia blocks Cloudflare ECH connections

Catalin Cimpanu — Fri, 08 Nov 2024 09:48:47 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: How Telegram makes criminal enterprise easy

Tom Uren — Thu, 07 Nov 2024 13:36:50 +1100

In this podcast Tom Uren and Patrick Gray talk about the Snowflake hack after the person allegedly responsible was arrested in Canada. Telegram is involved at all sorts of levels and Tom wonders if this crime would have occurred if Telegram didn't exist. They also discuss the impact of the Chinese hack of US telcos and Sophos' five-year cyber knife fight with Chinese APT crews. This episode is also available on [Youtube](https://youtu.be/CsS_AgifrmU).

Risky Business #769 -- Sophos drops implants on Chinese exploit devs

Patrick Gray — Wed, 06 Nov 2024 15:47:43 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * Sophos drops implants on Chinese firewall exploit devs * Microsoft workshops better just-in-time Windows admin privileges * Snowflake hacker arrested in Canada * Okta has a fun, but not very impactful auth-bypass bug * Russians bring dumb-but-smart RDP client attacks * And much, much more. Special guest Sophos CISO Ross McKerchar joined us to talk about its "hacking back" campaign. The full interview is [available on Youtube](https://www.youtube.com/watch?v=QDh5-ZL3nis) for those who want to really live vicariously through Sophos doing what every vendor probably wants to do. This week's episode is sponsored by attack surface mapping vendor runZero. Founder and CEO HD Moore joins to talk about marrying up the outside and inside views of your network. You can also watch this episode [on Youtube](https://www.youtube.com/watch?v=GpQu3mza8PM)

Risky Biz News: Big changes coming to Windows 11 admin accounts

Catalin Cimpanu — Wed, 06 Nov 2024 12:14:39 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The grand strategy of ransomware

Tom Uren — Tue, 05 Nov 2024 07:53:11 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss what the Russian state gains and loses from hosting a ransomware ecosystem.

Risky Biz News: 1,000 detained in scam compound raid

Catalin Cimpanu — Mon, 04 Nov 2024 13:51:01 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Sophos doxes Chinese exploit development centers

Catalin Cimpanu — Fri, 01 Nov 2024 14:07:16 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #768 -- CSRB will investigate China's Wiretap Hacks

Patrick Gray — Wed, 30 Oct 2024 14:32:59 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * CSRB to investigate China’s telco-wiretapping hacks * Euro law enforcement takes down the Redline infostealer * Someone steals Fed crypto… and then tries to quietly sneak it back in * Russia sentences REvil guys to … jail? Really? * Apple private cloud compute gets a proper bug bounty program * And much, much more. This week’s episode is sponsored by Material Security, who help navigate the mess of cloud productivity data security. Daniel Ayala - Chief Security and Trust Officer at Dotmatics - is a Material customer, and joins Pat and Material Security's Rajan Kapoor to talk about how to wrangle securing data that ends up in corporate cloud email and file stores. This episode is also available on [Youtube](https://youtu.be/wrFcfU1z_Qo).

Risky Biz News: Two arrests in Operation Magnus

Catalin Cimpanu — Wed, 30 Oct 2024 10:28:43 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Thinkst Canary's decade of deception

Patrick Gray — Mon, 28 Oct 2024 13:36:08 +1100

In this Soap Box edition of the podcast Patrick Gray chats with Thinkst Canary founder Haroon Meer about his "decade of deception", including: * A history of Thinkst Canary including a recap of what they actually do * A look at why they're still really the only major player in the deception game * A look at what companies like Microsoft are doing with deception * Why security startups should have conference booths

Risky Biz News: Russia sends REvil gang members to prison

Catalin Cimpanu — Mon, 28 Oct 2024 10:53:08 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Fortinet bungles another zero-day disclosure

Catalin Cimpanu — Fri, 25 Oct 2024 14:10:34 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: EU lobs software liability hand grenade

Tom Uren — Thu, 24 Oct 2024 12:42:42 +1100

In this podcast Tom Uren, Patrick Gray and Adam Boileau talk about an EU directive that will make vendors liable for software defects. The directive sets a very high bar but is also limited in scope. It only applies to individuals and doesn't cover professional use so it is a very practical way to start changing expectations about liability. They also talk about Session Messenger app which has decamped from Australia and set up a foundation in Switzerland. The encrypted and metadata-resistant app is catnip for criminals, so we expect that it is on a collision course with state power. This episode is also available on [Youtube](https://youtu.be/DCD1WJv-e58).

Risky Biz News: Apple wants a 45 day limit on TLS certificates

Catalin Cimpanu — Wed, 23 Oct 2024 14:35:11 +1100

*This episode previously referred to a 10 day limit, but we read the wrong bit of a table. This has been corrected in the title to 45 days, but the podcast audio still refers to the incorrect 10 day maximum age. Sorry!* A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #767 – SEC fines Check Point, Mimecast, Avaya and Unisys over hacks

Patrick Gray — Wed, 23 Oct 2024 13:40:07 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: * SEC fines tech firms for downplaying the Solarwinds hacks * Anonymous Sudan still looks and quacks like a Russian duck * Apple proposes max 10 day TLS certificate life * Oopsie! Microsoft loses a bunch of cloud logs * Veeam and Fortinet are bad and should feel bad * North Koreans are good (at hacking) * And much, much more. This week’s episode is sponsored by Proofpoint. Chief Strategy Officer Ryan Kalember joins to talk about their work keeping up with prolific threat actor SocGholish. This episode is also available on [Youtube](https://youtu.be/C7DkZwPiqyI).

Between Two Nerds: Measuring cyber power

Tom Uren — Tue, 22 Oct 2024 07:46:31 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about a new attempt to measure cyber power, the International Institute for Strategic Studies Cyber Power Matrix.

Risky Biz News: The EU will make vendors liable for bugs

Catalin Cimpanu — Mon, 21 Oct 2024 14:13:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Anonymous Sudan's Russia Links Are (Still) Obvious

Catalin Cimpanu — Fri, 18 Oct 2024 14:30:43 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: When thuggery is your cyber talent pipeline

Tom Uren — Thu, 17 Oct 2024 12:59:01 +1100

In this podcast Tom Uren and Patrick Gray talk about the evolving relationship between Russian intelligence services and the country's cybercriminals. The GRU's sabotage unit, for example, has been recruiting crooks to build a destructive cyber capability. Tom suspects that GRU thugs are not so good at hands-on-keyboard operations, but excellent at coercing weedy cybercriminals to hack for the state. They also talk about OpenAI's report into malicious actor's use of its models, and how Australia's proposed cyber security law looks pretty sensible.

Risky Business #766 – China hacks America's lawful intercept systems

Patrick Gray — Wed, 16 Oct 2024 14:14:25 +1100

On this week’s show Patrick Gray and Adam Boileau discuss the week’s infosec news, including: * Chinese spooks all up in western telco lawful intercept * Jerks ruin the Internet Archive’s day * Microsoft drops a great report with a bad chart * The feds make their own crypto currency and get it pumped * Forti-, Palo- and Ivanti-fail * And much, much more. This week's episode is sponsored by detection-as-code vendor Panther. Casey Hill, Panther’s Director Product Management joins to discuss why the old "just bung it all in a data lake and... ???... " approach hasn’t worked out, and what smart teams do to handle their logs. This episode is also available on [Youtube].(https://youtu.be/86zy6DcwtbE)

Risky Biz News: China says the US is framing other countries for espionage operations

Catalin Cimpanu — Wed, 16 Oct 2024 13:07:08 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: How criminals are using deepfakes

Tom Uren — Tue, 15 Oct 2024 08:36:02 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how criminals are using deepfakes... but it is not the end of the world.

Risky Biz News: Verizon call logs breached

Catalin Cimpanu — Mon, 14 Oct 2024 14:09:05 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Dutch government to physically replace tens of thousands of hackable traffic lights

Catalin Cimpanu — Fri, 11 Oct 2024 13:00:19 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: How Telegram turbocharges organised crime

Tom Uren — Thu, 10 Oct 2024 12:37:26 +1100

In this podcast Tom Uren and Adam Boileau talk a new UN report that spells out the role Telegram plays as a massive enabler for transnational organised crime. They also discuss China's hacking of US telcos to possibly target of lawful intercept equipment and a remarkably entertaining account of North Korean IT workers being employed by over a dozen cryptocurrency firms. This episode is also available on [Youtube](https://youtu.be/ZUq0rEAS57Y).

Risky Biz News: EU adopts new sanctions framework to cover Russia's cyber warfare and disinformation

Catalin Cimpanu — Wed, 09 Oct 2024 11:24:37 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The rise of cyber persistence

Tom Uren — Tue, 08 Oct 2024 07:47:55 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about 'cyber persistence theory'. They cover what it is, why it is increasingly popular amongst America's allies, why we think the theory is right and also cover some critiques of the theory. They refer to the article in CyberScoop ['America’s allies are shifting: Cyberspace is about persistence, not deterrence'](https://cyberscoop.com/cybersecurity-deterrence-persistence-richard-harknett-dod-strategy/) in CyberScoop.

Risky Biz News: China wiretaps US wiretapping system

Catalin Cimpanu — Mon, 07 Oct 2024 10:48:48 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Russia arrests Cryptex founder a week after US sanctions

Catalin Cimpanu — Fri, 04 Oct 2024 12:46:58 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Tackling election interference at warp speed

Tom Uren — Thu, 03 Oct 2024 10:04:54 +1000

In this podcast Tom Uren and Adam Boileau talk about how the US government's response to Iranian election interference is proceeding at light speed. This allows other actors such as Meta to make decisions relating to interference with certainty. They also discuss how Russian cybercrime group Evil Corp's relationship with Russian intelligence was built on the founder's marriage. This episode is also available on [Youtube](https://youtu.be/qBBXfYhQWks).

Risky Biz News: New EvilCorp sanctions and LockBit arrests

Catalin Cimpanu — Wed, 02 Oct 2024 10:56:51 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Snake Oilers: Sandfly Security, Permiso and Wiz

Patrick Gray — Wed, 02 Oct 2024 09:40:57 +1000

In this edition of Snake Oilers we hear pitches from three security vendors: * Sandfly Security: An agentless Linux security platform that actually sounds very cool * Permiso: An identity security platform founded by ex FireEye folks * Wiz: The cloud security giant is getting in on code security scanning You can watch this edition of Snake Oilers on YouTube here.

Between Two Nerds: Cyber forces in Southeast Asia

Tom Uren — Tue, 01 Oct 2024 05:58:36 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about various Southeast Asian countries investing in cyber forces, the drivers behind these decisions and what kind of actions make sense.

Risky Biz News: Attackers are on the hunt for the new UNIX CUPS RCE

Catalin Cimpanu — Mon, 30 Sep 2024 11:22:27 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Three years later, US charges Joker's Stash carding forum admin

Catalin Cimpanu — Fri, 27 Sep 2024 13:47:18 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Neutering Volt Typhoon to deter China

Tom Uren — Thu, 26 Sep 2024 12:54:57 +1000

In this podcast Tom Uren and Patrick Gray talk about the possibility of deterring Volt Typhoon, the Chinese group that is compromising US critical infrastructure to enable future disruption operations in the event of a conflict with US. Tom thinks it is not possible to deter Volt Typhoon, but things might work the other way. If the US can neuter Volt Typhoon and take away the PRC's magic cyber bullet, it could make conflict less likely. They also discuss the lessons for all companies in Microsoft's security turnaround and how X and Telegram have folded in the face of government pressure. The video version of this episode is also available on [Youtube](https://youtu.be/u9G4Ov5cXw4).

Risky Business #765 -- The Kaspersky switcheroo

Patrick Gray — Wed, 25 Sep 2024 14:23:38 +1000

Patrick Gray and Adam Boileau discuss the week’s infosec news with everyone’s favourite ex-NSA big-brain, Rob Joyce. They talk through: * Musk and Durov bow to government pressure * Tiktok rushes to ban authoritarian propagandists * The US doesn't want Chinese software in its cars * Kaspersky replaces itself with an AV no one has ever heard of * Aussie police chalk up another crimephone takedown * Press Win-R Ctrl-V to prove you’re human * And much, much more. This week's show is brought to you by Stairwell, and Stairwell's founder Mike Wiacek will be along to talk about how people are using their platform to hunt down detection resistant malware. A video version of this episode is also available on [Youtube](https://youtu.be/u9G4Ov5cXw4).

Risky Biz News: China says Taiwan's military is behind a hacktivist group

Catalin Cimpanu — Wed, 25 Sep 2024 13:38:03 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Setting Europe ablaze with cyber criminals

Tom Uren — Tue, 24 Sep 2024 07:50:55 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about new reports saying that Russia is creating new cyber groups made up of cyber criminals.

Risky Biz News: Stealer devs bypass Chrome's new cookie protection

Catalin Cimpanu — Mon, 23 Sep 2024 11:08:43 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: A flurry of law enforcement takedowns

Catalin Cimpanu — Fri, 20 Sep 2024 11:05:33 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #764 -- Mossad expands into telecommunications services

Patrick Gray — Wed, 18 Sep 2024 14:49:06 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the weeks security news, including: * Hezbollah’s attempts to avoid SIGINT with pagers ends in explosions * The US shines many bright lights on RT’s disinfo role * Australia counters Chinese bullying in the Pacific * Valid accounts are the most prevalent entry point, says CISA’s data * Ivanti and Fortinet vie for worst vendor of the week * Krebs writes up the shift towards charging The Com with terrorism * And much, much more... This week’s episode is sponsored by Push Security, who bring security visibility to where it needs to be these days -- the browser. Luke Jennings joins this week's show to discuss how phish-kit crews are driving the arms race forward, and how detection has to adapt and go where the users are. This episode is also available on [Youtube](https://youtu.be/uPjcpKPYF8g).

Risky Biz News: US Treasury piles more sanctions on Intellexa

Catalin Cimpanu — Wed, 18 Sep 2024 10:42:04 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: US says RT moved into cyber and intelligence-gathering territory

Catalin Cimpanu — Mon, 16 Sep 2024 11:07:27 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Vo1d infects 1.3 million Android TV boxes

Catalin Cimpanu — Fri, 13 Sep 2024 11:31:31 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The three I's in Spyware

Tom Uren — Thu, 12 Sep 2024 11:40:19 +1000

In this podcast Tom Uren and Patrick Gray talk about the structure of the spyware ecosystem. It's concentrated, with lots of vendors in India, Israel and Italy. And its a small pool of talent, with many companies being founded by just a few individuals. They also talk about the US government's actions against Russia's disinformation ecosystem. The US very clearly linked different 'layers' of that ecosystem directly to the Russian government. Employing influencers via cutouts also shows how Russian disinformation has responded as social media platforms have countered interference efforts. This episode is also available on [Youtube](https://www.youtube.com/watch?v=U4szUGdvvyw).

Risky Business #763 – Microsoft un-patches critical bug

Patrick Gray — Wed, 11 Sep 2024 14:50:58 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the weeks security news, including: * Russia’s disinformation peddlers face multifaceted sternness from the DoJ * Telegram is now law enforcement’s bestest new pal, all of a sudden * Iran’s banking industry arranges a payment plan for a ransom * Columbia investigates how it sent private jets full of cash to pay for Pegasus * Microsoft innovates with Un-Patch Tuesday * And much, much more. This week’s sponsor is Kroll Cyber, and one of their incident responders Paul Wells joins to discuss that one weird trick that actually helps - preparing for an incident before hand, rather than learning all those hard lessons in the middle of a crisis. This week's episode is also available on [Youtube](https://www.youtube.com/watch?v=PFMBzEnknis).

Risky Biz News: UK NCA "on its knees" and bleeding staff

Catalin Cimpanu — Wed, 11 Sep 2024 10:09:18 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Verify, but don't trust

Tom Uren — Tue, 10 Sep 2024 07:31:51 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq dissect an FBI advisory about North Korean groups targeting cryptocurrency firms with social engineering.

Risky Biz News: Two security enhancements coming to Windows

Catalin Cimpanu — Mon, 09 Sep 2024 10:38:08 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Doppelganger gets a kick in the butt from Uncle Sam

Catalin Cimpanu — Fri, 06 Sep 2024 11:36:26 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Snake Oilers: Authentik, Dropzone and SlashID

Patrick Gray — Fri, 06 Sep 2024 11:00:22 +1000

In this edition of Snake Oilers Patrick Gray gets pitches from three cybersecurity companies: * Authentik, an open source identity provider that a lot of large organisations are deploying on prem as an alternative to cloud-based IDPs * Dropzone AI, an LLM-based agent that can do the work of a Tier 1 SOC analyst * SlashID, an identity security company that can crunch your logs to find attackers You can watch this edition of Snake Oilers on YouTube here.

Srsly Risky Biz: Using Exploits to Steal Exploits Is as Old as Time

Tom Uren — Thu, 05 Sep 2024 12:27:52 +1000

In this podcast Tom Uren and Patrick Gray discuss Russia's use of exploits from commercial spyware vendors. Bought through a front, or stolen with other bugs? The also discuss Iran's counter-intelligence innovations - if you apply for a job thats very clearly an Israeli front, then perhaps you're not that trustworthy after all? This episode is also available on [Youtube](https://www.youtube.com/watch?v=3loM75K4e7k).

Risky Business #762 -- Brazil nukes X, Iranian APTs deploy ransomware

Patrick Gray — Wed, 04 Sep 2024 14:46:06 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the weeks security news, including: * Brazil’s supreme court bans X-formerly-Twitter, * Iranian cyber teams cooperate with ransomware crews * While North Koreans wield chrome-windows 0-day * Yubikey cloning attack is impressive, but doesn’t have us binning our keys quite yet * The White House is coming for your unsigned BGP announcements * And much, much more. This week’s episode is sponsored by Okta, and specifically their Identity Security Posture Management product. Okta recently acquired Spera Security, and co-founder Ariel Kadyshevitch joins to talk through the messy reality of modern identity. Pat even gets the giggles at how terrible everything is! You can also watch this episode on [Youtube](https://www.youtube.com/watch?v=u-Q9TzKPwqI).

Risky Biz News: China ramps up US election disinformation

Catalin Cimpanu — Wed, 04 Sep 2024 13:02:34 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Between Three Nerds: How the MSS became a cyber juggernaut

Tom Uren — Tue, 03 Sep 2024 11:32:23 +1000

In this edition of Between Three Nerds Tom Uren and The Grugq talk to Alex Joske, author of a book about how the Chinese Ministry of State Security (MSS) has shaped Western perceptions of China. They discuss the MSS's position in the Chinese bureaucracy, its increasing role in cyber espionage, its use of contractors and the PRC's vulnerability disclosure laws.

Risky Biz News: US charges swatters who terrorized government officials

Catalin Cimpanu — Mon, 02 Sep 2024 13:28:50 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Iranian APT moonlights as access broker and ransomware helper

Catalin Cimpanu — Fri, 30 Aug 2024 12:25:45 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Telegram's CEO released on bail, can't leave France

Tom Uren — Thu, 29 Aug 2024 12:40:25 +1000

In this podcast Tom Uren and Patrick Gray talk about Telegram's founder and CEO Pavel Durov being bailed. They dive into the backstory behind the charges he's facing and what it all might mean for other messaging platforms. They also discuss a very handy list of straightforward ways to detect North Korean's trying to sneak into remote work jobs.

Risky Business #761 – Telegram v frogs. Fight!

Patrick Gray — Wed, 28 Aug 2024 15:27:10 +1000

On this week’s show, Patrick Gray and Adam Boileau discusses the week’s security news, including: * Telegram founder’s arrest in France * Volt Typhoon 0days some SD-WAN gear * Russia frets about Ukraine all up in Kursk’s webcams * Cybercriminals social engineer payment card NFC relay attacks in the wild * The slow burn of Active Directory name collisions * And much, much more. This week’s episode is sponsored by Nucleus Security. Aaron Unterberger joins to discuss how vulnerability management starts out easy, but gets serious very quickly. You can also watch this week’s show on [Youtube](https://www.youtube.com/watch?v=WdekGRcS0C4).

Risky Biz News: Volt Typhoon returns with a new zero-day

Catalin Cimpanu — Wed, 28 Aug 2024 12:09:10 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Between Two Nerds: Phishing is easy, phishing is difficult

Tom Uren — Tue, 27 Aug 2024 07:57:45 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the opportunities in phishing and why it is both easy and difficult.

Feature interview: ASIO Director General Mike Burgess on encryption and access

Patrick Gray — Mon, 26 Aug 2024 12:39:49 +1000

Mike Burgess is the director general of ASIO. But the thing about Mike is he's actually a cybersecurity guy. He joined ASD, Australia's NSA, back in 1995 when it was still the Defence Signals Directorate. He was there for 18 years before he bounced out to the private sector for a while to work as the CISO for Australia's largest telco, Telstra. In 2017 he returned to ASD to run it, and in 2019 he was appointed director general of ASIO. Back in April, Burgess made a series of comments on the topic of encrypted messaging during a Press Club speech in Canberra. Our right to privacy, he said, is not absolute, and he implied that if certain providers didn't start helping Australian authorities out a little more, he'd use some of the provisions in Australia's Assistance and Access bill to force them to provide access to certain content. So I reached out to organise this interview to get some more detail from him about exactly what sort of cooperation he's seeking and why.

Risky Biz News: Telegram founder Pavel Durov detained in France

Catalin Cimpanu — Mon, 26 Aug 2024 11:29:47 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey You can find the newsletter version of this podcast here.

Risky Biz News: Fraud tactics evolve with NFC card cloning malware

Catalin Cimpanu — Fri, 23 Aug 2024 11:15:43 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Australia's National ID System Will Be Awful... And Then Great

Tom Uren — Thu, 22 Aug 2024 13:05:22 +1000

In this podcast Tom Uren and Patrick Gray discuss an Australian government effort to bridge the gap between online and real identity across the whole economy. It addresses a real need, but Tom doesn't think it will go smoothly. They also discuss ongoing Chinese cyber espionage focussed on Russian targets. They may have a 'no limits' friendship, but spying between allies is remarkably common. This episode is also available on [Youtube](https://www.youtube.com/watch?v=hpesV4nylMA).

Risky Business #760 – Microsoft to make MFA mandatory

Patrick Gray — Wed, 21 Aug 2024 14:59:22 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news including: * Microsoft did a good thing! Soon all Azure admins will require MFA * The three billion row National Public Data breach mess, courtesy Florida Man * US govt confirms that it was Iran that hacked the Trump campaign * Is TP-Link the next Huawei, or just not very good at computers? * Major Chinese RFID card maker has hardcoded backdoors * And much, much more. This week’s episode is sponsored by Specter Ops, makers of Bloodhound Enterprise. VP of Products Justin Kohler joins to talk about how they’ve joined their on-prem AD and cloud Entra attack path graphs, so you can map out that juicy, real-world attack surface.

Risky Biz News: Mandatory MFA comes to Azure admins in October

Catalin Cimpanu — Wed, 21 Aug 2024 11:56:19 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Between Two Nerds: The cyber security industry is weird

Tom Uren — Tue, 20 Aug 2024 08:09:15 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine how the cybersecurity industry is very strange when compared to other professional fields such as doctors and accountants.

Wide World of Cyber: 2024 election interference, the media and Iran's hack and leak

Patrick Gray — Mon, 19 Aug 2024 16:09:14 +1000

In this conversation Risky Business host Patrick Gray speaks with SentinelOne's Chris Krebs and Alex Stamos about what sort of cyber enabled interference we can expect in the 2024 US presidential race. Alex was the CISO at Facebook during the 2016 election, and Chris Krebs was responsible for US election security as the director of CISA in 2020. Watch the video version of this episode on [Youtube](https://www.youtube.com/watch?v=IVPy5wC-5mk).

Risky Biz News: Hardware backdoors found in Chinese key card

Catalin Cimpanu — Mon, 19 Aug 2024 10:28:40 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Ransom campaign hits cloud servers

Catalin Cimpanu — Fri, 16 Aug 2024 09:48:26 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The US Government's cyber insurance plans are silly

Tom Uren — Thu, 15 Aug 2024 11:44:55 +1000

In this podcast Tom Uren and Patrick Gray discuss a US government policy initiative to cover cyber insurance gaps while also improving security across the economy. Lofty goals, but Tom wonders if it is a difficult way to address security gaps. They also talk about what appears to be a hack and leak operation targeting the Trump campaign and a recent US federal court decision which ruled that geofence warrants are unconstitutional. You can watch the video version of this episode [here](https://www.youtube.com/watch?v=76-PmR33aVg).

Risky Business #759 – Why Iran's hack and leak will amount to naught

Patrick Gray — Wed, 14 Aug 2024 14:22:20 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news and recap the best research presented at Black Hat and DEF CON in Las Vegas last week. They cover: * Iran tries an election hack’n’leak like its still 2016 * Crowdstrike takes home the Pwnie for Epic Fail at DEF CON * UK healthcare SaaS faces six million pound fine for lack of MFA * US circuit courts disagree on geofence warrants * Our roundup of juicy Blackhat/DEF CON research * And much, much more. This week’s episode is sponsored by Trail of Bits. CEO Dan Guido is fresh back from the DARPA AI Cyber Challenge at DEF CON, where the Trail of Bits team moved through into the finals. Dan talks through the challenge of finding, reporting and fixing bugs with AI systems. You can also watch this week’s show on [Youtube](https://www.youtube.com/watch?v=4zpPk3Y4CYA).

Risky Biz News: FBI seizes Dispossessor ransomware servers

Catalin Cimpanu — Wed, 14 Aug 2024 12:01:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The golden age of OSINT

Tom Uren — Tue, 13 Aug 2024 07:16:54 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss what it would mean to be in a golden age of OSINT and whether we are in one.

Soap Box: Making security tech more people friendly

Patrick Gray — Mon, 12 Aug 2024 11:09:08 +1000

In this sponsored Soap Box edition of the show we talk to Proofpoint's Chief Strategy Officer Ryan Kalember about making security tech more people centric. We often talk about how we can use signals from users to drive some of our security tech. But what about using our security tech to drive user behaviour? Ryan thinks there are some opportunities here, particularly around identity security.

Risky Biz News: Trump campaign points finger at Iran for hack-and-leak

Catalin Cimpanu — Mon, 12 Aug 2024 10:41:29 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: SEC drops MOVEit hack investigation

Catalin Cimpanu — Fri, 09 Aug 2024 10:23:34 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: US intelligence community worried about personal data

Tom Uren — Thu, 08 Aug 2024 12:13:38 +1000

In this podcast Tom Uren and Patrick Gray discuss the US's National Counterintelligence strategy and that it highlights the risk that foreign intelligence entities will use personal information to target and blackmail individuals. They also talk about the recent international prisoner swap. Although two cybercriminals were exchanged in the swap, there is still no strong evidence that they were working for the state.

Risky Business #758 – Crowdstrike's postmortem underwhelms

Patrick Gray — Wed, 07 Aug 2024 13:54:43 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including: * Crowdstrike talks loud in its postmortem, but says very little * Digicert fears the CA-Browser Forum, gets lawsuit from a customer * Dmitri Alperovitch joins the show to talk about the Russian prisoner swap * Cloudflare continues to harbour scum and villainy * Professional ransomware crew … is an improvement? * And much, much more. This week’s episode is sponsored by Thinkst Canary. Marko Slaviero joins to discuss the unfashionable choice they made in hosting their platform one-VM-per-customer.

Risky Biz News: CrowdStrike and Microsoft blame Delta for its prolonged outage

Catalin Cimpanu — Wed, 07 Aug 2024 11:47:16 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Why Chinese APT tactics are evolving

Tom Uren — Tue, 06 Aug 2024 07:08:56 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss recent changes in a Chinese APTs tactics and how cyber security agencies have responded.

Risky Biz News: Crypto-wallet service seized for helping ransomware gangs launder stolen funds

Catalin Cimpanu — Mon, 05 Aug 2024 11:02:10 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Two cyber-criminals included in US-Russian prisoner swap

Catalin Cimpanu — Fri, 02 Aug 2024 11:25:31 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: When Israeli national security trumps US lawsuits

Tom Uren — Thu, 01 Aug 2024 11:45:54 +1000

In this podcast Tom Uren and Patrick Gray discuss the Israeli government seizing documents from NSO Group so that they couldn't be shared with opposition counsel in a US lawsuit during discovery. It's a terrible look. They also talk about foreign adversaries turning to commercial firms to buy election interference services in the lead up to the presidential election. Tom argues that is fundamentally good news. A video version of this episode is available [on YouTube](https://www.youtube.com/watch?v=HOrOkxNy8kg).

Risky Business #757 – The ClownStrike cleanup continues

Patrick Gray — Wed, 31 Jul 2024 13:42:05 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including: - The insurance industry’s reaction to CrowdStrike’s mess - Google’s Workspace email validation flaw and its consequences for OAuth’d applications - Is the VMWare ESX group membership feature a CVE or an FYI? - Secureboot continues to under-deliver - North Korea’s revenue neutral intelligence services - And much, much more This episode is sponsored by allowlisting software vendor Airlock Digital. Airlock uses a kernel driver on Windows, so Chief Executive David Cottingham joined to discuss what the CrowdStrike kernel driver bug drama means for security vendors. This episode is also available on Youtube. If you want to ruin the magic of radio and see the faces behind the show, well, [now you can](https://www.youtube.com/watch?v=mu9xJ2mHayU)!

Risky Biz News: NVD backlog unlikely to be addressed by September

Catalin Cimpanu — Wed, 31 Jul 2024 11:11:27 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Wide World of Cyber: Why we should show CrowdStrike no mercy

Patrick Gray — Tue, 30 Jul 2024 13:31:12 +1000

In this episode of Wide World of Cyber, Risky Business host Patrick Gray discusses the recent CrowdStrike incident and its implications for security software that operates in kernel space with Chris Krebs and Alex Stamos of SentinelOne, a CrowdStrike Competitor. The conversation also delves into Microsoft's role in this whole disaster and the potential changes it could make to its operating system to prevent similar incidents in the future. A video version of this episode is also available [on Youtube!]( https://www.youtube.com/watch?v=EGRqtscp4eE)

Between Two Nerds: What the CrowdStrike outage teaches us about cyber war

Tom Uren — Tue, 30 Jul 2024 07:26:28 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss what the widespread disruption caused by CrowdStrike's faulty update tells us about how useful cyber operations are for war.

Risky Biz News: AMI Platform Key leak undermines Secure Boot on 800+ PC models

Catalin Cimpanu — Mon, 29 Jul 2024 11:16:51 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: US charges Andariel member for ransomware attacks

Catalin Cimpanu — Fri, 26 Jul 2024 11:00:45 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Chinese Illegal Gambling's Worldwide Tentacles

Tom Uren — Thu, 25 Jul 2024 13:42:32 +1000

In this podcast Tom Uren and Patrick Gray discuss the wild story of a Chinese illegal gambling operation that involves human trafficking, shell companies, money laundering, hundreds of thousands of websites and sponsorship of European football teams. They also talk about why a potential CSRB review of CrowdStrike's disaster should focus... not on CrowdStrike, but instead on the legacy practice of security vendors having kernel-level access to Windows. Finally, Tom is happy that the FTC is going to investigate 'surveillance pricing'.

Risky Business #756 -- Move fast and break everything

Patrick Gray — Wed, 24 Jul 2024 14:29:22 +1000

The Risky Biz main show returns from a break to the traditional internet-melting mess that happens whenever Patrick Gray takes a holiday. Pat and Adam Boileau talk through the week’s security news, including: * Oh Crowdstrike, no, oh no, honey, no * AT&T stored call records on Snowflake and you’ll never guess what happened next * Squarespace buys Google Domains and makes a hash of it * Some but not all of the SECs case against Solarwinds gets thrown out * Pity the incident responders digging through a terabyte of Disney Slack dumps * Internet Explorer rises from the grave, and it wants SHELLS RAAAAARGH SSHHEEELLLS * And much, much more. This week's show is brought to you by Sublime Security, a flexible and modern email security platform. If you're sick of using a black box email security solution, Sublime is a terrific option for you.

Risky Biz News: New Russian ICS malware cuts heat to 600 Ukrainian apartment buildings

Catalin Cimpanu — Wed, 24 Jul 2024 12:04:50 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Every cloud has a silver lining

Tom Uren — Tue, 23 Jul 2024 06:51:32 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss whether the rise of cloud computing has been a boon or a curse for cyber espionage agencies.

Risky Biz News: CrowdStrike faulty update affects 8.5 million Windows systems

Catalin Cimpanu — Mon, 22 Jul 2024 12:23:05 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Trickbot dev arrested in Moscow

Catalin Cimpanu — Fri, 19 Jul 2024 11:34:08 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: World vs China cyber security reporting duel

Tom Uren — Thu, 18 Jul 2024 13:22:33 +1000

In this podcast Tom Uren and Adam Boileau talk about how countries are using cyber security reports and advisories to win friends and influence people; why having gaping holes in US federal government security is situation normal; and efforts to make up for the disappearance of Twitter's trust and safety team.

Risky Biz Soap Box: Mike Wiacek on lazy mode threat hunting

Patrick Gray — Wed, 17 Jul 2024 10:51:31 +1000

This Soap Box edition of the show is with Mike Wiacek, the CEO and Founder of Stairwell. Stairwell is a platform that creates something similar to an NDR, but for file analysis instead of network traffic. The idea is you get a copy of every unique file in your environment to the Stairwell platform, via a file forwarding agent. You get an inventory that lists where these files exist in your environment, at what times, and from there you can start doing analysis. If you find a dodgy file you can do all the usual malware analysis type stuff, but you can also do things like immediately find out where else that file is in your organisation, or even where else it was. From there you can identify other files that are similar -- variants of those files -- and search for those. And you can unpack all this very, very quickly. This is the type of tool that EDR companies use internally to do threat hunting, but it's just for you and your org -- you can drive it. And as you'll hear, the idea of a transparent, customisable and programmable security stack is something that's on-trend at the moment. Mike lays out the case that doing this sort of file analysis in your organisation makes a whole lot of sense.

Risky Biz News: Kasperksy winds down US business

Catalin Cimpanu — Wed, 17 Jul 2024 09:47:55 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The great game, cyber edition

Tom Uren — Tue, 16 Jul 2024 09:25:25 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss Shashank Joshi's notes from a recent Oxford Cyber forum. Topics include the role of 0days and who is ahead when it comes to offensive cyber operations. The pair refer to observations made in [this thread](https://x.com/shashj/status/1808578712956457460).

Risky Biz News: AT&T discloses massive hack

Catalin Cimpanu — Mon, 15 Jul 2024 11:34:25 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Apple warns iPhone users of new spyware attacks

Catalin Cimpanu — Fri, 12 Jul 2024 09:41:57 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Wide World of Cyber: State directed cybercrime

Patrick Gray — Wed, 10 Jul 2024 17:59:03 +1000

In this podcast Alex Stamos, Chris Krebs and Patrick Gray discuss the relationship between cybercrime and the state, which is often more complicated than it should be. While the US Government and its allies fight the scourge of ransomware, other governments are using it to either raise revenue or irritate their foes. North Korea sees ransomware as a money spinner, while the Kremlin enjoys poking the west in the eye with it. Join us for a breakdown of the relationships between governments who should know better and the worst types of people on the planet.

Risky Biz News: US takes down RT's Twitter bot farm

Catalin Cimpanu — Wed, 10 Jul 2024 10:51:29 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: How bureaucracies deal with super talented people

Tom Uren — Tue, 09 Jul 2024 07:26:46 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how bureaucracies should deal with outstandingly talented individuals.

Risky Biz News: A ransomware attack is putting lives at risk across South Africa

Catalin Cimpanu — Mon, 08 Jul 2024 11:24:30 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Ransomware attacks increase hospital mortality rates

Catalin Cimpanu — Fri, 05 Jul 2024 09:34:23 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: When hacking customers is good business

Tom Uren — Thu, 04 Jul 2024 14:10:29 +1000

In this podcast Tom Uren and Patrick Gray talk about how South Korean internet regulations inadvertently encouraged a large ISP to hack their own customers to cut down on torrent traffic. They also look at state-backed hackers behaving very badly.

Risky Business #755 -- SSH 0day! Polyfill drama! Entrust crushed!

Patrick Gray — Wed, 03 Jul 2024 15:47:15 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including: * Widely used polyfill javascript gets hijacked by its new owners * MacOS supply chain disaster bullet dodged * That OpenSSH remote code exec OH MY <3 * Entrust gets its CA business kicked to the kerb by Google * South Korean telco intentionally viruses 600k customers * Microsoft continues to deeply underwhelm * And much, much more. This week’s episode is sponsored by Greynoise. Founder Andrew Morris joins to talk about ways to track attackers across NAT and VPNs, as well as how you can join in the fun of running an internet-scale honeypot network.

Risky Biz News: Unauth RCE in OpenSSH—a scary combination of words

Catalin Cimpanu — Wed, 03 Jul 2024 09:08:47 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Private enterprise is on its own

Tom Uren — Tue, 02 Jul 2024 10:19:19 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about why governments have failed to protect the private sector from state-backed cyber espionage.

Risky Biz News: Russia hacks TeamViewer

Catalin Cimpanu — Mon, 01 Jul 2024 13:49:03 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Why AI shouldn't really change your security controls

Patrick Gray — Fri, 28 Jun 2024 12:40:50 +1000

This is a sponsored Soap Box edition of the Risky Business podcast. Abhishek Agrawal is the CEO and co-founder of Material Security, an email security company that locks down cloud email archives. Attackers have been raiding mailspools since hacking has existed, and with those mailspools now in the cloud with services like o365 and Google Workspace, guess where the attackers are going? Material built a product that helps you lock up your email data, to archive and redact sensitive information. The idea is to really just limit what an attacker can do with email data if they pop an account. Abhishek joined me to talk about a few things, like how non phishing resistant MFA is basically dead, how email content is very useful to security programs, and about how the gen AI won't really change much on the defensive control side.

Srsly Risky Biz: Why the Optus breach was dumb

Tom Uren — Thu, 27 Jun 2024 12:20:33 +1000

In this podcast Tom Uren and Patrick Gray talk about how Optus's 2022 data breach went down and how the company had been vulnerable for years. They also look at the US government's ban on Kaspersky products, why it makes sense and why the ban took a long time to arrive.

Risky Business #754 -- Assange pleads guilty to espionage, walks free

Patrick Gray — Wed, 26 Jun 2024 15:57:31 +1000

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including: * Julian Assange finally cuts a deal, pleads guilty, and goes free * USA to ban Kaspersky - even updates * Car dealer SaaS provider CDK contemplates paying a ransom * Intolerable healthcare ransomware attacks continue * We revisit Windows proximity bugs via wifi and bluetooth * And much, much more. This week’s episode is sponsored by enterprise browser maker Island. Crowdstrike co-founder Dmitri Alperovitch is an investor in Island, and joins on its behalf to discuss why an enterprise browser is really starting to make sense.

Risky Business #753 – Congress and vuln researchers maul Microsoft

Patrick Gray — Wed, 19 Jun 2024 19:35:25 +1000

On this week’s retreat special, the entire Risky Business team is together in a tropical paradise for the first time. The team takes a break from the infinity pool to discuss the week’s security news: * Microsoft recalls Recall, but why did it have to be such a mess * And a Windows kernel wifi code-exec, really? * Passkeys and identity are hard * Scattered Spider bigwig arrested in Spain * The pentagon runs a deeply flawed info-op * Is it time E2E crypto nerds accept their place in the world? * And much, much more. This week's show is brought to you by Corelight... Corelight's CEO Brian Dye will be along in this week's sponsor interview to make a really compelling case for something that shouldn't exist... which is NDR in cloud environments.

Risky Biz News: Russia wants its own CISA

Catalin Cimpanu — Fri, 14 Jun 2024 10:39:29 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: China's superstar hackers

Tom Uren — Thu, 13 Jun 2024 12:03:19 +1000

In this podcast Tom Uren and Patrick Gray talk about a [new report](https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/CyberDefenseReport_%20From%20Vegas%20to%20Chengdu.pdf) that explores how China's vulnerability discovery and research ecosystem is linked to state sponsored espionage. This research finds that a relatively small number of people are responsible for an outsize contribution to vulnerability discovery. They also talk about difficulties at CISA's Joint Cyber Defence Collaborative initiative and why it should be retired.

Risky Business #752 -- Apple announcements thrill and terrify at the same time

Patrick Gray — Wed, 12 Jun 2024 16:07:09 +1000

On this week’s show Patrick Gray and Adam Boileau are joined by long-time NSA boffin Rob Joyce. Now Rob’s left the government service, he’s hobnobbing with us pundits, talking through the week’s news: - Apple announces a big leap for confidential cloud computing into the mass market - While at the same time, letting you just mosey around your iPhone from your Mac - Mandiant reports in about the Snowflake breach - Moody’s say credit ratings might consider cyber incidents - Microsoft fixes an Azure flaw with a… “comprehensive documentation update" - And much, much more. This week’s show is sponsored by Yubico, maker of the Yubikey hardware authentication token. Jerrod Chong, Yubico's COO and President joins to talk about the challenges of the passkey and hardware authenticator ecosystem.

Risky Biz News: Apple launches private cloud for AI workloads

Catalin Cimpanu — Wed, 12 Jun 2024 11:42:04 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The cyber Rorschach test

Tom Uren — Tue, 11 Jun 2024 06:03:53 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how the use of cyber operations in Ukraine is informative but information is incomplete. Rather than clarifying the role of cyber operations in conventional warfare there is still a lot of room for confirmation bias.

Risky Biz News: Microsoft relents on Windows 11 Recall

Catalin Cimpanu — Mon, 10 Jun 2024 09:55:35 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Interpol plugs Red Notices leak

Catalin Cimpanu — Fri, 07 Jun 2024 10:15:07 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Russian attacks on Europe double

Tom Uren — Thu, 06 Jun 2024 15:15:53 +1000

In this podcast Tom Uren and Patrick Gray talk about Russia's escalating actions in Europe in the lead up to elections and the Paris Olympics. They combine disruptive cyber elements, disinformation and real-world covert action.

Risky Business #751 -- Snowflake, operation Endgame and Microsoft's looming FTC problem

Patrick Gray — Wed, 05 Jun 2024 14:47:35 +1000

On this week’s show Patrick Gray and Mark Piper discuss the week’s security news, including: * What on earth happened at Snowflake? * A look at operation Endgame * Check Point's hilarious adventures with dot dot slash * Report says the FTC is looking at Microsoft's security product bundling * More ransomware hits Russia * Much, much more 404 Media co-founder Joseph Cox is this week's feature guest. He joins us to talk about his new book, Dark Wire, which is all about the FBI's Anom sting. This week's show is brought to you by Resourcely. If your Terraform is a mess or your CSPM dashboards are lighting up with insane and stupid things, you should check out Resourcely. Its founder and CEO Travis McPeak will be along in this week's sponsor interview to talk about all things Terraform.

Risky Biz News: Making Linux a CNA was a bad decision

Catalin Cimpanu — Wed, 05 Jun 2024 13:29:44 +1000

A short podcast updating listeners on the security news of the last few days, prepared by Catalin Cimpanu and read by Claire Aird.

Between Two Nerds: Why trolling cyber criminals is misguided

Tom Uren — Tue, 04 Jun 2024 11:09:23 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about law enforcement agencies trolling cyber criminals when they carry out disruption operations, and why it might be counterproductive.

Risky Biz News: What actually happened with Snowflake, Ticketmaster

Catalin Cimpanu — Mon, 03 Jun 2024 11:22:24 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Law enforcement disrupts six malware botnets

Catalin Cimpanu — Fri, 31 May 2024 14:00:04 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Cyber Command is a half-ripe melon

Tom Uren — Thu, 30 May 2024 14:32:49 +1000

In this podcast Tom Uren and Patrick Gray talk about continued discussion about the creation of a Cyber Force. It's a discussion that won't go away and shows there is an underlying feeling that Cyber Command could do better. They also discuss how Scattered Spider is like Hollywood and how TikTok's report on influence campaigns will do nothing to convince people it is not a national security risk.

Risky Business #750 -- Why Microsoft's Recall is an attacker's best friend

Patrick Gray — Wed, 29 May 2024 14:48:30 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: * Russian delivery company gets ransomware-wiper’d * A supply-chain attack targets video software used in US courts * Checkpoint firewalls get hacked, details as clear as mud * Microsoft Recall delights hackers * Aussie telco Optus gets told its IR report isn’t legal advice * Cyber insurer says you’re 5x more likely to get rekt if you have a Cisco ASA * And much, much more. This week’s episode is sponsored by Kroll Cyber. Alex Cowperthwaite, Kroll's technical director research and development for offence joins to talk about how his team attacks AI models, in ways both classic and new.

Risky Biz News: MediSecure asks for a government bailout; denied!

Catalin Cimpanu — Wed, 29 May 2024 10:49:10 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Ransomware and the state

Tom Uren — Tue, 28 May 2024 08:04:16 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the role of the state in tackling ransomware. They discuss why action has been slow and ineffective, and what it will take to truly change the situation.

Risky Biz News: Google throws out GlobalTrust certs

Catalin Cimpanu — Mon, 27 May 2024 09:32:28 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Backdoor found in court AV recording software

Catalin Cimpanu — Fri, 24 May 2024 13:51:28 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: UK to consider licensing ransomware payments

Tom Uren — Thu, 23 May 2024 14:20:43 +1000

In this podcast Tom Uren and Patrick Gray talk about a UK government proposal that would see ransomware victims seek government approval before making ransom payments. They also talk about why governments need to be more proactive about defending democracy and why that is difficult.

Risky Business #749 -- Google answer to Microsoft's insecurity? Buy Google stuff!

Patrick Gray — Thu, 23 May 2024 13:09:55 +1000

This week’s episode was recorded in front of a live audience at AusCERT's 2024 conference. Pat and Adam talked through: * Google starts using security as a marketing tool against Microsoft, along with steep discounts * Microsoft announces a creepy desktop recording AI * UK govt proposes ransom payment controls * Arizona woman runs a laptop farm for North Korea * Julian Assange just keeps on with his malarky * And much, much more This week’s episode is sponsored by Tines. Its CEO Eoin Hinchy joins the show to talk about how AI can be genuinely useful in automation.

Risky Biz News: DNSBomb attack is here! Pew pew pew!!!

Catalin Cimpanu — Wed, 22 May 2024 09:32:18 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Three Nerds: The strategic culture of Russian intelligence

Tom Uren — Tue, 21 May 2024 07:28:51 +1000

In this edition of Between Three Nerds Tom Uren and The Grugq talk to Elena Grossfeld about the strategic culture of Russian intelligence organisations. In the discussion we refer to Elena's paper on Russia's [declining satellite reconnaissance capability](https://www.tandfonline.com/doi/full/10.1080/08850607.2024.2330848) and she talks about '[lustration](https://en.wikipedia.org/wiki/Lustration)', the removal of public officials who are [associated with a tainted political regime](https://judiciariesworldwide.fjc.gov/question/what-lustration#:~:text=from%20the%20Latin%20lustratio%2C%20meaning,newly%20independent%20and%20postconflict%20countries.). Elena is researching Russian and Soviet intelligence culture at [Kings College London](https://www.kcl.ac.uk/people/elena-grossfeld) and is on X [@kloosha](https://twitter.com/kloosha).

Risky Biz News: Germany sues Microsoft for details on past hack

Catalin Cimpanu — Mon, 20 May 2024 09:43:32 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Feds seize BreachForums again

Catalin Cimpanu — Fri, 17 May 2024 14:18:23 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Wide World of Cyber: Krebs and Stamos on How AI Will Change Cybersecurity

Patrick Gray — Fri, 17 May 2024 10:12:05 +1000

In this podcast SentinelOne's Chief Trust officer Alex Stamos and its Chief Intelligence and Public Policy Officer Chris Krebs join Patrick Gray to talk all about AI. It's been a year and a half since ChatGPT landed and freaked everyone out. Since then, AI has really entrenched itself as the next big thing. It's popping up everywhere, and the use cases for cybersecurity are starting to come into focus. Threat actors and defenders are using this stuff already, but it's early days and as you'll hear, things are really going to change, and fast.

Srsly Risky Biz: The proliferation of spyware in Southeast Asia

Tom Uren — Thu, 16 May 2024 13:24:35 +1000

In this podcast Tom Uren and Patrick Gray talk about Amnesty International's research into Indonesia's use of spyware implicated in human rights abuses. They also talk about proposed regulation that would dock payments to US hospitals that don't meet minimum cyber security standards and why the idea needs some tweaking.

Risky Business #748 -- New cyber rules for US healthcare are coming

Patrick Gray — Wed, 15 May 2024 15:48:37 +1000

This week Patrick Gray and Adam Boileau along special guest Lina Lau discuss the week’s news, including: * The ongoing Ascension healthcare disruption, and * Whether its reasonable for healthcare orgs to be pushing back * Platforming cybercriminals for interviews * Own the libs by… not using E2EE messaging? * CISA’s secure by design, we want to believe! * The $64billion scale of indusrialised fraud * And much, much more. This week’s sponsor is network discovery specialist, Run Zero. Director of research Rob King joins to talk about the weird and wonderful delights in their new Research Report.

Risky Biz News: Ebury gang compromises entire ISPs and hosting providers

Catalin Cimpanu — Wed, 15 May 2024 09:33:34 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two (Other) Nerds: Signalling, Cyber Signalling is Dead

Tom Uren — Tue, 14 May 2024 08:55:06 +1000

The regular two nerds have the week off, but the former Director of the CIA's Center for Cyber Intelligence Andy Boyd joins Patrick Gray for a rollicking conversation in front of a live audience in San Francisco. Grugq and Tom return next week!

Risky Biz News: Black Basta group spam-bombs victims and then calls to help

Catalin Cimpanu — Mon, 13 May 2024 09:33:22 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: 68 tech companies sign up to CISA's Secure by Design project

Catalin Cimpanu — Fri, 10 May 2024 10:38:35 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: 'Security' the new marketing mantra

Tom Uren — Thu, 09 May 2024 13:39:43 +1000

In this podcast Tom Uren and Adam Boileau talk about how Microsoft's reprioritisation of security after recent breaches and a scathing CSRB report seem to be influencing other companies. They are now touting their security chops, so could it be that security is actually becoming a competitive advantage? They also talk about law enforcement trying to make life difficult for the LockBit ringleader and how the Change Healthcare disaster had deeper underlying causes beyond "no MFA on Citrix".

Risky Business #747 -- Lockbit Leader Has A Very Bad Day

Patrick Gray — Wed, 08 May 2024 15:09:06 +1000

Patrick dials in from RSA in San Francisco to discuss the week’s security news with Adam, including: * The west doxxes LockbitSupp, who must now hide his hundred million dollars * Revil hacker behind Kasaya breach gets 14 years * Microsoft makes some positive sounding* noises on security * A fun flaw in nearly all VPN clients * Gitlab admins continue their never-ending incident response * And much, much more. This week’s sponsor is Stairwell. Long time infosec researcher Silas Cutler joins us to talk through his adventures in attacker C2 systems, and how this feeds into Stairwell’s data. \* we’re still sceptical they’ll get it right, but they do at least seem to realise how deep the doo-doo they’re in is… Pat speculates they have … tentacles, and a regulatory-threat-gland.

Risky Biz News: LockBit leader unmasked, charged, and sanctioned

Catalin Cimpanu — Wed, 08 May 2024 10:52:17 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: How organisations learn in a world of secrets

Tom Uren — Tue, 07 May 2024 07:11:32 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at how different types of secrecy obsessed organisations learn. The Grugq mentions the book [Mafia Organisations: The Visible Hand of Criminal Enterprise](https://www.cambridge.org/core/books/mafia-organizations/C44554D6F19D0AA6C49702311F2361A4) by Maurizio Catino.

Risky Biz News: Microsoft ties security goals to executive compensation

Catalin Cimpanu — Mon, 06 May 2024 10:15:30 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: New router malware intercepts traffic to steal credentials

Catalin Cimpanu — Fri, 03 May 2024 11:49:11 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The problem with big tech

Tom Uren — Thu, 02 May 2024 13:52:18 +1000

In this podcast Tom Uren and Adam Boileau talk about how there is a growing consensus between regulators and lawmakers on the key problems of modern tech companies. They also dive into how to deal with malicious foreign actors buying their way onto domestic cloud infrastructure and how drones are actually just like modern cars.

Risky Business #746 – Microsoft takes your security seriously*

Patrick Gray — Wed, 01 May 2024 14:34:13 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: * Microsoft reassures* us that they take security very seriously* * Cisco ASA firewalls get sneakily backdoored, but no one’s quite sure how * Change Healthcare was 1FA Citrix all along * The FTC, FCC and other government sticks get waved at tech * Lizard Squad Finn who hacked the Vastaamo therapy chain gets sentenced * And much, much more. This week’s sponsor is Zero Networks, who make a network micro-segmentation product that is actually usable. Zero Networks CEO Benny Lakunishok joins us to talk through why firewalling everything everywhere is finally workable. \* You’ll forgive us for being… a tad sceptical.

Risky Biz News: Change Healthcare blames it all on a Citrix password

Catalin Cimpanu — Wed, 01 May 2024 09:51:17 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Busting 0day Myths

Tom Uren — Tue, 30 Apr 2024 07:54:17 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the life cycle of 0days, dissect the conventional wisdom and talk about how 0days are never truly 'burnt'.

Snake Oilers: Push Security, Knocknoc and iVerify

Patrick Gray — Mon, 29 Apr 2024 16:12:13 +1000

In this edition of Snake Oilers we'll be hearing from: * [Push Security](https://pushsecurity.com): A browser plugin-based security company that combats identity-based attacks. (Much more compelling that it sounds in this description.) * [Knocknoc](https://knocknoc.io/): The tool Risky Business uses to protect our own applications and services. (Restrict network/port access to users who are authenticated via SSO.) * [iVerify](https://www.iverify.io/): Mobile security and threat hunting for iOS and Android. (Caught Pegasus in the wild!)

Risky Biz News: Cyber Partisans hack Belarus KGB

Catalin Cimpanu — Mon, 29 Apr 2024 12:22:40 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Cisco zero-day fun time is here!

Catalin Cimpanu — Fri, 26 Apr 2024 09:03:05 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Patrick Gray. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Sandworm an inspiration for hostile actors

Tom Uren — Thu, 25 Apr 2024 13:30:41 +1000

In this podcast Adam Boileau and Tom Uren talk about what there is to learn from Mandiant's report into the GRU Sandworm crew. Are the Russians a model for other actors, or just a get-'er-done bunch of pragmatists? They also talk about an attempt to build a World Cybercrime Index, assessing different national cybercrime specialisations.

Risky Biz News: First US spyware visa ban hammer falls on 13 individuals

Catalin Cimpanu — Wed, 24 Apr 2024 12:10:31 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Special Edition: Chris Krebs, Alex Stamos and Patrick Gray

Patrick Gray — Wed, 24 Apr 2024 10:03:04 +1000

In this special edition of the Risky Business podcast Patrick Gray chats with former Facebook CSO Alex Stamos and founding CISA director Chris Krebs about sovereignty and technology. China and Russia are doing their level best to yeet American tech from their supply chains -- hardware, software and cloud services. They'll be rebuilding these supply chains -- for government systems, at least -- from components that they have complete visibility into, and control over. Meanwhile, America's government faces different supply chain challenges. It has a supply chain that won't be weaponised against it by its adversaries, but it lacks the same sort of visibility and control that its adversaries will eventually achieve over their supply chains. So where does this leave the west? Where does it leave China and Russia?

Risky Biz News: File transfer system hacking spree continues with a CrushFTP zero-day

Catalin Cimpanu — Mon, 22 Apr 2024 09:06:27 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read today by Patrick Gray, as Claire Aird is unwell. You can find the newsletter version of this podcast here.

Risky Biz News: Authorities take down LabHost PhaaS

Catalin Cimpanu — Fri, 19 Apr 2024 10:07:26 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why the compromise of open source projects is inevitable

Tom Uren — Thu, 18 Apr 2024 13:09:43 +1000

In this podcast Patrick Gray and Tom Uren talk about how open source software is inherently vulnerable to malicious 'good samaritan' attacks and what to do about it. They also talk about a recent breach at data analytics company Sisense, how dependency on Microsoft is a strategic risk, and US Cyber Command's view of the world.

Risky Business #745 – Tales from the PANageddon

Patrick Gray — Wed, 17 Apr 2024 15:35:25 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: * Palo Alto’s firewalls have a ../ bad day * Sisense’s bucket full of creds gets kicked over * United Healthcare draws the ire of congress * FISA 702 reauthorisation finally moves forward * Apple warns about “mercenary exploitation” but what’s the India link? * And much, much, more This week’s sponsor is Panther, a platform that does detection as code on massive amounts of data. Panther's founder Jack Naglieri is this week's sponsor guest, and we spoke with him about some common detection-as-code approaches.

Risky Biz News: PuTTY crypto bug exposes private keys

Catalin Cimpanu — Wed, 17 Apr 2024 13:21:46 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: 0days in 2023

Tom Uren — Tue, 16 Apr 2024 08:39:47 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at Google's review of 0days in 2023. They discuss what this kind of information tells us and how Google's perspective influences the report.

Risky Biz News: Palo Alto Networks scrambles to push zero-day RCE patch

Catalin Cimpanu — Mon, 15 Apr 2024 11:29:27 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: CISA sounds alarm on Sisense breach

Catalin Cimpanu — Fri, 12 Apr 2024 11:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast [here](https://news.risky.biz)

Srsly Risky Biz: States behaving badly

Tom Uren — Thu, 11 Apr 2024 18:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about how different states are transgressing what we want to be norms of online behaviour. They also look at the framing around new bipartisan privacy legislation and why vendors should have positive security obligations.

Risky Biz News: Ukraine suspends SBU cyber chief

Catalin Cimpanu — Wed, 10 Apr 2024 18:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #744 -- Ransomware upstarts jostle in Lockbit's absence

Patrick Gray — Wed, 10 Apr 2024 18:00:00 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: * Ransomware: down but not out * Zero day prices on the rise… * … and what it means for enterprise software * Geopolitical conflict comes to computers in Palau * Ukraine cyber chief Illia Vitiuk suspended * More x86 microarchitectural bad times * And much much more Proofpoint's chief strategy officer Ryan Kalember is this week's sponsor guest. He takes aim at some recent vendor trends, like security companies describing themselves as "platforms".

Between Two Nerds: The human side of the XZ supply chain attack

Tom Uren — Tue, 09 Apr 2024 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the tradecraft used in the compromise of the XZ open source data compression project.

Risky Biz News: Backdoor found in 92k D-Link NAS devices

Catalin Cimpanu — Mon, 08 Apr 2024 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Snake Oilers: Kodex, ClearVector and Censys

Patrick Gray — Fri, 05 Apr 2024 00:00:00 +1100

In this edition of Snake Oilers you'll hear pitches from three companies: * [Kodex](https://www.kodexglobal.com/): Makes a platform companies can use to interact with law enforcement (Solves the law enforcement impersonator problem, among others.) * [ClearVector](https://www.clearvector.com/): Cloud security startup from former FireEye/Mandiant SVP/CTO John Laliberte * [Censys](https://censys.com/): Scans the entire internet, identifies assets you didn't know were yours, helps you track attacker infrastructure like C2

Risky Biz News: Ukraine wants Sandworm hackers tried at The Hague

Catalin Cimpanu — Fri, 05 Apr 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The heavy weight of CIRCIA regulation

Tom Uren — Thu, 04 Apr 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about the weighty tome of CISA's critical infrastructure reporting legislation, CIRCIA, and compare different approaches to defining regulation. They also look at moves to better protect customers from being tracked by the telco protocol Signalling System 7.

Risky Business #743 -- A chat about the xz backdoor with the guy who found it

Patrick Gray — Wed, 03 Apr 2024 19:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: * The SSH backdoor that dreams (or nightmares) are made of * Microsoft gets a solid spanking from the CSRB * Ukraine uses an old Russian WinRAR bug to hack Russia * Push-notifications and social-engineering combined-arms vs Apple * And much, much more. We have a special guest in this week's show, Andres Freund, the Postgres developer who discovered the backdoor in the xz Linux compression library. This week's show is brought to you by Island, a company that makes a security-focussed enterprise browser. Island's Bradon Rogers is this week's sponsor guest and he'll be joining us to talk about how people are swapping out their Virtual Desktop Infrastructure for enterprise-focussed browsers like theirs.

Risky Biz News: CSRB drops scathing Microsoft report

Catalin Cimpanu — Wed, 03 Apr 2024 00:00:00 +1100

Description: A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: The asymmetry of 'information warfare'

Tom Uren — Tue, 02 Apr 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at how states have very different views about manipulating the information environment aka 'information warfare'.

Risky Biz News: Epic supply chain attack on Linux SSH

Catalin Cimpanu — Mon, 01 Apr 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Spyware vendors behind 24 zero-days last year

Catalin Cimpanu — Fri, 29 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: China hacking for more than just IP

Tom Uren — Thu, 28 Mar 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about recent US and UK action including indictments and sanctions levied on PRC Ministry of State Security related hackers. In contrast to previous indictments, this one focuses a lot on the hacking of government officials and parliamentarians. That's new. They also look at a [new report](https://www.fdd.org/analysis/2024/03/25/united-states-cyber-force/) that lays out the case for a US Cyber Force.

Risky Biz News: China called out over hacks, again

Catalin Cimpanu — Wed, 27 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #742 -- China bans AMD and Intel, pivots to Linux on the desktop

Patrick Gray — Wed, 27 Mar 2024 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: * FVEY protests China’s widespread hacking of western politicians * China bans western CPUs, Windows and databases * Apple’s leaky M-chip prefetcher * Nigeria holds ex-IRS investigator hostage in Binance stoush * Researchers bring Rowhammer to AMD Zen and DDR5 * And much, much more. This week's show is brought to you by Thinkst Canary. Its founder Haroon Meer joins this week's show to make a passionate case that security vendors don't all have to go for explosive growth. Slow and steady with a focus on excellent and relevant products will win the race, he says.

Risky Biz News: EU bans anonymous crypto payments

Catalin Cimpanu — Mon, 25 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Why Azure vulns should get CVEs

Patrick Gray — Fri, 22 Mar 2024 00:00:00 +1100

In this Soap Box edition of the podcast Patrick Gray talks to Nucleus Security co-founder Scott Kuffer about whether or not cloud service vulnerabilities should get CVEs, what on earth is happening with NIST's National Vulnerability Database (NVD) and more.

Risky Biz News: US sanctions Russian disinfo peddlers in LATAM

Catalin Cimpanu — Fri, 22 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Microsoft deserves the stick

Tom Uren — Thu, 21 Mar 2024 00:00:00 +1100

Normal Seriously Risky Biz correspondent Tom Uren is on leave this week, so there's some lunatics-running-the-asylum energy in the episode. Patrick Gray wrote this week's newsletter, and Adam Boileau asks him what exactly we are to do with Microsoft? They're so big, and their security posture of late has us all sobbing into our Azure dashboards. Pat advocates for less carrot, and several varieties of stick. They also talk through where ransomware disruption is going to have to head next. What more creative, less ... uh... law-and-order options do we have for imposing cost on actors in pariah states?

Risky Biz News: New DoS loop attack impacts 300,000 systems

Catalin Cimpanu — Wed, 20 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #741 -- The Mintlify breach and modern supply chains

Patrick Gray — Wed, 20 Mar 2024 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: * Turns out AI is still bad code review after all, * Mintlify loses a bunch of Github tokens, * Everything old is new again with the UDP loop DoS, * Know-your-(recon satellite)-customer is hard, * Microsoft takes away Russia’s powershell, solving living off the land, * And much, much more This week's show is brought to you by Material Security. In this week's sponsor interview we speak with Material's Rajan Kapoor, VP of Customer Experience at Material. We're also joined by Chaim Sanders, who heads Security and Privacy at Lyft.

Between Two Nerds: Russia's Taurus missile leak

Tom Uren — Tue, 19 Mar 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at Russia's recent leak of an intercepted German military discussion. From an intelligence point of view the content of the discussion is only moderately interesting, but Russia decided to leak it in an attempt to influence European attitudes towards providing military aid to Ukraine.

Risky Biz News: Edge adds new sandbox escape protection

Catalin Cimpanu — Mon, 18 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: NIST stopped curating the CVE database a month ago

Catalin Cimpanu — Fri, 15 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Does 'delete America' mean deleting China too?

Tom Uren — Thu, 14 Mar 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about 'Document 79', a PRC government document that calls for the Chinese companies in finance, energy and other sectors, to remove foreign software from their IT systems by 2027. They also talk about the difficulties that Microsoft is facing in permanently removing SVR hackers from its systems.

Risky Biz News: Tor launches new WebTunnel anti-censorship protocol

Catalin Cimpanu — Wed, 13 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #740 -- Midnight Blizzard's Microsoft hack isn't over

Patrick Gray — Wed, 13 Mar 2024 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: * Weather forecast in Redmond is still for blizzards at midnight * Maybe Change Healthcare wasn’t just crying nation-state wolf * Hackers abuse e-prescription systems to sell drugs * CISA goes above and beyond to relate to its constituency by getting its Ivantis owned * VMware drinks from the Tianfu Cup * Much, much more This week's feature guest is John P Carlin. He was principal associate deputy attorney general under Deputy Attorney General Lisa Monaco for about 18 months in 2021 and 2022, and also served as Robert Mueller's chief of staff when he was FBI director. John is joining us this week to talk about all things SEC. He wrote the recent Amicus Brief that says the SEC needs to be careful in its action against Solarwinds. He'll also be talking to us more generally about these new SEC disclosure requirements, which are in full swing. Rad founder Jimmy Mesta will along in this week's sponsor segment to talk about some really interesting work they've done in baselining cloud workloads. It's the sort of thing that sounds simple that really, really isn't.

Between Two Nerds: How to disrupt ransomware groups

Tom Uren — Tue, 12 Mar 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at recent efforts to disrupt ransomware gangs and discuss what could make these efforts more effective.

Risky Biz News: Russian hackers stole Microsoft's source code

Catalin Cimpanu — Mon, 11 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Crypto-fraud is now bigger than BEC

Catalin Cimpanu — Fri, 08 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: German use of WebEx is fine, actually

Tom Uren — Thu, 07 Mar 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about the recent kerfuffle in Germany after a WebEx discussion between senior air force officials was leaked by Russian propagandists. Its interesting to see Russia using raw intelligence to try and shape German actions and they conclude that WebEx would have been fine if it had been used properly. They also talk about a new executive order aimed at preventing bulk sale of Americans' sensitive personal data to countries of concern. This is the best short term option, but they contrast this with the ad tech ecosystem to explore what controls on the collection of data might look like.

Risky Biz News: AlphV admins exit-scam with Change Healthcare’s ransom

Catalin Cimpanu — Wed, 06 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #739 -- ALPHV exit scams while Change Healthcare burns

Patrick Gray — Wed, 06 Mar 2024 00:00:00 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about: * The serious consequences from the Change Healthcare ransomware, and the need for a … nastier response * Predator spyware maker getting a stern sanctioning * A German military WebEx meeting gets snooped * Mem-corrpution is still king * And much, much more In this week's sponsor interview Patrick Gray speaks to Karl McGuinness, Okta's chief architect, about some new security improvements they've built into their IDP.

Between Two Nerds: Ukraine goes on the offensive

Tom Uren — Tue, 05 Mar 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at the shift that has taken place in Ukraine's cyber strategy as it has gone on the front foot and its cyber forces have launched multiple cyber strikes in the last few months. They discuss reasons why Ukraine might want to make this change and ask whether it makes sense.

Risky Biz News: Intellexa pulls the plug on new Predator spyware infrastructure

Catalin Cimpanu — Mon, 04 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Rizky Biz: The memory safety long game

Tom Uren — Fri, 01 Mar 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about the White House's push for memory safe programming languages and software measurability. They also discuss Nevada's moves against end to end encryption for children and the national security concerns with commercial data sales to geopolitical rivals. You can find the newsletter version of this podcast here.

Risky Biz News: US restricts sale of personal data to hostile nations

Catalin Cimpanu — Fri, 01 Mar 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: US sanctions Sandvine over Egypt sales

Catalin Cimpanu — Wed, 28 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #738 -- LockBit is down but not out. Yet.

Patrick Gray — Wed, 28 Feb 2024 00:00:00 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about: * LockBit gets back up after takedown * Russia arrests Medibank hacker... for something else * ConnectWise gives out free updates, but customers aren’t happy * Microsoft gives in to demands for more logs * Sandvine gets entity-listed * And much much more. Dmitri Alperovitch also joins the show to discuss Starlink, Starshield and a row with Congress about its availability in Taiwan. In this week’s sponsor interview, Airlock Digital’s Daniel Schell talks about his adventures with WDAC, and Dave Cottingham predicts Windows 12 will go all in on signed code.

Between Two Nerds: In search of Russian cyber doctrine

Tom Uren — Tue, 27 Feb 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq apologise for repeating a quote that is purported to be Russian cyber doctrine, but is not. They also wonder why this phenomena has happened before with the so-called Gerasimov doctrine.

Risky Biz News: Backdoor code found in Tornado Cash

Catalin Cimpanu — Mon, 26 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Google addresses Chrome JIT security

Catalin Cimpanu — Fri, 23 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: China's free market espionage machine

Tom Uren — Thu, 22 Feb 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about a recent leak from a PRC cyber espionage contractor i-SOON. The leak sheds light on China's cyber salt mines and the system's hyper-capitalist, pay-for-results, approach to stealing secrets.

Risky Biz News: Law enforcement thoroughly dismantle LockBit

Catalin Cimpanu — Wed, 21 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #737 -- LockBit gets absolutely rekt

Patrick Gray — Wed, 21 Feb 2024 00:00:00 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about: * LockBit has been taken down by law enforcement * Some mega-juicy leaks out of Chinese offsec/APT contractor I-SOON * GRU gets its Moobot network shutdown * Signal adding usernames is… complicated * Much, much more In this week's sponsor interview Devicie's Tom Plant joins the show to talk about problems orgs run into when it comes to Windows policies. There's an expectation out there that Windows policies are set and forget, but sadly, this is not so.

Between Two Nerds: Russian cyber doctrine

Tom Uren — Tue, 20 Feb 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq examine Russian cyber doctrine and how it was applied in the early days of its invasion of Ukraine. They mention this Human Rights Watch report which examined how international humanitarian law was applied in the 2003 invasion of Iraq.

Soap Box: A deep dive on how Russia's SVR is hacking Microsoft 365 tenants

Patrick Gray — Mon, 19 Feb 2024 00:00:00 +1100

The need to properly secure Entra ID tenants has been made pretty obvious this year thanks to a large-scale attack on them by Russia's SVR intelligence agency. In this interview Andy Robbins from SpecterOps, the maker of Bloodhound Enterprise, talks through how he thinks those attacks actually went down, about how if you're an o365 customer you're using Entra ID whether you like it or not, and about how you can lock down your Entra ID tenant.

Risky Biz News: NSO Group capability revealed in court documents

Catalin Cimpanu — Mon, 19 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: US takes down GRU/APT28 botnet

Catalin Cimpanu — Fri, 16 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: The spyware ecosystem

Tom Uren — Thu, 15 Feb 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about what to do about commercial spyware. A new Google TAG report is a great primer on the ecosystem. They also talk about Ukraine's shift in cyber strategy. It is now carrying out and publicising that it is launching destructive cyber operations. Finally, they look at all the reasons why banning ransomware payments is a bad idea.

Risky Biz News: Rhysida ransomware secretly decrypted nine months ago

Catalin Cimpanu — Wed, 14 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #736 -- Azure misconfigurations are 2024's looming threat

Patrick Gray — Wed, 14 Feb 2024 00:00:00 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about: * Somehow there are still more Ivanti and Fortinet exploits * Volt Typhoon have been at it for years * Starlink in Ukraine gets complicated * Canadians hate poor Flipper * Much, much more… In this week's sponsor interview Feross Aboukhadijeh from Socket joins the show to talk about the sheer volume of malicious packages being committed to code repositories and why older SCA tools aren't well equipped to deal with them.

Between Two Nerds: The cyber magic bullet

Tom Uren — Tue, 13 Feb 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about why military doctrine in authoritarian states has an emphasis on cyber and information supremacy.

Soap Box: How to dismantle Volt Typhoon-style relay networks

Patrick Gray — Mon, 12 Feb 2024 00:00:00 +1100

In this Soap Box interview Greynoise founder and absolute legend Andrew Morris joins the show to talk about: * Why Greynoise hasn't seen a substantial drop off in Volt Typhoon's network of compromised routers after the US Government's takedown action * How vendors are using Greynoise as an early warning system to identify exploitation of their products * How he's using large language models to reverse exploitation attempts into actual exploits It truly is a great conversation, we hope you enjoy it!

Risky Biz News: Authorities take down Warzone RAT gang

Catalin Cimpanu — Mon, 12 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Ransomware passed $1 billion mark in 2023

Catalin Cimpanu — Fri, 09 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Beating back Volt Typhoon

Tom Uren — Thu, 08 Feb 2024 00:00:00 +1100

In this podcast Adam Boileau and Tom Uren talk about how the US has kicked off a campaign to combat Volt Typhoon, a PRC group that is positioning itself in US critical infrastructure to be able to disrupt it in the event of conflict. They also discuss how changing attacker behaviour has led to CISA's emergency directive to disconnect Ivanti Connect Secure devices.

Risky Biz News: US imposes visa ban on individuals linked to commercial spyware

Catalin Cimpanu — Wed, 07 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #735 -- AnyDesk fails the transparency test

Patrick Gray — Wed, 07 Feb 2024 00:00:00 +1100

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about: * Thought eels were slippery? Check out AnyDesk's PR! * Why Microsoft's 365 is a nightmare to secure * Cloudflare's needlessly hostile blog post * US Government introduces "Disneyland ban" for spyware peddlers * Much, much more... This week's feature guest is Eric Goldstein, the executive assistant director for cybersecurity at CISA. He's joining the show to talk about CISA's demand that US government agencies unplug their Ivanti appliances. He also chimes in on why the US government is so rattled by Volt Typhoon and addresses a recent report from Politico that claims CISA's Joint Cyber Defense Collaborative is a bit of a shambles. This week's sponsor guest is Dan Guido from Trail of Bits. He joins us to talk about their new Testing Handbook. Trail of Bits does a bunch of audit work and they've committed to trying to make bug discovery a one time thing -- if you find that bug once, you shouldn't have to manually find it on another client engagement. Semgrep for the win!

Between Two Nerds: What to expect when you are expecting to cyber

Tom Uren — Tue, 06 Feb 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about what up and coming countries should expect from a cyber command and whether they should invest in them.

Risky Biz News: Two Iranian cyber groups doxed in a week

Catalin Cimpanu — Mon, 05 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Ivanti finally releases zero-day patches

Catalin Cimpanu — Fri, 02 Feb 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: US data dumpster fire singes NSA

Tom Uren — Thu, 01 Feb 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about how the NSA suffered collateral damage from the US's lax data privacy environment. They also discuss how to respond to aggressive adversaries, how the current SEC cyber security disclosure regime is pointless and finally admit they occasionally get things wrong.

Risky Biz News: Brazilian police arrest Grandoreiro malware gang

Catalin Cimpanu — Wed, 31 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #734 -- The number of hacked Microsoft 365 customers is skyrocketing

Patrick Gray — Wed, 31 Jan 2024 00:00:00 +1100

In this week's show Patrick Gray and Adam Boileau discuss the week's security news. They talk about: * More details on sanctioned Medibank hacker Aleksandr Ermakov * More details on alleged Scattered Spider hacker Noah Michael Urban * RUMINT that the number of Microsoft customers impacted by the SVR oauth/365 campaign is huge * Ron Wyden did something useful... * ...then did something stupid * Ivanti's clown car collides with dumpster fire * Much, much more This week's feature guest is Australia's assistant foreign minister (and cybersecurity tragic) Tim Watts. He joins us to talk about why the Australian government sanctioned Aleksandr Ermakob. Sublime Security founder and CEO Josh Kamdjou is this week's sponsor guest. He joins us to talk about combating QR-code phishing.

Between Two Nerds: Rethinking mobile phones on the battlefield

Tom Uren — Tue, 30 Jan 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are in war. Using them is risky, but those risks need to be managed. They refer to this report which examines location tracking in the battlefield.

REPOSTED: Sponsored: Talking with Island on how enterprise browsers could replace some technology stacks

Catalin Cimpanu — Mon, 29 Jan 2024 00:00:00 +1100

NOTE: We initially published the wrong mp3 for this episode. It has been corrected! In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bradon Rogers, Chief Customer Officer at enterprise browser Island, on how a modern enterprise browser solution like Island can be used to replace, complement, or enhance some enterprise security tools or technology stacks.

Risky Biz News: DOJ and FTC tell companies to stop deleting chats

Catalin Cimpanu — Mon, 29 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: How the SEC's new cyber disclosure rules are shaking out

Tom Uren — Fri, 26 Jan 2024 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about how the SEC's new disclosure rules that mean companies have four days to report cyber security incidents once they've formally decided that they are material. So far, companies are very much erring on the side of caution. They also look at the criticism of the CSRB's board composition. Tom thinks these critiques are misguided. The cyber security landscape is so fractured that if the board were made up of faceless bureaucrats it would get very limited traction.

Risky Biz News: SVR hackers also breached HPE

Catalin Cimpanu — Thu, 25 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Between Two Nerds: Why data brokers aren't causing widespread harms

Tom Uren — Thu, 25 Jan 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how having so much data available about Americans feels creepy, yet there is little visible harm to individuals. But there are still reasons to be worried.

Risky Biz News: AU, UK, US sanction Russian behind Medibank ransomware attack

Catalin Cimpanu — Wed, 24 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #733 -- Say cheese, motherf---er

Patrick Gray — Wed, 24 Jan 2024 00:00:00 +1100

In this week's show Patrick Gray and Adam Boileau discuss the week's security news. * Microsoft honks its clown car horn * Australia's hounds, released, catch their man * The beginning of the end for Scattered Spider * SEC was SIM swapped but had MFA off any way * Ivanti learns a lesson... * ... while Progress does not * and much more DHS undersecretary for policy and Cyber Safety Review Board head Rob Silvers is this week's feature guest. He joins the show to talk about how the CSRB handles possible conflicts of interests from board members with industry day jobs. In this week's sponsor interview Resourcely's founder Travis McPeak talks about why we need to help developers with "paved roads" instead of relying on dashboard products to tell us when things have gone wrong.

Risky Biz News: SVR hackers breach Microsoft

Catalin Cimpanu — Mon, 22 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Congress considers making CSRB permanent

Catalin Cimpanu — Fri, 19 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: The PRC doesn't care about stealth, just access

Tom Uren — Thu, 18 Jan 2024 00:00:00 +1100

In this podcast Adam Boileau and Tom Uren talk about how although the PRC has pivoted to quieter living-off-the-land approaches, they don't really care about stealth. They just want long-term access. So this means noisily digging in to networks and targeting end-of-life devices. They also look at the FTC's settlement against geolocation data broker Outlogic. It's a win, but it's built on shaky foundations.

Risky Biz News: Ivanti Connect Secure zero-days suffer mass exploitation

Catalin Cimpanu — Wed, 17 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #732 — We are CRUSHED

Patrick Gray — Wed, 17 Jan 2024 00:00:00 +1100

On this week’s SURPRISE edition, Patrick Gray and Adam Boileau discuss the week’s security news. They cover: * Their disappointment over last week’s SEC Twitter hack * China rainbow-tables Airdrop * Enterprise bugs galore… * … and why patching fast is hard when there isn’t even a patch yet * UEFI flaws get trad-BIOS-era vendor response * and much, much more… This week’s show is unsponsored, we’re just here for the fun of it.

Between Two Nerds: Stuxnet, the inevitable game changer

Tom Uren — Tue, 16 Jan 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how Stuxnet was an 'inevitability gamechanger', how much we now know about the operation and how much the Dutch government should have known at the time.

Risky Biz News: Chinese APT hacks a third of Cisco RV320/325 routers

Catalin Cimpanu — Mon, 15 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Chinese APT exploits two Pulse Secure zero-days

Catalin Cimpanu — Fri, 12 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Russia's cyber war fantasy

Tom Uren — Thu, 11 Jan 2024 00:00:00 +1100

In this podcast Adam Boileau and Tom Uren talk about how cyber operations are being used in conflicts in both Ukraine and the Middle East. Some of these operations make sense but others seem pointless or even counterproductive.

Risky Biz News: Ransomware wrecks Paraguay's largest telco

Catalin Cimpanu — Wed, 10 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #731 -- SEC Twitter hack moves Bitcoin price

Patrick Gray — Wed, 10 Jan 2024 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * SEC Twitter account hack moves bitcoin price * Kaspersky admires Triangulation hackers' fine work * Telcos hacked all over * Israel hacks Iranian gasoline pumps again * Iran up in Albania, Sudan, Egypt and Tanzania * and much, much more... This week's show is brought to you by Nucleus Security. Co-founder Scott Kuffer joins us to talk about why patch management is more nuanced than just "patch fast!"

Between Three Nerds: Martijn Grooten on how Infosec has changed

Tom Uren — Tue, 09 Jan 2024 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk with infosec and anti-virus veteran Martijn Grooten about how the infosec industry has changed over the years.

Risky Biz News: Merck settles NotPetya lawsuit

Catalin Cimpanu — Mon, 08 Jan 2024 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #730 -- Apple, Facebook go all in on e2ee

Patrick Gray — Wed, 13 Dec 2023 00:00:00 +1100

In this week's edition of the show Patrick Gray and guest co-host Dmitri Alperovitch discuss: * Major telco in Ukraine taken down by Russia * Apple and Facebook go all in on e2ee * Why 702 reauthorisation is looking a bit sketchy * The USG wants your push notifications * The year in review, plus some predictions for 2024 This week's show is brought to you by Thinkst Canary. Haroon Meer, Thinkst's founder, is this week's sponsor guest. He joins us to talk about APT groups pivoting to living-off-the-land techniques.

Risky Biz Soap Box: Why enterprise browsers are good, actually

Patrick Gray — Tue, 12 Dec 2023 00:00:00 +1100

In this Soap Box edition of the Risky Business podcast Patrick Gray talks to Island's Bradon Rogers about security-focussed, enterprise browsers. You can use Island to do stuff like grant third parties access to corporate applications on unmanaged devices in a not insane way -- that's a huge pain point for a lot of CISOs, and something that is bringing a lot of new customers through Island's doors. Obviously for devices you _do_ manage, you can roll Island out as your default enterprise browser. There are a lot of security benefits to doing that.

Risky Biz News: UK summons Russian ambassador over hacking campaigns

Catalin Cimpanu — Fri, 08 Dec 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why election interference is inevitable

Tom Uren — Thu, 07 Dec 2023 00:00:00 +1100

In this podcast Patrick Grey and Tom Uren talk about whether election interference will take place in the Taiwanese, US and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

Risky Business #729 -- Why patching faster won't save us

Patrick Gray — Wed, 06 Dec 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Iran-linked attacks on US water infrastructure * Why the ownCloud bug isn't the end of the world * The D-Link 0day that... never existed? * In defence of Okta * Much, much more This week's show is brought to you by Proofpoint. Ryan Kalember, Proofpoint's EVP of Cybersecurity Strategy, is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: US government agencies officially suck at logging

Catalin Cimpanu — Tue, 05 Dec 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Revisiting Ukraine's IT Army

Tom Uren — Tue, 05 Dec 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army

Risky Biz News: US Government sounds alarm on water plant hacks

Catalin Cimpanu — Mon, 04 Dec 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Black Basta group made $107 million from ransom payments

Catalin Cimpanu — Fri, 01 Dec 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Living off the land is the new normal

Tom Uren — Thu, 30 Nov 2023 00:00:00 +1100

In this podcast Patrick Grey and Tom Uren talk about how threat actors abusing legitimate tools (aka living off the land) is the new normal. Everyone is doing it, from activists to cybercriminals to nation states. It's a worry because defender's standard practices really aren't set up to detect and deal with that kind of behaviour. They also discuss how cyber incidents in the US and UK amongst providers of key real estate services are disrupting house sales.

Risky Biz News: Ransomware cripples hospitals in six US states

Catalin Cimpanu — Wed, 29 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #728 -- The Citrixbleed ransomware disaster

Patrick Gray — Wed, 29 Nov 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * The Citrixbleed ransomware crisis * Why the FBI hasn't arrested Scattered Spider members * DPRK is in your supply chains * Microsoft has a brainwave and buys a HSM * When civil war meets pig butchering * Much, much more This week's show is brought to you by Airlock Digital. David Cottingham and Daniel Schell are this week's sponsor guests. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The evolution of Russian electricity attacks

Tom Uren — Tue, 28 Nov 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the latest Russian cyber attacks on the Ukrainian energy grid.

Risky Biz News: Chipmaker NXT hacked by Chinese APT group

Catalin Cimpanu — Mon, 27 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Death by a thousand cuts

Tom Uren — Thu, 23 Nov 2023 00:00:00 +1100

NOTE: We have removed this podcast audio from our feed due to a legal action against the Reuters article on which this discussion is based. In this podcast Adam Boileau and Tom Uren talk the rise of the Indian hack-for-hire industry. It doesn't get the same attention that high-profile iPhone 'zero-click' hacking does, but its a global scourge that undermines legal processes. They also discuss the AlphV ransomware group reporting a company to the SEC for not disclosing a breach that it caused.

Risky Biz News: Fastly to block domain fronting in 2024

Catalin Cimpanu — Thu, 23 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Tor Project removes 1k relays linked to cryptocurrency scheme

Catalin Cimpanu — Wed, 22 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: How marketing has changed the cyber security landscape

Tom Uren — Tue, 21 Nov 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how being more open about cyber security threats is great for marketing and has also forced cyber security companies to pick sides and make value judgements.

Risky Biz News: DIALStranger vulnerabilities disclosed after four years

Catalin Cimpanu — Mon, 20 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: FCC adopts SIM-swapping and port-out protections

Catalin Cimpanu — Fri, 17 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Why o365 and Google Workspace are a security liability

Patrick Gray — Thu, 16 Nov 2023 00:00:00 +1100

In this Soap Box podcast Patrick Gray talks to Material Security's CEO and co-founder Abhishek Agrawal about the security problems inherent to modern productivity suites. Does it make sense that threat actors can authenticate to o365 and Workspace accounts and clean them out entirely? Years of mail, years of files? Material Security has built a product that tackles this issue. It can lock up email archives behind MFA challenges, redact PII from inboxes, better control files share via Google Drive and OneDrive, and just generally limit the damage a threat actor can inflict when they compromise a cloud productivity account. Even if you're not interested in buying a product to tackle this, we think this one is a great listen.

Srsly Risky Biz: LockBit's disastrous success

Tom Uren — Thu, 16 Nov 2023 00:00:00 +1100

In this podcast Adam Boileau and Tom Uren talk about two very significant cyber incidents. In the first, LockBit attacked the US arm of China's biggest bank and the disruption left the bank owing USD$9bn at the end of the day. The other disrupted 40% of Australia's port traffic. They also examine the reasons why it makes sense for banks to do more regarding fraud.

Risky Biz News: Russia hacked 22 Danish critical infrastructure companies

Catalin Cimpanu — Wed, 15 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: The Rules of War in cyberspace

Tom Uren — Tue, 14 Nov 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about International Humanitarian Law aka the Rules of War in cyberspace. These rules don't really make sense in cyberspace, but despite that we think talking about them (and other norms of behaviour) is still worthwhile

Risky Biz News: Malay officials take down BulletProftLink

Catalin Cimpanu — Mon, 13 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Clop is coming for your SysAid servers

Catalin Cimpanu — Fri, 10 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Microsoft's Future Security Initiative disappoints

Tom Uren — Thu, 09 Nov 2023 00:00:00 +1100

In this podcast Adam Boileau and Tom Uren talk about Microsoft's Secure Future Initiative. It's been likened to the company's 2002 Trustworthy Computing initiative, but compared to that it is a massive disappointment. They also discuss how the European-wide police operation against EncroChat unravelled when a UK intelligence analyst warned her friends with criminal links that the service had been compromised.

Risky Biz News: Microsoft makes MFA mandatory for cloud admin portals

Catalin Cimpanu — Wed, 08 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: The Morris Worm

Tom Uren — Tue, 07 Nov 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the internet-melting 1988 Morris Worm and how cyber security has changed since then.

Risky Biz News: US sanctions Russian woman for laundering Ryuk gang money

Catalin Cimpanu — Mon, 06 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft goes through a second Trustworthy Computing moment

Catalin Cimpanu — Fri, 03 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: When good cyber security leads to violence

Tom Uren — Thu, 02 Nov 2023 00:00:00 +1100

In this podcast host Adam Boileau and Tom Uren talk about the confluence of hacking and real-world violence. They also discuss the SEC's decision to charge SolarWinds and its CISO for not being transparent enough about SolarWinds' real cybersecurity risks. Unfortunately, almost all companies have cyber security problems but disclose them only in very generic ways.

Risky Biz News: SEC charges SolarWinds and its CISO

Catalin Cimpanu — Wed, 01 Nov 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #727 -- Mr Gray goes to Washington

Patrick Gray — Wed, 01 Nov 2023 00:00:00 +1100

On this week’s show Patrick Gray talks through the news with Chris Krebs and Dmitri Alperovitch. They discuss: * The SEC enforcement action against Solarwinds' CISO * The White House AI Executive Order * CitrixBleed exploitation goes wide * How Kaspersky captured some (likely) Five Eyes iOS 0day * Elon Musk's Gaza Strip adventures * Much, much more This week's show is brought to you by Greynoise. Andrew Morris, Greynoise's founder and CEO, is this week's sponsor guest. He talks about how Greynoise is using large language models to help them analyse massive quantities of malicious internet traffic.

Between Two Nerds: What is really at stake with cyber security

Tom Uren — Tue, 31 Oct 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss what is really at stake when it comes to cyber security.

Risky Biz Soap Box: Stairwell will offer platform to researchers

Patrick Gray — Mon, 30 Oct 2023 00:00:00 +1100

In this edition of the Soap Box we hear from Mike Wiacek and Eric Foster from Stairwell. Stairwell makes a product that collects and analyses every executable file in your environment. You deploy file collectors to your systems and they forward all new files to Stairwell for manual and automated analysis. You can do a lot of really cool analysis once you have all that stuff in the same place. But as you'll hear, Stairwell is broadening out the use cases for its platform. You don't want to forward files from every system? You don't have to. It's still very useful as an analysis platform. It's sort of like VirusTotal, but private and with a bunch more bells and whistles. There's also a bunch of sharing tools in the platform, which gives it a "social network for CTI nerds" flavour.

Risky Biz News: Ransomware gangs pounce on CitrixBleed vulnerability

Catalin Cimpanu — Mon, 30 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: First Kazakhstan-based APT discovered, tries to disguise itself as Azerbaijan

Catalin Cimpanu — Fri, 27 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Ransomware's soft underbelly

Tom Uren — Thu, 26 Oct 2023 00:00:00 +1100

In this podcast guest host Adam Boileau and Tom Uren talk about the recent Ukrainian hacktivist group's hack and burn attack on a ransomware gang. This makes us think there are definitely opportunities for Western cyber outfits. They also discuss why companies should think about human rights when they make contingency plans for crises like war.

Risky Biz News: 1Password joins the list of Okta victims

Catalin Cimpanu — Wed, 25 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #726 -- Okta owned while Cisco takes a massive L

Patrick Gray — Wed, 25 Oct 2023 00:00:00 +1100

On this week’s show Patrick Gray talks through the news with Dmitri Alperovitch, NSA Cybersecurity director Rob Joyce and NSA CCC director Morgan Adamski. They discuss: * The Okta breach * 40-50k feral Ciscos * Why the http/2 protocol flaw is a real headache * The Ragnar Locker takedown * What the NSA CCC has been thinking about This week's show is brought to you by Socket. Socket's founder Feross Aboukhadijeh joins us this week to talk about their actually-not-crazy use of large language models in their product.

The Between Two Nerds Halloween Special

Tom Uren — Tue, 24 Oct 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss "spooky effects" aka when agencies play silly buggers with target computers.

Risky Biz News: Cisco IOS XE hackers hide their tracks as patches come out

Catalin Cimpanu — Mon, 23 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Two ransomware gang websites go puff!

Catalin Cimpanu — Fri, 20 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz: CISA to vendors — fix your products

Tom Uren — Thu, 19 Oct 2023 00:00:00 +1100

In this podcast guest host Patrick Gray and Tom Uren talk about a CISA and NSA advisory that lists the 10 most common network misconfigurations they. It's 101-level stuff and is particularly sobering because CISA and NSA don't look at run of the mill networks, they look at important ones. CISA thinks part of the problem is vendors that make insecure-by-default products. They also talk about a new Five Eyes security intelligence leader summit that warns of PRC intellectual property theft.

Risky Biz News: 30k+ Cisco devices compromised with IOS XE zero-day

Catalin Cimpanu — Wed, 18 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Israel warns citizens of security camera hack risk

Catalin Cimpanu — Mon, 16 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Effects operations during war and peace

Tom Uren — Mon, 16 Oct 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss how changing circumstances change the risk/reward balance and change whether effects operations are worthwhile.

Risky Biz Soap Box: Preventing MFA reset attacks

Patrick Gray — Fri, 13 Oct 2023 00:00:00 +1100

Patrick Gray speaks to Yubico's Jerrod Chong about how organisations can better verify the identities of users when performing MFA resets. In other words, how to not get MGM'd. He also talks about the chain-of-trust issues inherent to synchronisable passkey implementations.

Risky Biz News: Microsoft takes NTLM behind the shed

Catalin Cimpanu — Fri, 13 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The EU needs to grow a political spine on spyware

Tom Uren — Thu, 12 Oct 2023 00:00:00 +1100

In this podcast guest host Patrick Gray and Tom Uren talk about research that discovered that EU-based spyware was being used to target EU and US officials. Will that encourage EU governments to take action against spyware? They also discuss Belgian concerns that the PRC will take advantage of a Chinese logistics firm with a hub in Liège for espionage. Finally, they discuss whether hacktivists will follow International Humanitarian Law (IHL or the Rules of Law) rules about hactivism in wartime. Almost certainly not, but Tom still thinks its worth talking about and promoting responsible behaviour.

Risky Biz News: Microsoft kills VBScript

Catalin Cimpanu — Wed, 11 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #725 -- Microsoft knifes VBScript, passkeys the new default for Google accounts

Patrick Gray — Wed, 11 Oct 2023 00:00:00 +1100

On this week's show Patrick Gray and Lina Lau discuss the week's security news. They cover: * Microsoft has killed VBScript * Google to make passkeys the new default sign-in method * MGM losses to exceed $100m * Clorox has a bad quarter * Why a bug in cURL could be really bad news * Much, much more This week's show is brought to you by KSOC. Jimmy Mesta, KSOC's co-founder and CTO, is this week's sponsor guest. He talks to us about how we can start applying real, actual IAM to Kubernetes environments.

Between Two Nerds: BEC and ransomware, a match made in hell

Tom Uren — Tue, 10 Oct 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq examine the opportunities that ransomware gangs and business email compromise/romance scammers have to collaborate.

Risky Biz News: Human-operated ransomware attacks double in a year

Catalin Cimpanu — Mon, 09 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Ransomware dwell times plummet

Catalin Cimpanu — Fri, 06 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: NSA wants to protect America's AI edge

Tom Uren — Thu, 05 Oct 2023 00:00:00 +1100

In this podcast Patrick Gray and Tom Uren talk about the NSA's creation of a new AI Security Center. One of it's roles is to help protect AI intellectual property and so maintain the US's AI advantage. They also look at a new Mandiant report that looks at vulnerabilities that are exploited in the wild. This research finds a shift away from the top three vendors (Microsoft, Apple and Google) and there are rich pickings for threat actors at the network edge.

Risky Business #724 -- Exploitation moves away from Microsoft, Google and Apple products

Catalin Cimpanu — Wed, 04 Oct 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Ransomware crews target WS_FTP and Jetbrains servers * Global energy supply shapes up as big target * The Dossier Center drops another banger * Indian nationalists DDoS Canadian targets * A look at the Exim drama * Much, much more This week's show is brought to you by Kroll Cyber. George Glass is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: Ransomware gangs hit TeamCity and WS_FTP servers

Catalin Cimpanu — Wed, 04 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Between Two Nerds: Have offensive cyber operations against ransomware groups failed?

Tom Uren — Tue, 03 Oct 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq examine whether offensive cyber operations against ransomware groups have succeeded or failed. And how would we even know?

Risky Biz News: Critical Exim bugs remains unpatched

Catalin Cimpanu — Mon, 02 Oct 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz Sponsor Interview: The e-crime ecosystem is changing

Tom Uren — Sun, 01 Oct 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren talks to Selena Larson, Senior Threat Intelligence Analyst at Proofpoint, about the state of play in the cybercrime ecosystem. People and organisations are getting better at protecting themselves from scams and compromises, but criminals will use every possible avenue to reach people and scam them.

Risky Biz News: More in-the-wild 0day for Firefox, Chrome

Catalin Cimpanu — Fri, 29 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The cyber-yoofs must be stopped!

Tom Uren — Thu, 28 Sep 2023 00:00:00 +1000

In this edition of Seriously Risky Business Patrick Gray and Tom Uren talk about the possibility of diverting youths from a life of serious cybercrime. It'll be tough. They also talk about a Ukrainian government report into changes in Russian cyber activity.

Risky Business #723 -- MGM and Caesars: Western youths are working with ransomware gangs

Patrick Gray — Thu, 28 Sep 2023 00:00:00 +1000

On this week's show Patrick Gray and Dmitri Alperovitch discuss the week's security news. They cover: * How western youths are working with Russian ransomware crews * Russia has changed its targeting in Ukraine * A massive breach of historical Russian flight information is god's gift to OSINT orgs * Cisco buys Splunk for $28bn * Much, much more This week's show is brought to you by Panther. Its field CISO Ken Westin is this week's sponsor guest. Links to everything that we discussed are below.

Risky Biz News: CISA publishes HBOM framework

Catalin Cimpanu — Wed, 27 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: China admits NSA hacked Huawei

Catalin Cimpanu — Mon, 25 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Between Two Nerds: Why the UK and US Cyber Strategies are Mirror Images

Tom Uren — Mon, 25 Sep 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine how US and UK strategies to use cyber power differ but are in some ways mirror images of each other.

Snake Oilers: Sublime Security, VulnCheck and Devicie

Patrick Gray — Fri, 22 Sep 2023 00:00:00 +1000

In this edition of Snake Oilers you'll hear product pitches from: * Sublime Security: e-mail security for people who want to tune their detections * VulnCheck: Provides vulnerability intelligence to governments, large enterprises and vendors * Devicie: Manage your devices with Intune without pulling your hair out

Risky Business #722 -- Microsoft embraces Zero Trust... Authentication?

Patrick Gray — Wed, 20 Sep 2023 00:00:00 +1000

On this week's show Patrick Gray, Adam Boileau and Lina Lau discuss the week's security news. They cover: * Microsoft's 38TB oopsie * MGM's Okta compromised, was this what Okta was warning us about? * Why we need a cyber knife fight * Google Authenticator sync abused in the wild * Much, much more This week's show is brought to you by Push Security. Co-founder Adam Bateman is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: North Korea steals $54 million from CoinEx

Catalin Cimpanu — Fri, 15 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Microsoft's security culture sucks

Tom Uren — Thu, 14 Sep 2023 00:00:00 +1000

In this edition of Seriously Risky Biz guest host Adam Boileau talks with Tom Uren about what Microsoft's recent breach by a Chinese-based threat actor tells us about the company's security culture. There were several serious governance failures that allowed this incident to happen. They also look at a new UK government effort to reassure companies that they won't be punished (as much) for seeking help from the NCSC.

Risky Biz News: Won't someone think of the... casinos?!

Catalin Cimpanu — Wed, 13 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #721 -- Why Storm-0558's Microsoft hack should have failed

Patrick Gray — Wed, 13 Sep 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * How Storm-0558 stole Microsoft's signing key * Cisco 0day being used by ransomware crews * We were right about Elon stumbling into the Ukraine war * Someone's amazing image library 0day just got crushed * Much, much more! This week's show is brought to you by Nucleus Security. Co-founder Scott Kuffer is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: How AI can turbocharge cyber scams

Tom Uren — Tue, 12 Sep 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine how AI can help cyber criminals and scammers.

Risky Biz News: Ransomware gangs using Cisco 0day

Catalin Cimpanu — Mon, 11 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Snake Oilers: ConductorOne, Bloodhound Enterprise and Zero Networks

Patrick Gray — Fri, 08 Sep 2023 00:00:00 +1000

In this edition of Snake Oilers you'll hear product pitches from: * ConductorOne: PAM, account cycle management and access auditing for cloud and SaaS accounts * Bloodhound Enterprise: Enumerate attack paths in your environment and shut them down * Zero Networks: Agentless: heavily automated microsegmentation and a VPN product that won't get you insta-owned

Risky Biz News: Microsoft explains how it lost its signing key

Catalin Cimpanu — Fri, 08 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why "pig butchering" is even worse than you think

Tom Uren — Thu, 07 Sep 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about a new UN report that says that hundreds of thousands of innocent people are being forced into working in online crypto and romance scams. They also look at new age verification laws that aim to make it more difficult for children to see pornography. It's a complex topic, but Australia's eSafety office has done excellent work on it.

Risky Biz News: China cracks down on Southeast Asian scam call centers

Catalin Cimpanu — Wed, 06 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #720 -- How cloud identity provider federation features can get you mega-owned

Patrick Gray — Wed, 06 Sep 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Why everyone should pay attention to some recent attacks on Okta customers * Why third party comms apps are risky af * Why are Russian espionage opps using Tor for C2? * Surveillance firms abuse Fiji Telco Digicel's SS7 access * Much, much more! This week's show is brought to you by Gigamon. Mark Jow, Gigamon's EMEA Technical Director is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: When states are at the mercy of tech company policy

Tom Uren — Tue, 05 Sep 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at how companies often make unilateral decisions that constrain states' behaviour, for better and worse.

Risky Biz Sponsor Interview: Why Island raised over $250m to build an enterprise browser

Tom Uren — Mon, 04 Sep 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren talks to Mike Fey, CEO and co-founder of Island about the idea of an 'enterprise browser'. Tom and Mike discuss what an enterprise browser actually is, what problems it solves, and why browsers focussed on business requirements haven't been a product category until now.

Risky Biz News: Okta Super Administrator accounts targeted

Catalin Cimpanu — Mon, 04 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Chinese APT sneaks trojaned Signal app into Play Store

Catalin Cimpanu — Fri, 01 Sep 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The UK snoopers' charter won't stop security patches

Tom Uren — Thu, 31 Aug 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren about proposed changes to the UK's Investigatory Powers Act. Some pundits are saying the changes will clear the way for the government to prevent tech companies from rolling out security patches. They're wrong. They also look at a new Mandiant report that dives deeper into a recent Chinese group's campaign that compromised Barracuda Email Security Gateways. The report provides a wonderful overview of the campaign.

Risky Biz News: FBI nukes Qakbot botnet

Catalin Cimpanu — Wed, 30 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #719 -- FBI vapes 700,000 Qakbot infections

Patrick Gray — Wed, 30 Aug 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * The FBI takes down Qakbot, steals operators' bitcoins ha ha * Danish hosting provider completely destroyed in ransomware attack * Sophisticated Russian cyber attack on Polish trains. Well. Not really. * Microsoft revokes cert then revokes its revocation * Much, much more! This week's show is brought to you by Proofpoint. Ryan Kalember, Proofpoint's EVP of cybersecurity strategy Ryan Kalember is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Know thyself

Tom Uren — Tue, 29 Aug 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at how asset inventory tools aren't a substitute for knowing what a business values.

Risky Biz News: Kroll SIM-swapped in attack targeting crypto platforms

Catalin Cimpanu — Mon, 28 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why did Russia deploy hackers to war zones?

Tom Uren — Fri, 25 Aug 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about how Ukraine has countered Russia's cyber operations. They also look at various initiatives the US government is taking to secure open source software and ask whether it is getting serious about FOSS.

Risky Biz News: WinRAR zero-day used to hack stock and crypto traders

Catalin Cimpanu — Fri, 25 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: South Korea investigates Chinese "spy chips"

Catalin Cimpanu — Wed, 23 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #718 -- Chaos and carnage, business as usual

Patrick Gray — Wed, 23 Aug 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: (NOTE: This podcast was initially pushed out into the Risky Business News podcast feed in error. Sorry about that!) * US Government warnings to private space sector on cyber risk * Ukrainian hackers dump the inbox of Russian Duma deputy chair * Absentee voting in Ecuador's election disrupted by DDoS attack * South Korea warns of Chinese "spy chips" * Much, much more! This week's show is brought to you by Airlock Digital. Its co-founders Daniel Schell and David Cottingham join this week's show to talk about Powershell Constrained Language mode. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Hacking CCTV cameras for fun and profit

Tom Uren — Tue, 22 Aug 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq examine the history of CCTV hacking and what different groups they get out of these hacks.

Feature Interview: How Sandworm prepared Ukraine for a cyber war

Patrick Gray — Mon, 21 Aug 2023 00:00:00 +1000

In this joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch talk to Illia Vitiuk, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about the cyber dimension to Russia's invasion. From turning off Ukraine's power grid with a cyber attack in 2015 to the Viasat hack in 2022, Russia's intelligence services are world renowned for executing creative destructive cyber campaigns. Despite this, after a year and a half of Russia waging war on Ukraine its power grid is up, its telcos are functioning and its banks are still processing transactions. How has Ukraine been able to withstand Russia's onslaught in the cyber domain? Vitiuk joins us to reveal insights into how Russian intelligence services are operating in Ukraine, and how the SBU is countering them.

Risky Biz Sponsor Interview: Using AI to do security research

Tom Uren — Mon, 21 Aug 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren talks to Dan Guido, CEO of Trail of Bits, about AI. Dan thinks AI technologies will be a "game changer". But he also thinks the conversation around AI is not very sophisticated just yet.

Risky Biz News: Foreign intelligence services are targeting the US space sector

Catalin Cimpanu — Mon, 21 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: PowerShell's official package repo is a supply chain mess

Catalin Cimpanu — Fri, 18 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Lockbit is posting fictitious leaks, is close to implosion

Catalin Cimpanu — Wed, 16 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #717 -- The kids are okay. At ripping your face off.

Patrick Gray — Wed, 16 Aug 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * More victims identified in Chinese breach of Microsoft email accounts * Cyber Safety Review Board to investigate Microsoft * We got some stuff wrong last week * More details on Viasat hack revealed * Special guest Heather Adkins talks about the CSRB's Lapsus$ report * Much, much more This week's show is brought to you by RunZero. Its co-founder HD Moore is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The juice jacking mass delusion

Tom Uren — Tue, 15 Aug 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at why 'juice jacking' is a forever fear even though its not a real-world threat.

Risky Biz Sponsor Interview with Jacob Torrey of Thinkst Labs

Tom Uren — Mon, 14 Aug 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren talks to Jacob Torrey, Thinkst's Head of Labs. Jacob produces ThinkstScapes, a brilliant quarterly summary of the most interesting security research from around the world. In this interview Jacob talks about his favourite research of this issue, why Thinkst invests the time and effort in producing ThinkstScapes and also talks about Thinkst Citation, a companion product that contains information about nearly 70,000 security talks going all the way back to 1993.

Risky Biz News: CSRB to investigate Microsoft hack

Catalin Cimpanu — Mon, 14 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Russia blocks OpenVPN and WireGuard VPN protocols

Catalin Cimpanu — Fri, 11 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why Russia's Plan to Hide Spy Data Will Fail

Tom Uren — Thu, 10 Aug 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about how the Russian government is planning to alter databases to hide their spies from open source investigations. It's a nice try, but we don't think it will work. They also look at contrasting stories that illustrate how law enforcement agencies can facial recognition technology responsibly, but can also royally screw things up.

Risky Business #716 -- This ain't your grandma's cloud

Patrick Gray — Wed, 09 Aug 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Tenable gives Microsoft a spray over Azure bug fix delay, quality * Lateral movement fun via Azure Active Directory Cross-Tenant Synchronization * Ransomware targets hospitals, special needs schools * Japan's cybersecurity has some catching up to do * Much, much more This week's show is brought to you by Corelight. Brian Dye, Corelight's CEO, is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: Sandworm hackers target Ukraine's military systems

Catalin Cimpanu — Wed, 09 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Between Two Nerds: China's Changing Cyber Espionage Playbook

Tom Uren — Tue, 08 Aug 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq ask whether Chinese operations are becoming stealthier and why? Is it a top-down directive to be careful? Or do the operations themselves require more stealth?

Risky Biz News: Ransomware attack cripples hospitals across five US states

Catalin Cimpanu — Mon, 07 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft botches Azure bug fix

Catalin Cimpanu — Fri, 04 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: On Microsoft, Wyden's Bark May Have Some Bite

Tom Uren — Thu, 03 Aug 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about how Microsoft's lackadaisical cloud product security is attracting the ire of important politicians. They also examine a presidential advisory board report into Section 702 collection and discuss why oversight in intelligence collection is important.

Risky Biz News: "American" cloud provider is allegedly an Iranian bulletproof host

Catalin Cimpanu — Wed, 02 Aug 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Business #715 -- Pressure mounts on Microsoft to explain itself

Patrick Gray — Wed, 02 Aug 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Ron Wyden's "please explain" letter to Microsoft * Chinese APT crews prepositioning to disrupt US military logistics * China claims US hacked its seismology sensors * Ivanti/MobileIron exploitation going vertical * Much, much more This week's show is brought to you by Stairwell. Mike Wiacek, Stairwell's founder and CEO, is this week's sponsor guest. He's joined by Eric Foster, Stairwell's VP of Business Development. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The Rights and Wrongs of IP Theft

Tom Uren — Tue, 01 Aug 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the arguments against intellectual property theft and why there isn't universal agreement that it should be prohibited.

Risky Biz News: Calls to investigate Microsoft over SolarWinds, Storm-0558

Catalin Cimpanu — Mon, 31 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: SEC adopts new cybersecurity rules

Catalin Cimpanu — Fri, 28 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Feature interview: Australia's Cyber Security Minister Clare O'Neil

Patrick Gray — Thu, 27 Jul 2023 00:00:00 +1000

In this interview Patrick Gray speaks to Australia's Home Affairs and Cyber Security Minister Clare O'Neil and NCSC founding director Ciaran Martin about the government's upcoming cybersecurity strategy, releasing the hounds and more.

Srsly Risky Biz: In Beijing, the Fourth Amendment is Still For Sale

Tom Uren — Thu, 27 Jul 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about draft US legislation that aims to stop law enforcement from circumventing the Fourth Amendment by simply buying data on US citizens. It's a good move, but the overall data ecosystem needs broader reform. They also discuss new reports into the ransomware ecosystem. There is both good news and bad news, but data gaps still make it difficult for policymakers to have a good handle on how to respond.

Risky Biz News: Norwegian government hacked with MobileIron zero-day

Catalin Cimpanu — Wed, 26 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #714 -- Microsoft vs Wiz: pistols at dawn

Patrick Gray — Wed, 26 Jul 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * The dust-up between Microsoft and Wiz * MobileIron/Ivanti 0day hoses Norwegian government agencies * That'll do TETRA, that'll do... * Microsoft finally agrees to offer decent logging without price gouging * Much, much more This week's show is brought to you by Resoucely. Travis McPeak, Resourcely's co-founder and CEO, is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: When iPhones aren't good enough

Tom Uren — Tue, 25 Jul 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at when it makes sense for governments to invest in building their own secure phone

Risky Biz News: Ransomware victims stop paying up

Catalin Cimpanu — Sun, 23 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: BEC actors embrace LLMs to attack Japan

Patrick Gray — Fri, 21 Jul 2023 00:00:00 +1000

This Soap Box edition of the podcast is sponsored by Proofpoint. Proofpoint offers email security and DLP products and services, and they're probably best known for being the biggest email security company on the planet. That means they process a LOT of emails in the hopes of throttling the number of malicious emails that organisations have to deal with, whether that's malware, phishing or BEC. So, with that in mind, what role could large language models play in email security? Now that the initial ChatGPT hype has died off a little, we spoke with Proofpoint's VP of cybersecurity strategy Ryan Kalember about large language models and how they're going to help defenders and attackers alike.

Risky Biz News: Microsoft capitulates on cloud security logs

Catalin Cimpanu — Fri, 21 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Time for Cloud Transparency

Tom Uren — Thu, 20 Jul 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about recent breaches of JumpCloud and Microsoft cloud services. It's great they disclosed these incidents voluntarily, but cloud companies are so important that detailed postmortems shouldn't be voluntary. They also discuss the Biden administration's cyber security strategy implementation plan and the opportunity to collect email destined for the US military by typo-squatting on the '.ml' domain.

Risky Biz News: A Citrix 0day RCE is being actively exploited

Catalin Cimpanu — Wed, 19 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #713 -- Microsoft activates PR weasels after State Department hack

Patrick Gray — Wed, 19 Jul 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Microsoft's weasel-word response to the State Department email hack * JumpCloud got owned, maybe by DPRK * Citrix 0day is getting stuff rekt * Two more spyware firms sanctioned by USA * Scammers list fake phone numbers for major airlines on Google Maps * Much, much more This week's show is brought to you by security focussed enterprise browser maker Island. Dan Amiga, Island's CTO and co-founder, is this week's sponsor guest. He talks about why widespread enterprise browser deployment is inevitable. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Shaping ransomware group behaviour

Tom Uren — Tue, 18 Jul 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the idea of actively shaping ransomware group behaviour to get the type of behaviour we'd prefer.

Risky Biz News: JumpCloud compromised by APT group

Catalin Cimpanu — Mon, 17 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft likely compromised in US Government hack

Catalin Cimpanu — Fri, 14 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast here.

Srsly Risky Biz: WeChat's Privacy Policy Is Useless

Tom Uren — Thu, 13 Jul 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about Citizen Lab's analysis of WeChat's behaviour and its privacy policy. That report misses the point: WeChat is an integral part of the PRC's architecture of censorship and repression, and the Chinese government isn't constrained by WeChat's privacy policy. They also discuss a new report that proposes a human-centred framework for assessing client-side Child Sexual Abuse Material (CSAM) detection technologies. It's a step forward because it makes clearer the tradeoffs that are being made when these technologies are suggested.

Risky Biz News: Microsoft nukes 100 malicious drivers

Catalin Cimpanu — Wed, 12 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #712 -- The 336,000 undead Fortigates of DOOM

Patrick Gray — Wed, 12 Jul 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * The SEC is targeting SolarWinds executives * UK to make banks liable for fraud * NSA issues advice on UEFI trojan * Microsoft blocks 100+ dodgy drivers * The US IC knew what Prihozhin was up to. But what FSB doing? * Much, much more This week's show is brought to you by Netwrix. Martin Cannard, Netwrix's VP of Product Strategy, is this week's sponsor guest. He talks about why zero standing privilege is a worthy goal. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz Sponsor Interview with Scott Hanson from Kroll on Detection-as-Code

Catalin Cimpanu — Mon, 10 Jul 2023 00:00:00 +1000

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Scott Hanson, Head of Global Security Operations at Kroll, on how the company has adopted Detection-as-Code for its approach to writing, managing, and rolling out detection rules for its customers.

Risky Biz News: Mastodon plugs a horror-show bug

Catalin Cimpanu — Mon, 10 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Ransomware cripples Japan's largest cargo port

Catalin Cimpanu — Fri, 07 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The Russia vs US Extradition Tug of War

Tom Uren — Thu, 06 Jul 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about the regular extradition battles that occur between the US and Russia whenever a Russian cybercriminal is arrested in a third country. It's less about protecting cybercriminals and more about Russia trying to poke the USA in the eye. They also discuss recent Ukrainian hacktivist operations that have been extremely successful, but also don't seem to have had any really meaningful impact.

Risky Biz News: $922 million worth of crypto stolen in H1 2023

Catalin Cimpanu — Tue, 04 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Should journalists be protected against spyware?

Tom Uren — Tue, 04 Jul 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the EU's proposed media freedom act and how one of its goals is to protect journalists from spyware.

Sponsor Interview: RunZero adds passive scanning for OT networks

Tom Uren — Mon, 03 Jul 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren talks to RunZero's CEO Chris Kirsch about how RunZero has evolved from an IT network active scanning product to one that can now discover assets on OT and cloud environments using both active and passive scanning approaches.

Risky Biz News: Prigozhin's troll farms in limbo after Wagner mutiny

Catalin Cimpanu — Mon, 03 Jul 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Philippine authorities free 2,700 "cybercrime slaves"

Catalin Cimpanu — Fri, 30 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The SEC Gets Personal

Tom Uren — Thu, 29 Jun 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about the US Securities Exchange Commission warning SolarWinds executives that it is planning to bring enforcement actions against them. This is a big deal and really signifies that the SEC wants companies to be much more open about cybersecurity incident disclosures. They also discuss the outcomes from a European law enforcement operation against the EncroChat 'crimephone'. It was an absolutely stunning success, but what does it mean for the future of the access debate?

Risky Biz News: LetMeSpy gets hacked

Catalin Cimpanu — Wed, 28 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Defeating Living of the Land

Patrick Gray — Mon, 26 Jun 2023 00:00:00 +1000

In this edition of the Soap Box podcast we're going to be talking about a great topic -- living off the land. The recent Volt Typhoon report out of Microsoft chronicled the adventures of a Chinese APT crew in US critical infrastructure. But one of the most fascinating aspects of the Volt Typhoon campaign was that the attackers almost exclusively used so-called living off the land techniques. So the question becomes -- what can you do about an attacker in your environment who has privilege and isn't using malware? Guests David Cottingham and Daniel Schell, the CEO and CTO of Airlock Digital, join the show to talk it through.

Risky Biz News: SEC moves on SolarWinds executives

Catalin Cimpanu — Mon, 26 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Apple patches "Triangulation" zero-days

Catalin Cimpanu — Fri, 23 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why China's Barracuda Hacks Are Just Plain Rude

Tom Uren — Thu, 22 Jun 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about the PRC's campaign compromising Barracuda Email Security Gateways. It doesn't quite break international "norms", but it is definitely on the nose. They also discuss Albania's police raid of an Iranian opposition refugee camp which is said to be hosting a hacking cell that targeted Iran's government.

Risky Biz News: Albania raids Iranian MEK camp for running a "hacker center"

Catalin Cimpanu — Wed, 21 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #711 -- Albanian authorities raid MEK camp over Iran hacks

Patrick Gray — Wed, 21 Jun 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Albanian authorities raid MEK over Iran hacks * Microsoft admits "Anonymous Sudan" took down its services * US Government puts $10m bounty on CL0P * A deeper look at the Barracuda hack campaign * Much, much more This week's show is brought to you by Material Security. We'll be hearing from one of Material's friends -- Courtney Healey, senior manager of insider threat at Coinbase -- in this week's sponsor interview. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Go Big or Go Home

Tom Uren — Tue, 20 Jun 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at three different state operations that have recently been outed and what these operations tell us about how these states are behaving.

Risky Biz News: Microsoft admits it got DDoSed by Anonymous Sudan

Catalin Cimpanu — Mon, 19 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Russian LockBit affiliate arrested in… the US?

Catalin Cimpanu — Fri, 16 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: IC Reform Wanted, Decent Privacy Laws Needed

Tom Uren — Thu, 15 Jun 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about a new report examining how the US intelligence communities uses data it buys. It finds that data you can buy now rivals or exceeds what intelligence agencies can collect, but the IC overall doesn't treat the data with the sensitivity and care that it deserves. Fixing IC policy is one thing, but that won't help at all with foreign adversaries or even local US law enforcement. US needs good data privacy law that cleans up the whole field. They also look at new research that examines how lawyers' incentives to protect clients mean that incident response is hamstrung when it comes to discovering root causes and learning lessons.

Risky Biz News: CISA orders federal agencies to secure internet-exposed routers, firewalls, and VPNs

Catalin Cimpanu — Wed, 14 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #710 -- Why your corporate VPN will get you owned

Patrick Gray — Wed, 14 Jun 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Fortinet 0day Groundhog Day * CISA's new binding directive on exposed management interfaces * Confirmed: US intelligence buying commercially available data * MOVEit drama rolls on * Much, much more This week's show is brought to you by Red Canary. Chris Rothe is this week's sponsor guest and he joins us to talk about how MDR providers are helping customers deal with cloud monitoring. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The Hallmarks of a State

Tom Uren — Tue, 13 Jun 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the elements that make them think an operation is state-backed.

Risky Biz News: Ukrainian hackers wipe Russian telco's equipment

Catalin Cimpanu — Mon, 12 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Throw your Barracudas into a wood chipper plz

Catalin Cimpanu — Fri, 09 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: ASD's Charm Offensive

Tom Uren — Thu, 08 Jun 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren talk about why China and Russia are increasingly outing US cyber espionage operations and what they hope to get out of it. They also discuss a new documentary that reveals more information about some of ASD's offensive cyber operations and and also looks at how the organisation helped track down the Bali bombers.

Risky Biz News: Clop linked to MOVEit hacks, over 100 orgs breached so far

Catalin Cimpanu — Wed, 07 Jun 2023 00:00:00 +1000

Risky Business #709 -- Cl0p goes berserk with MOVEit 0day

Patrick Gray — Wed, 07 Jun 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Russia's FSB uncovers "NSA malware" on iPhones * Cl0p mass harvests data from MOVEit file transfer servers * ASD discloses a bunch of operations against ISIS, criminals * Why China's prepositioning is probably… prepositioning * Much, much more This week's show is brought to you by Thinkst Canary. Marco Slaviero is this week's sponsor guest and he joins us to talk about indirect LLM prompt injection and the latest Canary release. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: What it takes to be a Cyber Power II

Tom Uren — Tue, 06 Jun 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at how different cyber powers leverage companies through coercive power, regulation and the attraction of values.

Risky Biz News: Windows finally gets SMB signing by default

Catalin Cimpanu — Mon, 05 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Yo Vladimir! All your iPhones are belong to us!

Catalin Cimpanu — Fri, 02 Jun 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Why Volt Typhoon is so worrying

Patrick Gray — Thu, 01 Jun 2023 10:00:00 +1000

In this edition of Seriously Risky Business Tom Uren and Patrick Gray talk about the recent Volt Typhoon report and why we need to take the IC's assessment of China's intent seriously. They also talk about NSO Group's restructure and the way its competitor, Paragon, managed to avoid similar problems.

Risky Biz News: Iranian hacktivists breach president's office, leak sensitive files

Catalin Cimpanu — Wed, 31 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #708 – China's lolbin-powered adventures in US critical infrastructure

Patrick Gray — Wed, 31 May 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * China's lolbin-powered intrusions into critical infrastructure * Trend Micro backs BlackBerry's Cuba call * Anonymous Sudan shakes down Scandanavian Airlines * Iranian opposition party MEK publishes gargantuan leak * Much, much more This week's show is brought to you by Kubernetes security company KSOC. Jimmy Mesta is this week's sponsor guest and he joins us to talk about the big security challenges in Kubernetes. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Hiding from the State

Tom Uren — Tue, 30 May 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at how criminals -- and spies -- try to protect themselves from state adversaries.

Risky Biz News: NSO Group has new owners

Catalin Cimpanu — Mon, 29 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz Soap Box: Why your EDR won't save you

Patrick Gray — Fri, 26 May 2023 00:00:00 +1000

In this Soap Box podcast Patrick Gray talks to George Glass, the threat intelligence operations leader in the Cyber Risk practice at Kroll. They talk about all sorts of things, like: * How the ransomware ecosystem is evolving into "ma and pa" operations * Some killer detections they've figured out * What separates the good networks from the bad ones * Why EDR is of limited value if you're not actually monitoring it * Why not letting MDRs do the R part of their job is really, really, really dumb

Risky Biz News: Chinese APT attacks US critical infrastructure

Catalin Cimpanu — Fri, 26 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Kaitlyn Sawrey. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: G-Men Gone Wild

Tom Uren — Thu, 25 May 2023 00:00:00 +1000

In this podcast Patrick Gray talks to Tom Uren about the FBI's overenthusiastic use of foreign intelligence data collected with the Foreign Intelligence Surveillance Act's Section 702 powers.

Risky Biz News: FinFisher execs charged in Germany

Catalin Cimpanu — Wed, 24 May 2023 00:00:00 +1000

Risky Business #707 -- Inside China's information lockdown with Chris Krebs

Patrick Gray — Wed, 24 May 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Germans charge FinFisher executives * The got FBI busted misusing 702 data * Special guest Chris Krebs talks China * New research breaks Android fingerprint auth * Much, much more This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he joins us to talk about the work Trail of Bits is doing in securing AI systems, and making them safe. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Cyber Pinch Points

Tom Uren — Tue, 23 May 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at the concept of cyber "pinch points", a place of vulnerability that can be targeted to bring an opponent to their knees. These points of vulnerability must surely but Tom and The Grugq wonder how easy they are to identify beforehand.

Risky Biz News: China bans American chips, FBI feels heat over "improper" FISA searches

Catalin Cimpanu — Mon, 22 May 2023 00:00:00 +1000

Risky Biz Sponsor Interview: Haroon Meer on the importance of honeypots

Tom Uren — Sun, 21 May 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren asks Thinkst Canary's Haroon Meer about Mandiant CEO Kevin Mandia's seven tips for cyber defenders. Honeypots appear at position number three, but Tom wonders what they actually achieve and how mature your security program needs to be before they it can take advantage of them.

Risky Biz News: Google will delete inactive accounts

Catalin Cimpanu — Fri, 19 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Crimephones are a cop's best friend

Tom Uren — Thu, 18 May 2023 00:00:00 +1000

In this edition of the Seriously Risky Biz podcast Patrick Gray and Tom Uren talk about the trajectory of crimephones from criminals' best friend to greatest liability. These devices were bad for police at the beginning, but they've become a net positive for law enforcement efforts, leading to hundreds of arrests, tonnes of seized drugs and deeper insight into criminal operations.

Risky Biz News: US charges, sanctions WazaWaka

Catalin Cimpanu — Wed, 17 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #706 -- Why BlackBerry thinks Cuba ransomware is a Russian front

Patrick Gray — Wed, 17 May 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Wazawaka charged, sanctioned * PlugwalkJoe extradited, pleads guilty * BlackBerry thinks Cuba ransomware is a front for Russian intelligence * Anonymous Sudan pops up in Israel * Microsoft's Outlook patch fail * Much, much more This week's show is brought to you by Bloodhound Enterprise. Andy Robbins is this week's sponsor guest. He talks about how graph theory could help us to uncover more lolbins. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The Culture of the Snake

Tom Uren — Tue, 16 May 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at last week's Snake malware joint cybersecurity advisory and dive into what it tells us about the FSB.

Selena Larson on how cybercriminals use threat intelligence

Tom Uren — Mon, 15 May 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren asks Proofpoint's Selena Larson about how threat actors reacted en masse after Microsoft blocked various types of macros. Cyber criminals used a variety of different techniques to evade these blocks. In part this happened quickly because of knowledge sharing by the cyber threat intelligence community.

Risky Biz News: The VMProtect source code leaks. Again.

Catalin Cimpanu — Mon, 15 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird.

Risky Biz News: Gmail to warn users on dark web password exposures

Catalin Cimpanu — Fri, 12 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: FBI takes down Turla's Snake malware

Catalin Cimpanu — Wed, 10 May 2023 00:00:00 +1000

Risky Business #705 -- USA's Turla takedown marks a shift in tactics

Patrick Gray — Wed, 10 May 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Joe Sullivan's sentencing * MSI key material leak * Merck to be paid in NotPetya claim * The FBI takes down Turla's Snake malware operation * Much, much more This week's show is brought to you by Gigamon. Chaim Mazal, Gigamon's CSO, is this week's sponsor guest. He's talking about how the company's gear is acting as a data source for network security products.

Between Two Nerds: Why cyber insurance is great in theory but not in practice

Tom Uren — Tue, 09 May 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq look at how cyber insurance should theoretically improve security and examine what actually happens in practice.

Risky Biz News: DEFCON attendees will target AI models

Catalin Cimpanu — Mon, 08 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Sponsor Interview with Material Security's Chris Long

Tom Uren — Sun, 07 May 2023 00:00:00 +1000

In this Risky Business News sponsor interview Tom Uren asks Material Security's Director of Security Chris Long about what ittakes to run a "modern" phishing workflow. Chris thinks there are opportunities to take identify and take advantage of "phishing superusers", employees who are a cut above when it comes to uncovering phishing and other malicious activities. Phishing is also the "point of the spear" for defenders — it provides an entry point into attacker activities that enable all sorts of potential detection opportunities.

Risky Biz News: No jail time for Uber's Joe Sullivan

Catalin Cimpanu — Fri, 05 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Snake Oilers: Resourcely, Panther and Island

Patrick Gray — Thu, 04 May 2023 00:00:00 +1000

In this edition of Snake Oilers: * Travis McPeak pitches Resourcely's automagic Terraform cloud-provisioning technology * Ken Westin pitches Panther – a cloud-native SIEM developed by former practitioners * Brian Kenyon from Island talks about the company's enterprise browser Enjoy!

Srsly Risky Biz: Iran Fake’s It Till It Makes It

Tom Uren — Thu, 04 May 2023 00:00:00 +1000

In this podcast Patrick Gray and Tom Uren take a whirlwind tour examining the different ways countries conduct cyber-enabled influence operations. Iran, China and the UK all have different approaches and we have our favourite. China has a new counter-epsionage law and even though it hasn't been formerly passed yet already foreign companies are getting in trouble for doing due diligence or corporate intelligence type work. The real point here is to tighten information control, and the wording is so broad that it leaves tremendous scope for the PRC to use the law whenever it wants to send a message. Finally, the two discuss concrete examples of intelligence derived from Section 702 of the US FISA Act. 702 allows US intelligence agencies to compel service providers to help conduct targeted surveillance of foreigners outside the US and will expire at the end of the year unless Congress renews it.

Risky Biz News: Apple and Google partner to kill AirTag stalking

Catalin Cimpanu — Wed, 03 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #704 -- Why LLMs aren't an exploit bonanza

Patrick Gray — Wed, 03 May 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Rob Joyce weighs in on AI and offsec * Mysterious hacker doxes Russian intelligence agency bitcoin wallets * Wired deep dives on SolarWinds * AmeriCold food logistics giant suffers incident * Iranian authorities roll low-tech spyware * Much, much more This week's show is brought to you by Greynoise. Its founder and CEO Andrew Morris is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Cyber Deterrence part II

Tom Uren — Tue, 02 May 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq dive further into deterrence based on both reader feedback and recent news about Iranian destructive operations. One of the requirements for effective deterrence is transparency and people sometimes assume that states have good information about what their cyber operators are doing. But we discuss the universal incentives that encourage state actors to exaggerate their current operations. If this is happening deterrence won't work because leaders will think they are already getting away with murder.

Risky Biz News: Hacker exposes Bitcoin addresses operated by Russian intelligence

Catalin Cimpanu — Mon, 01 May 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Cl0p goes all-in on Papercut bug

Catalin Cimpanu — Fri, 28 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: North Korea's "Vibes-based" targeting

Tom Uren — Thu, 27 Apr 2023 00:00:00 +1000

In this podcast Patrick Gray talks to Tom Uren about North Korea's "double" or "threaded" supply chain attack via Trading Technologies and 3CX. This type of "access begets access" approach makes total sense and Tom thinks it will likely be a standard approach for North Korea. Microsoft has released a couple of reports over the month that indicate Iran is increasingly willing to launch destructive cyber attacks. One Iranian group, Mango Sandstorm, has been destroying on-prem and cloud environments. Another, Mint Sandstorm, has been targeting a wide swathe of US critical infrastructure. It's a worry. Finally, Tom and Pat discuss cyber security company Team Cyrmu's sale of netflow to US government agencies, which has been controversial in the press because of potential privacy violations. Tom spoke to the company and based on what we learnt there isn't a privacy concern here. But the broader principle that data purchases be examined for privacy risks still stands.

Risky Biz News: Google Authenticator can now sync data to Google accounts

Catalin Cimpanu — Wed, 26 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #703 -- Russia whines about its tech dependence on China

Patrick Gray — Wed, 26 Apr 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * The supply chain attack in the supply chain attack * Russia has a China dependency problem * Recent research into TLS resumption flaws * Google and Intel team up on hardware hacking * DHS will hack enterprise kit * Much, much more This week's show is brought to you by Corelight. Brian Dye, Corelight's CEO, is this week's sponsor guest. He's talking about the (actually sensible) ChatGPT-driven features Corelight has built into its NDR platform. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Cyber Deterrence

Tom Uren — Tue, 25 Apr 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss whether cyber operations are any good at deterrence. Tom thinks that attributes of the domain mean that it is just no good for deterrence. The Grugq, however, thinks that it can be, although perhaps not in a state vs state context.

Risky Biz News: CISA will rescue abandoned open source security tool

Catalin Cimpanu — Mon, 24 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: 3CX was a supply chain attack in a supply chain attack

Catalin Cimpanu — Fri, 21 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Snake Oilers: Socket, Teleport and Mandiant's Purple Team

Patrick Gray — Thu, 20 Apr 2023 00:00:00 +1000

Snake Oilers isn’t our regular weekly podcast, it’s a wholly sponsored series we do at Risky.Biz where vendors come on to the show to pitch their products to you, the Risky Business listener. To be clear – everyone you hear in one of these editions, paid to be here. We’ll hear from three vendors in this edition of Snake Oilers: * Socket.dev, a software supply chain product that currently deploys as a GitHub addon * Teleport, a company that makes a secure access gateway/single sign on product for engineers to securely access infrastructure * Mandiant joins us to pitch its Purple Team engagement product Enjoy!

Srsly Risky Biz: After Viasat, Space Systems Get Scrutiny

Tom Uren — Thu, 20 Apr 2023 00:00:00 +1000

In this podcast Patrick Gray talks to Tom Uren about a report by CSC 2.0 that recommends the US government designate space systems as critical infrastructure. Lots of satellites systems are already covered under other critical infrastructure sectors such as communication or defence, but Tom agrees that there are some good reasons to carve out a space-specific critical infrastructure sector. They also talk about the US State Department working on developing a portfolio of cyber diplomacy "offerings", ranging from disaster relief funding, to technical capacity building, through to policy-level cyber education. This seems like a great idea.

Risky Biz News: Apple's Lockdown Mode wins against iOS zero-day

Catalin Cimpanu — Wed, 19 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #702 -- 3CX: It's like SolarWinds, but stupider

Patrick Gray — Wed, 19 Apr 2023 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: * Why 3CX was the dumbest supply chain attack we've seen * Why Wiz's AzureAD research was a showstopper that didn't get the attention it deserved * How attackers are burning down cloud infrastructure * The latest from the world of spyware * Much, much more This week's show is brought to you by Nucleus Security. Chris Hughes from Aquia is this week's sponsor guest. He appeared at Nucleus Security's invitation. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The NCF's Practical Guide to Offensive Cyber Operations

Tom Uren — Tue, 18 Apr 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the UK's National Cyber Force's recently published "Responsible Cyber Power in Practice" document. The Grugq thinks he's been plagiarised, while Tom wonders whether the NCF's "doctrine of cognitive effects" highlights the limits of cyber operations. It's a good document and will be influential in shaping how people discuss offensive operations (those that disrupt, degrade, destroy etc).

Risky Biz News: Israeli spyware vendor QuaDream has allegedly shut down

Catalin Cimpanu — Mon, 17 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz Soap Box: Haroon Meer on why the VC apocalypse is great news

Patrick Gray — Tue, 11 Apr 2023 00:00:00 +1000

In this Soap Box edition of the show, Thinkst Canary founder Haroon Meer joins us to talk about why the sudden pullback in venture funding in infosec is actually a good thing. He thinks this will give founders licence to slow down and actually focus on making good products, instead of trying to build a company around vapourware or a minimum viable product.

Risky Biz News: Microsoft and Fortra declare war on cracked Cobalt Strike

Catalin Cimpanu — Fri, 07 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Genesis Market goes boom

Catalin Cimpanu — Wed, 05 Apr 2023 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Between Two Nerds: Why Glowing Symphony Feels So Small

Tom Uren — Mon, 03 Apr 2023 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq contrast between different cyber operations that occurred in 2016. In one, US Cyber Command used cyber operations to attack ISIS' propaganda operations. In the other, Russian cyber operators interfered with US Presidential elections. US action was tightly scoped, measurable and an underwhelming success, whereas Russian activity was nebulous and hard to measure but could have changed the course of the election.

Risky Biz News: Microsoft to fix OneNote's malspam problem

Catalin Cimpanu — Sun, 02 Apr 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: North Korean hackers behind supply chain attack on 3CX

Catalin Cimpanu — Fri, 31 Mar 2023 00:00:00 +1100

Srsly Risky Biz: Army. Navy. Air Force. Cyber Force?

Tom Uren — Thu, 30 Mar 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about the a thought bubble floated by military cyber professionals that the US armed forces needs a US Cyber Force. The justification is a bit light on and Tom doesn't really think the proposal makes sense. They also discuss US Cyber Command's "Hunt Forward" operations. In these operations partner countries invite CYBERCOM in to hunt for adversary activity. Access to networks is touchy stuff, though, so CYBERCOM spends a lot of time and effort in diplomatic efforts convincing potential partner agencies. We think these types of activities are great but in some parts of the world — think Asia — a warmer and fuzzier branding might be the go.

Risky Biz News: White House bars federal agencies from using rogue commercial spyware

Catalin Cimpanu — Wed, 29 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #701 -- Why infosec is wrong about TikTok

Patrick Gray — Wed, 29 Mar 2023 00:00:00 +1100

NOTE: Patrick's audio is a bit degraded in a few parts of this episode. It's still clear enough, but if you hear some degradation in parts then yes, it's us, not you. On this week's show Patrick Gray, Adam Boileau and Tom Uren discuss the week's security news. They cover: * The Biden White House's executive order on spyware * Why the infosec community writ large is wrong on TikTok * Clop campaign: it's time to ditch your file transfer gateways * Major Android app booted from store because it was full of 0day privesc exploits lol * More detail on the BreachForums admin arrest * Much, much more This week's show is brought to you by runZero. HD Moore, co-founder of runZero, is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick, Adam and Tom on Mastodon if that's your thing.

Between Two Nerds: The Real Problem with TikTok

Tom Uren — Mon, 27 Mar 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at what the real problems with TikTok are. Many people are focussing on risks we think are irrelevant or overblown, but it is a massively influential app under Chinese Communist Party control.

Risky Biz News: CISA rolls out pre-ransomware notification system

Catalin Cimpanu — Sun, 26 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: FTC to scrutinize cloud providers' business practices

Catalin Cimpanu — Fri, 24 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: BreachForums shuts down for good

Catalin Cimpanu — Wed, 22 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #700 -- Yevgeny Prigozhin's empire gets owned

Patrick Gray — Wed, 22 Mar 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news in front of a live audience at AISA's CyberCon in Canberra. They cover: * Yevgeny Prigozhin's entire enterprise got majorly owned * Kremlin bans iPhones among President's staff * A look at those Android handset baseband bugs (woof) * A discussion of the acropalypse issue * Why you need to sort out your egress filtering in light of the latest Outlook bug * Shanna Daly joins us on stage to talk about why the infosec industry sucks * Plus much much more This week's show is sponsored by Stairwell. Mike Wiacek, Stairwell's founder, is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: The Balance between Offence and Defence

Tom Uren — Tue, 21 Mar 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at the natural advantages that network defenders have. Despite this "home ground advantage" hackers still have a great deal of success and Tom and The Grugq look at what does work in favour of attackers.

Risky Biz News: Horror show 0days hit Samsung smartphones

Catalin Cimpanu — Mon, 20 Mar 2023 00:00:00 +1100

Risky Biz News: Google wants to reduce lifespan of TLS certificates to 90 days

Catalin Cimpanu — Fri, 17 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: The RESTRICT Act Is Not About TikTok

Tom Uren — Thu, 16 Mar 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about the RESTRICT Act, proposed US legislation that tries to deal with the problems posed by technologies from foreign adversaries. RESTRICT gives the US government powers to deal with companies like Kaspersky, Huawei and now TikTok on an ongoing basis, rather than muddling through in an ad hoc way each time a problem company pops up. It also requires that the Secretary of Commerce come up with processes and procedures to deal with and mitigate these types of threats, rather than the current whack-a-mole approach. They also discuss a draft Cambodian cyber security law and experts' concerns that it could be abused by the Cambodian government to maintain its grip on power. This law has many similarities to Australian critical infrastructure law and Tom and Pat discuss the reasons behind the law in Australia. There's a straight line between a serious ransomware incident in Australia and the resulting law, but still, Cambodia's government remains authoritarian. Finally, they look at a Carnegie report on Chinese manipulation of international standards setting organisations. It's a good report and explains what is going on — Chinese manipulation does happen occasionally, but it is "largely unsuccessful".

Risky Biz News: CISA establishes ransomware warning pilot program

Catalin Cimpanu — Wed, 15 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #699 -- BYOD risks ramp up

Patrick Gray — Wed, 15 Mar 2023 00:00:00 +1100

Threat actors are really enjoying home networks and BYOD these days… On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Why our LastPass/DPRK hunch weakened * CISA launches ransomware warning program * Is the Ring data extortion real? * White House flags cloud service security regulation * Pig Butchering overtakes BEC as top cybercrime earner * Much more!

Between Two Nerds: Cyber Powers and Talent Pipelines

Tom Uren — Tue, 14 Mar 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at how different countries take different approaches to talent identification and recruitment. How much of a difference does it make? And why do countries have these different approaches?

Risky Biz News: The US Government wants to regulate cloud security

Catalin Cimpanu — Mon, 13 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz Soap Box: Six degrees of Domain Admin

Patrick Gray — Fri, 10 Mar 2023 00:00:00 +1100

Today's soap box is an absolute cracker. We're talking to Andy Robbins, the principal product architect at SpecterOps and one of the three original creators of the original open source version of Bloodhound. If you don't know what Bloodhound is, it's a tool that grabs Active Directory information and turns it into a navigable graph. So if you're an attacker you land on a network, enumerate directory information, and then map out a path to domain admin. Bloodhound has been extremely popular with red teamers for years – to the point that it's just a standard tool in the red team toolkit. But the team behind Bloodhound is now turning their attention to making Bloodhound a defensive tool as well as an offensive tool.

Risky Biz News: Hackers steal data on US House members

Catalin Cimpanu — Fri, 10 Mar 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Grandpa Biden, Cyber President

Tom Uren — Thu, 09 Mar 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about the recently released US National Cyber Security Strategy. Tom really likes it because it sets out how the US will "win" by reshaping who is liable when crapware hits the fan. It's got other stuff in it too... Tom and Pat also discuss the story of an MSS agent being busted when trying to steal intellectual property from the aviation industry. He used the same iphone for both his personal life and his spying and his iCloud backups were an intelligence bonanza. These backups not only had messages to potential recruits, they also had had audio of meetings he'd recorded where he was discussing his approach to espionage. Finally, we talk about the security risks that arise from the use of Chinese ship-to-shore cranes at ports. Apparently these are chock full of sensors and could be spying on port logistics.

Risky Biz News: DoppelPaymer ransomware gang members identified

Catalin Cimpanu — Wed, 08 Mar 2023 00:00:00 +1100

Risky Business #698 -- Why LastPass was probably DPRK*

Patrick Gray — Wed, 08 Mar 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Why the White House's cybersecurity strategy is actually quite good * The LastPass breach was probably DPRK * UEFI bootkits are going downmarket, and this is bad * GitHub will scan repos for secrets * A look at some interesting DJI drone research * Much, much more This week's show is brought to you by Airlock Digital. Two of Airlock's founders -- Daniel Schell and David Cottingham -- are this week's sponsor guests. * NOTE: We now think LastPass was likely *not* DPRK. It's complicated and we'll explain why we think we got this wrong in next week's show

Between Two Nerds: A year of the Ukraine War

Tom Uren — Tue, 07 Mar 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at how cyber operations have been used in the war in Ukraine. They examine what we know given the "fog of cyber war" and what "cyber warfare" might look like in future.

Risky Biz News: New vulnerabilities expose location of DJI drone operators

Catalin Cimpanu — Mon, 06 Mar 2023 00:00:00 +1100

Risky Biz News: White House unveils National Cybersecurity Strategy

Catalin Cimpanu — Fri, 03 Mar 2023 00:00:00 +1100

Srsly Risky Biz: Give Me E2EE or Give Me Death!

Tom Uren — Thu, 02 Mar 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about Signal's vow to pull out of the UK if the proposed Online Safety Bill requires it to weaken its encryption. Tom and Patrick agree that end-to-end encryption isn't at stake, but Signal could well be asked what steps it is taking to mitigate child exploitation and terrorist content. Patrick thinks there are useful steps Signal could take that would be helpful, but both Tom and Pat find it hard to imagine that Signal will actually make these choices. They also discuss the US government floating the idea of shifting legal liability to technology manufacturers when they make terribly insecure products. Tom thinks this is an attractive idea, but the government would be better off doing much more to encourage transparency first.

Risky Biz News: Chinese hackers breach ASEAN organization in cyber-espionage campaign

Catalin Cimpanu — Wed, 01 Mar 2023 00:00:00 +1100

Risky Business #697 -- LastPass attacker: Do you gotta hand it to 'em?

Patrick Gray — Wed, 01 Mar 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * A look at LastPass's intrusion post mortem * A very stable genius decided to ransomware the US Marshals Service * Why Signal's complaints about UK's Online Safety Act are bad faith * Much, much more... This week's show is brought to you by Tines, the no-code automation platform. Its co-founder and CEO Eoin Hinchy joins the show in the sponsor slot, and you can check out a Tines demo we recorded with Eoin on YouTube. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: US Treasury sanctions Russian cyber and influence firms

Catalin Cimpanu — Mon, 27 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Between Two Nerds: Making sense of cyber power rankings

Tom Uren — Mon, 27 Feb 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at reports that try and distil a country's cyber power into a single number so that they can be ranked and compared. Do these reports say anything useful and have any value?

Risky Biz News: Russian radio stations hacked to blast fake air raid warnings

Catalin Cimpanu — Fri, 24 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

An interview with Andrew Boyd, director of the CIA's Centre for Cyber Intelligence

Patrick Gray — Thu, 23 Feb 2023 00:00:00 +1100

In this interview the director of the CIA's Center for Cyber Intelligence (CCI) sits down with Risky Business podcast host Patrick Gray to talk about: * What CCI actually does * The CIA's role in cyber intel and operations * What lessons have been learned from Russia's cyber campaigns targeting Ukraine * Why a cyber conflict with China will be very, very different * His views on the ransomware threat * Much, much more

Srsly Risky Biz: Move Over NSO, the Internet Has a New Villain

Tom Uren — Thu, 23 Feb 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about investigations into the disinformation industry. One election interference for hire company, known as "Team Jorge", provides a huge variety of dirty tricks services, but we think its claims of massive influence are overblown. Despite that, however, these companies are still corrosive for democracy and a scourge worth tackling. Patrick thinks they're the "new internet villain" and will replace NSO as a target of hate. They also discuss Google's new report that covers Russian cyber operations in its invasion of Ukraine. On the whole a good report, but both Tom and Pat think some of it is problematic. Finally, they talk about Patrick's interview with the head of the CIA's Center for Cyber Intelligence. It's great to have intelligence officials explain how they see the cyber threat landscape and get their take on war in Ukraine and what that means for cyber operations in future conflicts.

Risky Biz News: Russia preparing new Vepr surveillance system

Catalin Cimpanu — Wed, 22 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #696 -- Why Twitter had to kill SMS 2FA

Patrick Gray — Wed, 22 Feb 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Why Twitter had to kill SMS 2FA * A look at Meta's new verification service * How a ransomware attack disrupted the semiconductor supply chain * Why Anonymous Sudan is probably a Russian info op * Microsoft mixes up public and private keys in Azure B2C (for real) * Much, much more This week's show is brought to you by Proofpoint. Its Executive Vice President of Cybersecurity Strategy Ryan Kalember joins the show in the sponsor slot. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Is cyberespionage actually signals intelligence?

Tom Uren — Tue, 21 Feb 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at the differences and similarities between signals intelligence and cyber operations. Why did Five Eyes Sigint organisations end up 'owning' cyber operations and does that make sense, or should there be a separate cyber intelligence organisation?

Risky Biz News: Applied Materials to take $250m ransomware hit

Catalin Cimpanu — Mon, 20 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: EU cybersecurity agencies warn of Chinese APT spying

Catalin Cimpanu — Fri, 17 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Patrick Gray, who's filling in for Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz Soap Box: Greynoise has built the world's biggest, and smartest, honeypot

Patrick Gray — Thu, 16 Feb 2023 00:00:00 +1100

In this interview we're chatting with the founder of Greynoise Intelligence, Andrew Morris. Greynoise operates a global network of sensors that collect data on things like mass scanning, exploitation and reconnaissance. The idea is if your SOC gets an alert from a particular IP you can see if it's associated with mass scanning or exploitation, or if it's something that's just targeting you. And as you'll hear, there are other use cases also, but we're talking about a few things with Andrew today. He talks about being able to selectively port forward attacks targeting his sensor network to a data centre running the services being targeted, about the ESXiArgs ransomware attack and more. Enjoy!

Srsly Risky Biz: North Korean ransomware, Biden flags US privacy reform

Tom Uren — Thu, 16 Feb 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about North Korea's foray into state-sponsored ransomware targeting healthcare organisations. There's reasons to be concerned — North Korea has pulled off some sophisticated hacks and the responses that maybe "work" against cybercriminals might not work at all against the DPRK. Tom thinks that the international community can do a lot more around sanctions that will help. They also look at President Biden's talk about privacy at his recent State of the Union speech. Does this mean that the US will finally get meaningful federal privacy and data security legislation? We hope so. Finally, Tom and Patrick revisit the Chinese spy balloon saga. Even though a single balloon is not a huge threat, an uncontested balloon surveillance program would be and the US is responding strongly. It's sanctioned six Chinese firms and the US is looking for balloons and finding them. Three more have been shot down since last week, but it looks like they are all just errant balloons rather than more surveillance craft.

Risky Biz News: FTC orders MoneyGram to return $115 million to scammed victims

Catalin Cimpanu — Wed, 15 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #695 -- North Korea is ransomwaring hospitals, Russia to make "patriotic" hacking legal

Patrick Gray — Wed, 15 Feb 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * North Korea is ransomwaring hospitals with homegrown and Russian strains * Russia proposes law greenlighting "patriotic hacks" * It's 702 renewal time… again * CISA releases ESXiArgs recovery script (yay!) * UK mulls crimephone ban * Much, much more This week's show is brought to you by Thinkst Canary. Haroon Meer is this week's sponsor guest and joins us to talk about Thinkst's latest release: the credit card canary. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Deny! Degrade! Discombobulate?

Tom Uren — Tue, 14 Feb 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq compare and contrast the way Russia and the West project power with cyber operations.

Risky Biz News: Russia wants to absolve patriotic hackers of criminal liability

Catalin Cimpanu — Mon, 13 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: US and UK sanction seven Trickbot members

Catalin Cimpanu — Fri, 10 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: China's magnificent spy balloon, Iran throws an epic cyber tanty

Tom Uren — Thu, 09 Feb 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about the bizarre Chinese spy balloon story. There may be incremental intelligence gains for the PRC but they were far outweighed by the diplomatic fallout. They also discuss an Iranian operation attacking French satiricial magazine Charlie Hebdo. States use cyber operations to pursue vastly different goals and most of them make sense for a state's point of view. But some operations, like this one, and like the North Korean attack on Sony Pictures, are "vanity projects" that cater to the whims of the "dear leader". Finally, the Conti ransomware attack on the Irish public health system (HSE) is turning into the best ransomware case study. It brings together a detailed examination of the management failures with stories from staff, patients and also from inside the Conti group. You can read the newsletter this podcast is based on here.

Risky Biz News: Tor network hit with DDoS attacks over past seven months

Catalin Cimpanu — Wed, 08 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #694 -- Cleansing fire claims ESXi, GoAnywhere servers

Patrick Gray — Wed, 08 Feb 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Unpatched ESXi boxes are getting rinsed * GoAnywhere MFT file transfer boxes are too * Royal Mail data being ransomed by Lockbit * Advanced materials manufacturer and finance company among latest rware victims * Guilty plea in Ubiquiti case * Much, much more This week's show is brought to you by Red Canary. Red Canary's Adam Mashinchi is this week's sponsor guest. He joins us to talk about the impact layoffs are having on infosec teams. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: Ransomware wave hits thousands of VMWare ESXi servers

Catalin Cimpanu — Mon, 06 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Between Two Nerds: When companies become an arm of the State

Tom Uren — Mon, 06 Feb 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq examine how states have different thresholds for compelling companies to act on their behalf. Where do those thresholds lie and is one approach better than another? Why do states have these different approaches?

Risky Biz News: Zero-day alert for GoAnywhere file transfer servers

Catalin Cimpanu — Fri, 03 Feb 2023 00:00:00 +1100

Srsly Risky Biz: Links between Russian state and cybercriminals remain elusive

Tom Uren — Thu, 02 Feb 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about a new Recorded Future report that collates evidence of Russian intelligence service links to cybercriminals. There's a lot of circumstantial evidence, but it feels more like the state uses criminals opportunistically rather than systematically. The FBI disruption and takedown of the Hive ransomware crew is a huge success and Tom and Patrick examine the tradeoffs about exactly when to seize Hive's servers. They also discuss the different approaches the US and Singapore government are taking to counter scam robocalls and SMS messages.

Risky Biz News: Google discloses breach of its Fi cell service

Catalin Cimpanu — Wed, 01 Feb 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #693 -- Hive takedown is the beginning, not the end

Patrick Gray — Wed, 01 Feb 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * A look at the Hive takedown * UK's Royal Mail still struggling * GitHub's code signing certificates stolen * TSA misses the point on no-fly list theft * Much, much more This week's show is brought to you by Remediant, which is now a part of Netwrix. Tim Keeler is co-founder of Remediant and joins us to talk about how the PAM market -- and the tech that makes it up -- is changing.

Risky Biz News: FCC warns Twilio on scam robocalls

Catalin Cimpanu — Mon, 30 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: FBI hacked Hive ransomware infrastructure, stole decryption keys

Catalin Cimpanu — Fri, 27 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz Soap Box: Tools alone won't solve your vuln management problems

Patrick Gray — Wed, 25 Jan 2023 00:00:00 +1100

In this Soap Box edition of the show Nucleus Security's Scott Kuffer discusses Stakeholder-Specific Vulnerability Categorization (SSVC) and why tools alone can't fix a dysfunctional vulnerability management program.

Risky Biz News: FBI links Harmony's $100 million hack to the Lazarus Group

Catalin Cimpanu — Wed, 25 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #692 -- Google search results spew malware, phishing sites

Patrick Gray — Wed, 25 Jan 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Google's search results have become a malware-riddled sh*tshow * Ransomware payment values dropped by 40% YoY in 2022 * Kraken takes over Solaris the old school way * Grand Theft Auto RCE is wreaking havoc * ManageEngine customers are all getting owned * So you know, pretty much business as usual This week's show is brought to you by Kroll. Jim Hung co-leads the special projects and applied research team at Kroll and joins us to talk about the big changes happening in the incident response discipline.

Risky Biz News: Crypto-crime volumes went down in 2022, ransomware payments too

Catalin Cimpanu — Mon, 23 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Between Two Nerds: When Operations Get Burnt

Tom Uren — Mon, 23 Jan 2023 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq look at operations being 'burnt' from the adversary's point of view. What do they do when an operation is burnt? What are the factors that go into the decisions that they make?

Risky Biz News: Dark web mega-hack as Kraken takes over Solaris

Catalin Cimpanu — Fri, 20 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: LockBit ripe for disruption, Russians throw kitchen sink at Ukraine

Tom Uren — Thu, 19 Jan 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about security researcher Jon DiMaggio infiltrating the LockBit ransomware group. DiMaggio’s report shows that there are numerous disruption operations. They also cover a new Ukrainian report about Russia’s combined cyber, conventional and military operations. It doesn’t look like the Russians are deftly coordinating these different attacks to maximum effect so much as using a kitchen sink approach. Finally, they look at a French general’s warning to other European countries that the US might use Cyber Command hunt forward operations as an intelligence gathering operation. We don’t think this is at all likely, but the general has hit on a fear that other countries will have.

Risky Biz News: Google Search and Ads have a major malware problem

Catalin Cimpanu — Wed, 18 Jan 2023 00:00:00 +1100

Risky Business #691 -- LockBit and "Pablo Escobar syndrome"

Patrick Gray — Wed, 18 Jan 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Royal Mail attack was LockBit and GCHQ will probably "bust some heads" * CircleCI's incident report and the problem with malwared endpoints in the Zero Trust age * Cloudflare backs Mastodon * Paul Nakasone: NSA did some great stuff! It was really good! * Cisco won't patch SMB routers sold in 2020 * Much, much more This week's show is brought to you by Material Security. Material co-founder Ryan Noon and Snowflake's head of cybersecurity strategy Omer Singer are this week's sponsor guests.

Risky Biz News: Secure Boot is useless on recent MSI motherboards

Catalin Cimpanu — Mon, 16 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Pro-Russian hacktivists offer cryptocurrency for DDoS attacks against Ukraine and western targets

Catalin Cimpanu — Fri, 13 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Carnegie Report Takes Wind Out of Cyber War's Sails

Tom Uren — Thu, 12 Jan 2023 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about a new Carnegie report that does a really good job examining the interplay of disruptive cyber operations and conventional military action in Russia’s invasion of Ukraine. They also examine the trajectory of NSO Group. The US Supreme Court has decided that WhatsApp’s court case against the firm can continue, but the political environment has changed so drastically we don’t think the court case will make much difference in the end.

Risky Biz News: Windows 7 reaches end-of-support

Catalin Cimpanu — Wed, 11 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Risky Business #690 -- 2023 will be a rough year for critical online services

Patrick Gray — Wed, 11 Jan 2023 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the news we missed while on break. Because it's the first show of the year, we split the discussion into themes: * Attacks against critical online services like Okta, CircleCI, Slack and Lastpass will increase in volume * All the latest global intrigue, from NSO being noped by the US Supreme Court to DDoS attacks in Serbia, Turla's latest campaign, supply chain attacks against Ukraine, why Russia has been more active than we realised and much more * A ransomware wrap, a discussion about the rise of data extortion and why it's unlikely to remain a huge problem * Why automotive security research will actually be interesting this year * PLUS: A bunch of random news! This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he joins us to talk about something they've developed – a zero knowledge proof of exploit technique. Very interesting stuff!

Risky Biz News: Ukraine jams Russian satellite TV stations in occupied territories

Catalin Cimpanu — Mon, 09 Jan 2023 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and read by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: The Access Debate is Now the Child Safety Debate

Tom Uren — Thu, 15 Dec 2022 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about Apple’s latest move to roll out end-to-end encrypted iCloud backups and how that plays into the lawful access debate. Pending legislation in the US, UK and EU is all about mitigating online harms and countering child exploitation, so they think the policy debate has moved on from lawful access. There are lots of measures that companies could take in this space that don’t compromise end-to-end encryption, and legislators are going to force companies to do more. They also look at the next move for North Korean hackers. They’ve had an absolute field day pillaging cryptocurrency ventures. What will their next move be as the “Crypto Winter” arrives? You can find the newsletter post this podcast is based on here.

Risky Biz News: Citrix and Fortinet patch zero-days exploited in APT and ransomware campaigns

Catalin Cimpanu — Wed, 14 Dec 2022 00:00:00 +1100

Description: A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Patrick Gray. You can find the newsletter version of this podcast click here.

Risky Business #689 -- FBI baulks at Apple's iCloud encryption push

Patrick Gray — Wed, 14 Dec 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Apple to introduce user-encrypted backups, FBI is sad * Twitter ices e2ee plans for DMs * RackSpace is getting sued over its hosted Exchange ransomware incident * Dodgy driving: Microsoft signs some shady stuff * Japan to change laws, release the Shibas * A look at the US NDAA * Much, much more This week's show is sponsored by Obsidian Security. Obsidian co-founder Ben Johnson joins the show this week to talk through SaaS configuration security and visibility/monitoring.

Risky Biz Soap Box: Attack Path Management is the New Hotness

Patrick Gray — Tue, 13 Dec 2022 00:00:00 +1100

In this sponsored podcast Patrick Gray and Ryan Kalember talk about Proofpoint's acquisition of Illusive, a company that started off in the "deception" space and then moved towards doing attack path analysis and management.

Between Two Nerds: The US has it all wrong on cyber

Tom Uren — Tue, 13 Dec 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq find that for most countries use of cyber capabilities makes sense. Except for the US. They are in a different position and the development of cyberspace as a domain of strategic competition is a net loss for them.

Risky Biz News: Disgruntled member doxes and extorts URSNIF gang

Catalin Cimpanu — Mon, 12 Dec 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Patrick Gray, who's filling in for Claire Aird. You can find the newsletter version of this podcast click here.

Risky Biz News: Apple to encrypt iCloud backups, support third-party security keys

Catalin Cimpanu — Fri, 09 Dec 2022 00:00:00 +1100

Description: A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast click here.

Srsly Risky Biz: Microsoft’s Dull Bulb Fails to Illuminate

Tom Uren — Thu, 08 Dec 2022 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about how Microsoft continues to get important stuff wrong on Chinese vulnerability regulation and Russian cyber warfare. They also discuss how Cyber Safety Review Board's decision to look at teenage hacking Lapsus$ is a good one, and how a Chinese APT group’s efforts to steal US Covid relief money will really annoy people. You can read the newsletter the podcast is based on here.

Risky Business #688 -- APT41 pickpockets Uncle Sam

Patrick Gray — Wed, 07 Dec 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Samsung, LG Android signing keys pinched * LastPass gets owned again * APT41 steal covid relief money * Amnesty International hacked in Canada * Much, much more This week's show is brought to you by Airlock Digital. Its CEO and CTO join host Patrick Gray this week to talk about admin to kernel as a security boundary, and the limitations of kernel driver blocklists. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Risky Biz News: New Scattered Spider group targets telcos for SIM swapping attacks

Catalin Cimpanu — Wed, 07 Dec 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast click here.

Between Two Nerds: The ethical rules of espionage

Tom Uren — Tue, 06 Dec 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss reader feedback about whether the Five Eyes engage in economic espionage and look at allegations that Australia spied on the East Timorese government to get an edge in negotiations regarding an oil and gas negotiation. In various hypothetical scenarios we examine the ethics of the situation and what would have to change for that spying to be morally justified.

Risky Biz News: Samsung, MediaTek, and other Android platform certs used to sign malware

Catalin Cimpanu — Mon, 05 Dec 2022 00:00:00 +1100

Risky Biz News: LastPass discloses second breach, Google exposes new spyware vendor

Catalin Cimpanu — Fri, 02 Dec 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: We Need a More Conscious Decoupling

Tom Uren — Thu, 01 Dec 2022 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about US-China technological decoupling and the lack of an observable strategy so far. They also find that the use of geofence warrants in the Capital riot seems perfectly reasonable, and examine how Chinese twitter uses trying to find news about recent Covid protests are being deluged with spam. You can read the newsletter this podcast is based on here.

Risky Biz News: Australia passes new privacy bill with huge data breach fines

Catalin Cimpanu — Wed, 30 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #687 -- Shady deeds in sunny places: Ransomware smashes Vanuatu, Guadeloupe

Patrick Gray — Wed, 30 Nov 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * UK, USA ban Chinese security cameras * What is the Boa webserver and why is it everywhere? * Vanuatu, Guadeloupe smashed by ransomware * REvil back with more dumps despite ASD attention * Much, much more This week's sponsor guest is Jake King from Elastic Security, who joins us to talk through the company's most recent threat report. There's a link to the report in our show notes. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Between Two Nerds: Good News, Bad News

Tom Uren — Tue, 29 Nov 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq have some good news for a change — ransomware has peaked and they examine why criminals will look for different sources of income. Of course, every silver lining has a cloud, and ransomware will be replaced by other types of cyber crime.

Risky Biz News: US and UK ban Chinese equipment on national security grounds

Catalin Cimpanu — Mon, 28 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Authorities seize iSpoof in major blow to fraudsters and cybercrime groups

Catalin Cimpanu — Fri, 25 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird.You can find the newsletter version of this podcast here.

Srsly Risky Biz: Why TikTok is a genuine risk, inside the NSPM-13 changes

Tom Uren — Thu, 24 Nov 2022 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about which national security concerns around TikTok are actually the "real ones" in light of Christopher Wray's congressional testimony last week. They also talk about changes to NSPM-13, the rules governing Cyber Command operations and the looming Executive Order on commercial spyware. You can read the newsletter this podcast is based on here.

Risky Biz News: Meta formally links pro-Western influence operation to US military

Catalin Cimpanu — Wed, 23 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird.You can find the newsletter version of this podcast here.

Risky Business #686 -- White House to move on spyware industry

Patrick Gray — Wed, 23 Nov 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Half of all UK COBRA meetings are ransomware related * Ransomware biggest risk to US port security * White House to move on spyware industry * EU to launch its own Starlink equivalent * Much, much more AttackIQ's Jonathan Reiber will be joining us in this week's sponsor interview to talk about how companies and their boards are really moving towards outcomes-based security programs. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.

Risky Biz Soap Box: How to get your developers invested in security

Patrick Gray — Mon, 21 Nov 2022 00:00:00 +1100

In this podcast we speak with Randall Degges who leads the Developer Relations & Community team at Snyk. He's here to talk to us about how to get developers enthusiastic about security, how to get them to use the right tooling, and how this tooling will evolve in the future to actually help developers fix bugs in their code.

Risky Biz News: Cyber Partisans hack and disrupt Kremlin censor

Catalin Cimpanu — Mon, 21 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird.You can find the newsletter version of this podcast here.

Between Two Nerds: Why regulating the 0day market won't stop mercenary spyware

Tom Uren — Mon, 21 Nov 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq examine some recommendations in a recent draft report from a European Parliament inquiry into the use of Pegasus and similar spyware. The report contains an interesting overview of the European spyware market but makes some recommendations that are not just ineffective but positively counterproductive — they'll actually make the world a less safe place.

Risky Biz News: Iranian state hackers breached US government, deployed a cryptominer

Catalin Cimpanu — Fri, 18 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird.You can find the newsletter version of this podcast here.

Risky Biz News: Major hack-and-leak info-op unfolding in Moldova

Catalin Cimpanu — Wed, 16 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird.You can find the newsletter version of this podcast here.

Risky Business #685 -- Australia releases the hounds, and it might just work

Patrick Gray — Wed, 16 Nov 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Australia lets ASD loose on ransomware crews, but will it work? (Tom Uren joins us to chat about this one) * Twitter's wheels haven't fallen off yet but they sure are wobbling * Hundreds of millions stolen from FTX mid implosion * Security researchers start looking at Mastodon and… yeah * Much, much more! This week's show is brought to you by Gigamon. George Sandford from Gigamon pops in for this week's sponsor interview to talk about how to successfully stand up an NDR program.

Risky Biz News: Australia to hack the hackers

Catalin Cimpanu — Mon, 14 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Risky Biz News: Twitter's CISO and head of trust and safety both resign

Catalin Cimpanu — Fri, 11 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird.You can find the newsletter version of this podcast here.

RBTALKS: Google's VP of Security Engineering Heather Adkins Talks Aurora

Catalin Cimpanu — Thu, 10 Nov 2022 00:00:00 +1100

In this podcast Tom Uren interviews Google's VP of Security Engineering Heather Adkins about what changed at Google after the infamous 2009 Aurora attacks.

Risky Biz News: The spyware industry has found a cozy home in the EU

Catalin Cimpanu — Wed, 09 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #684 -- DoJ seizes 50,000 stolen bitcoins from popcorn tin

Patrick Gray — Wed, 09 Nov 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * DoJ seizes 50k bitcoin stolen from Silk Road, charges thief * Australian health insurer Medibank refuses to pay ransom, data leaked * Inside Qatar's $386m world cup espionage operation * EU Parliament report into spyware lands * SolarWinds settles shareholder lawsuit, faces SEC enforcement action * Much, much more This week's sponsor guest is Andrew Morris from Greynoise Intelligence. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.

Risky Biz News: Chinese APTs used more zero-days last year

Catalin Cimpanu — Mon, 07 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: Why does Europe suck?

Tom Uren — Mon, 07 Nov 2022 00:00:00 +1100

What's the point of having military cyber capability? It seems that states in the European Union don't know either. In this edition of Between Two Nerds Tom Uren and The Grugq discuss why states in the EU are no good at military cyber operations.

Risky Biz News: OPERA1ER group hits African banks for $30 million

Catalin Cimpanu — Fri, 04 Nov 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Srsly Risky Biz: The Liz Truss hack and securing politcians' comms

Tom Uren — Thu, 03 Nov 2022 00:00:00 +1100

In this podcast Patrick Gray talks to Tom Uren about the alleged hack of former UK Prime Minister Liz Truss's smartphone by Russian intelligence services and what governments might be able to do to better protect politicians against similar hacks.

REPOST: Risky Biz News: Internal chats for Yanluowang ransomware gang leaked

Catalin Cimpanu — Wed, 02 Nov 2022 00:00:00 +1100

REPOST: This podcast initially went out linking to the wrong audio recording. Apologies for the inconvenience. A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Risky Business #683 -- OpenSSL bug is a fizzer, ASD responds to Medibank hack

Patrick Gray — Wed, 02 Nov 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Twitter bluechecks face phishing barrage * Australian government goes berserk on Medibank hack response * Former WSJ journalist sues law firm over email hack and info op that got him fired * OpenSSL bug lands with a whimper * Apple macOS Ventura update breaks security tools * Much, much more This week's show is brought to you by Thinkst Canary. Marco Slaviero, Thinkst's head of engineering, joins us this week to talk through the company's latest release, codenamed Quokka.

Risky Biz News: The Profanity Vulnerability Claims Another Victim

Catalin Cimpanu — Mon, 31 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared by Catalin Cimpanu and presented by Claire Aird. You can find the newsletter version of this podcast here.

Between Two Nerds: When Small is Beautiful

Tom Uren — Sun, 30 Oct 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss why some states seem to favour small dispersed groups that are contractors rather than large centralised organisations like the NSA and GCHQ. Do they see positive benefits in that approach? Or do they use contractors out of necessity?

Risky Biz News: Microsoft rolls out number matching to counter MFA push notification spam attacks

Catalin Cimpanu — Fri, 28 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Raccoon Stealer dev didn't die in Ukrainian war; he was arrested in the Netherlands

Catalin Cimpanu — Wed, 26 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: GitHub aflood with fake and malicious PoCs

Catalin Cimpanu — Mon, 24 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Internet Giants and the state

Tom Uren — Sun, 23 Oct 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss internet giants such as Google, Amazon, Yandex and AliBaba and explore their relationships with the state.

Risky Biz News: URSNIF goes from banking trojan to backdoor, dreaming of ransomware profits

Catalin Cimpanu — Fri, 21 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Snake Oilers: Truffle Security, KSOC and Snyk

Patrick Gray — Wed, 19 Oct 2022 00:00:00 +1100

Snake Oilers isn’t our regular weekly podcast, it’s a wholly sponsored series we do at Risky.Biz where vendors come on to the show to pitch their products to you, the Risky Business listener. To be clear – everyone you hear in one of these editions, paid to be here. We’ll hear from three vendors in this edition of Snake Oilers: * Truffle Security talks secrets discovery * KSOC builds Kubernetes security tools * Snyk has a new product to better secure Infrastructure as Code

Risky Biz News: IRGC installed malware on phones of Iranian protesters following their arrest

Catalin Cimpanu — Wed, 19 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Russia is building a centralized video surveillance system

Catalin Cimpanu — Mon, 17 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Cyber Operations on the Battlefield

Tom Uren — Sun, 16 Oct 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq discuss whether destructive cyber effects can be integrated effectively with tactical conventional warfare. There are some wrinkles: how do soldiers on the ground know what cyber ops can be used for, can you execute them fast enough and what can they even do anyway?

Snake Oilers: Tines, Code42 and Kroll

Patrick Gray — Fri, 14 Oct 2022 00:00:00 +1100

Snake Oilers isn’t our regular weekly podcast, it’s a wholly sponsored series we do at Risky.Biz where vendors come on to the show to pitch their products to you, the Risky Business listener. To be clear – everyone you hear in one of these editions, paid to be here. We’ll hear from three vendors in this edition of Snake Oilers: * Tines, the no code security automation solution that people are going absolutely nuts over * Code42, the insider threat detection solution maker * Kroll talks about its MDR offering

Risky Biz News: China does a funny and tries to pose as IntrusionTruth

Catalin Cimpanu — Fri, 14 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Seriously Risky Biz: Biden's SIGINT EO Doesn't Change Much

Tom Uren — Thu, 13 Oct 2022 00:00:00 +1100

In this edition of Seriously Risky Business Patrick Gray and Tom Uren talk about US President Joe Biden's Executive Order on SIGINT collection and why Albania almost invoking Article 5 over a cyberattack probably isn't a gigantic big deal.

Risky Biz News: White House working on cybersecurity labels for IoT products

Catalin Cimpanu — Wed, 12 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #682 -- Starlink goes dark on Ukraine's front line

Patrick Gray — Wed, 12 Oct 2022 00:00:00 +1100

On this week's show Patrick Gray, Adam Boileau and Dmitri Alperovitch discuss the week's security news, including: * Why former Uber CISO Joe Sullivan's guilty verdict shouldn't worry you * United States puts chipmaking restrictions on China, APT activity is coming * Elon blinks and Starlink goes dark on Ukraine's front line * Master cyber criminal arrested in Australia * Much, much more This week's show is brought to you by runZero, the asset inventory and network visibility solution. runZero's founding CTO and industry legend HD Moore is this week's sponsor guest.

Risky Biz News: LofyGang runs amok in the npm ecosystem with minimal gains

Catalin Cimpanu — Mon, 10 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Using Offensive Capabilities Against Criminals

Tom Uren — Mon, 10 Oct 2022 00:00:00 +1100

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the idea of using the big cyber agencies to go after foreign criminals.

Risky Biz News: Good news for the Capital One hacker, bad news for the former Uber CSO

Catalin Cimpanu — Fri, 07 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Seriously Risky Biz: The CIA is too stupid to know it's stupid

Tom Uren — Thu, 06 Oct 2022 00:00:00 +1100

In this episode of Seriously Risky Biz Patrick Gray and Tom Uren talk about the CIA's catastrophically moronic covert communications system, the North Korean smartphone hacking scene and the significance of a Netwalker affiliate's 20 year prison sentence.

Risky Biz News: China blocks several protocols used to bypass the Great Firewall

Catalin Cimpanu — Wed, 05 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #681 -- It's Exchangehog Day

Patrick Gray — Wed, 05 Oct 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * More Exchange 0days cause more havoc * A look at some earlier Exchange hack incidents * How the CIA got its agents killed with its truly awful online opsec * Ex NSA staffer arrested for espionage * Much, much more This week's show is brought to you by Proofpoint. Ryan Kalember, Proofpoint's EVP of cybersecurity strategy, joins the show this week to talk about some overlooked detection opportunities – some simple stuff you can look for in your environment that should raise gigantic flashing red flags.

Risky Biz News: Interpol arrests scammers linked to Nigerian "Air Lords" crime syndicate

Catalin Cimpanu — Mon, 03 Oct 2022 00:00:00 +1100

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: How cyber agencies are constrained

Tom Uren — Sun, 02 Oct 2022 00:00:00 +1000

In this episode of Between Two Nerds Tom Uren talks to The Grugq about how large SIGINT organisations like NSA have limitations and are constrained in all sorts of ways.

Seriously Risky Biz #12 -- Why Huawei is Germany's next Nordstream

Tom Uren — Fri, 30 Sep 2022 00:00:00 +1000

In this week's edition of Seriously Risky Business Patrick Gray and Tom Uren talk about the Australian government's response to the Optus hack, why Viasat was a massively significant attack despite a lack of clarity on how it affected battlefield communications, and how Germany's late warning on Kaspersky software betrays larger problems with its strategic thinking.

Risky Biz News: Twitch limits browser logins as it deals with massive bot attack

Catalin Cimpanu — Fri, 30 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Why Microsoft's Smart Application Control is very strange

Patrick Gray — Thu, 29 Sep 2022 00:00:00 +1000

In this Soap Box podcast Patrick Gray interviews Airlock Digital CTO Daniel Schell and CEO David Cottingham about Microsoft's new Smart Application Control feature, why controlling browser extensions via endpoint instrumentation is really hard and why PAM solutions don't actually do allowlisting, even if they claim they do.

Risky Biz News: Facebook takes down large network of (low quality) fake news sites pushing Russian propaganda

Catalin Cimpanu — Wed, 28 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #680 -- Uber, Rockstar Games hacker arrested

Patrick Gray — Wed, 28 Sep 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Lapsus$'s Teapot arrested by UK police * Optus hacker issues grovelling apology after feeling AFP and ASD heat * Ukraine claims Russia is planning massive attacks on its infrastructure * RSOCKS bot herder begs for extradition to USA * Russians scammed when seeking military service exemptions * Much, much more This week's show is sponsored by Votiro. Ravi Srinivasan, Votiro's CEO, joins the show this week to talk about how people are using content disarm and reconstruction.

Risky Biz News: XakNet "hacktivists" linked to APT28 and Russia's GRU intelligence service

Catalin Cimpanu — Mon, 26 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: How Ukraine Could Actually Use Its "IT Army"

Tom Uren — Sun, 25 Sep 2022 00:00:00 +1000

In this episode of Between Two Nerds Tom Uren talks to The Grugq about how Ukraine could make better use of its so-called "IT Army".

Risky Biz News: EU data supervisor sues the EU and Europol for skirting data protection rules

Catalin Cimpanu — Fri, 23 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Seriously Risky Biz: Chaos Is the New Normal

Tom Uren — Thu, 22 Sep 2022 00:00:00 +1000

In this week's edition of Seriously Risky Biz Patrick Gray and Tom Uren talk about the new chaotic normal. Should policymakers abandon efforts to wind back the cyber chaos or should they start focussing more on how to adapt to it? They also talk about some research from the Atlantic Council into Chinese vulnerability disclosure rules and their effect on the pipeline of vuln information from China to other countries.

Risky Biz News: US Ransomware Task Force to go after ransomware top dogs

Catalin Cimpanu — Wed, 21 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #679 -- A look at Uber's very bad week

Patrick Gray — Wed, 21 Sep 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * A look at how Uber got owned so hard * Why cleartext cookie storage in Microsoft Teams' Electron-based app is actually a big deal * Russian official: Starlink is a legitimate military target * Wagner mercs get doxxed * Kiwi Farms having a bad time * Much, much more In this week's sponsor interview we'll be chatting to Nucleus's CEO Steve Carter about CISA's KEV list. He has feelings about the KEV list – they're mostly positive, but he also has a few reasonable gripes and he joins me to talk about them.

Risky Biz News: KiwiFarms discloses security breach, says user data may have been stolen

Catalin Cimpanu — Mon, 19 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: On culture and SIGINT agencies

Tom Uren — Mon, 19 Sep 2022 00:00:00 +1000

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how SIGINT agencies in different regions have different cultures, and how these differences are rooted in the military traditions and hacker cultures of various countries.

Risky Biz News: Poland refuses to cooperate with the EU in spyware scandal

Catalin Cimpanu — Fri, 16 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Haroon Meer on "sensitive command tokens"

Patrick Gray — Thu, 15 Sep 2022 00:00:00 +1000

In this edition of the Soap Box podcast Patrick Gray talks to Haroon Meer about Thinkst Canary's new sensitive command token. It's a great way to detect intruders on your Windows systems. Haroon also talks about how to use canaries strategically.

Seriously Risky Biz: Why Twitter is a magnet for foreign infiltrators

Tom Uren — Thu, 15 Sep 2022 00:00:00 +1000

In this week's edition of Seriously Risky Business Patrick Gray and Tom Uren talk about the important bits of Mudge's disclosures about Twitter's security practices and why the West's response to Iran's norm-shattering attacks on Albania matter.

Risky Biz News: Breached forum has already replaced the now-defunct RAIDforums

Catalin Cimpanu — Wed, 14 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #678 -- Iranians Gone Wild

Patrick Gray — Wed, 14 Sep 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Albania suffers under another crippling Iranian attack * Iran's APT42 using clever, multi-persona phishing * State Department cyber snitching program paying off * Former NSA director Gen. Keith Alexander sued over alleged IronNet pump and dump * Mudge fronts US Senate Judiciary Committee * Much, much more… This week's show is brought to you by Stairwell. Mike Wiacek, Stairwell's founder and CEO is this week's sponsor guest and he talks about why they've pushed their Inception platform beyond YARA hunting. You can see a demo of Inception on our YouTube product demo page.

Risky Biz News: Albania-Iran cyber drama far from over

Catalin Cimpanu — Mon, 12 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Former Conti members are now targeting Ukraine

Catalin Cimpanu — Fri, 09 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Seriously Risky Biz #9 -- Albania suspends diplomatic ties with Iran over hack

Tom Uren — Thu, 08 Sep 2022 00:00:00 +1000

In this edition of Seriously Risky Business Patrick Gray and Tom Uren talk about the Albanian government's decision to break off diplomatic ties with Iran in the wake of a wiper attack in July. They also weigh in on the Fog Reveal tool that sells mobile location data to law enforcement agencies via a pretty interface. They also discuss Cloudflare's ridiculous hate speech policies.

Risky Biz News: China does its best US APT attribution effort but falls short of the mark

Catalin Cimpanu — Wed, 07 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #677 -- A day late and a dollar short: China doxxes NSA op

Patrick Gray — Wed, 07 Sep 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * China's super spies figure out Rob Joyce ran TAO ops * FBI, French authorities fly to Montenegro to investigate ransomware attack * NEWSFLASH: Cloudflare are still a bunch of Nazi cuddlers * SIM swap drama spills into real world shootings, firebombings * Yandex Taxi hack clogs Moscow streets * The TikTok breach that wasn't * Project Raven veterans get wings clipped * Why recent BGP hijacks are getting a bit concerning * Much, much more This week's show is brought to you by Corelight, the company that maintains Zeek. Corleight's Federal CTO Jean Schaffer joins us in this week's sponsor interview to talk about whether or not the White House's executive order on Zero Trust is actually changing anything.

Risky Biz News: Encryption and privacy pioneer Peter Eckersley has died

Catalin Cimpanu — Mon, 05 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: How OSINT makes clandestine HUMINT difficult

Tom Uren — Mon, 05 Sep 2022 00:00:00 +1000

In this podcast, Seriously Risky Business editor Tom Uren talks to The Grugq about how OSINT is making clandestine HUMINT very difficult these days.

Risky Biz News: Academics find a tiny crack in Apple's Private Relay

Catalin Cimpanu — Fri, 02 Sep 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Seriously Risky Biz #8 -- Why Western propaganda is good, actually

Tom Uren — Thu, 01 Sep 2022 00:00:00 +1000

In this edition of Seriously Risky Business Patrick Gray and Tom Uren talk about why overt western propaganda is good, actually. They also talk about why western intelligence agencies should embrace the investigative methodologies pioneered by OSINT organisations like Bellingcat.

Risky Biz News: Greece tries to downplay its spyware scandal

Catalin Cimpanu — Wed, 31 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #676 -- Okta, Authy users among Twilio hack targets

Patrick Gray — Wed, 31 Aug 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The Twilio breach was actually a big deal * How a Belarusian Cyber Partisans hack burned a GRU illegal * Who wants 25m hashed passwords from Russia? * An NFT we can get behind * How attackers are using game anti-cheat drivers to defeat EDR * Much, much more This week's sponsor interview is with Mike Benjamin, the VP of security research at Fastly. He pops in to argue that your red team needs to actually consider how your apps will cope with bot-driven attacks.

Risky Biz News: Cybercrime groups got bored of RU/UA hacktivism

Catalin Cimpanu — Mon, 29 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Why we hate the term "cyberwar"

Tom Uren — Sun, 28 Aug 2022 00:00:00 +1000

In this podcast, Seriously Risky Business newsletter author Tom Uren and espionage connoisseur The Grugq talk about why they hate the term cyberwar. What is it even supposed to mean?

Seriously Risky Biz: What the Lloyd's of London decision means for governments

Tom Uren — Fri, 26 Aug 2022 00:00:00 +1000

This podcast is a discussion between Patrick Gray and Tom Uren on the big stories affecting people in cyber policy. It’s based on the latest Seriously Risky Business newsletter, which you can find here.

Risky Biz News: Rare pro-Western influence operation caught and exposed

Catalin Cimpanu — Fri, 26 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Explosive whistleblower report exposes Twitter's shoddy security

Catalin Cimpanu — Wed, 24 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #675 -- The problem with Mudge's whistleblowing complaint

Patrick Gray — Wed, 24 Aug 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * A deep look at Mudge's sensational whistleblower complaint against Twitter * Brazilian Federal Police raid Lapsus$ crew * NSO CEO to stand down (again), 100 staff to be let go * Signal users impacted in Twilio incident * Tornado Cash OFACs around and finds out * Much, much more This week's show is brought to you by Greynoise. Its founder, Andrew Morris, joins the show with a stinging critique of the wider threat intelligence industry. Don't miss that one.

RBTALKS3: Vitali Kremez on the impending downfall of the RaaS ecosystem

Catalin Cimpanu — Tue, 23 Aug 2022 00:00:00 +1000

Vitali Kremez, CEO of Advanced Intelligence, talks to Risky Business about the impending downfall of the Ransomware-as-a-Service ecosystem, as major ransomware gangs are slowly moving to corporate hack-steal-extort-or-leak schemes, with no encryption involved.

Risky Biz News: Bitcoin ATMs hacked

Catalin Cimpanu — Mon, 22 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Between Two Nerds: Predatory Sparrow, the "hacktivist crew" obsessed with norms

Tom Uren — Mon, 22 Aug 2022 00:00:00 +1000

In this podcast, Seriously Risky Business newsletter author Tom Uren and espionage connoisseur The Grugq discuss Predatory Sparrow's remarkably responsible attacks.

Risky Biz News: CyberCom faces staffing issues

Catalin Cimpanu — Fri, 19 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Programmers will need to learn to love MFA, even if they like it or not

Catalin Cimpanu — Wed, 17 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Is ransomware going after the Global South? Sure looks like it!

Catalin Cimpanu — Mon, 15 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: Okta's Brett Winterford on session cookie theft and mitigations

Patrick Gray — Tue, 09 Aug 2022 00:00:00 +1000

In this edition of the Soap Box podcast Okta's APAC CISO and former Risky Biz editor Brett Winterford talks about how attackers are getting much better at swiping session cookies via realtime phishing and malware. He also talks about some mitigation strategies to combat this threat and introduces the concept of continuous authentication.

Between Two Nerds: Why some APT crews don't care about OPSEC

Tom Uren — Sun, 07 Aug 2022 00:00:00 +1000

In this podcast, Seriously Risky Business newsletter author Tom Uren and espionage connoisseur The Grugq discuss why some APT crews have zero interest in maintaining secrecy in their operations.

Risky Biz News: FIRST releases TLP v2.0

Catalin Cimpanu — Fri, 05 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz #6 -- On Spyware, More Sanctions Please

Tom Uren — Thu, 04 Aug 2022 00:00:00 +1000

Risky Biz News: Would a tax relief for SMBs improve cybersecurity postures and ransomware defenses?

Catalin Cimpanu — Wed, 03 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #674 -- "Free money" exploit spawns $150m blockchain feeding frenzy

Patrick Gray — Wed, 03 Aug 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Taiwan tensions fail to conjure the cyber apocalypse * Crypto bridge exploit results in $150m feeding frenzy * Chainalysis evidence to be challenged in court * Post-quantum NIST candidate algorithm gets smoked * DSIRF's Russia links * Much, much more This week's sponsor interview is with Jerrod Chong from Yubico. He's joining the show to talk about why consumer-focussed implementations of Webauthn like Apple's Passkeys aren't a great enterprise solution.

Risky Biz News: Confluence servers under attack due to hardcoded password

Catalin Cimpanu — Mon, 01 Aug 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz #5 -- US DNI will monitor the commercial spyware industry

Tom Uren — Fri, 29 Jul 2022 00:00:00 +1000

Risky Biz News: Microsoft puts the limelight on another spyware maker—DSIRF from Austria

Catalin Cimpanu — Fri, 29 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft mitigates PPL exploit after four years

Catalin Cimpanu — Wed, 27 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #673 -- When throwing computers into a woodchipper is standard IR

Patrick Gray — Wed, 27 Jul 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Why Entrust being ransomwared is good news * UEFI bootkits turn hardware into landfill * Microsoft resumes macro blocking rollout * Pat and Adam talk about why plugging your IDP into legacy apps is a dreadful idea * Much, much more This week's sponsor guest is Paul "The Voice" Lanzi of Remediant. He's popping along to talk about the emergence of a new product category – Identity Threat Detection and Response, or ITDR.

RBTALKS2: How the Belarusian Cyber Partisans learned from real spies

Catalin Cimpanu — Mon, 25 Jul 2022 00:00:00 +1000

Catalin Cimpanu will be back later this week with more Risky Business News podcasts, but until then we've got this great feature interview for you. In this podcast interview Seriously Risky Business newsletter writer Tom Uren talks to The Grugq about the Belarusian Cyber Partisans. The group first emerged in 2019 to zero fanfare when its early campaigns fell flat. But its tactics have improved and these days it's giving the Belarusian government some serious headaches. They’ve disrupted railways, infiltrated intelligence agencies and stolen massive government databases and troves of Belarusian audio intercepts including Interior Ministry intercepts from foreign embassies in Belarus. But how did they evolve into an effective group? We think it’s because they’ve independently reinvented how professional intelligence agencies do business. We talk about the Cyber Partisans and the intelligence cycle, which encompasses planning, collection, processing and exploitation, analysis and dissemination. Grugq and Tom discuss the Cyber Partisans in relation to the intelligence cycle and how the group is not only doing collection and exploitation but has more recently invested in analysis and dissemination, turning raw intelligence into something that will have impact.

RBTALKS1: Yuriy Ackermann on securing Ukraine with security keys

Catalin Cimpanu — Fri, 22 Jul 2022 00:00:00 +1000

Yuriy Ackermann, VP of War Efforts at Hideez, talks to Risky Business about the company's latest project to protect the Ukrainian government and its critical sector entities against Russian cyberattacks by rolling out tens of thousands of Yubikey security keys.

Srsly Risky Biz #4 -- The Global Internet is Dead

Tom Uren — Thu, 21 Jul 2022 00:00:00 +1000

Risky Business #672 -- "Expected behaviour" is in the eye of the beholder

Patrick Gray — Wed, 20 Jul 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * A look at the DHS Cyber Safety Review Board's Log4j report * Joshua Schulte no longer the "alleged" Vault7 leaker * Chinese APT crews targeted US political journalists before Jan 6 * Ransomware gangs make leak sites searchable * Why recovering plaintext passwords from Okta is expected behaviour * US Government seizes North Korean ransomware payment * Much, much more This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he'll tell us about work Trail of Bits did for DARPA on investigating blockchain security fundamentals.

Risky Biz News: Google removes app permissions from the Play Store

Catalin Cimpanu — Mon, 18 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Chinese APT targeted White House reporters ahead of Jan. 6 insurrection

Catalin Cimpanu — Fri, 15 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: New side-channel attack disclosed in Intel and AMD processors

Catalin Cimpanu — Wed, 13 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #671 -- The case for an American-owned NSO Group

Patrick Gray — Wed, 13 Jul 2022 00:00:00 +1000

On this week's show Patrick Gray and guest cohost Dmitri Alperovitch discuss the week's security news, including: * Why an American defence contractor acquiring NSO Group would be a nonproliferation win * A look at Microsoft's botched macro measures * iPhone's Lockdown Mode * Ukraine goes big on Yubikeys * Aerojet Rocketdyne pays millions over poor security controls, CISO whistleblower gets bag of cash * Much, much more This week's show is sponsored by Proofpoint. Ryan Kalember, Proofpoint's Executive Vice President of Cybersecurity Strategy, joins us in this week's sponsor interview to talk about changes he's observed in the criminal ecosystem.

Risky Biz Soap Box: Running a global vulnerability management program

Patrick Gray — Mon, 11 Jul 2022 00:00:00 +1000

Today's soap box is brought to you by Nucleus Security. Nucleus makes a platform that ingests vulnerability scan information from all your vuln scanning tech so that you can do things like assign different vulnerabilities to different teams to manage and remediate. Send these ones to infrastructure, send these ones to app teams, send everything up and down this stack to this department etc. If you want to see Nucleus in action I have recorded a demo and it's on our YouTube product demos page, I've linked through to it in the show notes for this podcast. Our guest in this episode is Scott Kuffer, co-founder of Nucleus, and the topic is running a vulnerability management program in a very large enterprise.

Risky Biz News: Thousands of Yubikeys have been deployed in Ukraine, more to come

Catalin Cimpanu — Mon, 11 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Apple debuts Lockdown Mode to protect users against high-end spyware

Catalin Cimpanu — Fri, 08 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz #3 — China Gonna China

Tom Uren — Thu, 07 Jul 2022 00:00:00 +1000

This podcast is a discussion between Patrick Gray and Tom Uren on the big stories affecting people in cyber policy. It's based on the latest Seriously Risky Business newsletter, which you can find here.

Risky Biz News: China faces its first truly mega-leak

Catalin Cimpanu — Wed, 06 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #670 -- China's world record data breach

Patrick Gray — Wed, 06 Jul 2022 00:00:00 +1000

On this week's show Patrick Gray and guest cohost Mark Piper discuss the week's security news, including: * A billion records leaked in China * China to develop desktop operating system * HackerOne fires insider for stealing hackers' work and bounties * FSB officer charged with stealing hacker's bitcoin * Why Microsoft is wrong on Russia and Ukraine * Much, much more Red Canary's Adam Mashinchi and Brian Donohue will be along in this week's sponsor interview to talk about Atomic Red Team, the open source adversary emulation framework they help to maintain.

Risky Biz News: HackerOne discloses malicious insider incident, and nobody's surprised

Catalin Cimpanu — Mon, 04 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Half of 2022's zero-days are variants of older vulnerabilities

Catalin Cimpanu — Fri, 01 Jul 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz #2 — Israel's Implausible Deniability

Tom Uren — Thu, 30 Jun 2022 00:00:00 +1000

Risky Biz News: Hackers hit Iranian steel industry

Catalin Cimpanu — Wed, 29 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #669 -- Finally, an ICS attack that made stuff explode!

Patrick Gray — Wed, 29 Jun 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Activists who are totally not Israeli military hackers make Iranian steel mills firebally * Chinese APT crews use ransomware to muddy attribution * Attackers are now ransoming cloud access * Chinese APTs using building control systems for persistence and stealth * USA, UK and NZ govts issue PowerShell advice * Much, much more This week's show is brought to you by Material Security. JJ Agha, CISO at Compass, joins the show to talk about how he's using it to make phishing triage and automation less traumatic.

Risky Biz News: US critical infrastructure needs better cyber insurance coverage

Catalin Cimpanu — Mon, 27 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: HD Moore on taking Rumble to the cloud

Patrick Gray — Sun, 26 Jun 2022 00:00:00 +1000

Today's Soap Box guest is an industry legend -- Metasploit creator HD Moore. He's here to tell us more about what's happening with his latest creation, Rumble Network Discovery.

Risky Biz News: Google TAG says it tracks 30 surveillance vendors

Catalin Cimpanu — Fri, 24 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Srsly Risky Biz #1 — TikTok can't unscramble it's data omelette

Tom Uren — Thu, 23 Jun 2022 00:00:00 +1000

Risky Biz News: Hackers blamed for false air raid sirens in Israel

Catalin Cimpanu — Wed, 22 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #668 -- Microsoft is hiding its Azure security problems

Patrick Gray — Wed, 22 Jun 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Paige Thompson guilty of Capital One hack * Microsoft is hiding serious Azure security issues * New Australian government lobbying for Julian Assange * How to ransomware documents in the cloud * Microsoft stops Windows 10/11 downloads in Russia * Belarusian cyber partisans obtain spy agency's audio recordings * Much, much more This week's edition of the show is brought to you by Gigamon. Josh Day, Gigamon's Director of applied threat research team, will be along in this week's sponsor interview to talk about detecting badness on your network in encrypted traffic.

Risky Biz News: Germany indicts GRU hacker for NATO think tank breach

Catalin Cimpanu — Mon, 20 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Top websites have sucky password policies

Catalin Cimpanu — Fri, 17 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft accused of concealing Azure vulnerabilities

Catalin Cimpanu — Wed, 15 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Google shuts down YouTube Russian propaganda channels

Catalin Cimpanu — Mon, 13 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #667 -- "Shields Up" for cyber's forever war

Patrick Gray — Mon, 13 Jun 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * "Shields Up" advice is now provably meaningless * Russia to ditch offshore comms apps like WhatsApp * Evil Corp's Lockbit sanctions evasion attempt backfires * Binance is a cesspit of shady financial dealings * Apple's passkey release foreshadows FIDO mass adoption * Much, much more This week's sponsor interview is about Elastic's teardown on some really interesting APT linux malware called BPFdoor. Jake King and Colson Wilhoit joined the show for that interview.

Risky Biz News: BPF malware is now a thing

Catalin Cimpanu — Fri, 10 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: LockBit-Mandiant drama, explained

Catalin Cimpanu — Wed, 08 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft disrupts Bohrium APT infrastructure

Catalin Cimpanu — Mon, 06 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Website defacements and CCTV hacks in Iran

Catalin Cimpanu — Fri, 03 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Russia orders Google to remove Tor Browser from Russian Play Store

Catalin Cimpanu — Wed, 01 Jun 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #666 -- The msdt RTF of DOOM

Patrick Gray — Tue, 31 May 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The msdt/office lolbinapalooza * Microsoft to introduce sensible defaults to Azure * Twitter fined $150m for sms 2fa spam * It turns out npm got owned in that Heroku/Travis CI thing * AWS cred-stealing supply chain attack was research your honour, I swear! * Much, much more We'll be chatting with Airlock Digital co-founder and CTO Daniel Schell in this week's sponsor interview. He'll be walking us through some of his own research into how to own Microsoft boxes via document-embedded office add-ins.

Risky Biz News: Threat actor stole data for 100,000 npm users

Catalin Cimpanu — Mon, 30 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft will enable better security defaults for all Azure AD tenants next month

Catalin Cimpanu — Fri, 27 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Python and PHP libraries hijacked to steal AWS keys

Catalin Cimpanu — Wed, 25 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business -- #665 You can ransomware whole countries now

Patrick Gray — Wed, 25 May 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Conti's war against Costa Rica * DoJ revises CFAA guidance * Naughty kids get access to DEA portal * A look at a Russian disinfo tool * PyPI and PHP supply chain drama * Much, much more This week's show is brought to you by Thinkst Canary. Its founder Haroon Meer will join us in this week's sponsor interview to talk about what might happen to infosec programs now the world economy is getting all funky.

Risky Biz News: STAR Labs wins Pwn2Own 2022

Catalin Cimpanu — Mon, 23 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

SAMPLE PODCAST: Risky Biz News: FSB-linked DDoS tool could also be used for disinformation campaigns

Catalin Cimpanu — Fri, 20 May 2022 00:00:00 +1000

The following is a sample of our latest podcast, Risky Business News, which is published into a new RSS feed. It's a short podcast published three times a week that updates listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: FSB-linked DDoS tool could also be used for disinformation campaigns

Catalin Cimpanu — Fri, 20 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz Soap Box: While you're watching a quiet one a noisy one will kill you

Patrick Gray — Wed, 18 May 2022 00:00:00 +1000

In this Soap Box edition of the show Proofpoint's EVP of Cybersecurity Strategy Ryan Kalember joins host Patrick Gray to talk about why some security spending is just misguided. So much of the infosec industry is geared towards protecting organisations against exotic threats when, really, the trifecta of ransomware, BEC and staff being careless with data are the thing that will sink them.

Risky Biz News: New Bluetooth relay attack bypasses current defenses

Catalin Cimpanu — Wed, 18 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Zyxel firewalls and VPN devices come under attack

Catalin Cimpanu — Mon, 16 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Musk says Russia has ramped up efforts to hack Starlink

Catalin Cimpanu — Fri, 13 May 2022 00:00:00 +1000

Correction: Joseph "Rich" Baich is the new CIA CISO, not its new CIO. This was reported correctly in the newsletter but a word was dropped during the podcast script read. Sorry about that! A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: EU, Five Eyes condemn Russia's Viasat hack

Catalin Cimpanu — Wed, 11 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Costa Rica declares national emergency after ransomware attack

Catalin Cimpanu — Mon, 09 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Apple, Google, and Microsoft commit to passwordless logins

Catalin Cimpanu — Fri, 06 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: SEC expands crypto cyber fraud team

Catalin Cimpanu — Wed, 04 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #664 -- The Spanish Prime Minister got Pegasus'd

Patrick Gray — Wed, 04 May 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Spanish PM's phone infected by Pegasus * Microsoft drops Ukraine research report * We can't make heads or tails out of the FBI's transparency report * France hit with coordinated fibre sabotage campaign * Why Musk's algorithm pledge is meaningless * Much, much more This week's sponsor interview is with ExtraHop Networks' CEO Patrick Dennis. He's joining us this week to talk about how you can turn "Shield's Up!" advice into something actionable.

Risky Biz News: Side-channel attacks discovered in Apple CPUs; new twist in Kronos ransomware attack fallout

Catalin Cimpanu — Mon, 02 May 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: Microsoft saw Russia pre-position a year before invasion

Catalin Cimpanu — Fri, 29 Apr 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Biz News: VirusTotal denies vulnerability report; and some NFT apes got stolen... again

Catalin Cimpanu — Wed, 27 Apr 2022 00:00:00 +1000

A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here.

Risky Business #663 -- Israel cracks down on spyware exports

Patrick Gray — Wed, 27 Apr 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Israel Ministry of Defence is denying a lot of spyware export licences * Private detective in New York pleads guilty over BellTroX shenanigans * Scammers enrol stolen credit cards into Apple Pay * The Blackcat ransomware crew is very active right now * VirusTotal shells lol * Much, much more This week's sponsor interview is with Okta's Brett Winterford, who talks in detail about the company's brush with the Lapsus$ hacking crew. It's unusual for a sponsor interview to be a must listen, but here we are.

Risky Business #662 -- It's a bad month to be an electricity grid

Patrick Gray — Thu, 21 Apr 2022 00:00:00 +1000

On this week's show Patrick Gray, Adam Boileau and Dmitri Alperovitch discuss the week's security news, including: * Ukraine foils Russian ICS hack * US Government burns someone's ICS toolkit * China gets all up in India's energy gridz * The Heroku/Hithub/Travis CI story is very confusing * US DOJ removes GRU malware from Watchguard boxes under Rule 41 * North Korea behind $540m crypto hack * Much, much more This week's sponsor interview is with Scott Kuffer, co-founder of Nucleus Security, and Jared Semrau of Mandiant. They'll be joining us to talk about how you can now plug Mandiant data into the Nucleus vulnerability scan aggregator.

Snake Oilers: Vectra, Google Security and SecureStack

Patrick Gray — Wed, 13 Apr 2022 00:00:00 +1000

Snake Oilers isn’t our regular weekly podcast, it’s a wholly sponsored series we do at Risky.Biz where vendors come on to the show to pitch their products to you, the Risky Business listener. To be clear – everyone you hear in one of these editions, paid to be here. We'll hear from three vendors in this edition of Snake Oilers: * Kevin Kennedy from Vectra talks about the company's cloud native detection -- it crunches stuff like CloudTrail and AzureAD logs and correlates it with network event information * Paul McCarty from SecureStack on its software composition analysis and "SBOM plus" tool * Google Cloud's Anton Chuvakin talks about cloud-based SIEMs like Chronicle

Risky Business #661 -- Viasat hack details firm up

Patrick Gray — Wed, 06 Apr 2022 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Why Spring4Shell isn't all hype * How Viasat actually got owned * Russian war crimes likely extend to coercing sysadmis * Why lighter fluid and a box of matches is more effective than cyber in Belarus * Much, much more This week's sponsor interview is with Bernard Brantley, Corelight's Chief Information Security Officer. Corelight makes a network sensor you can use to plug in to your SIEM, among other things. It's based on Zeek, the open source network sensor that Corelight maintains. Corelight is absolutely the industry standard for this sort of thing. And they've just become the standard for something else, too: Microsoft Defender for IoT can now accept Corelight feeds. Bernard fills us in on that.

Snake Oilers: PentesterLab, AttackForge and Sysdig

Patrick Gray — Mon, 04 Apr 2022 00:00:00 +1000

Snake Oilers isn't our regular weekly podcast, it's a wholly sponsored series we do at Risky.Biz where vendors come on to the show to pitch their products to you, the Risky Business listener. To be clear -- everyone you hear in one of these editions, paid to be here. We'll hear from three vendors in this edition of Snake Oilers: * Upskill your testers and developers with PentesterLab for US$20 a month * Manage penetration tests and reporting with AttackForge * How Sysdig can help herd your container cats (vuln management and detection for container environments)

Risky Business #660 -- Lapsus$ arrests, latest on Okta incident

Patrick Gray — Wed, 30 Mar 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Some arrests of suspected Lapsus$ members in the UK * Why the Okta incident is probably a fizzer * Four FSB officers indicted over Triton/Trisis malware * Kim Zetter interviewed Intrusion Truth * Australian government to upsize ASD * Wave bye bye to Finfisher * Much, much more This week's sponsor interview is with Mike Wiacek from Stairwell. Stairwell makes a product that catalogues the files in your environment and lets you slice and dice that data. That makes threat hunting pretty easy and Mike is joining the show this week to talk about why organisations of all stripes should be doing threat hunting.

Risky Biz Soap Box: Why allowlisting is ready for prime time

Patrick Gray — Thu, 24 Mar 2022 00:00:00 +1100

Airlock Digital co-founders Daniel Schell and Dave Cottingham join host Patrick Gray to talk about: * What an effective allowlisting program looks like * Why the third party allowlisting industry failed the first time * What you can achieve with Microsoft tooling versus specialist tools * How much effort is involved to do this right

Risky Business #659 -- Okta and Microsoft meet LAPSUS$

Patrick Gray — Wed, 23 Mar 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Okta's somewhat awful comms around its LAPSUS$ incident * Inside Microsoft's brush with the same group * How Elon Musk's Starlink service is being used to drop bombs on Russian tanks * US, UK governments warn of impending Russian cyberdoom * Much, much more... This week's sponsor interview is with Paul Lanzi, co-founder of Remediant. Paul joins the show this week to talk about cyber insurance. It's a topic that has come up a lot for us lately -- ransomware has borderline sunk the current cyber insurance model as payments ballooned and payouts made a lot of insurers adjust premiums to the. But all is not lost -- Paul says this blowup means the insurance industry is actually adapting and could wind up being a driver of better security practices. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.

Risky Business #658 -- Germany sounds alarm on Kaspersky software

Patrick Gray — Wed, 16 Mar 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Germany issues stark warning to Kaspersky users * Ukraine SATCOM hack keeps getting more interesting * Russia to spin up its own CA, but it's not what it seems * Why the ransomware threat could get worse, then better * Much, much more This week's show is brought to you by Fastly. Kelly Shortridge, Fastly's Senior Principal Product Technologist, joins the show this week to tell us what modern security actually looks like. Kelly is always fascinating so we were thrilled she was in the sponsor chair this week.

Risky Business #657 -- Belarus targets refugee data

Patrick Gray — Wed, 09 Mar 2022 00:00:00 +1100

On this week's show Patrick Gray, Brian Krebs and Adam Boileau discuss the week's security news, including: * The Contileaks latest * Belarus targeted refugee data. Was it behind the ICRC hack? * How APT41 hacked America's livestock * SATCOM hack in Ukraine may bode ill for Musk * Much, much more Material Security's co-founder Ryan Noon is this week's sponsor guest. He joins the show to talk about a few things, how the building blocks for a whole new generation of security tooling -- like large-scale data crunching tech -- is now just available off the shelf. He also talks us through an integration Material has done with a groovy new SOAR platform called Tines.

Risky Business #656 – We expected a cyberwar but got an infowar

Patrick Gray — Thu, 03 Mar 2022 00:00:00 +1100

On this week's show Patrick Gray, Dmitri Alperovitch and Adam Boileau discuss the week's security news, including: * We expected a cyberwar but got an information war * People with SDR kits are doing SIGINT in Ukraine * Conti has imploded and it’s hilarious * Much, much more This week’s show is brought to you by Proofpoint. Sherrod DeGrippo, Proofpoint’s Vice President of Threat Research and Detection is this week’s sponsor guest. She joins us to talk about how there isn’t really any magic advice she can dispense to protect customers from Russian attacks. There are some show notes below, but they’re not exhaustive.

Risky Biz Soap Box: US Government will embrace "phishing resistant MFA"

Patrick Gray — Mon, 28 Feb 2022 00:00:00 +1100

These Soap Box editions of the show are entirely sponsored -- that means everyone you hear in one of these episodes paid to be here. In this edition we're talking to Yubico's Chief Solutions Officer Jerrod Chong. We do one of these Soap Box podcasts with Jerrod every year. Yubico, of course, is the maker of the Yubikey hardware security device. In this chat with Jerrod we cover a few things -- like the zero trust executive order, hardware-backed web transactions and how the industry leading the charge on security keys right now is actually the cryptocurrency space.

Risky Business #655 -- USG: Expect Russian cyber drama

Patrick Gray — Wed, 23 Feb 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Ukraine sanctions may lead to Russia going "cyber feral" * Brian Krebs links Red Cross breach to Iranian actor * APT10 uses cred stuffing as misdirection * Report: Global logistics behemoth Expeditors ransomwared * NFT thefts still hilarious * Inside the epic KlaySwap hack * Much, much more In this week's sponsor interview Thinkst Canary's Marco Slaviero talks about some work they've done on introducing a "Safety Net" against AWS token enumeration edge cases. That's a very interesting interview.

Risky Biz Feature: "Everyone has a plan until they get punched in the face"

Patrick Gray — Wed, 16 Feb 2022 00:00:00 +1100

There is no weekly news show this week. Instead, we're running this feature interview with Michael Montoya, the CISO of Equinix. This isn't a sponsored interview or anything like that, this podcast was prepared with support from the Hewlett Foundation's Cyber Initiative. Equinix has 9,000 staff and operates 220 data centres globally. Its annual revenue is in the order of USD$6bn. In September 2020 it was attacked by criminals who deployed the Netwalker ransomware on its corporate network. The attackers demanded a USD$4.5m ransom payment for service restoration and to keep the data they stole from the company private. This interview has taken a while to organise, but when I first found out Michael was open to the idea of talking through the incident I jumped at it. It's extremely rare for CISOs to be made available to talk about events like this, but it's something that should happen more often. We can learn a lot by dissecting these types of incidents publicly. Enjoy!

Risky Business #654 -- FBI arrests deeply annoying cryptocurrency influencers

Patrick Gray — Wed, 09 Feb 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * A spate of ransomware attacks on European energy and transport * Russian authorities extend cybercrime crackdown * Irritating influencers arrested for laundering 2016 Bitfinex hack proceeds * IRS abandons ID.me trial * Microsoft disables macros by default, disables MSIX protocol handler * Much, much more This week's show is brought to you by ExtraHop. Extrahop's Ted Driggs is this week's sponsor guest -- he was on the show about a year ago talking about how we should really start thinking about putting together software bills of behaviours as well as bills of material. Ted is back to tell us how that effort is progressing. As you'll hear, a lot of the behavioural data on software already exists, but it's being hoarded by different vendors.

Risky Biz Soap Box: The state of malicious mass scanning with Andrew Morris

Patrick Gray — Thu, 03 Feb 2022 00:00:00 +1100

These soap box podcasts are wholly sponsored -- that means everyone you hear in one of these editions paid to be here. Today's guest is Andrew Morris, the founder and CEO of Greynoise. Greynoise is one of those companies that has a brief that sounds simple but is actually quite hard to execute on. They detect malicious mass scanning on the Internet so their customers can plug that data into their SOC to see if the IP they just got an alert on is something targeting them or something targeting the whole internet. You don't even need to be a customer to get some use out of Greynoise. If you want to know about an IP you've seen an alert for just head over to greynoise.io and drop it into the search box -- magic awaits. Greynoise makes its money by selling API access to its service, basically, and its customers mostly use it for SIEM enrichment. But as you'll hear, Andrew says the company is looking at moving toward actually blocking this type of mass scanning from hitting customer environments, and is even looking at working with telcos to scrub the most egregious stuff from the internet entirely. His rationale is actually pretty simple -- he wants to narrow the aperture through which mass scanning can fit through. He wants to make it harder. But this interview isn't just about what Greynoise doing, it's also about the current state of mass scanning.

Risky Business #653 -- REvil arrests: Sometimes a banana is just a banana

Patrick Gray — Wed, 02 Feb 2022 00:00:00 +1100

On this week's show Patrick Gray, Tom Uren and Joe Slowik discuss the week's security news, including: * Why China's Olympics app is probably not spyware * New DDoS record set at 3.47Tbps * USG goes all in on Zero Trust * Dmitry Medvedev makes all the right noises on ransomware cooperation * Iranian APT crew dabbles in ransomware * German fuel distribution ransomwared * The latest on NSO * Much, much more This week's show is brought to you by Google Cloud. Anton Chuvakin, the head of security solution strategy at Google Cloud will be along in this week's sponsor interview to talk about why SIEM vendors -- including Google Cloud -- are gobbling up SOAR platforms in acquisitions. Links to everything that we discussed are below and you can follow Patrick, Tom or Joeon Twitter if that's your thing.

Risky Business #652 -- Cyber Partisans take down Belarusian rail systems

Patrick Gray — Wed, 26 Jan 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Belarusian Cyber Partisans ransom train network * A look at developments in Ukraine * Merck wins NotPetya insurance lawsuit * US VC firm in talks to acquire NSO Group * Much, much more This week's show is brought to you by Trail of Bits, the security engineering firm. Dan Guido joins us this week week to talk about zkdocs, a bunch of documentation Trail of Bits put together to provide guidance on how to implement some of these newfangled concepts -- like zero knowledge proofs -- that are popular in blockchain and cryptoland.

Risky Business #651 -- Russia's ransomware diplomacy

Patrick Gray — Wed, 19 Jan 2022 00:00:00 +1100

On this week's show Patrick Gray, Adam Boileau and Dmitri Alperovitch discuss the week's security news, including: * Russia arrests REvil crew * Ukraine government hit in messy hacks * White House hosts open source pow-wow, but is it pointless? * US cyber reporting law will come back from the dead * Report: Israeli police targeted activists with NSO but without warrants * Much, much more This week's sponsor interview is with HD Moore, the founder of Rumble. We're talking through what how he and his team helped customers respond to the log4j drama. They quickly added the capability to scan customer's environments for log4shell-affected tech. When asset discovery meets rapid vuln response!

Risky Biz Soap Box: Rolling your own threat intelligence with Steve Miller

Patrick Gray — Fri, 14 Jan 2022 00:00:00 +1100

In this edition of the soap box we're chatting with Steve Miller, a senior researcher at Stairwell. Steve has a long history doing this sort of stuff. He worked inside various bits of the US government doing cyber things, and also spent a decent chunk of his career at Mandiant. His new employer, Stairwell, makes a platform that collects information about all files present in your environment and let's you do some fancy stuff with that information. You'll hear a little bit more about what they do in this interview, but we're not really talking that much about Stairwell in this interview. It's more about the evolution of threat intel. As you'll hear, Steve said the first iteration of the commercial threat intel space was very much born of govvies jumping out and bringing their thinking with them, but the space is evolving. The take away from this interview is that threat intelligence is more something that you do, not something you just blindly consume.

Risky Business #650 -- USG drops Russia advisory as Ukraine tensions mount

Patrick Gray — Wed, 12 Jan 2022 00:00:00 +1100

On this week's show Patrick Gray, Katie Nickels and Joe Slowik discuss the week's security news, including: * US Government warns of impending critical infrastructure hacks * Log4j bug in VMWare gets a workout * Ex Uber CSO Joe Sullivan facing wire fraud charges * Signal to push ahead on cryptocurrency payments * Italian literary nerd busted for running one man APT operation * Much, much more This week's show is brought to you by Okta. Marc Rogers is the executive director of cybersecurity there and he's joining us this week to talk about the log4j bug and some adjacent issues. He's working on a paper with IST about the bug and what it all means, and he's joining us this week to talk about why the log4j drama was different.

Risky Business #649 -- Java being a fiddly mess saves the day

Patrick Gray — Wed, 05 Jan 2022 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The log4j bug wrap * The ransomware wrap * The human rights and surveillance industry wrap * Research and carnage wrap This week's show is brought to you by Airlock Digital. They make allowlisting software that has mostly been used in Windows environments, but as you're about to hear they've now got a very, very nice solution for the bigger Linux distros, and their Mac agent is going to be launched in a few weeks.

Risky Biz Soap Box: Why Thinkst gives its honeytoken tech away for free

Patrick Gray — Fri, 10 Dec 2021 00:00:00 +1100

This isn't the normal weekly news episode of the show, if you're looking for the regular weekly Risky Business podcast, scroll one back in your podcast feed. This is a Soap Box edition, a wholly sponsored podcast brought to you in this instance by Thinkst Canary. For those who don't know, Thinkst makes hardware and virtual honeypots you can put on your network or into your cloud environments -- they'll start chirping if an attacker interacts with them. They're a low cost and extremely effective detection tool. But you might not know that Thinkst also operates canarytokens.org where you can go set up a bunch of honeytokens for free. Hundreds of thousands of people are using canarytokens.org, but Thinkst doesn't charge anything for it, it's free to use. They'll even give you a docker container of the whole thing so you can run it yourself. Our guest today is Thinkst's founder and infosec legend Haroon Meer. He spent a chunk of his career at the South African security consultancy SensePost before founding Thinkst Applied Research and eventually launching Canary.Tools. In this interview we talk about what the industry is getting wrong, supply chain security, effective detections and more. But I started off by asking him why Thinkst hasn't tried to monetise canarytokens.org given how many people use it.

Risky Business #648 -- Adios, 2021, it's been real

Patrick Gray — Wed, 08 Dec 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * NSO Group tools found on US embassy staff phones in Uganda * Mitto is up to shady bidnez * Ubiquiti "whistleblower" charged over hack * Hounds everywhere * Planned Parenthood breached * Much, much more This week's sponsor interview is with Andrew Morris of Greynoise. Greynoise has a bunch of sensors out there on the Internets, so they can tell you when and IP that's hitting you is also hitting everyone else. If you work in a SOC, you know this is very useful. Greynoise has just signed a $30m deal with the US Department of Defense. As Andrew will explain in just a moment, this means if you work in a DoD agency it's now very easy for you to get a subscription. In this interview I also talk to Andrew about his adventures chasing down one of the people spamming Internet attached receipt printers with the antiwork manifesto from Reddit.

Risky Business #647 -- Israel slashes cyber exports, Interpol takes down 1,000 crooks

Patrick Gray — Wed, 01 Dec 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Israel slashes number of countries it will export cyber tools to * Interpol takes down 1,000 Internet fraudsters * Ransomware crews lying low? * When the tabloids do cyber the results are sometimes awesome * Much, much more... This week's sponsor interview is with Ryan Kalember of Proofpoint. He's the EVP of Cybersecurity Strategy there and he's joining me this week to talk about how investment activity in cybersecurity is basically leaving everyone who isn't a mega enterprise behind.

Risky Business #646 -- Apple cracks the sads, sues NSO Group

Patrick Gray — Wed, 24 Nov 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Apple sues NSO Group and it's all a bit weird * Israel charges defence minister's house cleaner with Iranian hacker collusion (really) * USA charges two Iranians over "Proud Boy" emails * Cyber insurers nope out of comprehensive coverage * Prodaft shells Conti, drops report like it's a Normal Thing * Much, much more This week's show is sponsored by VMRay. We'll be chatting with one of VMRay's customers in this week's sponsor interview. Jim Byrge works on the CSIRT team at Valvoline, and he'll be along to talk about how they replaced their ageing, in-house developed SOAR platform with commercial tools. It was still harder than it should be in 2021, but they got there in the end.

Risky Biz Soap Box: DDoS crews will hit you creatively

Patrick Gray — Fri, 19 Nov 2021 00:00:00 +1100

In this edition of the Risky Biz Soap Box podcast we chat with Sean Leach, the Chief Product Architect at Fastly, about the history and current status of the DDoS ecosystem. Despite never really making money for criminals, DDoS attacks are still a problem. CDNs have soaked up a lot of the problem, so DDoS crews are getting creative. Do you know where you're vulnerable?

Risky Business #645 -- How Israel used NSO to make friends in low places

Patrick Gray — Wed, 17 Nov 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Watering hole attacks are getting much better * How Israel's government used NSO to strengthen its diplomatic ties * Randori sat on some PAN 0day. This is fine. * Facebook outs state-backed ops * FBi has unfortunate incident with its mail boxes * Much, much more This week's sponsor interview is with HD Moore. He's the founder of Rumble, the network asset discovery scanner, and he's joining us to talk about some new tricks he's added to the product, like integrations with cloud service APIs and external discovery products like Censys.

Risky Biz Soap Box: Linux is an infrastructure OS, act accordingly

Patrick Gray — Fri, 12 Nov 2021 00:00:00 +1100

In this edition of the Soap Box podcast we're chatting with Jake King. Jake is a co-founder of Cmd Security, a Linux Security startup that was recently acquired by Elastic. Cmd's technology basically started out as a control and visibility tool for Linux systems that could restrict user actions. But over time, the product evolved to be more detection and response oriented. In this interview we talk to Jake about why Cmd wound up where it is, product wise, and what customers can expect now his company has been swept up by Elastic as a part of its broader push into XDR, or Extended Detection and Response.

Risky Business #644 -- USA sanctions NSO Group, hits REvil

Patrick Gray — Wed, 10 Nov 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * US sanctions NSO, Candiru, COSEINC and Positive Technologies * We wrap up the action in ransomware * Why exploit tournaments are boring in America and exciting in China * More malicious npm packages in the wild * Pentagon updates CMMC to 2.0 * Much, much more We'll hear from Corelight's CISO Bernard Brantley in this week's sponsor interview. We're talking about how attackers think in graphs and defenders think in lists.. Microsoft's John Lambert wrote a post about that back in 2015, and Bernard joins the show this week to talk about why it's just as relevant as ever. Stick around for that one.

Risky Business #643 -- Iranian fuel stations targeted, PNG ransomware a regional security risk

Patrick Gray — Wed, 03 Nov 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Someone took down Iranian fuel stations * Papua New Guinea ransomware attack is pretty grim stuff * Russia's SVR still going berserk in cloudtown * China Telecom America gets the boot * Much, much more We'll be hearing from Senetas CEO Andrew Wilson in this week's sponsor interview. He's joining us to talk about how the global semiconductor shortage is making him a very, very sad panda.

Risky Biz Feature Interview: Mark Dowd on the 0day market and future of exceptional access

Patrick Gray — Tue, 19 Oct 2021 00:00:00 +1100

This feature podcast was made possible by the Hewlett Foundation's Cyber Initiative. The foundation has given us grant funding to produce this podcast series, which is designed to educate policymakers in cybersecurity so they can make better decisions. In this edition you'll hear an interview I recorded with Mark Dowd. Mark is a world-renowned security researcher who, some years ago, co-founded a company called Azimuth Security. As you'll hear, the original plan was to provide security research and consulting services to vendors. But, pretty quickly, Azimuth became a serious player in offensive security, selling exploits and other tools to government agencies in the Five Eyes countries. We recorded this interview touching on the history of Azimuth, what the public gets wrong when talking about 0day and surveillance, and were this whole thing could go -- especially considering writing memory corruption exploits is getting so much harder.

Risky Business #642 -- Brits, Dutch and Aussies embrace Hounds Doctrine

Patrick Gray — Wed, 13 Oct 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * UK, Netherlands and Australia promise offensive response to big ticket ransomware * Wave of major cyber regulation and legislation in USA * Iran up in yer O365s, Russians in yer gmails * Submarine spy guy would have been fine, if he didn't make one very big mistake * Much, much more Jonathan Reiber is this week's sponsor guest. He's senior director of cybersecurity at AttackIQ and he's joining us to talk through the US Government's executive order on Zero Trust. Jonathan says it is actually born of a realisation the US government needs to do something differently, that the old approaches aren't working.

Risky Business #641 -- Lawsuit: Ransomware contributed to baby's death

Patrick Gray — Wed, 06 Oct 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Group-IB CEO arrested in Russia for treason * Lawsuit alleges ransomware contributed to hospitalised baby's death * Nakasone outs self as hound release advocate * Syniverse owned, but we don't know how badly * Why Google keyword warrants are awesome * Much, much more... Nucleus co-founder Scott Kuffer is this week's sponsor guest and the topic is actually a bit hilarious. They've found a killer use case that customers are clamouring for: Being able to map vulnerabilities to org groups within your enterprise so you can see who's slacking off when it comes to patching.

Risky Biz Snake Oilers: Mike Wiacek launches Stairwell, Red Canary on modern MDR and Datadog pitches full stack monitoring

Patrick Gray — Fri, 01 Oct 2021 00:00:00 +1000

In this edition of the Snake Oilers we’ll hear pitches from three vendors: * Stairwell! A new startup from Chronicle Security co-founder Mike Wiacek * Red Canary explains what modern managed detection and response looks like * Pierre Betouin from Datadog talks about the challenges around bringing together DevOps and Security while providing full-stack security Links to everything we talked about are in the show notes.

Risky Business #640 -- Huh. The CIA really was out to neck Assange

Patrick Gray — Wed, 29 Sep 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The amazing Yahoo! News story on the former CIA director's awesome brainwaves * Hostage diplomacy pays off for Huawei CFO * NSA releases great guidance on VPN security * Microsoft has actually hired a cybersecurity executive * Much, much more This week's show is brought to you by Material Security. Material's co-founder Ryan Noon will be along in this week's sponsor interview to talk about smarter ways to do email retention and destruction. They have a product that interfaces with your mail provider's API -- whether you're on Google Workspace or O365 -- to do things like archive and redact email, and they're finding their customers are using these features to actually implement retention email strategies.

Risky Business #639 -- USA's ransomware non-policy fails to meet its unstated objective

Patrick Gray — Wed, 22 Sep 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * BlackMatter is back in the USA's critical supply chain * The FBI and friends apparently got up in REvil's business * The Azure OMI thing is totally the disaster we were expecting * Much, much more Brett Winterford is this week's sponsor guest. These days Brett is a senior director of cybersecurity strategy at Okta, but the reason you might recognise his name is because he took a year off working for vendors to be our newsletter author -- he was the founding editor of the Seriously Risky Business newsletter. He'll be along to talk about legacy auth and why vendors should have deprecation policies.

Risky Business #638 -- Licensed to Pwn

Patrick Gray — Wed, 15 Sep 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * Apple 0day has everyone freaking out * So much more 0day in the wild * American Project Raven staffers settle with DoJ * Two absolutely bonkers Azure security problems * SEC tells corporate America to spill on breaches * Much, much more In this week's sponsor interview Gigamon's security product manager Fayyaz Rajpari will be along to talk about some of the work they've been doing to integrate their NDR product with Crowdstrike.

Snake Oilers: Get Signal Sciences in your CDN, automate canary generation and cloud your SIEM!

Patrick Gray — Fri, 10 Sep 2021 00:00:00 +1000

Snake Oilers: Get Signal Sciences in your CDN, automate canary generation and cloud your SIEM! Three solid pitches in this edition... In this edition of the Snake Oilers we'll hear pitches from three vendors: * Brian Joe from Fastly talks about its integration of the Signal Sciences WAF into its CDN * Ben Whitham and Dan Holman talk about HoneyTrace, a canary creation and monitoring automation play * Anton Chuvakin from Google Cloud talks about cloud native SIEMs Links to everything we talked about are in the show notes.

Risky Business #637 -- Infosec's bigfoot

Patrick Gray — Wed, 08 Sep 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * Apple backs down on CSAM measures * FTC shuts down spouseware company * REvil is back! * Confluence boxes are getting owned a lot * Trickbot crew member arrested in South Korea * The Juniper/NSA backdoor story just keeps on truckin' This week's show is brought to you by Thinkst Canary. Thinkst's Jacob Torrey is this week's sponsor guest. He pops by to tell us about the relaunch of Thinkstscapes, a fantastic quarterly publication that analyses security research. (Editor's note: Dmitri Alperovitch is a guest in this podcast and wishes to express his gratitude to Matthew Green of Johns Hopkins University for helping guide him on the Juniper story.)

Risky Business #636 -- Victims are shunning data extortion payments

Patrick Gray — Wed, 01 Sep 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * More info on the Belarusian Cyber Patriots * How infosec overhyped election security risks * Is data ransoming dying? * All about the Azure Cosmos DB drama * Much, much more... In this week's sponsor interview Airlock Digital's Daniel Schell and David Cottingham join the show to talk about EDR bypasses. They are a thing.

Risky Biz Soap Box: Bad incentives make Microsoft a villain again

Patrick Gray — Fri, 27 Aug 2021 00:00:00 +1000

In this edition of the Soap Box podcast we'll be hearing from Ryan Kalember, the EVP of cybersecurity strategy at Proofpoint, a company best known for being an email filtering giant. Proofpoint's biggest challenger in that space is Microsoft, and if you've been paying attention you'd know that Microsoft is doing an absolutely massive push into the security space. It claims security is a $10bn revenue centre for the company, which is a bit of a screwy situation given a lot of the insecurity its security products mitigate is introduced through deficiencies in its core products. And, largely, that's what this interview is about -- the screwy incentives that are driving Microsoft's decisionmaking. More emphasis on security product development, and less effort on securing its core products. Of course it's self-serving for Ryan and Proofpoint to give Microsoft a kicking, given Redmond is its primary competitor. But the thing is, Ryan makes some very good points. We talk about the incentives thing, and then we talk about why active directory is a trashfire and why the replication of the domain trust model in AzureAD is going to eventually bite us all in the ass. The circle of life, enterprise computing fail edition. Enjoy.

Risky Business #635 -- Owned via telnet? Must be "highly sophisticated attackers"!

Patrick Gray — Wed, 25 Aug 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * T-Mobile owned hard * USA no fly list winds up on unsecured ElasticSearch in Bahrain... because reasons * Facebook scrambles to secure Afghani accounts * Hacker steals and returns $600 from de-fi platform * Healthcare sector struggles with ransomware attacks * A very sweet TCP-based amplification technique that will be A Problem * Much, much more Evan Sultanik and Dan Guido will be joining us to talk about Fickling -- a tool developed by Trail of Bits to do unnatural things to the Python Pickle files that are heavily used as a means to share machine learning models. The machine learning supply chain is really quite wobbly, and they'll be joining us later to talk about that.

Risky Biz Soap Box: HD Moore talks Rumble and DCE/RPC party tricks

Patrick Gray — Tue, 17 Aug 2021 00:00:00 +1000

I am stoked to be publishing this interview. This Soap Box is brought to you by Rumble, the asset discovery company founded by HD Moore. For those of you who don't know, HD is a security legend, having done all sorts of amazing research over the years and creating Metasploit all the way back in 2003. This guy, as you'll hear, vibrates at a slightly higher frequency than the rest of us. He's one of those people who's not only insanely talented, but he's also insanely hardworking, which is why we get to have nice things like Metsaploit and, now, Rumble. So: What is Rumble? It's is an active asset discovery tool. You set it loose on your network and it shows you what's there... but this isn't your grandma's portscanner. This thing can see through walls and around corners, and what it finds will genuinely blow you away. A couple of weeks ago a guy by the name of Tom Lawrence did an awesome 15 minute demo of Rumble for his YouTube channel. I would highly recommend you watch it, even before you listen to this podcast. He does a fantastic job of demoing the product and showing that it's able to make sense of what it sees to a very surprising degree. Tom demos it on a small network, but yeah, it scales -- HD says Rumble counts a Fortune 5 among its customers. Anyway, what HD has done with Rumble is create a tool -- a lightweight scanner you can run from basically anywhere in a network -- that will show you networks you didn't know existed, it'll identify devices with ridiculous granularity... it can even tell you if a windows box has EDR on it or a wireless card installed, all with an unauthenticated network scan.

Risky Business #634 -- Major hacks to shake up Belarusian KGB

Patrick Gray — Wed, 11 Aug 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * The United States backing away from "releasing the hounds" * Apple has dropped its lawsuit against Corellium * "Activists" dox Belarusian security apparatus * Another sign hiding IR reports behind legal privilege is looking shaky * Apple implements new child protection tech * Much, much more After this week's news we'll hear from Matt Cauthorn from ExtraHop Networks in this week's sponsor interview. We'll be talking about ransomware hack and leak and about how ransomware crews are losing credibility. You used to be able to actually trust them to just unlock you or keep your data private, but that's not so much the case anymore.

Risky Business #633 -- President grandpa rattles sabre at cloud

Patrick Gray — Wed, 04 Aug 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * US President Joe Biden says next shooting war will result from cyber incident * The Sun tabloid reports UK government weighing "cyber strike" against Iran * Australia, UK and USA release list of most commonly used CVEs * NSA drops Kubernetes security guide * Much, much more! This week's show is brought to you by Cmd Security. It makes what can best be described as a security agent for Linux. It can handle everything from user action restriction to IDR functionality, and Cmd's co-founder Jake King will be along in this week's sponsor slot to talk about what he's seeing out there in Linux land. Jake says there's a big cloud modernisation push happening right now as people re-architect their "legacy cloud" infrastructure into more modern setups.

Risky Biz Soap Box: VMRay talks about its second line of defence for email security

Patrick Gray — Mon, 02 Aug 2021 00:00:00 +1000

In this sponsored edition of the Risky Biz Soap Box podcast VMRay's VP of Products Uriel Cohen joins me to talk about its Email Threat Defender product. They've glued some automated sandbox analysis to their fancy phishing/link analysis/detection tech and they're pitching it as a secondary control. That means no, they're not trying to replace big services like Proofpoint or Microsoft's upper tier filtering, but as a seat belt to catch things that slip the net. We talk about what they're trying to do, look at the limitations of static and dynamic detection and talk about all sorts of other stuff too. Enjoy!

Risky Business #632 -- The Kaseya incident wasn't nearly as big as we thought

Patrick Gray — Wed, 28 Jul 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * Analysis suggests the Kaseya REvil incident was actually a bit of a fizzer * They also obtained a decrypt key and no one knows how * EU to follow US Treasury on Bitcoin controls * Israeli Government has eyes on NSO fallout * PetitPotam Active Directory technique is very bad news * Much, much more... This week's show is brought to you by Remediant. Remediant makes a PAM solution that's, well, quite different from the traditional password-vault style solutions. That's put them in an interesting situation lately with Gartner. Remediant scored an honourable mention as a PAM to take note of, alongside Microsoft, but the thing is they don't even qualify as a PAM vendor under Gartner's own criteria. This might mean the analyst firms need to re-jig the way they evaluate and rank tech given there are so many more ways to skin cats these days. Remediant co-founder Paul Lanzi will join me in this week's sponsor slot to talk through all of that.

Risky Business #631 -- USA and friends send nastygram to China

Patrick Gray — Wed, 21 Jul 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * USA and friends send a sternly worded letter * NSO group in the news, but parts of the coverage don't add up * Google TAG drops another great post * We unveil the details of the earth shattering Kaseya 0day cyberweapon * MORE This week's show is brought to you by Signal Sciences, which is now a part of Fastly. Instead of booking an interview with one of their staff, they suggested we interview one of their customers -- so this week's sponsor guest is J J Agha, the CISO of Compass, the American real estate website. He'll be joining us to talk about his general approach, and yes, Signal Sciences is a part of that, but he'll speak to automation and orchestration and a bunch of other stuff too.

Risky Biz Feature Podcast: An interview with Rob Joyce

Patrick Gray — Fri, 16 Jul 2021 00:00:00 +1000

In this podcast we chat with Rob Joyce, the NSA's Director of Cybersecurity. As many listeners would know Rob has a pretty interesting resume, having served as a special advisor on cybersecurity to US president Donald Trump, and, before that, leading Tailored Access Operations for NSA. More recently he served as the NSA liaison to Britain's GCHQ, but he returned to the USA this year to take up his new post as the head of NSA's defence-oriented Cybersecurity Directorate. And here's the thing: Rob is a senior bureaucrat who is genuinely passionate about technology. His con talks are fantastic. He did one on how to make TAO's life hard in 2016 that was really a blockbuster technical talk, and he's even done a talk about how to engineer wildly over-the-top Christmas light displays. I'm telling you this to let you know that, well, Rob is a real, actual security geek. He's the hacker-bureaucrat, if you will. Anyway, he generously made himself available to do this interview with us and we covered a bunch of stuff: The terrible state of enterprise security, cloud service providers being dumb with their defaults, the role of the intelligence community in combating ransomware and more. But we started off with some nuts and bolts discussion about what NSA's cybersecurity directorate actually does. Enjoy!

Risky Business #630 -- We tried the carrot, it's time for the stick

Patrick Gray — Wed, 14 Jul 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * REvil takes a vacation * Kaseya finally patches VSA * Morgan Stanley data exposed by third party Accellion hack * CISA issues emergency directive on MS print spooler bug * Patrick and Adam dream up ways for the US government to pressure vendors * MORE This week's show is brought to you by Senetas. They've traditionally made layer 2 encryption gear but, as you'll hear, they're moving with the times! Senetas CTO Julian Fay joins us this week to talk through a bunch of stuff -- what they've been working on, a really interesting project they had to abandon because of COVID and the latest news on the move to quantum-resistant crypto.

Risky Business #629 -- Kaseya 0day was utter trash

Patrick Gray — Wed, 07 Jul 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * Our take on the REvil attack against Kaseya customers * Microsoft's print spooler bug is a real worry * Reports the RNC breached by Russia's SVR * NSA snaps GRU brute forcing efforts * Much, much more This week's show is brought to you by Material Security, a very interesting startup that has a completely different take on what email security actually is. Material's co-founder Ryan Noon will be along in this week's sponsor interview to talk about the cool stuff they're doing on the analytics side.

Risky Business #628 -- Microsoft is not your friend

Patrick Gray — Wed, 30 Jun 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss recent security news, including: * Microsoft reluctantly and belatedly discloses breach * Chinese APT suspected of Air India breach * JBS paid $11m even though they successfully restored systems * cl0p money launderer arrests * Ransomware news roundup * The latest research and MORE This week's show is brought to you by Greynoise. Its founder and CEO, Andrew Morris, joins us this week to talk through some of the work he's been doing to extend Greynoise's use cases. It's a great chat, that one.

Risky Biz Soap Box: EclecticIQ's CEO Joep Gommers on operationalising threat intelligence

Patrick Gray — Mon, 28 Jun 2021 00:00:00 +1000

Aaaaand we're back on deck! We're kicking things off this week with this interview with Joep Gommers, the CEO and founder of EclecticIQ. And FYI, in case you didn't know, these Soap Box podcasts are wholly sponsored. If your job involves handling threat intel, then I think you'll really enjoy this conversation. It touches on a bunch of stuff. The first part of this is talking through what EclecticIQ actually offers, currently, then we talk more broadly about operationalising threat intelligence, and finally we talk about EclecticIQ's new stuff -- which include introducing XDR tooling.

Risky Biz Soap Box: Banks to embrace Yubikeys for customers

Patrick Gray — Thu, 10 Jun 2021 00:00:00 +1000

As regular listeners know, the soap box podcasts we publish here at Risky.Biz are wholly sponsored. That means everyone you hear in one of these podcasts, paid to be here. And this edition of Soap Box has become an annual thing -- it's our once-yearly catch up with Jerrod Chong, the chief solutions officer of Yubico, makers of the Yubikey and YubiHSM. Yubikey is an infosec darling, really, because they're in the unique position of having a product that's popular with security professionals like CISOs while also being popular with security-conscious consumers. Businesses get value out of Yubikeys, but so do normal people, thanks to key support being baked into services like Facebook and Google. As you're about to hear, there's a whole new category of use about to open up -- Bank of America is launching FIDO2 U2F support for its customers. That's a big deal -- the more FIDO2 keys we get out there the better.

Risky Business #627 -- USG claws back Colonial pipeline ransom money

Patrick Gray — Wed, 09 Jun 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * US Government claws back Colonial ransom bitcoin. We don't think the FBI acted alone. * Meet an0m, the cute little app for planning crimes that drinks milkshakes. * Ransomware stuff, duh. * Trickbot developer arrested in Florida * Supreme court upends CFAA "exceed authorised access" element * Much, much more This week's show is brought to you by Datadog. Michael Yamnitsky will be along in this week's sponsor interview to talk about cloud security posture management. DataDog is launching a product in that space, so we'll be hearing about the types of issues CSPM products can help to unearth.

Risky Business #626 -- Russian ransomware beef simmers

Patrick Gray — Wed, 02 Jun 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Ransomware attack threatens Australian and US beef supply * Talos dubs Russian ransomware crews "privateers" * NYTimes writes another bad story * More Fortinet pwnage * Belgian government rolls Hafnium IR and finds, well, something else * Google unveils new rowhammer techniques * Much, much more Haroon Meer of Thinkst Canary is this week's sponsor guest. Thinkst is spinning up a labs division, but they'll be doing something different to the same-old bug hunting. That's a quality conversation.

Risky Business #625 -- Iranians wipe some machines, Israelis kaboom some

Patrick Gray — Wed, 26 May 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The latest news on the health system ransomware crisis in Ireland * TSA to force pipeline operators to disclose attacks they probably aren't detecting anyway * Colonial paying ransom angers US congresspeople who really haven't thought this through * Iran targets Israeli systems with new wipers * Israel targets Hamas systems with guided munitions that go bang * Much, much more This week's sponsor guest is Ryan Kalember, EVP of Cybersecurity Strategy at Proofpoint. He joins us to talk about how compromised o365 accounts are powering all sorts of threat actors right now -- from ransomware operators to BEC crews and APT units, everyone loves a popped mailbox.

Risky Biz Feature Podcast: The politics of cybersecurity

Patrick Gray — Mon, 24 May 2021 00:00:00 +1000

In this podcast we'll be hearing from an Australian politician, Tim Watts. He's a member of our federal parliament and serves as our shadow minister for communications and cybersecurity. For our overseas listeners, the "shadow" part of his title is there because he's a member of the opposition party, so he's not in government. But, of course, if the Labor party wins the next election he'll be our communications and cybersecurity minister. Anyway, Tim is a bit of an anomaly in politics because he has a genuine, nerd-like interest in the field we so love. Tim and I chat pretty regularly, and I can say that yes, 100%, his interest in this field is genuine and he has a firm grasp on the issues that matter. I thought now would be a great time to run an interview on the politics of infosec. While it's true that policymakers spend time thinking about this stuff, cybersecurity hasn't yet crossed over into being what they call a "retail politics" issue. But thanks to the Colonial pipeline ransomware incident, that might be about to change.

Risky Business #624 -- Ransomware farce continues

Patrick Gray — Wed, 19 May 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The aftermath of the Colonial ransomware attack * Biden signs cybersecurity EO * DarkSide crew hounded off the Internet. For now. * Ransomware campaigns continue, hitting health, insurance targets globally * IIS PoC released * Rapid7 discloses Codecov-related source code breach * Much, much more This week's show is brought to you by AttackIQ. Its VP of Product Mark Bagley and Senior Director of Cybersecurity Strategy and Policy Jonathan Reiber are this week's sponsor guests.

Risky Biz Snake Oilers: Google pitches BeyondCorp for Enterprise

Patrick Gray — Thu, 13 May 2021 00:00:00 +1000

As regular listeners would know, Snake OIlers is a wholly sponsored podcast series we do here at Risky Biz HQ where vendors give us money so they can come on and pitch their products to you, our dear, dear listeners. And we have three vendors along today to pitch you: * Google Cloud Security is in the top slot pitching their Zero Trust product suite BeyondCorp Zero Trust for Enterprise. * Devicie, an Australian startup, that developed a solution that makes Microsoft Intune useable. * Trend Micro joins the show to talk about its latest XDR features

Risky Business #623 -- Ransomware threatens US energy security

Patrick Gray — Wed, 12 May 2021 00:00:00 +1000

On this week's show Patrick Gray, Adam Boileau and Chris Krebs discuss the week's security news, including: * An analysis of the Colonial pipeline ransomware attack * More ransomware news * UK and US expose APT29's preferred exploits (again) * IntrusionTruth drops a new post * 128m Apple devices were hit by XCodeGhost * Much, much more This week's sponsor interview is with Aaron Parecki, a Senior Security Architect at Okta. He's also been a spec editor and member of the oath working group at IETF for nearly 11 years, so he knows a thing or two about OAuth. He'll be joining me after the week's news to talk through the latest OAuth guidance the IETF is going to release.

Risky Business #622 -- GitHub weighs exploit ban

Patrick Gray — Wed, 05 May 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * GitHub weighs banning exploits * Ransomware galore * Belgian government crippled in DDoS attack * Intrusion Truth Twitter account suspended * More Pulsesecure victims identified * Much, much more This week's show is brought to you by ExtraHop networks, and they'll pop along in this week's sponsor interview to float a really, really good idea. The Biden administration EO on cybersecurity will mandate software is shipped with a so-called software bill of materials so customers will actually know what's in their supply chain. Ben Higgins and Ted Driggs from Extrahop will join us today to argue they should also supply a bill of behaviours; data in a standardised form that will tell you things like what domains and IPs the software will connect to.

Risky Business #621 -- Ultra professional criminal attackers ascendant

Patrick Gray — Wed, 28 Apr 2021 00:00:00 +1000

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * USA imposes sanctions over SolarWinds campaign * Enterprise border devices being attacked everywhere by all and sundry * Malvertising is coming back * Ultra professional criminal attackers are ascendant * All the latest ransomware, supply chain and other infosec news This week's sponsor interview is with Brian Dye, CEO of Corelight. We speak to him about what he's calling "Open NDR". A lot of the big SOCs have settled on their preferred ways of sharing threat information, and Brian drops by to talk all about those trends.

Snake Oilers: Greynoise! MergeBase! Votiro!

Patrick Gray — Tue, 20 Apr 2021 00:00:00 +1000

In this edition of Snake Oilers we'll be hearing from three very different vendors who've all been doing interesting stuff. Greynoise: An infosec startup darling, Greynoise can tell you when an attack you've detected is internet-wide, automated activity. Very useful for de-prioritising entire alert sets. MergeBase: Software Composition Analisys (SCA) with two key differentiators. MergeBase says it gives users MUCH better remediation advice than competitors, and also offers a "in prod" dynamic SCA product that feeds Java app telemetry back to app/security teams. Very cool, and getting popular. Votiro: Regular listeners would know about CDR company Votiro. They've spent the last little while updating their product to better deal with macro-based threats. There's some site-specific machine learning pixie dust as well as some more generic static detections and re-writes.

Risky Business #620 -- Project Zero burns Western counterterrorism operation

Patrick Gray — Wed, 31 Mar 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Ubiquiti insider blows whistle on breach * Cyber insurer ransomwared * Project Zero burned a Western counterterrorism operation * Australian parliament, media, politicians all under attack * Executive Order would require vendors to notify US government of incidents * Much, much more... This week's sponsor guest is a special one. Metasploit creator and Rumble.run founder HD Moore will join us to talk all about his new venture, the Rumble asset discovery tool. It's an absolutely fantastic interview, as you'd expect from HD.

Risky Business #619 -- REvil crew demands $50m from Acer

Patrick Gray — Wed, 24 Mar 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * REvil demands US$50m from Acer in ransomware attack * Shell added to Accellion victim list * Governments banding together to tackle ransomware * BEC theft hits $1.8bn in 2021: FBI * Exchange tyre fire is, surprisingly, almost under control * MORE Remediant's Paul Lanzi will pop along in this week's sponsor interview to talk about how they've integrated their PAM solution with Carbon Black. It's an integration that is actually somewhat obvious in hindsight: if a box has been popped then some accounts have, too, so tying these things together does make sense.

Risky Biz Soap Box: 12 years since Operation Aurora. Have we learned anything?

Patrick Gray — Tue, 23 Mar 2021 00:00:00 +1100

This is a wholly sponsored podcast brought to you by Okta. In this interview we chat with Marc Rogers, the executive director of Cybersecurity at Okta. The question that we're exploring in this interview is whether or not we've managed to move the infosec needle since the Chinese government hacked Google back during the Operation Aurora attacks of 2009.

Risky Business #618 -- MS security licensing faces congressional scrutiny

Patrick Gray — Wed, 17 Mar 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The latest on the Exchange tyre fire * Lawmakers in the USA have had enough of Microsoft's ridiculous licensing tiers * White House mulls software security rating system * Joseph Cox's SMS adventures * Things didn't quite work out for APT6920 Arson Cats * Much, much more This week's show is brought to you by VMRay. They asked us to interview one of their customers in this week's sponsor segment so Brad Marr, the CISO of Life Fitness, pops in to walk through his VMRay use case.

Risky Biz Feature Podcast: Chasing crooks through the blockchain

Patrick Gray — Mon, 15 Mar 2021 00:00:00 +1100

This podcast was made possible thanks to the support of the Hewlett Foundation's Cyber Initiative. They've provided us with grant funding so we can do feature podcasts that will be of interest to people working in policy roles. The idea is educate people working in policy about issues that they're in a position to do something about. In this interview we spoke with Kim Grauer, the head of research at Chainalysis. Chainalysis makes software that cryptocurrency exchanges, regulators, law enforcement and intelligence services use to get insight into what's happening in terms of bitcoin and other cryptocurrencies moving around. You would have heard us talk about their reports in the news segment of Risky Biz a few times because they have a habit of publishing really interesting insights into things like the ransomware economy.

Risky Business #617 -- Exchangapalooza '21

Patrick Gray — Wed, 10 Mar 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * All the Exchange boxes on the planet have pretty much been owned lol * See above * Someone's hacking Russian crime forums * The Accellion scandal keeps on truckin' * Dependency confusion attacks are going berserk in the wild * Gab got owned. Again. * John McAfee is in all sorts of trouble * Much, much more This week's show is brought to you by Nucleus Security. Its director of APAC operations, Gil Azaria, joins us in this week's sponsor interview to talk about how he became a Nucleus customer before he joined the vendor as its APAC guy.

Web shells everywhere

Brett Winterford — Tue, 09 Mar 2021 00:00:00 +1100

A China-linked espionage campaign against select US targets has exploded into a frenzy of indiscriminate exploitation that has compromised tens of thousands of Microsoft Exchange servers across the globe.

Risky Business #616 -- Exchange 0day party time for Chinese APT crew

Patrick Gray — Wed, 03 Mar 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Chinese APT crew goes berserk with Exchange 0day * Russia hacks Ukraine and USA, India hacks China, China hacks India * The NYTimes got something big wrong again (shock horror) * CANVAS exploit pack leaks, including their sweet, sweet Spectre exploit * Atlantic Council report into offensive capability vendors/contractors * Your vCentre gear it probably already on fire: find out why! * Much, much more This week's show is brought to you by Yubico, the makers of the Yubikey.

Mandatory intel sharing won't cure Holiday Bear woes

Brett Winterford — Tue, 02 Mar 2021 00:00:00 +1100

Lawmakers are warming to a Microsoft request for Congress to pass laws that would compel private sector companies to notify the US Government about security incidents.

Risky Biz Soap Box: ExtraHop CTO and co-founder Jesse Rothstein

Patrick Gray — Mon, 01 Mar 2021 00:00:00 +1100

This is a sponsored podcast featuring ExtraHop's co-founder and CTO Jesse Rothstein. ExtraHop is a Network Detection and Response (NDR) vendor that started out offering network health and monitoring tools before being pulled into the security space by its own customers. Jesse joined host Patrick Gray to talk about the SolarWinds compromise from a Network Detection and Response vendor's perspective, about cloud security and monitoring, some of ExtraHop's backstory and more. Enjoy!

Risky Business #615 -- Dependency confusion is, uh, pretty bad

Patrick Gray — Wed, 24 Feb 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * USA floats new sanctions against Russia * TikTok, WeChat get stay of execution * Dependency confusion is ugh * US indicts Lazarus crypto-thieves * France ties Sandworm crew to Centreon intrusion * MORE This week's show is brought to you by Thinkst Canary. Thinkst's founder Haroon Meer is this week's sponsor guest and he joins us to have a very Haroon-style conversation. We talk about how security controls and detections often fall over when things happen that take place outside of our assumptions: trojaned software updates, attackers hiding in unconventional places like monitors, things like that. That's a great conversation.

Accellion customers are getting ransom notices

Brett Winterford — Tue, 16 Feb 2021 00:00:00 +1100

The five most recent listings on the leak site of the CL0P ransomware group have two things in common. One, and most obviously, they are being extorted. And two, they've deployed Accellion file transfer appliances to send large files in their recent past.

Risky Biz Feature Podcast: A primer on Microsoft cloud security

Patrick Gray — Thu, 11 Feb 2021 00:00:00 +1100

Recent attacks by SVR against US targets have mostly been written up under the moniker of the "SolarWinds campaign". In our view, that's inaccurate. The defining characteristic of this campaign wasn't the SolarWinds supply chain stuff, it was the abuse of Microsoft cloud services. My understanding of how contemporary cloud services work isn't actually as good as it should be. And that got me thinking -- if my understanding isn't that great, then there's probably a lot of other people out there who don't quite grok this stuff, particularly on the policy side. So, I set out to prepare a primer on Microsoft cloud security. Our guest in this podcast is Dirk-Jan Mollema. He works at Fox-IT in the Netherlands and is one of their core researchers on Azure AD and Active Directory Security. What you're about to listen to, essentially, is me picking his brain so I can wrap my own head around this stuff. The hope is that some of you will learn along with me!

Risky Business #614 -- So was it Florida Man or an Iranian APT?

Patrick Gray — Wed, 10 Feb 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * The latest on the attempted Florida water poisoning incident * How to abuse Google Sync services for great victory * Why Signal's TLS proxies for Iranians are probably a bad idea * OG username brokers targeted by social media legal army * Much, much more This week's sponsor interview is with Dan Guido of Trail of Bits. They've released an enterprise version of their iVerify tool. It's a security tool for iOS (an Android version is in beta) that lets organisations monitor things like patch levels and passcode compliance without actually requiring the installation of MDM profiles. It's an enterprise mobile security tool for orgs that don't need or want full MDM.

Hackers attempt to poison American town's water supply

Brett Winterford — Tue, 09 Feb 2021 00:00:00 +1100

Somebody used a simple remote access tool to pump up the supply of chemicals into the water supply to a small town in Florida. Was it Florida Man or Iranian APT? Either is possible, but one would be a curiosity, the other an international incident.

Risky Business #613 -- It's time to check your Accellion logs

Patrick Gray — Wed, 03 Feb 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * Emotet is... gone? * Accellion FTAs were owned everywhere, not just in ANZ * US courts air-gap sensitive filings in wake of Holiday Bear attacks * iOS 14 brings iMessage security improvements * Much, much more Proofpoint's Sherrod DeGrippo is this week's sponsor guest. She joins the show to talk about Emotet's demise, Trickbot's survival, BEC, ransomware and more.

Risky Biz Soap Box: Email is a target, not just a vector

Patrick Gray — Mon, 01 Feb 2021 00:00:00 +1100

These Soap Box editions of the show are wholly sponsored, which means everyone you hear in one of these editions, paid to be here. This edition of the show is brought to you by Material Security. Basically what they do is lock up your cloud-based email. They use Google and Microsoft's APIs to redact sensitive information from your mail spool -- or even redact entire messages from your spool, like, say, anything over a month old -- and then kick you up to an auth challenge when you want to access that mail. It's a product that recognises that email isn't just a vector -- often it's an attacker's target.

Risky Business #612 -- DPRK slides into researcher DMs

Patrick Gray — Wed, 27 Jan 2021 00:00:00 +1100

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: * DPRK offers free 0day to researchers, with a pretty significant catch * SonicWall gets owned because it runs SonicWall gear. Big mistake. * Chinese trains didn't stop running because Flash died :( * Dominion to sue Rudy Giuliani for $1.3bn over insecurity claims * The sudo bug. Lol. This week's show is brought to you by Cmd Security, the Linux security company. Its focus has traditionally been on restricting the type of bash commands users can enter. It's like a control plane for Linux systems. But some of its customers manage their Linux endpoints through different, non-bash entry points. So they've added some features to their product to deal with that, which has also resulted in them having an IDR capability. It's all pretty sensible stuff though, and Cmd co-founder and CEO Jake King will be along to talk us through all of that.

Risky Business #611 -- MalwareBytes the latest "Holiday Bear" victim

Patrick Gray — Wed, 20 Jan 2021 00:00:00 +1100

On this week's show Dmitri Alperovitch, Sherrod DeGrippo and Joe Slowik join host Patrick Gray to talk through the week's news: * MalwareBytes the latest victim in the increasingly poorly-named "SolarWinds campaign" * FireEye issues helpful guidance, tools, to help orgs detect "golden SAML" and related techniques * Rob Joyce, Anne Neuberger, Michael Sulmeyer all get promoted! Wooo! * Much, much more

Risky Business #610 -- Propellerheads in dark on JetBrains

Patrick Gray — Wed, 13 Jan 2021 00:00:00 +1100

Joe Slowik and Katie Nickels are guest co-hosts in this week's edition of the show. They join Patrick Gray to talk about: * Mimecast having some stolen certificate, errr, "problems" * The confusing reports about JetBrains * Analysis of the malware used in the SolarWinds campaign * Australian man arrested in Germany and charged with running DarkMarket * The Great Deplatforming of 2021

Risky Biz Soap Box: Mapping NIST 800-53 to MITRE ATT&CK

Patrick Gray — Tue, 12 Jan 2021 00:00:00 +1100

These Soap Box editions of the show are wholly sponsored. If that's not your thing and you're looking for the weekly news edition of the show, just scroll one show back in your feed. This soap box edition is brought to you by AttackIQ. They make a Breach and Attack Simulation platform that's designed to test the effectiveness of your security controls by simulating bad things in your environment. Carl Wright and Jonathan Reiber are joining us in this edition of the show. These days he's AttackIQ's senior director of cybersecurity and strategy but he previously served as a former Chief Strategy Officer for Cyber Policy in the Office of the Secretary of Defense. They joined the show to talk through their work in mapping NIST 800-53 to the MITRE ATT&CK framework. Enjoy!

Risky Business #609 -- It's not NotPetya

Patrick Gray — Wed, 06 Jan 2021 00:00:00 +1100

On this week's show, Patrick Gray talks to Joe Slowik and Dmitri Alperovitch about the APT campaign that impacted the US government and FireEye via SolarWinds' supply chain. Alex Stamos also joins the show to chime in more generally on supply chain interference before discussing some other news, like: * Apple losing (most of) its case against Corellium * Assange won't be extradited... yet * Adobe has finally killed Flash, and killed it good

Risky Business #608 -- FireEye discloses breach and tool exfil

Patrick Gray — Wed, 09 Dec 2020 00:00:00 +1100

On this week's show Patrick and Adam Boileau discuss the week's security news, including: * FireEye's Very Bad Week * Russian bears all up in your VMwares * Chris Krebs sues Trump campaign * Foxconn ransomware * So much more

Risky Biz Soap Box: VMRay co-founders on the evolution of sandbox tech

Patrick Gray — Mon, 07 Dec 2020 00:00:00 +1100

Soap Box podcasts like this one are wholly sponsored. This edition of the Soap Box is brought to you by VMRay. They make a virtualised sandbox that initially found a market with DFIR professionals, but these days is being used for all sorts of things. VMRay's cofounders -- CEO Carsten Willems and CTO Ralf Hund -- joined host Patrick Gray to talk through the history of the sandbox tech arms race.

Risky Business #607 -- Trump lawyer calls for Krebs' execution, ransomware insurance getting wobbly

Patrick Gray — Wed, 02 Dec 2020 00:00:00 +1100

On this week's show Patrick and Adam Boileau discuss the week's security news, including: * ORIGINAL: Ransomware insurance payouts are looking pretty unsustainable * Trump lawyer calls for Chris Krebs' execution * Hunger relief charity loses $1m to BEC * Supreme court weighs CFAA * Much, much more!

Risky Business #606 -- BEC nukes Australian hedge fund

Patrick Gray — Wed, 25 Nov 2020 00:00:00 +1100

On this week's show Patrick and Mark Piper discuss the week's security news, including: * UK unveils Cyber Force * US passes surprisingly sane IoT security law * Symantec drops some APT10 research * MobileIron bugs getting a decent workout courtesy of state-backed attackers * Much, much more...

Risky Biz Soap Box: Bugcrowd CEO Ashish Gupta

Patrick Gray — Thu, 19 Nov 2020 00:00:00 +1100

This is not an edition of the weekly news show, scroll back one episode in your podcast feed if you're looking for that. Rhis is a wholly sponsored podcast brought to you by Bugcrowd. Bugcrowd's CEO Ashish Gupta joins us in this edition of the Soap Box. He's been the CEO over there for about three years, taking the reins from our friend Casey Ellis who moved into the CTO position. As you're about to hear, the bug bounty companies have moved on from the days when they just provided the simple service of running bug bounty competitions for their clients. What's emerging is a much more nuanced product mix designed to extract as much usefulness as possible out of the testers registered on their platforms.

Risky Business #605 -- Trump fires CISA director Chris Krebs

Patrick Gray — Wed, 18 Nov 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * CISA director Chris Krebs fired * Trump ramps up his disinformation campaign * TikTok ban stalls * BlackBerry discovers new hacker-for-hire crew * DNS cache poisoning is back. But do we really care? * Much, much more

Australia eyes payment card data for contact tracing

Brett Winterford — Tue, 17 Nov 2020 00:00:00 +1100

Payment data is being pitched as another tool to help contact tracing professionals squash outbreaks of COVID-19.

Risky Business #604 -- Election-related cyber shenanigans fail to materialise

Patrick Gray — Wed, 11 Nov 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * Zoom settles with FTC over misleading E2EE claim * Some poor sod had to give up $1bn in Bitcoin * Solaris SSH 0day? Let's party like it's 1999 * Samy Kamkar's latest trick: NAT Slipstreaming * Australia's hardcore critical infrastructure protection bill * Much, much more

China flaunts its exploit prowess

Brett Winterford — Tue, 10 Nov 2020 00:00:00 +1100

Judging by what gets put on show, we can no longer safely assume US superiority in exploit development.

Australia's hardcore critical infrastructure laws open to challenge

Brett Winterford — Tue, 10 Nov 2020 00:00:00 +1100

Australia's Department of Home Affairs has yielded to pressure from industry and state governments to publish an exposure draft of the bill that underpins its plan to directly intervene in the cyber security of the country's critical infrastructure.

The many personalities of Lazarus

Daniel Gordon and Brett Winterford — Wed, 28 Oct 2020 00:00:00 +1100

North Korea's "Lazarus Group" gets through an impossibly prodigious amount of activity. That's because this “group” is better understood as several distinct, connected clusters that together add up to North Korea's formidable hacking operation.

Risky Business #603 -- YOU get sanctions, and YOU get sanctions

Patrick Gray — Wed, 28 Oct 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * "Proud Boys" email campaign attributed to Iran in record time * Sanctions for everyone! * US doxes more adversary TTPs * Katie Nickels and Chris Krebs join the show This week's show is brought to you by attack simulation platform company AttackIQ. Carl Wright from AttackIQ joins us this week to talk about the distinct possibility that large organisations are going to start slashing their security budgets in response to the changing economy.

CISA, FBI roll the dice on transparency

Brett Winterford — Tue, 27 Oct 2020 00:00:00 +1100

CISA and the FBI are calling out Russian intrusions as they see them, while US Treasury imposes sanctions on the developers of Triton ICS malware and Iranian disinformation shops.

Snake Oilers 12 part 2: Gravwell seeks to shake up SIEM market, Plextrac pitches its pentest reporting platform

Patrick Gray — Thu, 22 Oct 2020 00:00:00 +1100

In this (wholly sponsored) edition of the Snake Oilers podcast, three vendors will drop by to pitch their sweet, sweet snake oil: * Gravwell pitches its "structure on read" approach to SIEM * Plextrac describes its red team/pentest reporting platform * ITProTV's Don Pezet talks about trends in online training

Risky Business #602 -- US DoJ hooks Sandworm

Patrick Gray — Wed, 21 Oct 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * US DoJ unseals indictments against Sandworm operators * Twitter backtracks on "hacked materials" policy * No consensus on Trickbot c2 status * NSA publishes "most exploited" listicle that's actually interesting * Much, much more

Sandworm operators indicted

Brett Winterford — Tue, 20 Oct 2020 00:00:00 +1100

Russia, Russia, Russia. The US Department of Justice has indicted six members of Sandworm, a military intelligence unit of Russia's GRU, while the UK accused it of preparing attacks on the (now postponed) Tokyo Olympics. Russian crews have also been identified in recent attacks against Norway's parliament and state and local governments in the US. We also, reluctantly, touch on another actor with a Russian nexus, Rudy Giuliani.

Risky Business #601 -- Everyone's messing with TrickBot

Patrick Gray — Wed, 14 Oct 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * Yep, it was Cyber Command * Also Microsoft, Symantec, Lumen and others * Norwegian parliament hack pinned on Russia * We finally talk about "ethics in OST" * More

Cyber Command and Microsoft pile in on TrickBot

Brett Winterford — Tue, 13 Oct 2020 00:00:00 +1100

A group of technology companies were ready to unveil a long-term plan to disrupt and impose costs on the operators of the TrickBot botnet, when some other parties started messing with it...

Snake Oilers 12 Part 1: An incident management platform for the SOC and auditing for your SaaS accounts

Patrick Gray — Mon, 12 Oct 2020 00:00:00 +1100

In this (wholly sponsored) edition of the Snake Oilers podcast, three vendors will drop by to pitch their sweet, sweet snake oil: * Vaughan Shanks pitches the Cydarm SOC incident management platform * Adrian Kitto introduces Detexian, a platform that audits SaaS accounts * Eric Skinner from Trend Micro talks about XDR

Risky Business #600 -- Who's messing with TrickBot?

Patrick Gray — Wed, 07 Oct 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * The UHS ransomware attack * Someone is messing with TrickBot: Did the USA release the hounds? * US Treasury issues final warning on sanctioned ransomware crews * Azerbaijan and Armenia going at it * Fancy Bear owns US government department

Ransomware attack cripples 250 US hospitals

Brett Winterford — Tue, 06 Oct 2020 00:00:00 +1100

This week alone, ransomware attacks have crippled several hundred US hospitals and inconvenienced scientists working on COVID-19 vaccines and treatments. The lines have been crossed so many times now: do lawmakers really need to wait until an attack changes patient outcomes before the hounds are released?

Risky Biz special guest: Former Australian Prime Minister Malcolm Turnbull

Patrick Gray — Wed, 30 Sep 2020 00:00:00 +1000

In this podcast you'll hear an interview with former Australian prime minister Malcolm Turnbull. He joins Risky Business to talk through a bunch of issues from Huawei's exclusion from Australia's NBN and 5G builds, to political accountability and leadership in cybersecurity.

Risky Biz Soap Box: Identity as the new perimeter

Patrick Gray — Wed, 23 Sep 2020 00:00:00 +1000

Okta's director of technology strategy Sami Laine joins the show to talk about identity in 2020.

Front companies for Chinese and Iranian APTs doxxed

Brett Winterford — Tue, 22 Sep 2020 00:00:00 +1000

The US Department of Justice has doxxed over 50 state-sponsored hackers from China and Iran in a spree of indictments and sanctions.

Risky Business #599 -- You get domain admin! And YOU get domain admin!

Patrick Gray — Wed, 16 Sep 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Russia, China, Iran having a red hot go at US political orgs * Crowdstrike drops report, telcos having a bad time * MSS owning US government with dumb bugs * DoJ indicts Iranian script kiddie because reasons * Proposed TikTok-Oracle deal barely makes sense * The mother of all Microsoft auth bugs, wow * Much, much more...

GRU eyes US election

Brett Winterford — Tue, 15 Sep 2020 00:00:00 +1000

Microsoft has outed attempts by GRU attackers to hack into the Office365 accounts of political campaigns.

Risky Business #598 -- China closing the "cyber gap" with USA

Patrick Gray — Wed, 09 Sep 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Why integrity and availability are key to developing a COVID vaccine * China closing the "cyber gap" with USA * ASPI publishes research on TikTok, WeChat censorship * Belarusian "news app" was tracking activists * Julian Assange back in court to fight extradition * Much, much more

Ransomware takes down state-owned bank

Brett Winterford — Tue, 08 Sep 2020 00:00:00 +1000

Plus DDoS extortion surge, Norwegian Parliament inboxes under attack, US weighs up cost of replacing Huawei and more...

Risky Biz Soap Box: Canary's Royal origin story

Patrick Gray — Thu, 03 Sep 2020 00:00:00 +1000

This is a sponsored podcast. Today we're chatting with a very special guest, Haroon Meer. Haroon is the founder of Thinkst Canary. Some call it a deception company, but he doesn't, as you'll hear. He says Canary is a detection company and the distinction is important.

Risky Business #597 -- Alex Stamos talks news, Pompeo's "clean networks" initiative

Patrick Gray — Wed, 02 Sep 2020 00:00:00 +1000

On this week's show Patrick and Alex discuss the week's security news, including: * NZ stock exchange felled by DDoS attack * DNI cancels in-person election security briefings for Democats * Russians didn't hack Michigan voter data * Sendgrid having a bad time of its own making * US to doxes historical DPRK crypto laundering infrastructure, processes

The US exposes how the DPRK cashes out from cybercrime

Patrick Gray — Tue, 01 Sep 2020 00:00:00 +1000

The US Government has stepped up its campaign to expose North Korea's state-backed cybercrime operations, this week doxxing malware the DPRK uses to cash out attacks on banks and the techniques it uses to launder funds stolen from cryptocurrency exchanges.

Risky Business #596 -- DoJ gives Uber breach response one star

Patrick Gray — Wed, 26 Aug 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Former Uber CSO Joe Sullivan charged with obstruction of justice * Whitehouse to concede WeChat carveouts for US operations in China * A bunch of news that sounds like it's from 1997

Former Uber CSO charged with obstruction of justice

Brett Winterford — Tue, 25 Aug 2020 00:00:00 +1000

A criminal complaint filed against Uber's former chief security officer this week was an extraordinary event because Uber's response to its 2016 breach was anything but ordinary. There are nonetheless some hard lessons in it for every CSO.

Risky Business #595 -- NSA and FBI document GRU's Linux malware for them

Patrick Gray — Wed, 19 Aug 2020 00:00:00 +1000

On this week's show Patrick, Adam and Sherrod DeGrippo discuss the week's security news, including: * NSA and FBI doxx GRU malware. Lol. * Malicious Azure app snags SANS staffer * Oracle to acquire TikTok? * Trump weighs Snowden pardon * Much, much more This week's show is brought to you by Airlock Digital. They make allowlist/safelist software that is actually manageable at scale! David Cottingham, an Airlock co-founder, joins the show this week to talk through a few product updates.

GRU uses Linux rootkits, everyone else is OAuth phishing

Brett Winterford — Tue, 18 Aug 2020 00:00:00 +1000

If the SANS Institute can fall victim to OAuth phishing, what hope do most Microsoft customers have?

Australia puts “critical infrastructure” on war footing

Brett Winterford — Tue, 18 Aug 2020 00:00:00 +1000

The Australian Government has unveiled plans for unprecedented interventions in the operations of critical infrastructure providers.

America must counter China’s “military-civil union”

James Jay Carafano and Klon Kitchen — Thu, 13 Aug 2020 00:00:00 +1000

American technology companies must accept they have a role to play in national security, and that the return of Great Power competition requires them to choose sides.

Risky Business #594 -- How ESNIs will change censorship and NDR

Patrick Gray — Wed, 12 Aug 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * WeChat joins TikTok in the naughty corner * TLS 1.3 with ESNI will have a massive impact on censorship AND security * Belarus goes dark after dodgy election * Capital One fined $80m * Much, much more

America's clean path is slippery

Brett Winterford — Tue, 11 Aug 2020 00:00:00 +1000

A US-China trade war and a global pandemic have in a few short months accelerated a drift into 'network sovereignty': a world in which the internet is no longer a truly open, global network.

Australia wants boards held to account for infosec

Brett Winterford — Tue, 11 Aug 2020 00:00:00 +1000

Australia's 2020 cyber security strategy is the latest national plan to propose that company directors be held accountable for meeting minimum information security baselines prescribed by the government. In the absence of anything specific in the strategy document, _Risky.Biz_ talked to some real experts on measuring cyber security maturity to suggest some ways forward.

Risky Business #593 -- China promises "mortal combat in the tech realm"

Patrick Gray — Wed, 05 Aug 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Trump's war on TikTok (featuring guest Alex Stamos) * Twitter hackers caught. Pretty embarrassing stuff, really. * NSO implants target Easter Bunny * Garmin may need a good OFAC lawyer (featuring comment from Dmitri Alperovitch) * Blackberry cracked after five years leads to multiple arrests in Australia * Much, much more

TikTok review reduced to meaningless farce

Brett Winterford and Patrick Gray — Tue, 04 Aug 2020 00:00:00 +1000

Donald Trump’s personal involvement in threats to ban TikTok is distracting from any legitimate national security concerns the video sharing app might present to the United States. What started as some half-hearted sabre rattling after he was thoroughly punk'd by TikTok teens at his Tulsa rally in late June has spiralled into a theatre of the absurd.

Sanctions abound, but the hacks keep coming

Brett Winterford — Tue, 04 Aug 2020 00:00:00 +1000

In the same week the EU imposed sanctions against Russian, Chinese and North Korean actors, hacking crews from all three countries were implicated in new mischief.

Risky Biz Soap Box: Yubico Chief Solutions Officer Jerrod Chong

Patrick Gray — Thu, 30 Jul 2020 00:00:00 +1000

Soap Box is the wholly sponsored podcast series we do here at Risky.Biz. That means everyone you hear on this podcast paid to be here. In this podcast you're going to hear my latest interview with Jerrod Chong, Yubico's Chief Solutions Officer. Hardware security keys like Yubikeys have come a long way, even over the last couple of years. The biggest change is that the support for hardware keys is borderline ubiquitous now. FIDO2 support is in all the major browsers. You can even use Yubikeys with Google apps on an iPhone. The plumbing is here, it's arrived.

Risky Business #592 -- We're back. Did we miss anything?

Patrick Gray — Wed, 29 Jul 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Two Chinese nationals charged with freelancing for MSS * Russia, China hacking COVID-19 research * The world dodged a bullet on the Windows DNS bug * Twitter blue tick pwnapalooza * Much, much more.

Chinese campaign a sad indictment of infosec

Brett Winterford — Tue, 28 Jul 2020 00:00:00 +1000

Who needs custom malware and 0day when wins come this easy?

The enterprise apps are revolting too

Brett Winterford — Tue, 21 Jul 2020 00:00:00 +1000

If it's any consolation, the most capable infosec teams in the world are having just as much trouble dealing with the current onslaught of high severity vulnerabilities as you are.

What even is Winnti?

Daniel Gordon — Mon, 20 Jul 2020 00:00:00 +1000

Winnti is all at once a malware family, a group, and several groups with wildly diverging motivations. We're at the point where we may as well scrap the name and start again.

Risky Biz Soap Box: Facebook, under the hood

Patrick Gray — Thu, 09 Jul 2020 00:00:00 +1000

Normally these Soap Box podcasts -- which are wholly sponsored -- feature vendors trying to sell you stuff. But this time we're doing something different: an interview with two of Facebook's most senior engineers.

Risky Business #591 -- EncroChat user experience includes getting owned, going to prison

Patrick Gray — Wed, 08 Jul 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * The latest on the EncroChat hack-related arrests * Details about the fresh F5 and Citrix bugs * Natanz go boom * Paying Wastedlocker ransoms violates Treasury sanctions * North Korea embraces Magecart (lol) * Much, much more...

The network devices are revolting

Brett Winterford — Tue, 07 Jul 2020 00:00:00 +1000

A critical, trivially exploitable vulnerability in the management interface of F5’s Big-IP devices is the latest in a string of nasty bugs in networking equipment critical to enterprise computing. Like last year’s Citrix NetScaler and Pulse Secure vulnerabilities, this one is going to hurt.

Risky Biz Soap Box: No magic wand for business email compromise (BEC)

Patrick Gray — Thu, 02 Jul 2020 00:00:00 +1000

This edition of the Soap Box podcast is brought to you by Proofpoint. Today's guest is Proofpoint's EVP of Cybersecurity Strategy, Ryan Kalember, and the topic is business email compromise, or BEC. BEC is a big deal, generating billions of dollars in losses every year across basically all industry verticals and levels of government. Until recently, there haven't been many technical controls that help to mitigate it.

Risky Business #590 -- REPOST: It turns out we're not SAML experts

Patrick Gray — Wed, 01 Jul 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Inside the new American "e2ee busting" bill * Julian Assange hit with (another) superseding indictment * Trustwave uncovers sneaky Chinese accounting software backdoor * Much, much more... This week's show is brought to you by Okta. They are, of course, the identity and auth giant and one of the few sponsors we actually approached last year for 2020 because, well, they are very good at what they do. This week Marc will be joining us to talk about a privacy-related topic. The discussion is nuanced, but it's basically about how the public perception of privacy risks has diverged from the reality/ Further, that the COVID-19 crisis and the advent of digital contact tracing apps have actually brought general concerns around digital privacy to the fore.

Decrypting America's new push for lawful interception

Brett Winterford — Tue, 30 Jun 2020 00:00:00 +1000

Three US Senators have put forward a bill that apes the powers of the UK Investigatory Powers Act and Australia's Assistance and Access Act, while omitting many of the (albeit weak) safeguards that protect that power from being abused. The _Lawful Access to Encrypted Data Act of 2020_, introduced by Republican Senators Lindsay Graham, Tom Cotton and Marsha Blackburn, compels device manufacturers and digital service providers to provide access to user data when served with a warrant. It’s the Nike approach: Just do it!

Risky Business #589 -- Why Microsoft's steep E5 license pricing is a national security risk

Patrick Gray — Wed, 24 Jun 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Australia "under attack" - a wrap * Microsoft releases more security protections for E5 customers * US to introduce "anti encryption" bill * Shady encrypted phone company owned by the cops * NSA to offer filtered DNS services to defence industry * MORE

One thing Microsoft could do to avert state-sponsored attacks

Brett Winterford — Tue, 23 Jun 2020 00:00:00 +1000

Technical indicators released by the Australian Government reveal that state-backed actors are among the many attackers abusing OAuth apps to gain unauthorised access to cloud accounts. _Risky.Biz_ reckons there is more Microsoft can do to stop it.

Feature podcast: Inside BellTrox's hacker-for-hire operation

Patrick Gray — Fri, 19 Jun 2020 00:00:00 +1000

Today we're chatting with Citizen Lab Senior Researcher John Scott-Railton about the work they did investigating the Indian hacker-for-hire firm BellTrox. For those of you who didn't catch the news, The Citizen Lab, which operates out of the Munk School of Global Affairs at the University of Toronto, dropped a huge report a couple of weeks back that lays Belltrox's operations bare. As you'll hear this company attempted to hack tens of thousands of email accounts belonging to everyone from government officials to hedge fund managers and activists.

Risky Business #588 -- Catastrophic bugs to plague ICS for years

Patrick Gray — Wed, 17 Jun 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Facebook commissioned custom 0day to de-cloak child sex predator * IP stack bugs to plague IoT, ICS for years * Sandworm was doxxed by the NSA and hardly anyone noticed * Congress demands answers on 2015 Juniper NetScreen back door investigation * Amazon, Microsoft join moratorium on sale of facial recognition to police * Much, much more

Exclusive: Sandworm's Exim hacks reveal wider Russian activity

Brett Winterford — Tue, 16 Jun 2020 00:00:00 +1000

Threat hunters studying the IoCs released in the NSA's May 2020 advisory on recent Sandworm activity have used them to identify a large amount of infrastructure that looks custom-made to conduct credential phishing attacks against email and social media accounts used in Western countries.

Risky Business #587 -- Full scale of Indian hacking-for-hire revealed

Patrick Gray — Wed, 10 Jun 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Full scale of Indian hacker-for-hire firm revealed * IBM exits facial recognition * Contact tracing apps flop * Much, much more

Another online voting system teardown, Big game hunters net Honda and Lion, and more...

Brett Winterford — Tue, 09 Jun 2020 00:00:00 +1000

Researchers have exposed gaps in the security and privacy design of OmniBallot - another online voting system used in the United States. It has no privacy policy, and curiously sends user voting preferences to a central server even when a user chooses to print out a completed ballot to return by mail.

Why spies are targeting vaccine research

Brett Winterford — Tue, 09 Jun 2020 00:00:00 +1000

There are sound reasons why anxious governments are tasking signals intelligence services to track the progress of COVID-19 vaccines and treatments.

Risky Biz Soap Box: A better way to provision access to production environments

Patrick Gray — Thu, 04 Jun 2020 00:00:00 +1000

The Soap Box podcasts we run here at Risky.Biz are wholly sponsored affairs -- everyone you hear in a soap box podcast, paid to be here. The idea is vendors get to come on to the show and chat about their products, what their stuff does, the thinking behind it, so on and so on. Today we're hearing from Justin McCarthy of strongDM. strongDM is a bit of a niche player -- essentially what they do is make a product that provisions secure access to engineers who need to access various back end services.

Risky Business #586 -- Google TAGs Indian mercenaries

Patrick Gray — Wed, 03 Jun 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Google TAG implicates Indian hacker-for-hire outfits in espionage * NSA warns of Sandworm Exim exploitation * Huawei CFO extradition process to continue * Black lives matter * F--k police brutality

Sandworm tapping unpatched mail servers, Capital One forced to hand over IR reports, and more...

Brett Winterford — Tue, 02 Jun 2020 00:00:00 +1000

The NSA warns that Sandworm, one of Russia's most formidable offensive cyber operations, has been exploiting a known flaw in the Exim mail transfer agent (MTA) in attacks for at least 10 months. Sandworm - part of Russia's GRU intelligence unit - were fingered for NotPetya and crippling wiper attacks on Ukraine's power grid. You don't want these guys up in your business.

Surprise Capital One court decision spells trouble for incident response

Brett Winterford — Mon, 01 Jun 2020 00:00:00 +1000

When litigants suing Capital One sought a forensic incident response report into its [2019 data breach](https://www.capitalone.com/facts2019/), the bank played a reliable card: the report was commissioned by its outside law firm, and therefore subject to attorney-client privilege. In a surprising move, this week a US District Court [rejected the bank's claim](https://www.cyberscoop.com/capital-one-breach-mandiant-report-judge-ruling/) to privilege and demanded the document be handed over, in what appears to set an unsettling precedent.

Feature Podcast: Releasing the hounds with Bobby Chesney

Patrick Gray — Thu, 28 May 2020 00:00:00 +1000

Regular listeners to the podcast would know that for the last year or so, my cohost Adam Boileau and I have been talking a lot about how governments might involve non law enforcement agencies in a response to the big game ransomware epidemic. To discuss that, we're joined by Bobby Chesney, the co-founder of the Lawfare blog and a very highly respected figure in US national security circles.

UK changes course on Huawei

Brett Winterford — Wed, 27 May 2020 00:00:00 +1000

The United Kingdom is pulling together a plan to remove Huawei from its mobile networks within the next three years, following the lead of Australia and the United States.

Risky Business #585 -- UK mulls Huawei ban, NGOs urge COVID-19 hack de-escalation

Patrick Gray — Wed, 27 May 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * German intelligence warns of widespread Russian infrastructure hacks * NGOs urge COVID-19 hack de-escalation * UK mulls total Huawei ban... we think it's a done deal * DHS warning on 5G "moronavirus" * Wen jailbreak? NOW JAILBREAK * iOS 14 leaks * Much, much more...

Risky Business #584 -- Nation-backed attackers own easyJet, jump airgaps, hack ports

Patrick Gray — Wed, 20 May 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * easyJet breach linked to Chinese APT * Israel claims credit for attack against Iranian port * Chinese-linked crew behind Taiwan energy hax * Crypto-wars reignite over Pensacola shooter's phone * Much, much more

Wuhan lab dossier debunked

Brett Winterford — Tue, 19 May 2020 00:00:00 +1000

Russia has some competition in the disinformation game. The US administration's claim that the COVID-19 outbreak was caused by a laboratory accident was based on a report that has now been thoroughly debunked.

All roads lead to CISA to secure .gov

Brett Winterford — Fri, 15 May 2020 00:00:00 +1000

The US Government has spent a decade and tens of billions trying to centralise cybersecurity capability across civilian agencies, without much success. So why now are policymakers so buzzed about CISA?

Risky Biz Soap Box: ExtraHop CTO Jesse Rothstein talks network monitoring

Patrick Gray — Thu, 14 May 2020 00:00:00 +1000

This isn't the normal, weekly Risky Business podcast, Soap Box is the wholly sponsored podcast series we do here at Risky.Biz where vendors pay us money to come on to the show and talk about topics that interest them. Today we're speaking with Jesse Rothstein, the co-founder and CTO of ExtraHop Networks. ExtraHop is a network security play, but they started off more in the application monitoring and performance space before gradually moving into security over time. In this interview Jesse talks about network security monitoring, ExtraHop's history, and what people are using the ExtraHop tech to do during the COVID-19 crisis.

Risky Business #583 -- COVID-19 collection intensifies, tensions mount

Patrick Gray — Wed, 13 May 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * US takes aim at China over vaccine hax * ??? takes aim at Iranian port infrastructure over ??? * Iran attacks Gilead pharma * Zoom acquires Keybase * Thunderbolt research discussed * US to drop more DPRK malware * Ransomware targets European hospital group * Australian flu vaccine distribution disrupted by ransomware * More!

Attacks on healthcare are crossing all the red lines

Brett Winterford — Tue, 12 May 2020 00:00:00 +1000

The ongoing march of destructive attacks on medical organisations and a frenzy of espionage interest in COVID-19 vaccine and treatment research is testing the restraint of several governments. This week's Seriously Risky Biz newsletter and our livestream discuss the ethical and policy dilemmas this race poses.

Risky Business #582 -- Germans indict APT28 operator

Patrick Gray — Wed, 06 May 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Salt framework 1Day wreaks havoc * Toll Group hit with ransomware attack. Again. * Germans indict APT28 operator * Ransomware a key word in SEC filings * Much, much more!

Ransomware is now officially on the board agenda

Brett Winterford — Tue, 05 May 2020 00:00:00 +1000

How's this for a cogent data point: Catalin Cimpanu at ZDNet had the curiosity and foresight to search for the word 'ransomware' in recent SEC filings. Cimpanu found that over 1000 public US companies now list ransomware attacks as a forward-looking risk. It wasn't long ago that a company getting popped in a ransomware attack would rate a mention on the Risky Business podcast. Today, it takes a novel attack to raise an eyebrow.

Australia’s COVID-19 app is buggy, not yet operational

Patrick Gray and Brett Winterford — Mon, 04 May 2020 00:00:00 +1000

The Australian Government has placed uptake of its COVID-19 contact tracing app front and centre of its strategy to walk back lockdown measures, despite mounting evidence it isn’t fit for purpose. On Friday, Australia's Prime Minister Scott Morrison framed uptake of the government’s contact tracing app as one of a few remaining pre-conditions before lockdown measures would be lifted. However, according to multiple reports, the government’s COVIDSafe app is barely functional on iOS devices, state health authorities don’t yet have access to the contact tracing data it was designed to collect and the app is interfering with some Bluetooth-based medical devices.

Snake Oilers 11 part 2: Go passwordless with Okta, why Crowdstrike customers need Airlock

Patrick Gray — Thu, 30 Apr 2020 00:00:00 +1000

Snake Oilers isn't the regular Risky Business podcast, if you're looking for that just scroll back to one of the numbered episodes in our podcast feed. Snake Oilers is the wholly sponsored podcast series we do here at Risky.Biz where vendors give us money so they can come on to the show and pitch you their sweet, sweet Snake Oil. In this edition of snake oilers we'll hear from: * David Cottingham of Airlock Digital pitches the Crowdstrike/Airlock two piece combo meal deal * Marc Rogers of Okta talks passwordless authentication and pitches modern SSO generally * John Emmitt of Kaseya pops in to pitch the VSA endpoint management agent

Risky Business #581 -- Chinese telcos under fire in USA, spy firms pitch COVID-19 surveillance

Patrick Gray — Wed, 29 Apr 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Spy companies pitch ridiculously invasive approaches to contact tracing * NSO Group busted running c2 boxes in USA according to WhatsApp lawsuit * Australian government releases contact tracing app, no idea if it works * Chinese telcos to get boot from USA * Much, much more

Chinese telcos have 30 days to prevent US expulsion

Brett Winterford — Tue, 28 Apr 2020 00:00:00 +1000

The US Federal Communications Commission has ordered three Chinese State-owned telcos to 'show cause' for why it shouldn't expunge their license to operate in the United States. China Telecom Americas, China Unicom Americas and Pacific Networks each have 30 days to prove their operations and subsidiaries are "not subject to the influence and control of the Chinese government." Among other demands, each must detail affiliations between directors/employees and the CCP/Chinese Government, provide network diagrams, list interconnections with other service providers, provide inventories of network equipment and hand over US subscriber information to avoid license revocation.

Risky Business #580 -- Czech spear phishing spurs fightin' words from Pompeo

Patrick Gray — Wed, 22 Apr 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Czechs claim state-backed healthcare sector attack preparation * Pompeo goes full cyber berserker * New iOS exploit chain targets Uyghur diaspora * Zoom 0day for $500k? Tell him he's dreamin'

Deterrence in cyberspace isn't working. What next?

Brett Winterford — Tue, 21 Apr 2020 00:00:00 +1000

The United States is on the cusp of making far-reaching changes to how it defends its networks and projects its capabilities in cyberspace. Over the coming months, lawmakers will review the recommendations of the Cyberspace Solarium Commission - a year-long review into US cyber strategy. Will they have the nerve to push for contentious reforms, and who wins and loses in the process? Risky.Biz looks for answers in this three-part series.

Governments gravitate to Gapple contact tracing standard

Brett Winterford — Tue, 21 Apr 2020 00:00:00 +1000

Health authorities are revisiting plans to release hastily-developed COVID-19 contact tracing apps that are unsupported by Apple and Google, now that the tech giants are promising developers a built-in [contact tracing framework](https://www.apple.com/covid19/contacttracing). Several countries have released, piloted or approved apps that use Bluetooth Low Energy for contact tracing well in advance of the Google-Apple (hereafter 'Gapple') announcement. Their experiences are instructive. Inspired by Singapore's TraceTogether app, the Czech Republic released the [eRouška](https://erouska.cz/) Android app on April 11. It did not release an iOS version for the same reason TraceTogether struggled with adoption - Apple does not support the use of Bluetooth Low Energy advertisements while apps run in the background, and won't until apps conform to the Gapple framework. The Android app attracted 100,000 users (1% of population) in its first week. NHSX - the digital arm of the UK's NHS - is currently piloting a contact tracing app, but appears [likely](https://www.bbc.com/news/technology-52263244) to pivot to make use of the Gapple framework. The UK Information Commissioner's Office has signalled [conditional support](https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf) for it.

Snake Oilers 11 part 1: MongoDB's new encryption plus AlphaSOC and SecureStack

Patrick Gray — Thu, 16 Apr 2020 00:00:00 +1000

Snake Oilers is a wholly sponsored podcast series we do here at Risky.Biz where vendors come on to the show to pitch their wonderful, wonderful, magical snake oil to you, the listeners. In today's podcast you'll hear from: * Kenn White from MongoDB talking about client-side field level encryption * AlphaSOC's Chris McNab talking about their latest -- they're not just doing DNS analytics anymore * SecureStack are making developer-friendly cloud security, provisioning and visibility tooling

Risky Business #579 -- Apple and Google go all in on contact tracing

Patrick Gray — Wed, 15 Apr 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * Details about Apple and Google's contact tracing API and OS changes * Alex Stamos joins Zoom as outside consultant * More Zoom news * US government weighs China Telecom ban following BGP hijacking * Travelex paid $2.3m to decrypt files in ransomware attack.

Srsly Risky Biz: Apple, Google to bring COVID-19 contact tracing to billions

Brett Winterford — Tue, 14 Apr 2020 00:00:00 +1000

Apple and Google have answered a call from policy makers to build a [consent-based contact tracing tool for Android or iOS devices](https://blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf). The two organisations will release OS updates in mid-May that allow health authorities to use 'contact detection' APIs developed by Apple and Google to launch multi-platform contact tracing apps. Under the [published design](https://www.apple.com/covid19/contacttracing/), if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral 'tracing keys') via [Bluetooth Low Energy (BLE)](https://en.wikipedia.org/wiki/Bluetooth_Low_Energy). Storage of these anonymised identifiers is decentralised - stored only on user devices.

Why you can’t trust your vote to the internet just yet

Brett Winterford — Thu, 09 Apr 2020 00:00:00 +1000

A common adage in information security is that most startups don’t hire their first full-time security engineer until they’ve got around 300 staff. If your app only stores public data and has no need to authenticate users, that might not present much of a problem. But when your app needs to be trusted to protect the confidentiality of a person’s political preference, it’s something else entirely. It’s why Tusk Philanthropies - an organisation devoted to bringing mobile voting to the masses - is playing matchmaker between a half-dozen mobile voting startups and the security experts that can help bring them up to snuff.

Risky Business #578 -- ASD launches offensive campaign against criminals

Patrick Gray — Wed, 08 Apr 2020 00:00:00 +1000

On this week's show Patrick and Adam discuss the week's security news, including: * ASD launches offensive action against criminals * Bio-tech firms working on COVID-19 targeted by ransomware * Iran targets WHO * Did you hear there's a security issue with Zoom? You might not have heard. Don't worry we'll tell you about it * Much, much more

Srsly Risky Biz: Tuesday, April 7, 2020

Brett Winterford — Tue, 07 Apr 2020 00:00:00 +1000

Brett's take on the week's infosec news. Click through for subscription link.

Experts agree: Internet voting isn’t ready for COVID-19 crisis

Brett Winterford — Mon, 06 Apr 2020 00:00:00 +1000

Internet technologies are set to play a critical role in the 2020 Presidential Election. State election officials face the daunting task of upholding the most essential function of democracy in the midst of a health pandemic that constrains the movement and assembly of people in public spaces.

Feature Podcast: Voting in 2020 will likely be by mail

Patrick Gray — Fri, 03 Apr 2020 00:00:00 +1100

This podcast is brought to you by the Hewlett Foundation. They provided us with a grant to support us doing some podcasts about cybersecurity issues that touch on policy. Regular listeners would have heard some of these special podcasts already. Today's guest is Jennifer Morrell. She's a partner with Elections Group and is a recognised expert on election audits.

Risky Business #577 -- Stir crazy lockdown edition (reposted)

Patrick Gray — Wed, 01 Apr 2020 00:00:00 +1100

On this week's show Patrick and Adam discuss the week's security news, including: * KSA uses SS7 to track its citizens in USA * Governments begin virus tracking through personal devices * FBI warns of Iran-linked crew in yer supply chains * Voatz gets booted from HackerOne * All the cloud and Zoom drama This week's show is brought to you by Signal Sciences. Instead of interviewing one of their people, they suggested we interview Andrew Becherer in this week's sponsor interview.

Risky Business Live #3 -- Booz Allen Hamilton's Russia report, Azure getting creaky and more

Patrick Gray — Tue, 31 Mar 2020 00:00:00 +1100

This is a completely unedited recording of a YouTube livestream broadcast on March 31, 2020. It features Patrick Gray, Dmitri Alperovitch, Alex Stamos and Adam Boileau.

Srsly Risky Biz: Tuesday, March 31

Brett Winterford — Tue, 31 Mar 2020 00:00:00 +1100

The US Government is tapping the data of mobile advertising companies to identify non-compliance with social distancing measures, according to the Wall Street Journal. The scoop follows reports last week that the White House sought assistance from US tech giants to help monitor quarantine compliance and perform contact tracing. Last week Risky Business explored what measures might prove effective and published a guest column by Stanford Law’s Albert Gidari suggesting Facebook and Google volunteer their expansive reach to offer privacy-preserving solutions. In the absence of either announcing initiatives, startups are stepping up to the plate. ...

Risky Biz Soap Box: VPNs are out, identity-aware proxies are in

Patrick Gray — Sun, 29 Mar 2020 00:00:00 +1100

In this (sponsored) podcast Akamai's CTO of Security Strategy Patrick Sullivan talks us through the basics of identity-aware proxies. With more and more internal applications being served to newly external users, identity-aware proxies are the new hotness.

Op-Ed: How location history can help contain COVID-19 while protecting privacy

Albert Gidari — Fri, 27 Mar 2020 00:00:00 +1100

If Typhoid Mary carried a cell phone, we would all want to know where she’d been over the last few days. Technology exists right now to trace the historical location and movement of any person who has tested positive for COVID-19. That location history is more detailed and accurate than information the Center for Disease Control (CDC) gets from interviewing people who have tested positive, and it can be used to map the trajectory of the disease over time and place, all while protecting privacy. However, privacy concerns and sufficient resources within public health organizations have hindered development of a location history solution. These concerns are understandable, because there have been reports about third party location aggregators or surveillance equipment providers trying to sell bulk location information to the government. A better approach - discussed below - dismisses third party aggregators because they largely are unaccountable, the data sources are speculative and without consent provenance, and the data tends to be less comprehensive and representative of communities. Over a dozen countries have introduced or deployed tracking technologies, physical surveillance and censorship measures in a bid to slow the spread of the virus. A Digital Rights Index has been published to help stem overreach, promote scrutiny, and ensure that intrusive measures don’t continue for any longer than absolutely necessary. So how would a location history solution work while protecting privacy? Consider what your device already knows about you. If you use Google Maps, for example, your Timeline can be seen in the Maps Menu. Click and you will see a detailed summary of your daily travels for as long as you’ve stored it, and your actual route is displayed on the adjacent map. My history for January 17th shows that I flew from San Jose to Seattle, took a 1:10pm ferry to Bainbridge Island, went to the barber at 2:30pm, then to the post office at 3pm, then home, and then had dinner at Sawan’s Thai Kitchen at 6:30pm. If I fell sick and tested positive two days later, I doubt that I could relate the details of my movements for two or three days before diagnosis with that degree of specificity. But if I provide my cell phone number and/or account identifier to the public health official and consent to it, the data could then be sent to CDC - a governmental entity under the Stored Communications Act who can by law request emergency location information from Google or any other platform or provider that maintains my location history. The emergency request is the same procedure used dozens of times each day where law enforcement submits a request to a provider to disclose user information in emergency cases like kidnappings. It is tried and tested. The infrastructure exists for it right now, including rapid delivery of the data back to the governmental entity. Privacy concerns can be minimized by ensuring that the user’s opt-in consent for sharing with the CDC solely is for the purpose of tracing potential infectious contacts and cannot be shared with other governmental agencies without the person’s added consent. Further, the CDC can confirm it will destroy the identifiable information promptly upon receipt of the location history - the CDC only needs to know where a person with a positive test traveled and when. Everyone’s location history already is known to their providers; the person who tested positive already is sharing their movements as best as possible with health providers. The person infected is consenting to their information being used to notify others of the risk and for no other purpose. Contact tracing already is being done at the local level with scarce resources. More can be done once the location history of the infected user is known. Platforms and wireless carriers can use incoming CDC or user data requests to determine how many other users were in the vicinity of the positive case at any given time. This is called geofencing. It is done today in response to search warrants from law enforcement to identify users in and around a crime scene, or, all registered phones on a cell tower serving a crime scene area. Rather than the CDC simply telling the local community that a person has tested positive in their county, providers instead can tell specific proximate users precise facts by means of a text, email, or device notification: a person who tested positive was on the 9am flight from San Jose, landed at SeaTac at 11:10am and got a cab 10 minutes later, was on the 1:10pm ferry to Bainbridge Island, stopped at various places, and went home. That is actionable intelligence - it relieves the anxiety of people on a later flight or ferry or who ate before the infected person, or all those people who only are told someone has the disease in the community at large. It tells others who were in close proximity that they should self-isolate. No, this is not a substitute for greater testing, but it may help direct valuable testing resources to a particular at-risk community and to target resources better. Imagine that there were 10 people identified on that 1:10 ferry. With their location maps layered on top of each other, we see a trajectory for the disease throughout the community and further identify the specific risk of immediate contact by others in the vicinity. Perhaps everyone gets directed to shelter-in-place, or, perhaps the proximity map shows only small pockets of concern. Whatever the data shows is immediately actionable at the local level and the CDC will be getting aggregate location data for those in proximity to persons who tested positive. Knowing that a significant number of persons with the disease were in the general population at a specific time and place is better than any currently available information today, and is more accurate than anecdotal data from those who have tested positive. And again, the CDC (i.e. the government) is only ever getting the opt-in data for the person who tested positive; the providers are doing the rest. Some have complained that this solution is not perfect, doesn’t cover all places or people, isn’t granular enough to avoid “false positives” and requires providers to do something to facilitate it. Right now, the alternative is for everyone to stay home and live with the anxiety that interacting with anyone puts you and your family at risk. That is one big false positive. The approach above is surgical, and most times, good is better than perfect - at least with pandemics. We also have seen how location information can be used to quarantine or restrict people’s movement in places like China. No one wants a virtual ankle bracelet for quarantine in this country, but those are some of the ideas being floated now. The benefit of the location tracing proposed here is that it is opt-in by those who have tested positive, and privacy protective for the user and all those who were in close proximity to persons so identified. It is better than using a surveillance hammer. There is some privacy risk to the infected user whose location history becomes part of a map, in that crowdsourcing may identify the individual. But that risk can be lowered by not mapping the end point - if it is a personal residence for example. There is some risk inherent in the use of location data - but again, the degree of specificity for what goes on the map can be determined by the provider and minimized to exclude key data points. A rule might display “post office” but not display “home address”. It is important to say again that this proposal alone is not a comprehensive solution to the difficult problem of contact tracing. There may be smaller numbers of users with location history enabled on various platforms due to privacy concerns. But if data is drawn from Google, Foursquare, Facebook, Uber, Lyft and other platforms, a comprehensive map will emerge that is sufficient to show trajectory and allow CDC to identify hot spots and resource needs, while simultaneously reducing anxiety in the areas least affected or proximate to individuals who have tested positive. Albert Gidari is the Director of Privacy at Stanford Law School’s Center for Internet and Society and retired partner at Perkins Coie LLP where he represented wireless companies and Internet platforms. Read more on proposed contract tracing solutions in the Risky.Biz feature story: ‘The cyberpunk dystopia we feared is here, and just in the nick of time’.

The cyberpunk dystopia we feared is here, and just in the nick of time

Brett Winterford — Thu, 26 Mar 2020 00:00:00 +1100

The unprecedented COVID-19 pandemic has raised a thorny question for technologists and lawmakers: how might the location data from our cellphones be used to help contain the spread of the virus? Two broad use cases have emerged: the first is using location data to monitor compliance with quarantine. And the second is contact tracing - using location data to track down people that have come into contact with a person that tests positive to the virus. The team at Risky Biz discussed both in a livestream this week with regular co-host and Insomnia Security founder Adam Boileau, adjunct professor at Stanford University’s Center for International Security Alex Stamos, and Crowdstrike founder and former CTO Dmitri Alperovitch. Watch the recent Risky Business livestream on COVID-19 surveillance: Monitoring quarantine compliance In an ideal world, people that have tested positive to a deadly and contagious disease would dutifully self-isolate to prevent further infection, and those that they’ve recently come in contact with would dutifully quarantine before their test results come in. In some countries, there are few limits on the coercive power of the state to compel people to follow these measures, or very few limits on the tracking of civilian movements. In Western democracies, the use of monitoring for such a purpose requires legislative change and a dramatic suspension of social norms. In the United States, governments do not have the legal authority to tap cell phone records or social media data for the purpose of enforcing quarantine compliance. The United States is struggling to even make the case for using geofencing data to convict a suspect with a bank robbery. Emergency powers are gradually being put into place as clusters of infections emerge. Airlines, for example, are now required under US law to submit data to the Center for Disease Control and Prevention (CDC) data about all incoming passengers for the purpose of enforcing quarantine. And the White House is now in discussion with US tech giants such as Facebook and Google about how their location data might also be put to use. Today, anonymised data from mobile networks and apps is already made available to researchers for the purpose of tracking the spread of disease. Users of IoT thermometers, for example, can already opt-in to share their data for use in the aggregate. But the prospect of using the data at the individual level for purposes that could be deemed punitive is ethically and legally complex. Albert Gidari, Director of Privacy at the Center for Internet & Society at Stanford Law School notes that the US Stored Communication Act would not permit compelled disclosure. “Any system devised to take advantage of location history would have to be consent-based and rely on voluntary cooperation of providers,” he told Risky.Biz. Compelled disclosure might also prove ineffective. The Electronic Frontier Foundation argues that the threat of having your movements monitored could create a perverse disincentive: people that feel unwell - but not so unwell to present for testing - may choose to avoid being tested to avoid it. And if such a system offered no agency or benefit to those being monitored, what is to stop them from simply leaving their mobile device at home? “We can’t expect that people who choose to be non-compliant are going to use an app voluntarily,” Boileau notes. “So at that point, [authorities] are left with using the phone infrastructure - or other companies that have location data. In New Zealand, for example, the telcos have the data for emergency call location - and in an emergency, a whole bunch of the usual rules don’t apply.” There are potential benefits for users - measuring compliance with quarantine would be an important input into determining “how long we should be in lockdown”, he said. In other words - put up with surveillance now, and lives can return to normal much sooner. But that’s a very difficult sell - what’s acceptable to a person in New Zealand or Scandinavia might not fly in Germany or the United States. Contact Tracing Using mobile location data for contact tracing presents many of the same legal and ethical challenges as monitoring compliance with quarantine. But it offers far more palatable use cases for countries seeking to balance containment of the disease with preserving civil rights in the longer term. Gidari posits the concept of a system whereby individuals that test positive may voluntarily disclose their mobile phone number or online account identifier to healthcare agencies. The government could then use existing lawful arrangements with tech companies to request rapid emergency access to the user’s location history. The agency could also request aggregate geofencing data to have the provider alert other users who were in close proximity to the person during their illness. If protected by privacy-preserving caveats - such as limiting which agency can access the data and how long they can retain or use the data - it might be something privacy advocates can live with. “We don’t need a Korea-style approach to this problem to get actionable data in the hands of the CDC or other health care providers,” Gidari said. “We can protect privacy too.” Stamos - who has previously been an expert witness on cases that involve location-based data - isn’t confident that cell tower data is precise enough for contact tracing without generating an unacceptable number of false positives. But data from Bluetooth beacons and WiFi SSIDs might do. The government of Singapore used Bluetooth as part of their efforts to contain the virus. Citizens were encouraged to voluntarily download the ‘TraceTogether’ app, provide the Ministry of Health their mobile phone number and turn Bluetooth on permanently. The app asks for user consent to log any other user of the app that spends more than 30 minutes within 2m of the person. The data is then acted upon if any of the users return a positive test. Over 600,000 Singaporeans have already volunteered to download the app, perhaps motivated by the sense of national solidarity pervasive in Singapore, or perhaps by the assumption that using a government-issued app will fast-track access to testing when it becomes necessary. In any case, the app has its limitations. The iOS app has to run permanently in the foreground to be effective, and the Android version must be manually configured to run in the background. Users are unlikely to be so diligent that they remember to turn it on every time they are in a public place - well in advance of getting sick - limiting the use case to people already on high alert, such as those that came into contact with a person waiting for test results. Developers may improve TraceTogether now that Singapore plans to release the app’s source code. Other efforts to convince users to voluntarily download a privacy-preserving app - such as Cambridge University’s ‘FluPhone’ app in 2011 and MIT’s new ‘PrivateKit’ app - haven’t driven enough user interest to make a meaningful impact. Stamos sees a faster way to enrol users in a privacy-preserving system. Any time Google or Facebook offer features like ‘People You May Know’, he notes, they are effectively already performing a similar feature to contact tracing. And both of those platforms have in excess of 2.5 billion users. “Contact tracing is a technique already proven in the field by Google and Facebook,” Stamos said. “This is why sometimes when you go into a store, you end up getting related ads in your feed - because Bluetooth beacons placed in the store have recorded your interest for future advertising.” He envisions a system under which any Facebook or Android user that tests positive to Coronavirus could - at the push of a button in an app they are familiar with - give permission for Facebook or Google to contact any other account holders that have been in the same Bluetooth Beacon or WiFi network (SSID) for more than 30 minutes. Stamos recommends the tech giants get on the front foot and build this capability voluntarily for US users, lest they be compelled by governments to build a compromised solution. “If I tested positive, I’d much prefer to hit a button and have Google and Facebook inform everyone that I’ve been in contact with, warning them to go get tested,” he said. “And that data doesn’t necessarily have to go to the government. It could be a relationship between me and counterparties, mediated by an app we use in common.” As long as the app is opt-in, that consent is provided, and that the app brokers the tracing and notification (rather than the user or other human operator), it could be rolled out in the United States without the need for legislative change, he said. “All the infrastructure is there to do it,” he said. “It would use the same [geofencing] mechanisms these companies use today, which we know to be legal.” The same wouldn’t apply for Europe, where GDPR and other regulations would likely prove too prohibitive. Even the most diehard privacy advocates say they would be willing to make a compromise in such an emergency. But contact tracing apps will only help, Alperovich notes, if there is enough testing capacity available to help the population know if they are infected or have been in contact with somebody infected. That’s not available in the US today. “It won’t do anything to trace people if we can’t actually test them,” he said. “But maybe when we get to the point of re-opening this country, and we want to make sure we don’t have new outbreaks, it’s something to consider.” Speaking as a person that has opted out of platforms that track his location data, he remains cautious. “I would want full transparency,” he said. “I’d want the source code of the app published by the government. I’d want strict oversight on how the data is used and I’d want mandatory purging of that data every so many days.” “If it can be effective, and if the user volunteers to submit data on social networks they already use, then with the right safeguards - I’m a tentative yes.” Even Boileau, who often quips that commercial surveillance is the “cyberpunk dystopia” we always dreaded, is in reluctant agreement. “The voluntary approach has some real benefits,” he said. “It’s an emergency. We’ve got the data and we should use it. Privacy can just suck it for a while.” For more coverage: Subscribe to the Risky Business podcast Subscribe to the Risky Business YouTube channel Subscribe to the Seriously Risky Business weekly newsletter

Risky Business #576 -- Are cloud computing resources the new toilet paper?

Patrick Gray — Wed, 25 Mar 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Azure resource constraints hit Europe Should we unleash surveillance on COVID-19, privacy be damned? Browser maintainers cease new releases South Korea-linked APT crew attacks World Health Organization Much, much more This week’s show is brought to you by Thinkst Canary. Thinkst’s Haroon Meer joins the show this week to talk about what he tells customers when they ask him if Thinkst could go rogue and own all their customers. You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Srsly Risky Biz: Tuesday, March 24

Brett Winterford — Tue, 24 Mar 2020 00:00:00 +1100

Subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Tech firms asked to help COVID contact tracing Lawmakers have asked US tech companies to contribute data to help health authorities monitor quarantine compliance and trace recent contacts of people infected with coronavirus. As authorities the world over rush to flatten the curve of coronavirus infections, even the most diehard privacy advocates are exhibiting a willingness to temporarily let civil liberties slide in the name of saving lives. You might be surprised by which of our regular Risky.Biz contributors said as much when we hosted a livestream discussion on cell phone tracking earlier today - which featured Dmitri Alperovitch, Adam Boileau, Patrick Gray and Alex Stamos. Healthcare hit with ransomware, despite promised truce Two prominent ransomware actors promised not to target primary healthcare providers until the COVID-19 crisis is resolved. The Maze and DoppelPaymer ransomware gangs told Lawrence Abrams at Bleeping Computer that they would assist hospitals directly if incidentally infected by their malware. DoppelPaymer’s disclaimer is that it will continue attacking pharmaceutical companies and the broader medical supply chain. Abrams told Risky Biz that he’s also since heard from the Netwalker ransomware gang, who explicitly stated that all its victims have to pay - healthcare or not. This week London-based insurer Beazley disclosed that it handled twice as many ransomware-related claims in 2019 than the year prior, and that 35% of the 700+ organizations claiming losses from ransomware attacks in 2019 were healthcare providers. Hospitals in Croatia and the United States have both fallen victim in recent days, as have fintech firm Finestra and local governments in France. InfoSec pros turn the tables on ransomware The COVID-19 crisis is bringing out the best in the InfoSec community, with hundreds of hackers donating their time to projects that aid the healthcare sector. This week Risky.Biz covered the story of 200 volunteer researchers that in their first week identified 50 hospitals with vulnerable VPN endpoints. Meanwhile, we are starting to see ‘Coronavirus Fraud Coordinators’ appointed by US Attorneys across the United States, whose remit includes prosecuting ransomware gangs that use Coronavirus-related lures. Are we at ‘peak cyber’? There’s talk in VC-land about whether we’ve reached the peak of speculation on cyber security startups. Some US$5 billion was invested in cyber security startups across 311 deals tracked by Pitchbook in 2019. While nobody would expect an epidemic-plagued 2020 to reach these heights, there is some evidence emerging that the market was already coming off its peak. Early stage funding and aggregate deal sizes for cyber security startups in the US were already tapering off late in 2019, well before the market crashed. Newly-unemployed targeted in mule schemes Cybercrime gangs have long promised unsuspecting jobseekers attractive ‘work from home’ roles that actually serve to launder stolen funds. As unemployment soars across the Western world, we can anticipate that these gangs will find it easier to hire new mules. Brian Krebs has a great story on a new muling operation that is advertising for new roles to ‘process transactions for a Coronavirus Relief Fund’. Because we really need a Windows zero-day right now Microsoft has warned clients of a zero-day vulnerability in Windows - specifically in Adobe Type Manager Library. The vulnerability is being exploited by malicious actors and Microsoft has listed a number of temporary workarounds until a patch is available. FSB’s botnet schematic dumped online A hacking group that calls itself ‘Digital Revolution’ has published 12 documents that it claims to have stolen from a subcontractor to Russian intelligence service FSB. The documents include a 2018 proposal to build the intel agency ‘Fronton’ - a Mirai-style botnet from compromised IoT devices. Two years later, there is little evidence that the project went ahead. Three reasons to actually be cheerful this week: Singapore open sources contact tracing app: The state of Singapore will release a mobile app that identifies who has been within 2m of a coronavirus patient for longer than 30 minutes. Over 600,000 Singaporeans volunteered to download the app and submit data to health authorities. Chrome, Firefox remove FTP support: Mozilla has joined Google in removing support for the ageing File Transfer Protocol in their web browsers. On behalf of every blue team: good riddance! Watching out for your keystrokes: Google engineers have developed and released under open source some new heuristics for detecting USB keystroke injection. Shorts New IoT botnet: Meet ‘Mukashi’, a new botnet made up of compromised Zyxel NAS devices and routers. The vendor’s patch for the vulnerability - which doesn’t fix older Zyxel devices and the vulnerability - scores a perfect 10 for severity. Trickbot adapted for espionage: TrickBot - typically used a banking trojan - has been modified for targeted attacks on telcos in what appears to be an espionage campaign. WHO sent you that email? Attackers are setting up over 2000 malicious domains a day relating to COVID-19, with many mimicking the World Health Organization. Attackers didn’t need any in one recent phishing campaign, which abused an open redirect condition in the US Department of Health and Human Services website. Not a great look. Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz

Volunteers and vigilantes back hospital InfoSec

Brett Winterford — Mon, 23 Mar 2020 00:00:00 +1100

Around 50 hospitals around the world are less likely to get popped in ransomware attacks this week, thanks largely to a loose band of InfoSec pros that banded together to help healthcare providers during the COVID-19 crisis. While they aren’t yet going after ransomware gangs in vigilante-style retribution, the group’s pro bono work has already helped pinpoint over 50 healthcare organizations running vulnerable versions of Citrix NetScalers or Pulse Secure VPN gateways. Vulnerable VPN endpoints have been targeted by several ransomware gangs in recent months, and despite promises from some groups not to target healthcare organizations, hospital networks and the medical supply chain continue to fall victim. The voluntary threat intel and hunting effort has been welcome help for Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (H-ISAC), which has taken on the role of aggregating and disclosing vulnerability information collected by the group to affected healthcare providers. The group of independent researchers - which now numbers around 200 - has no name. Most of its members prefer anonymity and volunteer outside of work hours. So far they have provided H-ISAC data from honeypots set up to detect opportunistic scanning activity. They also scanned the internet for IP addresses hosting vulnerable VPN endpoints, from which H-ISAC extracted a list of 50 healthcare providers. H-ISAC has sent those organisations links to technical write-ups on the vulnerabilities in question, as well as generic mitigation advice, irrespective of whether they are H-ISAC members. Weiss is optimistic the advisories will be acted on. “Based on our prior experience, most [hospitals] will pay attention and do something,” he said. The hospitals will be prompted with further information if their systems continue to show up in scans, he said. Ohad Zaidenberg, one of the few public figures working to corral volunteers, told Risky Business the group has only “just started.” “From tomorrow, we will start to work actively,” he said, but was coy as to what the next phase of their program involves. Healthcare CSOs we spoke to this week were grateful for the camaraderie and generosity of their industry peers. But they also cautioned to not expect too much of hospitals under strain. “The offers of intel-sharing and threat hunting is only useful to the extent that hospitals have the capacity and capability to consume it,” said Christopher Neal, CSO of Ramsay Health Care, which operates a global network of 480 medical facilities in 11 countries. In most hospital networks, Neal said, there are insufficient resources available to act on the information - even prior to the coronavirus outbreak. Neal wants to see “clearer public policy arguments to increase funding for security programs” in healthcare. Weiss said that he is keen to receive more Indicators of Compromise (both atomic indicators and TTPs) about ransomware attacks, as well as decryption methods for various strains of the malware. But he recognizes the difficulties that might emerge as the initiative scales. Automation may be required to filter and sort through the volume of data coming in and to prepare actionable reports. Still, he said, “I’d rather have that problem than the reverse.”

Playing the long game on remote access

Brett Winterford — Fri, 20 Mar 2020 00:00:00 +1100

As multiple cities head into lockdown, IT teams face extraordinary pressure to urgently deliver remote working to more users in a broader number of roles. Over the coming weeks, the contrast between well and poorly resourced IT teams will be stark. Many won’t have the wherewithal to navigate this crisis without introducing unacceptable risks. Those that can will leap ahead. The tools we have on-hand to provide remote access in 2020 are orders of magnitude better than even a year or two ago. Web-based identity brokers, trivially-deployed MFA and identity-aware proxies have arrived to save us from the hell of “just install TeamViewer”. And while the least imaginative solution to the crisis is to ramp up VPN access, others will dare to use this crisis as an opportunity to move to a “zero trust” delivery model. This week we’re asking: What can organisations do to quickly stand-up work from home options for a displaced workforce that might even leave us in a more secure place than we started? Avoiding the worst It’s safe to say that if a user wasn’t offered remote access to enterprise systems before COVID-19, it was probably for a fairly intractable reason. Many admins will now be looking for a ‘least worst’ option to make it happen fast. So let’s start there. Availability and speed probably trump all other considerations at present. But security has to hold out on a few minimum requirements: Use managed devices, wherever possible - Unfashionable though it might be to say, users need to be held to a minimum standard of security. For the majority of companies that haven’t arrived at a zero-trust nirvana, we only get the control and visibility necessary to secure remote connections when we can enforce policy on the device. Avoid third-party remote support tools - Limit use of VNC, TeamViewer and other remote support tools. Users should only connect via remote sessions that are encrypted, and on apps that can be patched and monitored by the security team. If you aren’t using application whitelisting tools, a combination of Group Policy (restrict hashes of their EXE files) and firewall rules might be the best you can manage. MFA, always - All user connections should require a second factor of authentication - irrespective of device or access mechanism. Hardware MFA is king, SMS the least desirable, and the many variations in between the most practical. Scan and patch - All components of the remote access solution should be patched against known vulnerabilities - with close attention paid to VPN agents and concentrators. Avoid RDP altogether - If you don’t absolutely need it, you should ideally have disabled RDP. But if you must… Don’t expose RDP to the internet - User connections should only be made from managed devices over an SSL VPN. Avoid direct RDP connections - RDP sessions should be forced through a centrally-managed RD Gateway deployed in a DMZ, preferably behind a web application firewall. If that sounds like a performance nightmare, it’s because it is. We’re going on the assumption that you’re desperate. Enforce basic security config - Long and complex passwords, MFA and account lockouts for multiple incorrect passwords, in the very least. Hunt - RDP is so commonly abused by attackers, you’re going to need to keep a close eye on it. So what if the supply-chain of new devices breaks down, and BYOD becomes your only choice? Connecting user-owned devices to virtual desktops in an organisation’s private cloud may be a reasonable compromise, especially for users requiring access to older or resource-intensive apps. VDI isn’t the worst option - but you’re going to need a lot of spare compute, storage and network capacity. A sudden influx of remote users isn’t going to be cheap. If you’re going to go to that much effort and cost, you may as well be thinking longer-term. Adjunct Professor at Stanford and fellow Risky.Biz contributor Alex Stamos suggests CIOs take the urgent use case to provide remote access - which has very good chances of being funded - and use it as a stepping stone to zero-trust. View the recent Risky Business livestream on enabling a work-from-home workforce: Identity-Aware Proxies: your Coronavirus friend It might not be as big a leap as you think. Any organisation that has deployed Office 365, for example, has created a cloud-hosted identity store (in Azure AD). Microsoft’s Azure AD Application Proxy can use this identity store to provide the same remote (SSO) access into internally-hosted web apps as Microsoft’s cloud suite. CSOs and CIOs aren’t limited to Microsoft technology here, either. Akamai, Cloudflare and others now offer the network-level plumbing required to provision internal services to remote workers via “identity-aware” proxy services. Users sign-in using SSO (via Azure AD, Okta, whatever), then get piped through Akamai or Cloudflare’s network to internal apps. So if you’re really stuck - and feeling brave - the users previously bound to the workstation at HQ might make for a great pilot group. It’s relatively new tech and there will be teething issues, but it’s certainly worth a look. How are you most likely to be attacked? You can also build a strong case for taking a new approach to remote access when you look at the initial infection vector used in recent attacks. Attacking vulnerable users There’s already been a proliferation of COVID-themed credential phishing campaigns from both State-sponsored attackers and cybercrime gangs, to such a degree that US Attorney General William Barr has urged the Department of Justice to prioritise prosecution of COVID-themed scams. We should also anticipate that attackers will double-down on tech support scams. Users will be asked to follow unfamiliar procedures over the coming weeks. Some will be unfamiliar with the devices they’ve been assigned. They’ll have no prior experience with connecting using the corporate VPN. They may never have raised requests for IT support when outside the network. These attacks will have a higher impact than usual, as many users will be connecting to corporate apps from user-owned devices. These devices will be highly susceptible to malware infection, unmonitored, difficult to support and difficult to acquire and re-image after they get infected. Malware distributors won’t need to innovate much to net a bigger and more profitable catch. Trawling for exposed remote access We can expect attackers to scan for internet-exposed RDP (remote desktop protocol - defaults to port 3389) and ports used for third-party remote support tools (VNC, TeamViewer etc) to find low-hanging fruit. Ransomware actors in particular are fond of abusing exposed RDP connections as an initial infection vector for attacks - as evidenced by recent ‘big-game hunting’ ransomware attacks in France. We’re also seeing commodity malware distributors like the TrickBot gang target RDP. To date, researchers we’ve spoken to that run RDP honeypots haven’t picked up on major changes in attacker behaviour. Scanners are gonna scan, epidemic or not, and there were enough boxes to own before the crisis. But as Insomnia Security’s Adam Boileau noted in a Risky.Biz livecast this week, the impacts of the many poor decisions made this week are likely to be long-felt. “Admins will install VNC on desktops, punch some holes in the firewall, and hand out a port number and a password. We will live with a very, very long tail of the mess we’ve made.” Vulnerable gateways Attackers will also be keeping an eye out for victims that haven’t patched VPN kit against known vulnerabilities. In hindsight, it was probably good fortune that offensive security researchers got so intimate with corporate VPN apps during the course of 2019. A quick refresher: In April 2019, US Homeland Security warned of authentication bypass flaws in a long list of enterprise VPN apps. Using these flaws, attackers that compromised a victim’s endpoint could assume the user’s full VPN access and go for broke in the corporate network. Palo Alto and Pulse Secure were the only vendors to immediately respond with patches for their VPN desktop apps. Researchers dropped a new set of bugs found in Palo Alto Networks, Pulse Secure and Fortinet VPN solutions at Black Hat in August. Within days, attackers were scanning thousands of vulnerable Pulse Secure VPN endpoints and Fortigate SSL VPN web portals, collecting private keys and passwords for use in later attacks. From late 2019, the flaws were being actively exploited by APT crews and weeks later by ransomware gangs - including the crew that crippled Travelex. Already in 2020, we’ve seen attackers scanning for vulnerable Citrix gateways. It’s assumed that the ransomware actors that popped German auto parts manufacturer Gedia, France’s Bretagne Telecom, steel manufacturer EMRAZ and possibly the German City of Potsdam abused a set of critical vulnerabilities found in Citrix products in late 2019. Where do you expect attackers to focus their attention? Hit me up on Twitter.

Risky Business #575 -- World drowns in Coronavirus phishing lures as crisis escalates

Patrick Gray — Wed, 18 Mar 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Coronavirus phishing lures are everywhere Czech hospital ransomwared during crisis Voatz mobile voting app destroyed by Trail of Bits audit We recap yesterday’s livestream Windows SMBv3 bug probably not such a big deal ALL the week’s news This week’s sponsor interview is with Sam Crowther, founder of Kasada. They do bot detection and mitigation and apparently they’re quite good at it. Sam joins the show to talk through the new greyhatter of anti-anti-bot. It’s actually a really fun conversation, that one, so stick around for it. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Trend Micro's Jon Clay talks ransomware and being a portfolio company

Patrick Gray — Mon, 16 Mar 2020 00:00:00 +1100

If you don’t know already, all guests who appear on the Risky Business Soap Box podcast paid to be here. These podcasts are promotional, but as regular listeners know, they’re not just mindless recitations of marketing talking points. This edition of Soap Box is brought to you by Trend Micro, which is a company that’s in a really interesting position at the moment. With Symantec acquired by Broadcom, which only really cares about the biggest 500 companies in the world, Sophos absorbed, Borg-style, by Thoma Bravo and McAfee sitting in the corner eating its paste, there’s an opportunity for a new “portfolio” security software firm to emerge, and Trend wants to be it. Jon Clay is Trend’s director of global threat communications and he joined me for this conversation about ransomware, how EDR is becoming “just another feature,” and what the role for a “portfolio” company in infosec is going to be in the future.

Risky Business #574 -- EARN IT Act targets crypto, Joshua Schulte to be retried on most serious charges

Patrick Gray — Wed, 11 Mar 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Two Exabeam engineers sick with Coronavirus following RSA attendance Hung jury in Joshua Schulte Vault7 trial Qihoo 360 tries to “pull an APT1” but it was just weird and awkward instead Corellium releases Android for iPhone hardware toolkit Much, much more. This week’s sponsor interview is with Scott Kuffer of Nucleus Security. They have built a web application that pulls together feeds from all your vulnscanners and vulnerability-related software (Snyk, Burp, whatever), normalises it then lets you slice it, dice it, and send it through to the most relevant project owner/dev team. It’s insanely popular stuff, and Scott pops along this week to talk about vulnerability management and what his last year has looked like as Nucleus’s business has boomed. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Chris Kennedy on the latest MITRE ATT&CK developments

Patrick Gray — Thu, 20 Feb 2020 00:00:00 +1100

These Soap Box podcasts are wholly sponsored. That means everyone you hear on one of these editions of the show, paid to be here. But that’s ok, because we have interesting sponsors! Today’s sponsor is AttackIQ. They make an attack and breach simulation platform. They started sponsoring risky biz when they were a little baby startup, but these days, as you’ll hear, attack sim is actually emerging as a budget line item, particularly for larger companies. They use the platform to test their existing controls, figure out where they have gaps or bad products, then kick on to planning from there… then retest, evaluate, plan, implement, etc etc etc. For a lot of organisations, something like this is going to be really helpful. Another super helpful thing is that AttackIQ is all in on MITRE ATT&CK. AttackIQ is, in fact, one of the first vendors I know of that jumped on the MITRE ATT&CK bandwagon. They got in early, and this podcast is mostly going to be focussed on ATT&CK. Chris Kennedy is AttackIQ’s CISO and VP of customer success! He did one of these soap boxes last year and it was really popular with the CISOs who tune in to risky biz. He joined me for this discussion about MITTRE ATT&CK; where it’s at, where it’s going, how people are using it and how AttackIQ is using it to make its products more useful.

Risky Business #573 -- Gas plant ransomware attack, Huawei mega-indictment and more

Patrick Gray — Wed, 19 Feb 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Ransomware shutters US natural gas plants Huawei hit with huge indictment Voatz mobile voting app shredded by MIT, dust-up ensues The latest from the Vault7 trial Reality Winner seeking clemency Ring to force all users on to 2FA Israeli court rules Facebook must reinstate NSO staff profiles USG drops more North Korean samples OpenSSH gets Fido/U2F support This week’s sponsor interview is with Dave Cottingham from Airlock Digital. They make whitelisting software that’s actually useable. And until I did this interview I didn’t know that their agent actually does host hardening as well, which is pretty cool. Since we last spoke they’ve also popped up in CrowdStrike’s app store thingy, which means a bunch of you Crowdstrike customers will be able to dabble in some whitelisting if you want to. Dave joins the show to talk about a bunch of stuff, including their experience having Silvio Cesare do a code audit on their agent. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Cmd's Jake King talks Linux security

Patrick Gray — Thu, 13 Feb 2020 00:00:00 +1100

Soap Box podcasts are fully sponsored which means everyone you hear on these editions of the show paid to be here. If you’re looking for the regular, weekly Risky Business podcast, just scroll one back in your podcast feed. But you know what? I wouldn’t recommend it, because this edition of Soap Box is top notch. In it we’re joined by Jake King, a co-founder of Cmd Security. Cmd makes Linux security software, and I love their approach mostly because, well, it’s simple. It has two main functions – visibility and control – but both of these functions focus on execution. The visibility piece is “which user executed what?” and the control piece is “only let user X execute Y”. The idea here is you can apply an additional layer of control over user actions, but obviously the visibility aspect to this is pretty useful at driving decisions around what sort of limits to put on various accounts. Jake has fronted this edition of the show with an exclusive offer to Risky Business listeners, which is free use of their software. Obviously you won’t get access to absolutely all its features, but certainly enough of them to be very, very useful. They’re getting to the point where they can do this – throw out most of the functionality and just sell the icing on the cake to companies who want it. You can register for early access to the free trial at cmd.com/risky.

Risky Business #572 -- Equifax indictments land, some big Huawei news

Patrick Gray — Wed, 12 Feb 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Chinese operators indicted over Equifax breach, more indictments coming Alleged backdoor in Huawei lawful intercept features Data on 6.4m Israelis exposed by political party app Iowa caucus app was a pile of crap, 4chan clogged up caucus night phones Corp.com is up for sale. That’s a lotta hashes. Much, much more. This week’s show is brought to you by Corelight. Corelight’s Richard Bejtlich joins the show this week in the sponsor slot to talk about what the company is doing to try to build the open source community behind Zeek, the tool its products are based on. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #571 -- Is Joshua Schulte The Shadow Brokers?

Patrick Gray — Wed, 05 Feb 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Iowa app falls over, social and mainstream media chaos ensues Twitter acknowledges state-backed API abuse CDA 230 under review. Uh oh. Toll Group ransomware ICS-compatible ransomware spotted in wild UN got owned pretty hard Is Joshua Schulte The Shadow Brokers? A theory Much, much more. This week’s show is brought to you by Okta. Okta’s Simon Thorpe will be along this week to talk about a new trend they’re seeing and obviously encouraging – enterprises ditching Microsoft’s Active Directory. It’s a cloud, cloud, cloud, cloud, world these days. and in the year 2020, you might want to actually ask yourself – do you still need to be using AD? Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Zane Lackey on the rush to Azure and securing Web apps against logic flaws

Patrick Gray — Thu, 30 Jan 2020 00:00:00 +1100

In this edition of the Soap Box podcast we’re joined by Zane Lackey, a co-founder of Signal Sciences. Signal Sciences makes, in essence, a “next generation” Web Application Firewall, or WAF. Signal Sciences is a pretty well-established startup these days with a zillion customers, so he has some real insight into what’s happening out there in webapp land. In this conversation he has some really interesting things to say: First, there’s a rush to Azure happening right now. It has become the platform of choice for all sorts of organisations. He also has some really interesting things to say about how to protect web applications from logic flaws. Some simple ideas that should really help lock things down. Enjoy!

Risky Business #570 -- FTI report lands like a lead balloon

Patrick Gray — Wed, 29 Jan 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: The FTI report on the Bezos incident is a massive let down UK lets Huawei into 5G build SeaTurtle campaign pinned on Turkey Mitsubishi owned through its AV solution Ransomware crews owning unpatched Citrix boxes Much, much more. This week’s sponsor guest is Sherrod DeGrippo of Proofpoint. She’s a senior director of threat research there and she’ll be along to talk about the Emotet malware. Despite being spray and pray malware, it’s pretty successful because it operates at such ridiculous scale. Sherrod joins us with details. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Feature podcast: Alexa O'Brien on Wikileaks, intelligence and influence

Patrick Gray — Thu, 23 Jan 2020 00:00:00 +1100

This podcast is brought to you by the William and Flora Hewlett Foundation. The Foundation funds a lot of interesting people and work in the cybersecurity space and they’re supporting this special podcast series examining topics of interest to cyber policy makers. In this podcast we’re going to hear from Alexa O’Brien. She’s currently studying a Masters in Applied Intelligence at Georgetown University. She’s also working on an ethical framework for the applied intelligence discipline – collection, analysis and the like – for media practitioners. Alexa is also a journalist. Her most recent major work is a July 2019 analysis of the US media’s coverage of civilian harm in the war against ISIS, I’ve linked through to that in the show notes below. Before she worked as an established journalist, Alexa covered Chelsea Manning’s trial at Fort Meade on her blog. Her transcript of the proceedings were a tremendous help to the wider media, and it was this work that briefly pulled her into the Wikileaks “scene”. It wasn’t a good fit. Alexa joined me for this freewheeling discussion about intelligence, ethics, moral authority and signs that not everything is as it seems in the Wikileaks universe.

Risky Business #569 -- Bezos' Saudi hack claims, Glenn Greenwald facing cybercrime charges

Patrick Gray — Wed, 22 Jan 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: MBS fingered in Bezos dick pic breach Glenn Greenwald facing cybercrime charges over Vaza Jato Telegram leaks Citrix finally patches 90s-style ADC bugs IE 0day doing the rounds, no patch available PoCs for 0601 drop Much, much more… This week’s show is sponsored by VMRay, a sandbox-based malware analyser. You throw a sample into it and it spits out all sorts of useful information. Rather than having one of its own staff in this week’s sponsor slot, VMRay has put forward one of its customers instead. Expel is a managed security provider, and it is making heavy use of VMRay to do malware analysis. Tyler Fornes is a Senior Detection and Response Analyst at Expel and he joined me to talk about how they’re using VMRay to actually make life easier. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #568 -- Let's Decrypt

Patrick Gray — Thu, 16 Jan 2020 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: NSA drops a sweet Microsoft crypto bug Burisma targeted by GRU. 2016 all over again? Citrix users having a bad time Intrusion Truth targets APT40 No more BYOD for US soldiers in Middle East Much, much more We have a new sponsor in this week’s show – ExtraHop Networks. Network monitoring is dead! Long live network monitoring! Matt Cauthorn is ExtraHop’s VP of cybersecurity engineering and he’ll join us this week to talk about recent moves by cloud providers to offer full virtual network mirror ports out of their infrastructure. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing. *Credit for this week’s headline goes to @appsecbloke.

Risky Business #567 -- ToTok, Iran and big-game ransomware galore

Patrick Gray — Wed, 08 Jan 2020 00:00:00 +1100

In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including: Will Iran cyber all the cybers? ToTok chat app alleged to be UAE spy tool China makes moves on own OS Big game ransomware hits crisis levels WSJ carries water for NSO Group Much, much more This week’s show is brought to you Bugcrowd. We’ll be hearing from Bugcrowd’s Casey Ellis in this week’s sponsor interview. He’ll be talking about the US federal government’s decision to force all departments into accepting bug reports – he thinks this is a move that will have a big impact on the wider security ecosystem. Links to everything are below!

Risky Business #566 -- Balkanisation, ransomware, comedy bugs close out the decade

Patrick Gray — Wed, 11 Dec 2019 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: China to ditch foreign hardware, software, from government use Huawei sues FCC More background on Project Raven Senate hearings into encryption Reddit fingers alleged RU disinfo campaign “Evil Corp” hackers have lots of money, terrible taste Ransomware attacks galore Much, much more This week’s sponsor interview is with Haroon Meer of Thinkst Canary. And we’re going to do the typical thing and have a look forward to what we can expect to see in security next year. But we’re going less for the big, dumb predictions and more picking the trends we expect to strengthen over the next year. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Some Zero Trust facts of life

Patrick Gray — Thu, 05 Dec 2019 00:00:00 +1100

Our guest in this edition is Will Peteroy. He’s currently the CTO of security at Gigamon after his company, ICEBRG, was acquired by Gigamon last year. Will has a long and interesting background in security. As you’ll hear, he worked on the security team at Microsoft once upon a time. He even co-wrote Microsoft’s gigantic paper on mitigating “pass the hash” attacks some years ago. He also did some time with the “Department of Defense” some time ago. He’s a knowledgable fella. And he’s been spending considerable time lately focussing on the issue of Zero Trust Networks. Zero Trust is one of those things that’s super simple in theory, but absolutely, awfully complicated when you actually try to do it. So Will joined me for this chat about Zero Trust networks, how to define them, how to transition to them, what some of the steps are and thinking is. It’s a great conversation for any CSOs who are working through some of the issues that pop up when they’re transitioning to ZT architectures.

Risky Business #565 -- Crypto bro takes Jong turn

Patrick Gray — Wed, 04 Dec 2019 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Ethereum developer Virgil Griffith charged for allegedly teaching DPRK about cryptocurrency DHS/CISA government vulnerability disclosure program takes shape, looks good Adobe discloses Magento Marketplace data breach Fully patched Android devices targeted IM-RAT takedown Much, much more This week’s sponsor interview is with Brian Robison of BlackBerry Cylance. He pops along to talk about some interesting research they’ve done on mobile malware. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #564 -- PRC suffers leak, alleged defection

Patrick Gray — Wed, 27 Nov 2019 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: RIPE has officially run out of v4 addresses NSO workers sue Facebook to get their accounts back Mike Pompeo, Republican lawmakers keep Crowdstrike conspiracy theory alive Bugs, hacks, ransomware disasters and more. This week’s sponsor interview is with Sally Carson of Duo Security. Sally has been a designer for over 20 years, joining Duo in 2015 to build the company’s Product Design and User Research practice from the ground up. Duo now employs one designer for every five users, which is an extremely generous ratio. As you’ll hear, Sally thinks empathy is the key to designing usable technology. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Trend Micro VP of Cloud Research Mark Nunnikhoven

Patrick Gray — Tue, 26 Nov 2019 00:00:00 +1100

This is a Soap Box edition of the show. Soap Box isn’t our regular weekly news program. If you’re looking for that one, scroll one show back in your podcast feed. Soap Box is a wholly sponsored series of podcasts we do here at Risky Business where vendors give us money to appear. And while these are sponsored episodes they’ve actually become almost as popular as the weekly show. They started off about half as popular, and then I guess people gradually realised they don’t actually suck, so here we are. Trend’s head of cloud research, Mark Nunnikhoven, is our guest in this edition and we have a pretty wide ranging conversation. A big part of this conversation is us talking about the differences between locking down a corporate network vs locking down a modern application production stack… and there’s a very funny part of this interview where Mark points out that AV scanning for Docker images actually makes sense. Seriously.

Risky Business #563 -- Phineas Phisher returns

Patrick Gray — Thu, 21 Nov 2019 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Phineas Phisher returns, claims credit for Cayman bank hack and offers bounties for activist hijinks Microsoft cautiously backs DoH Huawei granted another 90-day stay of execution in US market Iranian APT crew targeting ICS supply chain Alexei Burkov extradition complete, appears in US court Some very funny stuff is happening to GPS in the Shanghai area Louisiana government ransomwared, emerges relatively unscathed Official Monero binaries trojaned. Lol. Much, much more! This week’s show is brought to you by Senetas. Rob Linton from Senetas joins the show this week to talk about its O365 integration for its SureDrop product, a new feature that will be of interest to many Risky Business listeners. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #562 -- Two former Twitter staff charged over Saudi spying

Patrick Gray — Wed, 13 Nov 2019 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Two ex Twitter employees charged with spying for KSA US border device searches now require suspicion after ACLU win Unredacted Corellium lawsuit response drops Ransomware attacks on hospitals increase mortality Much, much more! This week’s sponsor interview is with Stephan Chenette, the co-founder and CTO of AttackIQ. We talk to him about some CSOs playing Pokemon Go with MITRE ATT&CK (“Gotta catch ‘em all!”) and about recent ATT&CK developments. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Capsule8 chief scientist Brandon Edwards

Patrick Gray — Thu, 07 Nov 2019 00:00:00 +1100

The Soap Box podcast is a wholly sponsored podcast series we do here at Risky.biz, which means everyone you hear on it paid to appear. This edition of the Soap Box is brought to you by Capsule8. It’s taken a long time, but over the last couple of years we’ve seen a meaningful Linux security software market emerge. It makes sense, I guess, considering the modern production environment is all glued together from various Linux systems. So, we’re seeing some interesting approaches to the Linux security challenge pop up. Capsule8 makes detection and visibility software for Linux. You can use it to spot various types of funny behaviour on your Linux systems. Brandon Edwards is Capsule8’s chief scientist and he is our guest today. We speak about a few things, but primarily this conversation centres on the fact that modern production environments have become so complex it’s almost impossible to comprehend how they work. We’ve lost insight, and we’ve even lost the ability to understand how individual security flaws can impact our wider production environments. So we’re going to talk about complexity in modern production environments, and then we’ll talk a bit about Capsule8’s approach to the Linux security challenge. Enjoy!

Risky Business #561 -- Report: NSO exploits used against politicians, senior military targets

Patrick Gray — Wed, 06 Nov 2019 00:00:00 +1100

On this week’s show Patrick Gray and Mark Piper discuss all the week’s security news, including: NSO Group malware turning up in some unexpected places Bluekeep mass exploitation finally begins Owning smart home devices with friggin’ lasers Two plead guilty to hacks on Lynda.com, Uber Imperva CEO departs following breach TLS Delegated Credentials sound like A VERY GOOD IDEA Cybercommand heads to Montenegro Much, much more This week’s show is brought to you by Thinkst Canary. Haroon Meer and Adrian Sanabria from Thinkst recently did a keynote talk at the Virus Bulletin conference in London. Titled “The Security Products We Deserve,” it’s a stinging critique of the security product lifecycle. VC firms keeping stupid ideas alive, analyst firms being parasites, vendors not doing security testing on their equipment and so much more. We’ll be talking to Haroon Meer about that keynote in this week’s sponsor interview, which will run after this week’s news segment. Links to everything are below.

Feature Podcast: Critical infrastructure security with Eric Rosenbach and Robert M Lee

Patrick Gray — Thu, 31 Oct 2019 00:00:00 +1100

This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers. This podcast features both Eric Rosenbach and Robert M Lee talking about ICS security. Eric is the co-director of the Belfer Center for Science and International Affairs at the Harvard Kennedy School. He also heads the Defending Digital Democracy project there. Eric has a very long and somewhat fascinating resume. As United States Assistant Secretary of Defense he led the US Defense Department’s efforts to counter cyberattacks by Iran and North Korea on US critical infrastructure. He’s also worked as a Chief Security Officer in the private sector and served as Pentagon chief of staff from 2015-2017. Robert M Lee is the founder of Dragos Inc, a very well known company in the ICS/OT security space. Rob started out in infosec with the US Air Force as a Cyber Warfare Operations Officer tasked to the NSA, but as you’ll hear, Rob is actually pretty optimistic about the ICT/OT security challenge.

Risky Business #560 -- Facebook sues NSO Group

Patrick Gray — Wed, 30 Oct 2019 00:00:00 +1100

On this week’s show Patrick and gust co-host Alex Stamos discuss the week’s security news, including: Facebook files suit against NSO Group Corellium responds to Apple suit Indian nuclear power plant administrative network likely attacked by DPRK Mass defacement in Georgia. Old schooooool! Fancy Bear targets 2020 Olympics FCC proposes subsidies for telcos to rip and replace Huawei, ZTE equipment City of Johannesburg data held to ransom, but it’s not ransomware Much, much more This week’s sponsor interview is with Jake King of CMD Security. The topic is applying the MITRE ATT&CK framework Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Risky Business #559 -- Maybe it was the Israelis hacking the Russians to masquerade as Iranians?

Patrick Gray — Wed, 23 Oct 2019 00:00:00 +1100

On this week’s show Patrick and Adam discuss the week’s security news, including: Fresh details on Turla’s hostile takeover of Oilrig Russians doing very interesting things with “tagged” TLS China wants an aerospace sector so a lot of people got a lot of owned Imperva releases breach details Zendesk cops to 2016 breach German manufacturer, US transport tech company sunk by ransomware NordVPN gets owned AVAST owned. Lots. Again. Welcome to Video takedown Much, much more This week’s show is brought to you by Trail of Bits! We’ll be hearing from Trail of Bits practice lead for assurance Stefan Edwards all about their work on a recent security audit of Kubernetes. As it turns out, Kubernetes isn’t actually a horror show, but Stefan thinks you might want to run a hosted instance unless you’re a real expert. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 10 part 2: Do too many users have VPN access to your prod environment? There's another way!

Patrick Gray — Wed, 09 Oct 2019 00:00:00 +1100

In this edition of Snake Oilers Patrick speaks to: Justin McCarthy of StrongDM StrongDM makes a protocol proxy that you can use to provision production services (like Kubernetes and SQL access) to users without them requiring full VPN access to prod. This is very cool stuff, if you manage a large prod environment that’s suffering from VPN sprawl you’ll want to check this one out. Nicholas Davis of Rapid7 Nicholas is the senior technical product manager for InsightIDR. InsightIDR is a SIEM/EDR play that integrates a bunch of stuff. These days Rapid7 is really emphasising the holistic nature of InsightIDR, rather than the endpoint part, and Nicholas joins the show to talk about that. Preston Hogue of F5 Networks F5 Networks recently acquired NGINX as a part of a push to become cloud-relevant. Their strategy is to allow for F5 security smarts to be inserted basically anywhere and anyhow you want. Preston joins the show to talk about that! Links to our Snake Oilers sponsors are below!

Risky Biz Soap Box: Yubico's Jerrod Chong talks series 5 Yubikeys and what's next

Patrick Gray — Thu, 03 Oct 2019 00:00:00 +1000

These Soap Box podcasts are a wholly sponsored series of podcasts we do here at Risky.Biz, so everyone you hear on the Soap Box podcast paid to be here. But that’s ok, because we’ve got some great sponsors. This podcast is brought to you by Yubico, makes of the Yubikey devices. These podcasts with Yubico have basically turned into an annual thing. Jerrod Chong is the Chief Solutions Officer at Yubico and he joined me for this conversation about what’s new in Yubico-land. They’ve launched some new stuff, including Yubikeys with lightning adapters for iOS devices, and Jerrod also talks about hardware 2FA moving increasingly to the mainstream. If you’re reading this within 48 hours of this podcast going live, you can get yourself a $20 discount on any two of the new series 5 Yubikeys by visiting this link and using the code ‘Risky19’.

Risky Business #558 -- Trump targets Crowdstrike, Apple jailbreakers rejoice

Patrick Gray — Wed, 02 Oct 2019 00:00:00 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: Apple jailbreakers partying in the streets Donald Trump targets Crowdstrike over 4chan conspiracy nonsense Ransomware absolutely everywhere this week Horror-show VxWorks bugs are popping up in other stacks OnApp fixes mother of all misconfigurations More SIM card issues Much, much more In this week’s sponsor interview we chat with Mr Sandbox himself, VMRay’s Carsten Willems. He’s along to talk about VMRay’s involvement in a machine-learning bypass competition that happened at DEFCON earlier this year. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 10 part 1: Richard Bejtlich talks Zeek plus pitches from Respond Software and PATH Networks

Patrick Gray — Thu, 26 Sep 2019 00:00:00 +1000

In this edition of the Snake Oilers podcast host Patrick Gray speaks to: Richard Bejtlich of Corelight Richard talks about Zeek, formerly Bro, and how enterprises can use it to capture useful network information for analysis, forensics and detection purposes. Richard is an industry luminary and it’s a great interview. Marshal Webb of PATH Networks Marshal explains how new technology like eBPF and XDP mean it’s possible to build DDoS mitigation rigs out of commodity hardware. That means DDoS mitigation is about to get a whole lot cheaper, and PATH is in pole position in this soon-to-be disrupted market. Chris Triolo from Respond Software Respond Software makes a decision agent for the modern SOC. They are aiming to completely replace level 1 SOC analysts so those resources can be freed up to do higher-value work. They’re offering free live and retroactive trials of their software, and it definitely belongs in the “why not take it out for a spin” category. Some links to the company websites and blogs are below!

Risky Business #557 -- 26 nations release cyber norms statement at UN

Patrick Gray — Wed, 25 Sep 2019 00:00:00 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: Tibetans targeted in mobile malware campaign Iran denies cyber-attack nobody was asking about More news from the Middle East 26 nations open UN General Assembly with statement on cyber norms Fedex sued over company’s NotPetya response, exec share sales Why “quantum supremacy” isn’t a big deal. Yet. Much, much more In this week’s sponsor interview we talk to Cody Wood of Signal Sciences about http request smuggling. What it is and why it’s a nightmare to fix. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #556 -- US Treasury targets DPRK crews, more details on Ukraine power hack

Patrick Gray — Wed, 18 Sep 2019 00:00:00 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: US Treasury targets DPRK APT crews Russia owned FBI counter surveillance team radio comms New details on 2016 attack against Ukraine power grid US Government to sue Edward Snowden for memoir profits Did RCMP intelligence director tip Phantom Secure on investigation? Much, much more! This week’s sponsor interview is with Casey Ellis of Bugcrowd. It’s an interesting chat with Casey this week. He was at the Billington cyber conference a couple of weeks ago and he had a bunch of interesting discussions there with people in the aerospace sector. Between recent Black Hat presentations on 787 security and the trouble Boeing has had with it’s 737-MAX, software security and resiliency is all of a sudden on the agenda in aerospace. Casey drops by to talk about all of that. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #555 -- Bluekeep Metasploit module released, Paige Thompson pleads not guilty and more

Patrick Gray — Wed, 11 Sep 2019 00:00:00 +1000

On this week’s show Patrick and Adam discuss the week’s security news, including: Paige Thompson pleads not guilty to CapitalOne hack German government probes FinFisher Bluekeep Metasploit module dropped DPRK samples hit VT, courtesy of our friends in the USA Apple releases awful statement about mass exploitation of its devices Much more This week’s show is brought to you by Blackberry Cylance. In this week’s sponsor interview we’ll be talking about US Cybercommand dropping some sweet, sweet APT28 samples on VirusTotal back in May. We’ll talk a little bit about that malware, and also have a more general discussion about CYBERCOM VT drops with Cylance research staffers Steve Barnes and Josh Lemos. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: MITRE ATT&CK framework is now officially everywhere

Patrick Gray — Thu, 05 Sep 2019 00:00:00 +1000

The Soap Box podcast series is a fully sponsored podcast series we do here at Risky.Biz, and that means that everyone you hear in it paid to be featured. This edition of the Soap Box podcast is brought to you by AttackIQ and in in it we talk to its CISO and VP of customer success Chris Kennedy. And we’ll be discussing a topic of that frankly should be talked about a bit more: the MITRE ATT&CK framework. We also talk about attack simulation and which security controls are most commonly and catastrophically misconfigured. If you’re a CISO you’ll like this one.

Risky Business #554 -- Is there an iOS exploit glut?

Patrick Gray — Wed, 04 Sep 2019 00:00:00 +1000

Alex Stamos is our news co-host this week. Patrick and Alex discuss all the week’s security news, including: Mass exploitation of iOS devices by Chinese govt Telegram moves to nix phone number enumeration “feature” USA targeted Iranian maritime awareness system Existence of Stuxnet mole revealed by Kim Zetter @jack gets hacked Much, much more This week’s sponsor interview is with Michelle Price of AustCyber. AustCyber is the organisation here in Australia that aims to build out the Australian cyber security industry and skills base, and Michelle pops in this week to tell us all about the upcoming Australian Cyber Week. Links to everything are below in the show notes.

Risky Business #553 -- Imperva's cloud WAF gets owned hard

Patrick Gray — Wed, 28 Aug 2019 00:00:00 +1000

On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news, including: Fortinet, Pulse Security VPNs are being exploited in wild Imperva’s cloud WAF gets colossally owned US authorities fear ransomware attacks against election systems Apple fixes re-introduced jailbreak bug Telegram design choice puts HK protestors at risk Researcher drops two 0days in Valve’s Steam client after bounty spat Much, much more This week’s sponsor guest is Ryan Kalember, EVP of cybersecurity strategy with Proofpoint. Ryan is stopping by this week to touch on a couple of topics. He’ll tell us why Proofpoint didn’t attribute a recent malware campaign targeting US utilities to APT10 despite there being some pretty APT10-like tradecraft used in that particular campaign. He’ll also talk a bit about how thread hijacking is a giant pain in the ass. That’s where attackers take over a mailbox, then just jump right in replying to existing mail threads. Detecting that is hard, of course, because it’s internal mail. It’s a great little mixed bag interview. Enjoy!

Risky Biz Soap Box: Casey Ellis on "match.com for hackers"

Patrick Gray — Thu, 22 Aug 2019 00:00:00 +1000

We used to think of companies like Bugcrowd as offering a very simple service: managed bug bounties. But these days that’s a bit too simplistic. All the “bounty” companies are offering more comprehensive and specific products these days. In this edition of the Soap Box podcast Bugcrowd CTO Casey Ellis joins the show to talk through what the future looks like in crowdsourced security. Matching individual hackers’ skills to individual gigs and launching new services like Bugcrowd for Marketplaces will be a big part of that future.

Risky Business #552 -- Guest host Alex Stamos on all the week's security news

Patrick Gray — Wed, 21 Aug 2019 00:00:00 +1000

In this week’s show Patrick Gray and Alex Stamos discuss all the week’s news, including: Confirmed: 30 companies affected by CapitalOne attacker China info-ops booted off Twitter, Facebook Real deal Bluetooth bugs Apple re-introduces kernel bug, jailbreaks aplenty Apple to sue Corellium for copyright infringement DPRK gets its malware VT’d by CYBERCOM Much, much more Haroon Meer of Thinkst Canary is this week’s sponsor guest. We spoke to Haroon while he was in the USA, just before he was about to deliver a talk to USENIX all about “embracing hackiness”. Haroon thinks “hackiness” is a huge advantage for red teams, but that doesn’t mean blue teams can’t use the same hacky approaches to defence. It’s a typically great chat with Haroon. Links to everything discussed are below.

Feature Podcast: Inaction is escalatory

Patrick Gray — Thu, 15 Aug 2019 00:00:00 +1000

This podcast is brought to you by the William and Flora Hewlett Foundation, and it’s the second in a series of podcasts we’re doing that are all about cyber policy. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea behind this podcast series is pretty simple: we talk to Hewlett’s grant recipients, or experts in Hewlett’s network, about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policymakers. In this podcast we’re speaking with Katherine Charlet. She currently serves as the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. Prior to joining Carnegie, Kate served as the deputy assistant secretary of defence for cyber policy, where she managed the development of US Department of Defence cyber policy and strategy, its development of cyber capabilities, and the expansion of its international relationships. This conversation essentially covers what the state of affairs is when it comes to militaries and their actions in the cyber domain. It was only a few weeks ago that reports claimed the United States government launched a cyber attack against Iranian weapons systems. We’ll hear from Kate about what she thinks that all means, and then we’re going to talk about all sorts of stuff really – the blurring of the line between what warrants a law enforcement response versus a military response, what the path to this situation looked like, so on and so on. But I kicked things off by asking Kate to tell us what this concept of “defending forward” actually means. In the last couple of years we’ve heard that term bandied about by all sorts of people, but everyone seems to have a different definition. Here, Kate shares her more definitive definition.

Risky Business #551 -- Post Vegas edition, more news than we can handle

Patrick Gray — Wed, 14 Aug 2019 00:00:00 +1000

Adam Boileau is along this week to discuss the week’s security news. We cover: Follow ups on CapitalOne Amazon EBS snapshots exposed North Korea bags $2bn in cybercrime spree Attempted Coinbase breach postmortem Apple’s new research phones for bug hunters APT41 busted moonlighting Cloudflare finally ditches 8chan Leaked Boeing 787 code shredded, full of bugs Qualcomm bugs pave path through to Android kernel Microsoft gets Tavis’d More RDP/RDS bugs Much, much more This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts account actions, not just by traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses and that led to a conversation about Linux EDR generally. It’s interesting stuff Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #550 -- CapitalOne owned, Hutchins sentenced, VxWorks horror-show and more!

Patrick Gray — Wed, 31 Jul 2019 00:00:00 +1000

Adam Boileau is along this week to discuss the week’s security news. We cover: Deep dive on the CapitalOne breach Marcus Hutchins sentenced to time served Telegram voicemail bug leads to political crisis in Brazil Ransomware leaves South Africans without electricity Much, much more Wolfgang Goerlich is this week’s sponsor guest. He’s an advisory CISO with Duo Security and will be along after this week’s news segment to walk us through Duo’s Trusted Access Report. They’ve got some interesting telemetry to share with us. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #549 -- FSB contractor breached, Equifax fined, NSO Group targets cloud

Patrick Gray — Wed, 24 Jul 2019 00:00:00 +1000

Adam Boileau is along this week to discuss the week’s security news. We cover: FSB contractor gets itself a whole lotta owned NSO Group pitches cloud access Hal Martin gets 9 years NSA to launch defensive division Bulgarian breach data exposed DataSpii scandal a 2019 privacy case study Google boots DarkMatter certificates from Chrome and Android Equifax fined $700m Horror show bugs in enterprise VPN concentrators from Palo Alto, Fortinet Microsoft demos ElectionGuard SDK (looks pretty cool) This week’s sponsor interview is with Casey Ellis of Bugcrowd. We’ll talk about how organisations are increasingly doing bug bounties on technology they use, not just technology they develop. And then we’ll be talking about a new thing Bugcrowd is doing – Bugcrowd for marketplaces. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Ryan Kalember of Proofpoint on "Very Attacked People"

Patrick Gray — Thu, 18 Jul 2019 00:00:00 +1000

Soap Box isn’t the regular, weekly show we do at Risky.Biz, if you’re looking for that, just scroll one podcast back in your feed or on the Risky Business website. Soap Box is a fully sponsored podcast series we do where vendors pay to come on and talk about research they’ve done, products they’ve launched, whatever. This edition of Soap Box is a particularly good one. Ryan Kalember is EVP of cybersecurity strategy at Proofpoint and he’s our guest in this edition. Ryan was on the show a little while back talking about the concept of VAPs – very attacked people. In this interview he’s going to expand on that. It’s one thing to know that some of your key people are being attacked, but let’s take it one step further. Of those people, who among them is most likely to actually do something like click an untrusted link? What do we know about those users that can tell us how at-risk they are, based on how frequently they’re attacked, and also how likely they are to engage with phishing attempts or dodgy attachments? And if they ARE a risky user, what can you do about that? Measuring risk is only useful if you can do something about it.

Risky Business #548 -- Zoom RCE details and all the week's news

Patrick Gray — Wed, 17 Jul 2019 00:00:00 +1000

Adam Boileau is along this week to discuss the week’s security news. We cover: US mayors agree: no more paying off ransomware crews BitPoint exchange loses $32m in cryptocurrency FinSpy is back, big time Chinese AV companies won’t flag government malware US security companies free to help political campaigns with discounted services, products Facebook to pay $5bn privacy fine with money from its spare pants Much, much more Assetnote’s Shubham Shah also joins the news segment to dish on the Zoom RCE bug he and his team found back in March. This week’s sponsor is Kasada, an Australian company that runs a bot filtering service. Kasada is a relatively new company but they’re kicking some pretty serious goals here in Australia and are now pushing into other markets like the USA. But instead of supplying us with one of their people, they suggested we interview one of their customers - REA Group CSO and head of platform Craig Templeton. REA Group runs realestate.com.au, Australia’s biggest real estate listings website. They had all sorts of trouble with content scrapers, bots causing service interruptions, cred stuffing, you name it. In the end they went with Kasada to solve their bot problems and Craig pops by this week to talk about the issues they were having and to sing Kasada’s praises. Getting a reference customer to speak publicly is a Herculean task, so full credit to Kasada for making this one happen. If you operate a website that pushes a lot of traffic you’ll want to hear that interview.

Risky Business #547 -- Zoom-gate, massive GDPR fines, ship hack warnings and more

Patrick Gray — Wed, 10 Jul 2019 00:00:00 +1000

Adam Boileau is along this week to discuss the week’s security news. We cover: Zoom’s week from hell BA, Marriott face massive GDPR fines Seth Rich conspiracy originated from Russia’s SVR Coast Guard warns of ship hax Cybercommand issues warning on DDE exploitation PGP ecosystem having a rough time Much, much more! This week’s show is brought to you by our lovely friends at Signal Sciences. I guess you’d call them a next generation WAF. Signal Sciences co-founder and CTO Zane Lackey will be along in this week’s sponsor interview to plug their new cloud-based WAF product, and also to have a chat about a trend he’s seeing at non-security conferences – more high quality security content. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Cylance talks Persona

Patrick Gray — Thu, 04 Jul 2019 00:00:00 +1000

As regular listeners know, this isn’t the weekly Risky Biz news and current affairs show, if you want that, scroll back in the podcast feed to the previous podcast. This is a Soap Box edition, a solely sponsored podcast series we do here at Risky Biz where vendors pay us to come on to the show to talk about, well, whatever they want, really. We’ve heard Duo Security talking about WebAuthn, we’ve got one with Proofpoint coming up that’s about insights they’ve gleaned from filtering such ridiculous amounts of email. But in this edition, Garret Grajek from BlackBerry Cylance will be along to talk about its new product, Cylance Persona. This latest product is kinda out of the box, it’s a machine learning classifier that you install on the endpoint that learns what the typical user behaviour looks like. Once the observed user behaviour starts diverging from what’s expected, it can perform actions – like kicking up for 2fa, locking the user out, whatever you want, really. It’s a novel approach to dealing with compromised endpoints. Two factor authentication is great, but if your endpoints are hosed that doesn’t really count for much. And that’s really what this new gear is about.

Risky Business #546 -- The fifth domain sees some action

Patrick Gray — Wed, 03 Jul 2019 00:00:00 +1000

Adam Boileau is along this week to discuss the week’s security news. We cover: NYTimes reports USA is getting all up in Russia’s grids Kremlin not happy CYBERCOM targets Iranian rocket control and APT crews TRITON attackers target US grid Turla completes hostile takeover of Oilrig Reuters publishes huge feature on Cloudhopper/APT10 China pwns global telcos, targets key subscribers FVEY owns Yandex Tourists entering Xinjiang now have mobile malware installed at border Florida city governments having a bad time Much, much more! This week’s edition of Risky Business is brought to you by Senetas. They make layer 2 encryption tech, but they’ve also got a content disarm and reconstruction play now, Votiro, as well as their safe file sharing platform SureDrop. But we’re sticking with encryption in this week’s sponsor interview. Senetas CTO Julian Fay will be along a bit later to talk about his trip to the International Crypto Module Conference. He’ll fill us in on what the agenda was there – lots of talk about quantum resistant crypto and also some talk about streamlining various certification regimes. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Feature podcast: An interview with Jim Baker, former general counsel, FBI

Patrick Gray — Sat, 15 Jun 2019 00:00:00 +1000

This is the first edition of a new series of podcasts we’re doing here at Risky.Biz that will focus on cyber policy issues. The Hewlett Foundation approached us a while back to see if we’d be interested in doing this series we jumped at the opportunity. The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea is pretty simple: we can talk to some of Hewlett’s grant recipients or experts in its network about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policy people. Our first cab off the rank is this interview with Jim Baker. He joined the Department of Justice in 1990 and rose through the ranks to become the FBI general counsel in January 2014, a position he held until December 2017. So of course he was running all things legal for the FBI during the Apple-FBI dispute over a locked iPhone 5C recovered from the gunman responsible for the San Bernardino shooting. Baker was the US Government’s point man on all things encryption, taking stances that outraged technologists and reinvigorated a policy debate that had – at least to a degree – stagnated for years. These days, Jim Baker serves as Director of the R Street think tank’s National Security and Cybersecurity Program. This interview focusses on the so-called encryption wars. The FBI and other law enforcement/intelligence agencies want better access to encrypted material, while technologists say that’s impossible to accomplish without introducing unacceptable risks into the technology ecosystem. Baker shares his view on the topic. The Australian government law enforcement and intelligence agencies guide to the Assistance and Access Act, which is mentioned in the introduction to the podcast, can be found here. (Ironically enough, served over http!) PLEASE NOTE: Jim Baker joined our meeting via a phone call, so the audio quality here isn’t up to our usual standards. Sorry about that!

Risky Business #545 -- US Government loses control of customs mugshot database

Patrick Gray — Wed, 12 Jun 2019 00:00:00 +1000

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news, including: CBP loses photo and license plate database Some Android phones shipped with backdoor Info on Google’s cloud outage USG ramps up “defend forward” Trump and Mnuchin can’t get their stories straight on Huawei The latest from Baltimore, more on that RDP bug TalkTalk hacker sentenced Much, much more This week’s show is brought to you by Remediant! Remediant CEO Tim Keeler will be along this week to have a chinwag. We’ll talk about how simple security tech is really en vogue these days and how that’s a good thing. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #544 -- NYTimes Baltimore report falls over

Patrick Gray — Wed, 05 Jun 2019 00:00:00 +1000

On this week’s show Patrick and Adam talk through all the week’s security news, including: NYTimes story on EternalBlue and Baltimore is bunk An RDP worm is feeling kind of inevitable Iran is still getting Shadowbrokersed Intercept has a great feature on SID Today dumps Australian Federal Police crack down on national security journalism Phantom Secure CEO gets nine years and loses $80m Silk Road 2.0 admin must be an amazing snitch Another Bitcoin tumbler bites the dust Much, much more This week’s sponsor interview is with Marco Slaviero of Thinkst Canary. Marco is joining us this week to talk about how he thinks web application-based deception techniques are kind of a waste of time right now. We talk about how deception approaches work best in privileged domains, then we talk about how security teams do better when they have a dedicated ops developer.

Risky Business #543 -- NYTimes blames NSA for Baltimore hacks, Assange faces espionage charges

Patrick Gray — Wed, 29 May 2019 00:00:00 +1000

Adam Boileau couldn’t make it this week, but that’s ok because we’ve got former Facebook CSO and current Stanford adjunct professor Alex Stamos filling in for him in today’s show. He’ll be talking through all the week’s security news, including: NYTimes report blames Baltimore ransomware attack on leaked NSA exploit Assange to face espionage charges, extradition fight looming SanboxEscaper just keeps dropping those 0days Fury over Facebook’s response to doctored Pelosi video Much, much more This week’s sponsor interview with David Warburton of F5 Networks. You know F5 as a blinky-light box manufacturer. Load balancers, SSL termination, that sort of stuff. Not exactly a growth industry at the moment, so they’re pivoting. They’ve dropped $670m on NGINX – f5 now owns the NGINX company – and they’re making all sorts of moves in the appsec space. That interview is mostly about F5’s business, but I found it interesting because what do you do when you’re an $8bn company that makes data-centre equipment and that industry starts going into decline? Links to everything discussed are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

Risky Biz Soap Box: VMRay CEO Carsten Willems talks sandbox tech

Patrick Gray — Thu, 23 May 2019 00:00:00 +1000

This is not the regular Risky Business weekly show, the Soap Box series of podcasts that run on Risky.Biz are wholly sponsored. Everyone you hear in Soap Box paid to be here. With that disclaimer out of the way, this is actually a really interesting conversation. Carsten Willems is the co-founder and CEO of VMRay, a company that makes… well.. what do you call it? Is it an incident response tool? Is it a detection tool? Or is it just a good hypervisor-based sandbox that you can use to do both of those things? I’m going to say it’s the third – VMRay is a company that makes a great hyper-visor sandbox and has applied that technology to both response and detection. In an ideal world you’d have a team of malware reversers on staff pulling apart every single binary that looks shady. But this isn’t a perfect world, so that’s never going to happen. So the original use case that Carsten and his team set out to solve was around automating malware reversing. They build a hyper-visor based sandbox that’s very hard to bypass, you can run your standard build on it, throw binaries and documents at it and see what blows up. That’s really the primary use case here. But there is a second use case, which is detection. VMRay can give you a pretty decent risk score on samples, and they’ve entered into a few OEM arrangements with vendors to provide that extra level of detection. I’d never met Carsten Willems before we prepared this podcast, but it’s safe to say we hit it off. This podcast basically turned into Carsten telling his story, the story of where VMRay came from and where he wants it to go. Enjoy!

Risky Business #542 -- Confusion reigns over Huawei ban

Patrick Gray — Wed, 22 May 2019 00:00:00 +1000

On this week’s show Patrick and Adam talk through all the week’s security news, including: New executive order paved way for Huawei ban Google pulls service from Huawei No wait, that’s not right, it’s for new handsets The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue? I’m so confused ¯_(ツ)_/¯ Israeli broadcaster fingers Hamas over Eurovision coverage hack New moves to regulate offensive cyber services Salesforce has a bad time Instagram influencers have a bad time (Hah!) OGUsers pwned Much, much more This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well. Jake was just at a MITRE conference in Brussels that was all about the Attack Matrix. He’s joining me this week to have a bit of talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

There's a problem with WhatsApp, but it isn't end-to-end encryption

Jake Davis — Tue, 21 May 2019 00:00:00 +1000

In recent days at least one news outlet has sought to sow the seeds of distrust around end-to-end encryption. Unfortunately this means a number of people are now under the impression that secure messaging apps are pointless because one’s phone could be hacked via other means, rendering all encryption obsolete. This is a bad, retrograde take, but that’s not to say that WhatsApp is without its issues. You can argue about degrees, but WhatsApp is unquestionably a product of the surveillance capitalist ecosystem. Eventually it will evolve to monetise the digital exhaust of our interactions, or in terms Harvard professor Shoshana Zuboff puts it: using private human experience as raw materials in a behavioural data rendering process which is designed to herd and tune us towards profitable outcomes. The suppliers of widely-adopted secure communications should not also be the controllers of this behavioural modification market. Any application claiming to offer privacy must be entirely disentangled from the interests of these parties. Apple has had a crack with iMessage, but sadly its products remain out of reach to most of the world. iPhones are bloody expensive, and not everyone can afford to pay a ridiculous premium on a shiny phone so their personal communications don’t wind up as a part of a data set flagged for monetisation. Here’s the trap: digital consumer platforms like WhatsApp offer an incredibly attractive bargain to consumers. Unlike the platform-locked iMessage, they’re cross-platform, free, easy, and offer relatively robust security protections. And they’ve become central to the modern, digital experience. Google’s mail infrastructure is another great example. At the moment it’s the best we can hope for when it comes to nudging the average user towards some form of agreeable security mixed with ease. There are many alternative email platforms which are more ethical, transparent, and in my personal opinion offer a more friendly experience, and I will routinely try and herd people towards them, but most folks simply don’t want to complicate their lives. Some in the information security world blame this on human laziness, but that’s off the mark. There’s a fundamental difference between being lazy and wanting less hassle. The implementation of fiddly alternatives and self-made servers is a wholly unappealing thought for anyone not heavily invested in the field of information security, and letting the end user run free with their own code and implementation makes them far more vulnerable to hacking and things being set on fire. Having personalised ads constantly shoved in your face is the 21st century bargain we’ve accepted as the trade-off for access to these services. But let’s imagine a lovely, meditative scenario where we dismantle Google Mail and move everybody to another platform. To make this tempting for millions of people we’d have to uproot the workplace document storage environment, around two dozen regularly used interconnected applications that cover time-keeping, finance, and data, an entire branch of mobile phone operating systems, and who knows how many “stored preferences” that interconnect all of the things the average person enjoys on a daily basis. It’s a technology soup that’s borderline impossible to unmix. With all of that in mind, it’s extremely unfair to call anyone out for being unwilling to step back from these monopolies, because key elements of their life are tied directly to them. It’s an alarming reality, and one that needs to be broken down in small chunks and whacked at with a machete until the path is finally clear to proceed. WhatsApp’s main appeal to the masses is not its secure, end-to-end encryption, but its general simplicity. For those that aren’t largely tech-savvy, it’s arguably the most accessible mobile communication interface, both at an application and psychological level. The fact that tens of millions of people are now, without even needing to understand it, using necessary high level encryption protocols in their real-time messaging is just a happy accident. 99% of WhatsApp’s users more than likely have no idea how E2E encryption works and they don’t even particularly care about it. That’s fine. It exists, in the background, as a very fortunate byproduct of the attraction of the other, shiny, appealing traits of the platform, which as we all know tend to focus on things like talking to people quickly, setting up connections with family members, accessing and disseminating media from various sources in seconds. The things humans like doing on a regular basis while exerting as little energy as possible. But is that good enough? For a while, but not in the long term. WhatsApp is not the endgame. It’s certainly moved the dial in terms of readily-available security for everyday conversation, but people deserve better. More accurately, we need less of specific things. Less “would you like to back up your messages weekly to the cloud,” less “connect with Facebook,” less “opt-in to exactly what we say or we won’t give you X”. Establishing a sustainable model for secure communications providers is a daunting prospect for those who must eventually become “the new WhatsApp”. I believe the very competent teams behind similar apps such as Signal, Wire, and Threema are going to be at the heart of the eventual shift into the new era of communication, but it’s impossible to say at this moment in time how that shift will pan out. In the meantime, though, let’s keep our eye on the ball. There are reasons to be wary of WhatsApp, but attacking end-to-end encryption as a “gimmick” is a rotten red herring that belongs in the bin. Jake Davis is a former global hacker terrorist menace who now works in a creative young person job that I don’t quite understand I dunno ask him his twitter account is here.

Risky Biz Soap Box: Signal Sciences on serverless, app-layer deception and more

Patrick Gray — Thu, 16 May 2019 00:00:00 +1000

This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about. Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look. Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues. It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASPY-style attacks. Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there. Enjoy!

Risky Business #541 -- NSO Group makes global headlines. What next?

Patrick Gray — Wed, 15 May 2019 00:00:00 +1000

On this week’s show Patrick and Adam talk through all the week’s security news, including: NSO Group WhatsApp vuln coverage goes nuclear Activists targeted by NSO malware in hiding in west after CIA tipoffs Cisco Trust Anchor drags on sea floor Linux kernel bugs likely overhyped Adobe patches insane number of CVEs Microsoft patches rumoured GCHQ VEP’d RDP bug New hardware bugs affect Intel processors SHA-1 collisions become much more practical Major US anti-virus firms owned hard This week’s sponsor interview with Ryan Kalember of Proofpoint. Ryan is a listener, and when he heard Adam talking about how password rotations actually result in crappy passwords, it hit a nerve with him. He says Proofpoint, via its CASBY product, is seeing a lot of targeted credential stuffing campaigns cycling through variations of passwords that have appeared in dumps. Apparently the bad guys are hip to what a typical password rotation variation looks like and they’re using this knowledge to better direct their cred stuffing attempts. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #540 -- In depth: Hamas cyber unit destroyed in air strike

Patrick Gray — Wed, 08 May 2019 00:00:00 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: IDF takes out Hamas cyber HQ (Features commentary from Bobby Chesney and Klon Kitchen) NYTimes mangles Symantec’s “Buckeye” research Lots of dark web arrests SAP exploits not all they’re cracked up to be Magecart-style attacks spread to other platforms Tech-led crackdown on Chinese-muslims intensifies Japan to create “defensive malware” This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 9 part 2: Rapid7 talks SOAR, Trend Micro on its API-based email security play

Patrick Gray — Thu, 02 May 2019 00:00:00 +1000

This isn’t the regular weekly risky biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors! In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, that one used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it? Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them. In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product. Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception hybrid hardware/consulting, that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!

Risky Business #539 -- Docker Hub owned, Cloudflare, Bloomberg under fire

Patrick Gray — Wed, 01 May 2019 00:00:00 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Docker Hub owned That Confluence bug we were talking about a couple of weeks ago got wormified Oracle WebLogic users also having a bad time Cloudflare faces investor pressure over providing services to Nazis Slack warns investors of possible nation-state attacks against it Norsk Hydro puts dollar value on ransomware incident Bloomberg publishes another ridiculous security story Much, much more! This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd. As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay. But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #538 -- Marcus Hutchins is a milkshake duck, Iranian APTs doxxed and more

Patrick Gray — Thu, 25 Apr 2019 00:00:00 +1000

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Marcus Hutchins faces his milkshake duck moment Iranian APT crew gets Shadowbrokersed DNS interference campaign is actually two large-scale actors UK to use some Huawei components in 5G build French Government launches comms app for politicians, it doesn’t go well More detail on CCleaner/ASUS crew Carbanak source found on VT (lol) Wall Street Market exit scams BEC costing US firms $1.3bn PA Much MOAR! This week’s show is brought to you by Signal Sciences, their CEO Andrew Peterson will be along in this week’s sponsor interview to have a bit of a chat about how a lot of traditional enterprises are running serious business web app shops these days. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 9 part 1: The best Snake Oilers edition we've ever run

Patrick Gray — Tue, 23 Apr 2019 00:00:00 +1000

On this edition of Snake Oilers you’ll be hearing from three vendors offering what I believe to be excellent security technology. I haven’t personally used this tech, but conceptually everything featured in this edition is The Good Stuff. You’ll see. Or hear. You know what I mean. First up we’ll be hearing from CMD, they make killer software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts you have to run on your Linux fleet terrify you? Well, this is a solution for that. There’s a visibility component there, too. Then we’ll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics, but they’ve expanded their tech and now offer IP-based and http request-based analytics. You can deploy AlphaSOC as a Splunk app or hook up to their API any other way you want. They’re offering free trials, but even when you’re on the paid service it’s actually pretty affordable. The brain behind AlphaSOC is Chris McNab who used to run incident response at NCC Group. He’s seen how the planes crash into the mountains and he has created a product that performs eminently sensible analysis on your traffic and metadata to alert you to badness. Then finally we’ll be hearing from Nucleus. This is a new company and if your job is managing vulnerabilities and vuln scanners in your org then straight up, just skip to the Nucleus interview immediately. They’ve created a web app that normalises vulnerability scanning information. It’ll take the outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Qualys, Acunetix AND others. It ingests all of this data, normalises it, then plumbs these alerts through to the right people through a multitude of different ticketing systems. If your’e stuck in the 7th layer of Sharepoint or Spreadsheet vulnerability management hell, this is a solution to your problems. You will weep salty tears of joy when you hear this one. Free trials of Nucleus are also available. Links to the companies featured are below!

Risky Business #537 -- Assange arrested, WordPress ecosystem on fire

Patrick Gray — Wed, 17 Apr 2019 00:00:00 +1000

On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news: Julian Assange arrested, likely to be extradited to the USA Krebs: Breach at outsourcing firm Wipro WordPress 0day drama causing serious headaches Silk Road 2’s “DPR2” sent to slammer More from Kaspersky SAS This week’s show is brought to you by Thinkst Canary! Thinkst founder Haroon Meer will be along in this week’s show to talk about the effect venture capital is having on the security ecosystem. He thinks VC money often makes weak ideas look strong, and in a market where it’s quite difficult to make informed purchasing decisions, that’s not a good thing. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #536 -- Mar-a-Lago arrest, ASUS supply chain attack and more

Patrick Gray — Wed, 10 Apr 2019 00:00:00 +1000

In this week’s show Patrick Gray and Adam Boileau recap all the infosec news of the last three weeks, including: Chinese woman arrested at Mar-a-Lago being very shady The ASUS supply chain attack Flame-related malware lived on longer than expected boostrap-sass Ruby gem backdoored Latest on Norsk Hydro and other victims of the same crew More trouble at Toyota Huawei spanked by UK oversight panel Exodus govvie malware affects Android and iOS Plus much, much more This week’s sponsor interview is with Kumud Kalia, the Chief Information and Technology Officer of Cylance. They actually dropped a really interesting product announcement at RSA a few weeks back and Kumud will be along later on to tell us about that. The tl;dr it’s an agent that models endpoint behaviour so when someone - or something - else starts using that endpoint to do things that don’t fit the user profile, action can be taken. It’s the type of tech concept that normally belongs in academic papers, not in actual products people can actually buy. That’s an interesting chat. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: All about WebAuthn with Duo Security

Patrick Gray — Tue, 02 Apr 2019 00:00:00 +1100

This is a wholly sponsored podcast brought to you by Duo Security. WebAuthn is a new multifactor authentication standard for the web that is all rooted in very smart encryption tech. Some of you would already be using similar authentication standards in apps without even thinking about it, like doing biometric authentication in your banking apps. You want to log in via your app and it scans your face to auth you, that sort of thing. WebAuthn makes those types of authentication actions available to users through the browser. It’s now an official W3C standard supported by most browsers. It’s the future of auth on the Web. Duo Security has been involved a little bit with the standards process and in this edition of the Soap Box podcast you’re going to hear a nearly hour long conversation between myself, Nick Steele and James Barclay who are Duo’s resident Webauthn dudes at Duo Labs. I hope you enjoy this conversation.

Risky Business #535 -- Stop giving Cloudflare money

Patrick Gray — Wed, 20 Mar 2019 00:00:00 +1100

In this week’s show Patrick Gray and Alex Stamos discuss the week’s news, as well as discussing the rise of white supremacist communities and propaganda on the Internet and what can be done about it. News: Norsk Hydro ransomwared Huawei ban gets more and more political APT40 hitting USA hard Cyber Command’s Euro road-trip Kremlin interference in EU elections extremely likely US Senators seek information on breaches targeting them Cloudflare won’t pull service from 8chan in wake of NZ attack Beto O’Rourke was cDc member New Mirari variant 150 million Android devices hosed by new malware Much, much more This week’s show is brought to you by Chronicle Security! We’ll be joined by Chronicle co-founders Shapor Naghibzadeh and Mike Wiacek. They had a tremendously successful launch at RSA and they’re going to pop in to tell us about some near future plans they have for their Backstory product. Links to everything are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

Risky Business #534 -- Manning back in clink, automotive industry under attack

Patrick Gray — Wed, 13 Mar 2019 00:00:00 +1100

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news: Chelsea Manning back in jail Citrix owned, Resecurity claims it was Iran. Again. Because reasons, apparently. Huawei politics get messy EXCLUSIVE: Toyota Oz, other carmakers likely targeted by APT32 (Vietnam) Much, much more This week’s sponsor is Senetas. They make layer 2 encryption gear but recently made a US$8m investment into Votiro, a Content Disarm and Reconstruction (CDR) play. Votiro CEO Aviv Grafi is this week’s sponsor guest. He stops by to explain CDR tech. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #533 -- Ghidra release, NSA discontinues metadata program and more

Patrick Gray — Wed, 06 Mar 2019 00:00:00 +1100

On this week’s show Adam Boileau and Patrick Gray discuss the week’s news: The NSA isn’t that interested in phone metadata anymore More Chinese mass surveillance data leaks Chelsea Manning, David House subpoenaed over Wikileaks Quadriga cold wallets were actually empty at time of founder’s death NSA deployed “rm -rf / shark” at Internet Research Agency HackerOne follows Bugcrowd into pentesting NSA releases Ghidra Much, much more! This week’s sponsor interview is with Chris Kennedy, AttackIQ’s CISO and VP of customer success. And we’ll be talking about a few things really, like about how continuous validation of security controls like monitoring is a good thing. Everyone uses software like Tenable to verify patching, why not do the same for your monitoring? Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: PRODUCT LAUNCH: Backstory by Alphabet's Chronicle

Patrick Gray — Mon, 04 Mar 2019 00:00:00 +1100

In this edition of the show we’re playing a small part in Chronicle’s launch of its flagship product, Backstory. Chronicle is of course the security spinoff of Google’s parent company, Alphabet. The launch of Chronicle itself was announced about a year ago, but until now it’s only really had one product: Virus Total Enterprise. That all changed today when Chronicle launched Backstory at the RSA conference in the USA. I was lucky enough to see a demo of Backstory before we recorded this interview last week, and I’m going to characterise it in a way that Chronicle probably won’t like, but it’s basically a cloud-SIEM, albeit a very good one. Backstory ingests logs from a bunch of data sources – DNS lookup information, DHCP info, your EDR logs (from your Crowdstrike or Carbon Black software), web proxy logs, firewall alerts – and then it structures this stuff so you can make use of it. You get nice pointy-clicky timelines and useful visualisations. That’s handy enough, but keep in mind your logs are now with the company that is responsible for Virus Total. They have some pretty good intel, and they can now apply various IOCs to the logs you’ve submitted. So one obvious use case for Backstory is doing the type of threat hunting threat hunters like to do, but beyond that, this is likely going to become a pretty useful alerting platform.

Risky Business #532 -- A big week of research and tech news

Patrick Gray — Thu, 28 Feb 2019 00:00:00 +1100

On this week’s show Adam and Patrick discuss the week’s security news: Cyber Command kicks the IRA off the Internet on election day WSJ reporting on Iran vs Australia likely incorrect Two Russian cybersecurity professionals sentenced over treason DPRK spearphishing US summit participants LOTS of technical news and research this week This week’s show is brought to you by Remediant. Their CEO Tim Keeler will be along in this week’s sponsor segment to talk about how they’re doing “virtual directory binding” to make managing Linux accounts via Active Directory less traumatic. If you’re struggling with horrible, horrible PAM solutions in your devops environments have a listen to that one. *** NOTE FROM PAT: I made some mistakes in the recording phase of this week’s show. As a result, my vocal audio is pretty atrocious. Sorry! *** Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #531 -- Australia's political parties targeted, the Witt indictment and more

Patrick Gray — Wed, 20 Feb 2019 00:00:00 +1100

Adam Boileau is along this week to discuss the week’s security news, which also features comment from Dmitri Alperovitch, Klon Kitchen and The Grugq. We cover: Former USAF counterintelligence official indicted over spearphishing, leaking secrets Australia’s major political parties targeted by APT crew that totally isn’t Chinese. (It’s Chinese) More on the Iran DNS hijacks Venezuelans phished by their own government China’s mass surveillance of Uyghur Muslims laid bare in data leak Millions of Swedes have their healthcare help-line calls exposed Bank of Valletta dodges a bullet, catches fraudulent transfers VK gets Samy’d Calls for GDPR-like law in USA Marcus “Malwaretech” Hutchins has a bad week This week’s sponsor interview is with Jason Haddix of Bugcrowd. He’ll be along to talk a little more about what Bugcrowd calls next-generation pentests. They claim one of their tests is sufficient for compliance purposes under PCI, ISO or NIST and they’ve had a third party auditor prove that for them. They also say the service has really taken off despite being launched only a couple of months ago. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #530 -- UAE's Project Raven, Bezosgate and more

Patrick Gray — Tue, 12 Feb 2019 00:00:00 +1100

Adam Boileau is back in the news seat this week. We talk about: Amazing Reuters report on UAE’s “Project Raven” Bezos’ dick pics, Saudi Arabia and a creepy brother US government security staffers play post-shutdown catch-up Krebs: National Credit Union Administration probably pwned Russia to test complete disconnection from wider Internet China suspected of involvement in Australian parliament hack Trump likely to ban all Chinese telco equipment makers from US builds Lasers Google: iOS privesc 0days were in wild $145m in cryptocurrency lost forever due to exchange CEO death VFEmail has a very bad day Facebook/Apple cert wars MORE This week’s show is brought to you by AustCyber, a nonprofit funded by grants from the Australian government. Its goal is to promote Australia’s cybersecurity industry. AustCyber CEO Michelle Price will be along in this week’s sponsor interview to tell us all about what they’ve got planned for RSA. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Polyswarm builds a marketplace for AV engines

Patrick Gray — Thu, 07 Feb 2019 00:00:00 +1100

As regular listeners know, this isn’t the regular weekly Risky Business podcast, all Soap Box podcasts are paid promotions. We ran 10 of these last year, we’re running more of them this year – the total number is up to 14, but we’re running fewer of our other promotional podcast Snake Oilers. In this Soap Box podcast we’re chatting with a company with a legitimately fascinating origin story. You remember how in 2017 and 2018 people were running all these shonky initial coin offerings where they’d sell off millions of dollars of crypto tokens on the basis of a two minute video and a whitepaper? What happened in a lot of these cases is after the ICO the founders would take the money, launder it and move to the Bahamas. Well, Polyswarm raised its money in an ICO. About $26m US dollars (!!). And, because they weren’t mainlining the ICO Kool-Aid, they cashed out about half of what they raised into real money before cryptocurrency values crashed. Instead of moving to the Bahamas, they actually stuck around to build the business that tokenholders had chosen to fund. Their token value has crashed like everyone else’s has, but that doesn’t matter – they’re funded, and because of their unconventional funding source they don’t have a whole bunch of venture capitalists breathing down their neck. So, what’s the business? It’s a marketplace for threat detection. Yes, my pinned tweet says “I do not want your blockchain expert as a guest on my podcast,” and yes, this company does use blockchain fairy dust, but as you’ll hear, the blockchain element to this business isn’t really what it’s about. Indeed, the founder and CEO of Polyswarm, Steve Bassi, says he would find life a lot easier in many ways if they weren’t actually using blockchain tech here as a marketplace enabler. He’s also banned himself from ever attending a blockchain conference again in his life. Ok, so what is the Polyswarm marketplace and how does it work. As you’ll hear in this interview it took me a bit to actually understand exactly what they’re doing here, but what they’ve essentially built is a marketplace for AV. The best way to explain this is to just explain how it works. If you’re an enterprise client or an MSSP you can submit a sample to this marketplace. You’re submitting it with a question – is this file bad or good – and you attach a tokenised value to the answer. On the other side of the equation are all these AV engines. Big ones, small ones… even tiny little micro engines that are only good at detecting very niche threats. So the enterprise submits the sample – that can be a whole file or just a hash – and it gets distributed to all the people who are running these AV engines. They scan the file, and if they’re super confident on an answer, they return that answer as well as a tokenised stake as a measure of their confidence. The idea is you can have a competitive marketplace for threat detection in which even niche players can participate. Polyswarm CEO Steve Bassi joined me to talk me through the whole concept.

Risky Business #529 -- Special guest Rob Joyce, NSA

Patrick Gray — Tue, 05 Feb 2019 00:00:00 +1100

There’s no news segment in this week’s show. Instead, you’re going to hear a long-form feature interview I did with the NSA’s Rob Joyce. Rob is probably best known for his tenure as special assistant to the president on cybersecurity and for being the cybersecurity coordinator on the US National Security Council. He also served as acting homeland security advisor to Donald Trump for a short time following the departure of Tom Bossert from the Whitehouse. In May last year he went back to NSA where he now serves as a senior advisor to the director of NSA for Cyber Security strategy. Some of you may also know Rob for his blockbuster January 2016 conference talk “disrupting nation state hackers” back when he was heading TAO at NSA. Good talk, that one, and it’s on YouTube. (Link below.) But gradually over the last couple of years Rob has emerged as a sort of friendly-face of NSA, at least as far as the infosec industry is concerned. He’s spoke at DEF CON last year, he often appears at events and on panels and he’s doesn’t seem terrified of actually comment on things. This is a huge departure from the historical way agencies like NSA handled themselves. But as you’ll hear, Rob sees this new approach as being vital to the NSA’s current-day mission. Topics covered include: DoJ indictments of foreign gov hackers 5G networks and Huawei Kaspersky AV Bloomberg’s Supermicro story Software and hardware supply chain security The USG aggressively burning adversary tools We also have a sponsor interview for you this week with Zane Lackey, the co-founder of Signal Sciences. I guess you’d call these guys “next generation WAF,” more on that later… but Zane will be along a little bit later with some pretty incredible stats on the way security spending has changed over the last year or two. Money is just piling into appsec while spending on some other controls is actually reducing. It’s a sign of change.

Risky Business #528 -- Huawei dinged, epic FaceTime and Exchange bugs

Patrick Gray — Tue, 29 Jan 2019 00:00:00 +1100

Adam Boileau co-hosts this week’s Risky Business episode. We talk about: The Huawei indictments The epic Facetime logic bug The even more epic Exchange privesc bug CISA’s “fix yo DNS” directive Black Cube busted doing shady stuff to Citizen Lab Yahoo shareholder lawsuit settlement makes directors twitchy Internet filtering kicks off in Venezuela Much, much MORE! This week’s show is brought to you by Thinkst Canary – they make hardware honeypots and the tools you need to deploy canarytokens at scale. They also make virtual honeypots! This week Thinkst’s founder Haroon Meer will be along to wave his finger at basically all of us over what he sees as the security discipline’s tendency to not really learn anything from security conferences. It’s “contertainment,” he says, followed by “GET OFF MY LAWN”. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #527 -- Featuring Alex Stamos, The Grugq, Susan Hennessey, Brian Krebs, Kelly Shortridge and Bobby Chesney

Patrick Gray — Tue, 22 Jan 2019 00:00:00 +1100

Alex Stamos co-hosts this week’s episode. Topics discussed include: DNC says Russia tried to own its servers in November 2018 South Korean Defence Ministry owned Lazarus Group busy in Chile West African banks suffer multiple intrusions Michael Cohen admits rigging online poll for Trump Nine charged over SEC hack More USG SSL certificates due to expire apt-get remote root RCE Don’t use your Garmin to scope your murder escape route Big plot twist in viral video outrage This week’s show is brought to you by Duo Security, which I guess is now Cisco Duo Security. Wendy Nather - Duo’s head of advisory CISOs - will be along in this week’s sponsor interview to talk about a topic near and dear to my heart: victim shaming. That’s a good one so please do stick around for that. Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Risky Business #526 -- Huawei arrest in Poland, DPRK SWIFT hack conviction, more from the El Chapo trial

Patrick Gray — Tue, 15 Jan 2019 00:00:00 +1100

This week’s podcast features Patrick and Adam talking about the week’s security news, including: Huawei staffer arrested for spying in Poland Conviction in DPRK SWIFT hack against Bangladesh central bank El Chapo used Flexispy to spy on mistresses and staff NSO group on charm offensive Iran hijacking DNS entries, conducting PITM with DV certs Kaspersky tipped NSA on Hal Martin US government certificates expire amid shutdown Idiot sentenced to 10 years prison for DDoSing children’s hospital This week’s show is brought to you by Trail of Bits! Trail of Bits is a security engineering firm and consultancy based in New York. They aren’t a typical pen-testing firm, they build as well as break. In this week’s sponsor interview JP Smith from Trail of Bits joins us to talk about the work he put in to CSAW. Not the Centre for Sustainable Architecture with Wood, which is a thing, but the Cyber Security Awareness Worldwide CTF. JP is a sick man. He’s sick. You’ll hear about the mind-bending CTF challenges he put together for CSAW. Remarkably, some teams were actually able to solve his problems, some of which featured complex numbers mapped to a four dimensional unit sphere being used to drive the rotation of a virtual IBM Selectric typewriter golfball in Second Life. As I say, he’s a sick, sick man. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #525 -- Back on deck for 2019!

Patrick Gray — Wed, 09 Jan 2019 00:00:00 +1100

In this week’s show Adam Boileau and Patrick Gray discuss the security news of the last few weeks, including: German politicians pwnt, suspect arrested Possible ransomware attack affects US newspapers Mass 2FA bypasses impacting Gmail users in Middle East Emergency warning system in Australia popped Ethereum Classic double-spend attack a sign of things to come EU to fund open source bug bounties Attackers steal details of 1,000 North Korean defectors Doing the Bloomberg hack for real at 35C3 El Chapo should have used Signal Much, much more… This week’s show is brought to you by Cylance! BlackBerry announced that it’s acquiring Cylance for $1.4bn (I don’t know if that’s closed yet) which is great news for all the founders and early employees there – some of whom I know reasonably well. So congrats to team Cylance on that! But we’re not talking about that this week. Instead, Cylance’s very own Scott Scheferman joins us to talk about the MITRE ATT&CK framework and how it’s informing their product dev. There’s some product talk in that interview but there’s also some real meat there so I let it run long. Scott says we’re close to the terrible situation where security companies are going to start using MITRE ATT&CK as a marketing tool, like “Full MITRE ATT&CK coverage!” Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: From 2 billion events to 350 alerts with Respond Software

Patrick Gray — Fri, 14 Dec 2018 00:00:00 +1100

Soap Box is the podcast series we do here at Risky.Biz where we have detailed discussions with vendors about all sorts of stuff – sometimes it’s about their products, other times it’s about the landscape as they see it, other times it’s about research they’ve done that they want to promote. Soap Box is a wholly sponsored podcast series – just so you know – so everyone you hear on it, paid to be on it. And this Soap Box edition is brought to you by Respond Software. We’ll be joined by Respond Software’s co-founder and CEO, Mike Armistead to talk about Respond’s tech. Mike has an interesting history in infosec… he actually co-founded Fortify, the software security firm, before winding up at HPE as the VP and General Manager for Arcsight, the poor fella. But he’s free now! Freeeeeee! And he’s co-founded the venture we’re talking about today. So, what’s the idea behind Respond Software? Well, to break it down into really simple terms the whole idea is to take all the zillions of events your existing security kit flags and distill them down into meaningful alerts. To put this into context, Mike says that during the 30 days in the lead up to the interview we recorded, his customers fed two billion events into their Respond Software gear. Of those two billion events, Respond deemed 7 million of them worthy of escalation, and from there determined 45,000 were malicious, but then… and this is the cool part, this only resulted in 350 incidents raised by the Respond platform. From 2 billion to 350. So it’s a great idea – tune out the crap and look at meaningful correlations. Automate the decision making around what’s serious and what’s not. You’ve got all this gear, maybe you’ve got something aggregating it, but what’s applying decision logic to it? Mike sent me a list of software Respond currently supports: all manner of IDSes, AV and EDR suites and then other stuff that gives their software the context it needs to make better decisions, like active directory, Nessus, Qualys, Splunk, QRadar… whatever! The idea is, plug ALL your over-alerting crap into Respond Software’s gear and it’ll do a good enough job of correlating events that you’ll only have to deal with what’s real. Well, that’s the pitch. Mike Armistead joined me to to flesh it out a bit more.

Risky Business #524 -- Huawei CFO arrested, US Government dumps on Equifax

Patrick Gray — Wed, 12 Dec 2018 00:00:00 +1100

This is the last weekly Risky Business podcast for 2018. We’ll be posting a Soap Box edition early next week then going on break until January 9. In this week’s show Adam Boileau and Patrick Gray discuss the week’s security news: Huawei’s CFO arrested over sanctions violations BT in the UK removes Huawei equipment from 4G network Australia passes controversial surveillance law US House Oversight Committee blasts Equifax in scathing report Bloomberg plays word-games on Super Micro story MOAR This week’s show is sponsored by Bugcrowd. In this week’s sponsor interview Bugcrowd’s CTO and founder Casey Ellis tells us why his company is launching “pay for effort” products to run alongside bounty programs. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 8 part 2: Forticode's Cipherise, device features from Exabeam and SentinelOne on "active EDR"

Patrick Gray — Mon, 10 Dec 2018 00:00:00 +1100

Snake Oilers is the podcast where we get a bunch of vendors together to pitch their stuff – they all pay to participate, just so you know – and today we’re going to hear three pitches from tech companies: one from Forticode, one from Exabeam and one from SentinelOne. That’s right, we talk to vendors to get their best pitches so you don’t have to! Forticode joins us to pitch its Cipherise platform – applied PKI wrapped into a slick mobile platform that helps large organisations authenticate their users, and helps their users authenticate them. Exabeam will be talking about how they’re doing more device analytics in their SIEM platform and SentinelOne will be talking about how they differentiate themselves in the highly competitive EDR space. Links to all of these companies are below.

Risky Business #523 -- So many breaches

Patrick Gray — Wed, 05 Dec 2018 00:00:00 +1100

This week’s show features Patrick Gray and Adam Boileau discussing the week’s security news, including: The Marriott, Quora, Dell and Sky Brazil data breaches Kashoggi associate to sue NSO Group Australia’s AA Bill set to pass NZ give Huawei the boot AutoCAD malware targets key verticals Republicans’ 2018 campaign hacked Czech government blames Russia for intrusions into key systems Horror-show bug in Kubernetes This week’s show is brought to you by Duo Security, big thanks to Duo for that! In this week’s sponsor interview we’ll be chatting with Duo Security’s very own Dave Lewis about some Beyond Corp stuff. Beyond Corp is the enterprise computing model of the future and Dave will be along after this week’s news to talk about some of its finer points. Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 8 part 1: Rapid7's InsightAppSec, WhiteSource and Virus Total Enterprise

Patrick Gray — Mon, 03 Dec 2018 00:00:00 +1100

This is the first part of our final Snake Oilers edition for 2018. Snake OIlers, for people don’t know it, is the podcast where vendors pay to come on to the show to promote their wares. This series actually turned out to be way more popular than we expected. People quite like listening to security companies actually explaining what they do in clear terms. We have six vendors participating in this last round of Snake Oilers for the year – we’ve split the podcast into two podcasts containing three vendor pitches each, and in this part you’ll be hearing pitches from Rapid7, WhiteSource and Chronicle. Dan Kuykendall of Rapid7 talks InsightAppSec, its DAST solution. David Habusha of WhiteSource talks software composition analysis Brandon Levene of Chronicle on VirusTotal Enterprise Part two is up next week!

Risky Business #522 -- Alex Stamos co-hosts the show, reflects on Snowden disclosures

Patrick Gray — Wed, 28 Nov 2018 00:00:00 +1100

We’ve got a slightly different edition of the show this week – Alex Stamos is filling in for Adam Boileau this week in the news slot. Most of you know him as Facebook’s recently departed chief security officer. Alex also served as the CSO at Yahoo for a time, but his security career stretches back a long way. He co-founded iSEC Partners back in 2004, and before that he did some time with @Stake. The @Stake mafia is everywhere. These days Alex is an adjunct professor at Stanford University. He joined me to talk about the week’s security news, as well as to have a chat about the Edward Snowden disclosures, five years on. This week’s show is brought to you by Thinkst Canary, big thanks to them for that. And instead of one of their staff being on the show this week in the sponsor chair, they asked me to interview this week’s sponsor guest, their customer, Mike Ruth, a security engineer with Cruise Automation. Mike did a presentation at a conference called QCon recently all about automating the deployment of canary tokens at scale using some nifty CI/CD tricks. He’ll be joining us after the news to tell us all about that. Items discussed in this week’s news: NSO Group busted to selling to Saudi Arabia NSO malware targets Mexican journalists Edward Snowden claims NSO connection in Khashoggi case Australia’s AA Bill latest npm supply-chain attack targets Bitcoiners Guardian reports Manafort met Assange, denials, lawsuits flying already UK parliament seizes Facebook documents Uber fined over 2016 breach coverup UK cops decline to charge bug reporter USPS finally fixes data exposure after Krebs intervention Rowhammer attack bypasses ECC protections Bloomberg is investigating its own reporting on Supermicro Magecart is everywhere Google, Mozilla plan browser access to file systems Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Risky Biz Soap Box: MITRE ATT&CK Matrix, misconfigured security controls, attack sim and more!

Patrick Gray — Sun, 25 Nov 2018 00:00:00 +1100

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This Soap Box edition is brought to you by AttackIQ. AttackIQ is a five-year-old company that makes an attack simulation platform. The idea is you agitate a network with suspicious traffic and activities, then measure what the response looks like on the other side. As you’ll hear, Stephan argues this is a better way to test your controls than trying to do it after an incident has been and gone. Mostly people are using it to verify the effectiveness of their security controls. They already have endpoint security software, IDS, various monitoring bits and pieces, but quite often this stuff just isn’t tuned right. So, you throw some attack traffic and behaviour at your systems and see what bubbles up One piece of work that has been absolutely vital to AttackIQ’s success is the MITRE ATT&CK Matrix. Like AttackIQ, the ATT&CK Matrix has been around for five years. Stephan Chenette is AttackIQ’s CTO and he joined me to talk all about how they’re trying to use the ATT&CK Matrix to drive their whole outlook, and, conversely, how they’re spending time talking to MITRE about where the whole thing is going.

Risky Business #521 -- Bears everywhere

Patrick Gray — Wed, 21 Nov 2018 00:00:00 +1100

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Cozy Bear is back, Fancy Bear has new tooling Russian government wants DNC lawsuit thrown out Cyber Command submitting samples to VirusTotal Google BGP shenanigans Australian/China Telecom BGP shenanigans All the recent Facebook drama More speculative execution bugs Julian Assange likely to be charged Vault7 leaker facing new charges Phineas Fisher investigation abandoned Bitcoin/Tether link probed by DoJ, btc in free-fall MUCH MOAR This week’s show is brought to you by Proofpoint. Sherrod DeGrippo, Proofpoint’s director of threat research and detection is this week’s sponsor guest. Surprisingly, she tells us that ransomware via email is a dead duck. Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #520 -- Tanya Janca talks security in the curriculum

Patrick Gray — Wed, 31 Oct 2018 00:00:00 +1100

We’ve got a great podcast for you this week. Tanya Janca will be talking about some volunteer work she’s been doing with a Canadian government panel on getting security content into children’s school curriculums. In this week’s sponsor interview we’ll be talking with Ferruh Mavituna of Netsparker. They launched Netsparker Cloud a while ago so now they have some decent telemetry I wanted to ask Ferruh what he’s found surprising now he’s sitting on a mountain of scan results. The types of bugs being turned up aren’t really a surprise, but the extent to which old software is a problem was actually pretty surprising to him. He knew it was bad, he says, but he didn’t know it’s this bad. Adam Boileau, as usual, joins the show this week to talk about all the week’s security news: More Chinese MSS officers indicted by the US DoJ ASD chief speaks publicly on 5G Huawei ban China playing funny buggers with BGP Russia is still messing with the US during the midterms Facebook boots more Iranian influence pages New privacy features in Signal Plus much, much more! Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Duo's Olabode Anise recap's his Black Hat talk on Twitter bots

Patrick Gray — Fri, 26 Oct 2018 00:00:00 +1100

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate. They sometimes want to talk about their products, other times they want to talk about general ecosystem stuff, other times they want to talk about research they’ve done. And that’s what’s happening today! Olabode Anise is a data scientist at Duo Security. He and his colleague Jordan Wright put together a talk for Black Hat this year all about Twitter bots. It was called Don’t @ me, hunting Twitter bots at scale. As you’ll hear, finding bots on Twitter at scale isn’t that hard, but doing so with 100% confidence isn’t as easy as you’d think. You can check out a blog post from Olabode in the show note below.

Risky Business #519 -- '90s IRC war between US and Russia intensifies

Patrick Gray — Wed, 24 Oct 2018 00:00:00 +1100

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: CYBERCOM doxing Russian operators. No, really. Arrest over Russian midterm info-op Bloomberg dumpster fire is now a tyre fire Equifax insider sentenced for insider trading Twitter releases bot dataset Saudi insider responsible for 2015 Twitter breach Trisis/Triton now linked to Russia Kaspersky doxes NSA op Risky Business cited by Senate Estimates, AA Bill faces possible delay Much, much more! This week’s show is sponsored by Cylance, and this week’s sponsor interview is with Josh Lemos. That’s an interesting chat – Cylance has succeeded in applying machine learning to classifying binaries, but what next? Where does it make sense to apply machine learning next, from their point of view? As you’ll hear, a binary classifier is one thing, but applying ML to something like endpoint detection and response or network traffic is actually a lot more complicated. Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #518 -- "Russian Cambridge Analytica" booted off Facebook after token hack

Patrick Gray — Wed, 17 Oct 2018 00:00:00 +1100

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: More info on the Facebook token hack Facebook boots “Russian Cambridge Analytica” off platform Chinese MSS officer extradited to USA after being lured to Belgium NotPetya linked to Sandworm crew Czech intelligence services kill Hezbollah APT Pentagon travel records pwnt No, Khashoggi’s Apple Watch didn’t record his death Apple takes aim at Australia’s AA Bill US voter records for sale in hack forums PHP 5 support ends soon, netpocalypse to commence shortly afterward The world’s most hilarious libssh bug PLUS MOAR This week’s show is sponsored by Senrio. Senrio is best known for doing IoT identification, classification, visualisation and anomaly detection, but they’ve now applied the same approach to general IT. Stephen will be along later in the show to talk about what they’ve been able to engineer here. I’ve actually been working with them on this (in a limited capacity) for a few months and it’s very interesting stuff. So yeah he’s talking about a feature release, then he’ll be releasing some open source tooling that mine your network metadata and spot interactive shells in your environment, which is handy, and then he’s going to preview some free training he’s doing with some other very well respected security people in New York soon. Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #517 -- Bloomberg's dumpster fire lights up infosec

Patrick Gray — Wed, 10 Oct 2018 00:00:00 +1100

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Bloomberg’s shaky, disputed report on hardware back doors A look back on other false reports about imaginary incidents published by Bloomberg GRU operations doxed by GCHQ DOJ charges Russian intelligence officers APT crews targeting MSPs Google+ API exposure the final straw Enterprise TLS interception gear is woefully insecure Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business Feature: Named source in "The Big Hack" has doubts about the story

Patrick Gray — Tue, 09 Oct 2018 00:00:00 +1100

In this podcast hardware security expert Joe Fitzpatrick, a named source in Bloomberg’s “Big Hack” piece, explains why he felt uncomfortable reading the story when it was published. He also provided Risky.Biz with emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.

Risky Biz Soap Box: What's up with the ZDI these days?

Patrick Gray — Mon, 08 Oct 2018 00:00:00 +1100

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This soap box edition is brought to you by Trend Micro. And in this edition we’re speaking with Dustin Childs who works for the Zero Day Initiative. ZDI is the entity responsible for the pwn2own competition. But not just that – they’ve been buying bugs since before it was cool. Everything from enterprise software, to linux bugs.. whatever. You find it, they’ll buy it. Trend Micro actually owns the ZDI, and there’s a story right there in how that came to pass… but you know what? Trend seems to really be behind the ZDI program. As you’ll hear, the original idea behind ZDI when it was a TippingPoint thing was so they could write IDS signatures for vulnerabilities that ZDI unearthed. We know today that spinning up sigs for bugs you’re paying for isn’t really a winning strategy for picking up 0day attempts against your computers, so, the question becomes, what do you do with a program like ZDI when you’re Trend Micro? As it turns out, you do two things with it – there’s the marketing side, but there’s also the constant stream of exploit submissions that come in handy when you’re making endpoint security software. We’ll also be hearing from Eric Skinner in this podcast – he’s Trend’s VP of Solution Marketing at Trend. Trend is pushing a major release of its endpoint security software and he’s along to spruik that a bit, as well as chiming in on some of the ZDI stuff.

[CORRECTED] Risky Business feature: A podcast on Bloomberg's absolutely wild Supermicro story

Patrick Gray — Fri, 05 Oct 2018 00:00:00 +1000

In this podcast I interview Stephen Ridley about Bloomberg’s blockbuster – but so far uncorroborated – story about possible hardware supply chain subversion by the Chinese government. I also lay out some facts I’ve learned since the story broke. [CORRECTED] I’ve added a correction to this podcast because the only source I could turn up who would corroborate the Bloomberg piece has retracted their claims. This is a source who has provided me with good information in the past, I’ve known them for about 15 years and they’re very well plugged in. They showed me photos they said were from a teardown of a supermicro motherboard. These photos showed an unlabelled integrated circuit the source said was likely a hardware back door. Further, the source said there were other problems with the Supermicro gear, including vulnerable firmware and security functions that just didn’t work properly. Now the source says the photos were from different equipment, not their teardown of the Supermicro gear, and that they did not find hardware back doors on the Supermicro equipment. So basically that source’s credibility with me is pretty shot right now, and the best I can do is retract my repetition of the source’s claim that they had verified backdoors in the Supermicro equipment.

Risky Business #516 -- The Facebook breach, e2e VOIP court verdict, Uber's record fine and more

Patrick Gray — Wed, 03 Oct 2018 00:00:00 +1000

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Facebook breach impacts 50m accounts US courts deny authorities’ attempted FB messenger wiretap Uber fined $148m for nondisclosure of 2016 breach Fancy Bear-linked UEFI malware appears in wild UK Conservative party conference app leaks like sieve Twitter bans distribution of “hacked material” VPNFilter botnet gets more capabilities Duo arrested over $14m cryptocurrency SIM-swap heist MOAR Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #515 -- NSA staffer at centre of Kaspersky scandal jailed

Patrick Gray — Wed, 26 Sep 2018 00:00:00 +1000

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Former NSA staffer gets 66 months over incident at heart of Kaspersky scandal Zoho has a very bad week Telco lobby group raises some legit concerns over Australia’s “anti-encryption” legislation Twitter API leaks DMs Equifax fined by UK Yubikey 5 enables passwordless Windows logins Privacy International has an aneurism NSS Labs launches antitrust suit against security software makers MOAR This week’s show is brought to you by Rapid7. Jen Andre is this week’s sponsor guest. She was the founder of Komand, which was a security automation and orchestration company but is now a part of Rapid7 as of about mid way through last year. I spoke to Jen a bit about how she came to start Komand and where the security automation and orchestration discipline is at right now. Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Yubico launches Yubikey 5, ushers in passwordless Windows logins

Patrick Gray — Mon, 24 Sep 2018 00:00:00 +1000

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate. Our guest in this edition is Jerrod Chong, the SVP of product at Yubico, the makers of Yubikeys. We were originally going to publish this Soap Box with Yubico a few weeks ago, but we delayed it for a very good reason. This podcast is going out at the same time as a press release from Yubico – they’re releasing the Yubikey 5, and it’s a very significant update. Regular listeners would have heard me talk about seeing Yubico’s booth at Black Hat – it was like a mosh pit, and I think there are two reasons for that. Firstly, they were giving away keys, (haha) but secondly, they were demonstrating FIDO2 Windows logins over NFC. With the launch of the Yubikey 5, Yubico has actually delivered passwordless logins for Windows networks. You can do tap only via NFC, tap and pin via NFC, or you can roll old school with USB. So, Jerrod Chong joined me for this conversation. We talk about the Yubikey 5, and more broadly about the future of authentication and authentication devices.

Risky Business feature: iOS exploits just got a lot more expensive

Patrick Gray — Fri, 21 Sep 2018 00:00:00 +1000

We’re going to be talking to two people in this podcast and the topic is, for the most part, the introduction of pointer authentication on the latest Apple iPhones. This is a development that flew under the radar of most of the infosec media and it’s significant because it is going to basically wipe out ROP exploits as we know them. There’s no such thing as a perfect mitigation, but Apple has leveraged some recent ARM features to really lock down their devices. In addition to the pointer authentication suff they’ve also made some changes that will affect the ability of companies like Cellebrite to unlock phones. Again, this won’t kill unlocks completely, but in one release Apple really has made life a lot harder for people in the offence game. This will eventually have some consequences for the crypto debate. These devices are just getting more and more secure through some really cool engineering. So we’ll be talking to Chris Wade about this, he’s the brain behind Corellium, an iOS emulator. His clients include everyone from exploit developers to the publishers of very popular iOS applications. If you want to back-test an app change on 15 different versions of iOS Corellium is the way to do that… or if you want to, you know, test your latest 0day it’s good for that, too. Then we’re going to hear from Dr. Silvio Cesare of Infosect here in Oz. He’s going to talk about whether we might see similar mitigations on intel and weigh in on Apple’s changes.

Risky Business #514 -- New NSO Group report released and another State Department email breach. Drink!

Patrick Gray — Wed, 19 Sep 2018 00:00:00 +1000

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Citizen Lab drops NSO Group report “Weaponised Stuxnet” claims are idiotic Another State Department email breach! Drink! Dutch foil planned attack against Swiss Novichok lab Mirai botnet authors working for FBI US telcos want to be consumer auth brokers US fails to extradite “Mr Bitcoin” Much, much more This week’s show is brought to you by Remediant. They make a just-in-time access solution for privileged account management (PAM), and we’re doing something a little different in this week’s sponsor interview. Paul Lanzi of Remediant will be along, but so will Harry Perper of MITRE corporation. Harry’s pay-cheques say MITRE, but he’s been working on a NIST project. The National Cybersecurity Center of Excellence (NCCoE) at NIST has been working on a project to provide guidance on the secure usage and management of privileged accounts. The so-called 1800-18 document is a practical guide and reference architecture for privileged account management and we’ll talk to both Harry and Paul about that after the news. Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #513 -- The DPRK indictment, BA gets owned, Webauthn issues and more [CORRECTED]

Patrick Gray — Wed, 12 Sep 2018 00:00:00 +1000

[**PLEASE SEE BELOW FOR A CORRECTION**] This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: The DPRK indictment and subsequent fall out British Airways gets owned Webauthn hits some roadblocks The latest action from Washington DC Trend Micro has a bad time Tesla pays out for key-fob clone attack Tor browser 0day hits Twitter Much, much more We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable. Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing. CORRECTION: The original release of this podcast included discussion of some rumours that turned out to amount to nothing. We had mentioned three data points: The CISO of American Airlines, Dan Glass, departing a few weeks ago Someone I know had their AA/Citi credit card re-issued, despite saying they only ever used that card to buy AA fares A rumour an FBI computer crime investigator is on site at American Airlines Well, it turns out Dan Glass is a listener, and he got in touch with us after the podcast ran to clear this up. He says the reason he left is actually because AA was offering some very attractive redundancy packages. Following AA’s merger with US Airways the combined group eventually found itself in the position of having too many executives. As many listeners will know, being a CISO is a pretty hardcore job so Dan jumped at the chance to bounce out and have some time off. As for the FBI being on-site, Dan says that’s not unusual. They’re one of the largest airlines in the world so they’re frequently liaising with LE. As for my pal’s card getting re-issued… who knows? The point is it looks like these rumours and data points don’t actually add up to much. This is why I rarely run rumour in the podcast and at least try to do some verification. In this case I just didn’t have time, but still, I just should have just held it over until I’d had a chance to make some basic enquiries. It was sloppy. Sorry. In particular I’d like to apologise to the fraud teams who may have been asked to follow this up, the PR teams who’ve no doubt been fielding questions about this and also to Dan Glass. Although, it must be said Dan and I had a very nice chat and he didn’t seem upset. Thanks for being a chiller, Dan! Again, I’m sorry. I’ll do better in the future. Pat

Snake Oilers 7 part 2: Assetnote.io launch, InQuest and Aiculus

Patrick Gray — Thu, 06 Sep 2018 00:00:00 +1000

On this edition of Snake Oilers we hear from three companies, and for one of them, it’s actually their product launch! Assetnote is a cloud asset discovery and security scanning platform spun out of the bug bounty community. If you’re a CSO with any large public attack surface you’ll really want to hear about that one. This platform finds things you didn’t even know your company had online in cloud environments and then scans them for real, actual RCEs. The user interface is awesome, too. Then we’re going to hear from Pedram Amini of InQuest – they make a box that reassembles files from network packets captured off the wire or funnelled in through ICAP and then rips them to bits looking for badness. They call it deep file inspection and it’s a great way to supplement client side detection, at scale. You can even pass these reassembled files on to multi-AV or cloud services and use this platform to do spot threat hunting. It’s very powerful stuff, and honestly that’s an interview that got me thinking in a new way about detection concepts. And then finally we’re joined by Omaru Maruatona of Aiculus. Omaru has a PHD in applying machine learning to bank fraud that he obtained while working for one of the big four banks here in Australia. After that he moved on the PwC as a penetration tester and now he’s running Aiculus. Aiculus has developed an API proxy that uses machine learning to detect funky calls. If you’re not satisfied that your API gateway has you completely covered then yeah, you’ll want to listen to that one.

Risky Business #512 -- Five Eyes nations send clear message on encryption

Patrick Gray — Wed, 05 Sep 2018 00:00:00 +1000

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Five Eyes nations send a clear message on encryption Massive Azure outage FBI releases political campaign security guidance Google wants to kill the URL MEGA.nz plugin owned sideways Final “Celebgate” hacker sentenced Google launches font fuzzing tool Chinese-made Google/Feitian U2F keys under scrutiny Some interesting TPM research MUCH MORE This week’s podcast is brought to you by AttackIQ. AttackIQ founder Stephan Chenette will be along in this week’s sponsor interview to talk to us about a few things – the MITRE attack matrix being one. He’ll also share with us his view that EDR is the most commonly misconfigured security technology he sees out there, and he has pretty good visibilty into things like that because AttackIQ, of course, makes attack simulation software designed to measure the efficacy of these types of solutions. Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business feature interview: Linux malware is booming, thanks to IoT

Patrick Gray — Fri, 31 Aug 2018 00:00:00 +1000

The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers, mean the developers of non-Windows-based malware have been pretty busy lately In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an empirical study of non-Windows malware. They downloaded hundreds of daily candidate samples from Virus Total for a year, resulting in a dataset of more than 10,000 binaries and a tool called Padawan, an automated framework for dynamic analysis of non-Windows malware. The researchers presented findings earlier this year at the IEEE Symposium on Security and Privacy, and more recently at reverse engineering conference RECon in Montreal. Risky Business contributor Hilary Louise recently caught up over the phone with France-based EURECOM doctoral student Emanuele Cozzi who says the land of Linux-type malware analysis is a bit of a nascent field.

Risky Business #511 -- Australia, Japan to ban Huawei, Struts drama, DNC lols and more

Patrick Gray — Wed, 29 Aug 2018 00:00:00 +1000

We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right in to the sponsor interview with Zane Lackey of Signal Sciences. A bunch of you heard my long form, Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good thinking and advice, that interview, so do stick around for it. Adam Boileau will join the show to recap the week’s news: Australia and Japan to ban Huawei from their 5G builds Struts bug: Big deal or meh? Voting machine maker ES&S rebuked by researchers AND US gov The DNC phish that wasn’t Recapping Andy Greenberg’s Maersk/Notpetya coverage Instagram adds real 2FA Windows privesc 0day on teh twittarz T-Mobile pwned harder than it initially admitted Log in to Windows with Google accounts Some hilarious Lazarus group shenanigans Much, much more Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers 7 part 1: Rapid7 on changes to InsightVM, ITProTV on online training

Patrick Gray — Mon, 27 Aug 2018 00:00:00 +1000

We’ve got two vendors pitching their wares in this edition of Snake Oilers. First up we’re talking to Rapid7 about its vulnerability scanning and management software. They’ve made some changes and they’ve got a couple more coming. This is bread and butter infosec stuff. Then we’re going to hear from the team at ITProTV. They’re a video-based online training site, pitching themselves as like a Netflix but for online training. Instead of instructor-led training, they try to make stuff less dry – half hour training videos with two instructors on all sorts of topics. The online training video sector is just booming right now, and ITProTV’s co-founder and “edutainer” Don Pezet will be along to walk through all of that. Both of these companies are tracking enquiries originating from the podcast, so please do use the URLs in the show notes below if you’re interested in learning more.

Risky Business feature interview: Bob Lord, CSO, Democratic National Committee

Patrick Gray — Fri, 24 Aug 2018 00:00:00 +1000

In this podcast you’ll hear an interview I did with Bob Lord, the Chief Security Officer for the Democratic National Committee, the DNC. Bob has previously served as the CISOs for both Yahoo and Twitter, before spending some time in vendorland with Rapid7 as their CISO in residence. The state-sponsored attack against the DNC is without doubt the most politically consequential data theft event the planet has ever witnessed. It trumped both the Manning/Wikileaks disclosures and “climategate” in terms of impact, and indeed to a large degree the fallout of the DNC hack is still ongoing. So, I wanted to bring Bob in to talk about his job. The DNC isn’t a large organisation, in a head office sense. They have about 200 core staff members, but as you’ll hear, a political organisation’s IT setup is pretty atypical. So Bob and I mostly just spoke about how one handles security for an organisation like the DNC.

Risky Business #510 -- Hacky hack hack

Patrick Gray — Wed, 22 Aug 2018 00:00:00 +1000

On this week’s show we’ll be running through the week’s security news, then diving right on in to a sponsor interview with Lauren Pearl of Trail of Bits. She’s joining us to talk about something Trail of Bits have been up to lately: adding features to open source software – and auditing open source software – on behalf of its customers. I do have a feature interview this week, but it’s a long one so I’ll be breaking that out in to a separate podcast. It’s a nice long chat with Bob Lord, the CSO for the Democratic National Committee. You know, the guy who hid “the server”. The news we’re covering this week: Melbourne teenager hacky-hack hacks Apple Facebook nukes Iranian and RU influence ops Report: Sealed court order seeks Facebook Messenger E2E intercept USG ditches PPD-20 equities process A look at “Intrusion Truth” CN operator doxing ring Microsoft kills RU phishing domains PLUS MOAR Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business feature: Adam Boileau recaps Black Hat and DEF CON

Patrick Gray — Mon, 20 Aug 2018 00:00:00 +1000

In this breakout podcast we chat with Adam Boileau about the talks that caught his attention in Las Vegas a couple of weeks ago. The Black Hat PR team were kind enough to credential Adam for the con so he could go and see a few talks with his Risky Business hat on. I was at Black Hat but spent most of my time running around like a headless chicken. These days Vegas week for me is mostly about locking in the next year’s sponsorships, as well as catching up with friends I hardly ever see. The good news is the sponsorship side is done. We’re almost sold out across the weekly show, Snake Oilers and Soap Box until 2020. The bad news is I didn’t really get to go to any talks. But that’s ok, because Adam went to both Black Hat and DEF CON and he joined me to talk about the highlights from his point of view. This was his first trip to the Vegas cons since 2005, and agreed with me that the content this year was actually pretty bloody good. I’ve done my best to assemble links to everything Adam talks about into a list below:

Risky Business #509 -- Just the usual mayhem and ownage

Patrick Gray — Thu, 16 Aug 2018 00:00:00 +1000

Adam and I have just returned from Black Hat and DEF CON in Las Vegas, so in this week’s show we’re going to have a look at the infosec news we missed over last couple of weeks. We did plan to recap Black Hat in this podcast, but we’ve wound up a bit short on space so I’m busting that out into a separate podcast that I’ll publish on Monday. So this podcast will just be a discussion around news plus a sponsor interview. The news we’re covering: Australia’s new surveillance/”anti-encryption” laws Intel SGX vulnerability research Taiwan Semiconductor WannaCry woes Details on CYBERCOM op against ISIS Reddit pwnage Bitcoin investor sues AT&T over $23m loss FIN7 arrests CIA’s loss of scores of China assets may have been hack-related Massive ATM cashout and SWIFT attack hits Indian bank Much, much more Bugcrowd CTO Casey Ellis joins us in this week’s sponsor interview to talk about a few things – firstly, how some research presented at Black Hat by the team at Portswigger is a sign that serious research teams are using bounties to cash in on their serious security research. Then we’ll be talking about the Bugcrowd University initiative and a reboot of the disclose.io project. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #508 -- Special guest Greg Shipley of In-Q-Tel's Cyber Reboot

Patrick Gray — Tue, 31 Jul 2018 00:00:00 +1000

On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector aren’t doing. He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community. This week’s show is brought to you by Duo Security! And Duo’s very own Dave Lewis will be joining us this week to talk about the roadblocks you might face if you’re trying to head down the BeyondCorp road to the deperimiterised nirvana! Adam Boileau drops in to discuss the week’s news, including: COSCO shipping ransomwared into oblivion DHS warning on impending ERP attacks Charges against SIM-swap cryptocurrency thief Google’s “Shielded VMs” Google’s launch of its own hardware security tokens Master134 malvertising campaign New Kronos version NetSpectre attacks Bluetooth bugs Much, much more Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Zane Lackey of Signal Sciences talks DevOps

Patrick Gray — Mon, 30 Jul 2018 00:00:00 +1000

What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences. Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences. They give you visibility in to attacks against your applications, and even auto-blocking a bunch of them without that turning into a cascading horror-show. Signal Sciences’ product has a really strong emphasis on assisting organisations who are running DevOps shops. And it makes sense, Zane’s key achievement at Etsy was managing the security of that company’s Devops transition. He’s actually just written an O’Reilly book, Building a Modern Security Program. So, he joined me to talk about his book, what’s in it, about DevSecOps more generally, and about some new stuff Signal Sciences has been working on.

Risky Business #507 -- For Vlad

Patrick Gray — Wed, 25 Jul 2018 00:00:00 +1000

We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest. We talk about: The Russia indictment Chrome now marks http sites as “not secure” Julian Assange is close to being turfed out of his London digs Microsoft’s midterm meddling misfire Singapore loses 1.5m health records Some cool research from Talos and Cyberark Azimuth Security acquired by L3 The npm supply-chain attack Chrome site isolation And much more! This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to Justin Warner about a pretty cool Flash 0day they found hiding in a Microsoft Office document. That was some pretty cool work, and the attackers in that case did some pretty novel things in terms of keeping their payload away from prying eyes. Obviously they didn’t do a good enough job or we wouldn’t be talking about it, but there are some new techniques there, fun stuff. *****NOTE: At one point I get Jason Rebholz’s name wrong. I call him Justin Rebholz by accident. Apologies for the error, Jason!

Risky Biz Soap Box: Cylance: Driving machine learning model development with threat research

Patrick Gray — Wed, 18 Jul 2018 00:00:00 +1000

There’s no weekly show this week, I’m on a beach somewhere tropical right now and I prepared this one so we’d have something to run while I’m away. The Soap Box is one of our wholly sponsored podcasts here at Risky Biz HQ – vendors pay to come on to talk about what’s on their mind. And this week we’ve got Cylance’s very own Chris Sestito joining us. He heads threat research for Cylance, the AV company. Cylance is a relatively new company – they’ve been around about six years now – and regular listeners would have heard me credit them for almost singlehandedly shaking up the AV industry. They built a machine learning model for detecting malware that was effective enough to actually challenge the incumbents, who until then, had a stranglehold on the market. Cylance’s fortunes rose further when it played an instrumental part in detecting and cleaning up malware used against the US office of personnel management, or OPM. That was a big moment, because from there it seemed like all of a sudden EVERYONE was a machine learning company. I’m sure a lot of people listening to this podcast are so sick to death of hearing pitches from vendors about machine learning. But the thing is, Cylance was built on machine learning and they are still 100%, 24-carat true believers. Chris Sestito joined me to talk about driving machine learning model development with threat research, dodgy machine learning marketing and more.

Snake Oilers 6 part 2: Proofpoint on cred phishing, Exabeam defines next-gen SIEM

Patrick Gray — Thu, 05 Jul 2018 00:00:00 +1000

Snake Oilers is a wholly sponsored podcast series we a few times a year here at Risky Biz HQ. The idea is we get a bunch of vendors together and they pitch their tech in a straightforward way. Less “stops advanced cyber threats” and more “here’s what our stuff does and how it works”. You’re hearing this instead of a weekly show because I am currently on a beach somewhere tropical. We’ve got two vendors in this edition of ‘Oilers: next-gen SIEM platform company Exabeam and email filtering giant Proofpoint. Our sponsor guest from Proofpoint is Ryan Kalember. Ryan is the SVP of cybersecurity strategy at Proofpoint, and regular listeners would have heard him pop up here and there on other Risky Business podcasts. Ryan knows an awful lot about email security and he’s joining us this week to talk about a few things. A big selling point he wants to hit home this week is that Proofpoint offers its clients dedicated IPs for their outbound mail servers. That means you won’t be blocked when someone else using the same IP for outbound mail starts sending spam. Believe it or not this is a thing that happens to users on other mail filtering platforms. From there Ryan spells out Proofpoint’s approach to combating credential phishing. Aaaaand we talk about other stuff too. We started off by talking about how some organisations are getting blocked because their filtering provider is sharing IPs between clients. Exabeam also drops in to talk about what a next gen SIEM actually is. From day one Exabeam was a startup that meant business. As you’ll hear, they started off as a SIEM-helper, and they’ve gradually built out their product from there. Now they’re going after the established SIEM market – think Splunk, Arcsight, those types of products. Despite only being five years old, Exabeam has quickly established itself as a real player in the SIEM market. And why not? They make a compelling argument that the most popular SIEM products have gone stale. Anu Yamanan is the VP of products at Exabeam and she’s here to explain the general pitch behind all next generation SIEM gear. The idea is to go beyond the event log and build a timeline of events that actually has context around it. SOC analysts, SIEM specialists and CSOs will be interested to hear what she has to say here.

Risky Business #506 -- How security teams can work with PR

Patrick Gray — Wed, 04 Jul 2018 00:00:00 +1000

On this week’s show we’re chatting with a PR pro who specialises in information security. Melanie Ensign currently works at Uber, but she also served as a security PR for Facebook and before that, AT&T. She drops in this week to talk about how you can work with the PR professionals in your organisation to help tell your security story to the wider world. She also has some great tips for infosec professionals who might be a bit nervous about dealing with journalists. In this week’s sponsor interview we’re joined by Julian Fay, the CTO of Senetas. Senetas has a long history of making layer 2 network encryptors, but they are branching out in all sorts of ways these days. One thing they’re doing now is working on approaches to network encryption that play nicely with software-defined WAN. The days of hauling all your network traffic back to a single choke point are numbered – Julian thinks in the near future you’ll have some sort of CPE device that actually implements different types of encryption on different types of traffic crossing your border. So, Senetas has actually built that gear and we’ll be hearing about why. Adam Boileau joins the show to talk about the week’s security news: Some very cool LTE research Equifax manager charged with insider trading Ticketmaster’s bad week The US DoD’s very own app store Weird, maybe, possibly-but-probably-not OPM-related fraud MOAR Rowhammer stuff affecting ‘droid handsets Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #505 -- Sanger vs FireEye, Reality Winner cops a plea

Patrick Gray — Wed, 27 Jun 2018 00:00:00 +1000

No feature interview in this week’s show, we go long on news instead. Adam Boileau joins the podcast to talk through the week’s infosec news, including: Confusion reigns in David Sanger vs FireEye spat Reality Winner pleads guilty PEXA property settlement platform users fleeced US Supreme Court decides location info requires a warrant The Apple unlock bug that wasn’t This week’s show is brought to you by Thinkst Canary. Thinkst’s very own Marco Slaviero joins us in this week’s sponsor segment to talk about how some vendors are derping out when it comes to creating needlessly complicated “deception platforms”. Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Snake Oilers 6 part 1: InsightIDR from Rapid7, whitelisting with Airlock Digital and testing your SOC personnel with AttackIQ

Patrick Gray — Thu, 21 Jun 2018 00:00:00 +1000

First up in this edition of Snake Oilers we speak with Rapid7. Listeners of the regular show would have heard me talk about their UserInsight software for years. That’s because I knew people who used it and they swore by it. UserInsight was user and entity behaviour analytics (UEBA) software that was massively ahead of its time. It was very good at spotting weird things happening on your network when it comes to dumped or compromised creds popping up in weird places. Well, InsightIDR is basically where UserInsight wound up, and yeah, it’s morphed in to a product that’s half SIEM and half EDR. Every Tom, Dick and Harriett seems to be offering EDR software these days, and every next-gen SIEM company is becoming more and more UEBA-centric, so what Rapid7 has created here is something in between. InsightIDR product manager Eric Sun will tell us all about it. Next up we’ll hear the simplest pitch in this podcast, from Airlock Digital. They’re an Australian company that makes whitelisting software that’s actually useable. If your organisation has tried implementing whitelisting through Microsoft’s Applocker then you know how badly it sucks. These guys have created a simple but useable whitelisting solution. I’ve been to the booth! I’ve seen the demo! Airlock Digital co-founder David Cottingham is our guest on their behalf. In addition to being a founder, David is also the author of the SANS course SEC480: which covers the ASD top 4 – number one on that list is whitelisting. He has experience in the federal government implementing whitelisting and after seeing just how badly other products suck, he and his mates founded Airlock Digital. So yeah, if you’re whitelist-curious or if you’re sick of dealing with Applocker, then you really, really should stick around for that one. After that we’re checking in with Stephan Chenette of AttackIQ. They make attack simulation software, but in response to customer demand they’ve actually taken it to its logical extension - they’re now offering modules you can use to test your SOC staff, or, if you outsource, you can use these modules to test your MSSP. Throw some alerts at them and see what comes back – get scores for individual SOC operators. Hey, even if you ARE an MSSP you might want to use this software to see who to promote in your SOC. That’s interesting stuff.

Risky Business #504 -- Latest email frauds and changes to money muling

Patrick Gray — Wed, 20 Jun 2018 00:00:00 +1000

On this week’s show we’re chatting with Alex Tilley. He’s with Secureworks in Australia these days, but before that he spent a big chunk of his career with the Australian Federal Police. He did a presentation a few weeks back at the AusCERT conference all about what fraud crews are up to these days. He’ll be joining us to walk through how much damage West African crime groups are doing with compromised office 365 accounts. We also talk a bit about trends in money muling, because that game has really changed. This week’s show is brought to you by Cylance, and in this week’s sponsor interview we’ll be chatting with Cylance’s very own Jim Walter about how ransomware hasn’t really gone anywhere, despite most of the tech press getting sick of writing about it. Adam Boileau, as usual, joins us to talk about the week’s news, including: The Vault7 guy is totally screwed US Senate scuttles Trump’s plan to save ZTE Chinese pwning satellite comms, telcos Olympic Destroyer crew is back Links to everything are below and you can follow Patrick and Adam on Twitter if that’s your thing.

Risky Business #503 -- North Korean tech in the global supply chain

Patrick Gray — Wed, 13 Jun 2018 00:00:00 +1000

You might have noticed North Korea’s been in the news over the last couple of days. Well, we’re sticking with the theme – we’ve got a great feature interview for you this week with Andrea Berger. She’s a senior research associate at the US-based James Martin Centre for Nonproliferation Studies and the co-host of the Arms Control Wonk podcast. This week she speaks with Risky Business contributor Hilary Louise about a report the centre did into North Korea’s IT industry. Yep, they have one, and you’ll be surprised by its scope and reach. That’s this week’s feature interview. This week’s sponsor interview is with Signal Sciences co-founder and CEO Andrew Peterson. Andrew was at a Gartner event in DC last week, and I grabbed some time with him to talk about what’s new in DevSecOps, how people are applying various DevSecOps tools, and what the general awareness of good DevSecOps practices is out there. Andrew’s prior career was in development, not security. He and Zane Lackey worked together at Etsy and Signal Sciences was very much inspired by the work they both did there. Andrew says analysts are starting to understand that web application security isn’t something you drop on to a network in an appliance and things are actually changing. Mark “Pipes” Piper is this week’s news guest. All the show links are below and you can follow Patrick, Pipes or Hilary, if that floats your boat.

Risky Business #502 -- Inside China's hacker scene

Patrick Gray — Wed, 06 Jun 2018 00:00:00 +1000

On this week’s show we chat with Peter Wesley. Peter’s well known around the Australian security scene, but a few years back he relocated to China, where security is booming. He did a presentation at the AusCERT conference on the Gold Coast last week all about the Chinese hacker scene and security industry. He joins us in this week’s feature interview to tell us about how the Chinese scene evolved and what its current relationship with the Chinese government looks like. This week’s sponsor interview is a cracker. We’ll be joined by Ryan Kalember, Senior Vice President of Strategy with Proofpoint, the email filtering company. Ryan is along to talk about a phenomenon the Proofpointers are very interested in – we’ve all heard of VIPs, but he’s here to talk about VAPs – Very Attacked People. So much attacker behaviour these days is driven by email-based attacks, and the people getting hit the most with this sort of stuff might not be the ones you expect. Ryan joins us later on for that conversation in this week’s sponsor interview, with thanks to Proofpoint. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #501 -- Trisis: signalling, deterrence or escalation?

Patrick Gray — Wed, 30 May 2018 00:00:00 +1000

On this week’s show we’ll be talking about a whole bunch of stuff – the FBI taking down a botnet in a very FBI way, we go deep on the Trisis malware popping up in the US following America’s withdrawal from the so-called Iran agreement. We look at the latest in the crypto debate, breaches, bugs and more! We’ll hear from Tom Uren of Australia’s Strategic Policy Institute (ASPI) on the Trisis side of things. Tom worked in an interesting place in Australia’s defence department but these days spends his days think tanking for the Australian Strategic Policy Institute. He shares his thoughts on what it is Iran could be up to with Trisis. This week’s show is brought to you by: Australia! AustCYBER is a government-supported industry group here that is trying to get the Australian cybersecurity industry organised. There’s the VC-backed US model, the build a “cyber city” in the desert Israeli model, then there’s the Australia model, which is actually quite different. It’s much more about helping local startups win deals locally, then internationally, to get them on a path to profitability so they don’t have to sign the awful term sheets Australian VCs put in front of them. Well, there’s more to it than that, but AustCYBER head honcho Michelle Price will be along in this week’s sponsor interview to walk us through what she’s trying to do for the Australian security industry and how foreign multinational companies can also benefit from that.

Risky Biz Soap Box: Kill your own meat with EclecticIQ

Patrick Gray — Mon, 28 May 2018 00:00:00 +1000

Soap Box is not our regular weekly show, it’s the monthly podcast here at Risky Biz HQ where vendors pay to come on to the show to talk about what it is they actually do. Before EclecticIQ sponsored this edition, to be honest, I didn’t really know much about them. All I knew is that their positioning was very much around “threat intelligence,” which, as regular listeners would know, are two words that are usually followed by “derpa derpa” on the regular Risky Business podcast. BUT! Here’s the thing. EclecticIQ don’t sell a “blinky light” box that receives a creaky feed of 12-month-old IOCs. They sell their solution to either massive organisations or very high risk organisations. They could be national cyber security centres, entire defence departments, very, very big enterprises; basically anyone that has an intelligence team and multiple constituent departments or agencies. They also play in ultra high risk sectors like defence contracting. The EclecticIQ platform isn’t for small organisations. It really is for orgs that have dedicated, externally-focussed intelligence teams. Their play isn’t “we feed you threat intelligence,” it’s use our tooling to go get your own threat intelligence, develop a strategy for dealing with the resulting product then distributing the strategy that flows from that process out to the relevant people in your organisation. I like to think of this approach as “killing your own meat”. That’s what EclecticIQ is all about. They give you the shotgun and a map, the last known locations of the deer, a cool room and a bunch of cleavers. Delicious. Apologies to any vegetarians listening for that metaphor. Joep Gommers is our guest. He is the founder and CEO of EclecticIQ. Prior to founding EclecticIQ, Joep served as Head of Global Collection and Global Intelligence Operations at iSIGHT Partners, which was, of course, acquired by FireEye. Joep joined me to talk about what it is that EclecticIQ actually does and the resulting conversation, I hope, will be interesting to anyone who wants to understand how Threat intelligence is developed and disseminated at scale. There’s a link to EclecticIQ’s website below, and you can follow Joep Gommers on Twitter here.

Risky Business #500 -- Web asset discovery is getting useful

Patrick Gray — Wed, 23 May 2018 00:00:00 +1000

In this week’s feature interview we’ll be chatting with Shubham Shah and his friend Lord Tuskington about continuous asset discovery’s impact on testing methodologies. Shubs has worked as both a pentester and as a very successful bug bounty hunter. In fact he’s built an entire asset discovery platform that he and his buddies have been using to rip crazy amounts of cash out of bounty programs over the last few years and he’s turning that platform into a product. So I wanted to talk to him about that, but I also wanted to get a pentester’s perspective on how this type of continuous asset discovery tech could change the testing industry. This week’s show is brought to you by Exabeam, a next generation SIEM company! And it’s amazing how nicely this week’s feature and sponsor interviews dovetail actually, because Exabeam’s Steve Gailey will be along in this week’s sponsor interview to have a chat about how SIEM technology has changed much faster than SOC operations methodologies. Because basically everyone has structured their operations around three levels of response and the workflows are so ingrained, nobody seems to know know what to do with a next generation SIEM. Adam Boileau is also along, like always, to talk about the week’s security news. The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business feature interview: Hacking PUBG

Patrick Gray — Fri, 18 May 2018 00:00:00 +1000

Here it is – this week’s feature interview with Marisa Emerson! Marisa is a security researcher who did a great talk at BSides Canberra in March all about game cheating. She was specifically talking about the cheating techniques PUBG gamers are using and just how advanced they are. The crazy thing is the cheaters here are rolling some pretty decent techniques. It’s reminiscent of the iPhone jailbreaking scene – a lot of good hackers who don’t know they’re good hackers. Marisa is running a binary exploitation bootcamp in Brisbane that will have another session next semester. Details are here.

Risky Business #499 -- Is PGP actually busted and Signal pwnt? Noooope

Patrick Gray — Wed, 16 May 2018 00:00:00 +1000

In this week’s weekly show we’re just going to drill in to the week’s extra long security news section with Adam Boileau then go straight to the sponsor interview. I’ve got a fantastic feature interview for you this week, but I’m going to publish it outside of the news show. It was either that or run stupidly long or cut too much from everything to make it all fit. This week’s sponsor interview is a good one though. We’re chatting with the team behind DarkTrace. They make a machine learning-backed network monitor. A key different with this kit is it actually gets involved on the network. If it sees something it’s confident is attacker behaviour it will start spraying TCP resets to boot them off the network. This is something the IPS systems of old used to do but it’s an approach that fell out of favour. We’ll find out why that approach was discarded and why it’s coming back, as well as generally discuss the role of machine learning in security with a company that has invested in it heavily. This isn’t a “for or against” interview segment. This is a discussion with one company that is getting value out of the approach, so stick around for that. The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #498 -- There sure is a lot of Microsoft Defender out there these days

Patrick Gray — Wed, 09 May 2018 00:00:00 +1000

On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on windows 7/9 and 50% on Win10. For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview. In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos. The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Root9b on agentless threat hunting

Patrick Gray — Fri, 04 May 2018 00:00:00 +1000

In this edition of Soap Box we’re chatting with Root9b. They’ve just launched an updated version of their ORION platform. And I guess the way you’d describe Root9b is as a threat hunt product maker and managed threat hunt provider. And their approach is a bit different – their software is agentless. They basically authenticate to a machine, inject various payloads into memory, and use that to pull back all sorts of telemetry from machines. They say this means it’s much less likely that attackers will see them and they offer this as a product, ORION, or they offer it as a service. They say their managed services customers come to them because pretty unhappy with their MDR and MSSP providers and want better signalling. So I was joined by John Harbaugh, COO of Root9b, and Mike Morris, CTO. Both of these guys were US Air Force cyberdudes before jumping out to the private sector. The company actually started off doing training before developing their platform ORION. John and Mike joined me by Skype for this podcast. Enjoy!

Risky Business #497 -- Silvio's greatest hits

Patrick Gray — Wed, 02 May 2018 00:00:00 +1000

This week’s Risky Business is kind of going back to its roots a bit. As much as we love talking about policy and the intersection of cyber security with global affairs, sometimes it pays to remember that computer security is actually about computers. With that in mind this week we’ve got two fantastic interviews for you. We’ll be chatting with Dr. Silvio Cesare in this week’s feature interview. Silvio’s dusted off his bug hunting hat and he’s taken to Twitch-streaming his auditing sessions. Dave Aitel described watching Silvio’s Twitch stream as like seeing a Titan ransack a small Greek village. Five months, 100 bugs, 50 of them in kernel stuff. He’s doing this for a couple of reasons – he wants to show people how it’s done, and he wants people to realise there are still lots of bugs out there to be found. We’ll chat to him about that in this week’s feature. This week’s sponsor interview is with another old school hacker, Stephen Ridley. Stephen is the founder of Senrio, which is technically an IoT security play, but the thing is the tech he’s developed has turned out to be useful for all sorts of other stuff too. Senrio is another one of those hacker-led startups in the spirit of Duo Security or Thinkst Canary. Stephen is a really well respected guy and this week he’s joining us to talk about a bunch of stuff. A lot of it is related to the unexpected uses for Senrio’s monitoring platform. He built a classifier for network-connected devices as a part of Senrio’s IoT security platform, and it turns out it’s actually running rings around a bunch of Enterprise Asset Management tools. People are actually using his IoT security monitoring solution to do asset management and figure out install gaps for their EDR solutions. Totally not what he intended people to use it for, but hey, a win’s a win. So Stephen joins us this week to talk about that, also to talk about recent developments in the IoT space and really a bunch more stuff. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #496 -- The China supply chain problem

Patrick Gray — Wed, 25 Apr 2018 00:00:00 +1000

On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and really get an idea of what supply chain risks look like from a macro level. The long and the short of it is the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here. This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff. In this week’s news we cover off: Mysterious BGP route hijacking for lame Ether theft (??) Google disabling domain fronting Canadian teen charged with downloading documents from a website City of Atlanta spending $2.6m to recover from its ransomware event RSA’s conference app fail White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!) Much more The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.

Risky Business #495 -- Russian Internet users are having a bad time

Patrick Gray — Wed, 18 Apr 2018 00:00:00 +1000

We’re still running in a trimmed down format this week, sorry about that. Regular listeners would know we’ve been dealing with some unexpected stuff over here in the house of Business, but the good news is things have settled down and we’re actually back home after more than three weeks away. Things are looking good for a return to a full format show either next week or the week after. But don’t worry, there’s plenty of good stuff in this week’s news segment with Mark Piper, including: Russia blocking 15m cloud service IPs to shut down Telegram RU router hax: Are they a big deal? FBI’s “going dark” narrative questioned Rob Joyce departs White House ZTE in all sorts of trouble AND MOAR This week’s show is brought to you by Cylance. Jim Walter of Cylance will be along in this week’s sponsor interview to talk about a couple of things – we’ll be looking at “fileless” malware – for what it’s worth it’s a term that we both hate – and we’ll also be talking about how complete amateurs are now able to run reasonably sophisticated malware campaigns these days thanks to the badware for hire business getting even more slick. The show notes/links are below, and you can follow Pipes or Patrick on Twitter if that’s your thing.

Risky Business #494 -- Cisco customers have a bad week, plus a deep dive on WebAuthn

Patrick Gray — Tue, 10 Apr 2018 00:00:00 +1000

Regular listeners would know Risky Business is just running the news and sponsor segments at the moment so there’s no feature interview in this week’s show. But that’s fine because we’ve got plenty to get through in the news segment with Adam Boileau. Then we’ve got a killer sponsor interview for you this week with Nick Steele and James Barclay of Duo Security. They’re here to talk about WebAuthn. It’s the new authentication spec currently going through the W3C process. Both Nick and James will be along later to talk about what the spec is designed to do, how it works and what its chances of becoming mainstream are, and spoiler alert, those chances are pretty good. They’ve also provided me with some links for people out there who want to play around with Webauthn, they are below. Links to all the news items are also below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Risky Business #493 -- SWIFT, pipeline attacks, Chrome's AV feature and more

Patrick Gray — Wed, 04 Apr 2018 00:00:00 +1000

This week’s show is just the news segment and sponsor interview. But, as always, there’s plenty to discuss with our news guest Adam Boileau! In this week’s sponsor interview we’ll be hearing from Timothy Keeler from Remediant. Remediant is a small but growing company that does privileged account management stuff, but they’re not a password vault. Tim’s joining us this week to walk through some of the challenges of managing privileged access in devops environments and also to talk a bit about some of the challenges around single sign on and privilege management. It’s all good stuff, and it’s coming up after the news. Links to all the news items are below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Risky Biz Soap Box: Network detection is dead! Long live network detection!

Patrick Gray — Mon, 02 Apr 2018 00:00:00 +1000

This Soap Box edition is brought to you by ICEBRG. ICEBRG is in the business of network-based response and detection. In simple terms they drop a box on your network that strips network metadata and shunts it up to their cloud for analysis. This allows incident responders in particular to really, really speed up their investigations. We know that a lot of internet traffic is encrypted these days, and that’s made some people take their eye off the network ball. The focus and buzz these days is very much on endpoint detection and response. Our guest on this edition of Soap Box, ICEBRG’s VP of Strategic Partnerships Jason Rebholz, thinks we’ve wound up with a blind spot as a result. It’s true that a lot of network security tech fell behind the times, but there are some fresh approaches emerging these days that are pretty bloody useful. ICEBRG started off as a product to accelerate incident response, an example use case is deploying it in 15 minutes when you’re starting an IR job; it gives you amazing visibility for the time invested. But, they’re broadening the product a bit these days. They’re not turning it in to an IDS, but they’re able to give clients some very, very high quality signalling. I think this is what you get when you get a bunch of ex-govvies and incident responders together and they develop a product. Their alerts are more along the lines of “you’re owned by this APT group” not so much “hmm, that’s some strange ICMP traffic hitting your mail server. Maybe some router in Azerbaijan needs a reboot, ." So the thinking is definitely fresh, and I’m increasingly seeing companies play in the network security space again. Network detection is dead! Long live network detection!

Risky Business #492 -- Thomas Rid on sloppy active measures

Patrick Gray — Thu, 29 Mar 2018 00:00:00 +1100

Sorry this week’s show is late – I found myself taking an unexpected and unavoidable trip. But I’m back on deck and we’ve got a great show for you this week. This week we hear from Thomas Rid, Professor of Strategic Studies at Johns Hopkins University’s School of Advanced International Studies. We’re having a conversation inspired by the latest spectacular Russian intelligence blunder: a Russian SIGINT operator exposing their GRU headquarters’ IP address because they forgot to fire up their VPN when logging in to their Guccifer 2.0 persona accounts. Oops. It’s hilarious stuff, but it’s brought out the conspiracy types who are saying hey, as if they’d make this mistake. Something’s fishy! Well, as you’ll hear, these types of agencies make similar mistakes on a pretty routine basis. Thomas joins us to talk about that, and also about how mistakes like this don’t really matter in the broad scheme of things. They’re a bit of a distraction. This week’s show is brought to you by Bugcrowd, the managed bug bounty company. Bugcrowd’s founder and CTO Casey Ellis will be dropping by to talk about a few things. They’ve raised a stack of cash since we last spoke and they plan to spend it on a bunch of stuff – they’re working on doing more efficient triage and they’re also looking at creating better legal agreements between their customers and their researchers. That’s all interesting stuff, and it’s coming up later. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Snake Oilers 5 part 2: Penten talks Honey Docs, Trend Micro on its latest

Patrick Gray — Mon, 26 Mar 2018 00:00:00 +1100

Snake Oilers is a wholly sponsored podcast where vendors pay to pitch their tech at you, the listeners. Last week we heard from Rapid7, Mimecast and VMRay, but this week we’ve got two more pitches for you. First up we’re going to hear from Penten, an Australian based company that is doing some genuinely interesting stuff with honey documents. Also in this edition we’ll be chatting with the team at Trend Micro. And this isn’t really about pitching a product – there more here to combat messaging coming out of newer EDR companies who are portraying established vendors like them as out of touch. As listeners would know, beating up the incumbent AV companies is one of my hobbies, so basically Trend Micro’s Eric Skinner and Eric Shulze will be along this week to tell me why I’m an idiot. They’re also going to make a strong case for independent AV testing – it’s something the industry has struggled with for a long time, but they say they want it to happen more than ever.

Risky Business #491 -- The biggest infosec news week we've ever seen

Patrick Gray — Wed, 21 Mar 2018 00:00:00 +1100

What a week, huh? As you’ll soon hear it’s been an absolute monster week for infosec news. Top of the list is the Cambridge Analytica scandal. For those who haven’t had time to catch up on this one, a former staffer from the data analytics firm has given some interviews in which he says the company scraped 50 million Facebook profiles and used that data to target US voters with political messages on behalf of Donald Trump’s campaign. Obviously this has made people feel quite uncomfortable, everyone is mad at Facebook and it’s news everywhere. It also looks like Facebook CSO Alex Stamos is on his way out due to events entirely unrelated to this. Also in this week’s show we’ve got: Iranians trying to blow up Saudi Arabian chemical plants Americans blaming Russia for attacks on its energy grid Kaspersky blowing LIVE SOCOM ops against Al Qaeda and the remnants of Islamic State The UK vowing to exact revenge on Russia via “cyber” retaliation over the Skripal affair There is no feature interview in this week’s show, we’re going long on news, but this week’s sponsor interview is absolutely fantastic. It’s with Haroon Meer, head honcho over at Thinkst Canary. He’s not here to talk about anything really related to products this week, instead we’re going to talk about CISO stuff. He’ll be thoughtlording the absolute sh*t out of you all this week. Haroon thinks breached organisations are getting off too lightly in the current infosec climate because people are scared to victim shame. As you’ll hear, he thinks there’s just no excuses for how some high profile data breaches have occurred and says more CSOs should be prepared to die on the right hills to stop their companies engaging in straight up suicidal behaviour. It’s great for security to be an enabler, but that doesn’t mean signing off on whatever anyone wants to do. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Snake Oilers #5 part 1: Rapid7 Insight Phish, VMRay's updated platform and mail filtering with Mimecast

Patrick Gray — Mon, 19 Mar 2018 00:00:00 +1100

As most of you know this isn’t the regular weekly show, this is a special edition we publish four times a year, and as you may have guessed from the title, this is the Risky Business podcast where vendors pay for time to pitch their products to you, the listeners. And we’ve actually got some great pitches for you today. We’ll be hearing from Rapid7 first – they’ve developed a new addition to their Insight platform – Insight Phish. There are already so many phishing simulation tools out there, so we’ll hear from Justin Buchanan on why Rapid7 has gone down this path. He actually makes a pretty compelling argument on why they’ve bothered. Simulation is just one part of Insight Phish, the other part is response. They’ve kind of closed the loop on that, so if you’re already a Rapid7 customer you’ll probably be VERY interested in Insight Phish. And even if you’re not it might get you looking at their stuff! Then we’re going to hear from the team at VMRay. VMRay makes a cloud-based binary analyser for all you DFIR types. They’re a German company founded on the back of the founder’s PhD. They actually raised millions of dollars in funding in 2016 from German investors. I know I want to hear from any company that convinced Germans to invest large sums of money! They’ve released a new version of their product and they’ll be telling us a bit about that. And finally we’re going to hear from Mimecast. And you know what? Mail filtering is a hard thing to pitch – most of the functionality is completely opaque to the user. So the Mimecast team will be along in our final pitch of the day to explain to you all what you should be asking of your email filtering provider. It’s actually really good generic advice… surprisingly neutral advice, too, so stick around for that! Links to all our sweet, sweet Snake Oiler offerings are below!

Risky Business #490 -- North Korea, "cyber norms" and diplomacy

Patrick Gray — Wed, 14 Mar 2018 00:00:00 +1100

On this week’s show we’re taking a look at how an acceleration in 24-carat bonkers state-sponsored hacking is leading to calls at senior levels of government for some actual norms to be established. We’ve got Russia hacking the planet with NotPetya, North Korea owning central banks and cryptocurrency exchanges, China owning the CCleaner supply chain and… well.. it’s all getting a bit much. So in this week’s feature segment we’re going to zero in on one norm-breaking country, North Korea. We’ll hear from John Hultquist of FireEye and Adam Meyers of Crowdstrike on that. As you’ll hear, countries like North Korea are pushing the limits of what they can get away with on the Internet and friendlier states are desperately trying to establish what the boundaries for good faith actors should actually be. We’ll hear from Australia’s cyber ambassador Tobias Feakin on that part of the discussion, courtesy of some audio gifted to the Risky Business podcast by Australian journalist James Riley. That’s a fun package and it’s coming up after the news. This week’s sponsor interview is with Zane Lackey of Signal Sciences. Zane joins us to talk about a few things – how developer teams are increasingly making their own security decisions and how that’s actually a good thing… we’ll also talk about companies that have found themselves operating on multiple cloud platforms even though they didn’t plan for it. Adam Boileau, as usual, is this week’s news guest. We cover: The AMD bugs China’s tightening grip on security research Slingshot APT Christopher Wray’s mind bogglingly daffy comments on key escrow AND MOAR! The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #489 -- (Deep) Fake News

Patrick Gray — Wed, 07 Mar 2018 00:00:00 +1100

On this week’s show we’re chatting with Professor of Law at the University of Maryland Danielle Citron about an article she co-authored on so-called “deep fake” videos. Citron and Bobby Chesney wrote a fascinating piece about the privacy and national security implications of this latest trend and we’ll be talking to her about that a little bit later on. In this week’s sponsor interview we’re chatting with Julian Fay, CTO of this week’s sponsor Senetas. We talk to him about how encryption hardware industry is responding to the looming spectre of quantum computing. As you’ll hear, standards bodies are already rolling out draft implementations of quantum-resistant algorithms that companies like Senetas will be baking into their kit as additional layers of protection. Adam Boileau, as usual, is this week’s news guest. We cover: Massive memcached DDoS attacks Trustico having a bad week Reported flaws in 4G/LTE Uber breach lawsuit …and more! The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Alphabet Chronicle co-founder Mike Wiacek talks Virus Total Intelligence

Patrick Gray — Fri, 02 Mar 2018 00:00:00 +1100

This isn’t the regular weekly show, Soap Box is the podcast where vendors pay to appear to talk about big picture stuff, or really anything they want. Unless you’ve been living under a rock lately you’d know that Google’s parent company Alphabet announced the spinoff of an enterprise information security company. They’ve named it Chronicle, but beyond that it’s all a bit mysterious. Unlike other startups that stay super stealth until they launch their product, Alphabet basically realised that as it already has its platform out there under beta test with a bunch of organisations the creation of the company would eventually leak, and that would have been a mess from Alphabet’s point of view. So, their solution was to announce the company before it’s ready to ship its product. I would love to tell you that they’re going to drop all the juicy details in this podcast but they’re not. They’ll drop some hints, but for now, Chronicle’s mystery platform will remain that: a mystery. But that’s not to say there isn’t some other stuff to talk about. As a part of the spinoff, Virus Total is now a part of Chronicle. And you know what? There’s a lot more to Virus Total, in particular Virus Total Intelligence, than I realised. That’s partly because Alphabet hasn’t really done much marketing around it, and this is a kind of first step down that path. So in this podcast you’re going to hear from two people from Chronicle – Rick Caccia who is the chief marketing officer, he’s mostly chiming in to explain a little bit about the new company – and Mike Wiacek, the CSO and co-founder of Chronicle. He’s going to be telling us about all the features of Virus Total that you probably didn’t realise exist. Did you know if you have a VTI account you can run YARA rules against everything that comes in to Virus Total? And you can apply the rules retrospectively to see what shakes out? And that they have graph and clustering features? And … and … and … you get the idea. I hope you enjoy this podcast!

Risky Business #488 -- Stop users recycling passwords with the pwned passwords API

Patrick Gray — Wed, 28 Feb 2018 00:00:00 +1100

On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP. It’s making some waves already. It’s a genuinely interesting, free service. In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all thing blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it. JP will talk us through some of the bug classes he sees as well as talk about the work trail of bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Etherum Virtual Machine. Adam Boileau, as always, is this week’s news guest. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Biz Soap Box: Bugcrowd CTO Casey Ellis on bounty innovation, PII norms and defensive bounties

Patrick Gray — Thu, 22 Feb 2018 00:00:00 +1100

This edition of Soap Box is brought to you by Bugcrowd. So the next 40 minutes or so is a conversation between Bugcrowd CTO and founder Casey Ellis and I. As most of you would know, Bugcrowd runs outsourced bug bounty programs for a wide variety of organisations, from Silicon Valley megabrands to financial services to development-heavy SMEs, Bugcrowd is there. And what a time it is for the bug bounty business. There’s a lot of attention on the bug bounty concept at the moment – we even saw a senate subcommittee hearing on them take place earlier this month. It’s a competitive sector, too. In this podcast Casey tells us about a few things, like what Bugcrowd is doing to try to add some innovation to bug bounty programs. As you’ll hear, he’s actually got some really great ideas. I came into this as a bit of a sceptic, as in, how can you innovate around something as simple as a bug bounty program? It turns out you can. We also try to make the case that bug bounties are an established part of infosec now; a boring part of the mix. So we cover off some interesting stuff Bugcrowd is doing, then we talk about how the bug bounty provides types might be able to actually engage their crowds in defensive work.

Risky Business #487 -- Guest Katie Moussouris on her recent Senate Subcommittee testimony

Patrick Gray — Thu, 15 Feb 2018 00:00:00 +1100

On this week’s show we’re going to chat with Katie Moussouris about her testimony before a Senate Subcommittee last week. She fronted a session on Consumer Protection, Product Safety, Insurance, and Data Security titled, “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers. We’ll hear from her on how all that went and what she hopes the US government learned from the committee panel. Also this week we’ll be hearing from Mark Maunder of Wordfence, that’s this week’s sponsor interview. Wordfence sells a Wordpress security plugin. There have been some interesting developments in the Wordpress world over the last week that are definitely worth covering. Wordpress actually pushed an update to core that actually disables future auto updates. Yikes. We’ll find out how long that update was out, what percentage of the Wordpress ecosystem swallowed it, and we’ll also talk about about a couple of dysfunctional things happening in the Wordpress ecosystem. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #486 -- Locking down AWS permissions with RepoKid

Patrick Gray — Wed, 07 Feb 2018 00:00:00 +1100

On this week’s show we’re chatting with Travis McPeak at Netflix about a tool they’ve developed called RepoKid. It automatically strips unused AWS permissions, which I’m guessing a lot of you will find quite useful. We’ll also chat with Dan Kuykendall in this week’s sponsor interview. Dan works for Rapid7, and they’ve been doing some interesting stuff with their agents, basically tweaking them to give better visibility of application security issues and exploitation attempts. T hat conversation is really about how security firms these days are using the agent footprint they have to just do whatever they can. Adam Boileau, as always, pops in to discuss the week’s news. We cover the: AutoSploit arm waving Lauri Love beating extradition Nik Cubrilovic’s arrest MOAR The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #485 -- Infosec startups overfunded, good exits unlikely

Patrick Gray — Wed, 31 Jan 2018 00:00:00 +1100

On this week’s show we’re checking in with Kelly Shortridge and the topic is zombies. Not the botnet kind, the heavily-VC-backed kind. A recent report from the Reuters news agency highlighted the amount of VC pouring into the so-called “cyber” industry vs the amount of money actually coming out of it in the form of profitable exits isn’t matching up. The industry is filling up with so-called zombie companies – they’ll never exit, but they’re not going to completely die, either. As it turns out, Kelly recently did a presentation on precisely this topic, so in this week’s feature we get her take on why this is happening and what’s likely to change. The tl;dr is something will have to give in the next couple of years, and it’s going to be ugly. In this week’s sponsor interview we check in with Jordan Wright of Duo Security. Jordan has done some research into phishing kits. While phishing isn’t the sexiest topic, the team at Duo has actually done some pretty comprehensive research here – they looked at thousands of kits and pulled out some interesting stats. We’ll talk to him about that, and also about the likelihood that U2F hardware will soon be baked into consumer devices. That’s really going to change things in years to come. Adam Boileau, as always, pops in to discuss the week’s news. We cover the: Strava heatmap Dutch infiltration of Cozy Bear Possible nationalisation of the US 5G network on security grounds Microsoft disabling Intel Spectre patches Google’s Chronicle announcement US$400m Cyptocurrency ownage MOAR The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #484 -- What's up with the new 702?

Patrick Gray — Wed, 24 Jan 2018 00:00:00 +1100

On this week’s show we’ll be taking a look at the freshly re-authorised section 702 of the FISA act. As you’ll soon hear, the updated section now allows the FBI to search data captured under 702 programs for evidence against US citizens in a bunch of circumstances, including, drum roll please, during investigations with a cyber security tilt. The co-founder of the Lawfare blog, law professor and Associate Dean for Academic Affairs at the University of Texas Ausin, Bobby Chesney, will be along in this week’s feature to talk about all of that! In this week’s feature interview we’re joined by Haroon Meer of Thinkst Canary. Haroon will be along to talk about the effectiveness of various honey tokens. Thinkst has been playing around with this stuff for a couple of years now, and Haroon will be joining us to talk about how they’ll will wind up being used in an enterprise context. How do you get detection canaries to scale? That’s coming up later. Adam Boileau, as always, pops in to discuss the week’s news. It’s been a relatively calm week, but we’ve got some interesting news about botched Spectre patches and a discussion around a sensational report about Kaspersky Lab published by Buzzfeed in conjunction with Russian outlet Meduza. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #483 -- Internet censorship in Iran, China

Patrick Gray — Wed, 17 Jan 2018 00:00:00 +1100

On this week’s show we chat with Collin Anderson about Iranian internet censorship, as well as how sanctions on Iran led Google to block app engine access within Iran. That’s a problem for Signal users there, because when the primary Signal servers are blocked, the software falls back to a domain-fronting approach that uses… drum roll please.. Google App Engine. That’s a pretty wide ranging discussion of ‘net censorship in Iran and ‘net censorship generally and that’s coming up after the news. This week’s show is brought to you by Bugcrowd, big thanks to them for that. In this week’s sponsor interview we’ll chat with Bugcrowd trust and security engineer Keith Hoodlet about some work they’ve been doing on producing detailed remediation information for their clients. Adam Boileau is also along, as always, to discuss the week’s security news. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #482 -- Meltdown and Spectre coverage without the flappy arms

Patrick Gray — Wed, 10 Jan 2018 00:00:00 +1100

On this week’s show Matt “pwnallthethings” Tait joins the show to walk us through the so-called Meltdown and Spectre bugs. Most of the coverage of the flaws has either been massively hyped or detail-free, and Matt pops by to untangle the whole mess. He does a great job of it, too. This week’s show is brought to you by Cylance. CTO Rahul Kashyap will be along in the sponsor chair to talk about why so many AV packages were causing Windows boxes to BSOD when Microsoft pushed its Meltdown patch. Adam Boileau is back in the news hotseat, and boy oh boy do we have a lot to cover. Show notes are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Risky Business #481 -- Inside the Anthem breach with someone who was there

Patrick Gray — Wed, 13 Dec 2017 00:00:00 +1100

This is the last show for the year, Risky Business will return on January 10th 2018. In this week’s feature Stephen Moore joins us. He was formerly the Staff Vice President of Cyber Security Analytics at Anthem, the healthcare company that was spectacularly owned by a Chinese APT crew in 2015. Instead of us all just saying “lol they got owned, they’re idiots,” I thought it would be a good idea to actually talk to someone who was there. As you’ll hear, Anthem’s team knew they were being targeted by an APT crew, did its best to fend off the attackers, but sadly they lost anyway. It’s sobering listening. This week’s sponsor interview is also just great. We’ll check in with Casey Ellis of Bugcrowd. He’ll be along to talk about this whole Uber mess. A lot of the reporting around the so-called Uber data breach seemed to fixate a bit on the fact that the attacker was paid via the HackerOne bug bounty platform. The coverage has conflated extortion with bug bounty programs, much to Casey’s dismay. He’ll be along later to share his views on what the Uber snafu means, as well as to share his thoughts on DJI’s disastrous bug bounty program. Adam Boileau, as usual, stops by to discuss the week’s security news, and also to wrap up the 2017 season. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Bromium on custom microvirtualization for legacy apps

Patrick Gray — Mon, 11 Dec 2017 00:00:00 +1100

Today’s Soap Box is brought to you by Bromium. Bromium makes a security suite that wraps key applications in microvisors. It’s a way to get app-specific, hardware-based virtualisation. Historically Bromium has wrapped things like browsers and the office suite into these microvisors. Bromium has also found a lot of success in selling to organisations that have to run out-of-date browsers and Java. Wrapping an old browser in Bromium actually does make it safe to use. Well, now they’ve gone a step further. They’ve launched secure app extensions, which is where they custom-wrap your application, or an application you use, into a microvisor. So if you’re using some awful, old, insecure enterprise app and it’s keeping you awake at night, this might be a solution for you if you can’t rip and replace. Have a listen!

Risky Business #480 -- Uber, Kaspersky woes continue

Patrick Gray — Wed, 06 Dec 2017 00:00:00 +1100

On this week’s show we’ll be having a look at the latest OWASP top 10. As many of you would know, the new list is out. A couple of items have been dropped and a couple of items have been introduced. But we’re really using this new top 10 as an excuse to have a broader chat about the top 10 and the OWASP mission more generally. As you’ll hear, everyone seems to agree the list is a good thing, but maybe OWASP needs to sharpen its communication strategy a little to make itself more accessible to the developers it’s trying to help. We’ll hear from OWASP Bristol chapter leader and Veracode consultant Katy Anton on that, as well as Safestack head honcho Laura Bell and penetration tester and founder of Matchme consulting Pam O’Shea. This week’s show is brought to you by a first time sponsor, VMRAY. They make malware analysis software that’s very popular with CERTs, but I suspect a lot of listeners out there in IR will also be interested in what they’re doing. The core offering is a cloud malware analyser that isn’t public, so if you don’t want to fire off a sample to VirusTotal and let the bad guys know you’re on to them, VMRAY is a better option. VMRAY didn’t actually get one of its staff into this week’s sponsor slot, it chose one of its users instead – Koen Van Impe. He pops along to talk through what he uses VMRAY for and to give us a bit of an overview of what it does. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers #4: Dino Dai Zovi, Chris McNab and Sylvain Gil

Patrick Gray — Mon, 04 Dec 2017 00:00:00 +1100

We’ll be hearing from three vendors in this edition of Oilers. Dino Dai Zovi will be along first up to talk about his startup, Capsule8, which looks very promising indeed. After we’ve heard from Dino we’ll be chatting with Chris McNab. He used to run incident response for iSec Partners and later NCC Group, but these days he runs AlphaSOC, a company he founded. They’re a very simply play – they do DNS and IP analytics. They offer that as a Splunk application or via an API, and you would be amazed how much bad stuff you can kick off your network with something as simple as DNS and IP analytics. Tor exfil, whole families of malware, BitTorrent, all sorts of stuff. Chris will be along soon to talk about that. Then we’re rounding it out with a conversation with Sylvain Gil, the co-founder of Exabeam. Exabeam started off in analytics and UEBA, but they’ve taken a bunch of money and they’re spending it on building out their SIEM, which is already pretty popular in certain circles because they don’t license it based on volume. Sylvain pops along later on to talk about how that’s changing SIEM use cases for a bunch of people. For example they can pump their EDR logs into their SIEM without wearing a seven figure SIEM consumption bill. He also walks through how they’ve used open source technologies like Hadoop in their products. It’s an all around chat that one, not so much a pitch, but yeah, I found it really interesting and I hope you will too. Links to all three profiled vendors are below!

Risky Business #479 -- Oh, Uber. Oh, Apple.

Patrick Gray — Wed, 29 Nov 2017 00:00:00 +1100

On this week’s show we’re speaking with Susan Hennessey, a Fellow in National Security in Governance Studies at the Brookings Institution and managing editor of Lawfare. We’re talking to her about cross-border law enforcement in the Internet age. We hear a lot of people in the infosec community expressing some discomfort with the FBI’s use of Network Investigative Techniques designed to de-cloak Tor users. Susan pops by to explain why the FBI and other law enforcement bodies aren’t worried about the international ramifications of dropping de-cloaking technique on the whole planet. We also cover off a few of the other issues around how data can be turned over to various governments. It’s a fascinating chat and it’s coming up after the news. This week’s show is brought to you by Tenable Security. In this week’s sponsor slot we’ll be hearing from Ray Komar, Tenable’s VP of technical alliances. We’re talking to Ray about a partnership Tenable has formed with Siemens. They’re trying to tackle the issue of tracking vulnerabilities in industrial control system equipment, but as you’ll hear, people aren’t actually buying it so much for the vulnerability tracking side, they’re buying it for the visibility side. It turns out dropping a passive scanner on your ICS network is a good way to know what’s actually ON your ICS network. As always, Adam Boileau pops in to discuss the security news. We cover: The Uber hack Apple’s comedy “root” bug Krebs on possible Shadowbrokers link Charges against more Chinese APT operators and Iranian HBO attacker More “hack back” legislation action Intel ME bug details Golden SAML MOAR Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #478 -- Why a "Digital Geneva Convention" won't work

Patrick Gray — Wed, 15 Nov 2017 00:00:00 +1100

On this week’s show we check in with Mara Tam. She’ll be telling us why the idea of a so-called “Digital Geneva Convention” is silly. Then, after that, Rich Smith of Duo Security will be in the sponsor chair. You may have heard about some recent research Duo Labs did into Apple EFI patches basically not working/sticking. Rich walks us through that research, why Duo did it, how they did it, and what it can tell us. It might be Mac research but the real worry, as you’ll hear, is around Wintel firmware. Adam Boileau pops by for this week’s news discussion. We’ll be covering: Facebook’s plan to combat “non-consensual intimate imagery” Wikileaks Vault8 leaks Assange sending a “guessed” password to Donald Trump Jnr NYTimes reports on the Shadowbears Cracking FaceID with a rubber mask MOAR Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #477 -- US mulls charges against Russian officials involved in DNC hack

Patrick Gray — Wed, 08 Nov 2017 00:00:00 +1100

There’s no feature interview in this week’s edition, just a slightly longer news session with Adam Boileau, then it’s straight into this week’s sponsor interview. Adam and I will be speaking about: Charges against Russian officials involved in the DNC hack Confirmation of Russian involvement in Ukraine artillery targeting app Attribution claims in Bad Rabbit campaign “Hack Back” bill is picking up steam 1 million installations of counterfeit WhatsApp clone A properly awful Tor browser bug The cryptocurrency comedies/tragedies of the week MOAR Marco Slaviero is this week’s sponsor guest. He’ll be along with a radical marketing approach: He’ll be telling us what Canaries can’t do! But you know what? It’s a useful thought exercise. He’ll also update us on the latest stuff they’re doing in the cloud. They’ve got some new VMWare virtual canaries too. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers #3: Bot prevention and distributed "crypto magic" credit card storage

Patrick Gray — Mon, 06 Nov 2017 00:00:00 +1100

In this edition of Snake Oilers we’re taking a look at two Australian companies and their solutions: Kasada and Haventec. Kasada’s product is a simple one – it’s bot prevention using proof of work and a couple of other things, and Haventech’s solution is a bit more out there. They’ve got a couple of products. One uses device fingerprinting plus a secret for authentication, but they’ve actually come up with something else that’ll be really interesting to people in the payment card processing space. Basically they’ve come up with a way to split credit card info into a few pieces so it can be stored in a distributed way. Part of the info with the user, part with the merchant and part with the processor. It’s a better approach than tokenisation, and will drastically reduce the liability and costs that comes with storing huge amounts of card data on the processor side. Oh, and they’ve solved the chargeback problem on that one too. Links to the companies profiled can be found below. I hope you enjoy the show!

Risky Business #476 -- Zeynep Tufekci on machine learning and disinformation

Patrick Gray — Wed, 01 Nov 2017 00:00:00 +1100

On this week’s show we’re chatting with Zeynep Tufekci about how machine learning accelerates the dissemination of crazy s–t, basically. Zeynep’s September TED talk titled “We’re building a dystopia just to make people click on ads” is a must watch and has been doing the rounds on infosec Twitter over the last couple of weeks. She joins us this week to talk through what we might be able to do about the tendency of online platforms to send people down pretty warped rabbit holes. That’s a fascinating chat. This week’s show is brought to you by Senetas. Senetas is a Melbourne-based company that develops and manufactures layer 2 encryption gear. They also operate the SureDrop secure file sharing platform and are working on a bunch of cloud crypto tech as well. Julian Fay is CTO over at Senetas and he’s along this week to talk us through the bugs Matthew Green and his colleagues found in a bunch of FIPS-certified gear from Fortinet. It’s a really, really illuminating chat. I love it when Julian’s in the sponsor chair because I always learn a lot. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #475 -- Matt Tait: US gov needs to put up or shut up on Kaspersky claims

Patrick Gray — Wed, 25 Oct 2017 00:00:00 +1100

On this week’s show we’re catching up with Matt Tait. Matt’s better known as @pwnallthethings on Twitter. He’s joining us this week to talk about the claims various sources have made against Kaspersky. I say sources because up to this point the only thing we’ve seen is various officials saying people shouldn’t use it. There’s been no official statement from the government or the intelligence community that actually says “don’t use it”. And the situation is getting ridiculous. It’s as clear as mud right now, basically, so Matt will be along later to argue the US government really just needs to back the claims in an official way if they’re to be taken seriously. This week’s show is brought to you by Cylance. This week we’re chatting to Chris Coulter, a seasoned IR professional who’s recently moved from the services arm of Cylance to the product side. We’ll be talking to Chris about IR and where EDR software is going. That one is really worth listening to. It’s easy to look at Cylance today and just see another antivirus company. People have forgotten that they basically shook up the biggest market in infosec and I think they have a solid chance of doing the same thing with a few of their upcoming releases in the EDR and UBA space. So yeah, check out that sponsor interview with Chris Coulter, coming up towards the back of the show! Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #474 -- Inside new, "invisible" Rowhammer attacks

Patrick Gray — Wed, 18 Oct 2017 00:00:00 +1100

On this week’s show we’re chatting with Daniel Gruss an infosec researcher doing a postdoc in the Secure Systems group at the Graz University of Technology in Austria. Daniel was one of the authors of a recent paper on a new Rowhammer technique. This one’s pretty clever, basically because it evades all known detection techniques by executing in an Intel SGX enclave. In this week’s feature interview we chat with Dan Guido from Trail of Bits. He’s along this week to talk about his experience in helping to build secure software and security tools for his clients. Of course the big news this week are the so-called “KRACK” attacks against WPA2. Adam’s done his homework on that and joins the news segment to tell you all how bad it is. We also look at the RNG bugs making life hard for smart card vendors and all the other news of the week! Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #473 -- Kaspersky is officially toast

Patrick Gray — Wed, 11 Oct 2017 00:00:00 +1100

On this week’s show we’re taking a deep dive into the latest news about Kaspersky and its alleged ties to Russian security services. The New York Times has just published an absolutely blockbuster piece that claims Israeli intelligence infiltrated Kaspersky’s network in 2014 and uncovered slam dunk evidence the company was operating espionage campaigns on behalf of the Russian government. We’ll jump into that in a minute, then in this week’s feature I’ll chat with Dave Aitel of Immunity Inc and get his feelings on the Kaspersky controversy. Casey Ellis is this week’s sponsor guest. He’s joining us this week to talk about how people running their own bug bounties can avoid false negatives. A couple of weeks back we ran a feature here on the show about a guy who had a pretty hard time reporting a legitimate security bug to Microsoft. Casey will be along with some ideas on how companies might do better when managing a lot of inbound bug reports, many of which are bogus. How do you sort the wheat from the chaff. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #472 -- Iran DDoSed banks in 2012, US DoSed DPRK

Patrick Gray — Wed, 04 Oct 2017 00:00:00 +1100

There is no feature interview in this week’s show – it was a long weekend here in Australia plus a few things came up. But we’ve got a great show for you anyway. We’ll be discussing the week’s news headlines with Adam Boileau who’s back on deck after a short break, and then we’ll get straight into this week’s sponsor interview with Lee Weiner of Rapid7. He’s the Chief Product Officer there and he’s joining us this week to explain why so many vendors are suddenly so obsessed with automation and orchestration. It’s a trend that actually makes a bunch of sense for a bunch of reasons, but the key is 100% going to be in the execution. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Exploit kits are dead, at-scale social engineering the new black

Patrick Gray — Fri, 29 Sep 2017 00:00:00 +1000

This isn’t the weekly show, this is a deep dive vendor podcast we do 10 times a year. All the vendors who appear in the Soap Box podcasts paid to be here, but you know what? Even though this is sponsored content, it’s really interesting. And this Soap Box edition is a double surprise, because we’re talking about one of the driest topics in infosec: email filtering. But this is actually a really engaging conversation. I was very surprised by how much I enjoyed talking to our guests in this special, Ryan Kalember and Christopher Iezzoni of Proofpoint. Proofpoint, among other things, is a huge player in email security and filtering. This conversation all hinges on a report Proofpoint published called “The Human Factor”. It made some really important observations. For example, the death of popular exploit kits like Angler has just pushed attackers into social engineering at scale as an attack vector. That can be straight up fraud, attached malware or macro stuff, and some of these campaigns involve really sophisticated mass personalisation. The days of exploit kits being used at scale might actually be over. I picked up The Human Factor report the day before we recorded this session and its findings are genuinely interesting. Proofpoint’s Ryan Kalember (SVP, Cybersecurity Strategy) and Christopher Iezzoni (Manager, Threat Research) joined me to discuss report and also to talk about why email filtering is actually interesting again. You can find The Human Factor report here.

Risky Business #471 -- Good Microsoft, bad Microsoft

Patrick Gray — Wed, 27 Sep 2017 00:00:00 +1000

On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require man in the middle to exploit the failure. Ummm. What? It all got sorted out eventually, and by sorted out I mean silently patched with no note to customers. So if you have a script running somewhere that’s invoking this tool it’s probably not checking for valid certificates, so that’s fun. In this week’s show notes we’ll be talking with industry legend Jon Oberheide, co-founder of Duo Security, about a couple of things. We’ll be looking at the features platform vendors like Microsoft and Google are now baking into their operating systems that allow companies like Duo to be able to query the health of endpoints. We also have a general conversation about how it is actually the platform vendors who will solve the biggest problems, not so much the security industry. That’s this week’s sponsor interview, with big thanks to Duo Security. The Grugq is this week’s news guest. Links to everything discussed are below, and you can also follow Patrick or The Grugq on Twitter if that’s your thing.

Risky Business #470 -- Project Zero's Natalie Silvanovich on reducing attack surface

Patrick Gray — Wed, 20 Sep 2017 00:00:00 +1000

Ryan Duff fills in for Adam in this week’s news segment. Ryan used to work at US Cyber Command as a cyber operations tactician but these days he’s in the private sector. He shares his thoughts on the week’s happenings. This week’s feature guest is Google Project Zero’s Natalie Silvanovich. A little while back she fired off a few tweets saying companies are simply not doing enough to minimise the attack surface in their software. She was finding it so frustrating that she tweeted an offer – she said she was happy to turn up at any company that would have her and give a talk on how to minimise attack surface. She’s since done that talk about half a dozen times and she joins us today to give us the general idea of the advice she’s been providing. This week’s sponsor interview is with the man, the legend, Haroon Meer. Haroon is the founder of Thinkst Canary, simple hardware honeypots that work amazingly well. This week Haroon joins the show to talk about how we can avoid the next Equifax. He says a lot of it comes down to empowerment, which sounds like the sort of thing an annoying person with capped teeth would put in their slide deck, but when you hear Haroon explain what he actually means it actually makes sense. See links to show notes below, and follow Patrick or Ryan on Twitter if that’s your thing!

Risky Biz Soap Box: Consolidation to hit infosec software industry

Patrick Gray — Fri, 15 Sep 2017 00:00:00 +1000

Cylance, as many of you would know, is a so-called next generation AV company. They were early movers on machine learning tech, and they’ve been tremendously successful. They’re a tech unicorn – clocking up a valuation of over a billion dollars in a very short space of time. Cylance was founded in 2012, and there’s been a lot of movement in the endpoint security space since. There are now a whole swag of next generation endpoint security companies gobbling up the market share of the incumbent AV companies. A lot of them started off in the EDR space and are now doing anti-virus as well. It feels like we’ve reached a consensus point. Endpoint security software should do both EDR and AV. So, Cylance is building out its EDR products. So we’ll be speaking with Cylance’s chief product officer, Rahul Kashyap, about convergence. Not just in terms of what they’re doing, but more broadly. Rahul has been in the security game for a long time. He worked on developing network-based IDS products with Nsecure back in the early 2000s, before taking a job at McAfee. He served as McAfee’s head of vulnerability research for four years before joining Bromium as its chief security architect. Rahul has been on Risky Business before and he’s a guy who very much knows what’s up.

Risky Business #469 -- More like EquiHAX. AMIRITE??

Patrick Gray — Wed, 13 Sep 2017 00:00:00 +1000

On this week’s show, of course, we’ll be using the news segment to take a look at the dumpster fire that is the Equifax breach. We’ve got suspicious short trades, executive share sales and an absolutely shambolic response. This one’s got the lot; something for everyone. We’ll also take a look at these latest Bluetooth bugs and of course we’ll recap the rest of the week’s security news. In this week’s feature interview we’re chatting with Emily Crose. After cutting her teeth at CIA, NSA and US Cyber Command, these days Emily works in the private sector, and her hobby at the moment is using machine learning-based image processing to identify problematic social media images. Some social media companies say it’s too hard to identify, for example, ze Nazis. Emily says nope. I would say this week’s show is brought to you by Tenable Network Security, but now I’m just going to say Tenable because these days that’s what they’re calling themselves. And it makes sense. Vulnerability management isn’t really just about what’s on your network anymore. With that in mind, they’ve really changed the messaging of the company. They’re not calling it continuous monitoring anymore, they’re calling it cyber exposure measurement. Corey Bodzin, VP of product operations at Tenable joins the show to walk us through the rationale behind the new messaging. Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #468 -- Marcus Hutchins gets "Krebsed," the ICO bubble and more

Patrick Gray — Wed, 06 Sep 2017 00:00:00 +1000

On this week’s show we’re going to take a look at the ICO bubble. We’ll hear some excerpts from a chat I had with Coinjar CEO Asher Tan and then Adam and I are going to talk about what the hell is happening with all this crypto madness. We also take a look at the scuttling of the Kenyan election over hacking fears, the latest drama with Kaspersky being caught in the middle of geopolitical intrigue, the FSB’s unconventional BBQ in San Francisco and more. This week’s show is brought to you by Netsparker. Netsparker makes an automated webapp testing tool, you can kinda dial up the level of automation you want. They have a few nice tricks in their suite, too, like auto proof of concept exploitation of some bug classes so you can actually prove people need to fix stuff while you drink coffee, that’s nice. In this week’s sponsor interview we’re speaking with Ferruh Mavituna, the founder and CEO of Netsparker, about automated testing at scale. It’s a sponsor interview, but it’s also a pretty generic chat about how you tackle that problem. Basically he says when you’re doing this scanning at scale you really can start with the bad, dumb stuff, because if you’re in an enterprise of any sort of size at all your automated testing is going to spit out a horror-show list. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers #2: Part 2: Authentication tech from Yubico and Remediant

Patrick Gray — Mon, 04 Sep 2017 00:00:00 +1000

This podcast deals with authentication tech – in particular, if you manage a Windows network, you’ll want to listen to this to get an idea of some different approaches to solving some of your authentication challenges. This isn’t our weekly show, this is something we do four times a year – we get a bunch of vendors together and they explain their tech. Last week I published interviews with Crowdstrike, Replicated and AttackIQ, go check them out if you haven’t already, but I wanted to break out these two companies into their own podcast. In this edition we’re going to hear from two companies – Remediant and Yubico. Yubico, of course, makes yubikeys, the hardware authentication device used by companies like Google and Facebook to lock down accounts. I own one, and it wasn’t a freebie, I paid for it. A lot of security people use these USB devices because they work really, really well. What I didn’t know, because I’m a dumbass, is there’s native support for Yubikeys in Windows. So if you want to add hardware-backed two factor authentication to your Windows accounts, this is one way to do it. But before we talk to Yubico, we’re going to hear from Remediant. Remediant is a start up that also makes some interesting Windows auth tech. Now, a lot of Risky Business listeners operate in high security or compliance heavy environments. This will often mean using password vault technology for better privileged account management. Remediant has something they think is better. Basically they have created a tech that lets you enable and disable privileged accounts on, like a time-lock basis. If you have to do some admin work on a box, you log in to your Remediant server, enable that account for a set period of time, then off you go. Easy. It’s a very light touch way of solving some pretty serious management headaches, and it’s very easy to audit, which will keep our friends in heavily regulated environments very happy.

Risky Business #467 -- HPKP as an attack vector

Patrick Gray — Thu, 31 Aug 2017 00:00:00 +1000

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more. In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hack own your domain registrar, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control. You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation. This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”. Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below. Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

Snake Oilers #2: Part 1: Crowdstrike, AttackIQ and Replicated explain their tech

Patrick Gray — Mon, 28 Aug 2017 00:00:00 +1000

This is part one of our latest Snake Oilers podcast, the sponsored podcast that doesn’t suck! I have to say, when I launched this podcast series I had no idea it would actually wind up being genuinely engaging and interesting. All three interviews in this podcast are top notch and I think anyone working in infosec would do well to listen. The original idea behind these Snake Oilers podcasts was vendors would come on to the show and aggressively pitch their products. But you know what? What they mostly want to do is actually explain what their technology does so people out there in listener land actually know what they do. I’ve broken this special into two parts. In this part we’ll hear from CrowdStrike, Replicated and AttackIQ. On Monday next week I’ll be posting part two with Remediant and Yubico, the makers of Yubikeys. Those two companies both make authentication technology, which is why I split them out on to their own. In this part: Crowdstrike tell us why they think their EDR and AV solution is the best. A lot of you probably didn’t even know Crowdstrike does AV now… they’ve got a pretty compelling endpoint detection and response plus AV pitch. AttackIQ will pitch its software as a way to augment red teaming exercises and help you think of security as a continuous feedback loop Replicated talks through its tech. They take SaaS software and turn it into on-prem or private cloud software

Risky Business #466 -- Breaking reverse proxies shouldn't be this easy

Patrick Gray — Wed, 23 Aug 2017 00:00:00 +1000

On this week’s show we chat with James Kettle of Portswigger Web Security about some adventures he had with reverse proxies and malformed host headers. Using some simple tricks, James was able to do some craaaazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that. In this week’s sponsor interview we’re tackling the new European general data protection regulation. With the new regime due to kick in on May 25 next year, there’s a lot of angst out there, and for good reason. The penalties for mishandling info are up to 4% of global turnover, which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere. Senetas’ is this week’s sponsor. They make layer 2 encryption gear, as well as SureDrop, a GDPR and enterprise friendly dropbox-style service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that. As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #465 -- Charlie Miller on autonomous car security

Patrick Gray — Wed, 16 Aug 2017 00:00:00 +1000

On this week’s show we chat with Charlie Miller all about the security of autonomous vehicles. As you’ll hear, he says autonomous vehicle security all comes down to some security fundamentals that are, in fact, being taken seriously by carmakers. We’ve got an absolutely fantastic sponsor interview for you this week. This week’s show is brought to you by Senrio. They make an IoT network monitoring solution that’s actually really good. Stephen Ridley is the founder and head honcho at Senrio. He’s a very well known researcher and he joins us this week to talk about a few things. First up he recaps the gSOAP library bugs the Senrio team found. They were a big deal in July, but as you’ll hear, people kinda missed the point. The affected gSOAP library is absolutely everywhere, including in, ahem, browsers. So yeaaaaah. There’s that. Then we move on to the more sponsor-y part of the sponsor interview, talking about Senrio’s experience running the IoT hacking village at DEFCON. It was a great time for them, throwing their product at the most hostile IoT network the world has ever seen. To round out the Stephen Ridley omnibus experience we’ll also hear about a few training courses he’s offering on Android hacking and software exploitation via hardware exploitation. Adam Boileau joins the show to talk about the week’s security news, links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #464 -- Why your game theory theories are wrong

Patrick Gray — Wed, 09 Aug 2017 00:00:00 +1000

On this week’s show we’ll be chatting with Kelly Shortridge, formerly a detection manager at BAE, all about her Black Hat talk. It’s all about why most of what you hear about applying game theory to detection strategies is total bullshit. This week’s show is brought to you by Signal Sciences! Signal Sciences makes a killer product focussed on web application and web server security. It’s really popular with the dev ops crowd, which is interesting, because most security products in devops focus on the dev, whereas Signal Sciences focusses more on the ops component. This week we speak to Signal Sciences co-founder Zane Lackey about this burgeoning market for security tooling geared towards non-security people. It’s actually a really interesting conversation. Non security groups at large organisations are having to become security self sufficient and it really is a game changer. More on that with Zane Lackey in this week’s sponsor interview. Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #463 -- Black Hat's 2017 keynote speaker Alex Stamos joins the show

Patrick Gray — Thu, 03 Aug 2017 00:00:00 +1000

This week’s feature interview is with Facebook CSO and Black Hat 2017 keynote speaker Alex Stamos. We’ll be digging a little deeper on some of the points he hit on in his talk in Las Vegas this year. I’ve linked through to a video of his keynote in this week’s show notes (below), and I’d really recommend you watch it. It was just very, very good. This week’s show is brought to you by Thinkst Canary. They’re best known for their little Canary honeypots, you put them on your network and they’ll alert you to all sorts of lateral movement. Thinkst’s Founder and chief brain Haroon Meer will be along later on to talk about cloud security. He’ll be echoing some of the points made in our interview a few week’s back with Daniel Grzelak from Atlassian, as well as looking at how you can start to put together a somewhat coherent strategy for detecting when your cloud services get popped. Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #462 -- Does the Australian government want to break encryption?

Patrick Gray — Wed, 19 Jul 2017 00:00:00 +1000

In this week’s feature interview I speak with the Australian Prime Minister’s cyber security advisor Alastair MacGibbon about what it is that the Australian government is pushing for in terms of industry cooperation around surveillance. There’s been a lot of hype on this one. “Al Mac” joins the show to work through some of it, and honestly, Australia’s push at the moment is the sort of thing I think you can expect to see more of around the world, so this is an interview of global relevance. Some of that conversation hinges on a blog post I wrote on the weekend. If you want to, you can read that here. This week’s show is brought to you by Remediant! Remediant makes a product that’s designed to make lateral movement through a network much harder. Essentially it’s a way to restrict all privileged accounts on your infrastructure until you actually need it. So instead of being able to just log in to your production environment, you can actually set it up so you can enable the privilege you need to a set period of time. It’s a different approach to privilege management than things like password vaults, so if you work in an authentication group you’re going to want to hear what they have to say. Remediant CEO Tim Keeler is this week’s sponsor guest. Adam Boileau is this week’s news guest. We talk about all the continuing notPetya drama at Maersk and FedEx/TNT, the Alphabay latest and more. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Biz Soap Box: Keep your vendors honest with attack simulation

Patrick Gray — Tue, 18 Jul 2017 00:00:00 +1000

This month’s Soap Box podcast is brought to you by AttackIQ, a company that makes attack simulation software. This is a wholly sponsored podcast that won’t bore you to tears. There are countless CISOs who listen to this podcast who’ve shovelled an awful lot of money at their organisation’s security controls. Whether that’s endpoint/AV or fancy network kit that’s supposed to detect exfil, the sad truth is most organisations have no way to know if their expensive kit is actually doing what it’s supposed to. Until, of course, they get breached. Then there is much wailing and gnashing of teeth. So the idea behind attack simulation is pretty simple. You load a lightweight agent on to your corporate systems, the agent then runs scriptable attack scenarios that can simulate attacker behaviour. These attack scripts might get some endpoints to start nmapping internal systems. They might start changing some registry keys or stimulate a bunch of disk activity that looks like an encryption/ransomware process. They might start sending off a bunch of dummy data via a DNS exfil technique. Did your endpoint solution catch the funny registry stuff? Did your network controls catch the simulated exfil? Now imagine you have 1,000 pre-coded attack simulations with all sorts of different combinations and permutations of attacker behaviours. How many of them do you actually need to run through before you can spot the weak points in your defences? Attack simulation is a great way to test and validate your security controls, and you can do it continuously. AttackIQ’s cofounder and CEO Stephan Chenette joined me to talk about attack simulation and what it’s good for.

No encryption was harmed in the making of this intercept

Patrick Gray — Sun, 16 Jul 2017 00:00:00 +1000

(UPDATE 17/7/17: The original version of this post implied major technology companies were only handing over user metadata via Mutual Legal Assistance Treaties. That is not the case and the piece has been edited for clarity.) Over the last few days people have been losing their minds over an announcement by the Australian government that it will soon introduce laws to compel technology companies to hand over the communications of their users. This has largely been portrayed as some sort of anti-encryption push, but that’s not my take. At all. Before we look at the government’s proposed “solution,” it might make sense to define some problems, as far as law enforcement and intelligence agencies are concerned. The first problem has very little to do with end-to-end encryption and a lot more to do with access to messaging metadata. If you’re Australian and you’re reading this blog, you’d most likely know that Australia passed a metadata retention law that came into effect in April this year. It requires telecommunications companies and ISPs (i.e. carriage service providers, or CSPs) to keep a record of things like the IPs assigned to internet users (useful for matching against seized logs) as well as details around phone, SMS and email use. The problem is, people have moved towards offshore-based services that are not required, under Australian law, to keep or hand over such metadata. Think of iMessage, WhatsApp, Signal, Wickr and Telegram. Australian authorities do have options when it comes to requesting metadata from these companies. They can just ask, and depending on the company they might get something back. I’m told the major companies generally help out, especially those with a presence here. Companies like Berlin-based Telegram? Not so much. Some other companies might just tell you to go away. Then the only way forward, depending on where the app maker is based, might be an MLAT – a request through a Mutual Legal Assistance Treaty, specifically, the Mutual Assistance in Criminal Matters Act of 1987. Detective plod draws up the paperwork, then the request goes off to our Attorney General’s Department, then to the US AG, then to the FBI, and then you might get something back about a year later. If you’re lucky. If you’re seeking useful metadata involving communications that took place via Signal, you won’t get anything back anyway because they just don’t log much. (This is also an issue for US law enforcement.) Currently, metadata access is at the whim of a patchwork of company policies, and the metadata tap – in the case of some communications apps – has been turned off completely. And as far as law enforcement is concerned, blocks to obtaining metadata are a very big problem. There are no easy solutions here, but it’s part of the reason you’ve heard our Attorney General George Brandis talk a lot about treaties and mutual assistance over the last few months. Currently, there’s nothing the Australian government can do to speed up the process when authorities are dealing with offshore organisations. The second problem involves messaging content. Now that we live in a world where anyone can buy a secure mobile handset (an iPhone) and use an end-to-end (e2e) encrypted messaging application (WhatsApp, Signal etc), there are serious challenges around intercepting communications. Currently, if you ask Facebook for some WhatsApp messaging data, they can simply say they don’t have it. That’s the beauty of end-to-end encryption. But the Australian government has announced proposed laws that will seek to compel tech companies to hand over the content of user communications, e2e encrypted or not. It’s very, very important to note at this point that there are legal barriers to obtaining communications content that simply don’t apply to metadata. Metadata is made available by request in most jurisdictions (i.e. without a warrant), but content is a whole other ballgame. In the case of a typical criminal investigation the police need a telecommunications intercept warrant to tap someone’s phone or internet connection. They can’t simply request it. It’s here that people have spun off planet earth into frankly bizarre speculation as to what the government wants. I’ve seen an awful lot of people suggesting that the government will compel tech companies to downgrade the encryption they use in their products, either by forcing them to adopt weak ciphers or maybe some sort of funny curve, reminiscent of the suspect Dual Elliptic Curve Deterministic Random Bit Generator incorporated into RSA’s BSAFE library. (That’s a mouthful, but you can read about that here.) The thinking is, if everyone starts running crap crypto, the coppers can sniff the communications off the wire. Let me put this bluntly: If this is what the government winds up suggesting, then by all means hand me a bullhorn and show me where to point it. It is a ridiculous idea that would erode so many of the security gains that we’ve made over the last decade. But this is not what the government will suggest. If you want to know what this will look like from a technical perspective, just look at how authorities currently address this problem. Thanks to our pal Phineas Fisher, we’ve had a glimpse into the sausage factory that is the law enforcement trojanware industry. Gamma Group and Hacking Team, two companies that make surveillance software for mobile phones, were both hacked by Mr. Fisher and the gory details of their operations laid bare. What we learned is that law enforcement organisations already have perfectly functional trojans that they can install on a target’s phone. These trojans can already intercept communications from encrypted apps. If you can access the endpoint – the phone – then you can access the user’s messages. No weakening of encryption is required. These types of law enforcement trojans have typically been delivered to handsets by exploiting security vulnerabilities in mobile operating systems. Unfortunately for law enforcement, but fortunately for us, exploiting vulnerabilities on mobile handsets has become more and more difficult, time consuming and expensive. iOS is the leader here, a damn fine operating system, but Android is definitely catching up. I want to spell this out clearly so there’s no confusion: The government already has the legal authority to access your end-to-end encrypted messages if they have a warrant. The barrier is not a legal one, it’s a technical one. Access to the expensive exploits used to deliver interception software to handsets is being rationed due to cost, feeds an industry full of shady players like Hacking Team, and in some cases agencies are simply unable to install surveillance software on to the phones of some really god-awful people, even though they have a warrant. So, the government wants the tech companies to “fix” this for them. That’s why they’re not talking technical details. The regime will not be prescriptive, and thankfully the government knows that it’s probably not the most appropriate organisation to advise Apple or Google on the finer points of technology. The feeling is non-US law enforcement and intelligence agencies aren’t getting the coverage they’d need to do their jobs. This is why we’ve seen New Zealand and the UK pass laws that supposedly compel US companies to assist them when they ask. (I hear they’re not being enforced yet.) So let’s break down how it may work: Under this law, the AFP might ask Facebook, which owns WhatsApp, to hand over the message history and future messages of user X, because they have a court-issued warrant. Now it’s all very well and good for WhatsApp to argue that it doesn’t have the technical means to do so, which is a response that has lead to all sorts of tangles in Brazil’s courts, but the Australian law will simply say “we don’t care. Get them.”. In practice, there are a number of ways to skin this cat that don’t involve weakening encryption. For example, Until May this year, WhatsApp backups weren’t even encrypted. (That’s right, all this song and dance about your messages being end-to-end encrypted, only to have them shunted into services like Apple’s iCloud, and we all know how well protected iCloud is!) Even now, the precise encryption technique used by WhatsApp isn’t clear. Are they using a key generated on your device to encrypt your messages? That would be of limited use, considering the point of a backup is to restore your message history when you lose your phone and the corresponding encryption key. So my guess is it’s a form of encryption that is recoverable by WhatsApp. What if the user doesn’t have backups turned on? Well, I’m sure there are some clever people out there at WhatsApp HQ who could figure out how to turn on a user’s backups for them. A retort I often hear when I lay out a scenario like that one is that users will just move to another app, maybe something like Telegram, which is based in Germany. At that point, an enterprising police officer might contact either Google or Apple, two companies that control something like 99% of the cellphone market share, and ask them to devise a way to retrieve the requested data from that device. Like, say, pushing a signed update to the target handset that will be tied to that device’s UDID (Unique Device Identifier). That way there’s no chance the coppers can intercept that update and re-use it on whomever they want. Again, no encryption was harmed in the making of this intercept. There are some legitimate concerns around how a regime like this could be abused. However, the legal bar for content interception here in Australia is much higher than for metadata. Content access requires a warrant. If cops were looking to abuse this access then they’d need to engage in some pretty serious criminality, like forging warrants. And if the access regime revolves around asking the tech companies to do the grunt-work on behalf of the authorities, all intercepts should actually be easy to audit periodically. In other words it would be a stupid way to spy on your girlfriend. Now look, I’m not advocating for these laws. I’m not. What I am trying to do is move the goalposts for this discussion. The responses that I’ve seen to this proposal from the Twitterati have mostly been really daffy. People will insist the government doesn’t know what the hell it’s asking for (it does), that it wants to break maths (it doesn’t) and that it’s impossible for technology companies to provide law enforcement with what they need without introducing unacceptable new vulnerabilities and risks into our technology ecosystem (depends on your definition of “unacceptable”.). I’d like to see the goalposts set up around a much simpler discussion than one about technology and encryption: To what degree do we believe, as a society, that the right to privacy is absolute? Do we believe that law enforcement bodies should have the authority to monitor the communications of people suspected of serious criminal offences? If so, what should the legal process for provisioning that access look like? I mentioned auditing access under this scheme a couple of paragraphs ago. If we’re going to have a regime like this, can we have a decent access auditing scheme please? These are the sorts of things I would prefer to be talking about. It’s also important to remember that Australia is not America. We don’t really have the same libertarian streak as our US cousins, so it’s entirely possible there won’t be a substantial backlash to these proposals. That makes framing this discussion properly – as a conversation about balancing our need for privacy with our desire for safety – vitally important. If people who want to participate in this debate keep screaming that the government consists of a bunch of idiots who want to outlaw maths, well, the real conversation just won’t happen and no meaningful controls around the extent of access and the oversight of that access will be granted. Not that you can expect grown up conversations between the tech firms and the government. The tech companies will fight this tooth and nail, both on libertarian/political grounds, and on business grounds. The government will do the usual scaremongering around terrorists and pedophiles. Expect some downright misleading information from both sides and absolutely bonkers salvos fired in both directions. Can’t wait. PS: Blind Freddy could have seen this coming.

Risky Business #461 -- AWS security with Atlassian's Daniel Grzelak

Patrick Gray — Wed, 12 Jul 2017 00:00:00 +1000

On this week’s show we chat with Atlassian’s head of security, Daniel Grzelak, all about some AWS security tools he’s come up with. He also previews a new tool for generating AWS access key honeytokens at scale, which is really neat. This week’s show is brought to you by Veracode! Veracode’s director of developer engagement, Peter Chestna, will be along in this week’s sponsor interview to have a yarn about some common misunderstandings between security people and developers. We look at misunderstandings both ways. Adam Boileau is this week’s news guest. We talk about all the latest dark markets drama, plus the Great Nuclear Hax Freakout of 2017. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #460 -- Haroon Meer talks Kaspersky drama, NotPetya, the cryptowars and more

Patrick Gray — Wed, 05 Jul 2017 00:00:00 +1000

Adam Boileau has some out of town business to handle this week so he can’t join us in the news segment. But that’s ok, because industry legend Haroon Meer has very kindly agreed to fill in for him! We chat to Haroon shortly about all the latest NotPetya developments, we’ll also talk about the drama Kaspersky is experiencing right now, as well as dissecting the latest battle reports from the cryptowar! All the news is covered. This week’s show is brought to you by ICEBRG! ICEBRG’s co-founder, Will Peteroy, joins the show this week to chat a bit about what they’re up to. Will has an interesting background. He was the technical director of a government agency Red Team. That meant red team exercises against agencies, but he was also responsible for doing assessments on security products. He also put in a bunch of time at Microsoft where he was the endpoint for product security for Windows and Internet Explorer, which meant he was the recipient of oh-so-much-0day for around a year and a half. So yeah, Will knows what he’s doing, and he’s made a thing, and you’re going to hear about that thing after this week’s news. See links to show notes below, and follow Patrick or Haroon on Twitter if that’s your thing!

Risky Biz Soap Box: Bugcrowd founder and CEO Casey Ellis on the future of crowdsourced security

Patrick Gray — Mon, 03 Jul 2017 00:00:00 +1000

In this edition of the Risky Business Soap Box podcast we chat with the founder and CEO of Bugcrowd, Casey Ellis, about the establishment of the bug bounty market and how things have shaped up. We also look at where it’s going. The days of bounty programs being operated solely by large technology firms are long gone. Casey predicted that shift years ago. The question becomes, where will bounty programs be in three years from now? Well, Casey doesn’t shy away from making some bold predictions. He thinks most enterprises will have vulnerability reporting mechanisms within two years, and a substantial proportion of those will offer rewards to bug hunters via companies like Bugcrowd. He also sees bounty programs increasingly serving the specialist market. You can find Casey on Twitter here.

Risky Business #459 -- Actually yes, "cyber war" is real for Ukraine

Patrick Gray — Wed, 28 Jun 2017 00:00:00 +1000

This week we’ll be chatting with Andy Greenberg from Wired about his cover story for that magazine. He travelled to Ukraine back in March to research his story on Russian attacks against the Ukrainian power network. He joins us this week to share the insights he gleaned during his travels. This week’s show is brought to you by SensePost. SensePost are based in South Africa and England, but they are very well known for offering training courses at Black Hat. This year will be the 17th year they’ve run training courses there… as can be expected their brand new devops security course has gone absolutely gangbusters in terms of registrations this year, but they’re also offering a bunch of other courses. They’ll be joining us to chat about trends in training in this week’s sponsor interview. Adam Boileau, as always, drops by for the week’s news segment. You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Risky Business #458 -- Reality Winner, Qatar hax and Internet regulation calls

Patrick Gray — Wed, 07 Jun 2017 00:00:00 +1000

On this week’s show we’re covering off all the big news of the week: the arrest of Reality Winner, the apparent hacks that have ratcheted up the political crisis in Qatar and the renewed calls for Internet companies to be more government-friendly. In this week’s feature interview we catch up with Samy Kamkar to get his take on what the lowering cost of hardware-based hacking could mean for our increasingly automated world. And in this week’s sponsor interview we chat with Duo Security’s Pepijn Bruienne about some recent attacks against the Mac OS software supply chain. Big thanks to Duo Security for sponsoring this week’s show. Duo makes all manner of kick-ass two factor authentication solutions, you can check them out at Duo.com. You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below… Patrick is taking a vacation. Risky Business will return on June 28

Risky Business #457 -- Shadow Brokers turn to ZCash, plus special guest John Safran

Patrick Gray — Wed, 31 May 2017 00:00:00 +1000

On this week’s show we’re taking a detour: This week’s feature interview has absolutely nothing to do with infosec. But it is related to the Internet. Sort of. If you squint a little. This week’s feature guest is John Safran. He’s been gracing television screens here in Australia for nearly 20 years, but John is also a rather brilliant author. I’ve just finished reading John’s new book, Depends what you mean by Extremist, Going Rogue with Australian Deplorables. Honestly, it’s fascinating enough for me to just squeeze it into this show. Basically John wrote a book about the year and a half he spent hanging out with all sorts of extremists; Left-wing Marxists, anarchists, right wing anti-Islam types and even Islamic State supporters, some of whom are now up on terror-related charges. I speak to John about the Internet’s influence on extremism, as well as extremism in general. I highly, highly recommend this book. It’s a fascinating look at the contemporary political landscape through the eyes of extremist movements of all flavours, and it’s not a tough read. It’s actually quite funny and it really the most on-point thing I’ve read in a long, long time. This week’s show is brought to you by Bugcrowd, big thanks to them! And in this week’s sponsor interview we’ll chat with Casey Ellis, Bugcrowd’s founder and CEO. Now that outsourced bug bounties have gone mainstream, we know more what they’re for and how people find them useful. So we speak to Casey about how a lot of orgs are basically just throwing the lower value testing out to bounties to free up their infosec teams to do higher value work. We talk about that and a couple of other points. Adam Boileau, as always, drops in to discuss the week’s security news! You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

I got a detail wrong in my latest conference talk

Patrick Gray — Tue, 30 May 2017 00:00:00 +1000

During last week’s AusCERT conference I did a 50 minute talk that reflected on a 15 year career writing about information security. It was a repeat of the talk I did at BSides Canberra in March. It covered thoughts on attribution, fake activist groups (Guardians of Peace, Cutting Sword of Justice etc), the possible motivations of high-impact leakers (Mark Felt, Chelsea Manning, Edward Snowden) and the need to create norms around acceptable state behaviour when it comes to computer network operations. In the leakers section I got a detail wrong and I want to correct it. Hopefully I’ll convince you that in context of what I was talking about the error doesn’t actually change all that much. That whole section of the talk was really written to put forward the case that leakers have complicated motives. Even when leaks are in the public interest, it doesn’t mean that the leakers’ motives are as pure as the driven snow. I speculated that perhaps FBI deputy director Mark Felt, better known as Watergate source Deep Throat, might have been tactically leaking against people who stood in between him and the FBI directorship. He loathed both Nixon and FBI director L Patrick Gray (no relation) and only lasted another month at the bureau after Gray got the knife and was replaced by William Ruckelshaus. So that’s a theory: His leaks brought down the people in his path, but in the end he didn’t get the top job, so he resigned. I wasn’t trying to prove Felt was motivated by self interest, just that it’s a plausible motivator. I also spoke about Chelsea Manning. She was relentlessly bullied during her time in the army, frequently clashing with both her superiors and the rank and file. I have no doubt that Manning is indeed, as she claims, a pacifist. But I also have no doubt that the relentless bullying influenced her decision to leak. She was isolated and miserable, but found a friend in Wikileaks’ Julian Assange. I sincerely believe there was an element of rage underpinning those leaks. Some revenge. (And honestly? Fair enough. The military failed her, big time.) Eventually I boil the whole thing down to these factors: Self interest, public interest, ego, rage and combinations of the four. To explore ego as a possible motivator, I spoke about Edward Snowden. Snowden always strived for great things but didn’t quite make the grade. He wanted to be a special forces soldier, he failed. He wanted to be NSA TAO, he failed. But when he leaked massive amounts of NSA documents, he could invent himself as anything he wanted, and he has. But a bunch of his public statements about his experience at NSA seem pretty shaky, bordering on outright bullshit. It’s been nearly four years since Snowden went public with his leaks. In the talk I said it feels to me like something is off about the guy. Details have filtered out through the grapevine, and they tend to clash with his public statements. It’s clear, for example, that he massively overstated his seniority at NSA. And parts of his story just don’t line up. I’m not talking about the conspiracy theories that a foreign power put him up to it or he was some sort of spy – I think that’s really, really unlikely – it’s more that he mislead on things that are basically inconsequential, like his reason for washing out of his military training. He also failed to correct some really shitty reporting on his leaks. We’re getting to the mistake, hang in there. As an example of Snowden coming across as less than totally honest I cited his non-reaction to an article written for The Guardian about the so-called PRISM program in 2013. In that piece, Greenwald writes: “The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.” In my talk I described that as totally wrong, but it’s actually only mostly wrong. There was no “direct access” and NSA did actually have to request this material from the service providers. That’s been established. The part I got wrong is NSA doesn’t actually have to obtain an individual court order for every selector tasked from a court. In my talk I said it did. Selectors are created under FISC oversight, but the court’s job is to ensure the compliance of those selectors to the rules it established and maintains, not to green-light each selector. Over the last few years I’ve chatted with people who are familiar with this program. For their part, the technology companies mentioned in the PRISM program stories were all baffled when the story broke, both publicly and privately. Greenwald made it seem that the NSA had unfettered access to their servers. Their response, in most cases, is that they would only hand over data to the authorities if there was a valid court order. So, over the years I’ve asked some people who’d know to tell me about the process that NSA goes through to “task” collection on an individual using PRISM. They said that in order to obtain information from a company like, say, Facebook, they’d have to start by preparing a “FISA package”. This means they’d have to put together a case that could show the proposed target isn’t a US citizen, is not in the USA, and that intercepting their data is likely to reveal something of importance to national security. These packages are worked up – that process involves senior NSA staff – then the package is sent up the chain for authorisation. When authorisation is granted, it’s the FBI, not the NSA, that approaches the technology company and asks it to hand over the data. And here’s where I made the mistake: The tech companies said they hand over data based on court orders. People familiar with the NSA side of this program described the authorisation process for each individual target. I mistook these two data points as meaning the FISA court was authorising each individual collection. They don’t. The package is actually sent off to the Office of the Director of National Intelligence (ODNI) and Department of Justice (DoJ) for post-tasking review. You can read about that process here. That’s the detail I got wrong. But the FISA court is involved. It oversees and mandates the process through which the validity of selectors is determined, and there was regular review of the rules around tasking. Everyone tells me these rules were strict and adhered to rigidly. That’s not to say mistakes aren’t made. In a post-Snowden review, NSA found 0.4% of PRISM tasking accidentally collected the information of people who were either located in the USA (not allowed) or US citizens (also not allowed). I realised I got this detail wrong when fellow AusCERT attendee Troy Hunt posted a picture of my slide that referenced FISC authorisations for individual selectors. Just looking at that slide in isolation I had a funny feeling. So I went back to my notes and some source documents and realised I’d made the mistake. I asked Troy to remove the Tweet, not because I’m trying to hide my mistake, but because I don’t want people to believe something that isn’t true. It was a typical case of a non-lawyer getting something law-related wrong. That said, I don’t think it really changes my argument with regard to Snowden. Even though some people may see ODNI and DoJ selector authorisation as inferior to direct authorisation by a court, albeit a secret one, the fact remains that none of the reporting even acknowledged any oversight or even a process for tasking. Take this Ed Snowden quote: “I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President, if I had a personal e-mail,” he told The Guardian. No, Ed, you didn’t. In the case of PRISM I’m pretty sure the NSA senior staff might object, given collection against US citizens is verboten under 702. If they didn’t then ODNI or DoJ might have some feelings about it. And if they let it through my guess is the FBI might actually think something was wrong if you were trying to task collection on the US president. Even if he wasn’t talking specifically about the PRISM program in that instance, everyone I’ve ever known who spent any time at a five eyes SIGINT agency tells me the same thing – everyone’s searches are logged and audited no matter what the program. The compliance hurdles and internal rules are universally described as a pretty serious (but necessary) pain in the ass. This next part is important: I’m not an expert in intelligence oversight, and I can’t say whether the NSA’s oversight is appropriate or not. But I can say that it’s just crazy to write up stories about these programs without even mentioning the tasking procedures, auditing and oversight. These stories have convinced people that individual NSA operators could simply spy on whoever they like, using direct access to the back-end servers of major Internet companies. It’s just not correct. My argument is Snowden’s silence following the publication of some of these stories is a massive red flag when it comes to his credibility. But because he painted himself as a truth-telling whistleblower, Snowden was able to convince some journalists and many among the public that he was the only source who could be trusted when it came to discussing these programs. Everything else, his supporters say, is disinformation. Of course, there has been legitimate public interest in Snowden’s disclosures. The NSA had been doing some pretty shady shit, most notably the (since discontinued) 215 phone metadata collection program. But that doesn’t make Snowden himself a saint. He’s not. He is what I’d charitably describe as “properly weird”. In telling that story, I did get a detail about oversight wrong. Sorry about that!

Risky Business #456 -- Your MSP will get you owned

Patrick Gray — Wed, 24 May 2017 00:00:00 +1000

On this week’s show Adam pops in to discuss the week’s news. (Links below) After the news segment Adam and Patrick both chat about topics near and dear to their hearts: Shoddy infosec marketing and shoddy MSP security. This week’s show is brought to you by WordFence, a company that makes a WordPress security plugin. It’s not so much an enterprise security tool, but it turns out that when you run two million Wordpress plugins you wind up collecting some pretty valuable threat intel and IOCs. WordFence’s Mark Maunder joins the show this week to talk about WordPress security and malware distribution! You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Risky Business #455 -- What a mess

Patrick Gray — Wed, 17 May 2017 00:00:00 +1000

On this week’s show, of course, we are taking a deep dive on WannaCry. Most of the coverage of this debacle has actually been pretty bad, and there’s been nothing that I’ve seen that even approaches being comprehensive, so we’re going to try to fix that in this edition of the show. This week’s show is sponsored by Cylance, which, it must be said, didn’t “ambulance chase” this interview, they booked this sponsor slot in January this year. Cylance CEO Stuart McClure joins the show this week to talk about ambulance chasing, why it is that we still don’t have a decent technical analysis of WannaCry and he generally gives us an industry view on this thing. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #454 -- Intel AMT latest, TavisO's horror-show Windows bug, Macron leaks and more!

Patrick Gray — Wed, 10 May 2017 00:00:00 +1000

We’ve got a real bread-and-butter show for you this week. Adam is along in this week’s news segment to talk about the latest on the Intel AMT bugs, Tavis Ormandy’s horror-show Windows Defender bug, the Macron email dump and more. In this week’s feature interview we speak with Adobe security engineer and OAuth 2 in Action co-author Antonio Sanso about what companies like Google might be able to do to make their OAuth implementations a little safer for users… Which, you know, might be something worth considering given an OAuth-based phishing attack was able to compromise something like a million Google accounts the other week. This week’s show is brought to you by Thinkst Canary! Canary is of course the wonderful little hardware honeypot device Thinkst makes that you can plug into your network that’ll let you know when you have attackers on your LAN. Thinkst’s head of development, Macro Slaviero, joins the show this week to talk about the CIA’s leaked watermarking solution Scribbles, as well as to talk a little about Thinkst’s so-called “bird guide”. It’s a document (linked below) with a bunch of advice for those of you considering using Honeypots. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: A microvirtualisation primer with Bromium co-founder Ian Pratt

Patrick Gray — Mon, 08 May 2017 00:00:00 +1000

This Soap Box edition is all about desktop microvirtualisation! Bromium has been around for about six years now, and they make an endpoint security package that is really, really different to other solutions in the market. The whole thing hinges on what they call a Microvisor, which amounts to hardware-enabled isolation on your desktop. Bromium’s software is basically a way to virtualise user tasks, whether that’s working on a Word document or browsing an exploit-riddled lyrics website with Java and Flash enabled, the idea is if an exploit gets dropped on you it gets trapped in a micro-VM. Personally, I’m a big fan of Bromium’s stuff. one of the things that kind of hindered the adoption of this tech in its early days is it relies on CPU features that were basically new six years ago, so not everyone could run it. There was also a bit of a UX hit. But there’s good news! Hardware refresh cycles have taken their course, and now running Bromium’s software is viable in almost all enterprises. Where this goes from being interesting to downright compelling is if you’re an enterprise forced to run vulnerable software. I’m thinking specifically of old browsers running things like Java. In many organisations, running out-of-date crapware is a business requirement. Well, running Bromium on those endpoints will basically solve that problem. Sure, nothing is magic, but by the time you’ve finished listening to this conversation with Bromium co-founder and President Ian Pratt, I think you’ll definitely want to take a look at the tech. You should take a look at the tech, because it’s borderline impossible to solve that problem any other way. I hope you enjoy it!

Risky Business #453 -- The Intel bugs: How freaked out should you be?

Patrick Gray — Thu, 04 May 2017 00:00:00 +1000

On this week’s show we’re looking at an issue that kicked up last week when creepware scumbags Flexispy announced they were moving their bug bounty program to HackerOne. VICE journalist Joseph Cox asked HackerOne CEO Marten Mickos if he’d be happy to host their program, and his answer is as follows: “Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society.” A lot of people, myself included, didn’t react so well to that line of thinking. HackerOne CTO Alex Rice suggested he come on the show to talk about the company’s stance. As you’ll hear, Alex is pushing a much softer line than his CEO, but still says this is complicated. Stay tuned for that, at times, excruciating interview. This week’s sponsor interview is with Signal Sciences CSO and co-founder Zane Lackey. Zane was the head of security at Etsy, but he moved on to found Signal Sciences, a company that is making webapp security software that by all reports is pretty damn good. He joins us in the sponsor slot this week to talk about Devops, WAFs and a whole bunch of other fun stuff. Adam Boileau, as usual, drops by to discuss the week’s news. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #452 -- Are Wikileaks charges a threat to press freedom?

Patrick Gray — Wed, 26 Apr 2017 00:00:00 +1000

Risky Business #452 – Are Wikileaks charges a threat to press freedom? Brookings fellow and former NSA attorney Susan Hennessey joins the show… Over the last week or so there’s been mounting speculation that the US government is getting serious about preparing charges against Wikileaks founder Julian Assange. The question is, could these charges threaten press freedom? Joining us to discuss that this week is Lawfare’s managing editor Susan Hennessey. This week’s show is brought to you by Senetas. Senetas makes layer two encryption equipment, but today they’re joining us to talk about some work it’s doing with ADVA Optical Networks in marrying its tech with some SDN stuff done at the telco level. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

REPOSTED (SEE NOTE): Risky Biz Snake Oilers: Roll up roll up! We've got a fix for what ails ya!

Patrick Gray — Fri, 21 Apr 2017 00:00:00 +1000

NOTE: We had to re-post this. Originally we linked to the wrong mp3 (soapbox1 instead of snakeoilers1). It was rectified within about five minutes, but caches gonna cache, so we’ve reposted it. Sorry if you downloaded it twice! This is the first ever Snake Oilers podcast from Risky.biz. It’s a wholly sponsored podcast in which vendors pop in and take 10 minutes each to pitch the audience on their stuff. The idea behind this whole thing is so that infosec buyers can actually hear a bunch of ten minute pitches without having to go to lunch with a salesperson with giant shiny teeth who doesn’t really understand what they’re selling. These are product pitches from people who actually get the technology. And you know what? Even if you’re not a technology buyer, you’ll probably still find a lot of this interesting – it’s good to know how vendors are slicing and dicing some of the challenges we all face in security. In this edition: Exabeam says it can save you buttloads of cash compared to other SIEM solutions like Splunk or ArcSight. Senetas urges you not to use babby’s first encryptor cards and opt for its 100gbps full line rate layer 2 encryptor instead Kolide pitches its osquery-based EDR solution. If it’s good enough for Facebook, it’s good enough for you! Senrio pitches its impressive IoT network sensor and developer tools. Links below!

Risky Business #451 -- Shadowbrokers nothingburger edition

Patrick Gray — Wed, 19 Apr 2017 00:00:00 +1000

On this week’s show we talk about the latest Shadowbrokers shenanigans with Adam, as well as all the other major security news of the last couple of weeks. After that we’ll be chatting with Adam’s colleague at Insomnia Security, Pipes, about the interesting aspects to the dump – what did it teach us about how NSA rolls? Well quite a lot, as it turns out. And yeah, the N0day bugs aren’t the interesting bit. This week’s show is sponsored by Tenable Network Security. This week Tenable’s VP of federal, Darron Makrokanis, will be along to talk about how to speed up federal government adoption of new tech – what’s the best way for that to happen? That’s this week’s sponsor interview! Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #450 -- From Mirai to mushroom clouds in five easy steps

Patrick Gray — Wed, 05 Apr 2017 00:00:00 +1000

This week’s show is a fun one! We’ll be chatting with Josh Corman, the Atlantic Council’s Director of Cyber Statecraft. We’ll be speaking with him about an exercise he did recently with a whole bunch of students. Basically the whole thing was a simulation where students walked through various scenarios and had to respond. Unfortunately, Josh discovered that most students had a predisposition to escalating things unnecessarily. From Mirai to mushroom clouds, that’s this week’s feature interview. This week’s sponsor interview is also an absolute corker. Rapid7 is this week’s sponsor. In addition to making enterprise security software and running a pentest practice, Rapid7 also spends a considerable amount of time and money on developing Metasploit. Rapid7 research director Tod Beardsley and director of transportation security Craig Smith join the show this week to talk about some recent changes to Metasploit that I’m amazed haven’t made a bigger splash. You can now run Metasploit against a CAN bus and they’ve built an RF module as well. That is absolutely awesome stuff, coming up in this week’s sponsor interview, with special thanks to Rapid7! Adam Boileau, as always, joins us to talk about the week’s security news. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Senrio tackles IoT problem for CISOs, developers

Patrick Gray — Fri, 31 Mar 2017 00:00:00 +1100

Soap Box is back! This time we’re chatting with Stephen Ridley and Jamison Utter about the tech Stephen has launched: Senrio Insight and Senrio Trace! This is a fully sponsored blabfest about IoT security. Specifically, we drill into two different problems Senrio is trying to solve. The first is how the hell you deal with monitoring IoT on your network, especially when you can’t do DPI because of HIPAA. If you’re a CISO from a hospital, you will be very interested in this part of the podcast. Then we talk about IoT security approaches for developers. Not only has Senrio developed a boring old network sensor to remedy the dumb but profitable-to-solve problem, they’ve also created a developer toolkit for manufacturers of IoT devices who need to be able to monitor them in the field. Stephen Ridley is a bona fide expert on IoT. So much so, he used to actually train NSA staff on hacking IoT devices. Personally I think when you’re training NSA on how to own stuff, that makes you a genuine expert. Jamison Utter, Senrio’s VP of Field Operations, also joins us for this podcast. I hope you enjoy it! To book a demo with Senrio, click here.

Risky Business #449 -- Machine Learning: Woot or woo?

Patrick Gray — Wed, 29 Mar 2017 00:00:00 +1100

On this week’s show I’ll be playing part two of my interview with In-Q-Tel’s chief security officer Dan Geer. That’s all about machine learning in infosec. Is it actually going to turn into something? Or is it just another infosec thought bubble? This week’s sponsor interview is with Dan Guido of Trail of Bits. Trail of Bits is a New York-based security engineering and testing company that does very interesting work. They don’t just break apps, they actually work on securing them. With that in mind, Dan’s team has been looking at implementing control flow integrity protections to various software projects. So we speak to him about the llvm versus Microsoft control flow guard approach, which is achievable. We also speak to him about mcsema, a tool they developed for reversing binaries into an intermediate language. Adam Boileau, as always, joins us to talk about the week’s security news. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #448 -- Dan Geer on cloud providers: Too big to fail?

Patrick Gray — Wed, 22 Mar 2017 00:00:00 +1100

We’ve got a great show for you this week. In-Q-Tel CSO Dan Geer will be along for a very interesting conversation about the major cloud providers. Are they too big to fail the same way some banks are? Does the efficiency of highly concentrated ownership of a large chunk of the world’s Internet service capacity make it less resilient? We talk about that and more in this week’s feature interview. This week’s sponsor interview is also an absolute cracker. We’re speaking with Mike Hanley of Duo Security. Mike is the senior director of security at Duo, and he’s along this week to talk about Google’s BeyondCorp initiative. BeyondCorp is Google’s vision for the next generation of enterprise environments and it has a lot to do with deperimiterisation. Mike is along this week to talk about that concept and how solid authentication is basically the first step in moving towards that vision. It’s really, really solid stuff, so do stick around for that one. Adam Boileau, as always, joins us to talk about the week’s security news. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #447 -- Struts bug owns everyone, RAND 0day report and more

Patrick Gray — Wed, 15 Mar 2017 00:00:00 +1100

On this week’s show Patrick and Adam have a look at the surprisingly great report about 0day prepared by RAND Corporation, as well as the other security news of the week. How ‘bout dat Struts bug, eh? Dr. Vanessa Teague of the University of Melbourne also joins the show to talk about the latest developments around computerised voting. Vanessa is an expert on e-voting and she’s been in the space for a long time – she’ll be joining us this week to talk about how European authorities have been responding to the risks posed to their elections by outside parties, and we take a look at some voting security ideas for America. This week’s show is brought to you by Netsparker. Netsparker is a black-box web application testing tool that aims to speed up webapp tests through automation. Netsparker’s creator Ferruh Mavituna is this week’s sponsor guest. He’s joining us to basically talk about what you can actually automate in webapp testing, but also about what you can’t automate. That’s a really interesting chat, one that the pentesters will love I’m sure. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Russia is targeting "military digital" contractors

Patrick Gray — Fri, 10 Mar 2017 00:00:00 +1100

A couple of days ago I suggested the “Vault 7” material posted by Wikileaks may have in fact been obtained from Hal Martin’s unauthorised exploit stash. Now I think we’re dealing with something a little more, ahem, “comprehensive”. For those who are unfamiliar, Hal Martin was an intelligence contractor working for Booz Allen Hamilton who, as it turned out, was also performing “unauthorised offsite backups” of some of NSA’s most sensitive material. He was arrested by the FBI last August. The thinking is the data he took home included the Tailored Access Operations (TAO) implants and exploits disclosed by a group called “Shadow Brokers”, who were likely a front for Russian intelligence. Martin’s “backups” were discovered when Shadow Brokers started auctioning the NSA implants on the Internet. The assumption we’re working under here is investigators took a look at some logs pertaining to the Shadow Brokers files and saw Martin had accessed the lot. From there, they no doubt would have done a full audit of his network activities. Cue arrest. He’d hoarded an incredible volume of material relating to CNE over his 23 years of intelligence contracting. Thanks to a recent court appearance, we also know that he had access to CIA files as well as NSA files. (Also NRO, DoD etc etc.) Was Hal Martin the source of the Shadow Brokers files? Well, maybe, but he’s been charged with mishandling information, not working in cahoots with a foreign intelligence service. That leads us to a tantalising theory: Hal Martin hoarded all these documents, and at some point an enterprising Russian CNE type took a poke around his home network and found them there. After all, he held a top clearance and did work for Tailored Access Operations as a contractor. That’s a home network I’d take a look at if I worked for an FIS, that’s for sure. Flash forward to this week, and it’s the Wikileaks Vault 7 dump that has everyone talking. Again, everyone’s talking about contractors. In a media release, Wikileaks says the CIA “lost control” of the material, and it was being circulated among “contractors” who then provided the material to Assange and his buddies. There are more than a couple of curiosities in all of this: CIA insiders have been quoted in recent reports as saying they already knew this material was “out there,” yet other reports claim the FBI is investigating the leak. But these two narratives bump into each other. How could CIA know, months in advance, about the specifics of what was leaked, but not know who leaked them? Have they and their NSA cousins been popping a few shells on a laptop at a certain Latin American embassy? Could they see the material arrive, but not tell where it came from? Or does it mean that the FBI found this stuff on Hal Martin’s network when they kicked his door in and worked under the assumption that it was in Russian hands? But, if Martin was the source, why investigate? So there’s obviously a piece missing, and I think I might have it. What if this is bigger than just Hal Martin? It’s not widely known, but Russia has been collecting the personal information of “cyber” contractors with high clearances – like Martin – via human intelligence operations for at least several years. Counterintelligence officers know about this. So let’s run another theory up the flagpole, that being: Russian intelligence services have realised intelligence contractors aren’t required to take their opsec and counter-intelligence training as seriously as their “on staff” counterparts. They have collected as much information on these contractors as possible via passive and active campaigns. They have then used that information to either directly compromise the contractors, or, more likely, their home networks. People have been taking stuff home they shouldn’t have. For whatever reason, Russia decided to burn its own campaign last year. That led to the Shadow Brokers fiasco. After weathering some opsec disasters related to the DNC and Podesta hacks, they decided to just dump the rest of the material on Wikileaks, knowing that Assange would do his job and launder the documents for them. So it’s all just a theory, but it’s one worth floating: Russian intelligence services have owned the home networks of as many cleared contractors as possible, waiting for them to bring material home that they shouldn’t. If that’s what they’ve done you’ve got to hand it to them, it’s definitely lateral thinking. What a pipeline of information! If we see some leaked memos from the likes of Booz and Raytheon in coming weeks suggesting that hey, really, taking your work home with you is a really fucking bad idea, we’ll know there’s something to this. It’s just a theory, but let’s see.

Risky Business #446 -- CIA tools doxed, plus osquery with Mike Arpaia

Patrick Gray — Wed, 08 Mar 2017 00:00:00 +1100

On this week’s news we put Wikileaks’ latest dumps under the microscope and offer a few theories on what’s really going on. We also have a chat with Mike Arpaia, the creator of osquery. osquery is host-based instrumentation software put together by Mike and his team when they worked at Facebook. It’s open source these days and now Mike is trying to get it adopted. This week’s show is brought to you by Cyberark! And we’ll be chatting with Cyberark’s Chief Architect Gerrit Lansing. Cyberark makes software that manages privileged accounts, and we’ll be talking to Gerrit about privileged account management automation in this week’s sponsor interview. Adam Boileau is along to discuss the week’s news. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Cyberwar via Cyberwar during War

The Grugq — Mon, 06 Mar 2017 00:00:00 +1100

The Russians go to a lot of effort to hack the Ukrainian electrical grid and do “flick the light” cyber attacks. These last a few hours, don’t really cause that much damage (compared to say, shelling) and the military objective is clearly missing as there is never any follow up or attempt to use “light flicking” as part of a combined arms operation. It is just some considerable effort put into flicking the lights. Heres the thing: The only people absolutely terrified of flicking the lights as a cyberwar activity are the Americans (and the West in general). “Cyber light flicking” isn’t militarily useful and isn’t even some sort of “strategic bombing” version of cyber war. The Ukrainians, modern as they are, are probably stoic enough to suffer threw a few hours of power outages in the middle of a shooting war. Even American civilians have been known to survive for several hours without power, see CyberSquirrel1 for examples. This light flicking costs money and burns some cyber capabilities these operations cost resources: the malware gets discovered, the vulnerabilities patched, etc. This isn’t free. Just planning and managing the operation is going to consume considerable time and resources. So these are expensive little ops with no apparent military objective. Why would the Russian forces do something like this? There is one very obvious answer, but it seems to get lost in the excitement over “real” cyberwar. I think this is a layer deeper, using cyber for PSYOPS. Russia is signalling a capability to the US, one that they know the US (and the West) is uniquely terrified of. The spectre of cyberwar as the West understands it: “light flicking”. There is a long history of Russia and the US using wars as a way of signalling to each other. Here’s my speculation: The American cyberwar industry is currently all caught up in trying to figure out what counts as deterrence in the cyber domain. This a silly idea, but basically they are mentally modelling cyber like nuclear weapons. Just like generals always fight the last war rather than the current one, the West are trying to model cyber as the last war that never happened. I think this is a completely foolish idea, but then again I don’t run a think tank. The West believes that cyberwar is only real when there is a kinetic effect (eg light flicking), and they are also postulating that deterrence happens when you demonstrate your capability to your opponent so they know you can fuck them up. Russia is just demonstrating capability to deter the West from engaging in active cyber kinetic assaults. I don’t believe that Russia has adopted the “demonstrate capability to deter activity” theory, but they know the West has, or at the very least is contemplating it. It’s a game they’re happy to play in the hope the West will follow through on their theories as praxis. Flicking lights doesn’t match Russian doctrine. These actions are designed for a western audience. This expensive light flicking makes more sense when viewed as an influence operation to signal the West that Russia has what the West itself believes are “real cyberwar cyberweapons”. I also think that Russia knows how to run a conflict in the informatics sphere and completely dominate. They have a much better understanding of how the use of the internet as an information platform can be used to manipulate the way that the adversary thinks. Long story short? They know what they’re doing. The infosec industry and the cyber military complex have been extremely excited figuring out and talking about the “how” of the Russian cyberwar operations in Ukraine, but maybe it is time they starting asking about the “why”. Russia has flicked Ukraine’s lights twice now. The first one wasn’t a test run to see if the system was operational – there was no military followup with the second event – and it wasn’t to gauge the response to the use of this new “cyberweapon.” We know this because there was no response, even after the second attack. There is no reason to run two tests of an offensive operation if the first is successful. They want to make sure the West gets the signal. @thegrugq I dunno. There's really no history of Russia and West signaling each other through conflict in third party countries. pic.twitter.com/dkXpm6ZOHv— John Hultquist (@JohnHultquist) March 3, 2017

Risky Business #445 -- Amazon, CloudFlare and Microsoft join "having a bad week club"

Patrick Gray — Wed, 01 Mar 2017 00:00:00 +1100

We’ve got a real bread and butter show for you this week. Troy Hunt will be along to talk about the Cloudflare bug and why everyone freaked out about it, and Haroon Meer of Thinks Canary will be along to talk about RSA. This week’s show is, of course, brought to you by Canary.Tools, and Haroon will tell us about his first ever RSA conference experience. That’s actually a really fun chat. Funny in parts, too. Adam Boileau is along to discuss the week’s news. Microsoft, Amazon and a handful of Russians are all having an awful, awful week, and he’ll be talking all about that. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Introducing Snake Oil, a new podcast from Risky.Biz!

Patrick Gray — Thu, 23 Feb 2017 00:00:00 +1100

As many of you would know, Risky Business has been through a bit of change over the last couple of years. What started as an Australian security podcast launched with the intention of making me just enough money not to have to write about enterprise storage systems for magazines anymore (the horror) has actually become a popular media outlet for infosec pros. These days, each episode of Risky Business clocks up about 16,000 downloads, with approximately 50% of the audience in the USA and the rest scattered all over the globe. That means we actually have a really great reach into the industry. Last year I set my mind to “modernising” Risky.Biz. I wanted to be able to grow the business side of things without killing off the thing that makes it worth listening to – the fact that we don’t take ourselves too seriously, and the fact that we cast a critical eye over the infosec industry. As some of you will know, the Risky Business weekly sponsorships are ridiculously popular. Our weekly show sponsorships are currently booked out until 2018 and have been since January. With that in mind, I came up with two new podcast ideas that would be commercially successful yet still deliver something valuable to the audience: The Soap Box podcast and the Snake Oil podcast. The idea behind the Soap Box podcasts is pretty simple – a CTO or other senior exec from a major vendor can spend 45 minutes chatting with me about the way they see things, and the company they work for sponsors the exercise. Some people were concerned it would consist of 45 minutes of a CTO just pushing product, but that’s not the way it’s worked out, and it was never the intention. We’ve already published one of these, with HPE Fortify’s Jason Schmitt talking about DevOps and security. You can listen to that one here. We’ll be running a maximum of one of those per month, pushed to the main feed. The nice thing about doing a podcast like Risky Business in 2017 is the vendors are capable of having really interesting discussions about security concepts. That wasn’t possible in 2007 when we launched, and it’s what Soap Box is designed to facilitate and I think it’s working well. The other podcast series we’re launching is something we’ll be doing four or five times a year called Snake Oil. The idea behind the Snake Oil series is to get five vendors together into an hourlong podcast to each pitch a specific product for about 10 minutes. Now, before you think “ye gads, I don’t want to listen to sales people prattle on about their box with lights that goes BING!” I want you to consider that a lot of Risky Business listeners are technology buyers. And where can you actually go for decent product information? The copy on most infosec vendors’ websites consists primarily of indecipherable gibberish and Gartner reports are more of a guide to what people are using than specific product capabilities. This is different. You remember those lift-outs infosec magazines used to do that were pay-to-play product information guides? Think of this as an audio equivalent of that. The idea behind this product series is listeners who actually have to buy tech can get five, high-quality pitches that actually answer such questions as: * What are you selling us today? * Who is the typical buyer? (Operations? Management? Development?) * What does your product actually do? * Who are your competitors? * Why do you think yours is better? * How much does it cost? This will save them approximately five hours of lunches with vendor salespeople who can’t actually answer those questions. We’re not offering any endorsement of the products on sale, we’re just a conduit, connecting distilled vendor pitches to the 16,000 or so weekly Risky Business listeners. Of course the name “Snake Oil” is a gag. For a long time the products peddled by the information security industry were indeed about as affective as carnival-sold snake oil for arthritis. Thankfully there’s been a trend towards more useful stuff these days, but hey, we still want to have fun with the name. As I say, we’ll only be doing four or five of these a year, and we genuinely think they’ll be useful for a whole bunch of our listeners. Even those of you who aren’t actually tech buyers should find it an efficient way to figure out which vendor sells which product and what they claim it does. So that’s it! We’re hoping to publish the first Snake Oil podcast in late March, but that’ll really depend on what the demand is like from the vendor side. But the tl;dr is you can expect 10-11 Soap Box podcasts in your feed every year, and maybe 4-5 Snake Oil podcasts. We’re going from 44 podcasts a year to 58-60. Also, I hope it goes without saying that buying any Risky Business sponsorship product doesn’t shield any vendor a free pass from criticism in the weekly show. Credibility is currency in media, especially in infosec, and we know who really butters our bread: the listeners. Of course if you’re not interested in listening to the Snake Oil stuff, just don’t download it! Listening isn’t mandatory. That said, we think you’ll probably quite like it. And if you’re a vendor who’s interested in participating in a Snake Oil podcast, please contact sales@risky.biz. We’re quite familiar with what marketing products in the infosec space look like, and if you can’t find budget to do this, frankly you’re mental.

Risky Business #444 -- $350m! Wiped! Off! Yahoo! Over! Breach!

Patrick Gray — Wed, 22 Feb 2017 00:00:00 +1100

On this week’s show we’re chatting with Peter Gutmann about a couple of things that have combined to form a legit problem: The abuse of the Lets-Encrypt domain validated certificate authority combined with recent UI changed in Chrome are a phishers wet dream. We chat with Peter about that. The tl;dr is the browser makers need to get off their asses and do something about that, pronto. This week’s show is sponsored by Exabeam. They just took $30m in funding from a VC and Cisco and they’re looking at doing some really interesting stuff in the SIEM world with, you guessed it, machine learning! In this week’s sponsor interview we’re chatting with Exabeam co-founder Sylvain Gil about a few things – the conversation does veer a bit into their products but it actually stays interesting, mostly because he discusses things like Exabeam’s roadmap in terms of problems they’re trying to solve. So even if you have no desire to buy a new SIEM, you’ll still probably find that one interesting from an academic point of view. Adam Boileau, as always, stops in to discuss the week’s news, and Jake Davis is back with a… reinterpretation(?!) of the Hacker Manifesto. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Risky Business #443 -- CrowdStrike and NSS face off, Hal Martin charged and more

Patrick Gray — Wed, 15 Feb 2017 00:00:00 +1100

On this week’s show we’ll be chatting with two of the organisers of an event that was held here in Australia – PlatyPus con. As you’ll hear, it wasn’t really a typical security con – attendees had to bring laptops and had to participate. The whole thing was centred around workshops. Everyone I know who went said it was brilliant, and I personally think this is an idea that is going to catch on outside of Australia. We’ll be speaking with Snail and Lin_s about that one in this week’s feature interview. This week’s show is brought to you by Veracode, big thanks to them. In this week’s sponsor interview we’ll be chatting with Veracode’s senior product innovation manager Colin Domony about a couple of things. Veracode did a pretty interesting survey recently that really shows that developers are, in fact, finally, becoming security aware in a big way. Not only that, but Veracode has made some pretty significant changes to its products to reflect this switch. Static analysis software security tools are becoming something the developers themselves use, they’re not just for the security teams these days. So we’ll talk about the rationale behind Veracode’s recent release of a scanner that plugs into IDEs: Veracode Greenlight. Adam Boileau joins us, as always, to talk about the week’s security news. Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Risky Business #442 -- A bad week for Freedomhosting II, Cellebrite and Polish banks

Patrick Gray — Wed, 08 Feb 2017 00:00:00 +1100

There’s no feature interview in this week’s show. Instead, we’re going to spend a bit more time with Adam Boileau talking about the week’s news, and there’s plenty to chew through. This week’s show is brought to you by Tenable Network Security! In this week’s sponsor interview we’ll be chatting with Amit Yoran, Tenable’s new-ish CEO. Amit has an interesting background in infosec and he’ll be joining us to talk about a few things – Tenable’s just launched a whole new platform, which is interesting from a sign-of-the-times perspective. We’ll also get his thoughts on where he sees things going in the industry more generally. This isn’t Amit’s first CEO post – he was previously the big cheese at Netwitness then RSA, so he certainly has the experience to weigh in on trends. Links to everything are in this week’s show notes. Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Risky Biz Soap Box 1: DevOps, appsec and squandered opportunities

Patrick Gray — Fri, 03 Feb 2017 00:00:00 +1100

This is the first ever Risky Business Soap Box Special, produced by Risky.Biz for HP Enterprise Fortify. If you’re in infosec you know who they are already – Fortify makes software development security tools: everything from code scanners to its RASP solution Application Defender to Continuous Application Monitoring Services via Fortify on Demand, etc etc etc. The concept behind these special shows is pretty simple – up to once a month I’ll be interviewing an executive from the infosec industry about the field they operate in. Yes, it’s supposed to be promotional, but really, hearing these conversations is something a lot of listeners have told me they’d find extremely valuable. It’s called the Soap Box because it’s about helping men and women in positions of influence in the infosec industry actually access an audience. And they do have a lot to say. Jason Schmitt is the vice president and general manager of the Fortify business within the HP Enterprise Security Products organization. Before HP he held product management and engineering management positions at SPI Dynamics, Barracuda Networks, Steelbox Networks, and Andersen Consulting (now Accenture). In this special edition Jason talks about the impact the shift to DevOps is having on appsec, as well as looking at the results of a survey HPE did last year that yielded some pretty depressing results. (You can find that paper here [pdf].) We’ll also be referencing a talk by then Yahoo! CSO Alex Stamos (currently Facebook CSO) at Appsec USA 2015 titled “Appsec is eating security”. You can watch that one on YouTube here.

Risky Business #441 -- Gone in 60 seconds: Attacking ephemeral resources

Patrick Gray — Wed, 01 Feb 2017 00:00:00 +1100

On this week’s show we’ll be chatting with information security’s enfant terrible Nathaniel Wakelam about some recon tricks he’s been using in bug bounty programs. He uses some nice tricks to rapidly identify ephemeral resources that often result in some spectacular hacks, like, say, being able to download all of REDACTED’s source code. That one was cool because it was a temporary resource that got popped – that’s something you have to watch these days. This week’s show is brought to you by Cylance! Cylance makes machine learning-based AV software that by all reports works really well. Cylance CTO and co-founder Ryan Permeh is this week’s feature guest and we’re talking about something that we touched on last week – gaming machine learning. Does Cylance worry that a determined attacker will be able to gradually input bad data into Cylance’s learning set and game the whole system? Well, no, they’re not worried about it, but it’s definitely something they pay attention to. That’s really interesting stuff and it’s coming up after this week’s feature interview. Adam Boileau, as always, pops in for this week’s news. Links to everything are in this week’s show notes. Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Risky Business #440 -- Matt "PwnAllTheThings" Tait on the politicisation of infosec

Patrick Gray — Wed, 25 Jan 2017 00:00:00 +1100

On this week’s show we check in with Matt Tait, who’s probably better known by his Twitter handle: pwnallthethings. And we’ll be talking about the politicisation of infosec and the science of attribution. This week’s show is brought to you by Bugcrowd. Bugcrowd’s CEO and co-founder Casey Ellis will be along in this week’s sponsor interview to talk about his adventures running a MongoDB honeypot. Bugcrowd are pretty interested in talking about all those poor MongoDBs getting hosed because, well, if you’ve got a bug bounty program running, open DBs are the sorts of things that tend to get reported. As you’ll hear in that interview, the attackers who made some fast cash taking control of MongoDBs are now going after other stuff – elasticsearch, Hadoop. Adam Boileau, as always, joins the show to discuss the week’s security news, and our good buddy Jake Davis is back for another edition of Story Corner. Links to everything are in this week’s show notes. Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Risky Business #439 -- Does WhatsApp have an NSA backdoor? Well, nope.

Patrick Gray — Wed, 18 Jan 2017 00:00:00 +1100

On this week’s show we’re chatting with Alec Muffett about an absolutely awful bit of journalism run by The Guardian. Unless you’ve been hiding under a rock the last few days you would have seen a story circulating about a supposed government-friendly backdoor in the popular messaging app WhatsApp. Alec joins us this week to explain why that story is, put simply, bullshit. This week’s show is brought to you by Senetas, makers of layer 2 encryption gear. Senetas co-founder and CTO Julian Fay is along for the sponsor interview and we’re talking to him about what the charge to the cloud means for things like network encryption. Julian listened to last week’s interview with Rich Mogull, and he has some thoughts he’d like to share. Also this week, a new segment that I hope will become regular – story corner, with Jake Davis. Do stick around for that at the closing of this week’s show. Adam Boileau, as usual, joins us for this week’s news segment. Links to everything are in this week’s show notes. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #438 -- Rich Mogull: Infosec as we know it is over

Patrick Gray — Wed, 11 Jan 2017 00:00:00 +1100

On this week’s show we’ll be speaking with industry analyst Rich Mogull about what he sees as tidal forces that are going to rip the information security industry as we know it apart – he has some compelling ideas on that, that’s this week’s feature. We also check in with Mara Tam who spent today attending the Senate Select Committee on Intelligence in DC. It was a public hearing, but a few things shook out of it were pretty interesting. This week’s show is brought to you by Canary.tools, makers of honeypot tech, or, if you’re a wanker, Deception Technology. I’m guessing I’ll capitulate eventually and start using that terminology, but not yet, dammit! Haroon joins us to look at how Geopolitics now looks like an IRC war from 1999! We also look at some industry trends, in particular, very smart people building very good tech. Adam Boileau is back in the news hotseat to talk about all the stuff we missed over the last six weeks. From Trumpleaks (lol) to Wassenaar, hax and more. Links to everything are in this week’s show notes. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #437 -- The news, plus "this year in cyber" with Adam Boileau

Patrick Gray — Thu, 24 Nov 2016 00:00:00 +1100

This is the last episode for the year – the last episode of the 10th season! On this week’s show Adam and I will discuss the week’s news and then we’re going to reflect on the major events in 2016; the stuff that stuck out for us. I don’t think it’ll come as a surprise that the cyber intrigue surrounding the 2016 US presidential election is what peaked our interest this year. This week’s show is brought to you by Canary.Tools. Canaries are of course those awesome little honeypots you can deploy on your network for excellent signalling. They will tell you if you have an attacker on your network, they’re cost effective and really nicely designed. Canary’s very own Marco Slaviero will be along a bit later to talk through a recent Tweetstorm that centred on honeypots, as well as to preview Canary’s next release. In a few weeks you will be able to buy a purpose-built ICS honeypot, as well as one that mimics a code repository, so if you work with ICS gear or for a dev shop, you’ll really want to tune in to that one. **RISKY BUSINESS WILL BE BACK ON JANUARY 12, 2017** Links to everything are in this week’s show notes. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #436 -- Do you know your supply chain is horrible?

Patrick Gray — Thu, 17 Nov 2016 00:00:00 +1100

On this week’s show we’re chatting with Fitbit security director Sasha Biskup and his colleague Marc Bown about how to build secure embedded devices from insecure components. During the development phase of some Fitbit products, the Fitbit security team has discovered some hideous vulnerabilities that could have compromised security downstream. They’ve been able to mitigate these issues, but they worry other embedded device manufacturers aren’t even looking at the security implications of their suppliers’ mistakes. This week’s show is brought to you by CyberArk! CyberArk’s Jeffrey Kok is this week’s sponsor guest. He joins the show to talk about what CyberArk knows best – privileged account management. It’s such a basic thing, but it’s hard to do right. This week’s news segment was recorded at Kiwicon in Wellington, NZ, and features Assurance.com.au’s Neal Wise, plus Rob Fuller and David Jorm.

Risky Business #435 -- Former NSA general counsel Stewart Baker talks Trump

Patrick Gray — Thu, 10 Nov 2016 00:00:00 +1100

In this week’s show we’re going to have a chat with former NSA general counsel and cyberlaw podcast host Stewart A Baker. We’ll get his thoughts on what a Trump presidency could mean when it comes to cyber security. This week’s show is sponsored by Senetas, and you know what? They’re branching out. Senetas has some new goodies that can replace all the crappy tools like dropbox that are in your organisation despite you not approving of them. The Senetas solution is actually good enough that it’s being used to handle classified data, because hey, Senetas does a lot of business with SafeNet, which is owned by Gemalto – so if the idea of a HSM-authenticated and locked down dropbox-style platform appeals, hang about for this week’s sponsor interview! Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #434 -- Mirai v2 is coming, Shadowbrokers latest and more

Patrick Gray — Thu, 03 Nov 2016 00:00:00 +1100

On this week’s show we chat with Errata Security’s Robert Graham about a ridiculous non-story that had readers in the USA convinced that Slate magazine had uncovered a covert communication channel between Donald Trump and a state-linked Russian bank. The basis of this jaw-dropping conclusion? Cherry-picked DNS query logs. We’ll find out why that story was total, utter bullshit in this week’s feature. In this week’s sponsor interview we’re chatting with the former CEO and CTOs of Flawcheck, a company that made vulnerability scanning tools for Docker containers. Flawcheck has been acquired by this week’s sponsor, Tenable Network Security, and it’s a really handy thing to use if your company makes use of Docker. You can actually register for a free trial of Flawcheck here. We’ll find out why you need specialist kit to do container scanning. Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #433 -- Mirai ain't going anywhere

Patrick Gray — Thu, 27 Oct 2016 00:00:00 +1100

On this week’s show we’re taking a look at the Great DDoSSening of 2016! Yep, we’ll be having a look at the attacks against Dyn, but perhaps more importantly we’ll be asking the question: With a zillion perma-owned things out there able to launch some pretty serious DDoS attacks: What now? IoT device security specialist Stephen Ridley will join us in this week’s feature slot to discuss that. This week’s sponsor interview is a cracker. We’ll be chatting with Cyalnce chief research officer Jon Miller about how the hell you’re supposed to benchmark AV these days. It’s actually trickier than you’d think, for reasons we’ll get into later. We also talk about managing false positives and hit on a few other topics in that one. Jon’s ex ISS X-Force, he’s been around the traps for a long time and really knows what he’s talking about. That’s a good interview… big thanks to Cylance for sponsoring this week’s show. Adam Boileau is this week’s news guest. Links to everything are in this week’s show notes. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #432 -- We need to talk about John

Patrick Gray — Thu, 20 Oct 2016 00:00:00 +1100

On this week’s show we’re taking a look at the business dealings of John McAfee. Earlier today the NYSE announced the company that arranged to hire McAfee, MGT Capital, would be de-listed from the NYSE: MKT small cap exchange. This follows a class action investor lawsuit and the unearthing of a remuneration agreement between the company and McAfee that have lead some to suggest the whole company could be a pump and dump scam. This comes hot on the heels of a release of a Showtime documentary that alleges McAfee’s involvement in two murders and the rape of a scientist working for him. We’ll hear from respected industry analyst Rich Mogull about MGT’s proposed product line while Georgetown Law’s Visiting Professor Russell Stevenson takes a look at MGT’s somewhat strange remuneration agreement with McAfee. This week’s show is brought to you by Canary.Tools.. If you’re a regular listener you’ve heard me sing the praises of Canary in the past. It’s basically a little honeypot that you can configure to look like anything, you put it on your LAN somewhere and wait for an attacker to mess with it. It’s a great product that’s experiencing amazing growth. Canary.Tools head honcho Haroon Meer will be along in this week’s sponsor interview to talk about how little hacks can help defenders as well as attackers. Adam is away on his company retreat this week so I’ve actually asked Haroon to fill in for him in the news segment, too. It’s your double dose of Haroon Meer! Oh, and do add Patrick and Haroon on Twitter if that’s your thing.

Risky Business #431 -- What should the USA do about Russian hacks?

Patrick Gray — Thu, 06 Oct 2016 00:00:00 +1100

On this week’s show we’re taking a look at what the hell the USA should do in response to Russia’s hacks against the DNC. A few days ago the Director of National Intelligence and DHS issued a joint statement that officially puts blame for the DNC hacks squarely on Russia. Since then the Internets have been in meltdown over what exactly should be done in response. Cyber policy lady Mara Tam is this week’s feature guest. She’ll tell us what sort of reaction we can expect to see, as well as give us some context around why all this is happening in the first place. That’s this week’s feature interview. This week’s show is brought to you by the fine folks at Bugcrowd. This week’s sponsor interview is with Bugcrowd founder and CEO Casey Ellis. Recently a company that makes static analysis software took a bit of a poke at bug bounties in its marketing. If anything it was kind of an acknowledgement that Bugcrowd and its competitors have had a pretty substantial impact on how testing actually gets done. But are people actually thinking of services like managed bug bounties as a substitute for static analysis? And why is every single company that makes developer tools scrambling to become agile or devops ready when hardly anyone is actually doing it yet? Adam Boileau is this week’s news guest. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #430 -- LulzSec's Tflow talks NSA exploits, justice and remorse

Patrick Gray — Thu, 06 Oct 2016 00:00:00 +1100

On this week’s show we are catching up with Mustafa Al-Bassam. He’s a lovely young chap from England who was once upon a time one of the LulzSec crew. Like all the other guys in that crew he got busted, but he didn’t spend any time in prison and these days he is doing really well. He has finished his undergrad, works with some blockchain technology and is about to start a PhD. He joins us this week to talk about his in depth analysis of the Shadowbrokers dump, as well as to reflect on his crimes. As you’ll hear, he has some regrets. This week’s show is brought to you by Bromium! And last week you might have caught an announcement that Microsoft has moved virtualisation based security up into the app stack. The Edge browser is getting thrown into a micro VM in certain circumstances. Of course Microsoft worked with Bromium on all this stuff, so Bromium CTO, Simon Crosby will be along to talk about what Microsoft has actually done here. Bromium, of course, makes fully featured micro VM security software in addition to helping Microsoft improve windows, so that chat is interesting stuff and it’s coming up after this week’s feature. Adam Boileau is this week’s news guest. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #429 -- Kreb's dumped, satellite hacking, election insecurity and more

Patrick Gray — Thu, 29 Sep 2016 00:00:00 +1000

This week we’ll be having a chat to Paul Marsh about a recent report from UK think tank Chatham House that says there’s a looming cyber security crisis about to wreak havoc on the satellite ecosystem. But as you’ll hear, Paul thinks the concerns are somewhat overhyped. In this week’s sponsor interview we chat with Space Rogue, aka Tenable Network Security’s very own Cris Thomas. He’s joining us this week to talk about election security. Two new bills dealing with the security of voting computers have been proposed in the USA. We’ll get Cris’s thoughts on how likely they are to actually make a difference. We also have a general discussion around the security of e-voting infrastructure. Adam Boileau is this week’s news guest. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #428 -- Cross-platform Tor Browser pwnership with Ryan Duff

Patrick Gray — Thu, 22 Sep 2016 00:00:00 +1000

On this week’s show we’ll be chatting with security researcher Ryan Duff about the rabbit hole that is the Tor Browser Bundle certificate pinning bug. The bug itself is interesting, but the questions it raises about how suitable Tor is for genuinely critical use are, you know, substantial. That’s a really, really interesting chat with Ryan Duff, coming up after the news. This week’s show is brought to you by Hewlett Packard Enterprise Fortify! Of course HPE Fortify makes both static and dynamic analysis tools to help their customers weed out bugs in their software… but what are the relative strengths of static versus dynamic? Where should you use these tools? As this week’s sponsor guest Michael Farnum explains, the trend these days is to not only use both, but move them both as far to the left as possible in the development cycle. That’s this week’s sponsor interview, coming up a bit later. Mark Piper is this week’s news guest. Oh, and do add Patrick on Twitter if that’s your thing.

Risky Business #427 -- Cahill law partner Brad Bondi on MedSec suit

Patrick Gray — Thu, 15 Sep 2016 00:00:00 +1000

We have a great feature interview this week. Risky Business contributor Brian Donohue spoke with Cahill law firm partner Brad Bondi about the suit St Jude Medical has brought against MedSec and Muddy Waters over the short-sell of the medical device manufacturer’s shares. That is an illuminating chat that certainly gave me an understanding of where this all could be heading, both in terms of the upcoming trial and how likely it is we’ll see similar stuff in the future. This week’s show is brought to you by Cylance! These guys basically offer an AV solution that works differently. But you know what? I’ve asked a dozen people what they actually do, and no one has really been able to tell me. So, I talk to Cylance founder and CEO Stuart McClure about the fall out from the House Oversight report into the OPM breach – a report that went in to some detail on Cylance’s role in determining the extent of the breach – but I also talk to him more generally about what it is that Cylance actually does. Adam Boileau is back in the news chair this week to talk about the week’s information security headlines. Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Risky Business #426 -- House Oversight Committee drops OPM breach report PLUS St Jude sues MedSec

Patrick Gray — Thu, 08 Sep 2016 00:00:00 +1000

In this week’s feature interview we chat with Stephen Ridley about all things IoT. Stephen is a researcher turned entrepreneur and he’ll be along to talk about the platform consolidation we’re going to see when it comes to “things”. Once that settles, he argues, we’ll get a better idea of the security risks we should really, actually be worried about. In this week’s sponsor interview we’re chatting with Simon Galbally at Senetas. Senetas, of course, makes high assurance network encryptors and Simon joins us this week to talk about where certification schemes might be headed. Did you know there are no sunset clauses on many of the certification schemes out there? So yeah, you can be using a FIPS certified box that’s riddled with known bugs and yep, it’s still certified. Certifications could start moving towards more continuous models. Insomnia Security’s Mark Piper is this week’s news guest. Oh, and do add Patrick on Twitter if that’s your thing.

Risky Business #425 -- MedSec CEO Justine Bone on the Muddy Waters short

Patrick Gray — Thu, 01 Sep 2016 00:00:00 +1000

On this week's show we've landed what looks to be a fairly exclusive interview -- at least as far as the tech press is concerned. Justine Bone will be joining us to explain why the company she works with, MedSec, decided to use vulnerability information on implantable medical devices to drive a short-selling scheme in partnership with Muddy Waters. This week's show is sponsored by Tenable Network Security. We're doing something a bit different in this week's sponsor interview -- we're chatting with one of Tenable's customers, City of San Diego CISO Gary Hayslip. They've just invested heavily in Nessus, among other things. Gary drops by to explain what he's been doing since he took the CISO position a few years ago. If you're a CISO it's actually a pretty interesting interview. That team has to deal with everything from embedded devices in cop cars to control systems to its very own POS network. Hey, citizens have to pay for government services somehow, right? Trail of Bits head honcho Dan Guido is this week's news guest. Oh, and do add Patrick and Dan on Twitter if that's your thing.

Risky Business #424 -- Jess Frazelle on Docker. So hot right now.

Patrick Gray — Thu, 25 Aug 2016 00:00:00 +1000

On this week's show we chat with Jessie Frazelle. Jessie is a former Docker maintainer who now works at Google on all things "containery". So we talk to her about what's up with containers, basically, and where the security pitfalls are. Like it or not, containers are likely going to be used in your environment, so getting to know them is a must. That's this week's feature. This week's show is brought to you by HP Enterprise Security's Fortify! These guys and gals are a new sponsor, and I'm sure most of you know them. They make both static analysis and dynamic analysis code security tools, and this week we're joined by HPE Fortify's James "Jimmy" Rabon to talk about how this whole newfangled devops/agile thing has changed things for them. The Grugq also joins the show to talk about the week's security news. He's filling in for Adam Boileau who's frantically getting Kiwicon 10 organised. Oh, and do add Patrick and The Grugq on Twitter if that's your thing. Show notes Completely Wrong - Medium https://medium.com/@thegrugq/completely-wrong-a300246ad316#.h7zsu81sg CyberSecPolitics: Why EQGRP Leak is Russia http://cybersecpolitics.blogspot.com.au/2016/08/why-eqgrp-leak-is-russia... Shadow Broker Breakdown - Medium https://medium.com/@thegrugq/shadow-broker-breakdown-b05099eb2f4a#.eqou5... The NSA Leak Is Real, Snowden Documents Confirm https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents... NSA-linked Cisco exploit poses bigger threat than previously thought | Ars Technica http://arstechnica.com/security/2016/08/nsa-linked-cisco-exploit-poses-b... Juniper Acknowledges Equation Group Targeted ScreenOS | Threatpost | The first stop for security news https://threatpost.com/juniper-acknowledges-equation-group-exploits-targ... Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump | Motherboard http://motherboard.vice.com/read/former-nsa-staffers-rogue-insider-shado... The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days | WIRED https://www.wired.com/2016/08/shadow-brokers-mess-happens-nsa-hoards-zer... Researcher Grabs VPN Password With Tool From NSA Dump | Motherboard http://motherboard.vice.com/read/researcher-grabs-cisco-vpn-password-wit... Commentary: Evidence points to another Snowden at the NSA | Reuters http://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P The NSA Data Leakers Might Be Faking Their Awful English To Deceive Us | Motherboard http://motherboard.vice.com/read/the-shadow-brokers-nsa-leakers-linguist... Someone Rickrolled the Bitcoin Auction for NSA Exploits | Motherboard http://motherboard.vice.com/read/someone-rickrolled-the-bitcoin-auction-... Californian gets 50 months in prison for Chinese 'technology spy' work \u2022 The Register http://www.theregister.co.uk/2016/08/23/50_months_for_chinese_tech_spy_w... Lawyer: Dark Web Child Porn Site Ran Better When It Was Taken Over by the FBI | Motherboard http://motherboard.vice.com/read/lawyer-dark-web-child-porn-site-ran-bet... A 'Tor General Strike' Wants to Shut Down the Tor Network for a Day | Motherboard http://motherboard.vice.com/read/a-tor-general-strike-wants-to-shut-down... EFF Blasts Microsoft Over Windows 10 Rollout | Threatpost | The first stop for security news https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-ro... Australia Post says use blockchain for voting. Expert: you're kidding \u2022 The Register http://www.theregister.co.uk/2016/08/22/australia_postblockchain_for_vot... SSA: Ixnay on txt msg reqmnt 4 e-acct, sry - Krebs on Security http://krebsonsecurity.com/2016/08/ssa-ixnay-on-txt-msg-reqmnt-4-e-acct-... Epic Games Forums Hacked, 800,000 User Accounts Exposed | Threatpost | The first stop for security news https://threatpost.com/epic-games-forums-hacked-sql-injection-vulnerabil... Malware Infected All Eddie Bauer Stores in U.S., Canada - Krebs on Security http://krebsonsecurity.com/2016/08/malware-infected-all-eddie-bauer-stor... Massive Email Bombs Target .Gov Addresses - Krebs on Security http://krebsonsecurity.com/2016/08/massive-email-bombs-target-gov-addres... New Brazilian Banking Trojan Uses Windows PowerShell Utility | Threatpost | The first stop for security news https://threatpost.com/new-brazilian-banking-trojan-uses-windows-powersh... Browser Address Bar Spoofing Vulnerability Disclosed | Threatpost | The first stop for security news https://threatpost.com/browser-address-bar-spoofing-vulnerability-disclo... Software-defined networking is dangerously sniffable \u2022 The Register http://www.theregister.co.uk/2016/08/23/sdns_normal_behaviour_is_sniffab... How to Dramatically Improve Corporate IT Security Without Spending Millions - Praetorian.pdf https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Im...

Risky Business #423 -- ShadowBrokers PLUS how2pwn Apple's Secure Enclave

Patrick Gray — Thu, 18 Aug 2016 00:00:00 +1000

This week's feature interview is incredible. We're speaking with David Wang from Azimuth Security. He, his colleague Tarjei Mandt and Mat Solnik of OffCell Research delivered an absolutely blockbuster talk at Black Hat. I didn't see the talk at the time but I got a chance to review the slides and oh-my-god I can't believe this one got so little attention. While everyone was running around talking about hackable lightbulbs, jeeps and trucks, these three guys basically dropped a how2pwn guide for Apple's Secure Enclave Processor. So, you know, you can basically take their slide deck, add a couple of little tweaks and you're unlocking an iPhone 6s and messing around with a thing you're really not supposed to be messing around with. It's really, really good reversing work and you need to hear this interview. This week's show is brought to you by Bugcrowd, outsourced bug bounty programs. Bugcrowd founder and CEO Casey Ellis is along this week to talk about Apple's newly launched bounty program. Even though other software companies already have bounty programs, the large rewards involved in this one make it a big deal. We'll get his thoughts on that. Adam Boileau joins us in this week's news segment to discuss the NSA's shiny toys being all over teh torrentz, as well as other assorted infosec news. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes What We Know About the Exploits Dumped in NSA-Linked Hack | Motherboard http://motherboard.vice.com/read/what-we-know-about-the-exploits-dumped-... The Equation Giveaway - Securelist https://securelist.com/blog/incidents/75812/the-equation-giveaway/ \u200bWhy Github Removed Links to Alleged NSA Data | Motherboard http://motherboard.vice.com/read/why-github-removed-links-to-alleged-nsa... Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump | Motherboard http://motherboard.vice.com/read/former-nsa-staffers-rogue-insider-shado... The Current Highest Bid for Alleged NSA Data is 999,998.371 Bitcoin Short | Motherboard http://motherboard.vice.com/read/the-shadow-brokers-auction-nsa-data-bit... Hack of NSA-Linked Group Signals a Cyber Cold War | Motherboard http://motherboard.vice.com/read/hack-nsa-linked-equation-group-cyber-co... Why Did Guccifer 2.0 Evolve from Sloppy Hacktivist to Professional Leaker? | Motherboard http://motherboard.vice.com/read/guccifer-20-evolution-sloppy-hacktivist... Patrick Gray on Twitter: "Well this basically confirms it's Russia, right? Trolololol-lolol-lolol-lalalalaaaaa!!! https://t.co/YZ4etnZgO3" https://twitter.com/riskybusiness/status/765347661587238916 Snowden speculates leak of NSA spying tools is tied to Russian DNC hack | Ars Technica http://arstechnica.com/tech-policy/2016/08/snowden-speculates-leak-of-ns... Shadow Brokers NSA exploits: doubts about Edward Snowden's tweets | The Cold War Daily https://coldwardaily.com/2016/08/17/shadow-brokers-nsa-exploits-doubts-a... Guccifer 2.0 doxes hundreds of House Democrats with massive document dump | Ars Technica http://arstechnica.com/tech-policy/2016/08/guccifer-2-0-doxes-hundreds-o... Democratic, GOP leaders got a secret briefing on DNC hack last year | Ars Technica http://arstechnica.com/tech-policy/2016/08/democrat-gop-leaders-got-a-se... Court Rules to Extradite Suspected Silk Road Admin From Ireland to the US | Motherboard http://motherboard.vice.com/read/court-rules-to-extradite-suspected-silk... \u200bAustralian Authorities Hacked Computers in the US | Motherboard http://motherboard.vice.com/read/australian-authorities-hacked-computers... How Researchers Exposed Iranian Cyberattacks Against Hundreds of Activists | Motherboard http://motherboard.vice.com/read/iran-cyberattacks-against-activists Wave of Spoofed Encryption Keys Shows Weakness in PGP Implementation | Motherboard http://motherboard.vice.com/read/wave-of-spoofed-encryption-keys-shows-w... Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks | Ars Technica http://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-and... Almost every Volkswagen sold since 1995 can be unlocked with an Arduino | Ars Technica http://arstechnica.com/cars/2016/08/hackers-use-arduino-to-unlock-100-mi... Security Fuckup Megathread - v12.1.4 - i need tp-link for my security hole - The Something Awful Forums https://forums.somethingawful.com/showthread.php?threadid=3771497&pagenu... Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open | Ars Technica http://arstechnica.com/security/2016/08/microsoft-secure-boot-firmware-s... Adobe Patches Experience Manager; No Flash Update | Threatpost | The first stop for security news https://threatpost.com/a-month-without-adobe-flash-player-patches/119770/ Cisco confirms NSA-linked zeroday targeted its firewalls for years | Ars Technica http://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroda... Cisco Patches ASA Zero Day Exposed by ShadowBrokers | Threatpost | The first stop for security news https://threatpost.com/cisco-patches-asa-zero-day-exposed-by-shadowbroke... us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-T...

Censusfail and the fog of war

Patrick Gray — Mon, 15 Aug 2016 00:00:00 +1000

Last week I dashed off a very quick post about #CensusFail that went stupid viral. I think it was retweeted about 1200 times and it sort of became "the story" of what happened. As far as I know the information I posted is accurate, but I wanted to write this to add a bit more context and look at where it's shaky. I literally wrote that thing up in about 10 minutes while I was working on last week's show. I was doubly under the pump because The Project had a camera guy coming to my house that evening to record an interview about the whole debacle. I'd also just arrived back in Australia after spending six days in Las Vegas attending Black Hat, B-Sides and Defcon. Prior to that I was in Brazil. So yes, long story short, I was exhausted, jet lagged, slammed with work and I didn't really have much time to write a decent post. I certainly wasn't expecting what I did write to be spread so widely. So, now that I've had a minute to breathe, let's look back through the bullet points in original post to see where it's solid and where it isn't. The information I put together came from multiple sources, some closer to the action that others. IBM and the ABS were offered DDoS prevention services from their upstream provider, NextGen Networks, and said they didn't need it. I'm pretty firm on this one. They may have worked with their upstream provider on a contingency plan (geoblocking) but I've got pretty solid information that they opted not to have DDoS gear installed at the edge of the census network. That was a mistake. The edge gear can detect certain types of DDoS activity and send a signal to the upstream provider for its filtering/blocking to begin. If you don't have it, you're basically running naked if your geoblocking isn't effective. Oops. Their plan was to just ask NextGen to geoblock all traffic outside of Australia in the event of an attack. Again, as far as I know this is solid and supported by statements made by officials since. This plan was activated when there was a small-scale attack against the census website. As far as I know this is also solid. There was a DDoS attack targeting the Census website and they asked NextGen to block all non-Australia packets. This worked, for a time. Unfortunately another attack hit them from inside Australia. This was a straight up DNS reflection attack with a bit of ICMP thrown in for good measure. It filled up their firewall's state tables. Their solution was to reboot their firewall, which was operating in a pair. This is the part I suspect *could* be wrong. Whether this attack actually happened or not I can't be sure. One source told me there was attack traffic hitting the Census website from within Australia, but the more I think of it the more I realise this could have just been legit traffic mischaracterised as DDoS traffic. That's the thing with stories like these. It's like reporting on a battle: The fog of war kicks in and details get lost or smudged. I am very firm on the census website firewall being rebooted at some point and the secondary not being synced. I'm not 100% on whether this was because of Australia-based DDoS traffic hitting the census website or it was a result of straight-up shitty capacity planning. So was it an attack or their connection filling up? I can't be 100% sure. I doubt they are either. They hadn't synced the ruleset when they rebooted the firewall so the secondary was essentially operating as a very expensive paperweight. This resulted in a short outage. Again, very solid on this having happened. Just not sure on the why. Some time later IBM's monitoring equipment spat out some alerts that were interpreted by the people receiving them as data exfiltration. Already jittery from the DDoS disaster and wonky firewalls, they became convinced they'd been owned and the DDoS attack was a distraction to draw their focus away from the exfil. I am absolutely, 100% rock solid on this one. We even saw the relevant minister and senior bureaucrats support this one in statements made to the media. The bit they left out is the traffic that triggered the alarm was entirely normal and should never have resulted in a false positive. They pulled the pin and ASD was called in. Public statements support this. The IBM alerts were false positives incorrectly characterising offshore-bound system information/logs as exfil. This is the part that's most hilarious. I'm told it was bog-stock traffic behvaiour that set off the alerts. I am confident there was no valid reason behind those alerts triggering. I'm actually pretty sympathetic here and it's hard to say the person who decided to unplug made the wrong call. If you suspect you've been owned and all your data is being siphoned off, it's probably the right thing to do. It's the people who set up such shitty monitoring that are to blame for this part of the disaster, not the people who pulled the pin. ASD still needs to roll incident response before they can send the website live again. Even though it was false positives that triggered the investigation, there still needs to be an investigation. This is just standard. Once you call an IR team they need to investigate.So. That's where I stand on what I wrote last week. I'm sure about most of it, but the timeline and details around whether there was Australian attack traffic? I can't 100% substantiate that. I'm highly confident the firewall thing happened. They did reboot without a synced secondary. But that's just sort of funny, and if it happened in isolation no one would think it's a big deal. There's other stuff I haven't mentioned, too, like routes changing on the night to send traffic around the primary connectivity provider. This might be due to the "geoblocking falling over," something our fearless leaders have mentioned once or twice in interviews and at press conferences. If I had to guess, they tried to route around NextGen and get Telstra to pull together some last-minute DDoS filtering. That's just speculation, but if I had to guess, that's how it went down. Either way it was amateur hour. The next question becomes: Who's responsible? Predictably, the government is trying to shift blame for the debacle on to ABS bureaucrats and IBM. That's mostly fair enough. Telling a company like IBM that they should prepare for DDoS attacks is sort of like telling your babysitter not to put the kids in the oven while you're out for the night. It's just so weird that they didn't adequately prepare for it. That said, we don't know who made the final decision. It could have been an IBMer telling the ABS that they absolutely had it under control, or it could have been an executive-level public servant trying to shave a few bucks off the budget. We just don't know. The thing I'd really like to know is why the ASD wasn't given authority to actually look at this set up before it went live. If its only involvement was asking high-level, compliance-like questions ("Do you have a DDoS mitigation plan? Y/N") then honestly that's not good enough. I suspect that's what's happened in this instance and this is where you'd go looking for ministerial accountability if you were so inclined. If you're interested in infosec stuff beyond CensusFail, do check out my podcast, Risky Business. RSS feed here. iTunes subscription link here. Or follow me on Twitter here.

What I've been told about #censusfail

Patrick Gray — Thu, 11 Aug 2016 00:00:00 +1000

I have been able to cobble together the following by talking to my sources. Sorry this post is so brief, but I'm still trying to get this week's show out and I'm massively under the pump. So here it is: Set your faces to stunned. IBM and the ABS were offered DDoS prevention services from their upstream provider, NextGen Networks, and said they didn't need it. Their plan was to just ask NextGen to geoblock all traffic outside of Australia in the event of an attack. This plan was activated when there was a small-scale attack against the census website. Unfortunately another attack hit them from inside Australia. This was a straight up DNS reflection attack with a bit of ICMP thrown in for good measure. It filled up their firewall's state tables. Their solution was to reboot their firewall, which was operating in a pair. They hadn't synced the ruleset when they rebooted the firewall so the secondary was essentially operating as a very expensive paperweight. This resulted in a short outage. Some time later IBM's monitoring equipment spat out some alerts that were interpreted by the people receiving them as data exfiltration. Already jittery from the DDoS disaster and wonky firewalls, they became convinced they'd been owned and the DDoS attack was a distraction to draw their focus away from the exfil. They pulled the pin and ASD was called in. The IBM alerts were false positives incorrectly characterising offshore-bound system information/logs as exfil. ASD still needs to roll incident response before they can send the website live again. Even though it was false positives that triggered the investigation, there still needs to be an investigation. At least IBM got to bump their margins up a bit by not paying for the DDoS prevention though... amirite?!

Risky Business #422 -- #CensusFail, news with Adam and MOAR

Patrick Gray — Thu, 11 Aug 2016 00:00:00 +1000

On this week's show we talk about the week's security news with Adam Boileau and I spill on what my sources have told me about #censusfail. This week's show is brought to you by Canary.tools. Canary is a fantastic bit of kit -- it's essentially an easily configurable, compact honeypot you can just drop on your network like a dropbox to detect attacks. No begging the data centre people for rack space, just drop it and go. We'll be talking to Canary.tools head honcho Haroon Meer this week about the disconnect between what some startups are pitching to venture capitalists versus what users actually need. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Census Australia 2016 fail: ABS says website was hacked http://www.news.com.au/technology/census-fail-abs-spent-nearly-500000-on... Patrick Gray on Twitter: "Analysis from trusted source of trusted source. Someone's getting fired. I'm a fucking journo and I'm not this dumb: https://t.co/gyQajFDQcQ" https://twitter.com/riskybusiness/status/763189895292555264 'Angry, bitterly disappointed': Malcolm Turnbull lashes ABS for census failures http://www.theage.com.au/federal-politics/political-news/angry-bitterly-... Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs | Ars Technica http://arstechnica.com/apple/2016/08/starting-this-fall-apple-will-pay-u... Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme | Motherboard http://motherboard.vice.com/read/zero-day-hunters-will-pay-over-twice-as... Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks | Ars Technica http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other... Researchers crack open unusually advanced malware that hid for 5 years | Ars Technica http://arstechnica.com/security/2016/08/researchers-crack-open-unusually... Data Breach At Oracle's MICROS Point-of-Sale Division - Krebs on Security http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-o... Apple, Intel, Google Employee Accounts Exposed in Data Breach of Developer Forum | Motherboard http://motherboard.vice.com/read/apple-intel-google-employee-accounts-ex... Copperhead OS: The startup that wants to solve Android's woeful security | Ars Technica http://arstechnica.com/security/2016/08/copperhead-os-fix-android-security/ Major Qualcomm chip security flaws expose 900M Android users | Ars Technica http://arstechnica.com/security/2016/08/qualcomm-chip-flaws-expose-900-m... Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels | Motherboard http://motherboard.vice.com/read/hackers-could-break-into-your-monitor-t... Hackers Make the First-Ever Ransomware for Smart Thermostats | Motherboard http://motherboard.vice.com/read/internet-of-things-ransomware-smart-the... Afraid of the Dark? Too Bad, Your Smart Bulbs Can Be Hacked | Motherboard http://motherboard.vice.com/read/hackers-could-take-control-of-your-smar... Good news-the robocalling scourge may not be unstoppable after all | Ars Technica http://arstechnica.com/security/2016/08/good-news-the-robocalling-scourg... IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks | Ars Technica http://arstechnica.com/security/2016/08/ipv6-router-bug-juniper-cisco-dd... PLC Blaster Worm Targets Industrial Control PLCs | Threatpost | The first stop for security news https://threatpost.com/plc-blaster-worm-targets-industrial-control-syste... Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320) https://rol.im/securegoldenkeyboot/ Flip Feng Shui - VUSec https://www.vusec.net/projects/flip-feng-shui/ FreeBSD \xb7 GitHub https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

Risky Business #421 -- Las Vegas edition with Dan Guido, Andy Greenberg and Zane Lackey

Patrick Gray — Sat, 06 Aug 2016 00:00:00 +1000

On this week's show we speak with Signal Sciences' co-founder Zane Lackey about hackers building defensive tools and software companies. Dan Guido and Andy Greenberg talk about car hacking and the week's security news, and Wade Woolwine of Rapid7 is in the sponsor slot talking about EDR/IDR software. Show notes Hackers Fool Tesla S's Autopilot to Hide and Spoof Obstacles | WIRED https://www.wired.com/2016/08/hackers-fool-tesla-ss-autopilot-hide-spoof... The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse | WIRED https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-ac... Hackers Hijack a Big Rig Truck's Accelerator and Brakes | WIRED https://www.wired.com/2016/08/researchers-hack-big-rig-truck-hijack-acce... LastPass Patches Ormandy Remote Compromise Flaw | Threatpost | The first stop for security news https://threatpost.com/lastpass-patches-ormandy-remote-compromise-flaw/1... Researchers Bypass Chip and Pin Protections at Black Hat | Threatpost | The first stop for security news https://threatpost.com/researchers-bypass-chip-and-pin-protections-at-bl... Oracle EBusiness Suite 'Massive' Attack Surface Assessed | Threatpost | The first stop for security news https://threatpost.com/oracle-ebusiness-suite-massive-attack-surface-ass... Yahoo Investigates 200 Million Alleged Accounts For Sale On Dark Web | Threatpost | The first stop for security news https://threatpost.com/yahoo-investigates-200-million-alleged-accounts-f... Report claims more than half of UK firms have been hit by ransomware | Ars Technica http://arstechnica.com/security/2016/08/more-than-half-of-uk-firms-have-... DNC staffers: FBI didn't tell us for months about possible Russian hack | Ars Technica http://arstechnica.com/security/2016/08/dnc-staffers-fbi-didnt-tell-us-f... New attack steals SSNs, e-mail addresses, and more from HTTPS pages | Ars Technica http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-ad... Bitcoin value falls off cliff after $77M stolen in Hong Kong exchange hack | Ars Technica http://arstechnica.com/security/2016/08/bitcoin-value-falls-off-cliff-af... Social Security Administration Now Requires Two-Factor Authentication - Krebs on Security http://krebsonsecurity.com/2016/08/social-security-administration-now-re... The Administrator of the Dark Web's Infamous Hacking Market Has Vanished | Motherboard http://motherboard.vice.com/read/the-administrator-of-the-dark-webs-infa... Privacy Activists Launch Database to Track Global Sales of Surveillance Tech | Motherboard http://motherboard.vice.com/read/privacy-activists-launch-database-to-tr... How Drones Could Help Hackers Shut Down Power Plants | Motherboard http://motherboard.vice.com/read/how-drones-could-help-hackers-shut-down... Home https://signalsciences.com/ rapid7 edr - Google Search https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF...

Risky Business #420 -- What we don't know about Watergate 2.0

Patrick Gray — Fri, 29 Jul 2016 00:00:00 +1000

On this week's show we're taking a look at the DNC leaks, but don't worry, we won't be getting bogged down in the same old angles. Instead, we're going to chat to Lorenzo Franceschi-Bicchierai from VICE motherboard about his experience in interviewing the Guccifer 2 persona. Then we'll hear from Kevin Poulsen about what these latest developments mean for Wikileaks. It's a topic you're probably sick of hearing about this week, but stick with us, we've got some new angles, and they're relevant. This week's sponsor interview is an absolute, certified, 24-carat cracker. Bromium is this week's sponsor and its CTO and co-founder, Simon Crosby, pops along to talk about his experience in dealing with the wrath of Tavis Ormandy. Tavis actually managed to dig a custom build of Bromium's software out of VirusTotal and find a really cool bug in it. But there's actually a fair bit more to that story and Simon fills us in. Adam Boileau, as usual, joins us to discuss the week's security news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes WikiLeaks Dumps 'Erdogan Emails' After Turkey's Failed Coup | WIRED https://www.wired.com/2016/07/wikileaks-dumps-erdogan-emails-turkeys-fai... WikiLeaks Put Women in Turkey in Danger, for No Reason http://www.huffingtonpost.com/zeynep-tufekci/wikileaks-erdogan-emails_b_... Notorious Hacker 'Phineas Fisher' Says He Hacked The Turkish Government | Motherboard http://motherboard.vice.com/read/phineas-fisher-turkish-government-hack ZeroBin https://zerobin.net/?28625085e55bf0fb#QFl/7wV7jpgLG6aXm3YLzDtFklBTWZtJ3G... bellingcat - "We've shot four people. Everything's fine." The Turkish Coup through the Eyes of its Plotters - bellingcat https://www.bellingcat.com/news/mena/2016/07/24/the-turkey-coup-through-... Snowden Designs a Device to Warn if Your iPhone's Radios Are Snitching | WIRED https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-... Edward Snowden on Twitter: "The aversion to sharing #NSA evidence is fear of revealing "sources and methods" of intel collection, but #XKEYSCORE is now publicly known." https://twitter.com/Snowden/status/757577614873755648 Robert M. Lee on Twitter: "Since my colleagues are afraid to comment - @Snowden this is ridiculous. Also weren't you in T group. Just stop. https://t.co/6Gv5hK7qMi" https://twitter.com/RobertMLee/status/757715572461219841 Keys to Chimera crypto ransomware allegedly leaked by rival crime gang | Ars Technica http://arstechnica.com/security/2016/07/keys-to-chimera-crypto-ransomwar... SentinelOne Offers $1 Million Guarantee To Stop Ransomware http://www.darkreading.com/vulnerabilities---threats/sentinelone-offers-$1-million-guarantee-to-stop-ransomware/d/d-id/1326363 EFF Files Lawsuit Challenging DMCA's Restrictions Security Researchers | Threatpost | The first stop for security news https://threatpost.com/eff-files-lawsuit-challenging-dmcas-restrictions-... Malicious computers caught snooping on Tor-anonymized Dark Web sites | Ars Technica http://arstechnica.com/security/2016/07/malicious-computers-caught-snoop... Upcoming Tor Design Battles Hidden Services Snooping | Threatpost | The first stop for security news https://threatpost.com/upcoming-tor-design-battles-hidden-services-snoop... NIST Recommends SMS Two-Factor Authentication Deprecation | Threatpost | The first stop for security news https://threatpost.com/nist-recommends-sms-two-factor-authentication-dep... How I made LastPass give me all your passwords https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-yo... Yahoo Ordered to Explain Data Gathering Procedures in Deleted Email Case | Threatpost | The first stop for security news https://threatpost.com/yahoo-ordered-to-explain-data-gathering-procedure... Verizon to End Yahoo Survival Fight With $4.8 Billion Deal - Bloomberg http://www.bloomberg.com/news/articles/2016-07-24/verizon-said-to-announ... New attack bypasses HTTPS protection on Macs, Windows, and Linux | Ars Technica http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-c... Pornhub Hack Earns Researchers $22,000 | Threatpost | The first stop for security news https://threatpost.com/pornhub-hack-earns-researchers-22000/119450/ Firefox to Block Flash in August, Disable in 2017 | Threatpost | The first stop for security news https://threatpost.com/firefox-to-block-flash-in-august-disable-in-2017/... Alan on Twitter: "spend $150 on a fancy pet feeder that doesn't feed your cat when their servers are offline what a great design https://t.co/ZXMiGuWNFE" https://twitter.com/alanzeino/status/758209842477604864 15 Vulnerabilities in SAP HANA Outlined | Threatpost | The first stop for security news https://threatpost.com/15-vulnerabilities-in-sap-hana-outlined/119406/ Wikileaks Dismantling of DNC Is Clear Attack by Putin on Clinton | Observer http://observer.com/2016/07/wikileaks-dismantling-of-dnc-is-clear-attack... Why Does DNC Hacker 'Guccifer 2.0' Talk Like This? | Motherboard https://motherboard.vice.com/read/why-does-dnc-hacker-guccifer-20-talk-l... A Hat Tip to a White Hat | A Collection of Bromides on Infrastructure https://blogs.bromium.com/2016/06/21/a-hat-tip-to-a-white-hat/

Risky Business #419 -- Brian Krebs on future of bank cybercrime

Patrick Gray — Fri, 22 Jul 2016 00:00:00 +1000

On this week's show we're catching up with Brian Krebs of Krebs On Security. He'll be talking to us about recent trends in cybercrime, and he's got a warning for security teams in the banking sector. He says things are going to get pretty sticky, and he's usually right on this stuff. This week's show is brought to you by Bugcrowd, big thanks to them. And in the sponsor slot we're speaking with HD Moore, who recently joined the company's advisory board. I know HD well and I can tell you he was initially quite sceptical of bounties. So he joins us to talk about why he changed his mind and how he plans on helping Bugcrowd do stuff better. Adam Boileau, as usual, joins us to discuss the week's security news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes WikiLeaks Dumps 'Erdogan Emails' After Turkey's Failed Coup | WIRED https://www.wired.com/2016/07/wikileaks-dumps-erdogan-emails-turkeys-fai... Turkey Blocks WikiLeaks After Dump of Government Emails | Motherboard http://motherboard.vice.com/read/turkey-erdogan-blocks-wikileaks-after-d... Ethereum Inventor: We Got 'Very Lucky' In Gamble to Save $56M From Hacker | Motherboard http://motherboard.vice.com/read/ethereum-56m-hacker-the-dao-vitalik-but... Clever Tool Shields Your Car From Hacks by Watching Its Internal Clocks | WIRED https://www.wired.com/2016/07/clever-tool-shields-car-hacks-watching-int... Big Privacy Ruling Says Feds Can't Grab Data Abroad With a Warrant | WIRED https://www.wired.com/2016/07/big-privacy-ruling-says-feds-cant-grab-dat... Baseball exec gets 46 months in prison after guessing rival team's password | Ars Technica http://arstechnica.com/tech-policy/2016/07/baseball-exec-gets-46-months-... FDIC was hacked by China, and CIO covered it up | Ars Technica http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio... Hacker 'Phineas Fisher' Speaks on Camera for the First Time-Through a Puppet | Motherboard http://motherboard.vice.com/read/hacker-phineas-fisher-hacking-team-puppet Hacker Claims to Have Sold Leaked Terrorism Watchlist 'World-Check' For $20,000 | Motherboard http://motherboard.vice.com/read/hacker-leaked-terrorism-watchlist-world... Two Million Passwords Breached in Ubuntu Hack | Threatpost | The first stop for security news https://threatpost.com/two-million-passwords-breached-in-ubuntu-hack/119... 'Prominent' Admin of Top ISIS Forum Hacked | Motherboard http://motherboard.vice.com/read/prominent-admin-of-top-isis-jihadi-foru... Activists Release Nearly 100 Years of TIME Magazine Issues For Free | Motherboard http://motherboard.vice.com/read/activists-release-nearly-100-years-of-t... httpoxy https://httpoxy.org/ Software flaw puts mobile phones and networks at risk of complete takeover | Ars Technica http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones... Google Chrome Malware Leads to Sketchy Facebook Likes | Threatpost | The first stop for security news https://threatpost.com/google-chrome-malware-leads-to-sketchy-facebook-l... Oracle Fixes 276 Vulnerabilites in July Critical Patch Update | Threatpost | The first stop for security news https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-ju... Apple Fixes Vulnerabilities Across OS X, iOS, Safari | Threatpost | The first stop for security news https://threatpost.com/apple-fixes-vulnerabilities-across-os-x-ios-safar... Cisco Talos - Talos 2016 0171 http://www.talosintelligence.com/reports/TALOS-2016-0171/ Crypto flaw made it easy for attackers to snoop on Juniper customers | Ars Technica http://arstechnica.com/security/2016/07/crypto-flaw-made-it-easy-for-att... Meet The Cyber Mercenaries Selling Spyware To Governments | Motherboard http://motherboard.vice.com/read/meet-the-cyber-mercenaries-selling-spyw... Carbanak Gang Tied to Russian Security Firm? - Krebs on Security http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-securit...

Risky Business #418 -- The rise of the crypto-Taliban

Patrick Gray — Fri, 15 Jul 2016 00:00:00 +1000

On this week's show we're chatting with The Grugq about secure messaging. Facebook has announced it's rolling out an end-to-end encryption feature and the reaction to this wonderful announcement has been somewhat bizarre. We'll be talking to Grugq about why crypto absolutists are hating on companies that are rolling out non-default e2e features. We'll also talk about a couple of interesting case studies in which e2e encryption did absolutely nothing for the people using it. This week's show is brought to you by Sensepost, an absolutely fantastic security firm that operates in England and South Africa. Sensepost has been an academy for security luminaries over the years. Haroon Meer of Thinkst was an early stage employee, Maltego creator Roelof Temmingh was a co-founder. So, they're smart. And one of the things SensePost does is security training at BlackHat in Las Vegas. They've been doing this for 15 years and Sensepost's Daniel Cuthbert will be joining us in this week's sponsor interview to talk about what courses they're offering and who winds up actually taking them. The really interesting part is it's not always security professionals in those courses. Adam Boileau, as usual, joins us to discuss the week's security news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes iOS version of Pok\xe9mon Go is a possible privacy trainwreck [Updated] | Ars Technica http://arstechnica.com/gaming/2016/07/pokemon-go-on-ios-gets-full-access... Malicious Pok\xe9mon Go Features Backdoor, RAT | Threatpost | The first stop for security news https://threatpost.com/malicious-pokemon-go-app-installs-backdoor-on-and... Chrysler Launches Detroit's First 'Bug Bounty' for Hackers | WIRED https://www.wired.com/2016/07/chrysler-launches-detroits-first-bug-bount... Paint it black: Revisiting the Blackphone and its cloudy future | Ars Technica http://arstechnica.com/information-technology/2016/07/paint-it-black-rev... Tor Project, a Digital Privacy Group, Reboots With New Board - The New York Times http://www.nytimes.com/2016/07/14/technology/tor-project-a-digital-priva... MIT Anonymity Network Riffle Promises Efficiency, Security | Threatpost | The first stop for security news https://threatpost.com/mit-anonymity-network-riffle-promises-efficiency-... Putin signs new anti-terror law in Russia. Edward Snowden is upset. - The Washington Post https://www.washingtonpost.com/world/europe/putin-signs-law-to-bolster-r... VPN Company Claims Russian Government Seized Its Servers | Motherboard http://motherboard.vice.com/read/vpn-company-private-internet-access-cla... Google Tests New Crypto in Chrome to Fend Off Quantum Attacks | WIRED https://www.wired.com/2016/07/google-tests-new-crypto-chrome-fend-off-qu... Now it's easy to see if leaked passwords work on other sites | Ars Technica http://arstechnica.com/security/2016/07/password-reuse-tool-makes-it-eas... Florida U boffins think they've defeated all ransomware \u2022 The Register http://www.theregister.co.uk/2016/07/12/ransomware_defeated/ Nation-backed malware that infected energy firm is 1 of 2016's sneakiest | Ars Technica http://arstechnica.com/security/2016/07/nation-backed-malware-that-infec... Criminal Forums Ban Hacker Linked to Myspace, LinkedIn Breaches | Motherboard http://motherboard.vice.com/read/criminal-forums-ban-hacker-linked-to-my... Taiwan banks suspend Wincor Nixdorf ATM withdrawals after crooks st... https://www.finextra.com/newsarticle/29161/taiwan-banks-suspend-wincor-n... Hacker Finds Bug to Edit or Delete Any Medium Post | Motherboard http://motherboard.vice.com/read/hacker-finds-bug-to-edit-or-delete-any-... 20-year-old Windows bug lets printers install malware-patch now | Ars Technica http://arstechnica.com/security/2016/07/20-year-old-windows-bug-lets-pri... D-Link Wi-Fi Camera Flaw Extends to 120 Products | Threatpost | The first stop for security news https://threatpost.com/d-link-wi-fi-camera-flaw-extends-to-120-products/... TP-Link forgets to register domain name, leaves config pages open to hijack | Ars Technica http://arstechnica.com/security/2016/07/tp-link-forgets-to-register-doma... July 2016 Adobe Flash Player Patches | Threatpost | The first stop for security news https://threatpost.com/adobe-patches-52-vulnerabilities-in-flash-player/... Facebook Messenger End-to-End Encryption Not On By Default | Threatpost | The first stop for security news https://threatpost.com/facebook-messenger-end-to-end-encryption-not-on-b... 'Secret Conversations:' End-to-End Encryption Comes to Facebook Messenger | WIRED https://www.wired.com/2016/07/secret-conversations-end-end-encryption-fa... Kylie Auldist - Sensational - YouTube https://www.youtube.com/watch?v=MqDDceJleh0 SensePost | Sensepost at blackhat & defcon 2016 https://www.sensepost.com/blog/2016/sensepost-at-blackhat-defcon-2016/

Risky Business #417 -- PlayPen ruling to let FBI off leash?

Patrick Gray — Fri, 08 Jul 2016 00:00:00 +1000

In this week's feature interview we're chatting with Stanford's very own Jennifer Granick about a recent ruling in a Virginia court that appears to give the FBI permission to hack into any computer it wants, sans warrant. Well that's what the headlines are screaming, anyway. But as you'll hear, it's not quite that black and white. This week's edition of the show is brought to you by Senetas, big thanks to them. We'll of course be hearing from Senetas founder and CTO Julian Fay later on in this week's sponsor segment. He's joining us to talk about the latest guidance from NIST with regard to moving towards quantum resistant encryption. You've heard Julian and I discuss why NIST thinks the industry should do this, now we're going to talk about the how. Adam Boileau, as usual, joins us to discuss the week's security news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes FBI - Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton's Use of a Personal E-Mail System https://www.fbi.gov/news/pressrel/press-releases/statement-by-fbi-direct... Infidelity website Ashley Madison facing FTC probe, CEO apologizes | Reuters http://www.reuters.com/article/us-ashleymadison-cyber-idUSKCN0ZL09J Chelsea Manning 'rushed to hospital after trying to take own life' | Americas | News | The Independent http://www.independent.co.uk/news/world/americas/chelsea-manning-rushed-... Sorry Privacy Lovers, The Blackphone Is Flirting With Failure - Forbes http://www.forbes.com/sites/thomasbrewster/2016/07/06/silent-circle-blac... Researchers Sue the Government Over Computer Hacking Law | WIRED https://www.wired.com/2016/06/researchers-sue-government-computer-hackin... Over 100 Snooping Tor Nodes Have Been Spying on Dark Web Sites | Motherboard http://motherboard.vice.com/read/over-100-snooping-tor-nodes-have-been-s... These Maps Show What the Dark Web Looks Like | Motherboard http://motherboard.vice.com/read/these-maps-show-what-the-dark-web-looks... After hiatus, in-the-wild Mac backdoors are suddenly back | Ars Technica http://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-bac... How a Hacker Is Gaming the Media to Extort His Victims | Motherboard http://motherboard.vice.com/read/how-a-hacker-is-gaming-the-media-to-ext... Scope of ThinkPwn UEFI Zero Day Expands | Threatpost | The first stop for security news https://threatpost.com/scope-of-thinkpwn-uefi-zero-day-expands/119027/ HummingBad Android Malware Connected to YiSpecter iOS Attacks | Threatpost | The first stop for security news https://threatpost.com/chinese-ad-firm-raking-in-300k-a-month-through-ad... Android's full-disk encryption just got much weaker-here's why | Ars Technica http://arstechnica.com/security/2016/07/androids-full-disk-encryption-ju... Most Post-Intrusion Cyber Attacks Involve Everyday Admin Tools | Threatpost | The first stop for security news https://threatpost.com/most-post-intrusion-cyber-attacks-involve-everyda... SSD Advisory - Wget Arbitrary Commands Execution - SecuriTeam Blogs https://blogs.securiteam.com/index.php/archives/2701 DOJ Deploys Highly-Questionable Legal Arguments In Attempt To Save FBI's Hacking Warrants | Techdirt https://www.techdirt.com/articles/20160503/17463334339/doj-deploys-highl... Another Court Finds FBI's NIT Warrants To Be Invalid, But Credits Agents' 'Good Faith' To Deny Suppression | Techdirt https://www.techdirt.com/articles/20160523/09060034525/another-court-fin... U.S. court rules that FBI can hack into a computer without a warrant | PCWorld http://www.pcworld.com/article/3088354/security/us-court-rules-that-fbi-... Senetas http://www.senetas.com/

Risky Business #416 -- Post holiday carnage edition

Patrick Gray — Fri, 01 Jul 2016 00:00:00 +1000

On this week's show we'll be catching up on the news of the last few weeks with Adam Boileau, then it's straight into the sponsor segment. And we're really lucky this week to have Dan Guido joining us from the sponsor's chair. Dan is a semi regular feature guest on Risky Business. He is of course the head honcho over at Trail of Bits, a very interesting security problem solving organisation. He'll be along to talk about some developer tools they've just open sourced for iOS, to preview DARPA's Cyber Grand challenge final at DEFCON and to discuss an investment hack/secure has made into a company building serious host based protection agents out of osquery, the endpoint visibility tool created by Facebook. One of Trail of Bits current gigs is actually developing osquery for Facebook, and Dan is pretty excited about it. Find out why after the news... Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes If you only read one item from this week's notes, make it this excellent write up from Matt Levine on the DAO fiasco: http://www.bloomberg.com/view/articles/2016-06-17/blockchain-company-s-s... Hackers invade Dems' servers, steal entire Trump opposition file | Ars Technica http://arstechnica.com/security/2016/06/hackers-invade-dems-servers-stea... "Guccifer" leak of DNC Trump research has a Russian's fingerprints on it | Ars Technica http://arstechnica.com/security/2016/06/guccifer-leak-of-dnc-trump-resea... A Chaotic Whodunnit Follows the DNC's Trump Research Hack | WIRED https://www.wired.com/2016/06/chaotic-whodunnit-follows-dncs-trump-resea... Hack Brief: Russia's Breach of the DNC Is About More Than Trump's Dirt | WIRED https://www.wired.com/2016/06/hack-brief-russias-breach-dnc-trumps-dirt/ EXCLUSIVE: Brexit '2nd Referendum Petition' A 4 Chan Prank: BBC Report It As Real | Heat Street https://heatst.com/uk/exclusive-brexit-2nd-referendum-petition-a-4-chan-... Bitcoin rival Ethereum fights for its survival after $50 million heist | Ars Technica http://arstechnica.com/security/2016/06/bitcoin-rival-ethereum-fights-fo... Anti-Surveillance Measure Quashed: Orlando Massacre Cited as Reason | Threatpost | The first stop for security news https://threatpost.com/anti-surveillance-measure-quashed-orlando-massacr... Senate Narrowly Rejects Controversial FBI Surveillance Expansion-For Now https://theintercept.com/2016/06/22/senate-narrowly-rejects-controversia... Bangladesh unlikely to extend FireEye contract for heist probe | Reuters http://www.reuters.com/article/us-cyber-heist-bangladesh-idUSKCN0Z81U6 Ukrainian bank cyber-heist: Hackers take off with $10m http://www.ibtimes.co.uk/ukrainian-bank-cyber-heist-hackers-compromise-s... Authorities Arrest an IT Worker From the Panama Papers Law Firm | WIRED https://www.wired.com/2016/06/worker-panama-papers-law-firm-arrested/ 800-pound Comodo tries to trademark upstart rival's "Let's Encrypt" name | Ars Technica http://arstechnica.com/tech-policy/2016/06/800-pound-comodo-tries-to-tra... IRS Re-Enables 'Get Transcript' Feature - Krebs on Security http://krebsonsecurity.com/2016/06/irs-re-enables-get-transcript-feature/ Rise of Darknet Stokes Fear of The Insider - Krebs on Security http://krebsonsecurity.com/2016/06/rise-of-darknet-stokes-fear-of-the-in... Citing Attack, GoToMyPC Resets All Passwords - Krebs on Security http://krebsonsecurity.com/2016/06/citing-attack-gotomypc-resets-all-pas... Thousands of Hacked Government and Corporate Servers Selling for $6 on Black Market | WIRED https://www.wired.com/2016/06/xdedic-server-trading-forum-kaspersky/ 655,000 Healthcare Records Being Sold on Dark Web | Threatpost | The first stop for security news https://threatpost.com/655000-healthcare-records-being-sold-on-dark-web/... Large botnet of CCTV devices knock the snot out of jewelry website | Ars Technica http://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-kno... Report: FBI Doing Poor Job Securing 411 Million Facial Recognition Photos | Threatpost | The first stop for security news https://threatpost.com/report-fbi-doing-poor-job-securing-411-million-fa... iOS 10 beta still encrypts user data, but not the kernel | Ars Technica http://arstechnica.com/apple/2016/06/ios-10-beta-still-encrypts-user-dat... "Godless" apps, some found in Google Play, can root 90% of Android phones | Ars Technica http://arstechnica.com/security/2016/06/godless-apps-some-found-in-googl... $90K Windows Zero Day Gets a Price Cut | Threatpost | The first stop for security news https://threatpost.com/90k-windows-zero-day-gets-a-price-cut/118594/ Patched BadTunnel Windows Bug Has 'Extensive' Impact | Threatpost | The first stop for security news https://threatpost.com/patched-badtunnel-windows-bug-has-extensive-impac... High-severity bugs in 25 Symantec/Norton products imperil millions | Ars Technica http://arstechnica.com/security/2016/06/25-symantec-products-open-to-wor... Apple Patches AirPort Remote Code Execution Flaw | Threatpost | The first stop for security news https://threatpost.com/apple-patches-airport-remote-code-execution-flaw/... A Bug in Chrome Makes It Easy to Pirate Movies | WIRED https://www.wired.com/2016/06/bug-chrome-makes-easy-pirate-movies/ 7 Ways the Cops Will Bust You on the Dark Web | Motherboard http://motherboard.vice.com/read/7-ways-the-cops-will-bust-you-on-the-da... Trail of bits stuff, including links to new open source dev tools: ---------------------------------------------------------------------------- Trail of Bits | Home https://www.trailofbits.com/ Trail of Bits | Products https://www.trailofbits.com/products/#mast Tidas \xb7 GitHub https://github.com/tidas GitHub - trailofbits/SecureEnclaveCrypto: Crypto with the Secure Enclave https://github.com/trailofbits/SecureEnclaveCrypto

Risky Business #415 -- Lauri Love talks extradition

Patrick Gray — Fri, 10 Jun 2016 00:00:00 +1000

On this week's show we're chatting with Lauri Love. Lauri is an activist facing extradition to the United States where prosecutors hope to charge him with a raft of offences relating to attacks against US government computers... he'll tell us about what's going on with his extradition hearing and why he really, really doesn't want to go to the USA. This week's show is sponsored by Tenable Network Security, big thanks to them. If you're looking for some vulnerability scanning and management software you really should talk to Tenable! In this week's sponsor interview we're chatting with Chris Cleary. He's a director of business development at Tenable. His focus is on the US federal government, so we'll be chatting to him about the fallout from the OPM breach, one year on. There have been some significant changes to the way things are done, Chris says, but it's too soon to see if they'll pan out as intended. Adam Boileau, as always, stops by to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Jacob Appelbaum Has Allegedly Engaged in Sexual Misconduct for Over a Decade http://gizmodo.com/jacob-appelbaum-has-allegedly-engaged-in-sexual-misco... Eyewitnesses Recount Tor Developer Jacob Appelbaum's Unwanted Sexual Advances http://gizmodo.com/eyewitnesses-recount-tor-developer-jacob-appelbaum-s-... He said, they said - hypatia dot ca https://hypatia.ca/2016/06/07/he-said-they-said/ Jacob Appelbaum http://jacobappelbaum.net/ Jacob Appelbaum allegedly intimidated victims into silence and anonymity | The Daily Dot http://www.dailydot.com/politics/jacob-appelbaum-tor-project-suspension-... What Jake Appelbaum did to me - Medium https://medium.com/@nickf4rr/hi-im-nick-farr-nickf4rr-35c32f13da4d#.eqfi... Tor Developer Jacob Appelbaum Resigns Amid Sex Abuse Claims | WIRED https://www.wired.com/2016/06/tor-developer-jacob-appelbaum-resigns-amid... Jacob Appelbaum allegedly intimidated victims into silence and anonymity | The Daily Dot http://www.dailydot.com/politics/jacob-appelbaum-tor-project-suspension-... Statement | The Tor Blog https://blog.torproject.org/blog/statement TwitLonger - When you talk too much for Twitter http://www.twitlonger.com/show/n_1soorlp No internet for Singapore public servants - BBC News http://www.bbc.com/news/world-asia-36476422 TeamViewer confirms number of abused user accounts is "significant" | Ars Technica http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-eviden... Mark Zuckerberg's Twitter, Pinterest accounts compromised | Ars Technica http://arstechnica.com/security/2016/06/mark-zuckerberg-twitter-pinteres... FTC's chief technologist gets her mobile phone number hijacked by ID thief | Ars Technica http://arstechnica.com/tech-policy/2016/06/ftcs-chief-technologist-gets-... University pays almost $16,000 to recover crucial data held hostage | Ars Technica http://arstechnica.com/security/2016/06/university-pays-almost-16000-to-... 100M Credentials From 'Russian Facebook' VK.com For Sale | Threatpost | The first stop for security news https://threatpost.com/100m-russian-facebook-credentials-for-sale/118483/ \u200bOne of the World's Largest Botnets Has Vanished | Motherboard http://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-v... The Troubling Metadata Sharing Program That Was Just Revealed in the UK | Motherboard http://motherboard.vice.com/read/gchq-gives-uk-police-access-to-metadata... It Takes Mere Minutes to Make a Fake, Potentially Malicious Facebook Ad | Motherboard http://motherboard.vice.com/read/it-takes-mere-minutes-to-make-a-fake-po... There's a Stuxnet Copycat, and We Have No Idea Where It Came From | Motherboard http://motherboard.vice.com/read/theres-a-stuxnet-copycat-and-we-have-no... ISIS worries that fake Android apps are spying on its ranks http://www.engadget.com/2016/06/05/isis-worries-about-fake-android-apps/ IT Admin Faces Felony for Deleting Files Under Flawed Hacking Law | WIRED https://www.wired.com/2016/06/admin-faces-felony-deleting-files-flawed-h... WordPress plugin with 10,000+ installations being exploited in the wild | Ars Technica http://arstechnica.com/security/2016/06/10000-wordpress-sites-imperilled... New Angler Exploits Bypass EMET Mitigations | Threatpost | The first stop for security news https://threatpost.com/new-angler-exploits-bypass-emet-mitigations/118485/ NTP Patches Flaws That Enable DDoS | Threatpost | The first stop for security news https://threatpost.com/ntp-patches-flaws-that-enable-ddos/118470/ June 2016 Android Security Bulletin | Threatpost | The first stop for security news https://threatpost.com/latest-android-security-bulletin-heavy-on-critica... Lenovo Tells Users to Uninstall Vulnerable Updater | Threatpost | The first stop for security news https://threatpost.com/lenovo-tells-users-to-uninstall-vulnerable-update... Uber Pays Researcher $10K for Login Bypass Exploit | Threatpost | The first stop for security news https://threatpost.com/uber-pays-researcher-10k-for-login-bypass-exploit... Facebook Messenger Vulnerability Patched | Threatpost | The first stop for security news https://threatpost.com/facebook-messenger-vulnerability-patched/118511/

Risky Business #414 - Trading on OSINT for fun and profit

Patrick Gray — Fri, 03 Jun 2016 00:00:00 +1000

On this week's show we're chatting with Australian security researcher Nik Cubrilovic. He's been doing some fascinating research into using OSINT techniques to obtain market-sensitive information. It's OSINT for fun and profit! That's this week's feature. In this week's sponsor interview we chat with Marco Slaviero, lead researcher from Thinkst Applied Research. Thinkst is, of course, the company behind Canary.tools, and Marco is along this week to talk about some free services and tools Thinkst has developed. You may have heard Haroon Meer talking about honey tokens on a previous episode. Well, the team at Thinkst have created some new honeytokens that use Microsoft's cryptoAPI to do all sorts of really funky stuff. Adam Boileau, as always, stops by to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #413 -- Matthew Green: The case against backdoors

Patrick Gray — Fri, 27 May 2016 00:00:00 +1000

In this week’s feature slot we’re joined by cryptographer Matthew Green of Johns Hopkins University. He’ll be arguing against the subversion of encryption technologies this week. Consider it a counterpoint to last week’s discussion with Stewart A Baker, former NSA general counsel. This week we get the other side of the argument! This week’s sponsor interview is also a cracker. We’re chatting with Bromium’s co-founder and CTO Simon Crosby. He’s been spending a fair bit of time lately trolling rival CTOs on Twitter, which has been somewhat hilarious to watch. We talk to him about that, and how that attitude actually informs Bromium’s strategy. We also talk about the work Bromium has been working with Microsoft to introduce microvirtualisation into Windows where it can be useful to the masses. We chat about all of that in this week’s sponsor interview with Bromium CTO and co-founder, Simon Crosby. Adam Boileau, as always, stops by to discuss the week’s news headlines. Oh, and do add Patrick and Adam on Twitter if that’s your thing.

Risky Business #412 -- Former NSA general counsel Stewart A Baker

Patrick Gray — Fri, 20 May 2016 00:00:00 +1000

On this week's show we're chatting with former NSA general counsel and Steptoe & Johnson law partner Stewart A Baker about the cryptowars! Stewart was NSA general counsel during the Clipper Chip period at NSA, and he joins us this week to talk about the second cryptowar, Apple versus the FBI and more. In this week's sponsor interview we're chatting with Senetas CTO Julian Fay about some work they've been doing with Avaya on encrypting and locking down virtual and software defined networks... The networks of the future are getting more complicated in structure but simpler to run thanks to better automation and centralised control. It's complicated stuff and I admit I was a little bit out of my depth in that interview, but it is very interesting and Julian explains it well. Adam Boileau, as always, stops by to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Chrome Defaults to HTML5 over Adobe Flash Starting in Q4 | Threatpost | The first stop for security news https://threatpost.com/chrome-defaults-to-html5-over-adobe-flash-startin... Google Set to Kill SSLv3, RC4 in SMTP, Gmail in June | Threatpost | The first stop for security news https://threatpost.com/google-set-to-kill-sslv3-and-rc4-in-smtp-gmail-in... Tavis Ormandy on Twitter: "Kernel memory corruption in Symantec/Norton antivirus, CVE-2016-2208 (more patches soon). https://t.co/Sqhm0a48Fp https://t.co/F22xDIelSU" https://twitter.com/taviso/status/732365178872856577 Patrick Gray on Twitter: "Inspecting malicious code in the kernel? That's like the bomb squad bringing a suspicious package into a kindergarten to open it. CC @taviso" https://twitter.com/riskybusiness/status/732374512449277952 TeslaCrypt shuts down and Releases Master Decryption Key http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-... The Intercept https://theintercept.com/snowden-sidtoday/ 2011 7 27 Culture Shock NSA From the Perspective of Summer Interns https://www.documentcloud.org/documents/2830624-2011-7-27-Culture-Shock-... The curious case of Besa Mafia | All Things VICE https://allthingsvice.com/2016/05/14/the-curious-case-of-besa-mafia/ Hitting on the Aussies - the Besa Mafia files | All Things VICE https://allthingsvice.com/2016/05/15/hitting-on-the-aussies-the-besa-maf... Breach of Nulled.io crime forum could cause a world of pain for members | Ars Technica http://arstechnica.com/security/2016/05/breach-of-nulled-io-crime-forum-... Tumblr Requires Password Reset | Threatpost | The first stop for security news https://threatpost.com/tumblr-accounts-must-reset-passwords/118084/ That time a patient's heart procedure was interrupted by a virus scan | Ars Technica http://arstechnica.com/security/2016/05/faulty-av-scan-disrupts-patients... Hacker fans give Mr. Robot website free security checkup | Ars Technica http://arstechnica.com/security/2016/05/hacker-fans-give-mr-robot-websit... That Insane, $81M Bangladesh Bank Heist? Here's What We Know | WIRED https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/ SWIFT Warns of Second Bank Attack via PDF Malware | Threatpost | The first stop for security news https://threatpost.com/swift-warns-of-second-bank-attack-via-pdf-malware... U.S. banks scrutinize SWIFT security after hacks: reports | Reuters http://www.reuters.com/article/us-cyber-heist-swift-banks-idUSKCN0Y82HW Exclusive: UK banks ordered to review cyber security after SWIFT heist | Reuters http://www.reuters.com/article/us-cyber-heist-bankofengland-idUSKCN0Y92KR Judge Changes Mind, Says FBI Doesn't Have to Reveal Tor Browser Hack | Motherboard http://motherboard.vice.com/read/judge-changes-mind-says-fbi-doesnt-have... Motion Filed Asking FBI To Disclose Tor Browser Zero Day | Threatpost | The first stop for security news https://threatpost.com/motion-filed-asking-fbi-to-disclose-tor-browser-z... Academics Make Theoretical Breakthrough in Random Number Generation | Threatpost | The first stop for security news https://threatpost.com/academics-make-theoretical-breakthrough-in-random... Gaping Security Hole in Android Platform Grows Larger, Researchers Claim | Threatpost | The first stop for security news https://threatpost.com/scope-of-gaping-android-security-hole-grows/118161/ Banking Trojan Outwits Google Play Malware Scanner | Threatpost | The first stop for security news https://threatpost.com/banking-trojan-outwits-google-verify-apps-scanner... Malware-Laced Porn Apps Behind Wave of Android Lockscreen Attacks | Threatpost | The first stop for security news https://threatpost.com/malware-laced-porn-apps-behind-wave-of-android-lo... Don't Use Allo | Motherboard http://motherboard.vice.com/read/dont-use-google-allo John McAfee Apparently Tried to Trick Reporters Into Thinking He Hacked WhatsApp http://gizmodo.com/john-mcafee-apparently-tried-to-trick-reporters-into-... Adobe Emergency Update Patches Flash Zero Day | Threatpost | The first stop for security news https://threatpost.com/emergency-flash-update-patches-public-zero-day/11... Major Remote SSH Security Issue in CoreOS Linux Alpha, Subset of Users Affected https://coreos.com/blog/alpha-security-incident-subset-of-users-affected... The Bank Job https://boris.in/blog/2016/the-bank-job/ Stewart Baker - Wikipedia, the free encyclopedia https://en.wikipedia.org/wiki/Stewart_Baker RSS Feed http://www.steptoe.com/feed-Cyberlaw.rss France votes to penalize companies for refusing to decrypt devices, messages | Ars Technica http://arstechnica.com/tech-policy/2016/03/france-votes-to-penalise-comp... complementing_avaya_fabric_connect_with_senetas_encryption_dn7794.pdf https://www.avaya.com/usa/documents/complementing_avaya_fabric_connect_w...

Risky Business #411 -- Ruining the ImageMagick party

Patrick Gray — Fri, 13 May 2016 00:00:00 +1000

On this week's show we're taking a look at the backstory to the ImageMagick bug. There's a fair bit more to that one than has been reported so far and we'll chat with Ryan Huber about that. This week's show is sponsored by BugCrowd, so in this week's sponsor interview we're joined by Casey Ellis, BugCrowd's CEO. We're also joined by Katie Moussouris, former chief policy officer from HackerOne. She's now a freelance bug bounty consultant working across the whole industry and she's got some interesting stuff to say about where all this bounty madness is headed. We have a chat about what she's up to, why she launched a consulting business, and I get Casey and Katie's thoughts on what the next five years could look like in bug bounty land. Adam Boileau, as always, stops by to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes UPDATE: When these notes were first posted the link to the php bugs discussed wasn't in them. Here it is: https://github.com/dyntopia/exploits -- $1B Bangladesh heist: Officials say SWIFT technicians left bank vulnerable | Ars Technica http://arstechnica.com/security/2016/05/1b-bangladesh-heist-officials-sa... You Don't See This Often: Simultaneous FBI, DHS, and DoD Cyber Espionage Alerts | Motherboard http://motherboard.vice.com/read/rare-simultaneous-fbi-dhs-and-dod-cyber... Yahoo Releases Second Wave Unsealed FISA Documents | Threatpost | The first stop for security news https://threatpost.com/yahoo-releases-second-wave-of-unsealed-fisc-docum... Twitter Denies Intelligence Community Fire Hose Access Via Dataminr | Threatpost | The first stop for security news https://threatpost.com/twitter-turns-off-fire-hose-for-intelligence-comm... How a security pro's ill-advised hack of a Florida elections site backfired | Ars Technica http://arstechnica.com/security/2016/05/how-a-security-pros-ill-advised-... PwnedList Shutdown Unrelated to Parameter Tampering Vulnerability | Threatpost | The first stop for security news https://threatpost.com/pwnedlist-shutdown-unrelated-to-recent-vulnerabil... Another Day, Another Hack: Passwords and Sexual Desires for Dating Site 'Fling' | Motherboard http://motherboard.vice.com/read/another-day-another-hack-passwords-and-... Another Day, Another Hack: Is Your Fisting Site Updating Its Forum Software? | Motherboard http://motherboard.vice.com/read/rosebuttboard-ip-board No more get-out-of-jail-free card for CryptXXX ransomware victims | Ars Technica http://arstechnica.com/security/2016/05/no-more-get-out-of-jail-free-car... Someone Replaced Notorious 'Locky' Ransomware With a Dud File | Motherboard http://motherboard.vice.com/read/someone-replaced-notorious-locky-ransom... Microsoft and Adobe warn of separate zero-day vulnerabilities under attack | Ars Technica http://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attac... New Windows 10 build kills controversial password-sharing Wi-Fi Sense | ExtremeTech http://www.extremetech.com/computing/228259-new-windows-10-build-kills-c... New Security Flaw Found in Lenovo Solution Center Software | Threatpost | The first stop for security news https://threatpost.com/new-security-flaw-found-in-lenovo-solution-center... Tavis Ormandy on Twitter: "Many remote stack overflows in Symantec Endpoint. No big deal, because /GS is the default since 2005, right? Hahaha. https://t.co/ac40M0Ki90" https://twitter.com/taviso/status/730249521247068162 Critical Qualcomm security bug leaves many phones open to attack | Ars Technica http://arstechnica.com/security/2016/05/5-year-old-android-vulnerability... Chinese ARM vendor left developer backdoor in kernel for Android, "Pi" devices | Ars Technica http://arstechnica.com/security/2016/05/chinese-arm-vendor-left-develope... Viking Horde Malware Co-Ops Android Devices for Ad Fraud | Threatpost | The first stop for security news https://threatpost.com/viking-horde-malware-co-ops-android-devices-for-a... SS7 Attack Circumvents WhatsApp and Telegram Encryption http://news.softpedia.com/news/ss7-attack-leaves-whatsapp-and-telegram-e... Feds probe mobile phone industry over the sad state of security updates | Ars Technica http://arstechnica.com/security/2016/05/feds-probe-mobile-industrys-secu... Security researcher Stefan Esser releases iPhone & iPad jailbreak detection tool in iOS App Store | 9to5Mac http://9to5mac.com/2016/05/10/security-research-stefan-esser-releases-ip... Microsoft Security Intelligence Report: Top Takeaways | Threatpost | The first stop for security news https://threatpost.com/old-exploits-die-hard-says-microsoft-report/117918/ Attackers Targeting Critical SAP Flaw Since 2013 | Threatpost | The first stop for security news https://threatpost.com/attackers-targeting-critical-sap-flaw-since-2013/... Facebook Capture The Flag Platform Open Source | Threatpost | The first stop for security news https://threatpost.com/facebook-makes-its-ctf-platform-freely-available/... Snowden's Surveillance Leaks Made People Less Likely to Read About Surveillance | Motherboard http://motherboard.vice.com/read/snowdens-surveillance-leaks-made-people... lcamtuf's blog: Clearing up some misconceptions around the "ImageTragick" bug https://lcamtuf.blogspot.com.br/2016/05/clearing-up-some-misconceptions-... .:: Phrack Magazine ::. http://www.phrack.org/issues/69/1.html Untitled https://threatbutt.com/press/Threatbutt-DZIR-2016.pdf

Risky Business #410 -- Mainframe security: Too big to fail?

Patrick Gray — Fri, 06 May 2016 00:00:00 +1000

On this week's show we're chatting with Chad Rikansrud about mainframe security. Yes, they're old school, but there are many, many reasons why large organisations still use these hunks of big iron. And as you'll hear, because they're so important to the companies they basically run, management can get a bit twitchy when you want to do crazy stuff to them, like, you know, pentest them. We'll find out what mainframe security issues look like with Chad Rikansrud, after this week's news. In this week's sponsor interview we're chatting with Jack Daniel about this year's Data Breach Investigation Report. If I'm being honest, and with total respect to Verizon's RISK team, this year's report was a little dull and contained some really bizarre numbers regarding vulnerability exploitation. We'll get Jack's thoughts on that in this week's sponsor interview. As (mostly) always, Adam Boileau joins the show to discuss this week's news. Also the not news. About certain people not being the creators of certain cryptocurrencies. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Craig Wright is not Satoshi Nakamoto - New Web Order https://www.nikcub.com/posts/craig-wright-is-not-satoshi-nakamoto/ Extraordinary Claims Require Extraordinary Proof - Dr. Craig Wright BlogDr. Craig Wright Blog http://www.drcraigwright.net/extraordinary-claims-require-extraordinary-... I am Craig Wright, inventor of Craig Wright \u2022 The Register http://www.theregister.co.uk/2016/05/03/bitcoin_craig_wright/ ImageMagick Security Issue - ImageMagick https://www.imagemagick.org/discourse-server/viewtopic.php?t=29588 Public Exploits Available for ImageMagick Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/public-exploits-available-for-imagemagick-vulnera... Bipartisan Committee Leaders Seek Briefings from Communications Providers on Vulnerabilities of SS7 | Energy and Commerce Committee https://energycommerce.house.gov/news-center/press-releases/bipartisan-c... So \u2026 Now the Government Wants to Hack Cybercrime Victims | WIRED https://www.wired.com/2016/05/now-government-wants-hack-cybercrime-victims/ Tuesday 10 May: Lauri Love ruling may create dangerous new police powers | Courage Love https://freelauri.com/2016/04/28/tuesday-10-may-lauri-love-ruling-may-cr... Eurocops get new cyber powers to hunt down terrorists, criminals | Ars Technica http://arstechnica.com/tech-policy/2016/05/eurocops-get-new-cyber-powers... Brazilian Judge Overturns 72-Hour WhatsApp Suspension | Threatpost | The first stop for security news https://threatpost.com/brazilian-judge-overturns-72-hour-whatsapp-suspen... Privacy Activists Cheer Passage of Email Privacy Act, Brace for Senate Battle | Threatpost | The first stop for security news https://threatpost.com/privacy-activists-cheer-passage-of-email-privacy-... Please Don't Pay Ransoms, FBI Urges - DataBreachToday http://www.databreachtoday.com/blogs/please-dont-pay-ransoms-fbi-urges-p... Hacking Slack accounts: As easy as searching GitHub | Ars Technica http://arstechnica.com/security/2016/04/hacking-slack-accounts-as-easy-a... Rainbow Six: Siege reportedly reveals your IP address to potential attackers | Ars Technica http://arstechnica.com/gaming/2016/04/rainbow-six-siege-reportedly-revea... Fraudsters Steal Tax, Salary Data From ADP - Krebs on Security http://krebsonsecurity.com/2016/05/fraudsters-steal-tax-salary-data-from... How the Pwnedlist Got Pwned - Krebs on Security http://krebsonsecurity.com/2016/05/how-the-pwnedlist-got-pwned/ A Dramatic Rise in ATM Skimming Attacks - Krebs on Security http://krebsonsecurity.com/2016/04/a-dramatic-rise-in-atm-skimming-attacks/ Dental Assn Mails Malware to Members - Krebs on Security http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/ 10-Year-Old Hacks Instagram; Wins $10K From Facebook - Forbes http://www.forbes.com/sites/thomasbrewster/2016/05/03/facebook-10-year-o... Unskilled Pro-ISIS Hackers A Growing Threat | Threatpost | The first stop for security news https://threatpost.com/unskilled-pro-isis-hackers-a-growing-threat/117726/ Q1 Summary from Chrome Security - Google Groups https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/2e-bkPdHvfE Scourge of Android Overlay Malware on Rise | Threatpost | The first stop for security news https://threatpost.com/scourge-of-android-overlay-malware-on-rise/117720/ Google Patches More Trouble in Mediaserver | Threatpost | The first stop for security news https://threatpost.com/google-patches-more-trouble-in-mediaserver/117758/ Office 365 Vulnerability Exposed Any Federated Account | Threatpost | The first stop for security news https://threatpost.com/office-365-vulnerability-exposed-any-federated-ac... Microsoft Expands Bug Bounty Program, Preps Windows Server 2016 for Final Release | Threatpost | The first stop for security news https://threatpost.com/nano-server-added-to-microsoft-bug-bounty-program... Linux Foundation Badge Program Boost Open Source Security | Threatpost | The first stop for security news https://threatpost.com/linux-foundation-badge-program-to-boost-open-sour... Aging and bloated OpenSSL is purged of 2 high-severity bugs | Ars Technica http://arstechnica.com/security/2016/05/aging-and-bloated-openssl-is-pur... Commercial software chokkas with ancient brutal open source vulns \u2022 The Register http://www.theregister.co.uk/2016/05/04/commercial_software_chokkas_with... NIST readies 'post-quantum' crypto competition \u2022 The Register http://www.theregister.co.uk/2016/05/04/nist_readies_postquantum_crypto_... Flaws in Samsung's 'Smart' Home Let Hackers Unlock Doors and Set Off Fire Alarms | WIRED https://www.wired.com/2016/05/flaws-samsungs-smart-home-let-hackers-unlo... Defence bankrolls Oz Govt's infosec threat sharing strategy \u2022 The Register http://www.theregister.co.uk/2016/05/04/defence_bankrolls_oz_govts_infos... Wi-Fi network named 'mobile detonation device' grounds plane \u2022 The Register http://www.theregister.co.uk/2016/05/03/wifi_hotspot_named_mobile_detona... A Note on the Verizon DBIR 2016 Vulnerabilities Claims | OSVDB https://blog.osvdb.org/2016/04/27/a-note-on-the-verizon-dbir-2016-vulner... Collaborative Data Science - Inside the 2016 Verizon DBIR Vulnerability Section. - Kenna Blog http://blog.kennasecurity.com/2016/05/collaborative-data-science-inside-...

Risky Business #409 -- Talking SWIFT hacks, news, with Adam Boileau

Patrick Gray — Thu, 28 Apr 2016 00:00:00 +1000

On this week's show Adam Boileau and Patrick Gray talk about the week's information security news before diving into a detailed look at multiple recent attacks against banks' SWIFT infrastructure. It's the Metlstorm hour of power! Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes James Clapper: Snowden sped up sophistication of crypto, "it's not a good thing" | Ars Technica http://arstechnica.com/tech-policy/2016/04/top-intelligence-official-sno... Viber Heats Up Crypto-Debate: Adds Encryption to 711 Million Users | Threatpost | The first stop for security news https://threatpost.com/viber-heats-up-cypto-debate-adds-encryption-to-71... UK intel agencies spy indiscriminately on millions of innocent folks | Ars Technica http://arstechnica.com/tech-policy/2016/04/uk-secret-police-surveillance... FBI paid at least $1.3M for zero-day to get into San Bernardino iPhone | Ars Technica http://arstechnica.com/tech-policy/2016/04/fbi-paid-at-least-1-3m-for-ze... The Other Reason the FBI Doesn't Want to Reveal Its Hacking Techniques | Motherboard http://motherboard.vice.com/read/fbi-hacking-techniques In a first, US military plans to drop "cyberbombs" on ISIS, NYT says | Ars Technica http://arstechnica.com/security/2016/04/us-military-plans-to-drop-cyberb... Hacking group "PLATINUM" used Windows' own patching system against it | Ars Technica http://arstechnica.com/security/2016/04/hacking-group-platinum-used-wind... The Uber scammers who take users for a (very expensive) ride | Money | The Guardian http://www.theguardian.com/money/2016/apr/22/uber-scam-hacking-account-p... German nuclear plant's fuel rod system swarming with old malware | Ars Technica http://arstechnica.com/security/2016/04/german-nuclear-plants-fuel-rod-s... Active drive-by exploits critical Android bugs, care of Hacking Team | Ars Technica http://arstechnica.com/security/2016/04/active-drive-by-attacks-exploit-... SpyEye Makers Get 24 Years in Prison - Krebs on Security http://krebsonsecurity.com/2016/04/spyeye-makers-get-24-years-in-prison/ PoS Attack Net Crooks 20 Million Bank Cards, Up to $400 Million | Threatpost | The first stop for security news https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-car... New Decryptor Unlocks CryptXXX Ransomware | Threatpost | The first stop for security news https://threatpost.com/new-decryptor-unlocks-cryptxxx-ransomware/117668/ Latest TeslaCrypt Targets New File Extensions, Invests Heavily in Evasion | Threatpost | The first stop for security news https://threatpost.com/latest-teslacrypt-targets-new-file-extensions-inv... Empty DDoS Threats: Meet the Armada Collective https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/ Core Windows Utility Can Be Used to Bypass AppLocker | Threatpost | The first stop for security news https://threatpost.com/core-windows-utility-can-be-used-to-bypass-apploc... One Million Access Facebook Over Tor | Threatpost | The first stop for security news https://threatpost.com/one-million-access-facebook-over-tor/117653/ DRAM bitflipping exploits that hijack computers just got easier | Ars Technica http://arstechnica.com/security/2016/04/dram-bitflipping-exploits-that-h... How I Hacked Facebook, and Found Someone's Backdoor Script | DEVCORE \u6234\u592b\u5bc7\u723e http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones... The Ingenious Way Iranians Are Using Satellite TV to Beam in Banned Internet | WIRED http://www.wired.com/2016/04/ingenious-way-iranians-using-satellite-tv-b... Hector Martin on Twitter: "How to panic a current @grsecurity kernel as any user: $ script /dev/null https://www.reddit.com/r/programming/comments/4gn0dr/hector_martin_on_tw... Trent Smith on Twitter: "@riskybusiness I'm hoping @NSAGov just missed April Fools day by a couple of weeks https://t.co/CXe8dd0Isc" https://twitter.com/TrentatESD/status/724598800921194496 Here are a bunch of links related to SWIFT: $10 router blamed in Bangladesh bank hack - BBC News http://www.bbc.com/news/technology-36110421 BAE Systems Threat Research Blog: Two bytes to $951m http://baesystemsai.blogspot.com.br/2016/04/two-bytes-to-951m.html CyberCrime & Doing Time: Is the Bank of Bangladesh ready for the Global Economy? http://garwarner.blogspot.com.br/2016/04/is-bank-of-bangladesh-ready-for... Exclusive: SWIFT warns customers of multiple cyber fraud cases | Reuters http://in.reuters.com/article/us-cyber-banking-swift-exclusive-idINKCN0X... Lessons Learned from Biggest Bank Heist in History -- CIO Update http://www.cioupdate.com/trends/article.php/3600126/Lessons-Learned-from... Bangladesh Bank hackers compromised SWIFT software, warning issued | Reuters http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-... 'Crypto Wars' timeline: A history of the new encryption debate http://www.dailydot.com/politics/encryption-crypto-wars-backdoors-timeli... Brazilian Cybercrime Bills Threaten Open Internet for 200 Million People https://theintercept.com/2016/04/26/brazilian-cybercrime-bills-threaten-...

Risky Business #408 -- Advertising ecosystem security with Dan Kaminsky, news with Grugq

Patrick Gray — Thu, 21 Apr 2016 00:00:00 +1000

On this week's show, as promised, we'll be checking in with Dan Kaminsky of WhiteOps to discuss their bread and butter -- click fraud prevention. We also get his thoughts on what the ad industry could do to stamp out malvertising. As you'll hear, he thinks the only way forward is to actually fix browsers. Seems sensible to us! Adam Boileau is taking a well-deserved week off, so The Grugq pops in to fill in. We'll chat to him about all the infosec news of the last week. Oh, and do add Patrick and Grugq on Twitter if that's your thing. Show notes How Hacking Team got hacked | Ars Technica http://arstechnica.com/security/2016/04/how-hacking-team-got-hacked-phin... How hackers eavesdropped on a US Congressman using only his phone number | Ars Technica http://arstechnica.com/security/2016/04/how-hackers-eavesdropped-on-a-us... Apple stops patching QuickTime for Windows despite 2 active vulnerabilities | Ars Technica http://arstechnica.com/security/2016/04/apple-stops-patching-quicktime-f... Adobe warns that uninstalling vulnerable QuickTime for Windows can break Creative Cloud | ZDNet http://www.zdnet.com/article/adobe-warns-that-uninstalling-vulnerable-qu... Microsoft Wins Widespread Support in Privacy Clash With Govt. | Threatpost | The first stop for security news https://threatpost.com/microsoft-wins-widespread-support-in-privacy-clas... Apple and FBI Faceoff at House Encryption Hearing | Threatpost | The first stop for security news https://threatpost.com/apple-and-fbi-faceoff-at-house-encryption-hearing... BlackBerry CEO Defends Lawful Access Principles, Supports Phone Hack | Threatpost | The first stop for security news https://threatpost.com/blackberry-ceo-defends-lawful-access-principles-s... 2015 Google Android Security Report | Threatpost | The first stop for security news https://threatpost.com/android-security-report-29-percent-of-active-devi... Cisco Talos Blog: Widespread JBoss Backdoors a Major Threat http://blog.talosintel.com/2016/04/jboss-backdoor.html IRS Chief: Agency Faces Loss of Key InfoSec Personnel http://www.govinfosecurity.com/irs-chief-agency-faces-loss-key-infosec-p... Matthew Keys Sentenced to Two Years for Aiding Anonymous | WIRED http://www.wired.com/2016/04/journalist-matthew-keys-sentenced-two-years... A Scheme to Encrypt the Entire Web Is Actually Working | WIRED http://www.wired.com/2016/04/scheme-encrypt-entire-web-actually-working/ Researchers Crack Microsoft and Google's Shortened URLs to Spy on People | WIRED http://www.wired.com/2016/04/researchers-cracked-microsoft-googles-short... Flashback: Declassified 1970 DOD cybersecurity document still relevant | Ars Technica http://arstechnica.com/security/2016/04/flashback-declassified-1970-dod-... Underwriters Labs refuses to share new IoT cybersecurity standard | Ars Technica http://arstechnica.com/security/2016/04/underwriters-labs-refuses-to-sha... New MIT Scanner Finds Web App Flaws in a Minute | Threatpost | The first stop for security news https://threatpost.com/new-mit-scanner-finds-web-app-flaws-in-a-minute/1... VMware Patches Critical Session Handling Vulnerability | Threatpost | The first stop for security news https://threatpost.com/vmware-patches-critical-session-handling-vulnerab... 'Blackhole' Exploit Kit Author Gets 7 Years - Krebs on Security http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-y...

Risky Business #407 -- Guests HD Moore, Dan Kaminsky, Grugq and Space Rogue

Patrick Gray — Thu, 14 Apr 2016 00:00:00 +1000

On this week's show we chat with HD Moore about the woeful state of security at Panamanian law firms. Mossack Fonseca isn't the only one that truly, truly sucks at security. We also check in with Dan Kaminsky to get his reaction to the BadLock bug. Tenable Network Security's Cris "Space Rogue" Thomas joins us to talk about what we could expect this year when it comes to security startups. He's expecting quite a few of them to fold. The Grugq joins the show this week to discuss the week's security news. He's filling in for Adam Boileau who's travelling in Australia. Oh, and do add Patrick and Grugq on Twitter if that's your thing. Show notes Badlock Windows, Samba Man-in-the-Middle Vulnerability | Threatpost | The first stop for security news https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype... Hyping vulnerabilities is no longer helping application security awareness | TechCrunch http://techcrunch.com/2016/04/11/hyping-vulnerabilities-is-no-longer-hel... That 'Badlock' Bug Is More Hype Than Hurt | WIRED http://www.wired.com/2016/04/badlock-bug-hype-hurt/ Yes, Badlock bug was shamelessly hyped, but the threat is real | Ars Technica http://arstechnica.com/security/2016/04/yes-badlock-bug-was-shamelessly-... How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History | WIRED http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-... The Panama papers: Australia leads OECD response as crime links emerge | afr.com http://www.afr.com/news/policy/tax/the-panama-papers-oecd-emergency-meet... The Senate's Draft Encryption Bill Is 'Ludicrous, Dangerous, Technically Illiterate' | WIRED http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-night... Adobe patches Flash bug that's being exploited to install ransomware | Ars Technica http://arstechnica.com/security/2016/04/adobe-flash-update-ransomware-wi... OK, panic-newly evolved ransomware is bad news for everyone | Ars Technica http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomwar... Meet The Cryptoworm, The Future of Ransomware | Threatpost | The first stop for security news https://threatpost.com/meet-the-cryptoworm-the-future-of-ransomware/117330/ Crypto ransomware targets called by name in spear-phishing blast | Ars Technica http://arstechnica.com/security/2016/04/crypto-ransomware-targets-called... Locky Ransomware Variant Changes C2, Spread Via Nuclear Exploit Kit | Threatpost | The first stop for security news https://threatpost.com/locky-variant-changes-c2-communication-found-in-n... Experts crack nasty ransomware that took crypto-extortion to new heights | Ars Technica http://arstechnica.com/security/2016/04/experts-crack-nasty-ransomware-t... Google Online Security Blog: Improvements to Safe Browsing Alerts for Network Administrators https://security.googleblog.com/2016/04/improvements-to-safe-browsing-al... Apple Bug Exposed Chat History With a Single Click https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-... FBI: $2.3 Billion Lost to CEO Email Scams - Krebs on Security http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/ "This is the IRS regarding your tax filings" says trio of overseas robocallers | Ars Technica http://arstechnica.com/information-technology/2016/04/three-overseas-fra... Hack Brief: Turkey Breach Spills Info on More Than Half Its Citizens | WIRED http://www.wired.com/2016/04/hack-brief-turkey-breach-spills-info-half-c... Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice | WIRED http://www.wired.com/2016/04/bug-bounty-guru-katie-moussouris-will-help-... Researchers help shut down spam botnet that enslaved 4,000 Linux machines | Ars Technica http://arstechnica.com/security/2016/04/researchers-help-shut-down-spam-... Neutered random number generator let man rig million dollar lotteries | Ars Technica http://arstechnica.com/security/2016/04/neutered-random-number-generator... Nation-wide radio station hack airs hours of vulgar "furry sex" ramblings | Ars Technica http://arstechnica.com/security/2016/04/nation-wide-radio-station-hack-a... BREACH Revived to Steal Private Messages from Gmail, Facebook | Threatpost | The first stop for security news https://threatpost.com/breach-attacks-revived-to-steal-private-messages-... WhatsApp is now most widely used end-to-end crypto tool on the planet | Ars Technica http://arstechnica.com/tech-policy/2016/04/whatsapp-is-now-most-widely-u... Steam hacker says more vulnerabilities will be found, but not by him | Ars Technica http://arstechnica.com/gaming/2016/04/steam-hacker-says-more-vulnerabili... Sources: Trump Hotels Breached Again - Krebs on Security http://krebsonsecurity.com/2016/04/sources-trump-hotels-breached-again/ New Threat Can Auto-Brick Apple Devices - Krebs on Security http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/ centos7 - Recovering from a rm -rf / - Server Fault https://serverfault.com/questions/769357/recovering-from-a-rm-rf The 'Darth Vader' of Cyberwar Sold Services to Canada | VICE News https://news.vice.com/article/the-darth-vader-of-cyberwar-sold-services-...

Risky Business #406 -- Making a killing from bug bounty programs

Patrick Gray — Thu, 31 Mar 2016 00:00:00 +1100

On this week's show we're chatting with Nathaniel Wakelam, a professional bug bounty participant who, distressingly, at age 20, earns shitloads more money than I do! We'll talk to him about how he got into bug bounties, and how he manages to take down a massive paycheck in such a competitive space. In this week's sponsor interview we're chatting with Senetas Security's Simon Galbally about the mess that is Australia's data breach notification legislation. This week's episode is sponsored by Senetas, an Australian company that designs and manufactures quite excellent layer 2 encryption gear. Adam Boileau, as always, will also pop in to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes The FBI Drops Its Case Against Apple After Finding a Way Into That iPhone | WIRED http://www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/ iOS forensics expert's theory: FBI will hack shooter's phone by mirroring storage | Ars Technica http://arstechnica.com/security/2016/03/ios-forensics-experts-theory-fbi... 63 Times the Feds Asked Apple and Google to Help Unlock Phones | Motherboard http://motherboard.vice.com/en_au/read/63-times-the-feds-used-the-all-wr... The Government Has Used the All Writs Act on Android Phones At Least 9 Times | Motherboard http://motherboard.vice.com/en_au/read/google-has-helped-the-feds-access... Dark Web's Got a Bad Rep: 7 in 10 People Want It Shut Down, Study Shows | WIRED http://www.wired.com/2016/03/study-finds-7-10-people-want-dark-web-shut/ CloudFlare: 94 percent of the Tor traffic we see is "per se malicious" | Ars Technica http://arstechnica.com/tech-policy/2016/03/new-data-suggests-94-percent-... FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos \u2022 The Register http://www.theregister.co.uk/2016/03/29/fbi_tor/ Pro-Tip: If You're a Suspected Dark Web Drug Dealer, Don't Trademark Your #Brand | Motherboard http://motherboard.vice.com/en_au/read/suspected-dark-web-vendor-charged... New ransomware installs in boot record, encrypts hard disk [Updated] | Ars Technica http://arstechnica.com/security/2016/03/new-ransomware-installs-in-boot-... Why Hospitals Are the Perfect Targets for Ransomware | WIRED http://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-ta... Crooks Steal, Sell Verizon Enterprise Customer Data - Krebs on Security http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-... Big-Name Law Firms Fall Victim To Hackers | Threatpost | The First Stop For Security News https://threatpost.com/big-name-law-firms-fall-victim-to-hackers/117096/ Gumtree serves world's worst exploit kit to scores of Aussies \u2022 The Register http://www.theregister.co.uk/2016/03/29/gumtree_aus_serving_angler/ Certified Ethical Hacker website caught spreading crypto ransomware | Ars Technica http://arstechnica.com/security/2016/03/certified-ethical-hacker-website... Mal Men men hit LiveJournal with Angler exploit kit \u2022 The Register http://www.theregister.co.uk/2016/03/30/angler_malvertising_livejournal/ Stealthy malware targeting air-gapped PCs leaves no trace of infection | Ars Technica http://arstechnica.com/security/2016/03/stealthy-malware-targeting-air-g... Hype Around the Mysterious 'Badlock' Bug Raises Criticism | WIRED http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-c... Cops: Lottery terminal hack allowed suspects to print more winning tickets | Ars Technica http://arstechnica.com/security/2016/03/cops-lottery-terminal-hack-allow... Phishing Victims Muddle Tax Fraud Fight - Krebs on Security http://krebsonsecurity.com/2016/03/phishing-victims-muddle-tax-fraud-fight/ Microsoft Deploys Macro-Blocker In Office To Curb Malware | Threatpost | The First Stop For Security News https://threatpost.com/microsoft-deploys-macro-blocking-feature-in-offic... 1,400+ Vulnerabilities Identified In Medical Supply System | Threatpost | The First Stop For Security News https://threatpost.com/1400-vulnerabilities-to-remain-unpatched-in-medic... Apple Intel HD3000 Graphics Kernel Driver Patch | Threatpost | The First Stop For Security News https://threatpost.com/patched-apple-bug-paved-way-to-root-compromises/1... Emergency Java Patch Re-Issued For 2013 Vulnerability | Threatpost | The First Stop For Security News https://threatpost.com/emergency-java-patch-re-issued-for-2013-vulnerabi... Racist troll says he sent white supremacist flyers to public printers at colleges | Ars Technica http://arstechnica.com/information-technology/2016/03/public-printers-at... Let Me Get That Door for You: Remote Root Vulnerability in HID Door Controllers - http://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-do... Senetas http://www.senetas.com/

Risky Business #405 -- Doxing Africa's W2 scammers, FBiOS and more

Patrick Gray — Thu, 24 Mar 2016 00:00:00 +1100

On this week's show we're chatting with myNetWatchman's Donald McCarthy about some research he's done into these crews shaking down US companies for W2 forms. He and his colleagues have identified at least 40 crews involved in this stuff. We'll get the skinny on that in this week's feature interview. We're also chatting with Haroon Meer this week in the sponsor interview. Haroon is the head honcho over at Thinkst Applied Research and we'll be talking to him some more about the fantastic honeypot product they've released: Canary.Tools. With thousands of them now sold, we'll be asking Haroon why he's been able to make honeypots a commercial success and a security win after something like 16 years of them going nowhere despite industry people saying they're the next big thing. Adam Boileau, as always, will also pop in to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes iOS forensics expert's theory: FBI will hack shooter's phone by mirroring storage | Ars Technica http://arstechnica.com/security/2016/03/ios-forensics-experts-theory-fbi... Judge: Order to Compel Apple Has Been 'Unenforceable' All Along | Motherboard http://motherboard.vice.com/en_au/read/judge-order-to-compel-apple-has-b... Attention Turns To FBI's 'Outside Party' | Threatpost | The First Stop For Security News https://threatpost.com/attention-turns-to-fbis-outside-party/116931/ Hack Brief: Update iOS Now to Fix a Serious iMessage Crypto Flaw | WIRED http://www.wired.com/2016/03/hack-brief-update-ios-fix-serious-imessage-... 'Apple Should Replace the Entirety of iMessage', Warn Encryption Researchers | Motherboard http://motherboard.vice.com/en_au/read/apple-should-replace-imessage-enc... Hack Brief: No Need to Freak Out Over That Chinese iPhone Malware | WIRED http://www.wired.com/2016/03/hack-brief-no-need-freak-chinese-iphone-mal... Android rooting bug opens Nexus phones to "permanent device compromise" | Ars Technica http://arstechnica.com/security/2016/03/rooting-bug-in-android-opens-nex... Stagefright Variant 'Metaphor' Puts Millions Of Samsung, LG And HTC Phones At Risk | Threatpost | The First Stop For Security News https://threatpost.com/stagefright-variant-metaphor-puts-millions-of-sam... A Government Error Just Revealed Snowden Was the Target in the Lavabit Case | WIRED http://www.wired.com/2016/03/government-error-just-revealed-snowden-targ... Emails show NSA rejected Hillary Clinton's request for secure smartphone - CBS News http://www.cbsnews.com/news/emails-show-nsa-rejected-hillary-clinton-req... The FBI Warns That Car Hacking Is a Real Risk | WIRED http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/ Uber Will Pay $10,000 'Bug Bounties' to Friendly Hackers | WIRED http://www.wired.com/2016/03/uber-bug-bounties/ Paris terrorists used burner phones, not encryption, to evade detection | Ars Technica http://arstechnica.com/tech-policy/2016/03/paris-terrorist-attacks-burne... Once thought safe, DDR4 memory shown to be vulnerable to "Rowhammer" | Ars Technica http://arstechnica.com/security/2016/03/once-thought-safe-ddr4-memory-sh... Judge Won't Consider EFF's Arguments in FBI Mass Hacking Case | Motherboard http://motherboard.vice.com/en_au/read/judge-in-fbi-mass-hacking-case-wo... CanSecWest 2016 Attack Attribution False Flags | Threatpost | The First Stop For Security News https://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/1... BinDiff Now Free, To Delight Of Security Researchers | Threatpost | The First Stop For Security News https://threatpost.com/bindiff-now-free-to-delight-of-security-researche... Home Depot Agrees $19.5 Million To Settle 2014 Breach | Threatpost | The First Stop For Security News https://threatpost.com/home-depot-agrees-to-19-5-million-settlement-to-e... Pwn2Own Day Two: Safari, Microsoft Edge Go Down Winner Announced | Threatpost | The First Stop For Security News https://threatpost.com/pwn2own-day-two-safari-microsoft-edge-go-down-win... Hospital Declares 'Internal State of Emergency' After Ransomware Infection - Krebs on Security http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-e... How Pirates And Hackers Worked Together To Steal Millions Of Dollars In Diamonds - BuzzFeed News http://www.buzzfeed.com/josephbernstein/how-pirates-and-hackers-worked-t... How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript \u2022 The Register http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos?mt=1458722195866 Company behind the Badlock disclosure says pre-patch hype is good for business | CSO Online http://www.csoonline.com/article/3047221/techology-business/company-behi... Special Meetup with Thomas Dullien aka Halvar Flake - Null Singapore - YouTube https://www.youtube.com/watch?v=fkDD2ea7SD8 HITBSecConf2016 - Amsterdam http://conference.hitb.org/hitbsecconf2016ams/ Canary - know when it matters https://canary.tools/

Risky Business #403 -- Inside Islamic State's doc leak

Patrick Gray — Thu, 17 Mar 2016 00:00:00 +1100

On this week's show we're chatting with David Wells. He's ex GCHQ and ASD but these days he's a counterterrorism boffin with the Lowy Institute. He's joining us to discuss the IS document leak. Depending on which story you read its either the death of the organisation or it won't do anything at all to disrupt it. We get David's thoughts on what this leak will actually for the so-called Caliphate. In this week's sponsor interview we're doing something a bit different.. following on from last week's interview with Re/Code's Arik Hesseldahl we're chatting with Tenable's CFO, Steve Vintz. And you know what? It's really interesting getting his perspectives on what's happening in the BUSINESS of security -- the type of analysis a guy like Steve does is different from how security people do it, and he's got some really interesting perspectives on what 2016 could bring. Long story short? Expect consolidation among smaller vendors as CSOs look to trim the number of vendors in their supply chain. Adam Boileau, as always, will also pop in to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Apple's Brief Hits the FBI With a Withering Fact Check | WIRED http://www.wired.com/2016/03/apple-fact-checks-the-feds-in-latest-brief/ Government Calls Apple's iPhone Arguments in San Bernardino Case a 'Diversion' | WIRED http://www.wired.com/2016/03/government-calls-apples-iphone-arguments-sa... Apple Lambasts the FBI for Not Asking the NSA to Help Hack San Bernardino iPhone | WIRED http://www.wired.com/2016/03/apple-lambasts-fbi-not-asking-nsa-help-hack... Former cyber czar says NSA could crack the San Bernadino shooter's phone | Ars Technica http://arstechnica.com/tech-policy/2016/03/former-cyber-czar-says-nsa-co... In the FBI's Crypto War, Apps May Be the Next Target | WIRED http://www.wired.com/2016/03/fbi-crypto-war-apps/ John Oliver explains why iPhone encryption debate is no joking matter | Ars Technica http://arstechnica.com/tech-policy/2016/03/john-oliver-explains-why-ipho... AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device - Palo Alto Networks BlogPalo Alto Networks Blog http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios... Spelling mistake prevented hackers taking $1bn in bank heist | Business | The Guardian http://www.theguardian.com/business/2016/mar/10/spelling-mistake-prevent... Thousands of Trucks, Buses, and Ambulances May Be Open to Hackers | WIRED http://www.wired.com/2016/03/thousands-trucks-buses-ambulances-may-open-... To bypass code-signing checks, malware gang steals lots of certificates | Ars Technica http://arstechnica.com/security/2016/03/to-bypass-code-signing-checks-ma... Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated] | Ars Technica http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-ma... Hackers Target Anti-DDoS Firm Staminus - Krebs on Security http://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/ Dam you! Justice Dept. to indict Iranians for probing flood control network | Ars Technica http://arstechnica.com/security/2016/03/dam-you-justice-dept-to-indict-i... Steam Stealer Malware "Booming Business" For Attackers Targeting Gaming Service | Threatpost | The First Stop For Security News https://threatpost.com/steam-stealer-malware-booming-business-for-attack... Thieves Phish Moneytree Employee Tax Data - Krebs on Security http://krebsonsecurity.com/2016/03/thieves-phish-moneytree-employee-tax-... Botched Java patch leaves millions vulnerable to 30-month-old attack | Ars Technica http://arstechnica.com/security/2016/03/botched-java-patch-leaves-millio... Adobe issues emergency patch for actively exploited code-execution bug | Ars Technica http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for... Hack Brief: ISIS Data Breach Identifies 22,000 Members | WIRED http://www.wired.com/2016/03/hack-brief-isis-data-breach-identifies-2200... The Jihadist List Hyped as the 'Biggest ISIS Intelligence Haul Ever' Is a Bizarre, Inaccurate Mess http://gizmodo.com/the-jihadist-list-hyped-as-the-biggest-isis-intellige... Lowy Institute for International Policy | Interpret.Inform.Influence. http://www.lowyinstitute.org/

Risky Business #402 -- Why are infosec companies tanking on the NASDAQ?

Patrick Gray — Thu, 10 Mar 2016 00:00:00 +1100

On this week's show we're chatting with re/code's senior editor and "enterprise dude" Arik Hesseldahl about the business of infosec. Information security related stocks and shares are tanking on indexes all over the world... why? How can this be happening in a $75bn sector that is tipped to grow into a $175bn sector in the next four years? Arik will join us with the skinny on that. But don't panic, tanking infosec share prices might be a good thing for the discipline. We'll find out why a bit later on. In this week's sponsor interview we chat with BugCrowd CEO Casey Ellis. This week Casey joins us to discuss the Pentagon's decision to open up a bounty program. Adam Boileau, as always, will also pop in to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Hottest Topics To Come Out Of RSA Conference http://www.darkreading.com/threat-intelligence/hottest-topics-to-come-ou... Top iPhone Hackers Ask Court to Protect Apple From the FBI | WIRED http://www.wired.com/2016/03/top-iphone-hackers-ask-court-protect-apple-... Amazon Backtracks On Encryption Removal | Threatpost | The first stop for security news https://threatpost.com/amazon-backtracks-on-encryption-removal-mum-on-wh... Edward Snowden on Twitter: "The global technological consensus is against the FBI. Why? Here's one example: https://t.co/t2JHOLK8iU #FBIvsApple https://t.co/mH1ZXOOQ1E" https://twitter.com/Snowden/status/707299113449230336 Seagate Phish Exposes All Employee W-2's - Krebs on Security http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/ IRS Suspends Insecure 'Get IP PIN' Feature - Krebs on Security http://krebsonsecurity.com/2016/03/irs-suspends-insecure-get-ip-pin-feat... Cancer Clinic Warns 2.2 Million Of Records Breach | Threatpost | The first stop for security news https://threatpost.com/cancer-clinic-warns-2-2-million-patients-of-recor... Facebook Password Reset Bug Gave Hacker Access To Any Account | Threatpost | The first stop for security news https://threatpost.com/facebook-password-reset-bug-gave-hackers-access-t... Hacker who exposed Bush family e-mails, photos will be extradited to US | Ars Technica http://arstechnica.com/security/2016/03/hacker-who-exposed-bush-family-e... China is building a big data platform for "precrime" | Ars Technica http://arstechnica.com/information-technology/2016/03/china-is-building-... First Mac-targeting ransomware hits Transmission users, researchers say | Ars Technica http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-h... Malware hijacks big four Australian banks apps, steals two-factor SMS codes http://www.theage.com.au/technology/consumer-security/malware-hijacks-bi... Google Fixes Critical Mediaserver Bug, Again | Threatpost | The first stop for security news https://threatpost.com/google-fixes-critical-android-mediaserver-bugs-ag... John McAfee tells Ars he's fighting a lonely battle, but he's not lying | Ars Technica http://arstechnica.com/information-technology/2016/03/john-mcafee-tells-... Issue 758 - google-security-research - Linux netfilter IPT_SO_SET_REPLACE memory corruption - Google Security Research - Google Project Hosting https://code.google.com/p/google-security-research/issues/detail?id=758 Cybersecurity\u200b \u200bMarket Reaches $75 Billion In 2015\u200b;\u200b \u200bExpected To Reach $170 Billion By 2020 - Forbes http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8... Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac... Home - bugcrowd.com | Bugcrowd | Crowdsourced Cybersecurity. Fully managed bug bounty programs. https://bugcrowd.com/

Risky Business #401 -- Deserialisation attacks are kind of a big deal

Patrick Gray — Thu, 03 Mar 2016 00:00:00 +1100

On this week's show we get into a serious technical discussion about deserialisation attacks with with one of Adam Boileau's colleagues, Brendan Jamieson about the biggest issue in infosec that no one is talking about -- deserialisation vulnerabilities and their exploitation. This attack class is a serious problem in enterprise environments thanks to the release of the YSoSerial tool about a year ago. Pen-testers who are across this bug class are finding issues everywhere they look, and hardly anyone is talking about it. But we do, this week. Also this week we'll chat with Chris Gatford, the big Kahuna over at this week's sponsor HackLabs. I was talking to Chris recently and he mentioned that cryptolocker ransomware really isn't just affecting consumers anymore. There was the recent news about a hospital in California that got hosed by ransomware, but I always thought that was the exception to the rule and that consumers were the most likely group to be affected by this stuff. Nope, wrong. Ransomware is getting inside corporate networks and causing all sorts of drama, Chris joins us soon to talk about that. Big thanks to HackLabs for its sponsorship of this week's show! Adam Boileau, as always, will also pop in to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Apple and FBI Take Their iPhone Hacking Fight to Congress | WIRED http://www.wired.com/2016/03/apple-and-fbi-iphone-hacking-fight-congress... Judge Says Apple Doesn't Have to Unlock iPhone in Case Similar to San Bernardino | WIRED http://www.wired.com/2016/02/judge-says-apple-doesnt-have-to-unlock-ipho... How the Feds Could Get Into iPhones Without Apple's Help | WIRED http://www.wired.com/2016/03/feds-might-get-iphones-without-apples-help/ Apple vs. the FBI: Catch up on the iPhone encryption hearing http://www.engadget.com/2016/03/02/apple-fbi-encryption-congress-hearing/ John McAfee better prepare to eat a shoe because he doesn't know how iPhones work | Ars Technica http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-ea... US to renegotiate rules on exporting "intrusion software" | Ars Technica http://arstechnica.com/tech-policy/2016/03/us-to-renegotiate-rules-on-ex... Hackers did indeed cause Ukrainian power outage, US report concludes | Ars Technica http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukraini... Brazil detains Facebook VP after he failed to give up user data http://www.engadget.com/2016/03/01/brazil-detains-facebook-vp-after-he-f... Brazil court orders release of arrested Facebook exec http://www.engadget.com/2016/03/02/brazil-orders-release-of-facebook-exec/ FBI's Tor Hack Shows the Risk of Subpoenas to Security Researchers | WIRED http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security... Judge Confirms CMU Paid to Break Tor | Threatpost | The first stop for security news https://threatpost.com/judge-confirms-dod-funded-research-to-decloak-tor... Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac... More than 11 million HTTPS websites imperiled by new decryption attack | Ars Technica http://arstechnica.com/security/2016/03/more-than-13-million-https-websi... Hacker Says He Can Hijack a $35K Police Drone a Mile Away | WIRED http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mil... Pirates hacked a shipping firm to find boats to raid http://www.engadget.com/2016/03/01/pirates-hack-shipping-company/ Windows Defender Advanced Threat Protection uses cloud power to figure out you've been pwned | Ars Technica http://arstechnica.com/information-technology/2016/03/windows-defender-a... Payroll data leaked for current, former Snapchat employees | Ars Technica http://arstechnica.com/security/2016/02/payroll-data-leaked-for-current-... Thieves Nab IRS PINs to Hijack Tax Refunds - Krebs on Security http://krebsonsecurity.com/2016/03/thieves-nab-irs-pins-to-hijack-tax-re... Why The Java Deserialization Bug Is A Big Deal http://www.darkreading.com/informationweek-home/why-the-java-deserializa... GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. https://github.com/frohoff/ysoserial Penetration Testing & Web Application Security - HackLabs http://www.hacklabs.com/

Risky Business #400 -- FBiOS with Adam PLUS guest Daniel Hodson

Patrick Gray — Thu, 25 Feb 2016 00:00:00 +1100

On this week's podcast we'll hear from Daniel Hodson of Elttam Security here in Australia. Daniel and his business partner Matt Jones have been looking into the security of messaging software that has recommended by the EFF. Does a bunch of ticks from the EFF actually say much about app security? Well, not really, as it turns out. In this week's sponsor interview we hear from Senetas co-founder and CTO Julian Fay. Senetas, of course, make layer 2 encryption equipment. They'll be releasing a 100Gbps full line rate encryption box soon, they make awesome kit. But this week Julian joins us to weigh in, briefly, on the Apple vs FBI mess, as well as to have a discussion about some interesting use cases he's seen for layer two stuff lately. Adam Boileau, as always, will also pop in to discuss the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Apple Is Said to Be Trying to Make It Harder to Hack iPhones - The New York Times http://www.nytimes.com/2016/02/25/technology/apple-is-said-to-be-working... Apple-FBI Fight Asks: Is Code Protected as Free Speech? - Bloomberg Business http://www.bloomberg.com/news/articles/2016-02-24/apple-fbi-fight-asks-i... Apple: Congress, not courts, must decide http://bigstory.ap.org/article/8c7f8004bac3466dbb7ba27f13c1cc08/apple-co... Apple Attorney Reveals Dozen Other iPhone Requests from FBI | Threatpost | The first stop for security news https://threatpost.com/apple-attorney-reveals-dozen-other-iphone-request... Delicate Hardware Hacks Could Unlock Shooter's iPhone | Threatpost | The first stop for security news https://threatpost.com/delicate-hardware-hacks-could-unlock-shooters-iph... Apple Says the Government Bungled Its Chance to Get That iPhone's Data | WIRED http://www.wired.com/2016/02/apple-says-the-government-bungled-its-chanc... Encryption isn't at stake, the FBI knows Apple already has the desired key | Ars Technica http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-kn... How the FBI could use acid and lasers to access data stored on seized iPhone | Ars Technica http://arstechnica.com/security/2016/02/how-the-fbi-could-use-acid-and-l... Linux Mint hit by malware infection on its website, forum after hack attack | Ars Technica http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infect... Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industr... Troy Hunt: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html Man admits he stole nude celebrity pics from Apple and Gmail accounts | Ars Technica http://arstechnica.com/tech-policy/2016/02/man-admits-he-stole-nude-cele... More insecure security software: Comodo's on-by-default VNC app | Ars Technica http://arstechnica.com/security/2016/02/more-insecure-security-software-... Tor: 'Mystery' spike in hidden addresses - BBC News http://www.bbc.com/news/technology-35614335 IRS Email Tax Scams Up 400 Percent | Threatpost | The first stop for security news https://threatpost.com/irs-warns-tax-related-phishing-malware-surging/11... Phishers Spoof CEO, Request W2 Forms - Krebs on Security http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/ Google Wants to Save News Sites From Cyberattacks-For Free | WIRED http://www.wired.com/2016/02/google-wants-save-news-sites-cyberattacks-f... Joomla Joins WordPress As TeslaCrypt Ransomware Target | Threatpost | The first stop for security news https://threatpost.com/joomla-sites-join-wordpress-as-teslacrypt-ransomw... The Sony Hackers Were Causing Mayhem Years Before They Hit the Company | WIRED http://www.wired.com/2016/02/sony-hackers-causing-mayhem-years-hit-company/ Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC | WIRED http://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-ha... Bosses Harness Big Data to Predict Which Workers Might Get Sick - NASDAQ.com http://www.nasdaq.com/article/bosses-harness-big-data-to-predict-which-w... Rogue Chinese iOS App Removed from App Store | Threatpost | The first stop for security news https://threatpost.com/rogue-ios-app-gets-boot-after-slipping-into-app-s... Angler Exploit Kit Attacks Silverlight Vulnerability | Threatpost | The first stop for security news https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-... We Could Not Look the Survivors in the Eye if We Did Not Follow this Lead - Lawfare https://www.lawfareblog.com/we-could-not-look-survivors-eye-if-we-did-no... A review of the EFF secure messaging scorecard... - elttam https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scor... Senetas http://www.senetas.com/

Risky Business #399 -- Apple vs the Government of the United States

Patrick Gray — Thu, 18 Feb 2016 00:00:00 +1100

On this week's show we chat with Dan Guido from Trail of Bits about the stoush between Apple and the US department of justice. In this week's sponsor interview we speak with Cris Thomas, a.k.a. Space Rogue. Cris works for Tenable Network Security, this week's sponsor, and he joins us in this week's podcast to talk about NIST's cyber security framework. Adam Boileau joins the show to discuss the week's security news. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Customer Letter - Apple http://www.apple.com/customer-letter/ SB-Shooter-Order-Compelling-Apple-Asst-iPhone https://www.documentcloud.org/documents/2714001-SB-Shooter-Order-Compell... New report contends mandatory crypto backdoors would be futile | Ars Technica http://arstechnica.com/tech-policy/2016/02/new-report-contends-mandatory... Apple can comply with the FBI court order - Trail of Bits Blog http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou... Magnitude of glibc Vulnerability Coming to Light | Threatpost | The first stop for security news https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/... glibc Linux remote code execution vulnerability | Threatpost | The first stop for security news https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machi... Extremely severe bug leaves dizzying number of software and devices vulnerable | Ars Technica http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizz... #6886 (uClibc segfault in getaddrinfo() when receiving long IPv6 DNS responses (probably stack corruption)) - OpenWrt https://dev.openwrt.org/ticket/6886 U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict - The New York Times http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-pl... Password cracking attacks on Bitcoin wallets net $103,000 | Ars Technica http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bit... Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning | Ars Technica http://arstechnica.com/apple/2016/02/warning-bug-in-adobe-creative-cloud... Opsec fail: Baltimore teen car thieves paired phones with Jeep UConnect | Ars Technica http://arstechnica.com/security/2016/02/opsec-fail-baltimore-teen-car-th... Patients diverted to other hospitals after ransomware locks down key software | Ars Technica http://arstechnica.com/security/2016/02/la-hospital-latest-victim-of-tar... LA hospital coughs up $17,000 to free PCs held to ransom by hackers \u2022 The Register http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/?mt=1455761... Honeypots Help Illustrate Scores of Vulnerabilities in Medical Devices | Threatpost | The first stop for security news https://threatpost.com/honeypots-illustrate-scores-of-vulnerabilities-in... 'Ricochet', the Messenger That Beats Metadata, Passes Security Audit | Motherboard http://motherboard.vice.com/read/ricochet-encrypted-messenger-tackles-me... ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs http://eprint.iacr.org/2016/129.pdf Apple can comply with the FBI court order - Trail of Bits Blog http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!

Patrick Gray — Thu, 11 Feb 2016 00:00:00 +1100

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible. We're sticking with the economics theme in this week's feature interview. We'll be chatting with Jonahan Cran, VP of operations for BugCrowd about their recently released Defensive Vulnerability Pricing Model. They've also released their Vulnerability Rating Taxonomy. Both of these documents are really, really interesting, so stay tuned for this week's sponsor interview to hear all about them! Adam Boileau joins us, as always, to discuss the week's security news. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Execute My Packet | Exodus Intelligence https://blog.exodusintel.com/2016/01/26/firewall-hacking/ Obama wants you to join CyberCorps Reserve to help feds get their act together | Ars Technica http://arstechnica.com/tech-policy/2016/02/obama-wants-you-join-the-cybe... Moscow raids could signal end of global Dyre bank trojan menace \u2022 The Register http://www.theregister.co.uk/2016/02/10/moscow_raids_could_signal_end_of... Dridex malware exploit distributes antivirus installer-hack suspected | Ars Technica http://arstechnica.com/security/2016/02/dridex-malware-exploit-distribut... Java "RAT-as-a-Service" backdoor openly sold through website to scammers | Ars Technica http://arstechnica.com/security/2016/02/java-rat-as-a-service-backdoor-o... Clever bank hack allowed crooks to make unlimited ATM withdrawals | Ars Technica http://arstechnica.com/security/2016/02/clever-bank-hack-allowed-crooks-... Skimmers Hijack ATM Network Cables - Krebs on Security http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ Relive your worst MS-DOS file-deletion memories at the Malware Museum | Ars Technica http://arstechnica.com/security/2016/02/relive-your-worst-ms-dos-file-de... Parents urged to boycott VTech toys after hack - BBC News http://www.bbc.com/news/technology-35532644 Flash flushed as Google orders almost all ads to adopt HTML5 \u2022 The Register http://www.theregister.co.uk/2016/02/10/google_orders_advertisers_to_ado... How to Hack the Power Grid Through Home Air Conditioners | WIRED http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air... Julian Assange's 3.5-Year Detainment in Embassy Ruled Unlawful | WIRED http://www.wired.com/2016/02/julian-assanges-3-5-year-detainment-in-emba... Gmail to warn you if your friends aren't using secure e-mail | Ars Technica http://arstechnica.com/information-technology/2016/02/gmail-to-warn-you-... Chrome picks up bonus security features on Windows 10 | Ars Technica http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bo... UC Berkeley profs lambast new "black box" network monitoring hardware | Ars Technica http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybers... Zero Day Initiative announces Pwn2Own 2016 - Hewlett Packard Enterprise Community http://community.hpe.com/t5/Security-Research/Zero-Day-Initiative-announ... th\xe1i: Exploiting the Diffie-Hellman bug in socat https://vnhacker.blogspot.co.nz/2016/02/exploiting-diffie-hellman-bug-in... Gordon-Loeb Model for Cybersecurity Investments - YouTube https://www.youtube.com/watch?v=cd8dT0FuqQ4 Bugcrowd's Vulnerability Rating Taxonomy https://pages.bugcrowd.com/vulnerability-rating-taxonomy Bugcrowd's Defensive Vulnerability Pricing Model https://pages.bugcrowd.com/whats-a-bug-worth-2015-survey

Things I've learned from the Risky Business listener survey

Patrick Gray — Tue, 09 Feb 2016 00:00:00 +1100

As many of you would know, last week I posted a listener survey to SurveyMonkey. I dropped the link on Twitter and then mentioned it in the show. I wasn't really expecting much of a response, but after about a week, 500 of you have already spent the time to fill out the questionnaire. Thanks! A few of you are a bit nervous that Risky Business is about to radically change. It won't. The plan is to add more content -- yes, sponsored content -- and to leave the main show more or less completely untouched. There will be a maximum of fourteen new individual podcasts added per calendar year. That will bring the total number of podcasts posted in a year to 58 from 44. The addition of those extra, wholly sponsored podcasts will do things like fund an interview booker, producer and researcher. This is going to mean a MUCH better main podcast, and I'd also encourage you to bear with me when it comes to the additional sponsored stuff -- I think I can make it not suck. I'll write another post that spells out these changes in more detail soon. Back to the survey -- there were two reasons for doing it: To collect a bit more demographic data on listeners for advertisers, as well as get some feedback on possible new content ideas and improvements I could be making to the show. The data collected so far has been pretty interesting. Prior to this survey I've only been able to guess about who my listeners are and how they actually feel about the show. So here's what I've learned after 500 responses: 1. Your demographics are... The majority of listeners are aged between 35-50, with the remaining listeners are mostly in the 21-35 bracket. 72% of you work in the infosec discipline, and 54% of all listeners have been working in infosec for more than four years. 81% of respondents listen to Risky Business every week. Around a third of you work on staff for a large enterprise and 10% of you work for a federal or state government. There's a smattering of consultants, contractors and engineers in the audience mix and surprisingly, 15% of you are software developers! Here's something the advertisers will love: 24% of the audience are upper-mid to upper management. That means they're a C-level executive (includes CSO), information security director/manager, IT manager/director or a product security manager. 15% of you work for organisations with large networks -- over 50,000 endpoints. The overwhelming majority of you (80%) listen to Risky Business during your commute, but some of you listen at home and others sneak in some audio at work. 2. You all love the news segment. Universally, everyone loves the news segment and finds Adam hilarious. You've noticed that we don't disagree as much as we used to, you miss that friction, and you wish we wouldn't cover things like vendor patches unless they're particularly noteworthy. It's true. When Adam replaced Munir Kotadia as the regular News Guy seven(ish) years ago, we would often fire up at each other. The thing is, our opinions and perspectives have largely converged over the last (almost) decade. Adam used to be a pretty rabid beardy hacker guy who held complete disdain for CSOs and big business in general. I used to be a freelance (former staff reporter) newspaper journalist who regarded arguing as a bloodsport. But these days Adam's a serious biz security consultant who runs a shit-hot professional services firm and I'm someone who realises listening to someone berating their guests in an audio program isn't actually entertaining; you can still draw out uncomfortable truths in an interview without being a dick about it. The agenda has also changed in that time and there is much more consensus in the infosec community on certain key issues than there used to be. Our arguing each week was a reflection of the bigger argument happening all around us. I like to think we gave a voice to some of these conversations at a time when the majority of the tech media was talking about stuff infosec practitioners weren't actually interested in. Now the norms are established, there's less to argue about. I agree that it makes for slightly less entertaining listening, but hey, what can you do? A lot of the big issues have simply been worked out. But we will stop covering patches at the end of the news. A few people have commented that it's the wrong medium for that sort of information and they're absolutely right. Now for something surprising: All of you love Adam, but some of you like a bit of diversity every now and then in the news segment. You enjoy mixing it up with special news guests like Adam's colleague Mark "Pipes" Piper, HD Moore, Haroon Meer or The Grugq. This is something for us to work out on this end. Over the last few years Adam has become increasingly busy being a Cyber Hacker Entrepreneur(tm) so he'd probably relish the chance to sit out a few episodes. Or maybe not. We don't know yet. But don't worry, we'll likely do another survey before we make any changes. 3. You demand the show stays critical of vendors and the industry It's sad but it's true, it's hard to find media outlets in infosec (and tech in general) that are as critical of the industry as they should be. To tell you the truth, when I first started Risky Business and it actually made money I was stunned. There was no way I thought it would actually *last*. I thought the vendors would figure out that they were paying for us to piss all over them and I'd wind up on some sort of blacklist. But the thing is, if you do it right, vendors don't mind a little kick in the ass, as long as it's fair, and as long as it's not in the segment they're sponsoring. (Do it in the news beforehand!) Maintaining editorial independence has always been extremely important to me and it's great to see that it's one of the things the audience values most about the show. I've found it downright amazing that the vendors who pick up the tab also respect that. Have I ever pulled a punch because of sponsorship arrangements? I'd be lying if I said no. On a few rare occasions over the last decade I have. But in my defence I'd say the punches I've pulled have been cheap shots to begin with. When it comes to anything substantive I've always played it straight, and I *have* lost a couple of advertisers/sponsors over the years because of critical coverage. But that's what's great about having multiple sponsors. You take a little hit, you keep quiet about it, and you know what? They come back eventually. Hakuna matata. 4. You love/hate the music segment at the end Results here are proof you can't make everyone happy. People either love the music segment at the end of the show or they flat out hate it. Considering it's right at the end of the program I don't see why the haters get annoyed by it. Just press stop! But while we're on the topic, it's gotten a lot harder for me to find music for every week's show. I have to find stuff that's sufficiently obscure that I won't wind up sued by rights holders but of sufficient quality to be entertaining. I'm 396 episodes deep and I'm running out of ideas. I don't go to as many gigs as I used to so these days I'm just exposed to less indie music. So from now on I'll only be including music when I've come across something interesting. I'm going to stop searching for it. The pressure of finding something new every week is getting to me. 5. You want some little changes You want the show notes in the podcast description not a separate post, you want full post content in RSS and you want more than eight historical episodes available through iTunes. The main website is pretty ugly and that bothers some of you (a new one is coming) and you think it's ridiculous that it serves via http. (It is, and that's changing.) You'd love it if we released merch, but none of that "CafePress junk"; you want it done properly. One thing you don't want to change is the length. An hour is about right, but some of you would like even more, and a few of you a bit less. I'll be writing a couple of other blog posts over the next week or two spelling out some of the mooted changes to risky.biz, and what I plan to do with the site in the medium term. Thanks so much to everyone who filled in the survey!

Risky Business #397 -- Guest HD Moore joins the show!

Patrick Gray — Fri, 05 Feb 2016 00:00:00 +1100

******Here's a link to the Risky Business listener survey. Please take some time to fill it in! It'll really help the show!******** On this week's show we're checking in with HD Moore. He's left Rapid7 after six years and he'll be along to fill us in on his future plans in this week's feature interview. He'll also be reassuring all you Metasploit users out there that he'll be staying involved. He'll talk about a couple of absolutely awful bugs and he'll also weigh in on NorseGate: The implosion of the world's most cybery cyber advanced threat intelligence derpa derpa firm. This week's show is brought to you by an Australian security consultancy, HackLabs. It's probably worth noting for our American friends that the Australian exchange rate has shifted pretty substantially over the last six months or so... so Australia might be a pretty good place for you to send some app review work! In this week's sponsor interview HackLabs founder and head honcho Chris Gatford joins us to discuss strategies for administering unmaintained and hideously vulnerable enterprise apps. Microsoft has end-of-lifed a stack of old IE versions, Oracle is killing the Java browser plugin... this will leave a lot of legacy apps marooned. So what can you do? Adam Boileau joins us, as always, to discuss the week's security news. He also discusses Java deserialisation attacks that are shaping up as a major attack vector for 2016. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes ------------ Oracle deprecates the Java browser plugin, prepares for its demise | Ars Technica http://arstechnica.com/information-technology/2016/01/oracle-deprecates-... Good Riddance to Oracle's Java Plugin - Krebs on Security http://krebsonsecurity.com/2016/02/good-riddance-to-oracles-java-plugin/ Sources: Security Firm Norse Corp. Imploding - Krebs on Security http://krebsonsecurity.com/2016/01/sources-security-firm-norse-corp-impl... NSA Hacker Chief Explains How to Keep Him Out of Your System | WIRED http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-o... National Security Agency plans major reorganization - The Washington Post https://www.washingtonpost.com/world/national-security/national-security... A technical reading of the "HIMR Data Mining Research Problem Book" | Conspicuous Chatter https://conspicuouschatter.wordpress.com/2016/02/03/a-technical-reading-... Default settings in Apache may decloak Tor hidden services | Ars Technica http://arstechnica.com/security/2016/02/default-settings-in-apache-may-d... Crypto flaw was so glaring it may be intentional eavesdropping backdoor | Ars Technica http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-ma... UN rules in favour of Julian Assange http://www.theage.com.au/world/un-rules-in-favour-of-assange-20160204-gm... Corrupt Silk Road Investigator Re-Arrested for Allegedly Trying to Flee the US | WIRED http://www.wired.com/2016/02/corrupt-silk-road-investigator-re-arrested-... Former Energy Department employee admits trying to spear phish coworkers | Ars Technica http://arstechnica.com/tech-policy/2016/02/former-energy-department-empl... FTC: Tax Fraud Behind 47% Spike in ID Theft - Krebs on Security http://krebsonsecurity.com/2016/01/ftc-tax-fraud-behind-47-spike-in-id-t... HSBC online banking suffers major outage, blames DDoS attack | Ars Technica http://arstechnica.com/security/2016/01/hsbc-online-banking-suffers-majo... eBay has no plans to fix "severe" bug that allows malware distribution [Updated] | Ars Technica http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-... PayPal Java Serialization Vulnerability | Threatpost | The first stop for security news https://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/ Government Promises Comment Period on Next Wassenaar Draft | Threatpost | The first stop for security news https://threatpost.com/government-promises-comment-period-on-next-wassen... VirusTotal Firmware Malware Implant Scanning | Threatpost | The first stop for security news https://threatpost.com/virustotal-supports-firmware-scanning/116072/ Mysterious spike in WordPress hacks silently delivers ransomware to visitors | Ars Technica http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-ha... High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic | Ars Technica http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-all... Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android | InfoWorld http://www.infoworld.com/article/3028079/security/google-fixes-multiple-... Google engineer finds holes in three 'secure' browsers http://www.engadget.com/2016/02/04/tavis-ormandy-chromium-bug-hunter/ Penetration Testing & Web Application Security - HackLabs http://www.hacklabs.com/

Risky Business #396 -- Chris Wysopal on scanning for backdoors

Patrick Gray — Thu, 28 Jan 2016 00:00:00 +1100

On this week's show we've got two feature interviews! We're talking to Chris Wysopal from Veracode about using static analysis techniques to find back doors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough. We also check in with Martijn Grooten, editor of Virus Bulletin. We're having a quick chat to him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. He's been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact. This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. Personally think this stuff is great.. just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools. Adam Boileau, as always, drops in for a chat about the week's news headlines. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Israel's electric authority hit by "severe" hack attack [Updated] | Ars Technica http://arstechnica.com/security/2016/01/israels-electric-grid-hit-by-sev... Israeli Electric Authority Attacked, Potential Ransomware | Threatpost | The first stop for security news https://threatpost.com/israeli-electric-authority-hit-by-severe-cyber-at... SANS Industrial Control Systems Security Blog | Context for the Claim of a Cyber Attack on the Israeli Electric Grid | SANS Institute https://ics.sans.org/blog/2016/01/27/context-for-the-claim-of-a-cyber-at... Wendy's Probes Reports of Credit Card Breach - Krebs on Security https://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card... Moment of truth: Feds must say if they used backdoored Juniper firewalls | Ars Technica http://arstechnica.com/tech-policy/2016/01/moment-of-truth-feds-must-say... Secret SSH backdoor in Fortinet hardware found in more products | Ars Technica http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-... Media devices sold to feds have hidden backdoor with sniffing functions | Ars Technica http://arstechnica.com/security/2016/01/media-devices-sold-to-feds-have-... Lenovo SHAREit App Hard-Coded Password | Threatpost | The first stop for security news https://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-... Yet another bill seeks to weaken encryption-by-default on smartphones | Ars Technica http://arstechnica.com/tech-policy/2016/01/yet-another-bill-seeks-to-wea... Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr... How Amazon customer service was the weak link that spilled my data | Ars Technica http://arstechnica.com/security/2016/01/how-amazon-customer-service-was-... "Internet of Things" security is hilariously broken and getting worse | Ars Technica http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-th... NYC Launches Investigation Into Hackable Baby Monitors | WIRED http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/ HD Moore Leaves Rapid7 for Venture Capital Opportunity | Threatpost | The first stop for security news https://threatpost.com/hd-moore-to-build-new-venture-capital-firm/115969/ Zcash, an Untraceable Bitcoin Alternative, Launches in Alpha | WIRED http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-la... Government Investigation of Alleged Bitcoin Creator Craig Wright Intensifies - CoinDesk http://www.coindesk.com/australia-government-bitcoin-creator-craig-wrigh... Firm Sues Cyber Insurer Over $480K Loss - Krebs on Security http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/ Scarlet Mimic Behind Espionage Campaign Against Tibetan, Uyghur Activists | Threatpost | The first stop for security news https://threatpost.com/scarlet-mimic-group-behind-four-year-campaign-aga... Bot Fraud to Cost Advertisers $7 Billion in 2016 | Threatpost | The first stop for security news https://threatpost.com/bot-fraud-to-cost-advertisers-7-billion-in-2016/1... Skype Now Hides Your Internet Address - Krebs on Security http://krebsonsecurity.com/2016/01/skype-now-hides-your-internet-address/ Cisco MiniUPnP Stack Smashing Protection Attack | Threatpost | The first stop for security news https://threatpost.com/miniupnp-vulnerability-clears-way-for-stack-smash... January 2016 Apple Security Patches iOS, OS X, Safari | Threatpost | The first stop for security news https://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/11... OpenSSL to Patch Two Vulnerabilities This Week | Threatpost | The first stop for security news https://threatpost.com/openssl-to-patch-two-vulnerabilities-this-week/11... Magento Update Addresses XSS, CSRF Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/magento-update-addresses-xss-csrf-vulnerabilities... Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme | WIRED http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-c... iOS cookie theft bug allowed hackers to impersonate users | Ars Technica http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hac... Oracle Pushes Java Fix: Patch It or Pitch It - Krebs on Security http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pi... Canary - know when it matters https://canary.tools/ canarytokens.net http://canarytokens.org/generate

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance

Patrick Gray — Thu, 21 Jan 2016 00:00:00 +1100

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things. We'll be talking about moves by both browser developers and some CAs to deprecate SHA1 signed certificates. He says we need to support SHA-1 for now and he explains why soon. We're also chatting with him about the Juniper fiasco. We also get his thoughts on NSA surveillance now he's responsible for the security of user information at the world's biggest social media platform. In this week's sponsor interview we chat with Tenable network security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's going on outside your network, that doesn't mean you should treat these services as a big blindspot. That's this week's feature interview, with big thanks to Tenable Network Security, this week's sponsor! Adam Boileau is back this week to discuss the news headlines we missed while we were on break. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes "Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-fir... New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raise... Researchers confirm backdoor password in Juniper firewall code | Ars Technica http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-pas... Juniper drops NSA-developed code following new backdoor revelations | Ars Technica http://arstechnica.com/security/2016/01/juniper-drops-nsa-developed-code... Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears | Ars Technica http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-passwo... Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr... Phone crypto scheme "facilitates undetectable mass surveillance" | Ars Technica http://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitat... The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan... Everything We Know About Ukraine's Power Plant Hack | WIRED http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-pla... Analysis confirms coordinated hack attack caused Ukrainian power outage | Ars Technica http://arstechnica.com/security/2016/01/analysis-confirms-coordinated-ha... Royal Melbourne Hospital attacked by damaging computer virus http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-d... Internet Explorer End of Support https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support Judge Rules Kim Dotcom Can Be Extradited to US to Face Charges | WIRED http://www.wired.com/2015/12/kim-dotcom-extradition-ruling/ In Silk Road Appeal, Ross Ulbricht's Defense Focuses on Corrupt Feds | WIRED http://www.wired.com/2016/01/ross-ulbrichts-defense-focuses-on-corrupt-f... Security firm sued for filing "woefully inadequate" forensics report | Ars Technica http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-wo... US Intelligence director's personal e-mail, phone hacked | Ars Technica http://arstechnica.com/security/2016/01/us-intelligence-directors-person... Researchers uncover JavaScript-based ransomware-as-service | Ars Technica http://arstechnica.com/security/2016/01/researchers-uncover-javascript-b... Microsoft may have your encryption key; here's how to take it back | Ars Technica http://arstechnica.com/information-technology/2015/12/microsoft-may-have... Common payment processing protocols found to be full of flaws | Ars Technica http://arstechnica.com/security/2015/12/common-payment-processing-protoc... Critical Yahoo Mail Flaw Patched, $10K Bounty Paid | Threatpost | The first stop for security news https://threatpost.com/critical-yahoo-mail-flaw-patched-10k-bounty-paid/... GM embraces white-hat hackers with public vulnerability disclosure program | Ars Technica http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-publ... Google slams AVG for exposing Chrome user data with "security" plugin | Ars Technica http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-ch... Google security researcher excoriates TrendMicro for critical AV defects | Ars Technica http://arstechnica.com/security/2016/01/google-security-researcher-excor... Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC | Ars Technica http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torped... Cisco Patches Hardcoded Password, DoS Vulnerabilities in Software | Threatpost | The first stop for security news https://threatpost.com/cisco-patches-hardcoded-password-dos-vulnerabilit... Microsoft Silverlight Zero Day Vulnerability Patched | Threatpost | The first stop for security news https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/... Bug that can leak crypto keys just fixed in widely used OpenSSH | Ars Technica http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-ju... Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-milli... January 2016 Oracle Critical Patch Update 248 Patches | Threatpost | The first stop for security news https://threatpost.com/oracle-releases-record-number-of-security-patches... Oracle settles with FTC over Java's "deceptive" security patching | Ars Technica http://arstechnica.com/information-technology/2015/12/oracle-settles-wit... With funds stolen in hack, cryptocurrency company mulls bankruptcy | Reuters http://www.reuters.com/article/bankruptcy-cryptsy-idUSL2N1530M9 Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early | Ars Technica http://arstechnica.com/information-technology/2015/12/google-considers-f... Firefox ban on SHA-1 certs causing some security issues, Mozilla warns | Ars Technica http://arstechnica.com/security/2016/01/firefoxs-ban-of-sha-1-certs-caus...

Risky Business #394 -- Matthew Green talks "crypto bans"

Patrick Gray — Wed, 16 Dec 2015 00:00:00 +1100

On this week's show we're chatting with Johns Hopkins University cryptographer Matthew Green about rumblings emanating out of DC with regard to "stopping encryption", whatever the hell that means. In this week's sponsor interview we're chatting with Oliver Fay from Context about a paper they did in conjunction with UK's CERT about exploit kits. How much do they cost? Are there any that stick out as being particularly good? Or bad, depending on your point of view... Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Man arrested in toymaker hack that exposed data for millions of kids | Ars Technica http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-sa... The Bizarre Saga of Craig Wright, the Latest "Inventor of Bitcoin" - The New Yorker http://www.newyorker.com/business/currency/bizarre-saga-craig-wright-lat... Julian Assange Will Finally Get His Day in Court-In the Ecuadorean Embassy | WIRED http://www.wired.com/2015/12/julian-assange-will-finally-get-his-day-in-... J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime - Forbes http://www.forbes.com/sites/stevemorgan/2015/12/13/j-p-morgan-boa-citi-a... Tor Hires a New Leader to Help It Combat the War on Privacy | WIRED http://www.wired.com/2015/12/tor-hires-a-new-leader-to-help-it-combat-th... Beware of state-sponsored hackers, Twitter warns dozens of users | Ars Technica http://arstechnica.com/tech-policy/2015/12/beware-of-state-sponsored-hac... 13 Million MacKeeper Users Exposed - Krebs on Security http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/ SHA1 sunset will block millions from encrypted net, Facebook warns | Ars Technica http://arstechnica.com/security/2015/12/sha1-sunset-will-block-millions-... Cisco starts spewing vuln info everywhere, in a good way \u2022 The Register http://www.theregister.co.uk/2015/12/15/borg_security_boffins_open_tweak... #BadWinmail Demo - YouTube https://www.youtube.com/watch?v=ngWVbcLDPm8 Critical 0-day Remote Command Execution Vulnerability in Joomla - Sucuri Blog https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-i... Protecting Windows Networks - Kerberos Attacks | DFIR blog http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-att... Project Zero: FireEye Exploitation: Project Zero's Vulnerability of the Beast http://googleprojectzero.blogspot.com.au/2015/12/fireeye-exploitation-pr... Back to 28: Grub2 Authentication Bypass 0-Day http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html FBI on Encryption: 'It's A Business Model Question' | Threatpost | The first stop for security news https://threatpost.com/fbi-on-encryption-its-a-business-model-question/1... Fact-checking the debate on encryption | Ars Technica http://arstechnica.com/security/2015/12/fact-checking-the-debate-on-encr... New Paper Released: Demystifying the Exploit Kit http://www.contextis.com/news/new-paper-released-demystifying-exploit-kit/ Tower Of Power - Both Sorry Over Nothin' - YouTube https://www.youtube.com/watch?v=1Dkh173BAMw Tower Of Power 1973 - YouTube https://www.youtube.com/watch?v=JXQ2kMx2xok

Risky Business #393 -- So who's Satoshi this week?

Patrick Gray — Thu, 10 Dec 2015 00:00:00 +1100

On this week's show -- in addition to covering the latest claims about the true identity of Satoshi Nakamoto -- we're taking a look at a recent deal between a very large bank in Australia and Sydney's University of New South Wales. UNSW has had a lot of success over the last few years in actually training people to think offensively. They seem to have cracked a formula where others have tried and failed. Now, they've got $1.6m to play with courtesy of the Commonwealth Bank. This could be a model for colleges and universities everywhere. Whether you're a CSO having trouble recruiting good staff or you work in academia, you really want to hear this week's feature interviews with Brendan Hopper and CBA CSO Ben Heyes. This week's show is brought to you by Bromium. Bromium makes awesome micro-virtualisation software that really does neutralise the threat of memory corruption exploits in desktop environments. A speed bump for them has been their software requires Intel's virtualisation instruction extensions to work. Well, they've been around long enough now for Bromium to be getting some serious traction at the top end of town. They've also brought out version 3 of their software. with Bromium's Chief Security Architect Rahul Kashyap joins us in this week's sponsor interview to update us on what they've been up to for the last year or so. The Grugq is in the news chair this week. Adam is busy running Kiwicon in Wellington. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Grugq on Twitter if that's your thing. Show notes Bitcoin's Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius | WIRED http://www.wired.com/2015/12/bitcoins-creator-satoshi-nakamoto-is-probab... This Australian Says He and His Dead Friend Invented Bitcoin http://gizmodo.com/this-australian-says-he-and-his-dead-friend-invented-... Reported bitcoin 'founder' Craig Wright's home raided by Australian police | Technology | The Guardian http://www.theguardian.com/technology/2015/dec/09/bitcoin-founder-craig-... Alleged Bitcoin Creator Craig Wright Likely Outed Himself | Fusion http://fusion.net/story/243056/alleged-bitcoin-creator-craig-wright/ Satoshi's PGP Keys Are Probably Backdated and Point to a Hoax | Motherboard http://motherboard.vice.com/read/satoshis-pgp-keys-are-probably-backdate... Variety Jones, Alleged Silk Road Mentor, Arrested in Thailand | WIRED http://www.wired.com/2015/12/variety-jones-alleged-silk-road-mentor-arre... Let's Encrypt Initiative Enters Public Beta | Threatpost | The first stop for security news https://threatpost.com/lets-encrypt-initiative-enters-public-beta/115568/ Trump says "closing that Internet" is a good way to fight terrorism | Ars Technica http://arstechnica.com/tech-policy/2015/12/trump-wants-bill-gates-to-hel... France looking at banning Tor, blocking public Wi-Fi | Ars Technica http://arstechnica.com/tech-policy/2015/12/france-looking-at-banning-tor... Attack floods Internet root servers with 5 million queries a second | Ars Technica http://arstechnica.com/security/2015/12/attack-flooded-internet-root-ser... root-servers.org/news/events-of-20151130.txt http://root-servers.org/news/events-of-20151130.txt Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom | WIRED http://www.wired.com/2015/12/hacker-leaks-customer-data-after-a-united-a... Anonymous Leaks Paris Climate Summit Officials' Private Data | WIRED http://www.wired.com/2015/12/anonymous-leaks-paris-climate-summit-offici... At first cyber meeting, China claims OPM hack is "criminal case" [Updated] | Ars Technica http://arstechnica.com/tech-policy/2015/12/at-first-cyber-meeting-china-... Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record \xab Threat Research | FireEye Inc https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-r... Experts Say Bitcoin Extortionist Copycats on the Rise | Threatpost | The first stop for security news https://threatpost.com/bitcoin-extortionist-copycats-on-the-rise-experts... Microsoft, Law Enforcement Collaborate in Dorkbot Takedown | Threatpost | The first stop for security news https://threatpost.com/microsoft-law-enforcement-collaborate-in-dorkbot-... Mozilla Will Stop Developing And Selling Firefox OS Smartphones | TechCrunch http://techcrunch.com/2015/12/08/mozilla-will-stop-developing-and-sellin... December Patch Tuesday avalanche of patches includes leaked Xbox certificate | Ars Technica http://arstechnica.com/security/2015/12/december-patch-tuesday-avalanche... Adobe, Microsoft Each Plug 70+ Security Holes - Krebs on Security http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security... Apple Patches 50+ Vulnerabilities in iOS, OS X, Safari | Threatpost | The first stop for security news https://threatpost.com/apple-patches-50-vulnerabilities-across-ios-os-x-... Cisco Warning of CSRF, XSS Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-... Dropbox - Backgrounder_UNSW and CBA Security Engineering.docx https://www.dropbox.com/s/aqnbfxbcqhujxj1/Backgrounder_UNSW%20and%20CBA%... Dropbox - Transcript_CyberSecurity_Heyes_Buckland_Dec2015_final.docx https://www.dropbox.com/s/zod75xl50g1uuhz/Transcript_CyberSecurity_Heyes... UNSW, Commonwealth Bank to offer cyber Security courses | Cyber security jobs http://www.news.com.au/finance/business/other-industries/commonwealth-ba... sec.edu - Security Engineering - Applied Cyber Security on openlearning.com https://www.openlearning.com/courses/sec Free ride: students crack ticket algorithm http://www.smh.com.au/digital-life/consumer-security/free-ride-students-... Wil Anderson | Chelsea Lately | Comedy Works https://www.comedyworks.com/comedians/666

Risky Business #392 -- A look at Silverpush with Kevin Finisterre

Patrick Gray — Thu, 03 Dec 2015 00:00:00 +1100

On this week's show we're chatting with Kevin Finisterre about Silverpush -- the creepy ultrasonic audio-beaconing technology used by advertising companies that was in the press a couple of weeks ago. Kevin was all over it and he joins me to discuss the growing overlap between the techniques used by marketers and blackhats. This week's show is brought to you by Bugcrowd, big thanks to them. In this week's sponsor interview Bugcrowd CEO Casey Ellis joins us to discuss more on bug economics -- how do you price bugs? How do you determine bounty pools? It's not as simple as saying, well, XXE's are worth $500 each and XSS $200. The dynamics here are actually a little more complex than that. Adam Boileau, as always, joins the show to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Hacker Obtained Children's Headshots and Chatlogs From Toymaker VTech | Motherboard http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and... When children are breached-inside the massive VTech hack | Ars Technica http://arstechnica.com/security/2015/11/when-children-are-breached-insid... Adobe sounds death knell for Flash - Software - iTnews http://www.itnews.com.au/news/adobe-sounds-death-knell-for-flash-412522 China blamed for 'massive' cyber attack on Bureau of Meteorology supercomputer - ABC News (Australian Broadcasting Corporation) http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-b... CNN investigates: How Corporate America keeps huge hacks secret - Nov. 30, 2015 http://money.cnn.com/2015/11/30/technology/secret-deals-hacked-companies... DHS Giving Firms Free Penetration Tests - Krebs on Security http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/ DHS to Silicon Valley: Tell us how to secure this "Internet of Things" | Ars Technica http://arstechnica.com/information-technology/2015/12/dhs-to-silicon-val... Hey Reader's Digest: Your site has been attacking visitors for days | Ars Technica http://arstechnica.com/security/2015/11/hey-readers-digest-your-site-has... China APT Gang Targets Hong Kong Media via Dropbox | Threatpost | The first stop for security news https://threatpost.com/china-apt-gang-targets-hong-kong-media-via-dropbo... BlackBerry to bug out of Pakistan by end of year \u2022 The Register http://www.theregister.co.uk/2015/12/01/blackberry_to_quit_pakistan/ Kazakhtelecom http://telecom.kz/en/news/view/18729 Advantech EKI Vulnerable to Shellshock, Heartbleed | Threatpost | The first stop for security news https://threatpost.com/advantech-ics-gear-still-vulnerable-to-shellshock... Google Plans to End Chrome for 32-bit Linux, Releases Chrome 47 | Threatpost | The first stop for security news https://threatpost.com/google-ends-chrome-support-on-32-bit-linux-releas... Microsoft Revoves Trust for eDellroot Certficates | Threatpost | The first stop for security news https://threatpost.com/microsoft-removes-trust-for-edellroot-certificate... Lord Echo - Thinking of you - YouTube https://www.youtube.com/watch?v=9djfSSTL-qQ Meet The 'Ultrasonic' Tracking Company Privacy Activists Are Terrified Of - Forbes http://www.forbes.com/sites/thomasbrewster/2015/11/16/silverpush-ultraso...

Risky Business #391 -- Dell fails hard

Patrick Gray — Thu, 26 Nov 2015 00:00:00 +1100

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn. If you haven't heard what they actually did you'll hardly even believe it. That's this week's feature interview. This week's sponsor guest is Tenable's very own Brian "Jericho" Martin. He's a guy who knows a thing or two about vulnerabilities and the software supply chain. We dodged a bullet with those libpng vulnerabilities of a few weeks ago not really being exploitable. But what if they were? How do you prepare your organisation for some serious bugs dropping in libraries when you're not even sure if you're using that code? Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Clinton Says the US Needs Silicon Valley's Help to Defeat ISIS | WIRED http://www.wired.com/2015/11/clinton-says-us-needs-silicon-valleys-help-... Security Manual Reveals the OPSEC Advice ISIS Gives Recruits | WIRED http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terror... The Secret ISIS Cyber Guide Was Actually Just An Arabic Guide For Activists - BuzzFeed News http://www.buzzfeed.com/sheerafrenkel/the-secret-isis-cyber-guide-was-ac... Bangladesh mulls blocking WhatsApp and Viber to prevent terror activities http://www.ibtimes.co.in/bangladesh-mulls-blocking-whatsapp-viber-preven... Iranian military spear-phish of State Department employees detected first by Facebook | Ars Technica http://arstechnica.com/security/2015/11/iranian-military-spear-phish-of-... Breach at IT Automation Firm LANDESK - Krebs on Security http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/ 54 Starwood Hotels Hit By Point of Sale Malware | Threatpost | The first stop for security news https://threatpost.com/starwood-hotel-chain-hit-by-point-of-sale-malware... Hilton Acknowledges Credit Card Breach - Krebs on Security http://krebsonsecurity.com/2015/11/hilton-acknowledges-credit-card-breach/ A $10 Tool Can Guess (And Steal) Your Next Credit Card Number | WIRED http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-st... Certifications Tracking System Outage and Data Exposure - The Cisco Learning Network https://learningnetwork.cisco.com/blogs/community_cafe/2015/11/21/certif... FBI Warns Public Officials of Doxing Threat | Threatpost | The first stop for security news https://threatpost.com/fbi-warns-public-officials-of-doxing-threat/115429/ The Doctor on a Quest to Save Our Medical Devices From Hackers | WIRED http://www.wired.com/2015/11/the-doctor-on-a-quest-to-save-our-medical-d... TrueCrypt is safer than previously reported, detailed analysis concludes | Ars Technica http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previous... GlassRAT Remote Access Trojan | Threatpost | The first stop for security news https://threatpost.com/stealthy-glassrat-spies-on-commercial-targets/115... VirusTotal Mac OS X App Sandbox Support | Threatpost | The first stop for security news https://threatpost.com/virustotal-adds-sandbox-execution-for-os-x-apps/1... Amazon resets account passwords feared compromised - report \u2022 The Register http://www.theregister.co.uk/2015/11/25/amazon_password_reset/ United Airlines Slow to Patch Mobile App Vulnerability | Threatpost | The first stop for security news https://threatpost.com/united-airlines-slow-to-patch-mobile-app-vulnerab... Lenovo Patches Vulnerabilities in System Update Service | Threatpost | The first stop for security news https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-s... 600,000 Arris Modems Plagued by 'Backdoor in a Backdoor' | Threatpost | The first stop for security news https://threatpost.com/backdoor-in-a-backdoor-identified-in-600000-arris... VMware Patches Pesky XXE Bug in Flex BlazeDS | Threatpost | The first stop for security news https://threatpost.com/vmware-patches-pesky-xxe-bug-in-flex-blazeds/115443/ Sony employees on the hack, one year later. http://www.slate.com/articles/technology/users/2015/11/sony_employees_on... Dell apologizes for HTTPS certificate fiasco, provides removal tool | Ars Technica http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certif... Joe Nord personal blog: New Dell computer comes with a eDellRoot trusted root certificate http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroo... Dude, You Got Dell'd: Publishing Your Privates - Blog - Duo Security https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-pri... bluejuice - The Reductionist - YouTube https://www.youtube.com/watch?v=v0N7DDDKsqw

Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks

Patrick Gray — Fri, 20 Nov 2015 00:00:00 +1100

In this week's feature interview we're checking in with FireEye's Jonathan Wrolstad. He's a threat intelligence guy at FireEye and they've just published a really interesting report about what a threat group is doing in terms of target recon. They're using marketing company tricks to recon all sorts of high value targets. It's very interesting stuff, and it's likely tied to the Russian state. This week's show is brought to you by Senetas Security, makers of terrific layer 2 encryption gear. Senetas CTO Julian Fay stops by in this week's sponsor interview to chat about Network Function Virtualisation. It's a new twist on a concept that's been around for a while. It's getting a second wind thanks to some work being done at Etsy, of all places. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Paris Terror Attacks Stoke Encryption Debate - Krebs on Security http://krebsonsecurity.com/2015/11/paris-terror-attacks-stoke-encryption... ISIS using encrypted apps for communications; former intel officials blame Snowden [Updated] | Ars Technica http://arstechnica.com/information-technology/2015/11/isis-encrypted-com... After Paris Attacks, Here's What the CIA Director Gets Wrong About Encryption | WIRED http://www.wired.com/2015/11/paris-attacks-cia-director-john-brennan-wha... There's no evidence ISIS used PS4 to plan Paris attacks | Ars Technica http://arstechnica.com/gaming/2015/11/despite-what-the-papers-say-theres... ISIS: CloudFlare CEO slams Anonymous' claims that he's protecting terrorists' websites http://www.news.com.au/technology/online/hacking/a-silicon-valley-startu... Telegram encrypted messaging service cracks down on ISIS broadcasts | Ars Technica http://arstechnica.com/information-technology/2015/11/telegram-encrypted... ISIS operates a crypto help desk - report \u2022 The Register http://www.theregister.co.uk/2015/11/18/isis_help_desk/ Is Anonymous' war on ISIS doing more harm than good? | The Verge http://www.theverge.com/2015/11/19/9761682/anonymous-isis-vigilante-camp... Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor | Threatpost | The first stop for security news https://threatpost.com/carnegie-mellon-says-it-was-subpoenaed-and-not-pa... Carnegie Mellon Denies FBI Paid for Tor-Breaking Research | WIRED http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-bre... Libpng PNG Reference Library Patches Memory Corruption Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/patched-libpng-vulnerabilities-have-limited-scope... Here's a Spy Firm's Price List for Secret Hacker Techniques | WIRED http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hac... Android adware can install itself even when users explicitly reject it | Ars Technica http://arstechnica.com/security/2015/11/android-adware-can-install-itsel... Google to Warn Recipients of Unencrypted Gmail Messages | Threatpost | The first stop for security news https://threatpost.com/google-to-warn-recipients-of-unencrypted-gmail-me... Microsoft Blocks Unsigned DLLs in Edge with Update | Threatpost | The first stop for security news https://threatpost.com/microsoft-cracks-down-on-toolbars-unsigned-dlls-w... JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services - Krebs on Security http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-... BitLocker popper uses Windows authentication to attack itself \u2022 The Register http://www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/ Adobe Issues HotFix For ColdFusion | Threatpost | The first stop for security news https://threatpost.com/adobe-pushes-hotfix-for-coldfusion/115389/ Wad of Stuff: CVE-2015-6357: FirePWNER Exploit for Cisco FireSIGHT Management Center SSL Validation Vulnerability http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploi... Issue 539 - google-security-research - Kaspersky Antivirus Certificate handling path traversal - Google Security Research - Google Project Hosting https://code.google.com/p/google-security-research/issues/detail?id=539&... https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf Eagles of Death Metal - I Want You So Hard - YouTube https://www.youtube.com/watch?v=MZrctLnsF4M

Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!

Patrick Gray — Thu, 12 Nov 2015 00:00:00 +1100

On this week's show we're chatting with computer crime lawyer extraordinaire Tor Ekeland! He's worked on a number of high profile CFAA cases. Most recently he's been defending former Reuters and LA Times journalist Matthew Keys on some pretty hefty CFAA charges. He's also the guy who got Andrew Aurenheimer out of jail so he could go and live a free life as a Nazi troll. (Is that really a win?) He also defended Lauri Love... basically if you're a hacker who's fallen foul of the CFAA, this is the guy you want on your team. He joins us this week to talk about the CFAA, terrorism charges against hackers, and the American cultural influences over crime and punishment in the USA. It's a cracker interview, that one. This week's show is brought to you by Telstra! Best known as Australia's incumbent telco, Telstra also offers enterprise services. There's a link to their services page in this week's show notes. In this week's sponsor interview we're chatting with Rachael Falk. She leads the Cyber Influence team in Telstra Security Operations. And she'll be joining us with what I'm calling boardroom ammo. Five questions you can suggest to your CEO or board to get them thinking about good security practices. Links to everything are in this week's show notes. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #388 -- Cyber shrinkery, IoT shenanigans and guest Troy Hunt

Patrick Gray — Thu, 05 Nov 2015 00:00:00 +1100

This week's feature interview is with Troy Hunt of HaveIBeenPwned.com. And he's noticing something pretty weird. It's common for people to deface websites for bragging rights, and yeah, it's not new that data dumps are the new bragging fodder. But it seems like these days attackers are seeing Troy's site as the definitive place to get cred. Now they'll steal a bunch of data and Troy is their first stop. Life is strange on the internets. That's this week's feature interview. This week's show is brought to you by ContextIS, a security consultancy and research house with offices in England, Germany and Australia. In this week's sponsor interview we chat with Alex Farrant, a senior security researcher with Context in Cheltenham about the risks of IoT to enterprise networks. Don't worry, this isn't some non-specific, high level chat saying "IoT is bad," we're talking about real examples where they've managed to chain together a couple of bugs for serious effect. We also talk about how enterprises aren't shy about making key company resources accessible over WiFi these days. Yes, the same WiFi network that your vulnerable electric kettle and lightbulbs are on. Happy days. Adam Boileau, as always, stops in to discuss the week's news, including the delightful Freudian analysis of computer hackers by "cyber psychologist" Mary Aiken. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | WIRED http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios... UK Government Works on Restricting Encryption, Urges Staff to Use It | Motherboard http://motherboard.vice.com/read/uk-government-works-on-restricting-stro... Internet firms to be banned from offering unbreakable encryption under new laws - Telegraph http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Inte... UK surveillance powers explained - BBC News http://www.bbc.com/news/uk-34713435 The Lesson of CISA's Success, or How to Fight a Zombie https://theintercept.com/2015/11/03/lesson-of-cisa-success-or-how-to-fig... ALBAWABA NEWS: Egypt's military arrests 150 terrorists through "Telegram" http://www.albawabaeg.com/66794 Teenager arrested in Norwich over TalkTalk cyber-attack bailed | Business | The Guardian http://www.theguardian.com/business/2015/nov/04/teenager-arrested-in-nor... vBulletin password hack fuels fears of serious Internet-wide 0-day attacks | Ars Technica http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fe... Tor Just Launched the Easiest App Yet for Anonymous, Encrypted IM | WIRED http://www.wired.com/2015/10/tor-just-launched-the-easiest-app-yet-for-a... Zerocoin Startup Revives the Dream of Truly Anonymous Money | WIRED http://www.wired.com/2015/11/zerocoin-startup-revives-the-dream-of-truly... Signal, the Snowden-Approved Crypto App, Comes to Android | WIRED http://www.wired.com/2015/11/signals-snowden-approved-phone-crypto-app-c... Don't count on STARTTLS to automatically encrypt your sensitive e-mails | Ars Technica http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automa... Still fuming over HTTPS mishap, Google makes Symantec an offer it can't refuse | Ars Technica http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-g... How Carders Can Use eBay as a Virtual ATM - Krebs on Security http://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual... Shuanet Adware Roots Android Devices | Threatpost | The first stop for security news http://threatpost.com/shuanet-adware-rooting-android-devices-via-trojani... Chinese Mobile Ad Library Backdoored to Spy on iOS Devices | Threatpost | The first stop for security news http://threatpost.com/chinese-mobile-ad-library-backdoored-to-spy-on-ios... Samsung Galaxy S6 Edge Security Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/google-project-zero-turns-over-11-bugs-in-galaxy-s... Data-Stealing Android App Impersonates Word Doc | Threatpost | The first stop for security news http://threatpost.com/malicious-android-app-impersonates-microsoft-word-... XcodeGhost Malware Supports iOS9 | Threatpost | The first stop for security news http://threatpost.com/updated-xcodeghost-adds-ios9-support/115244/ November 2015 Android Security Bulletin | Threatpost | The first stop for security news http://threatpost.com/monthly-android-security-update-patches-more-stage... Tinba Variant Spotted Targeting Russian, Japanese Banks | Threatpost | The first stop for security news http://threatpost.com/new-tinba-variant-spotted-targeting-russian-japane... PageFair Hack Serves Up Fake Flash Update to 500 Sites | Threatpost | The first stop for security news http://threatpost.com/pagefair-hack-serves-up-fake-flash-update-to-500-s... Xen patches 7-year-old bug that shattered hypervisor security | Ars Technica http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-... Latest EMET Bypass Targets WoW64 Windows Subsystem | Threatpost | The first stop for security news http://threatpost.com/latest-emet-bypass-targets-wow64-windows-subsystem... FireEye growth slows as China attacks reportedly abate, stock plunges - MarketWatch http://www.marketwatch.com/story/fireeye-growth-slows-as-china-attacks-r... Hackers gonna hack, but why? Maybe Freud has the answer | Technology | The Guardian http://www.theguardian.com/technology/2015/nov/03/hackers-gonna-hack-but... Troy Hunt: Breaches, traders, plain text passwords, ethical disclosure and 000webhost http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html Music | PLTS https://pltsmusic.bandcamp.com/ Also, you should absolutely check out Context's Blog. It's really quite good. http://www.contextis.com/resources/blog/1/

Risky Business #387 -- Hack people to death!

Patrick Gray — Thu, 29 Oct 2015 00:00:00 +1100

In this week's feature interview we're chatting with Chris Rock from Kustodian. Chris did a great presentation at Ruxcon last week about how easy it is to hack people to death! He's found out just how easy it is to register births and deaths in the united states and Australia via online systems. He says it's a problem that could result in a virtual baby harvest for fraudsters who plan ahead. It's really fun stuff, that's this week's feature. In this week's sponsor interview we're speaking with Deema Freij, general counsel at Intralinks. This is an interview the CSOs shouldn't miss... we're talking to her about privacy stuff -- about what the invalidation of Safe Harbour provisions really means, what we can expect from the new EU general data protection regulations when they land, and what sort of management challenges that's going to throw up at the boardroom level. Adam Boileau, as always, stops in to discuss the week's news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes WikiLeaks Is Publishing the CIA Director's Hacked Emails | WIRED http://www.wired.com/2015/10/wikileaks-publishing-cia-director-john-bren... Hacker releases new purported personal data for top CIA, DHS officials [Updated] | Ars Technica http://arstechnica.com/tech-policy/2015/10/hacker-releases-new-purported... A Second Snowden Has Leaked a Mother Lode of Drone Docs | WIRED http://www.wired.com/2015/10/a-second-snowden-leaks-a-mother-lode-of-dro... Who Is Ardit Ferizi? Malaysia Arrests Kosovo National For Hacking US Security Data For ISIS http://www.ibtimes.com/who-ardit-ferizi-malaysia-arrests-kosovo-national... Matthew Keys' Hacking Conviction May Not Survive an Appeal | WIRED http://www.wired.com/2015/10/matthew-keys-journalist-conviction-cfaa-abu... TalkTalk Hackers Demanded \xa380K in Bitcoin - Krebs on Security http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitc... TalkTalk Hackers Demand Ransom of CEO Dido Harding | Threatpost | The first stop for security news https://threatpost.com/talktalk-hackers-demand-ransom-from-ceo/115156/ China Is Still Hacking US Companies After Promising It Would Stop, Report Says | Motherboard http://motherboard.vice.com/read/china-is-still-hacking-us-companies-aft... Arrest of Chinese Hackers Not a First for U.S. - Krebs on Security http://krebsonsecurity.com/2015/10/arrest-of-chinese-hackers-not-a-first... How is NSA breaking so much crypto? https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking... Fewer IPsec VPN Connections at Risk to Weak Diffie-Hellman | Threatpost | The first stop for security news https://threatpost.com/fewer-ipsec-vpn-connections-at-risk-from-weak-dif... CISA Passes Senate Without Addressing Privacy Concerns | Threatpost | The first stop for security news https://threatpost.com/cisa-passes-senate-without-addressing-privacy-con... A DEA Agent Who Helped Take Down Silk Road Is Going to Prison for Unbelievable Corruption | Mother Jones http://www.motherjones.com/mixed-media/2015/10/silk-road-investigator-se... X-Ray Scans Expose an Ingenious Chip-and-Pin Card Hack | WIRED http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pi... EFF: We found 100+ license plate readers wide open on the Internet | Ars Technica http://arstechnica.com/tech-policy/2015/10/lprs-exposed-how-public-safet... Automakers just lost the battle to stop you from hacking your car | The Verge http://www.theverge.com/2015/10/27/9622150/dmca-exemption-accessing-car-... New attacks on Network Time Protocol can defeat HTTPS and create chaos | Ars Technica http://arstechnica.com/security/2015/10/new-attacks-on-network-time-prot... Unpatched browser weaknesses can be exploited to track millions of Web users | Ars Technica http://arstechnica.com/security/2015/10/unpatched-browser-weaknesses-can... This 11-year-old is selling cryptographically secure passwords for $2 each | Ars Technica http://arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryp... Microsoft .NET Core, ASP.NET Beta Bug Bounty | Threatpost | The first stop for security news https://threatpost.com/microsoft-opens-net-core-asp-net-bug-bounties/115... IBM Runs World's Worst Spam-Hosting ISP? - Krebs on Security http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/ Let's Encrypt Free HTTPS Secures Cross-Signatures To Be A CA | Threatpost | The first stop for security news https://threatpost.com/lets-encrypt-hits-another-free-https-milestone/11... Insecure Internet-Connected Kettles Help Researchers Crack WiFi Networks Across London - Softpedia http://news.softpedia.com/news/insecure-internet-connected-kettles-help-... 13 million plaintext passwords belonging to webhost users leaked online | Ars Technica http://arstechnica.com/security/2015/10/13-million-plaintext-passwords-b... Western Digital self-encrypting hard drives riddled with security flaws | Ars Technica http://arstechnica.com/security/2015/10/western-digital-self-encrypting-... Joomla bug puts millions of websites at risk of remote takeover hacks | Ars Technica http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-webs... New zero-day exploit hits fully patched Adobe Flash [Updated] | Ars Technica http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-... October 2015 Oracle Critical Patch Update | Threatpost | The first stop for security news https://threatpost.com/oracle-quarterly-security-update-patches-154-vuln... '10-second' theoretical hack could jog Fitbits into malware-spreading mode \u2022 The Register http://www.theregister.co.uk/2015/10/21/fitbit_hack/ DEF CON 23 - Chris Rock - I Will Kill You - YouTube https://www.youtube.com/watch?v=9FdHq3WfJgs bluejuice - Vitriol - YouTube https://www.youtube.com/watch?v=ldBhDmvWFXE

Risky Business #386 -- Katie Moussouris on the (groan) disclosure debate

Patrick Gray — Fri, 09 Oct 2015 00:00:00 +1100

On this week's show we're checking in with Katie Moussouris of HackerOne. She's an ex Microsoftie who's spent something like a decade working on vulnerability disclosure policies. She even helped get a vuln disclosure ISO standard ratified! And she'll be joining us this week to discuss disclosure politics, I guess you'd call it... for those of us who've been around infosec for a while, most of us would rather stick our face in a blender than talk about it, but Katie will be along to point out why people should fight their "disclosure debate fatigue" and get involved. This week's show is brought to you by Telstra! Telstra is Australia's incumbent telco but also offers a bunch of enterprise services and has invested in some mobile security plays. They took a stake in Zimperium, which is where Risky Business pal Joshua Drake works. They also have a stake in Telesign. In this week's sponsor interview we're joined by Telstra's Rocky Scopelliti. He's Telstra's finance brain and he'll be along to discuss a report he prepared on the fusion of financial services, mobility and identity. Telstra has collected a lot of *extremely* interesting data and Rocky will be along to fill us in on what it all means. That's this week's sponsor interview, with big thanks to new sponsor Telstra! Adam Boileau, as always, stops in to discuss the week's news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Hack Brief: Hackers Steal 15M T-Mobile Customers' Data From Experian | WIRED http://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-custo... Scottrade Breach Hits 4.6 Million Customers - Krebs on Security http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-cus... Trump Hotel Collection Confirms Card Breach - Krebs on Security http://krebsonsecurity.com/2015/10/trump-hotel-collection-confirms-card-... Patreon was warned of serious website flaw 5 days before it was hacked | Ars Technica http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-we... Gigabytes of user data from hack of Patreon donations site dumped online | Ars Technica http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack... Exclusive: Uber checks connections between hacker and Lyft | Reuters http://www.reuters.com/article/2015/10/08/us-uber-tech-lyft-hacking-excl... Amazon Web Services Inspector Application Security Scanner | Threatpost | The first stop for security news https://threatpost.com/amazon-inspector-addresses-compliance-and-securit... Canceled HITB GSEC Singapore Presentation | Threatpost | The first stop for security news https://threatpost.com/canceled-talk-re-ignites-controversy-over-legitim... Verizon's zombie cookie gets new life | Ars Technica http://arstechnica.com/security/2015/10/verizons-zombie-cookie-gets-new-... Questions raised over Malcolm Turnbull's use of private email server http://www.theage.com.au/technology/technology-news/questions-raised-ove... Backdoor infecting Cisco VPNs steals customers' network passwords | Ars Technica http://arstechnica.com/security/2015/10/backdoor-infecting-cisco-vpns-st... Cisco shuts down million-dollar ransomware operation | Ars Technica http://arstechnica.com/security/2015/10/cisco-shuts-down-30-million-rans... SHA1 algorithm securing e-commerce and software could break by year's end | Ars Technica http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-i... Report finds many nuclear power plant systems "insecure by design" | Ars Technica http://arstechnica.com/security/2015/10/report-finds-many-nuclear-power-... Microsoft sites expose visitors' profile info in plain text | Ars Technica http://arstechnica.com/security/2015/10/microsoft-sites-expose-visitors-... Android adware wields potent root exploits to gain permanent foothold | Ars Technica http://arstechnica.com/security/2015/10/android-adware-wields-potent-roo... iPhone Malware Is Hitting China. Let's Not Be Next | WIRED http://www.wired.com/2015/10/iphone-malware-hitting-china-lets-not-next/ Journalist Convicted of Helping Anonymous Hack Tribune Co. | WIRED http://www.wired.com/2015/10/matthew-keys-reuters-journalist-convicted-o... Netgear Router Vulnerabilities Public Exploits | Threatpost | The first stop for security news https://threatpost.com/disclosed-netgear-router-vulnerability-under-atta... WikiLeaks Wants to Pay $50K for Video of the Kunduz Hospital Bombing | WIRED http://www.wired.com/2015/10/wikileaks-wants-pay-50k-video-kunduz-bombing/ Hacking Wireless Printers With Phones on Drones | WIRED http://www.wired.com/2015/10/drones-robot-vacuums-can-spy-office-printer/ October 2015 Adobe Acrobat Adobe Acrobat Patches | Threatpost | The first stop for security news https://threatpost.com/adobe-to-patch-reader-and-acrobat-next-week/114966/ When Security Experts Gather to Talk Consensus, Chaos Ensues | WIRED http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chao... Mobile Identity http://www.telstraglobal.com/mobile-identity L-FRESH The LION http://l-fresh.com/

Risky Business #385 -- Richard Bejtlich talks USA/China espionage agreement

Patrick Gray — Fri, 02 Oct 2015 00:00:00 +1000

******LANGUAGE WARNING: The f-bomb features, unbleeped, once in this week's show. Just a note for those of you with the kids in the car. On this week's show we're chatting with FireEye's chief security strategist Richard Bejtlich about this new agreement between China and the USA. The two countries have apparently agreed that they won't hack each other with the aim of stealing IP anymore. Questions to Richard include: Are they kidding? And: How did they announce this with a straight face? This week's show is brought to you by Tenable Network Security, big thanks to them. And we're joined by Tenable's very own Jeffrey Man in this week's sponsor interview. He's an ex NSA cryptographer who now spends his days dealing with PCI stuff. He's over in Canada attending the PCI community meetings in Vancouver, and I spoke to him about what we learned from the leaked Target pentest report and how third party payment firms are changing scope for all sorts of merchants. Adam Boileau, as always, stops in to discuss the week's news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Banks: Card Breach at Hilton Hotel Properties - Krebs on Security http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-pro... \u200bKmart Australia calls in police over security breach - Computerworld http://www.computerworld.com.au/article/585784/kmart-australia-calls-pol... Patreon: Some user names, e-mail and mailing addresses stolen | Ars Technica http://arstechnica.com/security/2015/10/patreon-some-user-names-e-mail-a... A billion Android phones are vulnerable to new Stagefright bugs | Ars Technica http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vul... CIA officers pulled from China because of OPM breach | Ars Technica http://arstechnica.com/tech-policy/2015/09/cia-officers-pulled-from-chin... China PLA Unit 78020 Cyberespionage Naikon APT | Threatpost | The first stop for security news https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/11... From Radio to Porn, British Spies Track Web Users' Online Identities https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-user... Obama administration explored ways to bypass smartphone encryption - The Washington Post https://www.washingtonpost.com/world/national-security/obama-administrat... This New Campaign Wants To Help Surveillance Agents Quit NSA or GCHQ | WIRED http://www.wired.com/2015/09/campaign-help-surveillance-agents-quit-nsa-... Car Hack Technique Uses Dealerships to Spread Malware | WIRED http://www.wired.com/2015/10/car-hacking-tool-turns-repair-shops-malware... That Big Security Fix for Credit Cards Won't Stop Fraud | WIRED http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/ Google's Three Tips for Sabotaging the Cybercrime Economy | WIRED http://www.wired.com/2015/09/google-offers-3-lessons-crippling-online-cr... ATM Skimmer Gang Firebombed Antivirus Firm - Krebs on Security http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus... Dyreza Dyre Trojan Phishing IT Supply Chain Credentials | Threatpost | The first stop for security news https://threatpost.com/dyreza-trojan-targeting-it-supply-chain-credentia... JavaScript-Based DDoS Peaks at 275,000 Requests Per Second | Threatpost | The first stop for security news https://threatpost.com/javascript-ddos-attack-peaks-at-275000-requests-p... Nerves rattled by highly suspicious Windows Update delivered worldwide [Updated] | Ars Technica http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspici... Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper | Ars Technica http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-complet... Botnet preying on Linux computers delivers potent DDoS attacks | Ars Technica http://arstechnica.com/security/2015/09/botnet-preying-on-linux-computer... Storing secret crypto keys in the Amazon cloud? New attack can steal them | Ars Technica http://arstechnica.com/security/2015/09/storing-secret-crypto-keys-in-th... How hackers can access iPhone contacts and photos without a password | Ars Technica http://arstechnica.com/security/2015/09/how-hackers-can-access-iphone-co... TrueCrypt Security Vulnerabilities Patched in VeraCrypt | Threatpost | The first stop for security news https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-... SAP Fixes A Dozen Vulnerabilities in HANA | Threatpost | The first stop for security news https://threatpost.com/sap-patches-12-sql-injection-xss-vulnerabilities-... Mozilla Addresses 14-Year-Old Bug in Firefox 41 | Threatpost | The first stop for security news https://threatpost.com/mozilla-fixes-14-year-old-bug-in-firefox-41/114818/ Cisco Fixes Denial of Service, Bypass Vulnerabilities in IOS | Threatpost | The first stop for security news https://threatpost.com/cisco-patches-denial-of-service-bypass-vulnerabil... Apple Patches 100+ Vulnerabilities in OS X, Safari, iOS | Threatpost | The first stop for security news https://threatpost.com/apple-patches-100-vulnerabilities-in-os-x-safari-... US and China Reach Historic Agreement on Economic Espionage | WIRED http://www.wired.com/2015/09/us-china-reach-historic-agreement-economic-... Marshall & The Fro - Marshall Okell http://marshallokell.com/albums/marshall-the-fro

Risky Business #384 -- Mark Dowd talks AirDrop pwnage, XCode iOS scandal

Patrick Gray — Thu, 24 Sep 2015 00:00:00 +1000

We've got a great show for you this week. Mark Dowd drops by to talk about the recent spate of Trojaned iOS apps that made it into Apple's China App Store. We also talk to him about his awesome AirDrop bug. How did it work? This week's sponsor segment is actually a real cracker. Context IS consultant David Klein tells us how he owned an entire cloud platform by enumerating some shitty 90s-style bugs in some third party libraries they were using. It's comedy gold. This cloud platform that uses security at a selling point. It's bad. Really embarrassing. It's great work and the sort of research you expect to see out of a company like Context IS, who are, of course, this week's sponsor. Adam Boileau, as always, stops in to discuss the week's news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes OPM breach included five times more stolen fingerprints | Ars Technica http://arstechnica.com/security/2015/09/opm-breach-included-five-times-m... Inside Target Corp., Days After 2013 Breach - Krebs on Security http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-br... XcodeGhost apps haunting iOS App Store more numerous than first reported | Ars Technica http://arstechnica.com/security/2015/09/xcodeghost-apps-haunting-ios-app... Spy Agency Contractor Puts Out a $1M Bounty for an iPhone Hack | WIRED http://www.wired.com/2015/09/spy-agency-contractor-puts-1m-bounty-iphone... Google's own researchers challenge key Android security talking point | Ars Technica http://arstechnica.com/security/2015/09/googles-own-researchers-challeng... Symantec employees fired for issuing rogue HTTPS certificate for Google | Ars Technica http://arstechnica.com/security/2015/09/symantec-employees-fired-for-iss... In blunder threatening Windows users, D-Link publishes code-signing key | Ars Technica http://arstechnica.com/security/2015/09/in-blunder-threatening-windows-u... Active malware campaign uses thousands of WordPress sites to infect visitors | Ars Technica http://arstechnica.com/security/2015/09/active-malware-campaign-uses-tho... Serious Imgur bug exploited to execute worm-like attack on 8chan users | Ars Technica http://arstechnica.com/security/2015/09/serious-imgur-bug-exploited-to-e... Trojan targets online poker sites, peeks at players' cards | Ars Technica http://arstechnica.com/security/2015/09/trojan-targets-online-poker-site... Seven years of malware linked to Russian state-backed cyber espionage | Ars Technica http://arstechnica.com/security/2015/09/seven-years-of-malware-linked-to... Security wares like Kaspersky AV can make you more vulnerable to attacks | Ars Technica http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av... China tells US tech companies to sign PRISM-like cyber-loyalty pact | Ars Technica http://arstechnica.com/tech-policy/2015/09/china-tells-us-tech-companies... India's daft draft anti-encryption law torn up after world+dog points out its stupidity \u2022 The Register http://www.theregister.co.uk/2015/09/22/india_encryption_withdrawl/ Malvertisers slam Forbes, Realtor with world's worst exploit kits \u2022 The Register http://www.theregister.co.uk/2015/09/23/malvertising_forbes/ Hackers Launch Balloon Probe Into the Stratosphere to Spy on Drones | WIRED http://www.wired.com/2015/09/balloon-spy-probe-deep-sweep/ IT security spending to hit $75.4bn in 2015 despite currency issues, says Gartner \u2022 The Register http://www.theregister.co.uk/2015/09/23/it_spending_forecast_gartner/ SONY HACK WAS WAR says FBI, and 'we're still struggling to hire talent' \u2022 The Register http://www.theregister.co.uk/2015/09/18/sony_hack_was_war_says_fbi_still... Control Flow Guard Mitigation Bypass | Threatpost | The first stop for security news https://threatpost.com/bypass-developed-for-microsoft-memory-protection-... Hack Brief: Mobile Manager's Security Hole Would Let Hackers Wipe Phones | WIRED http://www.wired.com/2015/09/hack-brief-popular-mobile-phone-manager-ope... Crash Google Chrome with one tiny URL: We cram a probe in this bug \u2022 The Register http://www.theregister.co.uk/2015/09/20/chrome_url_crash/ Adobe Patches 23 Vulnerabilities in Flash Player | Threatpost | The first stop for security news https://threatpost.com/adobe-patches-23-critical-vulnerabilities-in-flas... Bugzilla Privilege Escalation Security Patch | Threatpost | The first stop for security news https://threatpost.com/details-surface-on-patched-bugzilla-privilege-esc... Context Information Security http://www.contextis.com/ HopeStreet Recordings | The heart and soul of Brunswick since 2009 http://www.hopestreetrecordings.com/

Risky Business #383 -- Inside FireEye's research gag

Patrick Gray — Thu, 17 Sep 2015 00:00:00 +1000

On this week's show we take a look at what the hell it happening in Germany, where FireEye sought and obtained an ex parte injunction against a bunch of security researchers over a presentation they were about to do at 44Con. We speak with infosec lawyer Alex Urbelis -- he was at 44Con when all this came to light and he shares his insights. This week's show is sponsored by Senetas. They're a publicly listed company based in Melbourne that makes hardware encryption gear. Terribly sexy, layer 2 stuff actually. This week the company's co-founder and CTO Julian Fay joins the show to talk about the NSA's recent push to get people using encryption algorithms that are resistant to quantum computing-based attacks. Adam Boileau, as always, stops in to discuss the week's news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes beist on Twitter: "Just another stagefright 0day by my coworker, chpie. this one is reasonably reliable, more than 50% against Nexus 5. http://t.co/V5qhKvOr6C" https://twitter.com/beist/status/643579728687841280 Project Zero: Stagefrightened? http://googleprojectzero.blogspot.com.au/2015/09/stagefrightened.html Let's Encrypt Issues First Cert | Threatpost | The first stop for security news https://threatpost.com/first-lets-encrypt-free-certificate-goes-live/114... Japan charges Bitcoin exchange CEO with embezzlement - Yahoo News http://news.yahoo.com/japan-charges-bitcoin-exchange-ceo-embezzlement-ji... Atlanta's Bitpay got hacked for $1.8 million in bitcoin - Atlanta Business Chronicle http://www.bizjournals.com/atlanta/news/2015/09/16/atlantas-bitpay-got-h... Cryptome founder revokes PGP keys after weird 'compromise' \u2022 The Register http://www.theregister.co.uk/2015/09/16/cryptome_revokes_pgp_keys_after_... Scan of Internet for Compromised Cisco Routers Finds Fewer Than 100 | Threatpost | The first stop for security news https://threatpost.com/scan-of-ipv4-space-for-implanted-cisco-routers-fi... Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked | Ars Technica http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-mill... Ashley Madison passwords like "thisiswrong" tap cheaters' guilt and denial | Ars Technica http://arstechnica.com/security/2015/09/ashley-madison-passwords-like-th... DARPA Protecting Software From Reverse Engineering Through Obfuscation | Threatpost | The first stop for security news https://threatpost.com/darpa-protecting-software-from-reverse-engineerin... Installation of Tor Relays in Libraries Attracts DHS Attention | Threatpost | The first stop for security news https://threatpost.com/installation-of-tor-relays-in-library-attracts-dh... Researchers Outline Bugs in Yahoo, PayPal, Magento | Threatpost | The first stop for security news https://threatpost.com/researchers-outline-vulnerabilities-in-yahoo-payp... 'To read this page, please turn off your ad blocker...' \u2022 The Register http://www.theregister.co.uk/2015/09/15/to_read_this_page_please_turn_of... CoreBot Adds New Capabilities, Transitions to Banking Trojan | Threatpost | The first stop for security news https://threatpost.com/corebot-adds-new-capabilities-transitions-to-bank... GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars | WIRED http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-mill... Hack Brief: Emergency-Number Hack Bypasses Android Lock Screens | WIRED http://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily... Shedload of security bugs squashed in iOS 9 - what the hell went wrong with iOS 8? \u2022 The Register http://www.theregister.co.uk/2015/09/16/ios_9_security_updates/ AirDrop hole deposits stealth malware on all pre-iOS 9 Apple devices \u2022 The Register http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/ Apple mitigates but doesn't fully fix critical iOS Airdrop vulnerability | Ars Technica http://arstechnica.com/security/2015/09/apple-mitigates-but-doesnt-fully... New Debian Releases Fix PHP, VirtualBox Bugs | Threatpost | The first stop for security news https://threatpost.com/new-debian-releases-fix-php-virtualbox-bugs/114655/ WordPress Shortcodes Security Patch | Threatpost | The first stop for security news https://threatpost.com/wordpress-patches-serious-shortcodes-core-engine-... Bug Bounties, (Non) Lawsuits and Working with the Research Community \xab Executive Perspective | FireEye Inc https://www.fireeye.com/blog/executive-perspective/2015/09/bug_bounties_... Lattice-based cryptography - Wikipedia, the free encyclopedia https://en.wikipedia.org/wiki/Lattice-based_cryptography Quantum-safe Security : Cloud Security Alliance https://cloudsecurityalliance.org/group/quantum-safe-security/ NSA preps quantum-resistant algorithms to head off crypto-apocalypse | Ars Technica http://arstechnica.com/security/2015/08/nsa-preps-quantum-resistant-algo...

Risky Business #382 -- Charlie Miller talks car hax, Uber

Patrick Gray — Thu, 10 Sep 2015 00:00:00 +1000

On this week's show we're checking in with Charlie Miller. We chat car hacking and we also (kind of) find out what he's up to now he's working at Uber. This week's show is brought to you by HackLabs, an Australian security consultancy. They're a key sponsor of Australia's Cyber Security Challenge, which is basically a CTF for Australian CS students. What makes this one a bit different is it's being run by the Prime Minister's Office, which is, yeah, unexpected. Chris joins us later to discuss the challenge, that's this week's sponsor interview. Adam Boileau, as always, stops in to discuss the week's news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Is John McAfee running for US president? 'My campaign manager told me not to comment' \u2022 The Register http://www.theregister.co.uk/2015/09/08/mcafee2016/ Ex-Ashley Madison CTO Threatens Libel Suit - Krebs on Security http://krebsonsecurity.com/2015/09/ex-ashley-madison-cto-threatens-libel... Ashley Madison made dumb security mistakes, researcher says \u2022 The Register http://www.theregister.co.uk/2015/09/08/ashley_madison_made_dumb_securit... Extorting money from Ashley Madison customers is actually pretty easy | Ars Technica http://arstechnica.com/business/2015/09/extorting-money-from-ashley-madi... Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions | Ars Technica http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-spons... Lockpickers 3-D Print TSA Master Luggage Keys From Leaked Photos | WIRED http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leak... Russian Spy Gang Hijacks Satellite Links to Steal Data | WIRED http://www.wired.com/2015/09/turla-russian-espionage-gang-hijacks-satell... The Feds Need a Warrant to Spy With Stingrays From Now On | WIRED http://www.wired.com/2015/09/feds-need-warrant-spy-stingrays-now/ The Untold Story of Silk Road, Part 2: The Fall | WIRED http://www.wired.com/2015/05/silk-road-2/ US counter-intel czar to hack victims: "raise shields" against spearphishing | Ars Technica http://arstechnica.com/security/2015/09/us-counterintelligence-czar-tell... Director of national intelligence: Snowden forced "needed transparency" | Ars Technica http://arstechnica.com/tech-policy/2015/09/director-of-national-intellig... FTC, Experts Push Startups to Think About Security From the Beginning | Threatpost | The first stop for security news https://threatpost.com/ftc-experts-push-startups-to-think-about-security... Bitcoin cyberextortionists are blackmailing banks, corporations | Ars Technica http://arstechnica.com/business/2015/09/uk-banks-corporations-are-being-... MS researchers claim to crack encrypted database with old simple trick | Ars Technica http://arstechnica.com/security/2015/09/ms-researchers-claim-to-crack-en... Researchers respond to developer's accusation that they used crypto wrong | Ars Technica http://arstechnica.com/information-technology/2015/09/researchers-respon... Mozilla: data stolen from hacked bug database was used to attack Firefox | Ars Technica http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-... Serious bug causes "quite a few" HTTPS sites to reveal their private keys | Ars Technica http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-h... Many new top-level domains have become Internet's "bad neighborhoods" [Updated] | Ars Technica http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-... Lateline - 09/09/2015: Its been described by the Government as its latest security weapon, but is the National Facial Biometric Matching Capability open to misuse? http://www.abc.net.au/lateline/content/2015/s4309519.htm Gloves on as Googler deposits foul zero-day on Kaspersky lawn \u2022 The Register http://www.theregister.co.uk/2015/09/08/kaspersky_0day/ Hacker drops zero-day, opens FireEye fire sale \u2022 The Register http://www.theregister.co.uk/2015/09/08/fireeye_0day/ Attack code exploiting Android's critical Stagefright bugs is now public | Ars Technica http://arstechnica.com/security/2015/09/attack-code-exploiting-androids-... It's still 2015, and your Windows PC can still be pwned by a webpage \u2022 The Register http://www.theregister.co.uk/2015/09/08/patch_tuesday_sept2015/ An Android Porn App Takes Your Photo and Holds It to Ransom http://gizmodo.com/an-android-porn-app-takes-your-photo-and-holds-it-to-... Greg! The Stop Sign!! by TISM - a metaphor for our collective mortality | Music | The Guardian http://www.theguardian.com/music/2014/nov/25/greg-the-stop-sign-by-tism-... TISM - Greg! The Stop Sign!!! - YouTube https://www.youtube.com/watch?v=z4Sr63_EDBc

Serious Business #5 -- Kanye 2020, vaccination-free childcare and the EU refugee crisis

Patrick Gray — Mon, 07 Sep 2015 00:00:00 +1000

Hey everyone and welcome to Serious Business number 5! This is the podcast I do about non infosec related topics. It's less of a professional information security digest and more of an excuse for me to blab with my cohost, comedian Dan Ilic, about serious stuff every few weeks. WARNING: Contains a fair bit of discussion about Australian politics. You may be permanently scarred after listening. On this edition of the show we're talking to Dan about a bunch of stuff. Kanye West has apparently announced he's running for president in 2020, we talk about that. We talk about Donald Trump because, wow... just wow... Then we move on to the depressing stuff, the European refugee crisis. Are the handful of flashpoint images and stories actually going to get people motivated about fixing the wider problem? Or will they result in a few Kickstarters to directly help the affected individuals, absolving donors of their first world guilt? We have a bob each way on that one. We talk about the vaccination free childcare centre springing up in my 'hood -- geez, what could go wrong there -- and finally we look at the way streaming services are reshaping the media landscape, in particular the types of shows that are being commissioned. Could NetFlix spell the end of high-quality tv news and current affairs?

Risky Business #381 -- Samy Kamkar on his outlaw days

Patrick Gray — Thu, 03 Sep 2015 00:00:00 +1000

On this week's show we're chatting with hacker superstar and YouTube phenomenon Samy Kamkar. Samy is a security researcher of note -- his recent hardware hacks have been coming thick and fast. This week I spoke to him about his brush with the law following his unleashing of the Samy worm on MySpace a decade ago, some of his recent research and his plans for the future. This week's show is brought to you by Tenable Network Security! Big thanks to Tenable for its support of the Risky Business podcast, we sure do appreciate it. So in this week's sponsor interview we're speaking with Tenable's very own Cris Thomas, a.k.a. Space Rogue. He was one of the early l0pht crew and this week we get his thoughts of the encroachment of security into pop culture and mainstream media. Between the Ashley Madison data breach's media impact and the fantastic USA Network television program Mr. Robot, is the security community finally getting the love its been craving all this time? Adam Boileau, as always, joins the show for a look at the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes 12 Must-Follow Feeds in the World of Security | WIRED http://www.wired.com/2015/09/12-must-follow-feeds-world-security/ Prepare to be Thunderstruck: What if 'deuszu' ISN'T the Ashley Madison hacker? \u2022 The Register http://www.theregister.co.uk/2015/09/01/prepare_to_be_thunderstruck_what... What us worry? Ashley Madison says it added over 100K users last week | Ars Technica http://arstechnica.com/security/2015/08/what-us-worry-ashley-madison-say... Ecuador Considered Smuggling Julian Assange to Freedom in a Bag | WIRED http://www.wired.com/2015/09/ecuador-considered-smuggling-julian-assange... Uber Hires the Hackers Who Wirelessly Hijacked a Jeep | WIRED http://www.wired.com/2015/08/uber-hires-hackers-wirelessly-hijacked-jeep/ Malware infecting jailbroken iPhones stole 225,000 Apple account logins | Ars Technica http://arstechnica.com/security/2015/08/malware-infecting-jailbroken-iph... China and Russia cross-referencing OPM data, other hacks to out US spies | Ars Technica http://arstechnica.com/security/2015/08/china-and-russia-cross-referenci... Lizard Squad launches DDoS against UK law enforcement agency | Ars Technica http://arstechnica.com/security/2015/09/lizard-squad-launches-ddos-again... Six Nabbed for Using LizardSquad Attack Tool - Krebs on Security http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-atta... Spooks, plod and security industry join to chase bank hacker \u2022 The Register http://www.theregister.co.uk/2015/08/28/irate_security_posse_intel_spook... BitTorrent patched against flaw that allowed crippling DoS attacks | Ars Technica http://arstechnica.com/security/2015/08/bittorrent-patched-against-flaw-... Former security intern admits developing super-stealthy Android spyware | Ars Technica http://arstechnica.com/security/2015/08/former-security-intern-admits-de... Android ransomware uses XMPP chat to call home, claims it's from NSA | Ars Technica http://arstechnica.com/security/2015/09/android-ransomware-uses-xmpp-cha... OPM (Mis)Spends $133M on Credit Monitoring - Krebs on Security http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/ White House eyes sanctions for China over cyber-theft of trade secrets | Ars Technica http://arstechnica.com/tech-policy/2015/08/white-house-eyes-sanctions-fo... Lawyer: Turkey Arrested Journalists to Deter Foreign Media - ABC News http://abcnews.go.com/International/wireStory/lawyer-turkey-arrested-jou... Jihadist Fan Club CryptoCrap - Hacker OPSEC http://grugq.github.io/blog/2014/08/09/jihadist-fan-crypto/ FBI: $1.2B Lost to Business Email Scams - Krebs on Security http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/ How a bug in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-expos... Associated Press sues FBI for impersonating its site to install spyware \u2022 The Register http://www.theregister.co.uk/2015/08/28/associated_press_sues_fbi_for_im... Netflix Sleepy Puppy Cross-Site Scripting Payload Framework | Threatpost | The first stop for security news https://threatpost.com/netflix-sleepy-puppy-awakens-xss-vulnerabilities-... xss-filters https://www.npmjs.com/package/xss-filters secure-handlebars https://www.npmjs.com/package/secure-handlebars Sneaky adware caught accessing users' Mac Keychain without permission | Ars Technica http://arstechnica.com/security/2015/09/sneaky-adware-caught-accessing-u... Attacks accessing Mac keychain without permission date back to 2011 | Ars Technica http://arstechnica.com/security/2015/09/attacks-accessing-mac-keychain-w... Google Chrome 45 Security Patches, Bug Bounty Awards | Threatpost | The first stop for security news https://threatpost.com/google-patches-critical-vulnerabilities-in-chrome... Cyber Security Challenge Australia https://www.cyberchallenge.com.au/ Combo Breaker - motorized combo lock cracking device - YouTube https://www.youtube.com/watch?v=YcpSvHpbHQ4 Home by waxheadmusic | Free Listening on SoundCloud https://soundcloud.com/waxheadmusic/home InControl Remote Mobile App | Land Rover USA http://www.landroverusa.com/ownership/incontrol/index.html

Risky Business #380 -- AshMad fallout: Attackers doxed, suicides and mayhem

Patrick Gray — Thu, 27 Aug 2015 00:00:00 +1000

On this week's show we look at the fallout from the Ashley Madison attack. Did Brian Krebs just dox the Impact Team ringleader? Is he Australian? Adam Boileau and I talk about all the AshMad fallout and other infosec news. This week's show is brought to you by RSA. And in this week's sponsor interview we're chatting with RSA's Brett Williams about vendor trends; looking at the big endpoint push of 2015. I also picked his brain on the SIEM vs full packet capture/big data approach. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Ashley Madison: 'Suicides' over website hack - BBC News http://www.bbc.com/news/technology-34044506 AshleyMadison: $500K Bounty for Hackers - Krebs on Security http://krebsonsecurity.com/2015/08/ashleymadison-500k-bounty-for-hackers/ Ashley Madison Hackers Release an Even Bigger Batch of Data | WIRED http://www.wired.com/2015/08/ashley-madison-hackers-release-even-bigger-... Leaked AshleyMadison Emails Suggest Execs Hacked Competitors - Krebs on Security http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-e... Ashley Madison Hit With $500 Million in Lawsuits | WIRED http://www.wired.com/2015/08/ashley-madison-hit-500-million-lawsuits/ Ashley Madison Offering $500K Reward for Info on Hackers | WIRED http://www.wired.com/2015/08/ashley-madison-offering-500k-reward-info-ha... Almost None of the Women in the Ashley Madison Database Ever Used the Site http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-databa... Exposed Ashley Madison members targeted by scammers and extortionists | Ars Technica http://arstechnica.com/security/2015/08/exposed-ashley-madison-members-t... Ashley Madison hackers leave footprints that may help investigators | Ars Technica http://arstechnica.com/security/2015/08/ashley-madison-hackers-leave-foo... Who Hacked Ashley Madison? - Krebs on Security http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/ Street Gangs, Tax Fraud and 'Drop Hoes' - Krebs on Security http://krebsonsecurity.com/2015/08/street-gangs-tax-fraud-and-drop-hoes/ IRS' estimate of tax records stolen by fraudsters soars to over 300,000 | Ars Technica http://arstechnica.com/security/2015/08/irs-estimate-of-tax-records-stol... Agora, the Dark Web's Biggest Drug Market, Is Going Offline | WIRED http://www.wired.com/2015/08/agora-dark-webs-biggest-drug-market-going-o... GitHub attacked again as Chinese developers forced by police to pull code | Ars Technica http://arstechnica.com/security/2015/08/github-attacked-again-as-chinese... Court Says the FTC Can Slap Companies for Getting Hacked | WIRED http://www.wired.com/2015/08/court-says-ftc-can-slap-companies-getting-h... Spotify Clears Up Its Controversial Privacy Policy | WIRED http://www.wired.com/2015/08/spotify-clears-up-its-privacy-policy/ Mr. Robot Finale Postponed in Wake of Virginia TV Station Shooting | WIRED http://www.wired.com/2015/08/mr-robot-finale-postponed-virginia-shooting/ Pro-Government Twitter Bots Try to Hush Mexican Activists | WIRED http://www.wired.com/2015/08/pro-government-twitter-bots-try-hush-mexica... Facebook ThreatExchange Information Sharing | Threatpost | The first stop for security news https://threatpost.com/facebook-updates-information-sharing-platform/114370 Facebook Opens ThreatExchange Information Sharing Platform | Threatpost | The first stop for security news https://threatpost.com/facebook-threatexchange-platform-latest-hope-for-... Google Pulls App Exploiting Certifi-Gate Vulnerability | Threatpost | The first stop for security news https://threatpost.com/google-pulls-app-exploiting-certifi-gate-vulnerab... Details Surface on Patched Sandbox Violation Vulnerability in iOS | Threatpost | The first stop for security news https://threatpost.com/details-surface-on-patched-sandbox-violation-vuln... Apple Patches iOS Ins0mnia Vulnerability | Threatpost | The first stop for security news https://threatpost.com/patched-ins0mnia-vulnerability-keeps-malicious-io... August 2015 Apple QuickTime Security Patches | Threatpost | The first stop for security news https://threatpost.com/apple-patches-quicktime-crash-and-code-execution-... MT WARNING | Free Listening on SoundCloud https://soundcloud.com/mtwarningmusic MT WARNING http://mtwarningmusic.com/shows/

Risky Business #379 -- Ashley Madison dump, Troy Hunt and The Grugq

Patrick Gray — Thu, 20 Aug 2015 00:00:00 +1000

In this week's podcast we check in with Troy Hunt from HaveIBeenPwned.com. Troy has done the responsible thing in adding the Ashley Madison dataset to his service -- you can only search for email addresses in the dump after you've verified that you control them. We'll talk to him about why he did that. This week's show is brought to you by FireEye and FireEye senior systems engineer Ben Wilson stops by to have a chat about some neat tricks attackers and malware authors are getting up to with various scripts on Windows. WMI for persistence is a thing now, for example. It's a really interesting chat that one and it's coming up a bit later. The Grugq is in the news chair this week, filling in for Adam Boileau. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and The Grugq on Twitter if that's your thing. Show notes Was the Ashley Madison Database Leaked? - Krebs on Security http://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/ Ashley Madison hack is not only real, it's worse than we thought | Ars Technica http://arstechnica.com/security/2015/08/ashley-madison-hack-is-not-only-... Microsoft issues emergency patch for critical IE bug under active exploit | Ars Technica http://arstechnica.com/security/2015/08/microsoft-issues-emergency-patch... Exclusive: Russian antivirus firm faked malware to harm rivals - Ex-employees | Reuters http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ... Crackdowns Haven't Stopped the Dark Web's $100M Yearly Drug Sales | WIRED http://www.wired.com/2015/08/crackdowns-havent-stopped-dark-webs-100m-ye... What We Know About the NSA and AT&T's Spying Pact | WIRED http://www.wired.com/2015/08/know-nsa-atts-spying-pact/ Busting the Biggest Myth of CISA---That the Program Is Voluntary | WIRED http://www.wired.com/2015/08/access-cisa-myth-of-voluntary-info-sharing/ Virginia Finally Drops America's 'Worst Voting Machines' | WIRED http://www.wired.com/2015/08/virginia-finally-drops-americas-worst-votin... How Not to Start an Encryption Company - Krebs on Security http://krebsonsecurity.com/2015/08/how-not-to-start-an-encryption-company/ How BitTorrent could let lone DDoS attackers bring down big sites | Ars Technica http://arstechnica.com/security/2015/08/how-bittorrent-could-let-lone-dd... RPC Portmapper Reflective DDoS Attacks | Threatpost | The first stop for security news https://threatpost.com/reflection-ddos-attacks-abusing-rpc-portmapper/11... Android security on the ropes with one-two punch from researchers | Ars Technica http://arstechnica.com/security/2015/08/android-security-on-the-ropes-wi... Your BMW or Benz Could Also Be Vulnerable to That GM OnStar Hack | WIRED http://www.wired.com/2015/08/bmw-benz-also-vulnerable-gm-onstar-hack/ My browser visited Weather.com and all I got was this lousy malware (Updated) | Ars Technica http://arstechnica.com/security/2015/08/my-browser-visited-drudgereport-... Luca Todesco OS X Zero Day Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/inside-the-unpatched-os-x-vulnerabilities/114344 Bugged, Tracked, Hacked | 60 Minutes | 9Jumpin http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/ Troy Hunt: Here's how I'm going to handle the Ashley Madison data http://www.troyhunt.com/2015/07/heres-how-im-going-to-handle-ashley.html fireeye/flare-wmi \xb7 GitHub https://github.com/fireeye/flare-wmi https://www.insomniasec.com/downloads/publications/shellgame.pdf

An open letter to Risky Business Patreon supporters

Patrick Gray — Wed, 19 Aug 2015 00:00:00 +1000

Hey to all you Patreon people! First up, a big thanks to you for helping out the show. It's been really heartening to see so many of you value Risky Business enough to put your hands in your pockets and make a contribution. The original idea behind the Patreon campaign was that if I hit the target I could take that money and throw it at an industrial unit here in Byron Bay and turn it into a proper studio. After 11.5 years working from home full time, I've been feeling a bit cooped up. The plan was to buy one and use the Patreon contributions to help service the debt. I'd get an office to work in, and over time I'd be building some equity in some bricks and mortar which will come in handy if I'm lucky enough to get too old to work. Well, we haven't hit the target (it was ambitious) and property prices have gone berserk here in Australia over the last 12 months. Also, commercial finance in this country is fraught. I wouldn't be able to get a loan for a commercial property anyway. (Not without a fully paid-off house as security.) So I'm switching my plans up and it looks like the most realistic thing I can do is to eventually build a backyard office designed for sound production. (Carpeted walls, right shape etc.) I've got enough room for something small in the backyard (Maybe 2.5m x 3m), and while I don't absolutely need it right now, I'm going to eventually. So the plan that I had with the money raised via the Patreon campaign has changed. The unit idea is out, but the backyard studio is in. The thing is, I have no idea when I'll be able to do that. It's a hell of a thing to organise and I'm pretty busy renovating my house at the moment. And there's still the possibility that I'll just say "You know what? I like that patch of lawn just the way it is". I doubt it, but it's a consideration. Patreon pledges are up to about $1100 a month from around 200 patrons, so an average of about $5 a month each, which works out to $1.35 per patron per podcast. I could pay down a small garden studio in a few years at this rate, purely with listener contributions. That's pretty awesome. But again, I'm not sure when I'll pull the trigger on that. So that's my mini rant in the interests of transparency. I don't want to wind up like Bronwyn Bishop in some sort of misappropriation scandal, so I'm letting you all know that the original idea isn't going to happen. I'm pretty sure most of you are happy to just support the podcast and you don't really care where the money goes, but it's important to be open I think. If you don't want to support the show in this way anymore I respect it, but it's helping and I appreciate it. Many thanks to all of you, Pat

Risky Business #378 -- Mary Ann Davidson vs Krebs and Dowd

Patrick Gray — Thu, 13 Aug 2015 00:00:00 +1000

On this week's show we're chatting with Mark Dowd and Brian Krebs about Oracle CSO Mary Ann Davidson's somewhat odd blog post from earlier this week. In the post she laid into security researchers for violating Oracle's EULA when reverse engineering their products. The post got pulled, much drama, we sift through the ashes of that. Plus we chat to Brian about the daring $46.7m online heist against Ubiquiti Networks. This week's show is brought to you by BugCrowd. But in this week's sponsor interview we're not chatting with a BugCrowd representative, we're speaking to one of its customers instead. Paul Moreno from Pinterest drops by to talk about his experience in operating a bug bounty through an outsourced provider. Adam Boileau, as always, joins the show to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Doubts cast on Islamic State's so-called leak of US .mil, .gov passwords \u2022 The Register http://www.theregister.co.uk/2015/08/12/islamic_panic/ Attackers are hijacking critical networking gear from Cisco, company warns | Ars Technica http://arstechnica.com/security/2015/08/attackers-are-hijacking-critical... Why Not Insider Trade on Every Company? - Bloomberg View http://www.bloombergview.com/articles/2015-08-11/why-not-insider-trade-o... Sen. Warren Worried About Banks' New Encrypted Messaging Platform | Threatpost | The first stop for security news https://threatpost.com/sen-warren-worried-about-banks-new-encrypted-mess... Russia hacks Pentagon computers: NBC, citing sources http://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citin... Manipulating Microsoft WSUS to Own Enterprises | Threatpost | The first stop for security news https://threatpost.com/manipulating-wsus-to-own-enterprises/114168 Imploding Barrels and Other Highlights From Hackfest DefCon | WIRED http://www.wired.com/2015/08/highlights-from-defcon-2015/ Hackers Cut a Corvette's Brakes Via a Common Car Gadget | WIRED http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car... Internet-Connected Gas Pumps Are a Lure for Hackers | WIRED http://www.wired.com/2015/08/internet-connected-gas-pumps-lure-hackers/ Researchers Hacked a Model S, But Tesla's Already Released a Patch | WIRED http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/ Meet RollJam, the $30 device that jimmies car and garage doors | Ars Technica http://arstechnica.com/security/2015/08/meet-rolljam-the-30-device-that-... Researchers reveal electronic car lock hack after 2-year injunction by Volkswagen | Ars Technica http://arstechnica.com/security/2015/08/researchers-reveal-electronic-ca... "Funtenna" software hack turns a laser printer into a covert radio | Ars Technica http://arstechnica.com/security/2015/08/funtenna-software-hack-turns-a-l... Hack of telematics device lets attackers mess with car's brakes | Ars Technica http://arstechnica.com/cars/2015/08/hack-of-telematics-device-lets-attac... The Windows 10 Security Settings You Need to Know | WIRED http://www.wired.com/2015/08/windows-10-security-settings-need-know/ Lenovo used Windows anti-theft feature to install persistent crapware | Ars Technica http://arstechnica.com/information-technology/2015/08/lenovo-used-window... Darkhotel APT Latest to Use Hacking Team Zero Day | Threatpost | The first stop for security news https://threatpost.com/darkhotel-apt-latest-to-use-hacking-team-zero-day... 0-day attack on Firefox users stole password and key data: Patch now! | Ars Technica http://arstechnica.com/security/2015/08/0-day-attack-on-firefox-users-st... Attackers actively exploit Windows bug that uses USB sticks to infect PCs | Ars Technica http://arstechnica.com/security/2015/08/attackers-actively-exploit-windo... Microsoft Patches USB-Related Flaw Used in Targeted Attacks | Threatpost | The first stop for security news https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-target... August 2015 Microsoft Patch Tuesday Security Bulletins | Threatpost | The first stop for security news https://threatpost.com/microsoft-patches-critical-vulnerabilities-in-new... Severe weaknesses in Android handsets could leak user fingerprints | Ars Technica http://arstechnica.com/security/2015/08/severe-weaknesses-in-android-han... Android 'Serialization' Vulnerability Affects 55 Percent of Devices | Threatpost | The first stop for security news https://threatpost.com/patched-android-serialization-vulnerability-affec... Huge Flash Update Patches More Than 30 Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/huge-flash-update-patches-more-than-30-vulnerabil... Oracle security chief to customers: Stop checking our code for vulnerabilities [Updated] | Ars Technica http://arstechnica.com/information-technology/2015/08/oracle-security-ch... Tech Firm Ubiquiti Suffers $46M Cyberheist - Krebs on Security http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberh... History | DAN WARNER http://danwarner.com.au/history/

Risky Business #377 -- Wassenaar back to drawing board, latest from BlackHat

Patrick Gray — Thu, 06 Aug 2015 00:00:00 +1000

On this week's show we discuss the BIS decision to ditch its car-a-zay plans for Wassenaar regulation, the latest car hacking news and more. We also check in with Trey Ford in this week's feature slot. Trey was the General Manager of the BlackHat conference, these days he works at Rapid7, and he joins us to talk about the vibe in Vegas at this year's conference. This week's show is brought to you by RSA Security! Big thanks to RSA for making this week's show possible. RSA's very own Chris Thomas will be joining us in this week's sponsor interview to talk about the role industry should be playing in education. RSA is helping a few universities set up "learning SOCs", but where to from there? Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Government Takes Second Look at US Wassenaar Rules | Threatpost | The first stop for security news https://threatpost.com/unusual-re-do-of-us-wassenaar-rules-applauded/114096 Chrysler and Harman Hit With a Class Action Complaint After Jeep Hack | WIRED http://www.wired.com/2015/08/chrysler-harman-hit-class-action-complaint-... Patch Your OnStar iOS App to Avoid Getting Your Car Hacked | WIRED http://www.wired.com/2015/07/patch-gm-onstar-ios-app-avoid-wireless-car-... This Gadget Hacks GM Cars to Locate, Unlock, and Start Them (UPDATED) | WIRED http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/ Hackers Could Heist Semis by Exploiting This Satellite Flaw | WIRED http://www.wired.com/2015/07/hackers-heist-semis-exploiting-satellite-flaw/ Hackers Can Seize Control of Electric Skateboards and Toss Riders | WIRED http://www.wired.com/2015/08/hackers-can-seize-control-of-electric-skate... DRAM "Bitflipping" exploit for attacking PCs: Just add JavaScript | Ars Technica http://arstechnica.com/security/2015/08/dram-bitflipping-exploit-for-att... "Thunderstrike 2" rootkit uses Thunderbolt accessories to infect Mac firmware [Updated] | Ars Technica http://arstechnica.com/apple/2015/08/thunderstrike-2-rootkit-uses-thunde... 0-day bug in fully patched OS X comes under active exploit to bypass password protection | Ars Technica http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-... Inside the $100M 'Business Club' Crime Gang - Krebs on Security http://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crime-g... Chinese VPN Service as Attack Platform? - Krebs on Security http://krebsonsecurity.com/2015/08/chinese-vpn-service-as-attack-platform/ Newly discovered Chinese hacking group hacked 100+ websites to use as "watering holes" | Ars Technica http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking... China-Tied Hackers That Hit U.S. Said to Breach United Airlines - Bloomberg Business http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-tha... Russian hacker targets CommSec, E*TRADE retail accounts http://www.theage.com.au/business/markets/russian-hacker-targets-commsec... New attack on Tor can deanonymize hidden services with surprising accuracy | Ars Technica http://arstechnica.com/security/2015/07/new-attack-on-tor-can-deanonymiz... Bound to happen: BIND bug exploits now in the wild \u2022 The Register http://www.theregister.co.uk/2015/08/04/bind_bug_exploits_now_in_the_wild/ Windows 10 Upgrade Spam Carries CTB-Locker Ransomware | Threatpost | The first stop for security news https://threatpost.com/windows-10-upgrade-spam-carries-ctb-locker-ransom... drspringfield / cabletables - Bitbucket https://bitbucket.org/drspringfield/cabletables John McAfee cuffed by Tennessee cops, faces drug-driving, gun rap \u2022 The Register http://www.theregister.co.uk/2015/08/05/tennessee_cops_stops_john_mcafee... McAfee tells El Reg: 'My shootout with the police was highly exaggerated' \u2022 The Register http://www.theregister.co.uk/2015/08/05/john_mcafee_says_police_shootout... Office Lip Dub - Everything's Under Control by Peregrine - YouTube https://www.youtube.com/watch?v=o8DQKieBPNU

Risky Business #376 -- Sniper rifles, bank safes and Android all pwned

Patrick Gray — Thu, 30 Jul 2015 00:00:00 +1000

This week we're checking in with Josh Drake of Zimperium. With exploitation of Stagefright via Josh's sweet, sweet exploit you'd think the mother of all worms is coming. Well, probably not. Later versions of Android are tricky to exploit, and the diversity of hardware in earlier versions means coming up with one exploit to rule them all isn't really feasible. We'll drill down into that with Josh in a little while. This week's show is brought to you by Tenable Network Security. Tenable's very own Jack Daniel will be along in this week's sponsor interview to add a bit of context to recent car hacking news. Jack was a mechanic in a previous life. I myself worked for Bosch as an engineer designing automotive electronics in the 90s. So we put our old man pants on and talk about how we arrived in a world where 1.4 million Chrysler owners are patching their vehicles against security flaws using a mailed out USB stick. Adam Boileau, as usual, joins the show to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Hackers Can Disable a Sniper Rifle-Or Change Its Target | WIRED http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-t... Brinks' Super-Secure Smart Safes: Not So Secure | WIRED http://www.wired.com/2015/07/brinks-super-secure-smart-safes-not-secure/ Researchers Hack Air-Gapped Computer With Simple Cell Phone | WIRED http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple... US Census Bureau IT systems hacked, data leaked by Anonymous \u2022 The Register http://www.theregister.co.uk/2015/07/23/us_census_bureau_hacked/ NSA: We'll move your metadata into /dev/null when you stop suing us \u2022 The Register http://www.theregister.co.uk/2015/07/27/nsa_phone_metadata_latest/ White House Says No Thanks to Snowden Pardon Petition | Threatpost | The first stop for security news https://threatpost.com/white-house-says-no-thanks-to-snowden-pardon-peti... New Chrome Extension Helps Combat Keyboard Biometrics | Threatpost | The first stop for security news https://threatpost.com/new-chrome-extension-helps-combat-keyboard-biomet... Researchers claim they've developed a better, faster Tor | Ars Technica http://arstechnica.com/information-technology/2015/07/researchers-claim-... A public marketplace for hackers-what could possibly go wrong? | Ars Technica http://arstechnica.com/security/2015/07/a-public-marketplace-for-hackers... Pakistan bans BlackBerry messaging, e-mail for "security reasons" | Ars Technica http://arstechnica.com/security/2015/07/pakistan-bans-blackberry-messagi... What amateurs can learn from security pros about staying safe online | Ars Technica http://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-sec... Yahoo Touts Success of Bug Bounty Program | Threatpost | The first stop for security news https://threatpost.com/yahoo-touts-success-of-bug-bounty-program/114019 Malvertising campaign hits 10 MEELLION users in 10 days \u2022 The Register http://www.theregister.co.uk/2015/07/29/malvertising_affects_10_million/ Click-Fraud Malware Spreading via JavaScript Attachments | Threatpost | The first stop for security news https://threatpost.com/click-fraud-malware-spreading-via-javascript-atta... Group that hacked Anthem shared weaponized 0-days with rival attackers | Ars Technica http://arstechnica.com/security/2015/07/group-that-hacked-anthem-shared-... Apple Patches Remote 'Invoice Vulnerability' in iTunes, App Store | Threatpost | The first stop for security news https://threatpost.com/apple-patches-remote-invoice-vulnerability-in-itu... Xen reports new guest-host escape, this time through CD-ROMs \u2022 The Register http://www.theregister.co.uk/2015/07/28/xen_reports_new_guesthost_escape... PHP File Manager Riddled With Vulnerabilities, Including Backdoor | Threatpost | The first stop for security news https://threatpost.com/php-file-manager-riddled-with-vulnerabilities-inc... New vulnerability can put Android phones into permanent vegetative state | Ars Technica http://arstechnica.com/security/2015/07/new-vulnerability-can-put-androi... WordPress Patches Critical XSS Vulnerability in All Builds | Threatpost | The first stop for security news https://threatpost.com/wordpress-patches-critical-xss-vulnerability-in-a... Valve patches security hole that enabled takeover of Steam accounts | Ars Technica http://arstechnica.com/gaming/2015/07/valve-patches-security-hole-that-e... Critical Remotely Exploitable Bug Haunts BIND | Threatpost | The first stop for security news https://threatpost.com/critical-remotely-exploitable-bug-haunts-bind/114008 950 million Android phones can be hijacked by malicious text messages | Ars Technica http://arstechnica.com/security/2015/07/950-million-android-phones-can-b... La Polic\xeda by labjacd | Free Listening on SoundCloud https://soundcloud.com/labjacd/la-policia

Serious Business #4 -- Reclaim Australia, Donald Trump and Ashley Madison

Patrick Gray — Fri, 24 Jul 2015 00:00:00 +1000

This is the podcast I do for shiggles with Australian comedian, radio and TV personality Dan Ilic. This week we're talking about the nationalist, anti-Islam rallies held across Australia over the last week or so. We also chat about Donald Trump being a douche and Barack Obama's new lease of life as a lame duck president. Oh, and we also talk about the Ashley Madison hack because, hey, who isn't...

Risky Business #375 -- Ashley Madison, Jeep hacks drive news agenda

Patrick Gray — Thu, 23 Jul 2015 00:00:00 +1000

In this week's feature interview we're chatting with Dave Jorm, our resident North Korea watcher. Some of you might remember Dave, he was on the show a couple of years ago talking about his OSINT satellite data analysis of North Korea and more recently he popped by to talk about software defined networking security. Well, some recent analysis of North Korea's official Red Star OS has found it has a nasty habit -- it watermarks media files that users open with a unique ID. This will of course help the North Korean regime to track down the smugglers of digital media, whether that's activist material or South Korean soaps, which are most definitely verboten in the hermit kingdom. This week's show is brought to you by Intralinks -- these guys do secure document exchange and storage. Intralinks very own Todd Partridge drops by to talk about how their customers are actually customising these types of document services. Adam Boileau, as usual, joins the show to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Online Cheating Site AshleyMadison Hacked - Krebs on Security http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-ha... Hackers Remotely Kill a Jeep on the Highway-With Me in It | WIRED http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ Patch Your Chrysler Now Against a Wireless Hacking Attack | WIRED http://www.wired.com/2015/07/patch-chrysler-vehicle-now-wireless-hacking... Senate Bill Seeks Standards For Cars' Defenses From Hackers | WIRED http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-h... Google Calls Proposed U.S. Wassenaar Rules 'Not Feasible' | Threatpost | The first stop for security news https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-fea... Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-... SSD Advisory - Trend Micro Threat Intelligence Manager Multiple Vulnerabilities Remote Code Execution | SecuriTeam Blogs https://blogs.securiteam.com/index.php/archives/2502 Hacking Team apparently violated EU rules in sale of spyware to Russian agency | Ars Technica http://arstechnica.com/tech-policy/2015/07/hacking-teams-surveillance-so... Hacking Team Says It Always Sold 'Strictly Within the Law' | Threatpost | The first stop for security news https://threatpost.com/hacking-team-claims-it-always-sold-strictly-withi... Netragard Shutters Controversial Exploit Acquisition Program | Threatpost | The first stop for security news https://threatpost.com/netragard-shutters-controversial-exploit-acquisit... Researcher angry after finding his code in Hacking Team malware | Ars Technica http://arstechnica.com/security/2015/07/researcher-takes-umbrage-after-f... Obama administration decides not to blame China publicly for OPM hack | Ars Technica http://arstechnica.com/tech-policy/2015/07/obama-administration-decides-... Four men reportedly arrested in connection to JPMorgan Chase hack | Ars Technica http://arstechnica.com/tech-policy/2015/07/4-men-reportedly-arrested-in-... UK man accused of hacking spree on US government is arrested (again) | Ars Technica http://arstechnica.com/security/2015/07/uk-man-accused-of-hacking-spree-... Experian Hit With Class Action Over ID Theft Service - Krebs on Security http://krebsonsecurity.com/2015/07/experian-hit-with-class-action-over-i... Hacking Team's evil Android app had code to bypass Google Play screening | Ars Technica http://arstechnica.com/security/2015/07/hackingteams-evil-android-app-ha... Dozens of phone apps with 300M downloads vulnerable to password cracking | Ars Technica http://arstechnica.com/security/2015/07/dozens-of-phone-apps-with-300m-d... New Campaign Targeting Japanese with Hacking Team Zero Day | Threatpost | The first stop for security news https://threatpost.com/new-campaign-targeting-japanese-with-hackingteam-... Free Tool Looks for HackingTeam Malware | Threatpost | The first stop for security news https://threatpost.com/free-tool-looks-for-hackingteam-malware/113850 OpenDNS BGP Stream Twitter Feed | Threatpost | The first stop for security news https://threatpost.com/bgp-security-alerts-coming-to-twitter/113843 Bug in widely used OpenSSH opens servers to password cracking | Ars Technica http://arstechnica.com/security/2015/07/bug-in-widely-used-openssh-opens... Google Patches 43 Bugs in Chrome | Threatpost | The first stop for security news https://threatpost.com/google-patches-43-bugs-in-chrome/113892 Bug in latest version of OS X gives attackers unfettered root privileges | Ars Technica http://arstechnica.com/security/2015/07/bug-in-latest-version-of-os-x-gi... Microsoft Issues Critical, Out-of-Band Patch for All Versions of Windows | Threatpost | The first stop for security news https://threatpost.com/microsoft-issues-critical-out-of-band-patch-for-a... RedStar OS Watermarking - Insinuator http://www.insinuator.net/2015/07/redstar-os-watermarking/ Secure Collaboration + Content Management | Intralinks https://www.intralinks.com/

Risky Business #374 -- Anti-Flash sentiment sweeps the globe

Patrick Gray — Thu, 16 Jul 2015 00:00:00 +1000

On this week's show we'll be checking in with Richard Forno on the fallout from the OPM breach. Richard has been kicking around in DC infosec circles for a long time now and he let's us know what the mood is like inside the beltway. In this week's sponsor interview we chat with Chris Gatford of HackLabs! HackLabs is an Australia-based pentesting and consulting firm and we're speaking to Chris about the changing nature of security consultancies. Adam Boileau, as usual, joins the show to discuss the week's news, which has been dominated by calls for the axing of the Flash plugin and the continued fallout from the Hacking Team breach. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Flash. Must. Die. | WIRED http://www.wired.com/2015/07/adobe-flash-player-die/ Microsoft nixes A-V updates for XP, exposes 180 MEEELLION luddites \u2022 The Register http://www.theregister.co.uk/2015/07/15/xp_antimalware_support_axed/ Ubuntu PC maker System76 abandons Flash, says it's too dangerous | Ars Technica http://arstechnica.com/information-technology/2015/07/ubuntu-pc-maker-sy... Firefox blacklists Flash player due to unpatched 0-day vulnerabilities | Ars Technica http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-... Adobe: We REALLY are taking Flash security seriously - honest \u2022 The Register http://www.theregister.co.uk/2015/07/14/adobe_response_to_security_holes/ Once again, Adobe releases emergency Flash patch for Hacking Team 0-days | Ars Technica http://arstechnica.com/security/2015/07/once-again-adobe-releases-emerge... Hacking Team's Flash 0-day: Potent enough to infect actual Chrome user | Ars Technica http://arstechnica.com/security/2015/07/hacking-teams-flash-0day-potent-... Hacking Team Used Spammer Tricks to Resurrect Spy Network - Krebs on Security http://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to-r... Hacking Team spyware rootkit: Even a new HARD DRIVE wouldn't get rid of it \u2022 The Register http://www.theregister.co.uk/2015/07/14/hacking_team_stealth_rootkit/ How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team | Ars Technica http://arstechnica.com/security/2015/07/how-a-russian-hacker-made-45000-... Hacking Team's snoopware 'spied on anti-communist activists in Vietnam' \u2022 The Register http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/ Hacking Team touts new spyware suite, calls leaks now "obsolete" | Ars Technica http://arstechnica.com/security/2015/07/hacking-team-remains-defiant-tou... Critical OpenSSL bug allows attackers to impersonate any trusted server | Ars Technica http://arstechnica.com/security/2015/07/critical-openssl-bug-allows-atta... Dozens Nabbed in Takedown of Cybercrime Forum Darkode | WIRED http://www.wired.com/2015/07/dozens-nabbed-takedown-cybercrime-forum-dar... As Predicted, OPM Director Resigns in Wake of Epic Hack | WIRED http://www.wired.com/2015/07/predicted-opm-director-katherine-archuleta-... New Bill Would Grant Lifetime Credit Monitoring to OPM Victims | Threatpost | The first stop for security news https://threatpost.com/new-bill-would-grant-lifetime-credit-monitoring-t... A $200 privacy device has been killed, and no one knows why | Ars Technica http://arstechnica.com/security/2015/07/a-200-privacy-device-has-been-ki... ProxyGambit - anonymize net over GSM or PTP link http://samy.pl/proxygambit/ Sixty-five THOUSAND Range Rovers recalled over DOOR software glitch \u2022 The Register http://www.theregister.co.uk/2015/07/14/range_rover_recall/ Hackers sell 79,267 Cloudminr accounts for ONE Bitcoin \u2022 The Register http://www.theregister.co.uk/2015/07/14/cloudminr_hack_80000_bitcoin_min... DEA agent slugged a MEELLION dollars for Silk Road snipe \u2022 The Register http://www.theregister.co.uk/2015/07/13/silkroad_dea_agent_outofpocket_b... Papa don't breach: Wannabe singer jailed for hacking Madonna \u2022 The Register http://www.theregister.co.uk/2015/07/10/madonna_hacker_sentencing/ Wow, another NSA leak: Network security code appears on GitHub \u2022 The Register http://www.theregister.co.uk/2015/07/09/nsa_network_security_code_leaks_... New RC4 Attack Dramatically Reduces Plaintext Recovery Time | Threatpost | The first stop for security news https://threatpost.com/new-rc4-attack-dramatically-reduces-plaintext-rec... Oracle Patches Java Zero Day | Threatpost | The first stop for security news https://threatpost.com/oracle-patches-java-zero-day/113792 New PHP Releases Fix BACRONYM MySQL Flaw | Threatpost | The first stop for security news https://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740 Firefox 39 Out With Patches for Four Critical Vulnerabilities | Threatpost | The first stop for security news https://threatpost.com/firefox-39-out-with-patches-for-four-critical-vul... MS kills critical IE 11 bug after exploit was shopped to Hacking Team | Ars Technica http://arstechnica.com/security/2015/07/ms-kills-critical-ie-11-bug-afte... Microsoft Security Bulletin MS15-058 - Important https://technet.microsoft.com/en-us/library/security/MS15-058 Microsoft Security Bulletin MS15-068 - Critical https://technet.microsoft.com/en-us/library/security/ms15-068.aspx Microsoft Security Bulletin MS15-067 - Critical https://technet.microsoft.com/en-us/library/security/ms15-067.aspx Job search | Employment and jobs | Queensland Government https://smartjobs.qld.gov.au/jobtools/jncustomsearch.viewFullSingle?in_o... [ - infowarrior.org - ] http://infowarrior.org/about.html Penetration Testing & Web Application Security - HackLabs http://www.hacklabs.com/ Screaming Headless Torsos (Live in New York -- Knitting Factory 1996) - YouTube https://www.youtube.com/watch?v=FAKhafsFslE Screaming Headless Torsos - 2 Bruce Wayne featuring Jimmy Valentine - YouTube https://www.youtube.com/watch?v=Pzdd2mUiDF0

Risky Business #373 -- Hacking Team gets owned. Quite a lot.

Patrick Gray — Thu, 09 Jul 2015 00:00:00 +1000

Obviously the Hacking Team breach is the big story of the week and we'll be jumping right into that. It's a jam packed podcast this week -- we check in with Dave Aitel of Immunity to talk about the impending Wassenaar Arrangement disaster about to hit America. We're also joined by Claudio Guarnieri. Claudio has spent years tracking Hacking Team's malware to the darkest regions of the planet. For a long time he's been claiming Hacking Team were up to no good, now we know he was right. We get him on to the show for a well-earned gloat. This week's show is brought to you by Xipiter! Do you want to learn how to exploit and reverse engineer IoT, mobile and embedded devices? Xipiter is teaching their SexViaHex and ARM Exploitation classes in September in the Hague. Both their Blackhat classes have sold out four years in a row, and they are indeed sold out this year. Go to SexViaHex.com to book your spot. Adam Boileau, as usual, joins us to discuss the week's security news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Hacking Team Breach Shows a Global Spying Firm Run Amok | WIRED http://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-fir... Despite Hacking Team's poor opsec, CEO came from early days of PGP | Ars Technica http://arstechnica.com/security/2015/07/despite-hacking-teams-poor-opsec... Hacking Team responds to data breach, issues public threats and denials | CSO Online http://www.csoonline.com/article/2944333/data-breach/hacking-team-respon... Days after Hacking Team breach, nobody fired, no customers lost | Ars Technica http://arstechnica.com/security/2015/07/days-after-hacking-team-breach-n... Hacking Team Flash Zero Day Weaponized in Exploit Kits | Threatpost | The first stop for security news https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit... Hacking Team Couldn't Hack Your iPhone | Threatpost | The first stop for security news https://threatpost.com/hacking-team-couldnt-hack-your-iphone/113636 Dutch MEP whacks Hacking Team over embargo-busting \u2022 The Register http://www.theregister.co.uk/2015/07/08/dutch_mep_whacks_hacking_team_ov... Latest News http://www.hackingteam.it/index.php/about-us Student claims Wassenaar Arrangement prevents him from publishing dissertation | Ars Technica http://arstechnica.com/security/2015/07/student-claims-wassenaar-agreeme... Berlin pours bucket of flat beer on Patriot missile hack report \u2022 The Register http://www.theregister.co.uk/2015/07/08/german_hackers_hijack_missiles/ Meet the hackers who break into Microsoft and Apple to steal insider info | Ars Technica http://arstechnica.com/security/2015/07/meet-the-hackers-who-break-into-... Finnish Decision is Win for Internet Trolls - Krebs on Security http://krebsonsecurity.com/2015/07/finnish-decision-is-win-for-internet-... Ford's 400,000-car recall could be the tip of an auto security iceberg \u2022 The Register http://www.theregister.co.uk/2015/07/08/ford_car_software_recall_analysis/ Kali Linux 2.0 to launch at DEFCON 23 \u2022 The Register http://www.theregister.co.uk/2015/07/08/kali_20/ Heart of Darkness: Mass of clone scam sites appear \u2022 The Register http://www.theregister.co.uk/2015/07/07/dark_web_cloned_site_scam_resurg... SyncStop / USB Condom - Charge Your Mobile Phone Safely http://syncstop.com/ Software Exploitation via Hardware exploitation training (LITE) - SexViaHex http://www.sexviahex.com/ Xipiter - Home http://www.xipiter.com/ Colin Hay - Beautiful World - YouTube https://www.youtube.com/watch?v=xe3RqgnXaT4

Risky Business #372 -- Airbus pilot talks plane hacking

Patrick Gray — Thu, 02 Jul 2015 00:00:00 +1000

This week's feature interview is a bit left of field With all the talk about plane hacking flying around over the last couple of months (zing) I thought it might be an idea to talk to an actual airliner pilot. So this week we're joined by an Australian Airbus pilot. He works for an Asian airline but he was in Australia recently and I caught up with him to ask him for his thoughts on the topic. As you'll hear, there's a bit more to an Airbus than it just being a flying computer. It's more like a flying computer warehouse with multiple redundant systems. Our anonymous pilot says stopping a hacker on a plane might be as simple as just killing power to the cabin with the flick of a switch -- BUT, he says there are no procedures or training around troubleshooting for malicious attackers and in such a heavily process-oriented environment that could cause problems. This week's show is brought to you by our friends at Tenable Network Security, big thanks to them! Tenable's very own Marcus Ranum will be along in this week's sponsor interview to talk about detection concepts. He pulls on his grumpy pants and doles out some stone-cold old school advice for people out there building networks. That's a fun one. Adam Boileau, as usual, joins us to discuss the week's security news. Links to everything can be found in this week's show notes. Links to everything are in this week's show notes. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #371 -- Special guest Richard Bejtlich

Patrick Gray — Thu, 25 Jun 2015 00:00:00 +1000

In this week's feature interview we chat with Richard Bejtlich. He serves as the chief security strategist at FireEye. He's a nonresident fellow with the Brookings Institute and he joins me this week to talk about the OPM breach, honeypots, China and Edward Snowden. This week's show is sponsored by Palo Alto Networks. This week's sponsor interview is with Ryan Olson of Palo's Threat Intelligence Unit 42 -- yes, that is a hitchhikers guide reference. He'll be joining us to discuss an APT campaign they uncovered in Asia -- it's called Lotus Blossom and it's yet another example of likely state sponsored APT activity targeting the region. Depressingly, it uses CVEs that start with 2012. Ugh. Adam Boileau, as usual, joins us to discuss the week's security news. Links to everything can be found in this week's show notes. Links to everything are in this week's show notes. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #370 -- Samsung screws the pooch in extravagant fashion

Patrick Gray — Thu, 18 Jun 2015 00:00:00 +1000

On this week's show we chat with Dan Guido of Trail of Bits about DARPA's Cyber Grand Challenge. There was a competition round last week and he tells us all about it. Participants have to stand up simple network services on a LAN and keep them up. They also have to write attack code that targets other peoples services. When another participant attacks you, you have to defend against the attack and even patch your service so it's immune from the attacks it's being faced with... all of this is automated. You write your software before the event, drop it on the LAN and off you go. Dan tells us where the competition is at. This week's show is brought to you by Tenable Network Security. Tenable CEO Ron Gula joins the show to talk about the OPM breach. He's encouraging Risky Business listeners to get in touch with their empathy in this instance -- sometimes politics stop organisations from being able to do the right thing when it comes to security. It's a great chat, so stick around for it. Adam Boileau, as usual, joins us to discuss the week's security news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes New exploit turns Samsung Galaxy phones into remote bugging devices | Ars Technica http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy... Questions over Samsung's handling of security flaw in millions of smartphones http://www.smh.com.au/digital-life/consumer-security/questions-over-sams... Hack Brief: Password Manager LastPass Got Breached Hard | WIRED http://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-br... Catching Up on the OPM Breach - Krebs on Security http://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/ Encryption "would not have helped" at OPM, says DHS official | Ars Technica http://arstechnica.com/security/2015/06/encryption-would-not-have-helped... Report: Hack of government employee records discovered by product demo | Ars Technica http://arstechnica.com/security/2015/06/report-hack-of-government-employ... Attackers Stole Certificate From Foxconn to Hack Kaspersky With Duqu 2.0 | WIRED http://www.wired.com/2015/06/foxconn-hack-kaspersky-duqu-2/ China and Russia Almost Definitely Have the Snowden Docs | WIRED http://www.wired.com/2015/06/course-china-russia-snowden-documents/ Serious OS X and iOS flaws let hackers steal keychain, 1Password contents | Ars Technica http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-h... Blackhats exploiting MacKeeper hole to foist dangerous trojan \u2022 The Register http://www.theregister.co.uk/2015/06/16/blackhats_exploiting_mackeeper_h... US anti-fraud law makes deleting browser history a crime punishable by 20yrs in jail - RT USA http://rt.com/usa/266389-browsing-history-obstruction-justice/ Hack Brief: The Cardinals May Have Hacked the Astros | WIRED http://www.wired.com/2015/06/hack-brief-cardinals-astros/ Magazine publisher loses $1.5M in cyberfraud | New York Post http://nypost.com/2015/06/16/magazine-publisher-swindled-out-of-1-5-mill... Data-stealing component of 'Stegoloader' hides in PNG images - SC Magazine http://www.scmagazine.com/stegoloader-malware-uses-png-files-to-hide-dat... AdBlock aims to send filthy malverts on one-way LSD trip \u2022 The Register http://www.theregister.co.uk/2015/06/17/adblock_revamps_for_enterprise_l... Vapourware no more: Let's Encrypt announces first cert dates \u2022 The Register http://www.theregister.co.uk/2015/06/17/vapourware_no_more_lets_encrypt_... Google extends vulnerability bounties to Android; offers up to $30,000 | Ars Technica http://arstechnica.com/security/2015/06/google-extends-vulnerability-bou... Wikipedia goes all-HTTPS, starting immediately | Ars Technica http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-startin... Cisco Patches IPv6 Vulnerability in Carrier Routers | Threatpost | The first stop for security news https://threatpost.com/cisco-patches-ipv6-vulnerability-in-carrier-grade... ProjectVault/orp \xb7 GitHub https://github.com/projectvault/orp devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_secur... DROP LEGS | triple j Unearthed https://www.triplejunearthed.com/artist/drop-legs

Risky Business #369 -- Kaspersky pwned by Duqu, bye bye 215 and more

Patrick Gray — Thu, 11 Jun 2015 00:00:00 +1000

On this week's show we speak with Laura Bell about scanning people for vulnerabilities. Who in your organisation do you most need to worry about protecting? Well, it's not who you think. She'll be along soon to discuss that. This week's show is brought to you by Rapid7. Rapid7's SVP of Products and Engineering Lee Weiner will be along in this week's sponsor interview to talk about how to get security and IT departments both thinking about risk-based approaches to patching. Hey, sure, you've got 8,000 boxes that can all be Heartbleeded, but do you need to worry about all of them right now? Or just the accessible ones with all the customer data on them? Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Kaspersky Finds New Nation-State Attack-In Its Own Network | WIRED http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-net... The Senate Finally Passes NSA Surveillance Reform | WIRED http://www.wired.com/2015/06/senate-finally-passes-bit-nsa-reform/ Senate Shoots Down All Bad Amendments to the NSA Reform Bill | WIRED http://www.wired.com/2015/06/senate-shoots-bad-amendments-nsa-reform-bill/ Federal agency hit by Chinese hackers, around 4 million employees affected | Ars Technica http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-ha... Why the "biggest government hack ever" got past the feds | Ars Technica http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-... New Snowden documents reveal secret memos expanding spying | Ars Technica http://arstechnica.com/tech-policy/2015/06/new-snowden-documents-reveal-... All U.S. United Flights Grounded Over Mysterious Problem | WIRED http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/ Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed - sources | Reuters http://www.reuters.com/article/2015/05/29/us-usa-northkorea-stuxnet-idUS... TV5 Monde attack 'by Russia-based hackers' - BBC News http://www.bbc.com/news/world-europe-33072034 Nonlinear warfare - A new system of political control 2014 Adam Curtis - YouTube https://www.youtube.com/watch?v=tyop0d30UqQ Vladislav Surkov - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Vladislav_Surkov California senate wants warrants to be required for phone searches http://www.engadget.com/2015/06/04/california-warrant-phone-search-bill/ Intercepted WhatsApp messages led to Belgian terror arrests [Updated] | Ars Technica http://arstechnica.com/tech-policy/2015/06/intercepted-whatsapp-messages... Sen. McCain: How to Get Silicon Valley to Help the Pentagon | WIRED http://www.wired.com/2015/06/sen-mccain-get-silicon-valley-help-pentagon/ Feds Want to ID Web Trolls Who 'Threatened' Silk Road Judge | WIRED http://www.wired.com/2015/06/feds-want-id-web-trolls-threatened-silk-roa... This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED http://www.wired.com/2015/06/hacked-kids-toy-opens-garage-doors-seconds/ 'MEDJACK' tactic allows cyber criminals to enter healthcare networks undetected - SC Magazine http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/ Bitcoin blackmail gang start hurling DDoSes at Scandinavia \u2022 The Register http://www.theregister.co.uk/2015/06/09/ddos_blackmail_gang_scandinavian... iiNet investigates alleged theft of customer database - Security - News - iTnews.com.au http://www.itnews.com.au/News/404959,iinet-investigates-alleged-theft-of... Crypto flaws in Blockchain Android app sent bitcoins to the wrong address | Ars Technica http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-andro... Beware of the text message that crashes iPhones | Ars Technica http://arstechnica.com/security/2015/05/beware-of-the-text-message-that-... US Army website defaced by Syrian Electronic Army [Updated] | Ars Technica http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syria... Assume your GitHub account is hacked, users with weak crypto keys told | Ars Technica http://arstechnica.com/security/2015/06/assume-your-github-account-is-ha... June 2015 Adobe Flash Player Security Update | Threatpost | The first stop for security news https://threatpost.com/adobe-patches-13-vulnerabilities-in-flash-player/... June 2015 Microsoft Patch Tuesday Security Bulletins | Threatpost | The first stop for security news https://threatpost.com/critical-ie-update-one-of-eight-microsoft-securit... FAQs http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200 SafeStack - Agile Application Security http://safestack.io/ IT Security & Analytics, Pen Testing, Compliance - Rapid7 http://www.rapid7.com/ The Isley Brothers - Fight The Power (Part 1 & 2) (1975) - YouTube https://www.youtube.com/watch?v=wO2ebiuV3hU

Risky Business #368 -- AusCERT edition: Brian Krebs, Eva Galperin and more!

Patrick Gray — Fri, 05 Jun 2015 00:00:00 +1000

This week's edition of the show is a special edition recorded at AusCERT's 2015 conference on the Gold Coast, brought to you by Datacom TSS. In it, we speak with: \t* Brian Krebs, who talks about the weird symbiotic relationship he has with the criminal underworld \t* Eva Galperin of the EFF talks Wassenaar \t* David Litchfield who discusses his new database security tool \t* Datacom TSS practice manager Lou Robertson on outcomes-based security service contracts I hope you enjoy it!

Risky Business #367 -- Tor Project lead Roger Dingledine

Patrick Gray — Thu, 28 May 2015 00:00:00 +1000

This week's show is a bit different. I've prepared it while in South Africa. I've been here for two weeks now, one week of holidays and another week at the ITWeb Security Summit in Johannesburg. While here I got a chance to meet and interview Roger Dingledine, the Tor Project leader, about the future of hidden services, the Anonabox controversy, and the possibility of major browser manufactures integrating Tor into their private browsing modes. That's this week's feature. This week's news guest is Haroon Meer of Thinkst. Thinkst is actually this week's sponsor as well. But as Haroon is a super smart guy who also happens to be funny and eloquent, I invited him to do this week's news segment with me from the conference centre in Midrand. For the sponsor segment Haroon filled us in on his latest invention, Canary. It's a honeypot you put on your LAN that can detect all sorts of lateral movement. It's an awesome idea and you'll get the skinny in this week's sponsor interview! Show notes Proposed U.S. Wassenaar Rules on Intrusion Software | Threatpost | The first stop for security news https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-expo... Researchers Wary of Wassenaar Arrangement Proposed Rules | Threatpost | The first stop for security news https://threatpost.com/security-researchers-wary-of-proposed-wassenaar-r... US aims to limit zero-day sales to Five Eyes - Security - News - iTnews.com.au http://www.itnews.com.au/News/404272,us-aims-to-limit-zero-day-sales-to-... New Logjam Attack on Diffie-Hellman Threatens Security of Browsers, VPNs | Threatpost | The first stop for security news https://threatpost.com/new-logjam-attack-on-diffie-hellman-threatens-sec... HTTPS-crippling attack threatens tens of thousands of Web and mail servers | Ars Technica http://arstechnica.com/security/2015/05/https-crippling-attack-threatens... Feds Say That Banned Researcher Commandeered a Plane | WIRED http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/ Alleged plane hacker said he pierced Boeing jet's firewall in 2012 | Ars Technica http://arstechnica.com/security/2015/05/alleged-plane-hacker-said-he-pie... Is It Possible for Passengers to Hack Commercial Aircraft? | WIRED http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft/ Silk Road Prosecutors Ask Judge to 'Send a Message' In Ulbricht Sentencing | WIRED http://www.wired.com/2015/05/silk-road-prosecutors-ask-judge-send-messag... Silk Road from the inside: Moderator SSBD tells his story | All Things VICE http://allthingsvice.com/2015/05/27/silk-road-from-the-inside-moderator-... Database of 4 million Adult Friend Finder users leaked for all to see | Ars Technica http://arstechnica.com/security/2015/05/database-of-4-million-adult-frie... Five Eyes spies sought to subvert Google, Samsung app stores - Security - News - iTnews.com.au http://www.itnews.com.au/News/404297,five-eyes-spies-sought-to-subvert-g... IRS system mined for over 100,000 taxpayer records by fraudsters [Updated] | Ars Technica http://arstechnica.com/security/2015/05/report-irs-admits-its-been-hacke... Researcher who exploits bug in Starbucks gift cards gets rebuke, not love | Ars Technica http://arstechnica.com/security/2015/05/researcher-who-exploits-bug-in-s... '90s-style security flaw puts "millions" of routers at risk | Ars Technica http://arstechnica.com/security/2015/05/90s-style-security-flaw-puts-mil... The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica http://arstechnica.com/security/2015/05/the-moose-is-loose-linux-based-w... Flawed Android factory reset leaves crypto and login keys ripe for picking | Ars Technica http://arstechnica.com/security/2015/05/flawed-android-factory-reset-lea... SQL Attack Results in Breach of Telstra Telecom Pacnet | Threatpost | The first stop for security news https://threatpost.com/sql-attack-results-in-breach-of-telstra-owned-tel... "The media is always lying" hacked WaPo website says | Ars Technica http://arstechnica.com/security/2015/05/the-media-is-always-lying-hacked... Penn State severs engineering network after "incredibly serious" intrusion | Ars Technica http://arstechnica.com/security/2015/05/penn-state-severs-engineering-ne... Researcher turns tables, discloses unpatched bugs in Google cloud platform | Ars Technica http://arstechnica.com/security/2015/05/researcher-turns-tables-disclose... Google Fixes Sandbox Escape in Chrome | Threatpost | The first stop for security news https://threatpost.com/google-fixes-sandbox-escape-in-chrome/112899 Apple Releases Patches For a Watch | Threatpost | The first stop for security news https://threatpost.com/apple-releases-patches-for-a-watch/112920 Risky Business #83 -- The Military Digital Complex | Risky Business http://risky.biz/netcasts/risky-business/risky-business-83-military-digi... Why changes to Wassenaar make oppression and surveillance easier, not harder http://addxorrol.blogspot.com/2015/05/why-changes-to-wassenaar-make.html Canary box aims to lure hackers into honeypots before they make headlines | Ars Technica http://arstechnica.com/security/2015/05/canary-box-aims-to-lure-hackers-... Canary - know when it matters https://canary.tools/

Risky Business #366 -- Software defined networking security

Patrick Gray — Thu, 14 May 2015 00:00:00 +1000

On this week's show we're chatting with Dave Jorm of IIX -- International Internet Exchange. We're previewing his upcoming AusCERT talk all about software defined networking security. It's fancy tech, but there are some interesting little quirks CSOs should definitely be across. This week's show is sponsored by Senetas, big thanks to them. Senetas CTO Julian Fay is this week's sponsor guest. We talk about those horrible Open Smart Grid bugs and a few other things, that's coming up later. Adam Boileau, as usual, joins the show to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Venom VM bug called "perfect" for NSA, or for stealing bitcoins and passwords | Ars Technica http://arstechnica.com/security/2015/05/venom-vm-bug-called-perfect-for-... Extremely serious virtual machine bug threatens cloud providers everywhere | Ars Technica http://arstechnica.com/security/2015/05/extremely-serious-virtual-machin... Cybersecurity firm accused of staging data breaches to extort clients http://www.engadget.com/2015/05/09/tiversa-whistleblower/ US Government Labeled Al Jazeera Journalist as Al Qaeda https://firstlook.org/theintercept/2015/05/08/u-s-government-designated-... Court Rules NSA Bulk Data Collection Was Never Authorized By Congress | WIRED http://www.wired.com/2015/05/breaking-news-federal-court-rules-nsa-bulk-... GPU-based rootkit and keylogger offer superior stealth and computing power | Ars Technica http://arstechnica.com/security/2015/05/gpu-based-rootkit-and-keylogger-... $7500 DDoS extortion hitting Aussie, Kiwi enterprises \u2022 The Register http://www.theregister.co.uk/2015/05/08/ddos_hitting_oz_nz/ Microsoft Brings Perfect Forward Secrecy to Windows | Threatpost | The first stop for security news https://threatpost.com/new-crypto-suites-bring-perfect-forward-secrecy-t... Tor Cloud Shut Down Amid Lack of Support | Threatpost | The first stop for security news https://threatpost.com/tor-cloud-shut-down-amid-lack-of-support/112725 MacKeeper Zero Day Patched | Threatpost | The first stop for security news https://threatpost.com/mackeeper-patches-remote-code-execution-zero-day/... Remotely Exploitable Vulnerabilities in SAP Compression Algorithms | Threatpost | The first stop for security news https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compr... Adobe, Microsoft Push Critical Security Fixes - Krebs on Security http://krebsonsecurity.com/2015/05/adobe-microsoft-push-critical-securit... Home Automation Protocol Z-Way Vulnerable to Remote Attacks | Threatpost | The first stop for security news https://threatpost.com/home-automation-protocol-z-way-vulnerable-to-remo... SDN and Security - David Jorm | ONOS http://onosproject.org/2015/04/03/sdn-and-security-david-jorm/ CloudRouter\xae | Router Distribution for the Cloud https://cloudrouter.org/ Meeting Snowden in Princeton | Light Blue Touchpaper https://www.lightbluetouchpaper.org/2015/05/02/meeting-snowden-in-prince... Open Smart Grid Protocol Homegrown Crypto Weaknesses | Threatpost | The first stop for security news https://threatpost.com/weak-homegrown-crypto-dooms-open-smart-grid-proto... Zuluboy - Mbombela (A Twist of Bayethe) - YouTube https://www.youtube.com/watch?v=KFS4cSmzjYY

Serious Business #3 -- Sy Hersh can't melt steel beams

Patrick Gray — Wed, 13 May 2015 00:00:00 +1000

As usual for Serious Business I'm joined by AJ+ satirist, Australian comedian Dan Ilic, to discuss a few topical items of the last week, and boy, we've got some good stuff for you.. we're talking about journalist Seymour Hersh's latest investigative work -- is it pure fiction? We're talking about DeflateGate, we're talking Elon Musk being a douche and we're talking MAD MAX, Fury Road...

Risky Business #365 -- Defence in derpth

Patrick Gray — Thu, 07 May 2015 00:00:00 +1000

This week's show is brought to you by BugCrowd -- crowdsourced security testing. Bugcrowd founder and CEO Casey Ellis will join us in this week's sponsor interview to tell us about the latest trends in bounties and crowdsourced security. He's got some useful info. It turns out bounty participants are getting better at doing OSINT collection to win when testing. So yeah, creds and stuff in Github and repos that shouldn't be there are giving these guys easy wins... we'll also talk about the latest trends in terms of who's running bounty programs -- it's not just companies testing web and mobile apps these days, they're doing a bunch more work on IoT and installable software. It's a solid trend. There's no feature interview in this week's show because, well, it was a pretty slow week. I was expecting last week's US House hearing into possible US responses to encryption technology to give me heaps of feature material for this week's show, but it was actually a bit of a fizzer, which is pretty awesome, actually. Adam Boileau, as usual, joins the show to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Windows Update for Business Uproots Patch Tuesday | Threatpost | The first stop for security news https://threatpost.com/patch-tuesday-facelift-end-of-an-era/112640 A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent\u2026 https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-par... Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday \u2022 The Register http://www.theregister.co.uk/2015/05/04/microsoft_windows_10_updates/ With Lock Research, Another Battle Brews in the War Over Security Holes | WIRED http://www.wired.com/2015/05/lock-research-another-battle-brews-war-secu... Vulnerability-Riddled Drug Pumps Open to Takeover | Threatpost | The first stop for security news https://threatpost.com/vulnerability-riddled-drug-pumps-open-to-takeover... Interpol alerted as teenage hacker from Perth flees to Europe | The Australian http://www.theaustralian.com.au/news/nation/interpol-alerted-as-teenage-... Programmer Convicted in Bizarre Goldman Sachs Case-Again | WIRED http://www.wired.com/2015/05/programmer-convicted-bizarre-goldman-sachs-... WikiLeaks Finally Brings Back Its Submission System for Your Secrets | WIRED http://www.wired.com/2015/05/wikileaks-finally-brings-back-submission-sy... How Selerity reported Twitter's earnings-before Twitter did | Ars Technica http://arstechnica.com/business/2015/05/how-selerity-reported-twitters-2... 'Just follow the damn Constitution!' FBI, DoJ skewered over demands for crypto backdoors \u2022 The Register http://www.theregister.co.uk/2015/05/01/congress_gives_bipartisan_bolloc... Congress, Crypto and Craziness | Threatpost | The first stop for security news https://threatpost.com/congress-crypto-and-craziness/112508 Zuck'ed up: Facebook opens up free internet in India - but bans HTTPS \u2022 The Register http://www.theregister.co.uk/2015/05/04/internet_org_facebook/ Foiling Pump Skimmers With GPS - Krebs on Security http://krebsonsecurity.com/2015/05/foiling-pump-skimmers-with-gps/ PayIvy Sells Your Online Accounts Via PayPal - Krebs on Security http://krebsonsecurity.com/2015/05/payivy-sells-your-online-accounts-via... Google Research Reveals Profitable, Pervasive Ad Injector Ecosystem | Threatpost | The first stop for security news https://threatpost.com/google-research-reveals-profitable-pervasive-ad-i... Microsoft LAPS Tool Addresss Local Admin Password Problem | Threatpost | The first stop for security news https://threatpost.com/microsoft-laps-tool-tackles-common-local-admin-pa... Netflix Releases FIDO Incident Response Tool | Threatpost | The first stop for security news https://threatpost.com/netflix-releases-fido-incident-response-tool/112618 Google Updates Password Alert Extension, But Some Bypasses Still Work | Threatpost | The first stop for security news https://threatpost.com/google-updates-password-alert-extension-but-some-... Super secretive malware wipes hard drive to prevent analysis | Ars Technica http://arstechnica.com/security/2015/05/super-secretive-malware-wipes-ha... Dyre Banking Trojan Avoids Sandbox Detection | Threatpost | The first stop for security news https://threatpost.com/dyre-banking-trojan-jumps-out-of-sandbox/112533 The BACKRONYM MySQL Vulnerability - Blog - Duo Security https://www.duosecurity.com/blog/backronym-mysql-vulnerability Behold: the drop-dead simple exploit that nukes Google's Password Alert | Ars Technica http://arstechnica.com/security/2015/04/behold-the-drop-dead-simply-expl... Actively exploited WordPress bug puts millions of sites at risk | Ars Technica http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug... Spam-blasting malware infects thousands of Linux and FreeBSD servers | Ars Technica http://arstechnica.com/security/2015/04/spam-blasting-malware-infects-th... Lenovo System Update Vulnerabilities Patched | Threatpost | The first stop for security news https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-s... Sally Beauty Card Breach, Part Deux? - Krebs on Security http://krebsonsecurity.com/2015/05/sally-beauty-card-breach-part-deux/ 02 - Mammal - Think - YouTube https://www.youtube.com/watch?v=mCQXqHr9CwE

Serious Business #2 -- Can we stop it with the Muhammad cartoons already?

Patrick Gray — Tue, 05 May 2015 00:00:00 +1000

In this edition of Serious Business, Australia's Most Hated Man (tm) Dan Ilic and I speak about the (failed) shooting attack against a group of very silly Americans who got together to denigrate Islam. We also speak about Apple's stupid watch. I should warn you, too, I don't edit this podcast for bad language and there are f-bombs aplenty. So if you have your kids in your car and you don't want them hearing my awful, awful language, please turn off this podcast now.

Risky Business #364 -- The cuckoo's carton

Patrick Gray — Thu, 30 Apr 2015 00:00:00 +1000

In this week's feature interview we chat with John Strand, a SANS instructor and co-host of Security Weekly's Webcasts. He runs Black Hills information security and he's a maintainer of the ADHD Linux distro -- it's essentially a curation of active defence tools that you can use to do some funky stuff. But in this case active defence doesn't mean popping shells on boxes in China, it's more about annoying the absolute shit out of your adversaries. In this week's sponsor interview we're chatting with Chris Gatford, HackLabs' founder and head honcho, all about something that came up last week -- software defined radio security testing. Is there a market for that sort of thing like last week's guest Balint Seeber suggested? Well, yes and no. That interview is coming up at the end of the show. Adam Boileau, as usual, stops in to discuss the week's news headlines. Links to everything are in this week's show notes. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Serious Business #1 -- Dan Ilic and Pat talk about stuff [EXPLICIT]

Patrick Gray — Wed, 29 Apr 2015 00:00:00 +1000

Risky Business host Patrick Gray and Australian comedian Dan Ilic talk about topics that have nothing to do with information security. Like: * Australia's obsession with the Gallipoli campaign and the sacking of Scott McIntyre from the SBS. * Australia's new vaccination requirements for parents who still want all those tasty, tasty tax benefits. * The "ISIS doctor", Tareq Kamleh. Is he doing anything wrong? PLEASE NOTE: I didn't bother editing out naughty words in this one, so if you have kids in the car you may not wish to expose them to our awful language.

Risky Business #363 -- Software defined radio gets interesting

Patrick Gray — Fri, 24 Apr 2015 00:00:00 +1000

This week's show was cut together from our nation's capital, Canberra! I've been down here to attend the Australian Cyber Security Centre conference, which was actually pretty good. There were some great technical talks. One of them was by Balint Seeber on Software defined radio haxing, he's our feature guest in this week's show. We'll talk to him about messing around with aircraft radar, ACARS, keyless entry and all sorts of stuff. He even managed to take control of a satellite 15 million kilometres from Earth from his laptop while he was in a DEFCON talk! (Don't try this at home. Or do. I don't know what advice to give on that one.) This week's show is brought to you by Tenable Network Security, makes of fine, fine information security software like Nessus. If you aren't familiar with Tenable's stuff you really should be, they make some excellent kit. Head to Tenable.comto check that out. In this week's sponsor interview we're chatting with Tenable's strategist Jack Daniel. He's over at the RSA conference and he'll be giving us a rundown on what it's like there. Over 500 exhibitors this year. Crazy. Adam Boileau, as usual, is in the news chair this week. Links to everything are in this week's show notes. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #362 -- Bob Rudis on the Verizon Data Breach Investigation report

Patrick Gray — Thu, 16 Apr 2015 00:00:00 +1000

In this week's show we're chatting with Bob Rudis of Verizon about that company's annual data breach investigation report. After what I thought was a bit of a lapse in relevance last year, the 2015 report has come back stronger than ever. There are some genuinely interesting findings. This week's show is brought to you by Intralinks! In this week's sponsor interview Intralinks North America field CTO Darren Glenister will pop in to talk about data sovereignty in the age of cloud computing. Specifically, how do customer-managed key setups affect things? Is the location of the data important? Or is the location the data is controlled from a bigger deal? Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes April 2015 Microsoft Patch Tuesday Security Bulletins | Threatpost | The first stop for security news https://threatpost.com/microsoft-patches-critical-http-sys-vulnerability... Hackers Could Commandeer New Planes Through Passenger Wi-Fi | WIRED http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/ An App That Hides Secret Messages in Starcraft-Style Games | WIRED http://www.wired.com/2015/04/app-hides-secret-messages-starcraft-style-g... Hacker Lexicon: What Are Chip and PIN Cards? | WIRED http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/ How Popcorn Time's Piracy App Is Sneaking Onto iPhones | WIRED http://www.wired.com/2015/04/popcorn-times-piracy-app-sneaking-onto-ipho... Chrome starts pushing Java off the Web by disabling plugins | Ars Technica http://arstechnica.com/information-technology/2015/04/chrome-starts-push... Researchers try to hack the economics of zero-day bugs | Ars Technica http://arstechnica.com/security/2015/04/researchers-try-to-hack-the-econ... Prosecutors suspect man hacked lottery computers to score winning ticket | Ars Technica http://arstechnica.com/tech-policy/2015/04/prosecutors-suspect-man-hacke... Botnet that enslaved 770,000 PCs worldwide comes crashing down | Ars Technica http://arstechnica.com/security/2015/04/botnet-that-enslaved-770000-pcs-... Russia pulls alleged 'Svpeng' kingpin \u2022 The Register http://www.theregister.co.uk/2015/04/14/russia_pulls_alleged_svpeng_king... Verizon, NetFlix, KFC ad-men pay traffic cons $500k a month \u2022 The Register http://www.theregister.co.uk/2015/04/15/verizon_netflix_kfc_admen_pay_tr... POS Providers Feel Brunt of PoSeidon Malware - Krebs on Security http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-... Hacked French TV network admits "blunder" that exposed YouTube password | Ars Technica http://arstechnica.com/security/2015/04/hacked-french-tv-network-admits-... NSA dreams of smartphones with "split" crypto keys protecting user data | Ars Technica http://arstechnica.com/tech-policy/2015/04/nsa-dreams-of-smartphones-wit... Middle school student charged with cybercrime in Holiday | Tampa Bay Times http://www.tampabay.com/news/publicsafety/crime/middle-school-student-ch... Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-... Don't Be Fodder for China's 'Great Cannon' - Krebs on Security http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/ What the Ridiculous Fuck, D-Link?! - /dev/ttyS0 http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/ Apple splats Safari flaw affecting a BEELLION iThings \u2022 The Register http://www.theregister.co.uk/2015/04/15/apple_splats_safari_flaw_affecti... Critical Updates for Windows, Flash, Java - Krebs on Security http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/ Latest version of OS X closes backdoor-like bug that gives attackers root | Ars Technica http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-ba... acars security - Google Search https://www.google.com/search?q=acars&oq=acars&aqs=chrome..69i57j0l5.109... Multi-faceted enterprise security | Intralinks https://www.intralinks.com/platform-solutions/platform/security Screaming Headless Torsos (Smile in a Wave) - YouTube https://www.youtube.com/watch?v=fYgPU-WnmnA Support Patrick Gray creating The Risky Business Podcast https://www.patreon.com/riskybusiness

Risky Business #361 -- ISIS pwns French TV, Russians pwn White House

Patrick Gray — Thu, 09 Apr 2015 00:00:00 +1000

We've got a shorter than usual show for you this week. It's actually been a three day week here in Australia because we get Easter Friday and Easter Monday off. So there's no feature interview this week, sorry about that. But nonetheless we've got a great podcast for you this week. We'll be checking the week's news headlines with Adam Boileau then moving right on into this week's sponsor interview. This week's show is brought to you by Rapid7, makers of fine, fine information security software. And we're chatting with Rapid7's Wade Woolwine in this week's sponsor interview about how to get the most out of what you have. It can be as simple as rotating some of your smartest people through different areas of your businesses. Make your best pentester deal with the SIEM setup for a month and guess what? You're going to have a much better SIEM setup at the end of it! Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes French TV5Monde channel hit by pro-Islamic State hackers - Yahoo News http://news.yahoo.com/french-tv5monde-hit-pro-islamic-state-hackers-2221... French broadcaster TV5Monde hacked: Yahoo News | Reuters http://www.reuters.com/article/2015/04/08/us-tv5monde-cybercrime-idUSKBN... 'ISIS hackers' overtake French TV station - RT News http://rt.com/news/248073-islamic-state-hackers-french-tv/ How Russians hacked the White House - CNN.com http://edition.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/in... White House denies CNN report that Russian hackers penetrated sensitive computer systems - ABC News (Australian Broadcasting Corporation) http://www.abc.net.au/news/2015-04-08/white-house-denies-russian-hacker-... New lawsuit says DEA phone surveillance was illegal http://www.usatoday.com/story/news/2015/04/08/eff-lawsuit-dea-telephone-... On John Oliver, Edward Snowden Says Keep Taking Dick Pics | WIRED http://www.wired.com/2015/04/john-oliver-edward-snowden-dick-pics/ Popular crypto app uses single-byte XOR and nowt else, hacker says \u2022 The Register http://www.theregister.co.uk/2015/04/07/uberpopular_crypto_app_uses_xor_... Anonabox Recalls 350 'Privacy' Routers for Security Flaws | WIRED http://www.wired.com/2015/04/anonabox-recall/ Review: Anonabox or InvizBox, which Tor router better anonymizes online life? | Ars Technica http://arstechnica.com/information-technology/2015/04/review-anonabox-or... Vulnerability Forces Mozilla to Disable Opportunistic Encryption in Firefox | Threatpost | The first stop for security news https://threatpost.com/vulnerability-forces-mozilla-to-disable-opportuni... TrueCrypt alternatives VeraCrypt CipherShed Step Up | Threatpost | The first stop for security news https://threatpost.com/post-cryptanalysis-truecrypt-alternatives-step-fo... FBI Warns of Fake Govt Sites, ISIS Defacements - Krebs on Security http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-def... As many as 1 million sites imperiled by dangerous bug in WordPress plugin | Ars Technica http://arstechnica.com/security/2015/04/as-many-as-1-million-sites-imper... Change.org springs a leak, exposes private e-mail addresses [updated] | Ars Technica http://arstechnica.com/security/2015/04/change-org-springs-a-leak-expose... Linux Australia Breached by Hackers | Threatpost | The first stop for security news https://threatpost.com/linux-australia-hit-with-server-breach/112025 In the time it takes you to watch The Hangover, AT&T will pay a $25m fine for privacy scandal \u2022 The Register http://www.theregister.co.uk/2015/04/08/fcc_at_t_25_million_dollar_fine/ Schneier on Security: Australia Outlaws Warrant Canaries https://www.schneier.com/blog/archives/2015/03/australia_outla.html Most top corporates still Heartbleeding over the internet \u2022 The Register http://www.theregister.co.uk/2015/04/08/still_bleeding_one_year_laterhea... Police chief: "Paying the Bitcoin ransom was the last resort" | Ars Technica http://arstechnica.com/tech-policy/2015/04/police-chief-paying-the-bitco... Chrome extension collects browsing data, uses it for marketing | Ars Technica http://arstechnica.com/security/2015/04/chrome-extension-collects-browsi... Bugs in Tor network used in attacks against underground markets | Ars Technica http://arstechnica.com/security/2015/04/bugs-in-tor-network-used-in-atta... NTP Symmetric Key Authentication Security Vulnerabilities Patched | Threatpost | The first stop for security news https://threatpost.com/two-ntp-key-authentication-vulnerabilities-patche... Aw, snap! How huge HTML links can crash Chrome tabs in one click \u2022 The Register http://www.theregister.co.uk/2015/04/07/chrome_awsnap_vuln/ Apple Releases Security Updates for OS X, iOS, Safari, and Apple TV | US-CERT https://www.us-cert.gov/ncas/current-activity/2015/04/08/Apple-Releases-... Strontium 90 (band) - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Strontium_90_%28band%29

Risky Business #360 -- The Great GitHub DDoS of 2015

Patrick Gray — Thu, 02 Apr 2015 00:00:00 +1100

In this week's show we chat with Arbor Networks' Roland Dobbins about the Great GitHub DDoS of 2015, Paul Asadoorian of Tenable Network Security about vulnerability management and, of course, Adam Boileau about the week's security news. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes DEA Agent Charged With Acting as a Paid Mole for Silk Road | WIRED http://www.wired.com/2015/03/dea-agent-charged-acting-paid-mole-silk-road/ Silk Road Boss' First Murder-for-Hire Was His Mentor's Idea | WIRED http://www.wired.com/2015/04/silk-road-boss-first-murder-attempt-mentors... Feds Demand Reddit Identify Users of a Dark-Web Drug Forum | WIRED http://www.wired.com/2015/03/dhs-reddit-dark-web-drug-forum/ Massive denial-of-service attack on GitHub tied to Chinese government | Ars Technica http://arstechnica.com/security/2015/03/massive-denial-of-service-attack... DDoS Attack on GitHub Linked to Earlier One Against GreatFire.org | Threatpost | The first stop for security news https://threatpost.com/ddos-attack-on-github-linked-to-earlier-one-again... Google Online Security Blog: Maintaining digital certificate security http://googleonlinesecurity.blogspot.co.nz/2015/03/maintaining-digital-c... New Obama Order Allows Sanctions Against Foreign Hackers | WIRED http://www.wired.com/2015/04/new-obama-order-allows-sanctions-foreign-ha... E-mail autofill blunder leaks personal details of G20 world leaders | Ars Technica http://arstechnica.com/tech-policy/2015/03/e-mail-autofill-blunder-leaks... Volatile Cedar APT Group First Operating Out of Lebanon | Threatpost | The first stop for security news https://threatpost.com/volatile-cedar-apt-group-first-operating-out-of-l... Bitcoin's Blockchain Offers Safe Haven For Malware And Child Abuse, Warns Interpol - Forbes http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain... Energy companies around the world infected by newly discovered malware | Ars Technica http://arstechnica.com/security/2015/03/energy-companies-around-the-worl... Stolen Uber Customer Accounts Are for Sale on the Dark Web for $1 | Motherboard http://motherboard.vice.com/read/stolen-uber-customer-accounts-are-for-s... Noose around Internet's TLS system tightens with 2 new decryption attacks | Ars Technica http://arstechnica.com/security/2015/03/noose-around-internets-tls-syste... Google joins Apple, others in calling for spying controls, as Patriot Act vote nears - CNET http://www.cnet.com/news/google-joins-apple-others-in-calling-for-spying... NSA considered ending phone surveillance program -- report - CNET http://www.cnet.com/news/nsa-considered-ending-phone-surveillance-progra... Little Change in Online Behavior Following Snowden Revelations | Threatpost | The first stop for security news https://threatpost.com/little-change-in-online-behavior-following-snowde... Cross-dressing blokes storm NSA HQ: One shot dead, one hurt \u2022 The Register http://www.theregister.co.uk/2015/03/30/nsa_hq_rammed/ New Firefox version says "might as well" to encrypting all Web traffic | Ars Technica http://arstechnica.com/security/2015/04/new-firefox-version-says-might-a... Verizon Allows Opt Out of UIDH Mobile Supercookie | Threatpost | The first stop for security news https://threatpost.com/verizon-allows-opt-out-of-uidh-mobile-supercookie... Multicast DNS Vulnerability Could Lead to DDOS Amplification | Threatpost | The first stop for security news https://threatpost.com/multicast-dns-vulnerability-could-lead-to-ddos-am... Google kills 200 ad-injecting Chrome extensions, says many are malware | Ars Technica http://arstechnica.com/security/2015/04/google-kills-200-ad-injecting-ch... 'Revolution' Crimeware & EMV Replay Attacks - Krebs on Security http://krebsonsecurity.com/2015/04/revolution-crimeware-emv-replay-attacks/ Sign Up at irs.gov Before Crooks Do It For You - Krebs on Security http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-i... Who Is the Antidetect Author? - Krebs on Security http://krebsonsecurity.com/2015/03/who-is-the-antidetect-author/ Critical Vulnerabilities Affecting JSON Web Token Libraries | Threatpost | The first stop for security news https://threatpost.com/critical-vulnerabilities-affect-json-web-token-li... This one weird trick deletes any YouTube flick in just a few clicks \u2022 The Register http://www.theregister.co.uk/2015/04/01/simple_trick_to_delete_any_youtu... Trailer: Shades of Black - The Valhalla Lights story https://www.youtube.com/watch?v=ZQdLyNNgYcA

Risky Business #359 -- Whisper? More like shout!

Patrick Gray — Thu, 26 Mar 2015 00:00:00 +1100

This week Risky Business takes you behind the scenes of a spat between the makers of the Whisper App and Stephen Ridley's company Xipiter. Ridley's crew say they found some 24-carat-facepalm security problems with the app, subsequently publishing a blog post and video detailing the bugs. You'd think whisper would patch the bugs and move on. But no, they decided to accuse Xipiter of making the whole thing up, even going so far as to accuse them of doctoring their proof of concept video! Stephen Ridley will join the show to discuss all of that. This week's show is brought to you by FireEye, makers of fine, fine security software and appliances. And this week's guest is Steve Miller. Steve is American, he came from the Mandiant side of FireEye's business, but he's moved to Sydney to head up security operations for FireEye in APJ! We'll be talking to him about some tales from the incident response trenches and how really good target profiling has become a standard part of the contemporary attacker's MO. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes You can become a Risky Business patron here: https://www.patreon.com/riskybusiness News: Islamic State doxes US soldiers, airmen, calls on supporters to kill them | Ars Technica http://arstechnica.com/tech-policy/2015/03/islamic-state-doxes-us-soldie... All four major browsers take a stomping at Pwn2Own hacking competition | Ars Technica http://arstechnica.com/security/2015/03/all-four-major-browsers-take-a-s... Google warns of unauthorized TLS certificates trusted by almost all OSes [Updated] | Ars Technica http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls... Windows 10 to make the Secure Boot alt-OS lock out a reality | Ars Technica http://arstechnica.com/information-technology/2015/03/windows-10-to-make... Google Adds Deceptive Software to Safe Browsing API | Threatpost | The first stop for security news https://threatpost.com/google-adds-deceptive-software-to-safe-browsing-a... MRIs show our brains shutting down when we see security prompts | Ars Technica http://arstechnica.com/security/2015/03/mris-show-our-brains-shutting-do... Stealing Data From Computers Using Heat | WIRED http://www.wired.com/2015/03/stealing-data-computers-using-heat/ Hacking BIOS Chips Isn't Just the NSA's Domain Anymore | WIRED http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine... Tax Fraud Advice, Straight from the Scammers - Krebs on Security http://krebsonsecurity.com/2015/03/tax-fraud-advice-straight-from-the-sc... Malicious user hides trojan links in cloned Steam Greenlight pages | Ars Technica http://arstechnica.com/gaming/2015/03/malicious-user-hides-trojan-links-... Twitch resets user passwords following breach | Ars Technica http://arstechnica.com/security/2015/03/twitch-resets-user-passwords-fol... Hilton Honors Flaw Exposed All Accounts - Krebs on Security http://krebsonsecurity.com/2015/03/hilton-honors-flaw-exposed-all-accounts/ Target to pay $10 million to victims of data breach - CNET http://www.cnet.com/news/target-to-pay-10-million-to-victims-of-data-bre... A $60 Gadget That Makes Car Hacking Far Easier | WIRED http://www.wired.com/2015/03/60-gadget-thatll-make-car-hacking-easier-ever/ Dridex Campaign Evades Detection with AutoClose Function | Threatpost | The first stop for security news https://threatpost.com/latest-dridex-campaign-evades-detection-with-auto... Adobe CVE-2011-2461 Remains Exploitable Via Flex Four Years After Patch | Threatpost | The first stop for security news https://threatpost.com/adobe-cve-2011-2461-remains-exploitable-four-year... Cisco Small Business IP Phones Open to Remote Eavesdropping | Threatpost | The first stop for security news https://threatpost.com/cisco-small-business-ip-phones-open-to-remote-eav... Default Setting in Windows 7, 8.1 Could Allow Privilege Escalation | Threatpost | The first stop for security news https://threatpost.com/default-setting-in-windows-7-8-1-could-allow-priv... Instagram API Bug Could Allow Malware Downloads | Threatpost | The first stop for security news https://threatpost.com/instagram-api-bug-could-allow-malicious-file-down... OpenSSL Patches High Severity DOS Vulnerability | Threatpost | The first stop for security news https://threatpost.com/openssl-mystery-patch-is-no-heartbleed/111708 Android hijacking bug may allow attackers to install password-stealers | Ars Technica http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-... Background on The Guardian vs Whisper: Corrections and clarifications | News | The Guardian http://www.theguardian.com/news/2015/mar/11/corrections-and-clarifications The Whisper Campaign That Torched A Guardian Story - BuzzFeed News http://www.buzzfeed.com/mathonan/the-whisper-campaign-that-torched-a-gua... "a confederacy of 'privacy' dunces": what we found under the hood of an 'anonymous' chat app used by millions - Xipiter http://www.xipiter.com/musings/a-confederacy-of-privacy-dunces-what-we-f... Music! Pendulum - ABC News Theme Remix Full Version + Download - YouTube https://www.youtube.com/watch?v=8XbQsjRc7L0

Risky Business #358 -- HD Moore and Haroon Meer play "king for a day"

Patrick Gray — Thu, 19 Mar 2015 00:00:00 +1100

On this week's show we chat with Rapid7's HD Moore (feature) and Thinkst head honcho Haroon Meer (sponsor) about the big-picture changes that could see enterprise security actually change. They're both high-level interviews with two of the industry's sharpest. Don't forget to check out this week's Risky Business video! Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Have you checked out this week's Risky Business YouTube video? https://www.youtube.com/watch?v=TY0mBzP7qw8 German Police Just Made a Gigantic Dark-Web Drug Bust | WIRED http://www.wired.com/2015/03/evolution-shiny-flakes-bust-heroin-cocaine-... The Dark Web's Top Drug Market, Evolution, Just Vanished | WIRED http://www.wired.com/2015/03/evolution-disappeared-bitcoin-scam-dark-web/ Hackers May Have Taken Medical Records From Insurer Premera | WIRED http://www.wired.com/2015/03/hackers-may-taken-medical-records-insurer-p... Bogus SSL certificate for Windows Live could allow man-in-the-middle hacks | Ars Technica http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-window... Man who obtained Windows Live cert said his warnings went unanswered | Ars Technica http://arstechnica.com/security/2015/03/man-who-obtained-windows-live-ce... Microsoft takes 4 years to recover privileged TLS certificate addresses | Ars Technica http://arstechnica.com/security/2015/03/microsoft-takes-4-years-to-recov... Obama Administration Seeks More Legal Power to Disrupt Botnets | Threatpost | The first stop for security news https://threatpost.com/obama-administration-seeks-more-legal-power-to-di... CISA Cybersecurity Bill Advances Despite Privacy Concerns | WIRED http://www.wired.com/2015/03/cisa-cybersecurity-bill-advances-despite-pr... Mobile Android, iOS Apps Still Vulnerable to FREAK Attacks | Threatpost | The first stop for security news https://threatpost.com/mobile-android-ios-apps-still-vulnerable-to-freak... Shared Keys Simplify, Cheapen FREAK Attacks | Threatpost | The first stop for security news https://threatpost.com/shared-keys-simplify-cheapen-freak-attacks/111668 Yahoo Previews End To End Email Encryption | Threatpost | The first stop for security news https://threatpost.com/yahoo-previews-end-to-end-email-encryption-extens... Yahoo wants to let you forget your Yahoo password - CNET http://www.cnet.com/news/yahoo-wants-to-let-you-forget-your-yahoo-password/ Guardian backtracks, says Whisper doesn't spy on its users after all | Ars Technica http://arstechnica.com/security/2015/03/guardian-backtracks-says-whisper... Strange snafu hijacks UK nuke maker's traffic, routes it through Ukraine | Ars Technica http://arstechnica.com/security/2015/03/mysterious-snafu-hijacks-uk-nuke... South Korea claims North hacked nuclear data | Ars Technica http://arstechnica.com/security/2015/03/south-korea-claims-north-hacked-... Hey Twitter, Killing Anonymity's a Dumb Way to Fight Trolls | WIRED http://www.wired.com/2015/03/hey-twitter-killing-anonymitys-dumb-way-fig... Facebook Messenger will now let you send money to friends | The Verge http://www.theverge.com/2015/3/17/8235781/facebook-messanger-payments-se... Microsoft's Windows Hello will make your face, finger or iris the new sign-in - CNET http://www.cnet.com/news/microsoft-introduces-windows-hello-for-signing-... Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase - NYTimes.com http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closing-... BlackBerry takes another shot at a tablet -- sort of - CNET http://www.cnet.com/news/blackberry-takes-another-shot-at-a-tablet-sort-of/ State Department takes network offline for security scrub - CNET http://www.cnet.com/news/state-department-takes-network-offline-for-secu... Google Apps bug exposes some users' personal info - CNET http://www.cnet.com/news/bug-in-google-apps-exposes-some-users-personal-... Stealthy, Persistent DLL Hijacking Works Against OS X | Threatpost | The first stop for security news https://threatpost.com/stealthy-persistent-dll-hijacking-works-against-o... Google Fix for Android Memory Leakage Issue In The Works | Threatpost | The first stop for security news https://threatpost.com/google-aware-of-memory-leakage-issue-in-android-5... Samsung Patches Social Media Vulnerability in Millions of Devices | Threatpost | The first stop for security news https://threatpost.com/after-delays-samsung-patches-social-media-vulnera... MS Update 3033929 Causing Reboot Loop - Krebs on Security http://krebsonsecurity.com/2015/03/ms-update-3033929-causing-reboot-loop/ OpenSSL Patch to Plug Severe Security Holes - Krebs on Security http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security... Apple Safari WebKit Vulnerabilities Patched | Threatpost | The first stop for security news https://threatpost.com/apple-patches-webkit-vulnerabilities-in-safari/11... D-Link Patches Two Vulnerabilities in Router Firmware | Threatpost | The first stop for security news https://threatpost.com/d-link-patches-two-remotely-exploitable-bugs-in-f... Adobe Flash Update Plugs 11 Security Holes - Krebs on Security http://krebsonsecurity.com/2015/03/adobe-flash-update-plugs-11-security-... ThinkstScapes http://thinkst.com/thinkstscapes.html Phish5 - Five minutes from start to phish https://phish5.com/ The Bamboos - I Got Burned feat Tim Rogers - YouTube https://www.youtube.com/watch?v=ASS_naRGRZY

Risky Business on YouTube! Episode 3: Victim shaming

Patrick Gray — Tue, 17 Mar 2015 00:00:00 +1100

The infosec industry has failed to protect the Internet and networks attached to it. So why do people who work in it engage in victim-shaming?

Risky Business #357 -- Mark Dowd talks Rowhammer

Patrick Gray — Thu, 12 Mar 2015 00:00:00 +1100

On this week's show we're having a chat with Mark Dowd about the so-called Rowhammer exploit. And yeah, if you haven't heard about this one you're in for a treat. It's among the most badass research I've ever seen. You know, you can skin a cat with a knife, or you can do what the Google Project Zero team did and skin it with 300 synchronised lasers. [NOTE: It's been pointed out that the post on the Project Zero blog is actually a guest post. The work was done by Googlers and published on the Google Zero blog, but these researchers aren't actually a part of the Project Zero team. Sorry for the confusion.] In this week's sponsor episode we're chatting with Joseph Sokoly of Tenable Network Security about bugs like Freak. The fact is, if you're operating a web property and you were running your SSL config correctly, Freak wouldn't be a risk to your users when they're using your service. But a lot of organisations just don't bother running best-practice configs. Why not? They're too busy putting out fires in their vuln management programs to deal with the low-hangers. Joseph stops by soon to talk about that. (Joseph is also one of the voices of the Southern Fried Security Podcast. Check it out here, because I'm guessing if you're reading this you like security podcasts!) Show notes Patched Windows PC remained vulnerable to Stuxnet USB exploits since 2010 | Ars Technica http://arstechnica.com/security/2015/03/patched-windows-pc-remained-vuln... Stuxnet leak probe stalls for fear of confirming US-Israel involvement | Ars Technica http://arstechnica.com/tech-policy/2015/03/stuxnet-leak-probe-stalls-for... UK man arrested on suspicion of US Department of Defense hacking | Ars Technica http://arstechnica.com/tech-policy/2015/03/uk-man-arrested-on-suspicion-... iSpy: The CIA Campaign to Steal Apple's Secrets https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-ap... Errata Security: No, the CIA isn't stealing Apple's secrets http://blog.erratasec.com/2015/03/no-cia-isnt-stealing-apples-secrets.ht... Australia to prosecute Heartbleed pentest in desperation to pin charges on Anonymous radio host | ZDNet http://www.zdnet.com/article/australia-to-prosecute-heartbleed-pentest-i... OpenSSL Security Audit Ready to Start | Threatpost | The first stop for security news https://threatpost.com/openssl-security-audit-ready-to-start/111538 Anthem Refuses Audit Following Massive Breach | Threatpost | The first stop for security news https://threatpost.com/anthem-refusing-oig-security-audit-following-brea... Why Clinton's Private Email Server Was Such a Security Fail | WIRED http://www.wired.com/2015/03/clintons-email-server-vulnerable/ Hillary Clinton Says Her Email Was Secure; She Can't Know | WIRED http://www.wired.com/2015/03/hillary-clinton-says-email-secure-cant-know/ Feds Indict Three in 2011 Epsilon Hack - Krebs on Security http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/ Stop Spying on Wikipedia Users - NYTimes.com http://www.nytimes.com/2015/03/10/opinion/stop-spying-on-wikipedia-users... Litecoin-mining code found in BitTorrent app, freeloaders hit the roof \u2022 The Register http://www.theregister.co.uk/2015/03/07/utorrent_epic_scale_mining_softw... Adobe Starts Vulnerability Disclosure Program on HackerOne | Threatpost | The first stop for security news https://threatpost.com/adobe-starts-vulnerability-disclosure-program-on-... Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2 | Threatpost | The first stop for security news https://threatpost.com/apple-fixes-freak-bug-icloud-flaw-in-ios-8-2/111553 Yahoo Patches Critical Small Business, eCommerce Bugs | Threatpost | The first stop for security news https://threatpost.com/yahoo-patches-critical-ecommerce-small-business-v... Dropbox Patches Remotely Exploitable Vulnerability in SDK | Threatpost | The first stop for security news https://threatpost.com/dropbox-patches-remotely-exploitable-vulnerabilit... Facebook Users Open to Attack Via Several Security Bugs | Threatpost | The first stop for security news https://threatpost.com/facebook-users-open-to-attack-via-several-securit... Patch Tuesday patches FREAK, Universal XSS | Ars Technica http://arstechnica.com/information-technology/2015/03/patch-tuesday-patc... Microsoft Fixes Stuxnet Bug, Again - Krebs on Security http://krebsonsecurity.com/2015/03/microsoft-fixes-stuxnet-bug-again/ You Am I - Soldiers - YouTube https://www.youtube.com/watch?v=P1SV4v_qtBI Rowhammer http://www.rowhammer.com/

Risky Business Extra: Senator Scott Ludlam on mandatory metadata retention

Patrick Gray — Mon, 09 Mar 2015 00:00:00 +1100

Senator Scott Ludlam of the Greens party is the only Australian politician kicking up a stink about the government's metadata retention bill. And we're glad about that, it's a pretty defective bill, even if some recent amendments recommended by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) have made it much more palatable. Scott was passing through my town last week campaigning on behalf of the local Greens state election candidate for Ballina -- the NSW election is coming up at the end of March. So, we caught up and did this interview all about the latest with the bill and the politics behind it. The Green's full metadata video is here. Check out the full text of Scott's senate speech here.

Risky Business #356 -- Crypto Wars 2.0 with guest Alex Stamos

Patrick Gray — Thu, 05 Mar 2015 00:00:00 +1100

This week's feature interview is with Alex Stamos, CISO of Yahoo. Alex did a fantastic AppSec keynote in early February that I wanted to ask him about, so we booked this interview a couple of weeks ago. Then, last week, Alex made the news. Big time. While on a panel with Admiral Mike Rogers, Alex challenged the NSA chief on the government's apparent desire to mandate the introduction of interception capabilities into products made by technology companies. Alex asked if companies that agreed to introduce back doors for the US government should also agree to provide similar back doors to other countries as well, ones that might not be democratic. From there, there was some to and fro. It was a cordial exchange but it was written up as a stoush. Alex joined me via Skype to discuss that exchange, security at scale and bug bounties. It's time for this week's sponsor interview now with Julian Fay, CTO and co-founder of Senetas, makers of fine, fine hardware security equipment. Julian joined me this week to discuss a raft of crypto news, starting off with the Freak vulnerability, which, as best I can tell, isn't actually a giant fireball heading towards earth, despite what some of the tech press might be saying. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes Google quietly backs away from encrypting new Lollipop devices by default [Updated] | Ars Technica http://arstechnica.com/gadgets/2015/03/google-quietly-backs-away-from-en... Buyout puts supersecure Blackphone in one company's hands - CNET http://www.cnet.com/news/silent-circle-buys-out-secure-blackphone-hardwa... There's Now a Free iPhone App That Encrypts Calls and Texts | WIRED http://www.wired.com/2015/03/iphone-app-encrypted-voice-texts/ Sailfish Secure wants to be an Android alternative safe from spies' prying eyes - CNET http://www.cnet.com/news/sailfish-secure-wants-to-be-an-android-alternat... Tim Cook to governments: Lay off our privacy - CNET http://www.cnet.com/news/tim-cook-to-governments-lay-off-our-privacy/ US court rubber-stamps dragnet metadata surveillance (again) \u2022 The Register http://www.theregister.co.uk/2015/03/02/dragnet_metadata_surveillance_ex... Komodia Certificate Manipulation Enabled Man-In-The-Middle Attacks | Threatpost | The first stop for security news http://threatpost.com/komodia-certificate-manipulation-likely-led-to-man... Lenovo.com hijack reportedly pulled off by hack on upstream registrar | Ars Technica http://arstechnica.com/security/2015/02/lenovo-com-hijack-reportedly-pul... More IoT insecurity: This Blu-ray disc pwns PCs and DVD players | Ars Technica http://arstechnica.com/security/2015/03/more-iot-insecurity-this-blu-ray... In major goof, Uber stored sensitive database key on public GitHub page | Ars Technica http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensit... 50,000 Uber driver names, license numbers exposed in a data breach | Ars Technica http://arstechnica.com/business/2015/02/50000-uber-driver-names-license-... Apple Pay a haven for 'rampant' credit card fraud, say experts \u2022 The Register http://www.theregister.co.uk/2015/03/03/apple_pay_plastic_fraud/ Credit Card Breach at Mandarin Oriental - Krebs on Security http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-orien... Iran hacks America where it hurts: Las Vegas casinos \u2022 The Register http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/ Alleged Aussie Anon hauled in for Indonesia phone tap hacking spat \u2022 The Register http://www.theregister.co.uk/2015/02/27/alledged_aussie_anon_hauled_in_f... Hospital Sues Bank of America Over Million-Dollar Cyberheist - Krebs on Security http://krebsonsecurity.com/2015/03/hospital-sues-bank-of-america-over-mi... Natural Grocers Investigating Card Breach - Krebs on Security http://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-br... Government moves quickly to adopt metadata retention law review recommendations http://www.smh.com.au/it-pro/government-it/government-moves-quickly-to-a... Federal MPs hit in phone prank | Herald Sun http://www.heraldsun.com.au/news/federal-mps-hit-in-phone-prank/story-fn... Seagate Business NAS Firmware Vulnerabilities Disclosed | Threatpost | The first stop for security news http://threatpost.com/seagate-business-nas-firmware-vulnerabilities-disc... D-Link Working on Firmware Updates for Three Critical Bugs | Threatpost | The first stop for security news http://threatpost.com/d-link-working-on-firmware-updates-for-three-criti... Spam Uses Default Passwords to Hack Routers - Krebs on Security http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-r... Firefox 37 to Include New OneCRL Certificate Blocklist | Threatpost | The first stop for security news http://threatpost.com/firefox-37-to-include-new-onecrl-certificate-block... Patrick Gray on the State of Security and State Security | Threatpost | The first stop for security news http://threatpost.com/patrick-gray-on-the-state-of-security-and-state-se... New Zealand Spies on Neighbors in Secret 'Five Eyes' Global Surveillance - The Intercept https://firstlook.org/theintercept/2015/03/04/new-zealand-gcsb-surveilla... Snowden revelations / The price of the Five Eyes club: Mass spying on friendly nations - National - NZ Herald News http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11411759 "FREAK" flaw in Android and Apple devices cripples HTTPS crypto protection | Ars Technica http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-... Surveillance-based manipulation: How Facebook or Google could tilt elections | Ars Technica http://arstechnica.com/security/2015/02/surveillance-based-manipulation-... House committee subpoenas Clinton emails in Benghazi probe http://bigstory.ap.org/article/b78ba433af3a45209668f745158d994c/clinton-... AppSec is Eating Security - Opening Keynote - AppSec California 2015 - Alex Stamos - YouTube https://www.youtube.com/watch?v=-1kZMn1RueI Here's how the clash between the NSA Director and a senior Yahoo executive went down. - The Washington Post http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/23/heres-how-t... Senetas http://www.senetas.com/ Rainy Day Women | triple j Unearthed https://www.triplejunearthed.com/artist/rainy-day-women

Risky Business #355 -- Gemalto op exposes cellphone crypto flaws

Patrick Gray — Thu, 26 Feb 2015 00:00:00 +1100

On this week's show we're speaking with Philippe Langlois. You may remember him as the founder of Qualys in the 90s, but these days he's the CEO and founder of P1 Security, a telecommunications security firm. He'll be joining us to discuss the NSA and GCHQ operation against SIM card manufacturer Gemalto. Last week The Intercept reported on some Snowden dox that said NSA and GCHQ were basically scooping up SIM card private keys from anywhere they could, including from within Gemalto's network. Because cellphone encryption schemes are symmetric, this is bad. It's very, very bad. We'll talk to Philippe about that. This week's show is sponsored by Palo Alto Networks, big thanks to them. PAN CSO Rick Howard will be along in this week's sponsor interview to talk about one of his passion projects, the Cybersecurity Canon. It's basically his book club idea that PAN is now sponsoring and it's got a LOT of potential. Find out how you can get involved in this week's sponsor interview, with big thanks to Palo Alto Networks. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing. Show notes The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle https://firstlook.org/theintercept/2015/02/19/great-sim-heist/ PCS Harvesting at Scale - The Intercept https://firstlook.org/theintercept/document/2015/02/19/pcs-harvesting-sc... Gemalto Doesn't Know What It Doesn't Know - The Intercept https://firstlook.org/theintercept/2015/02/25/gemalto-doesnt-know-doesnt... Lenovo Superfish Certificate Password Cracked | Threatpost | The first stop for security news http://threatpost.com/lenovo-superfish-certificate-password-cracked/111165 Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] | Ars Technica http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-... How to remove the Superfish malware: What Lenovo doesn't tell you | Ars Technica http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malw... Get your Snort rules here: SuperFish Detection - SquareLemon http://blog.squarelemon.com/blog/2015/02/20/superfish-detection/ ------------------------ Support Risky Business on Patreon: https://patreon.com/riskybusiness ------------------------ Security software found using Superfish-style code, as attacks get simpler | Ars Technica http://arstechnica.com/security/2015/02/security-software-found-using-su... Here's how the clash between the NSA Director and a senior Yahoo executive went down. - The Washington Post http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/23/heres-how-t... Spies Can Track You Just by Watching Your Phone's Power Use | WIRED http://www.wired.com/2015/02/powerspy-phone-tracking/ LenoLOL! 'Lizard Squad HACKS lenovo.com' \u2022 The Register http://www.theregister.co.uk/2015/02/25/thought_things_couldnt_get_worse... TrueCrypt Audit Cryptanalysis Handed Off to NCC Group | Threatpost | The first stop for security news http://threatpost.com/truecrypt-audit-stirs-back-to-life/111162 Moxie Marlinspike >> Blog >> GPG And Me http://www.thoughtcrime.org/blog/gpg-and-me/ Hackers Cut in Line at the Burning Man Ticket Sale-And Get Caught | WIRED http://www.wired.com/2015/02/hacking-burning-man-tickets/ How Hackers Abused Tor To Rob Blockchain, Steal Bitcoin, Target Private Email And Get Away With It - Forbes http://www.forbes.com/sites/thomasbrewster/2015/02/24/blockchain-and-dar... Hacker Claims Feds Hit Him With 44 Felonies When He Refused to Be an FBI Spy | WIRED http://www.wired.com/2015/02/hacker-claims-feds-hit-44-felonies-refused-... Accused British hacker, wanted for crimes in US, won't give up crypto keys | Ars Technica http://arstechnica.com/tech-policy/2015/02/accused-british-hacker-wanted... LinkedIn premium users to get $1 each in password-leak settlement | Ars Technica http://arstechnica.com/tech-policy/2015/02/linkedin-premium-users-to-get... FBI: $3M Bounty for ZeuS Trojan Author - Krebs on Security http://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/ Europol cracks down on botnet infecting 3.2 million computers | Ars Technica http://arstechnica.com/tech-policy/2015/02/europol-cracks-down-on-botnet... Snowden's favourite Linux - Tails - rushes sec-fix version to market \u2022 The Register http://www.theregister.co.uk/2015/02/25/tails_project_rushes_secfix_vers... Cybersecurity Canon https://www.paloaltonetworks.com/threat-research/cybercanon.html P1 Security http://www.p1sec.com/corp/ The Shins - Phantom Limb [OFFICIAL VIDEO] - YouTube https://www.youtube.com/watch?v=OkITsv3Nk6M

Risky Business #354 -- Breaking exploit automation

Patrick Gray — Fri, 20 Feb 2015 00:00:00 +1100

On this week's show we're chatting with Assured Information Security senior research engineer Jacob Torrey about some work he's due to present at SysCAN and Infiltrate. It's called HARES, and it's basically a pretty impressive party trick that makes reverse engineering malware payloads a lot harder. He's also been following some work around some compile-time tricks that make software builds unique. This can make your 0day a lot less useful because exploit has to be custom built for each target... think of it as a compile-time ASLR trick, but better. NOTE: Originally this post said the compile-time tricks were Jacob's research. They're not, I got that mixed up. Soz. Been crook this week and I guess I've been a bit sloppy. The podcast still contains the incorrect assertion that the research Jacob is talking about is his own. I'll put a clarifying statement in next week's show. - Pat This week's show is brought to you by BugCrowd, crowdsourced bug bounties. And we'll be chatting with Bugcrowd founder and CEO Casey Ellis about some interesting stuff this week -- like how to you take bug reports from people who don't speak english? Will a video do it? We also chat about some comments made by Alex Stamos, the CISO of Yahoo, in a recent AppSec conference keynote. He says bug bounty crowds need to chill out; that until a few years ago they would have gone to prison for running SQLMap against a target and now they're getting paid. He also says the CFAA makes bounty programs legally risky for participants and we're one prosecution away from blowing the whole model up. We'll find out what Casey thinks about that. Adam Boileau, as usual, joins us to discuss the week's news headlines. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #353 -- Andy Greenberg: Why I feel sorry for Ross Ulbricht

Patrick Gray — Thu, 12 Feb 2015 00:00:00 +1100

This week's feature interview is with Andy Greenberg, senior writer with WIRED. He's covered Silk Road from the get go, even scoring an in depth interview with DPR before he was caught and unmasked as Ross Ulbricht. He attended every day of Ulbricht's trial and says he was there every minute the jury was. He joined me via Skype earlier this week to talk about the trial of Ross Ulbricht, the future of underground markets and the disconnect between Ross Ulbricht's real life and online personas. In fact, that disconnect is so great that Andy actually feels sorry for Ross Ulbricht, despite the allegation that as the Dread Pirate Roberts he commissioned as many as six murders for hire. This week's show is brought to you by a new sponsor, Intralinks! These guys have a background doing very specialist work in facilitating mergers and acquisitions, but they're pushing into the enterprise space with a really interesting product which you can think of as an enterprise-grade file sharing service with built in IRM. Intralinks Richard Anstey joins us a bit later on for a chat about the security challenge presented by file sharing services, and what some solutions might look like. And I've gotta say, even though we talk about their product a bit, it's a very interesting interview. Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business on YouTube! Episode 2: The Great Australian Metadata Debate

Patrick Gray — Wed, 11 Feb 2015 00:00:00 +1100

Despite Australian Attorney General George Brandis's stellar explanation, some people are still a tad confused about what proposed law changes mean. Funny, that.

Risky Business #352 -- Bye bye DPR, plus special guest Dave Aitel

Patrick Gray — Thu, 05 Feb 2015 00:00:00 +1100

In this week's feature we're chatting with Dave Aitel of Immunity Inc. We chat to him about the Sony hack being a demonstration of North Korean capability as opposed to genuine revenge... we also talk about security conferences in 2015 and chat to him about his rage-inspiring musings on so-called junk hacking from last year. In this week's sponsor interview we speak with HackLabs big cheese Chris Gatford about the so-called Ghost vulnerability. As it turned out, it was a bit of a fizzer, but it's still an interesting bug from a management point of view. How the hell do you figure out what the impact of something like that is on your network? The gethostbyname code is, of course, all over your nix boxes, but it's no doubt statically included in a whole bunch of your enterprise crapware as well. And the thing is, the fact that it's causing heart palpitations out there in some enterprise teams proves one thing: We don't trust out upstream software providers to patch this stuff... we don't even trust them to know what code is in their own products! It's a contemporary pickle and Chris Gatford of Hacklabs will be along in a bit to discuss it. Don't forget you can now support Risky Business via our Patreon campaign! You can follow Patrick on Twitter here and Adam here.

Risky Business #351 -- Kim Zetter talks Stuxnet: Countdown to Zero Day

Patrick Gray — Fri, 30 Jan 2015 00:00:00 +1100

In this week's feature interview we're chatting with Wired journalist Kim Zetter about her fantastic book Stuxnet: Countdown to Zero Day. As it turns out, the assumption that US and Israeli intelligence agencies had "boots on ground" intelligence to design the malicious code could very well be bunkum! This week's show is brought to you by Tenable Network Security, so in this week's sponsor interview we're chatting with Tenable's very own Marcus Ranum about attribution. No, not just the North Korea angle... we cover off what sort of focus the average enterprise needs to put on attributing attacks. Does it even matter? Adam Boileau, as always, joins the show to discuss the week's security news. You can become a Risky Business patron thanks to our Patreon campaign. And you can also follow Patrick or Adam on Twitter, if that's your thing. Show notes First ever Risky.Biz YouTube rant with Patrick Gray - YouTube https://www.youtube.com/watch?v=0o5PRIrQq48 Support Risky Business via our Patreon campaign! https://patreon.com/riskybusiness Kim Zetter's awesome Stuxnet book on Amazon: http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/077043617X Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht's Laptop | WIRED http://www.wired.com/2015/01/prosecutors-trace-13-4-million-bitcoins-sil... A Heroin Dealer Tells the Silk Road Jury What It Was Like to Sell Drugs Online | WIRED http://www.wired.com/2015/01/silk-road-heroin-dealer-testifies/ Here's the Secret Silk Road Journal From the Laptop of Ross Ulbricht | WIRED http://www.wired.com/2015/01/heres-secret-silk-road-journal-laptop-ross-... Silk Road paid off hackers to keep site running - CNET http://www.cnet.com/news/hackers-blackmailed-silk-road-underground/ No, Department of Justice, 80 Percent of Tor Traffic Is Not Child Porn | WIRED http://www.wired.com/2015/01/department-justice-80-percent-tor-traffic-c... Bitcoin Exchange Operator Sentenced to 4 Years for Silk Road Transactions | WIRED http://www.wired.com/2015/01/bitcoin-exchange-operator-sentenced-4-years... Aspiring Singer Arrested in Israel on Suspicion of Hacking Madonna | WIRED http://www.wired.com/2015/01/aspiring-singer-arrested-israel-suspicion-h... Barrett Brown Sentenced to 5 Years in Prison in Connection to Stratfor Hack | WIRED http://www.wired.com/2015/01/barrett-brown-sentenced-5-years-prison-conn... Dutch judge allows alleged "sophisticated" Russian hacker to be sent to US | Ars Technica http://arstechnica.com/tech-policy/2015/01/dutch-judge-allows-alleged-so... New Rules in China Upset Western Tech Companies - NYTimes.com http://www.nytimes.com/2015/01/29/technology/in-china-new-cybersecurity-... FCC Warns Businesses WiFi Blocking is Illegal | Threatpost | The first stop for security news http://threatpost.com/fcc-warns-businesses-wifi-blocking-is-illegal/110728 Snowden reveals LEVITATION technique of Canada's spies \u2022 The Register http://www.theregister.co.uk/2015/01/29/snowden_reveals_levitation_techn... Researcher says Aussie spooks help code Five Eyes mega malware \u2022 The Register http://www.theregister.co.uk/2015/01/29/did_aussie_spooks_write_regin/ Oz spooks hack, wreck Middle East 'cooling system': report \u2022 The Register http://www.theregister.co.uk/2015/01/28/skip_spooks_hack_wreck_middle_ea... Australia launches cyber-weapons in global counter-terrorist operations http://www.afr.com/p/technology/australia_launches_cyber_weapons_hR1B30q... Facebook: Oi, Lizard Squad - we can take down our own site, ta \u2022 The Register http://www.theregister.co.uk/2015/01/27/facebook_lizardsquad_takedown_cl... Information Security: The Internet of Gas Stati... | SecurityStreet https://community.rapid7.com/community/infosec/blog/2015/01/22/the-inter... Google drops three OS X 0days on Apple | Ars Technica http://arstechnica.com/security/2015/01/google-drops-three-os-x-0days-on... iTunes Connect bug logs developers in to other developers' accounts at random | Ars Technica http://arstechnica.com/apple/2015/01/itunes-connect-bug-logs-developers-... PHP Applications, WordPress Vulnerable to Ghost glibc Bug | Threatpost | The first stop for security news http://threatpost.com/php-applications-wordpress-subject-to-ghost-glibc-... Critical "GHOST" Vulnerability Released | Sucuri Blog http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html Thunderstrike Patch Slated for Inclusion in New OS X Build | Threatpost | The first stop for security news http://threatpost.com/thunderstrike-patch-slated-for-new-os-x-build/110649 Bug in ultra secure BlackPhone let attackers decrypt texts, stalk users | Ars Technica http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-l... Chrome 40 Patches 62 Security Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/chrome-40-patches-62-security-vulnerabilities-pays... Medeski Martin & Wood http://www.mmw.net/

Risky Business TV: Episode 1

Patrick Gray — Thu, 29 Jan 2015 00:00:00 +1100

Here it is, my first ever YouTube rant! I hope you enjoy it... https://www.youtube.com/watch?v=0o5PRIrQq48 Yeah I haven't figured out how to embed it yet.

Risky Business #350 -- We're baaaaaack

Patrick Gray — Thu, 22 Jan 2015 00:00:00 +1100

Welcome back to Risky Business for another year. This is the ninth year of weekly Risky Business podcasts, we're stoked you're sticking around for more. In this week's show Patrick Gray and Adam Boileau discuss the last month's crazy CyberNews(tm) and Palo Alto CTO and founder Nir Zuk stops by for the sponsor interview. You can now support Risky Business by becoming a Patron.

Risky Business #349 -- 2014 in review

Patrick Gray — Thu, 11 Dec 2014 00:00:00 +1100

In this special edition we take a look back over the big news items of 2014.

Risky Business #348 -- Did DPRK pwn Sony? PLUS Dan Guido on DARPA's Cyber Grand Challenge

Patrick Gray — Fri, 05 Dec 2014 00:00:00 +1100

On this week's show Adam and I establish that it's actually quite possible the disaster unfolding at Sony Pictures is, in fact, a North Korean government plot. I know, I know, there are sceptics, but any way you slice or dice it, it actually looks plausible. Tune in to find out why. In this week's feature interview we chat with Dan Guido, CEO of Trail of Bits, about his company's approach to DARPA's Cyber Grand Challenge. It's an initiative that will see automated attack and defence rigs do battle at DEF CON in Las Vegas in 2016. It's a fascinating idea that involves a lot of cutting edge research. Don't miss that interview. In this week's sponsor interview Matt Alderman of Tenable joins us to talk about what tech is going to be hot in 2015. Will a clear definition of threat intelligence (besides herpa derp) emerge in 2015? What about the skills shortage? Will that put even more impetus behind the push to security automation? Show notes Sony Got Hacked Hard: What We Know and Don't Know So Far | WIRED http://www.wired.com/2014/12/sony-hack-what-we-know/ Sony Pictures hack gets uglier; North Korea won't deny responsibility [Updated] | Ars Technica http://arstechnica.com/security/2014/12/sony-pictures-hack-gets-uglier-n... Inside the "wiper" malware that brought Sony Pictures to its knees [Update] | Ars Technica http://arstechnica.com/security/2014/12/inside-the-wiper-malware-that-br... Sony Pictures malware tied to Seoul, "Shamoon" cyber-attacks | Ars Technica http://arstechnica.com/security/2014/12/sony-pictures-malware-tied-to-se... Sony Breach May Have Exposed Employee Healthcare, Salary Data - Krebs on Security http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee... An alleged 27GB Sony Pictures data dump. 65 PlayStation web servers. One baffling mystery \u2022 The Register http://www.theregister.co.uk/2014/12/03/strange_things_afoot_with_great_... Iranian CLEAVER hacks through airport security, Cisco boxen \u2022 The Register http://www.theregister.co.uk/2014/12/03/operation_cleaver/ Critical networks in US, 15 other nations, completely owned, possibly by Iran | Ars Technica http://arstechnica.com/security/2014/12/critical-networks-in-us-15-natio... An Interview With Darkside, Russia's Favorite Dark Web Drug Lord | WIRED http://www.wired.com/2014/12/interview-darkside-russias-favorite-dark-we... GCHQ boffins quantum-busted its OWN crypto primitive \u2022 The Register http://www.theregister.co.uk/2014/12/03/gchq_boffins_quantumbusted_own_c... Sites certified as secure often more vulnerable to hacking, scientists find | Ars Technica http://arstechnica.com/security/2014/12/sites-certified-as-secure-often-... Google kills CAPTCHAs: Are we human or are we spammer? \u2022 The Register http://www.theregister.co.uk/2014/12/03/google_moves_beyond_text_puzzles... Hawking: RISE of the MACHINES could DESTROY HUMANITY \u2022 The Register http://www.theregister.co.uk/2014/12/03/stephen_hawking_says_ai_will_sup... Australian Government funds effort to secure wearable data pulses \u2022 The Register http://www.theregister.co.uk/2014/12/02/govt_backs_security_probe_to_fee... December 2014 Microsoft Patch Tuesday Advance Notification | Threatpost | The first stop for security news http://threatpost.com/missing-exchange-patch-expected-among-december-pat... Apple Pulls Back Safari Patches | Threatpost | The first stop for security news http://threatpost.com/apple-pulls-latest-round-of-safari-patches/109712 Cyber Grand Challenge - Mike Walker on Vimeo http://vimeo.com/81340884 DARPA | Cyber Grand Challenge http://www.cybergrandchallenge.com/ National Tour - Augie March http://www.augiemarch.com.au/national-tour/

Risky Business #347 -- So what does Detekt... detect?

Patrick Gray — Fri, 28 Nov 2014 00:00:00 +1100

There's lots of fun news in this week's show. Sony Pictures got absolutely flattened, Regin is all the rage and the SEA has been enjoying some success. In this week's feature interview we're chatting with Claudio Guarnieri about his tool Detekt. It copped an absolute tonne of criticism on Twitter over the last week or so, but as you'll hear, most of the critics were kind of missing the point about what Claudio was trying to achieve. I know, I know, the idea that someone on Twitter might have been wrong is crazy, but just listen to the interview and see what you think. Claudio joins us via Skype from Berlin for a chat about Detekt! This week's show is brought to you by Websense, big thanks to them. Websense principal security researcher Carl Leonard will join us from London to do something very, very brave. He's going to make some predictions for what we could see in the malware space in 2015. Brave is the soul who makes predictions in this discipline. That's this week's sponsor interview, with thanks again to Websense! Show notes Sony Pictures hackers release list of stolen corporate files | Ars Technica http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-li... 'Hacked by #GOP': staff at Sony Pictures resort to paper and pen after hack shuts computer system http://www.watoday.com.au/it-pro/security-it/hacked-by-gop-staff-at-sony... I used to work for Sony Pictures. My friend still works there and sent me this. It's on every computer all over Sony Pictures nationwide. : hacking https://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_work_for_sony... Syrian Electronic Army claims hack of news sites, including CBC - Technology & Science - CBC News http://www.cbc.ca/news/technology/syrian-electronic-army-claims-hack-of-... Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer | WIRED http://www.wired.com/2014/11/mysteries-of-the-malware-regin/ Regin Cyberespionage Malware Platform Targets GSM Networks | Threatpost | The first stop for security news http://threatpost.com/regin-cyberespionage-platform-also-spies-on-gsm-ne... Oops: After Threatening Hacker With 440 Years, Prosecutors Settle for a Misdemeanor | WIRED http://www.wired.com/2014/11/from-440-years-to-misdemeanor/ Freya Newman escapes conviction for leaking Frances Abbott scholarship details http://www.smh.com.au/nsw/freya-newman-escapes-conviction-for-leaking-fr... Laughing Hacker Who Hit Sony, FBI Now Seeks Legal Lols - Businessweek http://www.businessweek.com/news/2014-11-26/lulzsec-hacker-out-of-jail-w... Icelandic hacker says guilty of stealing money from Wikileaks | Reuters http://www.reuters.com/article/2014/11/26/iceland-wikileaks-idUSL6N0TG4U... Apple, Google encryption 'not helping' criminal investigation: AFP | ZDNet http://www.zdnet.com/au/apple-google-encryption-not-helping-criminal-inv... ATO bitcoin treatment could see business move offshore | ZDNet http://www.zdnet.com/ato-bitcoin-treatment-could-see-business-move-offsh... Home Depot Breach Cost Company $43 Million in Third Quarter | Threatpost | The first stop for security news http://threatpost.com/home-depot-breach-cost-company-43-million-in-third... Home Depot hit with "at least 44 civil lawsuits" due to data breach | Ars Technica http://arstechnica.com/tech-policy/2014/11/home-depot-hit-with-at-least-... Craigslist Back Online Following DNS Hijack | Threatpost | The first stop for security news http://threatpost.com/craigslist-back-online-following-dns-hijack/109559 New Google Security Dashboard Manages Device Activity | Threatpost | The first stop for security news http://threatpost.com/new-google-security-dashboard-manages-device-activ... Using a password manager on Android? It may be wide open to sniffing attacks | Ars Technica http://arstechnica.com/security/2014/11/using-a-password-manager-on-andr... Skimmer Innovation: 'Wiretapping' ATMs - Krebs on Security http://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/ Siemens issues emergency SCADA patch \u2022 The Register http://www.theregister.co.uk/2014/11/27/siemens_issues_emergency_scada_p... Siemens Patches WinCC Vulnerabilities Likely Being Exploited | Threatpost | The first stop for security news http://threatpost.com/siemens-patches-wincc-vulnerabilities-likely-being... Four-year-old comment security bug affects 86 percent of WordPress sites | Ars Technica http://arstechnica.com/security/2014/11/four-year-old-comment-security-b... Adobe Releases Emergency Flash Player Patch | Threatpost | The first stop for security news http://threatpost.com/adobe-releases-emergency-flash-player-patch/109623 Adobe Reader sandbox popped says Google researcher \u2022 The Register http://www.theregister.co.uk/2014/11/27/adobe_reader_sandbox_popped/ Privacy bods Detekt FinFisher dressed as bookmark manager \u2022 The Register http://www.theregister.co.uk/2014/11/26/privacy_bods_detekt_finisher_dre... Resist Surveillance https://resistsurveillance.org/intentions.html Augie March - A Dog Starved (official video) - YouTube https://www.youtube.com/watch?v=DCE0zKxgyKI

Risky Business #346 -- Haters gonna hate, Americans gonna 'muric

Patrick Gray — Fri, 21 Nov 2014 00:00:00 +1100

On this week's show we're chatting with Peter Fillmore about payment card security. He was able to clone a contactless card and use it to do his shopping here in Australia -- this is something you shouldn't be able to do. So the question becomes, how can the USA, which is taking tentative steps towards chip cards, avoid some of the mistakes made in more advanced markets like ours? We also find out chip-enabled ATMs pass card data through the chip reader straight into a parser running on the main ATM OS... which, yeah... That's pretty bad. This week's show is brought to you by Senetas, makers of fine, fine encryption technology. They make layer 2 encryption gear... Senetas CTO Julian Fay, says the Snowden leaks are continuing to have a massive impact on the business landscape out there. These guys are shipping equipment to encrypt hundreds and hundreds of gigabits of data flowing between data centres that are increasingly located in Europe. So all that talk about companies moving their equipment out of the USA? Well, it IS happening. He's got some fascinating insights for us. Show notes Critical NSA Reform Bill Fails in the Senate | WIRED http://www.wired.com/2014/11/usa-freedom-act-fails-in-senate/ Beefed up iPhone crypto will lead to a child dying, DOJ warned Apple execs | Ars Technica http://arstechnica.com/tech-policy/2014/11/beefed-up-iphone-crypto-will-... U.S. Gov Insists It Doesn't Stockpile Zero-Day Exploits to Hack Enemies | WIRED http://www.wired.com/2014/11/michael-daniel-no-zero-day-stockpile/ EFF, Others Plan to Make Encrypting the Web Easier in 2015 | Threatpost | The first stop for security news http://threatpost.com/eff-others-plan-to-make-encrypting-the-web-easier-... Whatsapp Just Switched on End-to-End Encryption for Hundreds of Millions of Users | WIRED http://www.wired.com/2014/11/whatsapp-encrypted-messaging/ IAB Urges Designers to Make Encryption the Default | Threatpost | The first stop for security news http://threatpost.com/iab-urges-designers-to-make-encryption-the-default... Paper: NetFlow Data De-Anonymizes Tor Users | Threatpost | The first stop for security news http://threatpost.com/tor-reins-in-concerns-after-academic-paper-on-de-a... For a year, gang operating rogue Tor node infected Windows executables | Ars Technica http://arstechnica.com/security/2014/11/for-a-year-one-rogue-tor-node-ad... SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems \u2022 The Register http://www.theregister.co.uk/2014/11/19/sms_pwnage_on_meellions_of_flawe... Google Releases Open Source XSS Web App Scanner | Threatpost | The first stop for security news http://threatpost.com/google-releases-open-source-xss-web-app-scanner/10... Open Source OpenSOC Security Analytics Framework Released | Threatpost | The first stop for security news http://threatpost.com/cisco-releases-security-analytics-framework-to-ope... Visa, MasterCard Remove Passwords from 3D Secure | Threatpost | The first stop for security news http://threatpost.com/visa-mastercard-removing-passwords-from-3d-secure/... Swedish Court Rejects Julian Assange's Appeal to Dismiss His Arrest Warrant | WIRED http://www.wired.com/2014/11/sweden-rejects-assange-appeal/ How the Dark Web's New Favorite Drug Market Is Profiting From Silk Road 2's Demise | WIRED http://www.wired.com/2014/11/the-evolution-of-evolution-after-silk-road/ AT&T Stops Using Invasive 'Perma-Cookies,' But It May Turn Them Back On | WIRED http://www.wired.com/2014/11/att-hits-pause-privacy-busting-perma-cookie... UK.gov teams up with moneymen on HACK ATTACK INSURANCE \u2022 The Register http://www.theregister.co.uk/2014/11/13/cyber_insurance_analysis/ Network Hijackers Exploit Technical Loophole - Krebs on Security http://krebsonsecurity.com/2014/11/network-hijackers-exploit-technical-l... Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign | Threatpost | The first stop for security news http://threatpost.com/attackers-using-compromised-web-plug-ins-in-crypto... A neverending story: PC users lose another $120M to tech support scams | Ars Technica http://arstechnica.com/information-technology/2014/11/ftc-windows-tech-s... State Department shuts down email system after suspected hacker attack | US news | theguardian.com http://www.theguardian.com/us-news/2014/nov/16/state-department-shuts-do... Malware's new target: your password manager's password | Ars Technica http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-v... Apple iOS 8.1.1 Fixes Several Code-Execution Flaws | Threatpost | The first stop for security news http://threatpost.com/apple-ios-8-1-1-fixes-several-code-execution-flaws... Nasty Security Bug Fixed in Android Lollipop 5.0 | Threatpost | The first stop for security news http://threatpost.com/nasty-security-bug-fixed-in-android-lollipop-5-0/1... Windows Phone security sandbox survives Pwn2Own unscathed | Ars Technica http://arstechnica.com/security/2014/11/windows-phone-security-sandbox-s... Microsoft Releases Emergency Security Update - Krebs on Security http://krebsonsecurity.com/2014/11/microsoft-releases-emergency-security... WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed \u2022 The Register http://www.theregister.co.uk/2014/11/17/ms_schannel_crypto_poc/ Drupal Denial of Service Session Hijacking Patch | Threatpost | The first stop for security news http://threatpost.com/drupal-patches-denial-of-service-vulnerability-det... EMVCo http://emvco.com/approvals.aspx?id=85 Payment Security Consulting http://pscco.com.au/ the loved ones - ever lovin' man - YouTube https://www.youtube.com/watch?v=Ajdqk8ZN1jM

Risky Business #345 -- Advanced sock puppetry and news website manipulation

Patrick Gray — Thu, 13 Nov 2014 00:00:00 +1100

On this week's show we're taking a look at how you -- YES YOU -- can game online media. Find out how you can make comments on major news sites just disappear with one line of bash! Find out how you can drive a cupcake recipe into the "most popular" stories box on the world's major news sites! That's a chat with Azhar Desai of Thinkst and it's this week's feature. This week's show is brought to you be Tenable Network Security, thanks to them. And in this week's sponsor interview we're speaking with Tenable strategist Jack Daniel about his latest project Shoulders of Infosec. It's essentially a history project that seeks to record the achievements of infosec discipline pioneers. Adam Boileau, as always, joins the show to talk about the week's infosec news. Show notes Silk Road, other Tor "darknet" sites may have been "decloaked" through DDoS [Updated] | Ars Technica http://arstechnica.com/security/2014/11/silk-road-other-tor-darknet-site... How Did The FBI Break Tor? http://www.forbes.com/sites/kashmirhill/2014/11/07/how-did-law-enforceme... So Far Feds Have Only Confirmed Seizing 27 "Dark Market" Sites In Operation Onymous - Forbes http://www.forbes.com/sites/katevinton/2014/11/07/operation-onymous-dark... the grugq on Twitter: "http://t.co/mLVVT9NHzF" https://twitter.com/thegrugq/status/530411690676875264 129 Of the Seized ".Onion" Domains Were at a Single Bulgarian Hosting - Deep Dot Web http://www.deepdotweb.com/2014/11/08/129-seized-onion-domains-single-bul... Law enforcement seized Tor nodes and may have run some of its own | Ars Technica http://arstechnica.com/security/2014/11/law-enforcement-seized-tor-nodes... TORpedo'd dev dumps Doxbin files after police raids \u2022 The Register http://www.theregister.co.uk/2014/11/09/torpedod_dev_dumps_doxbin_files_... Supporting Anonymous Use of Facebook in Tor - DigiCert Blog https://blog.digicert.com/anonymous-facebook-via-tor/ New Mozilla Privacy Initiative to Include High-Capacity Tor Relays | Threatpost | The first stop for security news http://threatpost.com/new-mozilla-privacy-initiative-to-include-high-cap... Did the government hack a CBS journalist? Maybe. [Updated] | Ars Technica http://arstechnica.com/tech-policy/2014/11/did-the-government-hack-a-cbs... Sharyl Attkisson Changes Hacking Story Again: Now She Doesn't Know Who Did It | Blog | Media Matters for America http://mediamatters.org/blog/2014/11/05/sharyl-attkisson-changes-hacking... Australian Federal Police methods under question after 'LulzSec hacker' claims he was wrongly accused - ABC News (Australian Broadcasting Corporation) http://mobile.abc.net.au/news/2014-11-10/afp-methods-questioned-as-hacke... Hacker Emails Testing Service BrowserStack's Customers, Says Company Lied About Security | TechCrunch http://techcrunch.com/2014/11/10/hacker-emails-testing-service-browserst... gist:9b16e436e035f90ec35f https://gist.github.com/simonsarris/9b16e436e035f90ec35f Masque Attack: All Your iOS Apps Belong to Us | FireEye Blog http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-atta... DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests | WIRED http://www.wired.com/2014/11/darkhotel-malware/ FBI defends "ruse" of undercover agents posing as hotel cable guys | Ars Technica http://arstechnica.com/tech-policy/2014/11/fbi-defends-ruse-of-undercove... Only Half of USB Devices Have an Unpatchable Flaw, But No One Knows Which Half | WIRED http://www.wired.com/2014/11/badusb-only-affects-half-of-usbs/ Chinese hack U.S. weather systems, satellite network - The Washington Post http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-sate... All US Postal Service employees' personal data exposed by hackers | Ars Technica http://arstechnica.com/security/2014/11/all-us-postal-service-employees-... Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon: Kim Zetter: 9780770436179: Amazon.com: Books http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/077043617X/r... Lonely Planet 2001 Out to Eat San Francisco (Out to Eat Series): Kim Zetter, Andrew Dean Nystrom: 9781864500844: Amazon.com: Books http://www.amazon.com/Lonely-Planet-2001-Francisco-Series/dp/1864500840 Stuxnet worm infected high-profile targets before hitting Iran nukes | Ars Technica http://arstechnica.com/security/2014/11/stuxnet-worm-infected-high-profi... iPhone, Galaxy S5, Nexus 5, and Fire Phone fall like dominoes at Pwn2Own | Ars Technica http://arstechnica.com/security/2014/11/iphone-galaxy-s5-nexus-5-and-fir... Don't blame Obama, but DDoS attacks are now using his press releases | Ars Technica http://arstechnica.com/security/2014/11/dont-blame-obama-but-ddos-attack... WTF, Russia's domestic Internet traffic mysteriously passes through Chinese routers | Ars Technica http://arstechnica.com/security/2014/11/wtf-russias-domestic-internet-tr... Emoticons blast three security holes in Pidgin :-( \u2022 The Register http://www.theregister.co.uk/2014/11/10/cisco_security_bods_hunt_pidgin/ Potentially catastrophic bug bites all versions of Windows. Patch now | Ars Technica http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bit... Adobe, Microsoft Issue Critical Security Fixes - Krebs on Security http://krebsonsecurity.com/2014/11/adobe-microsoft-issue-critical-securi... thinkst.com/stuff/hitb2014/HITB_Thinkst_2014_No_notes.pdf http://thinkst.com/stuff/hitb2014/HITB_Thinkst_2014_No_notes.pdf LABJACD | Unearthed https://www.triplejunearthed.com/artist/labjacd shouldersofinfosec [licensed for non-commercial use only] / The Shoulders of InfoSec Project http://shouldersofinfosec.pbworks.com/w/page/85415119/The%20Shoulders%20...

Risky Business #344 -- Super Mario Cisco adventures

Patrick Gray — Fri, 07 Nov 2014 00:00:00 +1100

On this week's show we're chatting with Alec Stuart Muirk about some of his research into Cisco appliance security. That interview is not so much a blow by blow of the bugs he found, which were pretty devastating by the way, but more about how accessibility is a major hurdle when researching various bits of kit. As you'll hear, many security vendors are starting to release their kit as VMs, which means researchers will be more likely to poke at them. Does that mean more boneheaded bugs like the stuff he found? Well, probably. This week's show is brought to you by Bromium. In this week's sponsor interview we're chatting with Bromium's chief security architect Rahul Kashyap about some of his reflections on 2014. Well, two in particular. He says the decision of retailers to skip POS refresh programs during the US recession that began in 2008 is preeeetty much how the retail sector in the USA wound up in so much strife now. And he also shares some interesting thoughts on how standardised indicators of compromise may be turned against attack victims in 2015. Show notes Feds Arrest Alleged 'Silk Road 2\u2032 Admin, Seize Servers - Krebs on Security http://krebsonsecurity.com/2014/11/feds-arrest-alleged-silk-road-2-admin... Blake Benthall Criminal Complaint http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-Complaint Not Just Silk Road 2: Feds Seize Two Other Drug Markets and Counting | WIRED http://www.wired.com/2014/11/dark-web-seizures/ US Attorney's office: Whoops, Silk Road 2.0 hired a fed [Updated] | Ars Technica http://arstechnica.com/tech-policy/2014/11/feds-claim-silkroad-2-0-taken... Why Facebook Just Launched Its Own 'Dark Web' Site | WIRED http://www.wired.com/2014/10/facebook-tor-dark-site/ Active "WireLurker" iPhone infection ushers in new era for iOS users | Ars Technica http://arstechnica.com/security/2014/11/active-wirelurker-iphone-infecti... WireLurker Mac OS X Malware Shut Down | Threatpost | The first stop for security news http://threatpost.com/wirelurker-mac-os-x-malware-shut-down/109204 Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide - The Intercept https://firstlook.org/theintercept/2014/10/30/hacking-team/ Hacking Team Responds in Defense of Its Spyware - The Intercept https://firstlook.org/theintercept/2014/11/03/hacking-team-responds-defe... How to leak sensitive data from an isolated computer (air-gap) to a near by mobile phone - AirHopper | Cyber Security Labs @ Ben-Gurion University of the Negev http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer... Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud | Ars Technica http://arstechnica.com/security/2014/11/crypto-attack-that-hijacked-wind... Nat McHugh: How I created two images with the same MD5 hash http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-sa... Flaw in New 'Secure' Credit Cards Would Let Hackers Steal $1M Per Card | WIRED http://www.wired.com/2014/11/chip-n-pin-foreign-currency-vulnerability/ Who wants to be A MILLIONAIRE? Not so fast, Visa tells wannabe pay-by-bonk thieves \u2022 The Register http://www.theregister.co.uk/2014/11/05/visa_contactless_card_flaw/ Pirate Bay Founder Convicted on Hacking Charges, Sentenced to 3.5 Years | WIRED http://www.wired.com/2014/10/pirate-bay-founder-hacking/ Thai police question The Pirate Bay founder | Stuff.co.nz http://www.stuff.co.nz/technology/digital-living/62971785/thai-police-qu... Cell carrier was weakest link in hack of Google, Instagram accounts | Ars Technica http://arstechnica.com/security/2014/11/cell-carrier-was-weakest-link-in... Ericsson boss sticks a pin in Google's loony Loon bubble \u2022 The Register http://www.theregister.co.uk/2014/11/06/ericsson_chief_pops_googles_loon... Microsoft releases free anti-malware for Azure VMs \u2022 The Register http://www.theregister.co.uk/2014/11/06/microsoft_releases_free_antimalw... EFF: VPNs will crumble Verizon's creepy supercookie stalkers \u2022 The Register http://www.theregister.co.uk/2014/11/06/mobile_vpns_will_save_you_from_v... Feds investigate Homeland Security background checker security breach \u2022 The Register http://www.theregister.co.uk/2014/11/05/feds_investigate_dhs_background_... Russia to ban iCloud.. to PROTECT iPhone fiddlers' pics 'n' sh*t \u2022 The Register http://www.theregister.co.uk/2014/11/05/russia_set_to_ban_icloud/ Critics chafe as Macs send sensitive docs to iCloud without warning | Ars Technica http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensi... Thieves Cash Out Rewards, Points Accounts - Krebs on Security http://krebsonsecurity.com/2014/11/thieves-cash-out-rewards-points-accou... Does your phone company track you? | Ars Technica http://arstechnica.com/security/2014/11/does-your-phone-company-track-you/ Google releases "nogotofail" to detect HTTPS bugs before they bite users | Ars Technica http://arstechnica.com/security/2014/11/google-releases-nogotofail-to-de... Yosemite infested by nasty 'Rootpipe' vuln \u2022 The Register http://www.theregister.co.uk/2014/11/04/rootpipe_another_os_x_vuln/ Fatback Band - Tour http://fatbackband.com/tour.html https://ruxcon.org.au/assets/2014/slides/Breaking Bricks Ruxcon 2014.pdf https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%2020...

Risky Business #343 -- Special news guest HD Moore

Patrick Gray — Thu, 30 Oct 2014 00:00:00 +1100

This week's show is brought to you by the fine folks at BugCrowd, big thanks to them. BugCrowd CEO Casey Ellis will be along in this week's sponsor interview to talk about what's shakin' in the bounty world. And you know what? There are some interesting engagement models emerging out of the whole paid bounty scene, he's going to talk about that. We also find out that, according to Casey, bug bounty programs will get you a PCI compliance tick from an auditor, which isn't something I knew! Show notes Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine | WIRED http://www.wired.com/2014/10/verizons-perma-cookie/ Facebook, Google, and the Rise of Open Source Security Software | WIRED http://www.wired.com/2014/10/facebook-builder-osquery/ GCHQ views data without a warrant, government admits | UK news | The Guardian http://www.theguardian.com/uk-news/2014/oct/29/gchq-nsa-data-surveillance Feds identify suspected 'second leaker' for Snowden reporters - Yahoo News http://news.yahoo.com/feds-identify-suspected--second-leaker--for-snowde... NY Senator Calls for Renewed Crackdown on Dark Web Drug Sales | WIRED http://www.wired.com/2014/10/schumer-crackdown-on-dark-web-drug-sales/ Now Everyone Wants to Sell You a Magical Anonymity Router. Choose Wisely | WIRED http://www.wired.com/2014/10/anonymity-routers/ White House unclassified network hacked, apparently by Russians | Ars Technica http://arstechnica.com/tech-policy/2014/10/white-house-unclassified-netw... Research links massive cyber spying ring to Russia | Ars Technica http://arstechnica.com/security/2014/10/research-links-massive-cyber-spy... Researchers identify sophisticated Chinese cyberespionage group - The Washington Post http://www.washingtonpost.com/world/national-security/researchers-identi... Moscow, Beijing poised to sign deal on joint cyber security ops \u2022 The Register http://www.theregister.co.uk/2014/10/24/moscow_beijing_poised_to_sign_de... 'Replay' Attacks Spoof Chip Card Charges - Krebs on Security http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/ Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data | WIRED http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-s... FBI created fake Seattle Times Web page to nab bomb-threat suspect | Local News | The Seattle Times http://seattletimes.com/html/localnews/2024888170_fbinewspaper1xml.html Intel bods to detail RSA birko crypto man-in-the-middle diddle \u2022 The Register http://www.theregister.co.uk/2014/10/28/intel_bods_to_detail_rsa_crypto_... Shellshock over SMTP attacks mean you can now ignore your email \u2022 The Register http://www.theregister.co.uk/2014/10/28/shellshocked_via_email_smtp_atta... MacOS X 10.10 & FreeBSD10 ftp Remote Comand Execution - CXSecurity.com http://cxsecurity.com/issue/WLB-2014100174 Spiderbait - Run - YouTube https://www.youtube.com/watch?v=H7ociMW-_hs

Risky Business #342 -- The NSA Playset, cloud woes and more!

Patrick Gray — Fri, 24 Oct 2014 00:00:00 +1100

Despite some technical challenges we have a great show for you all this week. We'll be chatting with Mike Ryan of iSec Partners and his pal, independent hardware hacker Joe Fitzpatrick, all about the NSA Playset! It's a hobbyist project that aims to recreate all the awesome tools in the leaked NSA ANT catalogue. Such fun! We'll also be hearing a tale of cloud woe from the trenches of enterprise IT. A friend of the show had his entire global email infrastructure pulled offline by Symantec with what he says was inadequate warning. And he might just have a point there. Have a listen to the interview and make your own mind up. This week's show is brought to you by the fine folks at Websense! Websense does Web, email and data security, and this week's sponsoe guest is Neil Thacker, head of information security and strategy for Europe, middle east and africa at Websense. And he's going to tell us that DLP is back baby... it's finding new life for a few reasons... the most interesting of which, I reckon, is as a confirmation tool for detecting when a positive is most definitely not false! Show notes Palo Alto Networks boxes spray firewall creds across the net \u2022 The Register http://www.theregister.co.uk/2014/10/21/palo_alto_customers_spray_net_wi... Is your home or office internet gateway one of '1.2 MILLION' wide open to hijacking? \u2022 The Register http://www.theregister.co.uk/2014/10/22/home_router_security_threat_rapid7/ Chipmaker FTDI bricking counterfeit kit \u2022 The Register http://www.theregister.co.uk/2014/10/23/ftdi_turning_counterfeit_chips_i... Kickstarter Freezes Anonabox Privacy Router Project for Misleading Funders | WIRED http://www.wired.com/2014/10/kickstarter-suspends-anonabox/ In wake of Anonabox, more crowdsourced Tor router projects make their pitch | Ars Technica http://arstechnica.com/information-technology/2014/10/in-wake-of-anonabo... The Case of the Modified Binaries | Leviathan Security Group http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/ Google Accounts Now Support Security Keys - Krebs on Security http://krebsonsecurity.com/2014/10/google-accounts-now-support-security-... How to Stop Apple From Snooping on Your OS X Yosemite Searches | WIRED http://www.wired.com/2014/10/how-to-fix-os-x-yosemite-search/ Apple dumps SSL 3.0 for push notifications due to Poodle flaw - CNET http://www.cnet.com/news/apple-dumps-ssl-3-0-for-push-notifications-due-... Whisper CTO says tracking "anonymous" users not a big deal, really | Ars Technica http://arstechnica.com/security/2014/10/whisper-cto-says-tracking-anonym... Guns don't scare people, hackers do: Americans fear identity theft more than shooting sprees \u2022 The Register http://www.theregister.co.uk/2014/10/22/americans_more_afraid_of_identit... Obama Executive Order Forces Chip & Pin, EMV on Government | Threatpost | The first stop for security news http://threatpost.com/obama-executive-order-forces-chip-pin-payment-on-g... Xen says its security policies might be buggier than its software \u2022 The Register http://www.theregister.co.uk/2014/10/23/xen_says_its_security_policies_h... NIST Publishes Draft Hypervisor Security Guide | Threatpost | The first stop for security news https://threatpost.com/nist-publishes-draft-hypervisor-security-guide/10... Chinese APT groups targeting Australian lawyers \u2022 The Register http://www.theregister.co.uk/2014/10/21/bakers_dozen_of_apt_groups_poppi... Chinese government launches man-in-middle attack against iCloud [Updated] | Ars Technica http://arstechnica.com/security/2014/10/chinese-government-launches-man-... Quick PHP patch beats slow research reveal \u2022 The Register http://www.theregister.co.uk/2014/10/23/quick_php_patch_beats_slow_resea... DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides \u2022 The Register http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/ Cisco Patches Three-Year-Old Telnet Remote Code Execution Bug in Security Appliances | Threatpost | The first stop for security news http://threatpost.com/cisco-patches-three-year-old-telnet-remote-code-ex...

Risky Business #341 -- Beware of the poodle

Patrick Gray — Thu, 16 Oct 2014 00:00:00 +1100

In this week's show we're chatting with Matt Solnik of Accuvant Labs about his stellar presentation at Breakpoint last week. In this interview he describes how he can leverage crappy carrier management client software into full remote compromise attacks against most smartphones, including fully patched iOS8 and Android. It's savage stuff and if you work in telcoland you'd be nuts to miss it. This week's show is brought to you by tenable network security. Tenable's very own Marcus Ranum will be along in this week's sponsor interview to chime in on desktop virtualisation trends, as well as cloud, remote desktop, the browser as a terminal and enterprise computing in general. The mainframe is dead. Long live the mainframe. It's a great chat. Show notes There Is a New Security Vulnerability Named POODLE, and It Is Not Cute | WIRED http://www.wired.com/2014/10/poodle-explained/ Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack | Threatpost | The first stop for security news http://threatpost.com/browser-vendors-move-to-disable-sslv3-in-wake-of-p... Bahraini Activists Hacked by Their Government Go After UK Spyware Maker | WIRED http://www.wired.com/2014/10/bahraini-activists-go-after-spyware-source/ NSA May Have Undercover Operatives in Foreign Companies | WIRED http://www.wired.com/2014/10/nsa-may-undercover-operatives-foreign-compa... Russian 'Sandworm' Hack Has Been Spying on Foreign Governments for Years | WIRED http://www.wired.com/2014/10/russian-sandworm-hack-isight/ With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online/ Judge Rejects Defense That FBI Illegally Hacked Silk Road-On a Technicality | WIRED http://www.wired.com/2014/10/silk-road-judge-technicality/ Snapchat Can't Stop the Parasite Apps That Screw Its Users | WIRED http://www.wired.com/2014/10/snapchat-parasite-apps/ Developer of hacked Snapchat web app says "Snappening" claims are hoax [Updated] | Ars Technica http://arstechnica.com/security/2014/10/developer-of-hacked-snapchat-web... Dropbox Denies Hack, Says 'Your Stuff is Safe' | Threatpost | The first stop for security news http://threatpost.com/dropbox-denies-hack-says-your-stuff-is-safe/108824 Malware Based Credit Card Breach at Kmart - Krebs on Security http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-k... Signed Malware = Expensive "Oops" for HP - Krebs on Security http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/ Who's Watching Your WebEx? - Krebs on Security http://krebsonsecurity.com/2014/10/whos-watching-your-webex/ Doubling up on Ads Code Bounties https://www.facebook.com/notes/protect-the-graph/doubling-up-on-ads-code... Heistmeisters crack cost of safecrackers with $150 widget \u2022 The Register http://www.theregister.co.uk/2014/10/13/heistmeisters_crack_cost_of_safe... Shellshock Exploits Spreading Mayhem Botnet Malware | Threatpost | The first stop for security news http://threatpost.com/shellshock-exploits-spreading-mayhem-botnet-malwar... October 2014 Oracle Java Security Patches | Threatpost | The first stop for security news http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracl... Fixes for IE, Flash Player in October Patch Tuesday Release | Threatpost | The first stop for security news http://threatpost.com/fixes-for-ie-flash-player-in-october-patch-tuesday... Firms Detail Zero Days Targeting Windows Kernel | Threatpost | The first stop for security news http://threatpost.com/two-patched-zero-days-targeting-windows-kernel/108860 Drupal Fixes Highly Critical SQL Injection Flaw | Threatpost | The first stop for security news http://threatpost.com/drupal-fixes-highly-critical-sql-injection-flaw/10... SAP Patches Seven Vulnerabilities in Three Products | Threatpost | The first stop for security news http://threatpost.com/sap-patches-seven-vulnerabilities-in-three-product... BlackBerry 10 Open to Bug That Allows Malicious App Installation | Threatpost | The first stop for security news http://threatpost.com/blackberry-10-devices-open-to-bug-that-allows-mali... Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback http://googleonlinesecurity.blogspot.co.nz/2014/10/this-poodle-bites-exp... Speakers \xbb Breakpoint 2014 https://ruxconbreakpoint.com/speakers/#Mathew Solnik Tower Of Power - Soul Vaccination - YouTube https://www.youtube.com/watch?v=46hd6DZS0ww

Risky Business #340 -- BPX droppin' iOS8 remote jailbreaks like it "ain't no thang"

Patrick Gray — Thu, 09 Oct 2014 00:00:00 +1100

This week's show was recorded on site at the Ruxcon Breakpoint conference in Melbourne. There have been a handful of absolute jaw-droppers among the presentations here, including a demo showcasing remote code exec against *most* mobile devices, including fully patched iOS8. This week's show is brought to you by Context information security and we've got a great chat coming up with Mark Graham, Context's head of threat intelligence. He spends most of his days hip deep in data Context has gathered on APT groups, and he's seen some interesting trends. Bad guys are apparently using vendor analysis/blog posts to improve their "product", the Russians are getting in on the action and there's a renewed effort in keeping APT campaigns stealthy. Show notes Shellshock-like Vulnerability May Affect Windows | Threatpost | The first stop for security news http://threatpost.com/shellshock-like-weakness-may-affect-windows/108696 White hat claims Yahoo and WinZip hacked by "shellshock" exploiters | Ars Technica http://arstechnica.com/security/2014/10/white-hat-claims-yahoo-and-winzi... Yahoo says attack wasn't Shellshock - CNET http://www.cnet.com/news/yahoo-late-to-fix-shellshock-threat/ That Unpatchable USB Malware Now Has a Patch ... Sort Of | WIRED http://www.wired.com/2014/10/unpatchable-usb-malware-now-patchsort/ Twitter Sues the Government for Violating Its First Amendment Rights | WIRED http://www.wired.com/2014/10/twitter-sues-government/ Feds 'Hacked' Silk Road Without a Warrant? Perfectly Legal, Prosecutors Argue | WIRED http://www.wired.com/2014/10/feds-silk-road-hack-legal/ Finding a Video Poker Bug Made These Guys Rich-Then Vegas Made Them Pay | WIRED http://www.wired.com/2014/10/cheating-video-poker/ AT&T Hit By Insider Breach | Threatpost | The first stop for security news http://threatpost.com/att-hit-by-insider-breach/108705 Huge Data Leak at Largest U.S. Bond Insurer - Krebs on Security http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-in... Arbor: DDoS Attacks Getting Bigger as Reflection Increases | Threatpost | The first stop for security news http://threatpost.com/arbor-ddos-attacks-getting-bigger-as-reflection-in... Create app-specific passwords for iCloud - CNET http://www.cnet.com/how-to/how-to-create-app-specific-passwords-for-icloud/ Bugzilla Zero-Day Exposes Zero-Day Bugs - Krebs on Security http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/ Tyupkin ATM Malware Discovered by Kaspersky Lab | Threatpost | The first stop for security news http://threatpost.com/tyupkin-malware-infects-atms-in-eastern-europe/108734 Reddit-powered botnet infected thousands of Macs worldwide | Ars Technica http://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-t... FDA: Medical device cybersecurity necessary, but optional | Ars Technica http://arstechnica.com/security/2014/10/fda-medical-device-cybersecurity... Adobe's e-book reader sends your reading logs back to Adobe-in plain text [Updated] | Ars Technica http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-... October 2014, Melbourne http://www.contextis.com/events/oasis/october-2014-melbourne/ Alice Russell - Twin Peaks - YouTube https://www.youtube.com/watch?v=vySmFB_vUeg

Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock

Patrick Gray — Fri, 03 Oct 2014 00:00:00 +1000

On this week's show we're chatting with Neel Mehta, a security researcher with Google. Neel is best known for finding the Heartbleed bug, and he joins us this week to talk about Heartbleed, ShellShock, the security of SSL stacks and where he expects vuln research to go in the future. Funnily enough this is Neel's first interview about Heartbleed, so I guess we can call this a scoop! This week's show is brought to you by Bromium, makers of fine, fine exploit mitigation software. Personally I'm a real fan of Bromium's stuff. They're relatively new, but if you have a Java problem in your enterprise, as in, you have to have Java in your enterprise, Bromium has a solution for you -- they make micro-vm software that mitigates memory corruption bugs and it's actually quite good. Bromium's chief security architect Rahul Kashyap joins us this week to talk about some malvertising research he presented at the virus bulletin conference recently, and he also previews the results of Bromium's code audit. That's right, a security software company actually had their software audited! Bowl me over. The audit report will be available next week, but we get the inside scoop on that before it's out. Show notes JPMorgan hack exposed data of 83 million, among biggest breaches in history http://www.theage.com.au/business/world-business/jpmorgan-hack-exposed-d... Xen Bug Could cause Crashes, Expose Cloud Data | Threatpost | The first stop for security news http://threatpost.com/serious-hypervisor-bug-fix-causes-unexpected-cloud... Musings on the recent Xen Security Advisories | Bromium Labs http://labs.bromium.com/2014/10/01/musings-on-the-recent-xen-security-ad... Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 | Ars Technica http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-i... OpenVPN vulnerable to Shellshock Bash vulnerability | Threatpost | The first stop for security news http://threatpost.com/openvpn-vulnerable-to-shellshock-bash-vulnerabilit... Fiora\u202e\u2604anreteA on Twitter: "RT "cmd.exe #shellshock" @dakami: "this is why we can't have nice strings" http://t.co/9LPTbtVazr" https://twitter.com/FioraAeterna/status/517791046835920897 Silk Road Lawyers Poke Holes in FBI's Story - Krebs on Security http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-holes-in-fbis-... The Unpatchable Malware That Infects USBs Is Now on the Loose | WIRED http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/ Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-tr... If the information from https://www.lacoon.com/lacoon-discovers-xsser-mrat-first - Pastebin.com http://pastebin.com/Zkhpn8bG Holder urges tech companies to leave device backdoors open for police - The Washington Post http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/30/holder-urge... Cops Are Handing Out Spyware to Parents-With Zero Oversight | WIRED http://www.wired.com/2014/10/cops-giving-parents-spyware/ The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED http://www.wired.com/2014/10/stealthgenie-indictment/ CloudFlare Rolls Out Free SSL | Threatpost | The first stop for security news http://threatpost.com/cloudflare-rolls-out-free-ssl/108593 FBI to Open Up Malware Investigator Portal to External Researchers | Threatpost | The first stop for security news http://threatpost.com/fbi-to-open-up-malware-investigator-portal-to-exte... Chrome bug hunters, Google's giving you a raise - CNET http://www.cnet.com/news/chrome-bug-hunters-googles-giving-you-a-raise/ WPScan Vulnerability Database WordPress Security Resource | Threatpost | The first stop for security news http://threatpost.com/wpscan-vulnerability-database-a-new-wordpress-secu... Second Same-Origin Policy Bypass Flaw Haunts Android Browser | Threatpost | The first stop for security news http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-andro... Advertising firms struggle to kill malvertisements | Ars Technica http://arstechnica.com/security/2014/09/advertising-firms-struggle-to-ki... www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf http://www.bromium.com/sites/default/files/bromium-report-optimized-mal-... The Basics https://www.facebook.com/thebasics Leftovers | The Basics http://thebasics.bandcamp.com/album/leftovers-2

Risky Business #338 -- BASHPOCALYPSE 2014

Patrick Gray — Fri, 26 Sep 2014 00:00:00 +1000

In addition to covering the end of the world, this week's Risky Business features Don Bailey of Lab Mouse Security on his excellent IoT blog post, written largely in response to a Daily Dave post by Dave Aitel on so-called "junk hacking". This week's show is brought to you by Context Information Security, big thanks to them! And in this week's sponsor interview we chat with Context's director of research Michael Jordon about his adventures in getting old computer games to work on printer screens. It's actually pretty cool. Show notes Shell Shock: Bash bug labelled largest ever to hit the internet http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-l... Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks | WIRED http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create... The Internet Braces for the Crazy Shellshock Worm | WIRED http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/ Patching Bash Vulnerability a Challenge for ICS, SCADA | Threatpost | The first stop for security news http://threatpost.com/patching-bash-vulnerability-a-challenge-for-ics-sc... Bash Botnet Exploit Found, Bash Patches Incomplete | Threatpost | The first stop for security news http://threatpost.com/bash-exploit-reported-first-round-of-patches-incom... Mozilla Patches RSA Signature Forgery in NSS, Firefox | Threatpost | The first stop for security news http://threatpost.com/mozilla-patches-rsa-signature-forgery-in-firefox-t... Xen security bug, you say? Amazon readies GLORIOUS GLOBAL CLOUD REBOOT \u2022 The Register http://www.theregister.co.uk/2014/09/25/amazon_readies_global_glory_reboot/ Amazon forced to reboot EC2 to patch Xen bug - Storage - News - iTnews.com.au http://www.itnews.com.au/News/396180,amazon-forced-to-reboot-ec2-to-patc... Terror laws clear Senate, enabling entire Australian web to be monitored and whistleblowers to be jailed http://www.smh.com.au/digital-life/consumer-security/terror-laws-clear-s... Senate rejects attempt to limit ASIO's access to devices - Security - Telco/ISP - News - iTnews.com.au http://www.itnews.com.au/News/396179,senate-rejects-attempt-to-limit-asi... Charney on Trustworthy Computing: 'I Was the Architect of These Changes' | Threatpost | The first stop for security news http://threatpost.com/charney-on-trustworthy-computing-i-was-the-archite... Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits | WIRED http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/ Home Depot's former security architect had history of techno-sabotage | Ars Technica http://arstechnica.com/security/2014/09/home-depots-former-security-arch... Home Depot ignored security warnings for years, employees say | Ars Technica http://arstechnica.com/security/2014/09/home-depot-ignored-security-warn... MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code | WIRED http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-deman... PayPal takes second cautious step towards Bitcoin - Finance - Security - News - iTnews.com.au http://www.itnews.com.au/News/392418,paypal-takes-second-cautious-step-t... Why the Heyday of Credit Card Fraud Is Almost Over | WIRED http://www.wired.com/2014/09/emv/ Small Signs of Progress on DNSSEC | Threatpost | The first stop for security news http://threatpost.com/small-signs-of-progress-on-dnssec/108536 Microsoft Online Services Bug Bounty Program Launches | Threatpost | The first stop for security news http://threatpost.com/microsoft-starts-online-services-bug-bounty/108486 Blackphone Bug Bounty Program Launches on Bugcrowd | Threatpost | The first stop for security news http://threatpost.com/blackphone-gets-bug-bounty-program-off-ground/108468 Productivity Trumping Security as BYOD Grows | Threatpost | The first stop for security news http://threatpost.com/productivity-gains-trumping-security-as-byod-grows... Researcher Discloses Wi-Fi Thermostat Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/researcher-discloses-wi-fi-thermostat-vulnerabilit... Kali NetHunter turns Android device into hacker Swiss Army knife | Ars Technica http://arstechnica.com/information-technology/2014/09/kali-nethunter-tur... The Mouse Trap: No Thing Left Behind http://blog.securitymouse.com/2014/09/no-thing-left-behind.html [Dailydave] Junk Hacking Must Stop! https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.... Hacking Canon Pixma Printers - Doomed Encryption http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doo... Dawn LP/CD | HopeStreet Recordings http://www.hopestreetrecordings.com/releases/dawn/

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet

Patrick Gray — Fri, 19 Sep 2014 00:00:00 +1000

In this week's show we chat with The Grugq about the latest invisible.im announcement and we'll also meet the creator of the Ricochet anonymous messenger software, John Brooks. In this week's sponsor interview we chat with Senetas CTO Julian Fay about an interesting paper on defeating traffic analysis attacks against encrypted cloud storage, and also a "sign of the times" Kickstarter... a group has managed to get a weird little crypto device funded... basically a hardware crypto module. You plug your phone in on one end and your headset in on the other. They've raised over $40k, but who's going to use this? Show notes WikiLeaks - SpyFiles 4 https://wikileaks.org/spyfiles4/customers.html New Zealand secretly built spying program, report says - CNET http://www.cnet.com/news/new-zealand-secretly-built-spying-program-repor... Moment of Truth gifts Team Key a late bounce in polls - National - NZ Herald News http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11327321 'Speargun' program is fantasy, says cable operator \u2022 The Register http://www.theregister.co.uk/2014/09/16/speargun_program_is_fantasy_says... Student Freya Newman pleads guilty to hacking Frances Abbott design scholarship files | The Australian http://www.theaustralian.com.au/news/nation/student-freya-newman-pleads-... Tim Cook explains Apple's privacy policies in open letter - CNET http://www.cnet.com/news/tim-cook-explains-apples-privacy-policies-in-op... Apple takes 'very different view' on customer privacy, Cook says - CNET http://www.cnet.com/news/apple-takes-very-different-view-on-customer-pri... Apple - Privacy http://www.apple.com/privacy/ Apple transparency reports allude to Patriot Act demands - CNET http://www.cnet.com/news/apple-transparency-reports-allude-to-patriot-ac... Apple Extends Two-Factor Authentication to iCloud | Threatpost | The first stop for security news http://threatpost.com/apple-extends-two-factor-authentication-to-icloud/... Three Things Apple Can Do to Fix iCloud's Awful Security | WIRED http://www.wired.com/2014/09/three-things-apple-can-fix-iclouds-awful-se... Despite Apple's Privacy Pledge, Cops Can Still Pull Data Off a Locked iPhone | WIRED http://www.wired.com/2014/09/apple-iphone-security/ Newest Androids will join iPhones in offering default encryption, blocking police - The Washington Post http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-andr... Microsoft closing standalone Trustworthy Computing group, folding into other units - GeekWire http://www.geekwire.com/2014/microsoft-closing-standalone-trustworthy-co... Home Depot Data Breach Put 56 Million Cards at Risk | Threatpost | The first stop for security news http://threatpost.com/56-million-payment-cards-at-risk-in-home-depot-dat... POS Service Confirms Goodwill Breach Lasted 18 Months | Threatpost | The first stop for security news http://threatpost.com/pos-service-confirms-goodwill-breach-lasted-18-mon... Heartbleed to blame for Community Health Systems breach | CSO Online http://www.csoonline.com/article/2466726/data-protection/heartbleed-to-b... Announcing Keyless SSL\u2122: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cl... SNMP DDoS Attack Spoofs Google DNS Server | Threatpost | The first stop for security news http://threatpost.com/snmp-based-ddos-attack-spoofs-google-public-dns-se... OWASP Releases Latest App Sec Testing Guide | Threatpost | The first stop for security news http://threatpost.com/owasp-releases-latest-app-sec-guide/108396 \u200bInternet's security bug tracker faces its 'Y2K' moment - CNET http://www.cnet.com/news/internets-security-bug-tracker-faces-its-y2k-mo... Big Batch of Bugs Fixed in Various Versions of IDA | Threatpost | The first stop for security news http://threatpost.com/big-batch-of-bugs-fixed-in-various-versions-of-ida... iOS 8 also comes with bucket of security fixes - CNET http://www.cnet.com/news/ios-8-also-comes-with-bucket-of-security-fixes/ Android Browser flaw a "privacy disaster" for half of Android users | Ars Technica http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-d... September 2014 Adobe Reader Acrobat Patches | Threatpost | The first stop for security news http://threatpost.com/adobe-gets-delayed-reader-update-out-the-door/108310 My Social SherpaPranking My Roommate With Eerily Targeted Facebook Ads http://mysocialsherpa.com/the-ultimate-retaliation-pranking-my-roommate-... WikiLeaks posts 'weaponized malware' for all to download | ZDNet http://www.zdnet.com/astonishingly-irresponsible-wikileaks-posts-weaponi... Kiwicon CFP https://kiwicon.org/cfp2014.txt JackPair: secure your voice phone calls against wiretapping by Jeffrey Chang & the AWIT team - Kickstarter https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-p... MS and University Devs Make The Melbourne Shuffle \u2022 Cloudwards.net http://www.cloudwards.net/news/ms-and-university-devs-make-the-melbourne... Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying | WIRED http://www.wired.com/2014/09/new-encrypted-chat-program-thwarts-nsa-elim... Why I started invisible.im | Risky Business http://risky.biz/news_and_opinion/patrick-gray/2014-09-18/why-i-started-...

Why I started invisible.im

Patrick Gray — Thu, 18 Sep 2014 00:00:00 +1000

Before we get started, Ricochet *isn't* ready for mass consumption. It's a really great starting point, but it's currently unaudited and we're making some big changes to it in the next couple of months that will render it incompatible with current versions. If you're still curious, you can download the binaries anyway and have a play with it. The biggest change is a reimplementation of the comms protocol Ricochet uses to enable chats. The current protocol is a custom binary thing that John Brooks knocked together and a group decision was made to move to something based on a serialisation library like protobuf. John is working on that now under the guidance of HD Moore and The Grugq. The new protocol will basically be more resistant to attacks. We want Ricochet to be a secure tool, and we must stress that currently it is unaudited. We're planning a code-scan and an informal audit by the invisible.im team, but that hasn't been done yet. So, you know, use a VM if you're the paranoid type. We're also adding a file transfer capability. John's working full time on both of these features, which should ship around mid November. After that release we'll look at tightening up the code and shaking out security bugs. The upshot is, from around February next year you'll be able to download a reasonably secure, anonymous chat utility you can use to transfer files. You can read the Wired story for the background on Ricochet and how the invisible.im team wound up joining forces with John Brooks. But I wanted to spell out the base motivations behind the invisible.im project here in this post. I've been an information security journalist since around 2001, when I started submitting occasional infosec stories to The Age newspaper in Melbourne. I went full time with journalism in 2002, worked in the ZDNet newsroom (with a fantastic team -- James Pearce, Andrew Colley and Iain Ferguson) in 2003 before going full-time freelance. I wrote for the Fairfax papers, ZDNet, Wired, Australian Men's Style and a bunch of others, before launching the Risky Business podcast in 2007. It's been my main gig ever since. During my time in media I've seen some pretty incredible stuff. I've witnessed the rapid decline of newspapers over the last 10 years as they've succumbed to ad dollars going online. And I've also observed the effect readily accessible metadata has had on journalism. Governments used to respect the media. Not because they admired the role of the media as the fourth estate, but because they knew the media could hurt them. With the fragmentation of the media landscape, that power has been substantially diluted. It's now much more common for authorities to investigate trivial (but inconvenient) leaks -- both from the corporate and government sector -- and the Wikileaks/Manning fiasco of 2010 only served to accelerate the trend. Every time a source picks up a telephone to call a journalist, there's a record of it. Every time they email, IM, Skype or SMS a journalist, there's a record of it. Authorities can access these metadata records without court issued warrants, and they frequently do. A polite request on a letterhead is all they need. They won't be able to access the content of those communications without a warrant, but if I publish a story about a leak from the Attorney General's Department and authorities can see that I spoke to someone from AG the day prior, my source is still burned. Make no mistake: There are serious news and public interest stories that are going unreported because of this. I founded invisible.im because it solves a need that I've identified in my work -- I need sources to feel confident that they can contact me with public interest information and not be identified by a metadata trail. Because Ricochet is serverless, there's simply no third party to request metadata from. This project will, of course, also be of great benefit to non-journalists. People in oppressive regimes can use Ricochet to shield themselves from passive state surveillance. We think there's a lot of promise there, and we'd like to translate the software into languages like Farsi so ordinary people can conduct their risky conversations a little bit more safely. A lot of people will spend a lot of time asking whether invisible.im is an "NSA-proof" tool. We can't create an "NSA-proof" tool, and we're not claiming Ricochet is, despite the headline on the Wired piece that suggests otherwise. What we can do is make sure it requires difficult, time consuming, and targeted effort to identify Ricochet users' associations and intercept their chats. We'll also make retrospective identification of leakers by lesser agencies (state police, for example) more or less impossible. (Well, if they're identified it's not because they used Ricochet.) And while Ricochet may not be "NSA-proof", it certainly makes mass surveillance of its users very, very difficult. Remember that story about the GCHQ grabbing everyone's IM contact lists off the wire as they flew past? Yeah, good luck doing that with Ricochet. But what about the "tear-rists", I hear you ask? Well, we're yet to see evidence that mass surveillance has been responsible for any significant wins in the counter terrorism arena. And running Ricochet on your box isn't going to stop the NSA owning you sideways with 0day if you're a legitimate target. Once you're owned you're owned. If you're running Ricochet, the NSA (or equivalent agency) can still map out your IM contacts. But the nice thing is you have to be a target before they own you and do this to you. Until they access your machine, the only person who has your Ricochet contact list is you. Not your IM provider, not your telco. Just you. I hope this post does something to help people understand why I decided to get involved and bring together some of the smartest people I know to tackle this problem. Invisible.im is seeking to solve a real world problem -- too much metadata is accessible to too many corporate entities and government agencies. Simple, really. You can flame Patrick Gray on Twitter.

Risky Business 336 -- Too many cons

Patrick Gray — Fri, 12 Sep 2014 00:00:00 +1000

On this week's show we've got a great interview with Haroon Meer of Thinkst. Thinkst has a paid service that analysis the output of security conferences and puts together reports. Now, some of you might wonder why such a service would be needed, so let's put things in perspective: there were 2,700 conference presentations in the second quarter of this year at 116 events over 140 conference days. Yikes! Haroon will be along in a bit to talk about the conference content boom, and he's also made their latest report free for Risky Business listeners! As I say, it's part of Thinkst's paid subscription service, so you'd be nuts not to grab it. This week's show is brought to you by Tenable Network Security, thanks to the guys and gals over there. In this week's sponsor interview we're chatting with Paul Asadoorian, Tenable's product marketing manager for Nessus. Paul is also well known as the host of the security weekly podcast! It's an infosec podcast with a massive audience that you've no doubt heard of. We're chatting with Paul about embedded devices. He co-wrote a book on hacking the WRT54g home wireless gateway some years ago and he's gearing up to teach a SANS course on embedded device assessments. So yeah, Paul's going to stop by and discuss the state of all things embedded. Show notes Dread Pirate Sunk By Leaky CAPTCHA - Krebs on Security http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/ FBI's Story of Finding Silk Road's Server Sounds a Lot Like Hacking | WIRED http://www.wired.com/2014/09/fbi-silk-road-hacking-question/ Should we be worried? Showing on login page : SilkRoad http://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_be_worried_sh... Troll or thief? User claims Bitcoin founder Satoshi Nakamoto dox sabotage \u2022 The Register http://www.theregister.co.uk/2014/09/10/troll_or_thief_user_claims_satos... PayPal goes crypto-currency with Bitcoin \u2022 The Register http://www.theregister.co.uk/2014/09/11/paypal_goes_cryptocurrency_with_... Feds Threatened to Fine Yahoo $250K Daily for Not Complying With PRISM | WIRED http://www.wired.com/2014/09/feds-yahoo-fine-prism/ Five Million Email Passwords, Addresses Leak Russian Forum | Threatpost | The first stop for security news http://threatpost.com/five-million-email-passwords-addresses-appear-on-r... Home Depot Data Breach Confirmed | Threatpost | The first stop for security news http://threatpost.com/home-depot-confirms-breach-transactions-from-april... BlackPOS malware confirmed in Home Depot US hack - Security - News - iTnews.com.au http://www.itnews.com.au/News/391880,blackpos-malware-confirmed-in-home-... Apple Plans to Extend 2FA to iCloud | Threatpost | The first stop for security news http://threatpost.com/apple-plans-to-extend-2fa-to-icloud/108106 After hacking, Apple to send out more security alerts to users | Ars Technica http://arstechnica.com/security/2014/09/after-hacking-apple-to-send-out-... Barclays brings finger-vein biometrics to Internet banking | Ars Technica http://arstechnica.com/security/2014/09/barclays-brings-finger-vein-biom... Researchers find data leaks in Instagram, Grindr, OoVoo and more - CNET http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr... Salesforce Warns Customers of Dyreza Banker Trojan Attacks | Threatpost | The first stop for security news http://threatpost.com/salesforce-warns-customers-of-dyreza-banker-trojan... Traffic Networks Firm Patches Sensor Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/traffic-networks-company-patches-sensor-vulnerabil... Microsoft to patch ASP.NET mess even if you don't \u2022 The Register http://www.theregister.co.uk/2014/09/11/microsoft_kills_dangerous_aspnet... Cisco Patches Denial-of-Services Vulnerability in IMC | Threatpost | The first stop for security news http://threatpost.com/us-cert-warns-of-vulnerability-in-cisco-baseboard-... September 2014 Microsoft Patch Tuesday security bulletins | Threatpost | The first stop for security news http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175 Critical Fixes for Adobe, Microsoft Software - Krebs on Security http://krebsonsecurity.com/2014/09/critical-fixes-for-adobe-microsoft-so... Apache Warns of Tomcat Remote Code Execution Vulnerability | Threatpost | The first stop for security news http://threatpost.com/apache-warns-of-tomcat-remote-code-execution-vulne... Infamous "podcast patent" heads to trial | Ars Technica http://arstechnica.com/tech-policy/2014/09/jim-logan-says-he-invented-po... thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf http://thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf Embedded Device Security Assessments For The Rest Of Us http://www.sans.org/course/embedded-device-security-assessments

Risky Business #335 -- Whaledump hacker could change NZ government

Patrick Gray — Fri, 05 Sep 2014 00:00:00 +1000

I'm back from a two week holiday in beautiful Indonesia, so we'll be spending most of this show catching up on what I missed while I was away! So there's plenty of news to talk about with Adam Boileau, and also a chat about some very interesting politicking going on in New Zealand. A hacker going by the name of Whaledump has been dropping leaked emails and documents all over the place that are causing all sorts of headaches for the government. If that wasn't enough, Kim Dot Com has jumped into the fray... apparently he has a big reveal coming on September 15th that could change the course of the NZ election campaign. Is this the future of democracy? This week's show is brought to you by BugCrowd, big thanks to them. We'll be chatting with BugCrowd head honcho Casey Ellis all about the skills shortage in infosec, particularly in testing. People interested in a career in infosec are using platforms like BugCrowd as a proving ground, but will that pipeline be enough to satiate the demand for talent out there?

RB2: Risky Business EXTRA: Brian Snow on quantum crypto

Patrick Gray — Thu, 14 Aug 2014 00:00:00 +1000

Here is the portion of my interview with Brian Snow that I didn't have room for in the main show. Snow is concerned that quantum computing breakthroughs are closer than we think and could invalidate much of the technology we depend on to secure data.

RB2: Risky Business EXTRA: Panel recording, Splendour in the Grass

Patrick Gray — Thu, 14 Aug 2014 00:00:00 +1000

This is a recording of a panel I hosted at the Splendour in the Grass music festival forum. It features NSA whistleblower Thomas Drake, WA Greens Senator Scott Ludlam, Underground author Suelette Dreyfus and Edward Snowden's attorney Jesselyn Radack.

Risky Business #334 -- Brian Snow reflects on 34 years at NSA, Snowden

Patrick Gray — Thu, 14 Aug 2014 00:00:00 +1000

On this week's show we're having an extended chat with 34-year NSA veteran Brian Snow. During his career he rose to director level -- he acted as technical director of three divisions within the agency -- before he retired in 2006. Brian joins us to talk about the Snowden disclosures and how the NSA's culture changed post 9/11. Brian also had some great comments on quantum crypto concerns that I've broken out into a separate podcast - I've put that one in the RB2 feed along with a recording of a panel I hosted at the Splendour in the Grass music festival a few weeks ago. You can find them in the RB2 feed. This week's show is brought to you by Tenable Network Security, thanks to them, and in this week's sponsor interview we're chatting with Tenable CEO Ron Gula about continuous monitoring. Adam Boileau joins us for this week's news, as does special guest Andrew Colley. Show notes Why surveillance companies hate the iPhone - The Washington Post http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/11/why-surveil... Edward Snowden: The Untold Story | Threat Level | WIRED http://www.wired.com/2014/08/edward-snowden/#ch-1 Snowden: I Left the NSA Clues, But They Couldn't Find Them | Threat Level | WIRED http://www.wired.com/2014/08/snowden-breadcrumbs/ Blackphone DEF CON Vulnerabilities Difficult to Exploit | Threatpost | The first stop for security news http://threatpost.com/fog-lifts-on-rooted-blackphone-merry-go-round/107711 Techno-Archaeologists Used an Abandoned McDonald's to Hijack a Satellite | Motherboard http://motherboard.vice.com/read/techno-archaeologists-used-an-abandoned... Anonymous Posts St. Louis Police Dispatch Tapes From Day of Ferguson Shooting | Mother Jones http://www.motherjones.com/politics/2014/08/anonymous-releases-st-louis-... Dan Tentler (Viss) on Twitter https://twitter.com/viss Obama picks former Googler to head federal tech overhaul - CNET http://www.cnet.com/news/obama-picks-former-googler-to-head-federal-tech... Millions of PCs Affected by Mysterious Computrace Backdoor | Threatpost | The first stop for security news http://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-... Study: Uyghur Remain in Crosshairs of Targeted Attacks | Threatpost | The first stop for security news http://threatpost.com/study-confirms-uyghur-remain-in-crosshairs-of-targ... The Dole Bludger's Revenge | newmatilda.com https://newmatilda.com/2014/08/12/dole-bludgers-revenge Disqus Patches CSRF, Other Flaws in Plugin | Threatpost | The first stop for security news http://threatpost.com/disqus-patches-csrf-other-flaws-in-plugin/107738 Authentication Bypass Bug Fixed in BlackBerry Z10 | Threatpost | The first stop for security news http://threatpost.com/authentication-bypass-bug-fixed-in-blackberry-z10/... IE to Block Older ActiveX Controls, Starting with Java | Threatpost | The first stop for security news http://threatpost.com/ie-to-block-older-activex-controls-starting-with-j... Adobe, Microsoft Push Critical Security Fixes - Krebs on Security http://krebsonsecurity.com/2014/08/adobe-microsoft-push-critical-securit... Book alleges dirty National Party politics; Greens, Slater to lay complaints - National - NZ Herald News http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11308458 Q&A: Malcolm Turnbull on data retention - Networking - Security - Software - Telco/ISP - News - iTnews.com.au http://www.itnews.com.au/News/390859,qa-malcolm-turnbull-on-data-retenti... PILOTS EP | PILOTS http://pilotsmusicau.bandcamp.com/releases

Risky Business #333 -- Yahoo CISO Alex Stamos joins the show

Patrick Gray — Fri, 08 Aug 2014 00:00:00 +1000

We've got an absolute cracker of a show for you this week. I've let it run longer than usual because we've just got some great news and interviews this week. Our feature interview is with Alex Stamos, Yahoo's CISO. We hear from him on what his job looks like -- Yahoo has a billion users and its business and technology is incredibly diverse. So what has Alex been up to since he took the helm earlier this year? Tune in to find out! In this week's sponsor interview we chat with Rahul Kashyap, Bromium's Chief Security Architect. Bromium has taken a look at endpoint exploitation trends and it might surprise you to know that in 2014 there have been more public exploits for IE than for Java! Show notes Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published | netzpolitik.org https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-do... Phineas Fisher (GammaGroupPR) on Twitter https://twitter.com/gammagrouppr Leaked Files: German Spy Company Helped Bahrain Hack Arab Spring Protesters - The Intercept https://firstlook.org/theintercept/2014/08/07/leaked-files-german-spy-co... Russian Hackers Amass Over a Billion Internet Passwords - NYTimes.com http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-... Files containing 360 million credentials, 1.25 billion email addresses, located on Deep Web - SC Magazine http://www.scmagazine.com/files-containing-360-million-credentials-125-b... Q&A on the Reported Theft of 1.2B Email Accounts - Krebs on Security http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-emai... CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them | Threat Level | WIRED http://www.wired.com/2014/08/cia-0day-bounty/ Security expert calls home routers a clear and present danger | Ars Technica http://arstechnica.com/security/2014/08/security-expert-calls-home-route... Visit the Wrong Website, and the FBI Could End Up in Your Computer | Threat Level | WIRED http://www.wired.com/2014/08/operation_torpedo/ Feds' Silk Road Investigation Broke Privacy Laws, Defendant Tells Court | Threat Level | WIRED http://www.wired.com/2014/08/feds-silk-road-investigation-violated-priva... Snowden's Russia asylum extended three more years - CNET http://www.cnet.com/au/news/snowdens-russia-asylum-extended-three-more-y... Schneier on Security: The US Intelligence Community has a Third Leaker https://www.schneier.com/blog/archives/2014/08/the_us_intellig.html Terrorists embracing new Android crypto in wake of Snowden revelations | Ars Technica http://arstechnica.com/tech-policy/2014/08/terrorists-embracing-new-andr... Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins | Threat Level | WIRED http://www.wired.com/2014/08/isp-bitcoin-theft/ How Hackable Is Your Car? Consult This Handy Chart | Autopia | WIRED http://www.wired.com/2014/08/car-hacking-chart/ Watch This Wireless Hack Pop a Car's Locks in Minutes | Threat Level | WIRED http://www.wired.com/2014/08/wireless-car-hack/ Can a plane be hacked via in-flight Wi-Fi? Researcher says it's so - CNET http://www.cnet.com/au/news/can-a-plane-be-hacked-via-inflight-wi-fi-res... Yes, Hackers Could Build an iPhone Botnet-Thanks to Windows | Threat Level | WIRED http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnettha... New Site Recovers Files Locked by Cryptolocker Ransomware - Krebs on Security http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cry... In major shift, Google boosts search rankings of HTTPS-protected sites | Ars Technica http://arstechnica.com/security/2014/08/in-major-shift-google-boosts-sea... Thousands of Mozilla developers' e-mail addresses, password hashes exposed | Ars Technica http://arstechnica.com/security/2014/08/thousands-of-mozilla-developers-... Oracle Database Redaction 'Trivial to Bypass' | Threatpost | The first stop for security news http://threatpost.com/oracle-database-redaction-trivial-to-bypass/107631 Critical code execution bug in Samba gives attackers superuser powers | Ars Technica http://arstechnica.com/security/2014/08/critical-code-execution-bug-in-s... Microsoft security sandbox for IE: Still broken after all these years | Ars Technica http://arstechnica.com/security/2014/08/microsoft-security-sandbox-for-i... Help Australia's PM and attorney-general to define metadata \u2022 The Register http://www.theregister.co.uk/2014/08/06/help_australias_pm_and_attorneyg... Conservative Party Web Security http://www.joshbrodie.co.nz/2014/08/08/conservative-party-web-security.html Yahoo to begin offering PGP encryption support in Yahoo Mail service | Ars Technica http://arstechnica.com/security/2014/08/yahoo-to-begin-offering-pgp-encr... www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report... Dilo by HopeStreet Recordings on SoundCloud - Hear the world's sounds https://soundcloud.com/hopestreet-recordings/dilo?in=hopestreet-recordin...

Risky Business #332 -- Evading IDS with Multipath TCP

Patrick Gray — Fri, 01 Aug 2014 00:00:00 +1000

In this week's feature interview we're chat with Catherine Pearce of Neohapsis about some research she'll be presenting at BlackHat next week with her colleague Patrick Thomas. They're doing a talk all about Multipath TCP, and yes, it's exactly what it sounds like and yes, it's great for doing stuff like IDS evasion and confusing firewalls. In this week's sponsor interview we speak with Senetas CTO Julian Fay about the so-called BADA55 paper. Senetas is about to ship elliptic curve algos with its gear -- is it reconsidering now we know that elliptic curves can be subverted? No way! Tune in to find out why. Show notes WikiLeaks publishes court suppression order over what Julian Assange calls 'unprecedented' case of censorship | News.com.au http://www.news.com.au/technology/online/wikileaks-publishes-court-suppr... Tor security advisory: "relay early" traffic confirmation attack | The Tor Blog https://blog.torproject.org/blog/tor-security-advisory-relay-early-traff... Tor hidden services attacks deanonymize users | Threatpost | The first stop for security news http://threatpost.com/tor-sniffs-out-attacks-trying-to-deanonymize-hidde... Russia publicly joins war on Tor privacy with $111,000 bounty | Ars Technica http://arstechnica.com/security/2014/07/russia-publicly-joins-war-on-tor... Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED http://www.wired.com/2014/07/usb-security/ Dark Reading Radio: Data Loss Prevention (DLP) Fail http://www.darkreading.com/perimeter/dark-reading-radio-data-loss-prevention-(dlp)-fail/a/d-id/1297650? Your iPhone Can Finally Make Free, Encrypted Calls | Threat Level | WIRED http://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the... arxiv.org/pdf/1407.4923v1.pdf http://arxiv.org/pdf/1407.4923v1.pdf Instasheep: Coder builds tool to hijack Instagram accounts over Wi-Fi | Ars Technica http://arstechnica.com/security/2014/07/instasheep-coder-builds-tool-to-... seL4 Secure Microkernel Made Open Source | Threatpost | The first stop for security news http://threatpost.com/secure-microkernel-sel4-code-goes-open-source/107506 Hackers Plundered Israeli Defense Firms that Built 'Iron Dome' Missile Defense System - Krebs on Security http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-fir... CIA admits to spying on Senate committee - CNET http://www.cnet.com/au/news/cia-admits-to-spying-on-senate-computers/ China rebuffs Canada for 'irresponsible' hacking claims - CNET http://www.cnet.com/au/news/china-rebuffs-canada-for-irresponsible-hacki... Service Drains Competitors' Online Ad Budget - Krebs on Security http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-... The App I Used to Break Into My Neighbor's Home | Threat Level | WIRED http://www.wired.com/2014/07/keyme-let-me-break-in/ Microsoft Releases EMET 5.0 Exploit Mitigation Tool | Threatpost | The first stop for security news http://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mit... Crouching Yeti APT Campaign Stretches Back Four Years | Threatpost | The first stop for security news http://threatpost.com/crouching-yeti-apt-campaign-stretches-back-four-ye... New Backoff PoS Malware Identified in Several Attacks | Threatpost | The first stop for security news http://threatpost.com/new-backoff-pos-malware-identified-in-several-atta... Neohapsis Labs | Multipath TCP - BlackHat Briefings Teaser http://labs.neohapsis.com/2014/07/29/multipath-tcp-blackhat-briefings-te... We Never Change | Every Day Carry http://everydaycarry.bandcamp.com/track/we-never-change

Risky Business #331 -- The Tails bug that wasn't, the Tor talk that isn't

Patrick Gray — Fri, 25 Jul 2014 00:00:00 +1000

Earlier this week Twitter was abuzz with talk of a serious bug in the Tails live OS, a bootable on-a-DVD or USB device OS used by pro-democracy activists. And by pro democracy activists I mean, you know, potheads buying a few ounces on Silk Road, but whatever... Well according to the Twitters there was a Tails bug that was going to be a big deal... right? Riiight? Well, maybe not. The Grugq joins the show to discuss that, and the pulling of a scheduled BlackHat talk on Tor. This week's show is brought to you by Microsoft. Alas my interview with the scheduled MS spokesperson fell through so there's no sponsor interview this week. I'd ask you to check out Microsoft Interflow anyway though, particularly if you're in IR. Adam drops in for the week's news segment, you can find links to everything discussed here.

Risky Business #330 -- Setting the infosec agenda

Patrick Gray — Fri, 18 Jul 2014 00:00:00 +1000

On this week's show we're chatting with infosec journalist turned PR strategist Elinor Mills. For eight years Elinor wrote about security for CNet News.com, before joining Bateman group as a content and media strategist in 2012. We're chatting with Elinor about how the infosec media agenda is set. Do massive advertising, marketing and PR budgets give disproportionate media influence to companies that don't deserve it? Drum roll please... yup. Yes. Yes they do. But we'll chat to Elinor about that after the news. In this week's sponsor interview we're chatting with Holly Stewart, Microsoft's senior program manager in its malware protection centre. We're talking about coordinated malware eradication. Microsoft has launched a new program designed to attack the malware ecosystem at all levels. That means working with the ad distribution networks, online payment companies, ISPs... choke off the distribution, choke off the cash. It's a much more comprehensive approach than we've seen before and Holly will tell us how you might get involved. Show notes GCHQ's "Chinese menu" of tools spreads disinformation across Internet | Ars Technica http://arstechnica.com/security/2014/07/ghcqs-chinese-menu-of-tools-spre... JTRIG Tools and Techniques https://www.documentcloud.org/documents/1217406-jtrigall.html Journalists will face jail over spy leaks under new security laws | World news | theguardian.com http://www.theguardian.com/world/2014/jul/16/journalists-face-jail-leaks... NSA spies just LOVE swapping your sexts, says Snowden: 'It's a fringe benefit' \u2022 The Register http://www.theregister.co.uk/2014/07/17/snowden_says_analysts_swapping_s... Outside Panel Finds Over-Reliance on NSA Advice Led to Dual EC Problems | Threatpost | The first stop for security news http://threatpost.com/outside-panel-finds-over-reliance-on-nsa-advice-le... Swedish Court to Julian Assange: You're Not Going Anywhere | Threat Level | WIRED http://www.wired.com/2014/07/swedish-court-to-julian-assange-youre-not-g... Supposed 'leader' of LulzSec pleads guilty to hacking, hubris \u2022 The Register http://www.theregister.co.uk/2014/07/17/lulzsec_leaderthatwasnt_pleads_g... Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers | Threat Level | WIRED http://www.wired.com/2014/07/google-project-zero/ Yahoo Full Application Source Code Disclosure Vulnerability | Security Down! http://www.sec-down.com/wordpress/?p=440 Chinese hackers take command of Tesla Model S - CNET http://www.cnet.com/au/news/chinese-hackers-take-command-of-tesla-model-s/ Malware hidden in Chinese inventory scanners targeted logistics, shipping firms | PCWorld http://www.pcworld.com/article/2453100/malware-hidden-in-chinese-invento... China calls Apple's iPhone a national security threat - CNET http://www.cnet.com/au/news/china-calls-apples-iphone-a-national-securit... Chinese businessman charged with hacking Boeing, Lockheed Martin | Ars Technica http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-w... FBI: We found US MILITARY AIRCRAFT INTEL during raid on alleged Chinese hacker \u2022 The Register http://www.theregister.co.uk/2014/07/14/us_military_aircraft_intel_captu... How elite hackers (almost) stole the NASDAQ | Ars Technica http://arstechnica.com/security/2014/07/how-elite-hackers-almost-stole-t... Bitcoin pool GHash.io commits to 40% hashrate limit after its 51% breach | Ars Technica http://arstechnica.com/business/2014/07/bitcoin-pool-ghash-io-commits-to... "Severe" password manager attacks steal digital keys and data en masse | Ars Technica http://arstechnica.com/security/2014/07/severe-password-manager-attacks-... Mathematics makes strong case that "snoopy2" can be just fine as a password | Ars Technica http://arstechnica.com/security/2014/07/mathematics-makes-strong-case-th... DDoS attacks intensified in first half of 2014 - CNET http://www.cnet.com/au/news/ddos-attacks-intensified-in-first-half-of-2014/ Beware Keyloggers at Hotel Business Centers - Krebs on Security http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-c... Here's How Easy It Could Be for Hackers to Control Your Hotel Room | Threat Level | WIRED http://www.wired.com/2014/07/hacking-hotel-room-controls/ SSL Black List Aims to Publicize Certificates Associated With Malware | Threatpost | The first stop for security news http://threatpost.com/ssl-black-list-aims-to-publicize-certificates-asso... CNET attacked by Russian hacker group - CNET http://www.cnet.com/au/news/cnet-attacked-by-russian-hacker-group/ Microsoft: No-IP takedown cleansed 4.7m PCs - Security - News - iTnews.com.au http://www.itnews.com.au/News/389598,microsoft-no-ip-takedown-cleansed-4... Exploit emerges for LZO algo hole \u2022 The Register http://www.theregister.co.uk/2014/07/11/firefox_lzo_rce/ LibreSSL PRNG Vulnerability Patched | Threatpost | The first stop for security news http://threatpost.com/overblown-libressl-prng-vulnerability-patched/107245 Cisco Patches Wireless Residential Gateway Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/cisco-patches-wireless-residential-gateway-vulnera... Apple blocks older, risky Flash plug-ins, forcing you to upgrade - CNET http://www.cnet.com/au/news/apple-blocks-older-risky-flash-plug-ins-forc... Five Vulnerabilities Fixed in Apache Web Server | Threatpost | The first stop for security news http://threatpost.com/five-vulnerabilities-fixed-in-apache-web-server/10... Active Directory flaw allows credentials theft - Security - News - iTnews.com.au http://www.itnews.com.au/News/389747,active-directory-flaw-allows-creden... Chrome for Android Update Patches URL Spoofing Bug | Threatpost | The first stop for security news http://threatpost.com/chrome-for-android-update-fixes-critical-url-spoof... Rickroll Innocent Televisions With This Google Chromecast Hack | Threat Level | WIRED http://www.wired.com/2014/07/rickroll-innocent-televisions-with-this-goo... Win/lose Whirlywirld original.m4v - YouTube https://www.youtube.com/watch?v=8elKjPxMp98&feature=kp

Risky Business #329 -- BitCoins ARE money, Snowden seeks Russia stay

Patrick Gray — Fri, 11 Jul 2014 00:00:00 +1000

There is no feature interview in this week's show. If you tuned in last week you would have heard HD Moore and I talking about a project called Invisible.im. Well, we launched a FAQ and the Internet liked it... the Internet *really* liked it... so I've spent much of the week working on invisible.im. There's some really cool stuff happening there that I can't really talk about yet, but I can say the project has picked up a lot of interest. There's some very cool stuff happening and I'll be able to talk more about it soon. So, in this week's show we're going to have a chat about the week's infosec news with Adam Boileau, then we'll have a really interesting talk with Chris Gatford, head honcho with this week's sponsor Hacklabs. We're chatting with Chris all about the case of the public transport Victoria website receiving a "free pentest" from a 16-year-old kid. He reported a bug, didn't hear anything back after a couple of days, then went to the press. The whole thing blew up and he wound up in a bunch of hot water with the police. Anyway, the whole episode came to a conclusion this week. The kid had to sign a statement acknowledging that he'd committed a crime, but beyond that there was no further sanction. "Unsolicited pentests" are a murky, murky area. Chris joins us to chat about this case and how we might move towards some sort of consensus on how things should actually happen in these situations. Show notes Judge Shoots Down 'Bitcoin Isn't Money' Argument in Silk Road Case | Threat Level | WIRED http://www.wired.com/2014/07/silkroad-bitcoin-isnt-money/ Snowden asks for extension on Russian asylum - CNET http://www.cnet.com/au/news/snowden-asks-for-extension-on-russian-asylum/ US arrests Russian politician's son over hacking theft - Security - News - iTnews.com.au http://www.itnews.com.au/News/389424,us-arrests-russian-politicians-son-... In NSA-intercepted data, those not targeted far outnumber the foreigners who are - The Washington Post http://www.washingtonpost.com/world/national-security/in-nsa-intercepted... Latest Snowden Leaks: FBI Targeted Muslim-American Lawyers | Threat Level | WIRED http://www.wired.com/2014/07/snowden-leaks/ Researcher: I Was Suspended For Finding Flaws In FireEye Security Kit http://www.forbes.com/sites/thomasbrewster/2014/07/09/researcher-i-was-s... Google confronts more site certificate problems - CNET http://www.cnet.com/au/news/google-confronts-more-site-certificate-probl... Google blocks leaked Goldman Sachs email - Security - Software - News - iTnews.com.au http://www.itnews.com.au/News/389105,google-blocks-leaked-goldman-sachs-... Microsoft Settles With No-IP Over Malware Takedown | Threatpost | The first stop for security news http://threatpost.com/microsoft-settles-with-no-ip-over-malware-takedown... Chinese Hackers Pursue Key Data on U.S. Workers - NYTimes.com http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?hp&action=click&pgtype=Homepage&version=LedeSum&module=first-column-region\xaeion=top-news&WT.nav=top-news&_r=2 China cyberspies hit US national security think tanks - CNET http://www.cnet.com/au/news/china-cyberspies-hit-us-national-security-th... Android factory reset doesn't delete all data - CNET http://www.cnet.com/au/news/android-factory-reset-doesnt-delete-all-data/ How Google Map Hackers Can Destroy a Business at Will | Business | WIRED http://www.wired.com/2014/07/hacking-google-maps/ Aussies dodge US mobile device flight bans - Security - News - iTnews.com.au http://www.itnews.com.au/News/389388,aussies-dodge-us-mobile-device-flig... Minister defends NZ's slow migration off XP - Security - Software - News - iTnews.com.au http://www.itnews.com.au/News/389391,minister-defends-nzs-slow-migration... Oracle ends Java support for Windows XP - Security - Software - News - iTnews.com.au http://www.itnews.com.au/News/389378,oracle-ends-java-support-for-window... Brute-Forcing Botnet Sniffs Out Lax POS Systems | Threatpost | The first stop for security news http://threatpost.com/brute-forcing-botnet-sniffs-out-lax-pos-systems/10... DHS Releases Hundreds of Documents on Wrong Project Aurora | Threatpost | The first stop for security news http://threatpost.com/dhs-releases-hundreds-of-documents-on-wrong-aurora... Android Exploited to Make, End Phone Calls; Send USSD Codes | Threatpost | The first stop for security news http://threatpost.com/android-exploited-to-make-and-end-phone-calls-send... Yahoo Fixes Trio of Bugs in Mail, Messenger, Flickr | Threatpost | The first stop for security news http://threatpost.com/yahoo-fixes-trio-of-bugs-in-mail-messenger-flickr/... July 2014 Adobe Flash Player patch | Threatpost | The first stop for security news http://threatpost.com/adobe-patches-flash-vulnerability-exploited-by-ros... Microsoft July 2014 Patch Tuesday fixes 29 IE Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/microsoft-july-patch-tuesday-updates-patch-29-ie-v... The Ex-Google Hacker Taking on the World's Spy Agencies | Threat Level | WIRED http://www.wired.com/2014/07/morgan-marquis-boire-first-look-media/ Just Another Security Blog: PTV; The police, and the aftermath. http://blog.internot.info/2014/07/ptv-police-and-aftermath.html Little band scene - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Little_band_scene Dogs in Space - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Dogs_in_Space

Risky Business #328 -- HD Moore talks massive scanning and invisible.im

Patrick Gray — Fri, 04 Jul 2014 00:00:00 +1000

This week's show is brought to you by Rapid7, big, big thanks to them. This week's sponsor interview is with Rapid7's Chief Research Officer HD Moore. But you know what? One interview with HD just isn't enough, is it? So he's also joining us in the feature segment to discuss a project I'm putting together called Invisible.im. It's an instant messenger system that I designed... it feels very, very weird saying that because I suffer from acute imposter syndrome, but yeah, I designed an IM system for journalists and other privacy conscious people and HD actually made it work! He has created a prototype, and much to everyone's surprise it actually works... we're on to something, so he'll be along after the news to talk about invisible.im! Then we're going to chat with HD some more in this week's sponsor interview. The research team at Rapid7's has been doing some really interesting work on massive internet scanning. That sort of thing has become pretty trendy in the last couple of years, but the Rapid7 team have really pushed this stuff towards the cutting edge. They've also discovered some hilarious vulnerabilities out there in the process. Rapid7's Mark Schloesser will be at BlackHat to talk about their latest research, but HD joins the show today to preview it. Adam Boileau, as always, joins us for a check of the week's news headlines.

Risky Business #327 -- PayPal grounded by Flight Mode

Patrick Gray — Fri, 27 Jun 2014 00:00:00 +1000

On this week's show we're chatting with Zach Lanier of Duo Security about some work he did on bypassing PayPal's two-factor authentication. In short, PayPal's implementation had an absolute clanger of a logic bug in it that these guys were able to find. The secret sauce to the attack? Flight mode! No joke. This week's show is sponsored by Tenable Network Security, thanks to them! In this week's sponsor interview we'll hear from Tenable's Marcus Ranum about whether or not law enforcement agencies actually have their priorities straight when it comes to computer crime. Are they going after targets that most harm society? Or are they just hitting soft targets? Adam Boileau, as always, joins us to discuss the week's news headlines. Show notes are here.

Risky Business #326 -- Code Spaces, Nokia blackmailed in hacks

Patrick Gray — Fri, 20 Jun 2014 00:00:00 +1000

On this week's show we have a quick chat with The Register's Darren Pauli about XP still being bloody everywhere. You'd think organisations out there would realise how absolutely crackheaded it is to keep running XP since support ended, but nope... Even the police are happily chugging away on perennially vulnerable boxes. Great. This week's show is brought to you by BugCrowd: outsourced bug bounty programs. BugCrowd founder and CEO Casey Ellis will be along in this week's sponsor interview to talk about how you can scope a bounty program. If someone does something out of scope should you still pay? It surprised me but Casey says there's a golden rule of thumb in these circumstances -- did you change code? Then pay a bounty. We also get his thoughts on whether or not a bounty program would have turned up the bug that smashed Tweetdeck last week. Adam Boileau, as usual, joins us for the week's news headlines. Show notes here. Follow Pat on Twitter here. Follow Adam on Twitter here.

Risky Business #325 -- China's old stuff more popular than its new stuff

Patrick Gray — Fri, 13 Jun 2014 00:00:00 +1000

In this week's show we chat to The Grugq about the Chinese cyber espionage campaign unmasking that has no one talking. Unlike the unit 61398 report from Mandiant last February, CrowdStrike's unit 61486 report has really fallen flat. We'll talk to The Grugq about why that is in this week's feature interview. In this week's sponsor interview we're chatting with Ron Gula, Tenable Network Security's co-founder and CEO. OpenSSL issues have actually become a genuine pain in the ass for most enterprises, we'll get Ron's observations on that. Show notes TweetDeck Hacked-Panic (And Rickrolling) Ensues | Threat Level | WIRED http://www.wired.com/2014/06/tweetdeck-hacked/ Austrian Teen Ground Zero Of TweetDeck Hack | Threatpost | The first stop for security news http://threatpost.com/a-day-to-forget-for-teen-at-center-of-tweetdeck-sh... Personal data for Twitter founders leaked on Tor network - CNET http://www.cnet.com/au/news/personal-data-for-twitter-founders-leaked-on... Yahoo Toolbar Vulnerability Triggers Non-Exploitable XSS Payload on All Websites - The Hacker News http://thehackernews.com/2014/06/yahoo-toolbar-vulnerability-triggers_10... Gmail Bug Could Have Exposed Every User's Address | Threat Level | WIRED http://www.wired.com/2014/06/gmail-bug-could-have-exposed-every-users-ad... Feedly And Evernote Go Down As Attackers Demand Ransom [Update: Second attack brings Feedly down again] http://www.forbes.com/sites/jaymcgregor/2014/06/11/feedly-and-evernote-g... Audit Project Released Verified Repositories of TrueCrypt 7.1a | Threatpost | The first stop for security news http://threatpost.com/audit-project-releases-verified-repositories-of-tr... Alleged Oleg Pliss iPhone Hackers Arrested in Russia | Threatpost | The first stop for security news http://threatpost.com/alleged-oleg-pliss-iphone-hackers-arrested-in-russ... The Feds Are Auctioning a Small Fortune in Silk Road Bitcoins | Threat Level | WIRED http://www.wired.com/2014/06/silkroad-bitcoin-auction/ USMS Asset Forfeiture Sale http://www.usmarshals.gov/assets/2014/bitcoins/ China Putter Panda APT Attacks Linked to PLA Unit 61486 | Threatpost | The first stop for security news http://threatpost.com/attacks-against-space-satellite-companies-linked-t... China lashes out at Google, Apple for allegedly stealing state secrets - CNET http://www.cnet.com/au/news/china-lashes-out-at-google-apple-for-alleged... Inside Edward Snowden's Life as a Robot | Threat Level | WIRED http://www.wired.com/2014/06/inside-edward-snowdens-life-as-a-robot/ Cops Can't Collect Your Cell Tower Data Without a Warrant, Court Rules | Threat Level | WIRED http://www.wired.com/2014/06/cell-tower-data-requires-warrant/ Some Governments Have Backdoor Access to Listen in on Calls, Vodafone Says | Threat Level | WIRED http://www.wired.com/2014/06/vodafone-transparency-report/ Microsoft fights US warrant for customer data stored overseas - CNET http://www.cnet.com/au/news/microsoft-fights-us-warrant-for-customer-dat... Quantum Random Number Generator Created Using A Smartphone Camera - Medium https://medium.com/@arxivblog/quantum-random-number-generator-created-us... After Heartbleed, We're Overreacting to Bugs That Aren't a Big Deal | Threat Level | WIRED http://www.wired.com/2014/06/bleed/ Red Button Attack Could Compromise Smart TVs | Threatpost | The first stop for security news http://threatpost.com/red-button-attack-could-compromise-some-smart-tvs/... iOS 8 Will Randomize MAC Addresses to Help Stop Tracking | Threatpost | The first stop for security news http://threatpost.com/ios-8-will-randomize-mac-addresses-to-help-stop-tr... Google Play App Permissions Privacy, Security Concerns | Threatpost | The first stop for security news http://threatpost.com/hot-cold-reactions-to-new-google-play-app-permissi... Edit Google account permissions from an Android device - CNET http://www.cnet.com/au/how-to/edit-google-account-permissions-from-an-an... Pinkie Pie Linux Kernel Patch Available | Threatpost | The first stop for security news http://threatpost.com/debian-urging-users-patch-linux-kernel-flaw/106516 VMware Patches ESXi Against OpenSSL Flaw, But Many Other Products Still Vulnerable | Threatpost | The first stop for security news http://threatpost.com/vmware-patches-esxi-against-openssl-flaw-but-many-... Adobe, Microsoft Push Critical Security Fixes - Krebs on Security http://krebsonsecurity.com/2014/06/adobe-microsoft-push-critical-securit... Hat-tribution to PLA Unit 61486 | CrowdStrike http://www.crowdstrike.com/blog/hat-tribution-pla-unit-61486/index.html The Cat Empire - Till The Ocean Takes Us All - YouTube https://www.youtube.com/watch?v=u0hMf6pO66E&feature=kp We Love the Iraqi Information Minister http://www.welovetheiraqiinformationminister.com/

Risky Business #324 -- More SSL bugs, plus a chat with Andy Greenberg

Patrick Gray — Fri, 06 Jun 2014 00:00:00 +1000

In this week's show we're joined by Wired journalist Andy Greenberg to chat about one of his areas of interest and coverage -- underground markets and crypto currencies. We also chat to Andy about his views on post-Wikileaks leaking. Why did Snowden go to Glenn Greenwald instead of Wikileaks and what does that tell us about Wikileaks' founding philosophy? Tune in to hear all about it. In this week's sponsor interview we chat with Julian Fay, CTO of Senetas. Senetas is a publicly listed Australian company that makes awesome, awesome layer 2 encryption technology, check out their stuff at Senetas.com. Julian joins us in this week's show to talk about the demise of Truecrypt and discuss various models for ensuring quality in encryption standards and code. Show notes Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered | Threat Level | WIRED http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ss... Heartbleed Cupid Wireless Attacks Expose OpenSSL Over WPA | Threatpost | The first stop for security news http://threatpost.com/heartbleed-exploitable-over-enterprise-wireless-ne... GnuTLS Patches Critical Remote Code Execution Bug | Threatpost | The first stop for security news http://threatpost.com/gnutls-patches-critical-remote-code-execution-bug/... Google Releases End-to-End Encryption Extension | Threatpost | The first stop for security news http://threatpost.com/google-releases-end-to-end-encryption-extension/10... Google mocks the NSA with an Easter egg found in email encryption plugin - Neowin http://www.neowin.net/news/google-mocks-the-nsa-with-an-easter-egg-found... Crowdsourcing to be Part of Phase Two of TrueCrypt Audit | Threatpost | The first stop for security news http://threatpost.com/truecrypt-cryptanalysis-to-include-crowdsourcing-a... NIST Seeking Public Comment on SHA-3 Crypto Algorithm | Threatpost | The first stop for security news http://threatpost.com/nist-seeks-public-comment-on-sha-3-crypto-algorith... N.S.A. Collecting Millions of Faces From Web Images - NYTimes.com http://www.nytimes.com/2014/06/01/us/nsa-collecting-millions-of-faces-fr... Cut Off Glassholes' Wi-Fi With This Google Glass Detector | Threat Level | WIRED http://www.wired.com/2014/06/find-and-ban-glassholes-with-this-artists-g... Iranian Spies Pose as Reporters to Target Lawmakers, Defense Contractors | Threat Level | WIRED http://www.wired.com/2014/05/iranian-spying/ Dan Farmer Presents Research on IPMI Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/vulnerabilities-in-ipmi-protocol-have-long-shelf-l... Fake 'Placebo Apps' Booted From Google Play, Amazon | Threatpost | The first stop for security news http://threatpost.com/placebo-security-apps-booted-from-google-play-amaz... US disrupts $100M GameOver Zeus malware cybercrime ring - CNET http://www.cnet.com/au/news/us-disrupts-100m-gameover-zeus-malware-cyber... Spammer sprung to run Russian national payment system \u2022 The Register http://www.theregister.co.uk/2014/06/04/hacker_hired_to_build_russias_na... Hackers Infiltrate Desk Phones for Epic Office Pranks | Threat Level | WIRED http://www.wired.com/2014/06/desk-phone-hacks/ Monsanto Suffers Data Breach at Precision Planting Unit | Threatpost | The first stop for security news http://threatpost.com/monsanto-suffers-data-breach-at-precision-planting... #Operation Irongeek #opirongeek Facts: On Thursday June 5 it was learned - Pastebin.com http://pastebin.com/X9QxnX8k Apache Patches Bugs in Tomcat | Threatpost | The first stop for security news http://threatpost.com/apache-patches-dos-information-disclosure-bugs-in-... June 2014 Microsoft Patch Tuesday Security Updates | Threatpost | The first stop for security news http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch... The Perch Creek Family Jugband - The Great Unknown - YouTube https://www.youtube.com/watch?v=6on7qCRpHGY Home http://www.perchcreek.com/ True Goodbye: 'Using TrueCrypt Is Not Secure' - Krebs on Security http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-s...

Blog post: Pipes talks TrueCrypt

Patrick Gray — Fri, 30 May 2014 00:00:00 +1000

Our good buddy Mark Piper of Insomnia Security wrote up a Facebook note (seriously, who does that?) about the TrueCrypt situation. It's a little bit of FAQ with a dollop of history, sprinkled with speculation. Instead of let it languish on the social media platform of yesterday, we figured we'd give it a run at Risky Business. Here it is! TL;DR The TrueCrypt project's website was updated asserting that the software is no longer considered safe to use and is EoL (End of Life). The reason for this decision is unknown and subject to a large amount of speculation. If you're a user of TrueCrypt don't panic. It's simply time to find an alternative encryption solution to stash your data in. Introduction First of all—I'm no expert on TrueCrypt—but felt the need to write a post for some friends who are not in information security but are possibly users of the app. In a nutshell: TrueCrypt is a bit of software which can be used to encrypt files on disk. "Disk" can be many things including the whole disk (full-disk encryption), portable disks (usb keys and the like) and certain containers on disk (think of it as a portable folder). It also supports many strong encryption features which are considered complex, but wraps it all up with a useful User Interface. Before I go into what's just happened I want to briefly touch on TrueCrypts history. Some history In February 2004, TrueCrypt 1.0 was released to the world. This initial release supported Windows platforms only (98, ME, 2000 and XP). It allowed users to encrypt data on Windows platforms with a friendly UI. At the core of this release was the source code for E4M (Encryption For the Masses). It was released as a Freeware binary with with "source available" (that is to say, not strictly open source). E4M was originally developed to enhance the DriveCrypt software being developed by a company called SecurStar. The release of 1.0 quickly attracted legal action from SecurStar's owners with accusations that the software was stolen. As a result, the 1.0 release was promptly updated (1.0a) which removed support for Windows 98 and ME as a result of the E4M driver being pulled. A few months later (June 7, 2004), TrueCrypt 2.0 was released. This release included support for AES and was released under an actual Open Source license (GPLv2). This release, was again quickly updated with a new license (again, relating to E4M discussions) but set the basis for the version of TrueCrypt that we know up until today. One observation to make about this time in TrueCrypt's history is that between the 1.0 and 2.0 releases, the GPG signature used to verify disturbed binaries and source archives was changed to 0xF0D6B1E0, "The TrueCrypt Foundation". This key has been the official key used to sign all subsequent releases. What ensued over the coming years was a number of releases. While there's a lot going on during this time, there's nothing major to consider. Primarily these releases included introducing a number of features including plausible deniability (hidden volumes), cross-platform support (to include OSX and Linux), full-disk encryption support, portable mode (also referred to as traveller mode), multi-core processing support and hardware acceleration support. The last official release before today was over two years ago (7.1a on the 7th February 2012). It was, by all accounts, simply a bug-fix release. As a result of the numerous features and more importantly, user-friendly interface, TrueCrypt rapidly gained popularity. It's peak point of fame was when it was revealed that it's the product of choice for Ed Snowden in sharing the documents with Greenwald and co for his releases. It also hasn't been without some controversy. This is worth some quick exploration because previous issues may confuse the current situation. A question of integrity While TrueCrypt rapidly gained popularity, a number of debates have raged regarding it's integrity. While the debates have been many, in my mind these can be classified as two core issues. The first, is licensing. Throughout the release history of TrueCrypt (from 1.0 through to 7.1a), there has been confusion about the "Open Source" license status of the software. Given the questions around the integrity of the roots of the software (the fact that E4M was stolen) and the number of times the License has changed across releases, a number of projects and developers refused to support the adoption of TrueCrypt as a solution. The second debate regards the peer-review process and integrity of authorship. The authors of the software, while not named, have always maintained that the source is available and may be reviewed at any time. But really, this in itself carried with it two core issues: Encryption is hard to get right Really hard. It takes a long time and very specialised knowledge to be able to do a complete and throughout review of such a complex code base. So, how do we know these authors have got it right? While many have looked (for example, to see if keys are cleared from memory at appropriate times etc), there are so many places where code could go wrong (inadvertently or maliciously) and it would be hard for people to notice (for a great example of open software going wrong, look at the OpenSSL Heartbleed bug). As a result, up until very recently, TrueCrypt has not undergone what may be considered a very throughout peer review process or independent code audit. While this may not be a big deal for many software products, given the sensitive locations encryption can be used (think life or death in some countries), it is considered critical by many. People feel more comfortable storing secrets when they know the identity of the software authors There's a kind of "catch 22" to be had when authoring software designed for anonymity. As the author, you're motivation may very well be that you wish to write the software to enhance your privacy and anonymity and as such, do not want the world to know that you have written it. This can be achieved, and anonymously developed software CAN be adopted, it just depends on how it is presented to the world (see BitCoin for example). There is of course, lots of other discussion relating to TrueCrypt security. One example, for some time now, people have debated that their lack of TPM support means that the authors do not take security seriously. This is (in my mind at least) a much larger debate and one for another day. As a result of the above concerns, a crowd-funded project to conduct an audit of TrueCrypt was initiated in 2013. Details of which are over at istruecryptauditedyet.com. The 28th May 2014 Sometime on the 28th May 2014 (noticed approximately 8am on the 29th, NZST), the truecrypt.org domain started pointing to a new site instance on truecrypt.sourceforge.net. This updated site is pretty crude, and contains the following in big red text: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues It goes on to state that the page only exists to support migration from TrueCrypt to other solutions. It also states that since XP is now officially end of life, more native solutions (namely bit locker on Windows) should be adopted. The rest of the page is a set of instructions on how to migrate data from TrueCrypt to Bitlocker on Windows, FileValut on OS X and pretty much anything that works on GNU/Linux. It also hosts a new release, 7.2. This release provides read-only support for TrueCrypt volumes to assist users in the migration process. And that's all we know And that's it. This is all we know. TrueCrypt was supported and considered "secure" on the 27th May 2014 and no longer is true for either of these things as of the 28th May 2014. The 7.2 release is signed with 0xF0D6B1E0 and by all accounts is the last official drop. This wouldn't be the internet without a large number of armchair theories getting bantered around and sure enough, there are plenty. Many of these are out of this world and many are quite plausible. I do not want to go into intense debate on each of the ones I've seen and heard so far, but figured I'd drop them in here for completeness: It's just time to put the project to rest It's been over 10 years since the initial release of TrueCrypt. Supporting a software packaged used by a large number of people (potentially millions) across three platforms is a hell of an effort. As such it may be that the authors have decided to just call it a day. Retiring software is usually a fairly straight forward process but when encryption is concerned, not so much. In the western world we consider software expendable. Yet when you write encryption software (especially a package as ubiquitous as TrueCrypt) it may be used in jurisdictions by users who lives depend on it. As such, in an ideal world, encryption software is not a thing you wish to leave unmaintained and therefore potentially vulnerable for the future. An audit has found catastrophic bugs We know there's at least one co-ordinated effort to conduct a complete and comprehensive audit of key TrueCrypt parts (see istruecryptauditedyet.com). From history, we can also assert if there is one group looking at TrueCrypt for security holes, there are other groups looking. It is possible that an audit of TrueCrypt has unveiled some sort of catastrophic bug in the application. It is also possible that the developers response has been to just "give up and let it go". Maybe as a result of no longer having time to do a quality release. Maybe with the hope that someone else will pick up the project, resolve the issues and give it new life. The TrueCrypt team has been compromised People get hacked. All the time. It's a thing that happens. There is no reason why (albeit without significant effort to identify the authors first) this has not happened. As previously mentioned, on the 28th we saw 7.2 of TrueCrypt released. This release is signed with the official key (the aforementioned 0xF0D6B1E0 key). This signing does not mean that the release was signed by the TrueCrypt team, just that it is by their official key. There is always a possibility that this key has been stolen (along with other access, such as to the DNS for truecrypt.org) and used as part of an attack against TrueCrypt and the development team. Something else altogether There are of course, numerous other possibilities. It's a NSA or other IC backflip. It's always been a hoax. The developers did some bath salts and thought it would be a laugh. The list goes on and on. The reality is, the possibilities are endless and we just don't know. So now what? At this stage, it's pretty safe to assume that TrueCrypt itself is done as a project. Even if this is a hoax, or the result of a key compromise, placing faith back into a product for which many's faith was shaky to begin with is a big ask. The project is likely to be forked (it does after all, release it's source) but there are still a number of questions around licensing. So what to do? For Windows Users The TrueCrypt authors recommend migration to Bitlocker which is Microsofts native encryption solution. It has it's limitations but of course, the main concern is Windows is closed source and there is no way of verifying the integrity of Bitlocker solutions. I'm not aware of any independent audits being released regarding Bitlocker (if there is, let me know and I'll add it here). For OSX Users For full-disk encryption use File Vault 2. Do NOT upload the recovery key to iCloud. It is recommended that you use a separate user for the File Vault encryption rather than tying this to your own primary user account. It is also possible to create portable DMG files with encryption using the Disk Utility application. For Linux Users The majority of distributions support booting full-disk encryption leveraging dm-crypt. There is also eCryptfs which supports TPM. If you need a easy and quick migration, I think td-play is also worth checking out. Effectively this was a development effort to implement TrueCrypt functions but using dm-crypt as the core. You can Tweet at Pipes at @pipes.

Risky Business #323 -- Sabu, TrueCrypt march into history?

Patrick Gray — Thu, 29 May 2014 00:00:00 +1000

On this week's show we've got a great interview with Micah Lee. He works for The Intercept, the publication Glenn Greenwald set up to report on the Snowden leaks. He's developed a very simple file transfer tool for ToR called Onionshare. It's a very simple utility that has a bunch of interesting applications. This week's show is brought to you by Rapid7, thanks a bunch to the guys and gals there. Rapid7's Lee Weiner drops in to talk about how we lock down corporate security in a world where most of your users re-use their VPN passwords on every website they ever join. Show notes Lulzsec Leader and Informant 'Sabu' Let Off With Time Served | Threat Level | WIRED http://www.wired.com/2014/05/hector-monsegur-sabu-sentencing/ US states to investigate eBay security practices - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/386257,us-states-to-investigate-ebay-secur... Apple Ransomware Targeting iCloud Users Hits Australia | Threatpost | The first stop for security news http://threatpost.com/apple-ransomware-targeting-icloud-users-hits-austr... TrueCrypt Warns Software 'Not Secure,' Development Shut Down | Threatpost | The first stop for security news http://threatpost.com/ominous-warning-or-hoax-truecrypt-warns-software-n... China accuses US of 'large-scale' cyberspying - CNET http://www.cnet.com/au/news/china-accuses-us-of-large-scale-cyberspying/ China looks to Linux as Windows alternative - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/386577,china-looks-to-linux-as-windows-alt... Spotify alerts Android users to upgrade, citing breach - CNET http://www.cnet.com/au/news/spotify-alerts-android-users-to-upgrade-citi... Freedom Act passes US House, despite Silicon Valley concerns - CNET http://www.cnet.com/au/news/freedom-act-passes-us-house-despite-silicon-... House Initiates NIST-NSA Separation on Crypto Standards | Threatpost | The first stop for security news http://threatpost.com/house-committee-initiates-nist-nsa-separation-on-c... Microsoft: Ignore Unofficial XP Update Workaround http://www.darkreading.com/microsoft-ignore-unofficial-xp-update-workaro...? Avast support forum hack snags usernames, passwords - CNET http://www.cnet.com/au/news/avast-support-forum-hack-snags-usernames-pas... Complexity as the Enemy of Security - Krebs on Security http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/ HackerOne Bug Bounty Platform Lands Top Microsoft Security Expert | Threatpost | The first stop for security news http://threatpost.com/hackerone-bug-bounty-platform-lands-top-microsoft-... Pinterest Launches Bug Bounty Program | Threatpost | The first stop for security news http://threatpost.com/pinterest-launches-bug-bounty-program/106321 Darpa Turns Oculus Into a Weapon for Cyberwar | Threat Level | WIRED http://www.wired.com/2014/05/darpa-is-using-oculus-rift-to-prep-for-cybe... NZ meteorology supercomputer hacked - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/386441,nz-meteorology-supercomputer-hacked... CryptoLocker Ransomware Competitor May Have Fatal Flaw | Threatpost | The first stop for security news http://threatpost.com/cryptolocker-ransomware-competitor-may-have-fatal-... Backdoor in Call Monitoring, Surveillance Gear - Krebs on Security http://krebsonsecurity.com/2014/05/backdoor-in-call-monitoring-surveilla... micahflee/onionshare \xb7 GitHub https://github.com/micahflee/onionshare Kiwicon 8: It Is On https://www.kiwicon.org/blog/kiwicon-8-it-is-on/ LABJACD | Unearthed https://www.triplejunearthed.com/artist/labjacd

Risky Business #322 -- China charges: Just what is America doing?

Patrick Gray — Fri, 23 May 2014 00:00:00 +1000

On this week's show we've got a cracking interview with ANU Professor and former prime ministerial advisor Hugh White about the charges brought against alleged Chinese military hackers by the US Department of Justice. That one's coming up after the news. This week's show is brought to you by Tenable Network Security. Jack Daniel of Tenable stops by in this week's sponsor interview to talk about password managers in light of the eBay breach. Is it time we really started encouraging people to use them? Show notes Hackers raid eBay in historic breach, access 145 million records | Reuters http://uk.reuters.com/article/2014/05/22/uk-ebay-password-idUKKBN0E10ZL2... Expert: Fake eBay Customer List is Bitcoin Bait - Krebs on Security http://krebsonsecurity.com/2014/05/expert-fake-ebay-customer-list-is-bit... 'Blackshades' Trojan Users Had It Coming - Krebs on Security http://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/ U.S. Indictment of Chinese Hackers Could Be Awkward for the NSA | Enterprise | WIRED http://www.wired.com/2014/05/us-indictments-of-chinese-military-hackers-... USDOJ: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage http://www.justice.gov/opa/pr/2014/May/14-ag-528.html NSA reportedly installing spyware on US-made hardware - CNET http://www.cnet.com/au/news/nsa-reportedly-installing-spyware-on-us-made... China ups security checks on tech suppliers as US tensions mount - CNET http://www.cnet.com/au/news/china-ups-security-checks-on-tech-suppliers-... Why did China ban Windows 8? - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/386140,why-did-china-ban-windows-8.aspx Cisco CEO asks Obama to control NSA surveillance - CNET http://www.cnet.com/au/news/cisco-ceo-asks-obama-to-control-nsa-surveill... NSA Reform Bill Passes the House-With a Gaping Loophole | Threat Level | WIRED http://www.wired.com/2014/05/usa-freedom-act-2/ Free App Lets the Next Snowden Send Big Files Securely and Anonymously | Threat Level | WIRED http://www.wired.com/2014/05/onionshare/ Pro-Privacy Blackphone Pulls $30M Into Silent Circle | TechCrunch http://techcrunch.com/2014/05/21/silent-circle-funding/ Whistleblowers Beware: Apps Like Whisper and Secret Will Rat You Out | Business | WIRED http://www.wired.com/2014/05/whistleblowers-beware/ Secrets, lies and Snowden's email: why I was forced to shut down Lavabit | Comment is free | theguardian.com http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shu... Darkcoin, the Shadowy Cousin of Bitcoin, Is Booming | Threat Level | WIRED http://www.wired.com/2014/05/darkcoin-is-booming/ AFP arrests man over Melbourne IT hack - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/386200,afp-arrests-man-over-melbourne-it-h... SNMP DDoS Attacks Spike http://www.darkreading.com/attacks-breaches/snmp-ddos-attacks-spike/d/d-...? SNMP Public Community String Zero Day in Routers Disclosed | Threatpost | The first stop for security news http://threatpost.com/embedded-devices-leak-authentication-data-via-snmp... XMPP Mandating Encryption on Messaging Service Operators | Threatpost | The first stop for security news http://threatpost.com/xmpp-mandating-encryption-on-messaging-service-ope... Remove metadata from Office files, PDFs, and images - CNET http://www.cnet.com/au/how-to/remove-metadata-from-office-files-pdfs-and... Chip and PIN EMV Protocol security vulnerabilities found | Threatpost | The first stop for security news http://threatpost.com/researchers-find-serious-problems-in-chip-and-pin-... Privileged User Access Lacking Trust But Verify | Threatpost | The first stop for security news http://threatpost.com/enterprises-still-lax-on-privileged-user-access-co... ICS-CERT Confirms Public Utility Compromised Recently | Threatpost | The first stop for security news http://threatpost.com/ics-cert-confirms-public-utility-compromised-recen... Samsung Eyeing Iris Recognition for New Phones | Threatpost | The first stop for security news http://threatpost.com/samsung-eyeing-iris-recognition-for-new-phones/106222 Why You Should Ditch Adobe Shockwave - Krebs on Security http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/ Malvertising Redirecting to Angler EK, Silverlight Exploits | Threatpost | The first stop for security news http://threatpost.com/malvertising-redirecting-to-microsoft-silverlight-... Android Outlook App Could Expose Emails, Attachments | Threatpost | The first stop for security news http://threatpost.com/android-outlook-app-could-expose-emails-attachment... Microsoft Working on Patch for IE 8 Zero Day | Threatpost | The first stop for security news http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247 Chrome 35 Fixes 23 Security Flaws | Threatpost | The first stop for security news http://threatpost.com/chrome-35-fixes-23-security-flaws/106188 Professor Hugh White - Researchers - ANU https://researchers.anu.edu.au/researchers/white-hj 02 - Mammal - Think - YouTube https://www.youtube.com/watch?v=mCQXqHr9CwE&feature=kp

SPONSOR INTERVIEW: What's new in big data security analytics?

Patrick Gray — Mon, 19 May 2014 00:00:00 +1000

Scott Crane is Arbor Networks product manager for its Pravail line of big data security analytics division. Scott was a part of the original PacketLoop team -- PacketLoop was an Australian start up that created some pretty impressive big data security analytics technology. It was so impressive that it wound up being acquired by Arbor Networks and is now sold under the Pravail brand. Somehow the original team managed to convince Arbor to keep the bulk of the R&D on those products based right here in Australia. So you could say we're all pretty big fans of Scott and his team for scoring some runs for the home team. They've got 12 staff in Sydney, and they're growing. It's been eight months since the deal was struck, so I caught up with Scott to talk about what's new in the field of big data security analytics. And interestingly enough, the Pravail tech wound up being pretty useful lately. Because it performs packet-capture based analysis, the Pravail team could help their clients roll back through their stored packet captures to see if anyone had used the Heartbleed flaw against them. Somewhat reassuringly, the Pravail guys at Arbor did not find any evidence of Heartbleed actually being used in the wild.

SPONSOR INTERVIEW: FireEye CTO Dave Merkel

Patrick Gray — Mon, 19 May 2014 00:00:00 +1000

In this sponsor cast we're chatting with Dave Merkel, the CTO of FireEye. Dave has been around the infosec traps since the 90s -- long enough to see how things have changed. One of the things that has changed is the acknowledgement by the market that you can't really keep attackers from gaining a foothold on at least *a* device within your environment. It's the reason we're seeing a lot of gear hit the market that will help you post intrusion. I started off by asking Dave if he'd noticed this shift in thinking in the market.

PRESENTATION: AusCERT speed debate 2014

Patrick Gray — Mon, 19 May 2014 00:00:00 +1000

We're going to close out this year's coverage the way we normally do it: with a recording of the AusCERT speed debate! I was a debater this year and as you'll hear I had zero time to prepare, so my contributions are pretty lame, but there was a hell of a panel like always. The whole thing was moderated by Adam Spencer. Most of it makes no sense, some of it is funny, some of it is just stupid. Like it or loathe it, it's almost become an institution at this point so we absolutely have to include it. So here it is! The speed debate! The closing event from AusCERT 2014, I hope you enjoy it.

INTERVIEW: Peter Gutmann: The NSA isn't that organised

Patrick Gray — Mon, 19 May 2014 00:00:00 +1000

I've already podcasted Peter's presentation, but I thought a follow up interview was warranted. To cut a long story short, he does believe some crypto standards have been subverted by the NSA, but says some fears about government crypto-fiddling are misplaced. In general, he says, it's a lot easier for attackers to bypass encryption than it is for them to break it. Peter knows crypto. He's a professor at Auckland University, has written crypto libraries and even had a hand in writing PGP. I started off by asking Peter for his thoughts on the controversial dual elliptic curve number generator. Was it really backdoored by the NSA?

INTERVIEW: Dr. Jason Fox on gamification

Patrick Gray — Mon, 19 May 2014 00:00:00 +1000

On the final day of AusCERT last week delegates were treated to a fascinating talk by Dr. Jason Fox, gamification expert and author of the book The Game Changer. Jason's expertise is in finding out how to take the motivational aspects of games and apply them to work processes. We all know that sitting your staff down in a dimly lit auditorium to lecture them on spear phishing does precisely nothing to change user behaviour. But what if you made the hunt for spear phishing messages a game? I sat down with Jason Fox after his presentation and recorded this interview.

SPONSOR PODCAST: Is SNMP-geddon coming?

Patrick Gray — Fri, 16 May 2014 00:00:00 +1000

This is a sponsor interview with Marc Eisenbarth, Arbor Networks' security architect and the manager of research for its Arbor Security Engineering and Response Team (ASERT). I spoke to Mark about the massive influx of NTP-based DDoS traffic we've seen this year. Can we expect attackers to move on to other protocols and services like SNMP and Chargen? He thinks so. But it's not until we start seeing SNMP-based DDoS capabilities built into generic malware that we'll really have big problems.

SPONSOR PODCAST: How to batten down for the G20

Patrick Gray — Fri, 16 May 2014 00:00:00 +1000

This is a sponsor interview with Kate McInnes of Datacom TSS. Kate is ex-DSD and currently serves as a principal consultant with Datacom TSS in Perth. She's been doing a bunch of work with a bunch of different organisations on preparing them for the looming G20 summit in Brisbane. What do the threats look like? Where are they coming from? And what can be done about them?

PRESENTATION: Why break crypto when you can bypass it?

Patrick Gray — Fri, 16 May 2014 00:00:00 +1000

You're about to hear a recording of Peter Gutmann's speech here which is all about crypto. Well, it's sort of about crypto. With newspapers filled with stories about the NSA subverting crypto standards, Peter asks us whether that really matters. Why would an attacker bother breaking crypto when they can just bypass it? Peter is well positioned to do this talk. He's a researcher in the Department of Computer Science at the University of Auckland and works on the design and analysis of cryptographic security architectures and security usability. He helped write PGP, has authored a number of papers and RFC's on security and encryption, and is the author of the open source cryptlib security toolkit. And luckily for us, he's a fairly regular guest on Risky Business.

INTERVIEW: Klout for infosec?

Patrick Gray — Fri, 16 May 2014 00:00:00 +1000

You're about to hear my interview with Matt Jones, a security consultant who runs a small outfit named Volvent. He's been working on a very interesting side project for a couple of years now. Essentially it's a social media analyser that identifies sources of high-quality information. Users can tap in a keyword and drill through the conversations on social media that actually matter -- the conversations that influence the influencers. The project was born of Matt's desire to never have to log in to Twitter again.

INTERVIEW: Hacking supercomputers with y011

Patrick Gray — Fri, 16 May 2014 00:00:00 +1000

In this interview we're chatting with Neal Wise of Assurance.com.au. Don't let the accent fool you, Neal is based in Melbourne and has been for as long as I can remember, and he did a great talk here at the AusCERT conference called Hacking the Gibson, which was all about pwning supercomputers. I warn you in advance that there are a few references from the movie Hackers in this interview... sorry about that... HACK THE PLANET!! .... but yeah, Neal has been doing some work involving supercomputers and I decided to interview him about them. They make excellent bitcoin mining boxes!

INTERVIEW: Bob Clark on the CFAA

Patrick Gray — Fri, 16 May 2014 00:00:00 +1000

You're about to hear an interview I recorded with Bob Clark. He currently teaches law at the US Naval Academy, but he's been doing military law for a long time, even serving as the operational attorney for the US Army Cyber Command at one point. I posted his talk yesterday... he touched on the Weev vs AT&T trial in that and I thought it would be interesting to get his perspective on the CFAA, precisely because it's not the sort of thing he normally concerns himself with. He has less of an agenda than a defence attorney or a prosecutor. (If you haven't heard the episode of the regular Risky Business podcast where I had a chat with Weev and recapped that whole thing you might want to check it out because we reference it in this interview. It's here.)

SPONSOR PODCAST: David Litchfield on hacking â€˜dem databases

Patrick Gray — Thu, 15 May 2014 00:00:00 +1000

David Litchfield is a very well known researcher in the field of database security. He's been at it for over a decade, and managed to be a permanent pain in Oracle's neck since he first started dropping database 0day a million years ago. So I asked him what has changed in the field of database security. Has Oracle improved its procedures?

SPONSOR PODCAST: Attacker MOs are changing

Patrick Gray — Thu, 15 May 2014 00:00:00 +1000

In this sponsor podcast we hear from FireEye's APAC CTO Bryce Boland about the effect next generation antimalware gear is having on the modus operandi of sophisticated attackers. The possibility of burning their sweet, sweet 0days is actually turning some attackers away from well-resourced targets and towards secondary targeting; attacking their targets' partners and suppliers.

PRESENTATION: When is a cyberwar (drink!) a cyberwar (drink!)?

Patrick Gray — Thu, 15 May 2014 00:00:00 +1000

PRESENTATION: When is a cyberwar (drink!) a cyberwar (drink!)? Bob Clark returns to AusCERT\u2026 This is a recording of a presentation by Bob Clark, who these days teaches at the US Naval Academy. He has a long history as a department of defence lawyer including a stint as the counsel for the US Army Cyber Command. In this talk Bob covers some ground he has covered before -- looking at when an online action represents an act of war under the laws of armed conflict -- but also takes a look at some legal cases in the civilian world involving the CFAA.

PRESENTATION: Felix “FX” Lindner’s AusCERT keynote

Patrick Gray — Thu, 15 May 2014 00:00:00 +1000

We're going to kick things off with a recording of the opening keynote from the conference... this talk is by Felix "FX" Lindner of Recurity Labs. Felix is a very well known hacker and researcher, and his talk is titled we come in peace, they don't. As you'll hear, he's not exactly Google's number one fan. Here he is, I hope you enjoy it!

PRESENTATION: Ed Felton on security in the surveillance age

Patrick Gray — Thu, 15 May 2014 00:00:00 +1000

This is a recording of Ed Felton's plenary session from AusCERT 2014. Ed Felton is a professor of computer science and public affairs at Princeton's centre for information technology policy. From 2011 to 2012 he was the first Chief Technologist for the Federal Trade Commission. He's a very well known and highly regarded researcher and academic and he spoke at AusCERT on security in a surveilled world.

INTERVIEW: Information leaks into North Korea

Patrick Gray — Thu, 15 May 2014 00:00:00 +1000

Our coverage continues now with an interview I recorded with Olivia Maree and Dave Jorm. Olivia holds a law degree and just finished a six month stint as a community manager with BugCrowd\u2026 Dave Jorm studies geology and mathematics at UQ and has worked in the software industry for around 14 years. Some of you would remember the interview I did with Dave last year about his OSINT analysis of North Korea, I also recorded and published his AusCERT talk on that topic last year. Well, this year he returned to AusCERT with his pal Olivia Maree to do another North Korea-themed presentation. This time the pair presented a talk about the information cordon - how information gets in and out of the country. Between USB thumb drives attached to home-made air balloons to tiny radios smuggled in to the Democratic People's Republic of Korea, you'll hear that state control of information entering the country isn't what it used to be, and, you know, that's a pretty big deal. and yes, I know this isn't your typical info sec story but you all loved my interview with Dave last year so I figured you'd all want to hear about this anyway\u2026 I started off by asking Olivia how the regime seeks to control information flowing into North Korea\u2026 **************EDITOR'S NOTE: This post originally referred to Olivia Maree as a lawyer. While she has a law degree, Olivia has never worked as a lawyer or completed articles. Apologies for any confusion. The audio introduction to this interview is still incorrect and will not be updated. - PG

Risky Business 321 -- Silvio goes to Bunnings

Patrick Gray — Fri, 09 May 2014 00:00:00 +1000

On this week's show we're chatting with Silvio Cesare about his new pastime of messing around with home alarm systems, garage door remotes and car immobilisers. How secure do you think your little key ring transmitters are? Well, not very. But the interesting thing is, the tools that you need to crack these things are now very cheap -- could we see thieves roaming the streets with software defined radios, opening up your neighbourhood's garages? Tune in to find out This week's show is brought to you by HackLabs, an Australian penetration testing and security consulting firm. HackLabs head honcho Chris Gatford joins us in this week's sponsor interview to have a yarn about inadvertent disclosures. It seems every week we're reading another story about sensitive information being uploaded to a web accessible directory and indexed by Google. It's true that there's no cure for stupid, but is there anything we can do to stop these things happening? Adam Boileau, as always, joins the show to discuss the week's security news. Show notes and links to everything can be found here.

Risky Business #320 -- Hacking cars with Charlie Miller

Patrick Gray — Fri, 02 May 2014 00:00:00 +1000

On this week's show we're chatting with security researcher Charlie Miller about the work he's been doing with Chris Valasek on hacking cars. It's fun stuff, but yeah, it might make you want to go back to driving an older car. This week's show is sponsored by BugCrowd. We've got a great interview with BugCrowd founder and CEO Casey Ellis about a really, really interesting little case study he went through involving a random bug-hunter who'd tried blackmailing a BugCrowd client. The solution they came up with was ingenious and spectacularly lulzy. Show notes Microsoft fixes big IE bug -- even on Windows XP - CNET http://www.cnet.com/news/microsoft-fixes-big-ie-bug-on-windows-xp-even/ Microsoft tells IE users how to defend against zero-day bug - CNET http://www.cnet.com/news/microsoft-tells-ie-users-how-to-defend-against-... Flash Zero Day Used to Target Victims in Syria | Threatpost | The first stop for security news http://threatpost.com/flash-zero-day-used-to-target-victims-in-syria/105726 Mozilla Redesigns Firefox, Fixes Security Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/mozilla-redesigns-firefox-browser-fixes-security-v... Mozilla Offers Bug Bounty for Heartbleed-like Crypto Bugs | Threatpost | The first stop for security news http://threatpost.com/mozilla-offers-bug-bounty-for-new-certificate-veri... After Heartbleed, NSA reveals some flaws are kept secret - CNET http://www.cnet.com/news/after-heartbleed-nsa-reveals-some-flaws-are-kep... Obama Policy on Zero Days Craps Out - Forbes http://www.forbes.com/sites/jennifergranick/2014/04/29/obama-policy-on-z... Target Accelerates Chip-and-Pin Roll Out, Hires New CIO | Threatpost | The first stop for security news http://threatpost.com/target-accelerates-chip-and-pin-roll-out-hires-new... Anonymous activist pleads guilty to threatening FBI agent - CNET http://www.cnet.com/news/anonymous-activist-pleads-guilty-to-threatening... Inside the 'DarkMarket' Prototype, a Silk Road the FBI Can Never Seize | Threat Level | WIRED http://www.wired.com/2014/04/darkmarket/ It's Insanely Easy to Hack Hospital Equipment | Threat Level | WIRED http://www.wired.com/2014/04/hospital-equipment-vulnerable/ Hackers Can Mess With Traffic Lights to Jam Roads and Reroute Cars | Threat Level | WIRED http://www.wired.com/2014/04/traffic-lights-hacking/ Exploiting Facebook Notes to Launch DDoS | Threatpost | The first stop for security news http://threatpost.com/exploiting-facebook-notes-to-launch-ddos/105701 UltraDNS Dealing with DDoS Attack | Threatpost | The first stop for security news http://threatpost.com/ultradns-dealing-with-ddos-attack/105806 Vishing Attacks Targeting Dozens of Banks, Users' Card Data | Threatpost | The first stop for security news http://threatpost.com/vishing-attacks-targeting-dozens-of-banks/105774 AOL Breached, Investigating Spam from Spoofed Accounts | Threatpost | The first stop for security news http://threatpost.com/aol-investigating-breach-urges-users-to-change-pas... Apache Struts Zero Day Vulnerability Patch to be Re-Issued | Threatpost | The first stop for security news http://threatpost.com/apache-warns-of-faulty-zero-day-patch-for-struts/1... Vulnerability in Viber Allows Snooping of Images, Videos | Threatpost | The first stop for security news http://threatpost.com/vulnerability-in-viber-allows-intercept-of-images-... 60 Minutes shocked to find 8-inch floppies drive nuclear deterrent | Ars Technica http://arstechnica.com/information-technology/2014/04/60-minutes-shocked... RIP | Every Day Carry http://everydaycarry.bandcamp.com/releases

Risky Business #319 -- The one with weev in it

Patrick Gray — Thu, 24 Apr 2014 00:00:00 +1000

Please note we have disabled access to this recording. It was published before the interview subject outed himself as a committed Nazi. If you're a journalist or researcher and you'd like access to the recording, please email us and we can provide you with a copy. This week's show is brought to you by Adobe! Big thanks to Adobe for making this week's show possible. And we've got an... err... *interesting* program for you this week... we'll be chatting with Andrew Auernheimer, aka weev, about the recent appeal victory that saw him out of prison after 14 months inside. Is he going to pull his head in after his scrape with the law? He says no way! Also this week we chat with Wade Baker of Verizon Business Security Solutions about the latest Verizon Data Breach Investigation Report and the nine attack patterns they've observed from 10 years of breach data. Adam Boileau, as always, pops in to discuss the week's news headlines. Show notes are here.

Risky Business #318 -- TrueCrypt passes audit, Weev off the hook and more

Patrick Gray — Thu, 17 Apr 2014 00:00:00 +1000

It's a four day week this week and a four day next week so I'm afraid I couldn't organise feature interviews for both, so this week you're getting an extra long news section and a sponsor interview! This week's show is brought to you by Senetas, makers of fine, fine layer 2 encryption gear. If you're planning a greenfields network you have absolutely no excuse to not check out their stuff, it rocks like a banana on its back. This week we're joined by Senetas CEO Andrew Wilson in the sponsor slot. He'll be talking about a privacy act readiness survey Senetas did that yielded some genuinely depressing results. He also compares director-level attitudes to infosec to director-level attitudes to occupational health and safety issues 50 years ago. It's a really, really interesting take so do stick around for that. Show notes are here.

Risky Business #317 -- Cryptocalypse news plus Dave DeWalt interview

Patrick Gray — Fri, 11 Apr 2014 00:00:00 +1000

This week's feature guest is the man with the Midas touch -- former McAfee president and current FireEye CEO Dave DeWalt. This is the guy who sold McAfee to Intel for $7.8 billion dollars, so I chat to him about a whole bunch of topics, from his thoughts on how Intel has handled that deal, through to Snowden, to the security business overall. It's a great chat with one of the most interesting executives in this whole industry. Also this week we chat with Marcus Ranum who's in the sponsor chair on behalf of Tenable Network Security. He's along this week to look back on his very popular 2005 blog post "The six dumbest ideas in computer security". Are they still dumb? Unsurprisingly they are, but the landscape has shifted a bit. That's a great chat and it's coming up later. Adam Boileau joins the program to discuss the Heartbleed bug and some other infosec news from the last week. Show notes are here.

Risky Business #316 -- Data breach suits could have legs

Patrick Gray — Fri, 04 Apr 2014 00:00:00 +1100

On this week's show we're taking a look at the Target/Trustwave suit. A couple of banks were suing Target and its alleged security auditor Trustwave over the massive credit card data breach last year. That suit has been withdrawn, possibly temporarily, and another has been filed on behalf of some other banks. We speak with former New York assistant DA and infosec law specialist Dave Stampley about these types of suits. Do they have legs? This week we welcome a new sponsor -- Rapid7. Rapid7 is launching an interesting campaign right now to try to fix the Computer Fraud and Abuse Act (CFAA) in America. They say it's stifling research. Rapid7's global security strategist Trey Ford joins the show to fill us in on that. As news regulars Adam Boileau and The Grugq are both in Singapore for Syscan and probably nursing cripping hangovers, this week we're joined by a special guest in the news chair, Christopher Hoff. Hoff is the Vice President of Strategy for Juniper Networks' security business unit, but you may know him as Beaker on Twitter. Show notes Microsoft to Fix Word Zero Day with Final XP Patch | Threatpost | The first stop for security news http://threatpost.com/microsoft-to-fix-word-zero-day-with-final-xp-patch... Barrett Brown Signs Plea Deal in Case Involving Stratfor Hack | Threat Level | WIRED http://www.wired.com/2014/04/barrett-brown-plea-agreement/ Alleged Silk Road Founder's Lawyer Moves to Dismiss Charges Against His Client | Threat Level | WIRED http://www.wired.com/2014/04/threatlevel_0401_silkroad_motion/ Will Target's Lawsuit Finally Expose the Failings of Security Audits? | Threat Level | WIRED http://www.wired.com/2014/03/trustwave-target-audit/ Information Security | Compliance | Trustwave https://www.trustwave.com/Trustwave-Announcement/ http://www.smh.com.au/it-pro/security-it/default-password-leaves-tens-of... is not available http://www.smh.com.au/it-pro/security-it/default-password-leaves-tens-of... Cyber Tool Estimates Incident Response Cost for Businesses | Threatpost | The first stop for security news http://threatpost.com/tool-estimates-incident-response-cost-for-business... FTC Settles With Fandango, Credit Karma Over SSL Issues in Mobile Apps | Threatpost | The first stop for security news http://threatpost.com/ftc-settles-with-fandango-credit-karma-over-ssl-is... Amazon Web Services Combing Third Parties for Credentials | Threatpost | The first stop for security news http://threatpost.com/amazon-web-services-combing-third-parties-for-expo... Yahoo Encrypts Data Center Communication Links | Threatpost | The first stop for security news http://threatpost.com/yahoo-encrypts-data-center-links-boosts-other-serv... April Fools' Day prank: parents sent SMS saying school closed http://www.smh.com.au/technology/technology-news/april-fools-day-prank-p... DVR Infected with Bitcoin Mining Malware | Threatpost | The first stop for security news http://threatpost.com/dvr-infected-with-bitcoin-mining-malware/105167 Extended Random: The PHANTOM NSA-RSA backdoor that never was \u2022 The Register http://www.theregister.co.uk/2014/04/02/extended_random_nsa_rsa_bsafe/ Researcher Identifies Potential Security Issues in Tesla S | Threatpost | The first stop for security news http://threatpost.com/researcher-identifies-potential-security-issues-wi... Google DNS Intercepted in Turkey | Threatpost | The first stop for security news http://threatpost.com/google-dns-intercepted-in-turkey/105136 DOJ Pushes to Expand Hacking Abilities Against Cyber-Criminals - Law Blog - WSJ http://blogs.wsj.com/law/2014/03/27/doj-pushes-to-expand-hacking-abiliti... Watch out, journalists: Hackers are after you - CNET http://www.cnet.com/news/watch-out-journalists-hackers-are-after-you-goo... Facebook Bug Bounty Submissions Dramatically Increase | Threatpost | The first stop for security news http://threatpost.com/facebook-bug-bounty-submissions-dramatically-incre... Android Botnet Targets Middle East Banks - Krebs on Security http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-ba... Home Routers at Core of DNS-Based DDoS Amplification Attacks | Threatpost | The first stop for security news http://threatpost.com/dns-based-amplification-attacks-key-on-home-router... Patch Available for Schneider Electric Serial Modbus Driver | Threatpost | The first stop for security news http://threatpost.com/critical-vulnerabilities-patched-in-schneider-elec... Cisco Patches Denial-of-Service Vulnerabilities in IOS | Threatpost | The first stop for security news http://threatpost.com/cisco-patches-denial-of-service-vulnerabilities-in... Researchers Divulge 30 Oracle Java Cloud Service Bugs | Threatpost | The first stop for security news http://threatpost.com/researchers-divulge-30-oracle-java-cloud-service-b... Apple Fixes More Than 25 Flaws in Safari | Threatpost | The first stop for security news http://threatpost.com/apple-fixes-more-than-25-flaws-in-safari/105197 GOLDEN THREAD - Passenger featuring Matt Corby - YouTube https://www.youtube.com/watch?v=Ms0A7pXPySc&feature=kp KamberLaw | New York & California | Defending your legal rights in a digital world http://www.kamberlaw.com/ IT Security Data & Analytics, Risk Management, Compliance | Rapid7 http://www.rapid7.com/

Risky Business #315 -- Nmap's Fyodor talks FD relaunch

Patrick Gray — Fri, 28 Mar 2014 00:00:00 +1100

This week's feature interview is with nmap creator Gordon Lyon, who's probably better known by his handle: Fyodor. Last week we brought you the news that the Full Disclosure mailing list was shuttered following legal threats from someone describing themselves as a security researcher. Fyodor runs the seclists.org mailing list archive and he's decided to bring FD back from the dead. I got him on the line and asked him why. This week's show is brought to you by Bridgepoint -- a Queensland-based company that does all sorts of stuff -- systems integration, pen testing and PCI. With the G20 coming up we chat with the company's principal security consultant Michael Trott about the preparations underway. When the world shines its spotlight on Brisbane in November boy oh boy, everyone with a gripe is going to be trying to deface pretty much every website with the word "Queensland" on it. That's coming up soon. Adam Boileau, as always, joins us to discuss the week's security news headlines. Show notes are here.

Risky Business #314 -- FD closure foreshadows cyberpocalypse

Patrick Gray — Fri, 21 Mar 2014 00:00:00 +1100

On this week's show we're taking a look at some absolutely awesome research by Azimuth Security's Tarjei Mandt on the pseudo random number generators used by iOS 6 and 7. Tarjei has figured out a way to blow away iOS's memory mitigations with some very cool tricks. This week's show is sponsored by Tenable Network Security, and this week we're joined by Carlos Perez, Tenable's Director of Reverse Engineering in the sponsor slot. He heard last week's interview all about using PowerShell as a post exploitation tool, and as it turns out, he's one of the leading experts out there on using PowerShell to do sneaky stuff. So he'll be along to pretty much pick up where we left off last week. More PowerShell! That's this week's sponsor interview. Adam Boileau, as usual, joins us for the week's news headlines. Show notes are here.

Risky Business #313 -- Why you should know PowerShell

Patrick Gray — Fri, 14 Mar 2014 00:00:00 +1100

On this week's show we have a look at PowerShell, the Microsoft sorta scripting language admin thingy. As it turns out, PowerShell can be an attacker's best friend when it comes to lateral movement through a network. We'll chat with Kieran Jacobson about that in this week's feature interview. He did a cracker presentation at CrikeyCon where he demo'd owning a domain controller and dumping all its creds with something like five lines of PowerShell. I mean, there are caveats there, but wow... the demotime was food for thought. This week's show is sponsored by HackLabs. HackLabs head honcho Chris Gatford joins the program in this week's sponsor interview to have a yarn about the upcoming great XP switch of 2014. Ditching XP in your environment shouldn't be a supreme challenge, but what about specialist devices? Like the heart monitor that you can't patch but needs to be networked so you can know Mr. Jones in 14F is about to have a heart attack? Yeah, that'd be one of those intractable problems. Yay. Show notes Study Shows 'Metadata is Highly Sensitive' | Threatpost | The first stop for security news http://threatpost.com/study-shows-phone-metadata-is-highly-sensitive/104767 HTTPS Traffic Attacks Leak Sensitive Personal Details | Threatpost | The first stop for security news http://threatpost.com/new-attacks-on-https-traffic-reveal-plenty-about-y... NSA Has Been Hijacking the Botnets of Other Hackers | Threat Level | Wired.com http://www.wired.com/threatlevel/2014/03/nsa-botnet/ NSA Denies Impersonating Facebook to Exploit Targets | Threatpost | The first stop for security news http://threatpost.com/nsa-denies-impersonating-facebook-to-exploit-targe... Charitable Prelude to Pwn2Own Not Without Its Critics | Threatpost | The first stop for security news http://threatpost.com/charitable-prelude-to-pwn2own-not-without-its-crit... Vupen Cashes in Four Times at Pwn2Own 2014 | Threatpost | The first stop for security news http://threatpost.com/vupen-cashes-in-four-times-at-pwn2own/104754 Weak Early Random PRNG Threatens iOS 7 Kernel Mitigations | Threatpost | The first stop for security news http://threatpost.com/weak-random-number-generator-threatens-ios-7-kerne... Researcher Eric Filiol Withdraws CanSecWest Presentation | Threatpost | The first stop for security news http://threatpost.com/cansecwest-presenter-self-censors-risky-critical-i... 162,000 WordPress Sites Used in DDoS Attack | Threatpost | The first stop for security news http://threatpost.com/162000-wordpress-sites-used-in-ddos-attack/104745 NTP Amplification DDoS Attacks Increasing | Threatpost | The first stop for security news http://threatpost.com/ntp-amplified-ddos-attacks-on-the-rise/104741 Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records - Krebs on Security http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-servi... Energy Watering Hole Attack Used LightsOut Exploit Kit | Threatpost | The first stop for security news http://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit... Malware Analysis: The Final Frontier: LightsOut EK: "By the way... How much is the fish!?" http://malwageddon.blogspot.com.au/2013/09/unknown-ek-by-way-how-much-is... MelbourneIT stores domain passwords in cleartext - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords... How Target detected hack but failed to act -- Bloomberg | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57620289-83/how-target-detected-hack-bu... Backdoor in Samsung Galaxy Devices Could Give Attackers Access | Threatpost | The first stop for security news http://threatpost.com/backdoor-in-samsung-galaxy-devices-could-give-atta... Google Fixes Four High-Risk Flaws in Chrome Before Pwn2Own | Threatpost | The first stop for security news http://threatpost.com/google-fixes-four-high-risk-flaws-in-chrome-before... Microsoft Resolves IE Zero Day with Patch Tuesday Release | Threatpost | The first stop for security news http://threatpost.com/microsoft-closes-ie-zero-day-ships-final-xp-patch-... IE Zero Day Exploits Increase Just Before Patch | Threatpost | The first stop for security news http://threatpost.com/hackers-milk-ie-zero-day-before-patch/104713 Apple iOS 7.1 Fixes More Than 20 Code-Execution Flaws | Threatpost | The first stop for security news http://threatpost.com/apple-ios-7-1-fixes-more-than-20-code-execution-fl...

Risky Business #312 -- RSA special edition

Patrick Gray — Fri, 07 Mar 2014 00:00:00 +1100

It's a solid week for BitCoin news. The (maybe) outing of the elusive Satoshi Nakamoto, the MtGox mystery, dead exchanges and even, unfortunately, a suicide of a former BitCoin exchange CEO in Singapore. But there's been plenty of other news! Apple's gotofail bug, GnuTLS issues, more NTP amplification attacks, and of course YahooWebcamGate. You can find links to the news items discussed in this week's show here. There's also a stack of interviews in this week's podcast, including a bunch recorded in San Francisco last week. The run sheet looks like this: \t- The Grugq discussing the news headlines of the last two weeks \t- Marcus Ranum on the RSA trade floor discourse \t- RSA CEO Art Coviello on the NSA controversy \t- ACLU principal technologist Chris Soghoian \t- RSA Chief Architect Robert Griffin \t- Jack Daniel of Tenable Network Security (sponsor interview) on the "Threat Intelligence" buzzword craze

Risky Business #311 -- Does NameCoin have legs?

Patrick Gray — Thu, 20 Feb 2014 00:00:00 +1100

This week we chat with a local consultant, Mark Brand of Datacom TSS, about the general topic of authentication. We've seen some interesting cases of things going wrong with auth on consumer sources lately. The @n Twitter username hijacking, the Matt Honan disaster of 2012. Now Google's run off and bought SlickLogin, a novel approach to mobile app auth. Will that get us anywhere? And what about NameCoin -- a BitCoin protocol-derived peer-to-peer authentication scheme? I'd never heard of it, but the concept is fascinating. Mark pops by to fill us in. This week's show is brought to you by Senetas. In this week's sponsor interview we're chatting with Senetas CTO Julian Fay about some work they've been doing on their Ethernet products. As it turns out, variable frame sizes can give up too much info to an attacker, so they've worked on some neat new tech that basically forces their stuff to send fixed length frames and make sure everything stays random. Adam Boileau pops by as usual to chat about the week's security news. Show notes, including links, are here.

Risky Business #310 -- Export exploits? Wassenaar says no

Patrick Gray — Fri, 14 Feb 2014 00:00:00 +1100

On this week's show we're chatting with COSEINC's Thomas Lim about the Wassenaar Arrangement. It's basically a worldwide framework that restricts the sale of munitions and dual use technologies, and it has exploits in its sites. COSEINC is a security research company that engages in exploit development, and Lim thinks extending regulations to exploit sales is pointless. This week's show is brought to you by BugCrowd, a company that was founded in Australia but is now based in San Francisco thanks to VC investment. Bugcrowd runs outsourced bug bounties, and its founder and CEO Casey Ellis joins the show in this week's sponsor interview to talk about the latest goings on in the burgeoning bug bounty industry! Show notes Top U.S. Spy Claims 'Terrorists Are Going to School' on Snowden Leaks | Threat Level | Wired.com http://www.wired.com/threatlevel/2014/02/clapper-snowden-fallout/ Hacked X-Rays Could Slip Guns Past Airport Security | Threat Level | Wired.com http://www.wired.com/threatlevel/2014/02/tsa-airport-scanners/ Sophisticated Spy Tool 'The Mask' Rages Undetected for 7 Years | Threat Level | Wired.com http://www.wired.com/threatlevel/2014/02/mask/ Public servant Peter Nash allegedly ran drug ring from Wacol prison | The Courier-Mail http://www.couriermail.com.au/news/queensland/public-servant-peter-nash-... 400 Gbps NTP Amplification DDoS Attack Alarmingly Simple | Threatpost | The first stop for security news http://threatpost.com/400-gbps-ntp-amplification-attack-alarmingly-simpl... HVAC Vendor: Data Connection to Target was Billing System | Threatpost | The first stop for security news http://threatpost.com/hvac-integrators-billing-connection-led-to-target-... faziomechanical.com/Target-Breach-Statement.pdf http://faziomechanical.com/Target-Breach-Statement.pdf Websites of Las Vegas Sands casinos hacked, including Venetian, Palazzo on Las Vegas Strip | Star Tribune http://www.startribune.com/lifestyle/244922181.html Errata Security: That NBC story 100% fraudulent http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html#.Uv... Detecting Car Hacks | Threatpost | The first stop for security news http://threatpost.com/detecting-car-hacks/104190 illmatics.com/car_hacking.pdf http://illmatics.com/car_hacking.pdf CoinThief Bitcoin Trojan Found on Popular Download Sites | Threatpost | The first stop for security news http://threatpost.com/cointhief-bitcoin-trojan-found-on-popular-download... Bitcoin Foundation, Mt. Gox spar over purported bug | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57618646-83/bitcoin-foundation-mt-gox-s... Florida Targets High-Dollar Bitcoin Exchangers - Krebs on Security http://krebsonsecurity.com/2014/02/florida-targets-high-dollar-bitcoin-e... LinkedIn Intro Service to Shut Down March 7 | Threatpost | The first stop for security news http://threatpost.com/controversial-linkedin-intro-service-to-shut-down/... Snapchat hack spams users with smoothie photos | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57618782-83/snapchat-hack-spams-users-w... Facebook Fixes CSRF Vulnerability in Instagram | Threatpost | The first stop for security news http://threatpost.com/facebook-fixes-instagram-csrf-vulnerability-to-kee... Five OAuth Bugs Lead to Github Hack | Threatpost | The first stop for security news http://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178 Adobe Patches Shockwave, Fixes Two Vulnerabilities | Threatpost | The first stop for security news http://threatpost.com/adobe-patches-critical-vulnerabilities-in-shockwav... February 2014 Microsoft Patch Tuesday Security Bulletins | Threatpost | The first stop for security news http://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/... New IE Zero-Day Found in Watering Hole Attack | FireEye Blog http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero... Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website | FireEye Blog http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-depu... Changes to Export Control Arrangement Apply to Computer Exploits and More | Center for Internet and Society https://cyberlaw.stanford.edu/publications/changes-export-control-arrang... Bugcrowd | Managed bug bounty programs, better security testing https://bugcrowd.com/mobile-application-security Pumped Up Kicks by Hailey-Marie on SoundCloud - Hear the world's sounds https://soundcloud.com/hailey-marie-mcfadden/pumped-up-kicks

Risky Business #309 -- All your clipboards R belong 2 OJ

Patrick Gray — Fri, 07 Feb 2014 00:00:00 +1100

We're back after a nice long rest, and boy oh boy did a lot of stuff happen during the break. Adam Boileau joins the show to discuss the choicest selection of news items to emerge over the last six weeks. In this week's feature slot we chat to OJ Reeves about his work in upgrading Meterpreter, the Metasploit payload. There are some cool new features on the way, he'll clue us in on those. This week's show is brought to you by Tenable Network Security. Tenable's very own Marcus Ranum will be joining us to have a chat about security metrics in this week's sponsor interview, stick around for that. Show notes for this week's episode are here. Patrick Gray on Twitter. Adam Boileau on Twitter.

Risky Business #308 -- 2013 in review

Patrick Gray — Fri, 13 Dec 2013 00:00:00 +1100

This is the final Risky Business podcast for 2013. The show will resume its weekly schedule in February 2014. Oh, and there are still three sponsor slots left between now and July. If you're interested, drop us a line with the contact form... This week's show looks back over the key events and trends of 2013; how media focus shifted from focussing on China's cyber-espionage to the scandalous revelations of the Snowden leaks. We also take a quick look at the Silk Road bust, say goodbye to some friends and check in with Insomnia Security's Brett Moore in this week's sponsor interview.

Risky Business #307 -- So, what about that Bromium stuff?

Patrick Gray — Fri, 06 Dec 2013 00:00:00 +1100

On this week's show we speak to Bromium co-founder and CTO Simon Crosby all about its tech. We don't normally interview vendors about their technology in the feature slots, but Bromium is very interesting stuff. It's all about hardware-enabled task isolation with Xen-based micro VMs. The way they've implemented this makes it quite difficult for an attacker to gain persistence on a target machine. Simon is a very technical guy, it's a great interview and it's after the news. This week's show is brought to you by Tenable Network Security, makers of fine, fine, vulnerability scanning tools like Nessus. And in this week's sponsor interview we chat with Tenable's chief architect for the Asia Pacific region Dick Bussiere. Dick is based in Singapore, and surprisingly enough the infosec agenda there isn't being set by the Snowden leaks. So what's driving the infosec narrative in .sg? Dick joins the show with his view. Show notes $100 Million Worth of Bitcoins Stolen | Threatpost | The First Stop For Security News http://threatpost.com/thieves-covering-tracks-following-100m-bitcoin-hei... Malware jumps 'air gap' between non-networked devices | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57614442-83/malware-jumps-air-gap-betwe... Huawei reportedly decides to abandon the US market | Mobile - CNET News http://news.cnet.com/8301-1035_3-57614292-94/huawei-reportedly-decides-t... Farsnews http://english.farsnews.com/newstext.aspx?nn=13920909000362 Phone records of Australians may have been offered to foreign spy agencies http://www.smh.com.au/federal-politics/political-news/phone-records-of-a... A Few Thoughts on Cryptographic Engineering: How does the NSA break SSL? http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html SkyJack - autonomous drone hacking http://samy.pl/skyjack/ JPMorgan warns 465,000 card users on data loss after cyber attack | Reuters http://www.reuters.com/article/2013/12/05/us-jpmorgan-dataexposed-idUSBR... Researchers discover database with 2M stolen login credentials | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57614479-83/researchers-discover-databa... New Dexter Point-of-Sale Malware Campaigns Discovered | Threatpost | The First Stop For Security News http://threatpost.com/new-dexter-point-of-sale-malware-campaigns-discove... Google Nexus phones reportedly susceptible to SMS attacks | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57614074-83/google-nexus-phones-reporte... Bad apps bypasses Android locks - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/366459,bad-apps-bypasses-android-locks... IE Reflective Cross-Site Scripting Filter Bypass Discovered | Threatpost | The First Stop For Security News http://threatpost.com/bypass-of-internet-explorer-cross-site-scripting-f... TIFF Zero Day Patch Among December 2013 Microsoft updates | Threatpost | The First Stop For Security News http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-yea... VMware Patches Fix Privilege Escalation Vulnerability | Threatpost | The First Stop For Security News http://threatpost.com/vmware-patches-privilege-escalation-vulnerability/... PM - Discovery of more than one whistleblower in East Timor bugging case 05/12/2013 http://www.abc.net.au/pm/content/2013/s3905928.htm Fact Sheet- Online news sites to be placed on a more consistent licensing framework http://www.mda.gov.sg/NewsAndEvents/PressRelease/2013/Pages/28052013.aspx

Risky Business #306 -- Healthcare.gov. Yes. It's that bad.

Patrick Gray — Fri, 29 Nov 2013 00:00:00 +1100

In this week's show we speak with TrustedSec CEO Dave Kennedy about his testimony to the US congress about the Obama administration's healthcare.gov website. It cost over $600m and it's riddled with infosec 101 bugs. We find out just how bad it is and what can be done about it. This week's show is brought to you by Senetas, makers of fine, fine layer 2 encryption software. In this week's sponsor interview we speak with Senetas CTO and co-founder Julian Fay about the sudden popularity of the layer 2 crypto gear they've been selling for something like 15 years. Have the Snowden revelations actually changed things for encryption companies? Julian says yes, big time, in a tangible way. Adam Boileau, as always, joins us for a discussion of the week's security news headlines. Links to the news items discussed, plus some other stuff, can be found here.

Risky Business #305 -- Secure, anonymous IM not a pipe dream

Patrick Gray — Fri, 22 Nov 2013 00:00:00 +1100

On this week's show, can you have your cake and eat it too? Is it possible to build a usable instant messenger platform that is secure and immune to traffic and metadata analysis? We speak with international man of mystery The Grugq all about creating a platform that ticks these boxes. As it turns out, it can be done. So goodbye Yahoo, MSN, AOL and Skype... hello to something completely new! This week's show is brought to you by Tenable Network Security! In this week's sponsor interview we chat with Jeffrey Man of Tenable about why using point to point encryption to dodge PCI scope is an awful idea. Adam Boileau, as always, stops by to chat about the week's news. Show notes, including links to the week's news items, can be found here.

Risky Business #304 -- Tech heavyweights target NSA

Patrick Gray — Fri, 15 Nov 2013 00:00:00 +1100

In this week's show Adam Boileau and I take a look at the technology industry's latest response to the Snowden revelations. The pushback is definitely gaining momentum. This week's show is brought to you by Tenable Network Security, big thanks to them. And this week's sponsor interview is with Tenable's very own Jack Daniel We're chatting to him about the bad patches that have been dispatched from Redmond lately. It's been a long time since we've seen dud patches out of Microsoft, but lately, boy, there have been a few. Will you need to change your operating procedures over this? Stay tuned to find out. Show notes Google's Eric Schmidt calls NSA's spying 'outrageous' | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57610710-83/googles-eric-schmidt-calls-... Microsoft may ramp up encryption of customer data post-Snowden - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/363998,microsoft-may-ramp-up-encryptio... HTTP/2 Supports only HTTPS URIs | Threatpost | The First Stop For Security News http://threatpost.com/http2-chair-says-protocol-will-work-only-with-http... NIST Reviews Crypto Standards Development | Threatpost | The First Stop For Security News http://threatpost.com/nist-initiates-review-of-its-crypto-standards-deve... Google: We're bombarded by gov't requests on user data | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57612322-83/google-were-bombarded-by-go... Microsoft, Facebook unite for Internet Bug Bounty program | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57611325-83/microsoft-facebook-unite-fo... Microsoft Changes Bug Bounty Program to Include Incident Responders, Forensics Specialists | Threatpost | The First Stop For Security News http://threatpost.com/microsoft-changes-bug-bounty-program-to-include-in... In Lavabit Appeal, U.S. Doubles Down on Access to Web Crypto Keys | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/11/lavabit-doj/ NSA workers reportedly shared their passwords with Snowden | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57611528-83/nsa-workers-reportedly-shar... White House reportedly considers civilian NSA chief | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57611652-83/white-house-reportedly-cons... British Spies Hacked Telecom Network by Feeding Engineers Fake LinkedIn Pages | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/11/british-spies-hacked-telecom/ Power Plants and Other Vital Systems Are Totally Exposed on the Internet | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/11/internet-exposed/ iOS, Samsung apps popped at Pwn2Own - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/364113,ios-samsung-apps-popped-at-pwn2... MacRumors Forums Hacked, Passwords Stolen | Threatpost | The First Stop For Security News http://threatpost.com/macrumors-forums-hacker-says-passwords-wont-be-lea... Vice.com hacked by Syrian Electronic Army - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/364015,vicecom-hacked-by-syrian-electr... millions stolen in Bitcoin heist | Threatpost | The First Stop For Security News http://threatpost.com/attackers-lift-1-2m-from-bitcoin-wallet-service/10... Bitcoin Selfish Miners | Threatpost | The First Stop For Security News http://threatpost.com/selfish-miners-could-exploit-p2p-nature-of-bitcoin... Pen test firms Securus Global, Hacklabs to merge - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/363334,pen-test-firms-securus-global-h... Microsoft Warns Customers Away From RC4, SHA-1 | Threatpost | The First Stop For Security News http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/... New zero-day bug targets IE users in drive-by attack | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57611691-83/new-zero-day-bug-targets-ie... November 2013 Adobe Flash, ColdFusion security patches | Threatpost | The First Stop For Security News http://threatpost.com/adobe-patches-flash-coldfusion-flaws-unrelated-to-... New security holes found in D-Link router | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57611824-83/new-security-holes-found-in... OpenSSH Fixes Memory Corruption Bug With Update | Threatpost | The First Stop For Security News http://threatpost.com/openssh-fixes-memory-corruption-bug-with-update/10... Windows XP End of Life a Security Milestone | Threatpost | The First Stop For Security News http://threatpost.com/microsoft-xp-end-of-life-an-important-security-mil... Super Micro IPMI zero-day vulnerabilities disclosed | Threatpost | The First Stop For Security News http://threatpost.com/seven-ipmi-firmware-zero-days-disclosed/102848 Cisco Fixes Blank Admin Password Flaw in TelePresence Product | Threatpost | The First Stop For Security News http://threatpost.com/cisco-fixes-blank-admin-password-flaw-in-teleprese... ANZ Falcon 24 7 Credit Card Security - YouTube http://www.youtube.com/watch?v=0dYhc4ciqEo PILOTS - Artist - triple j Unearthed - free music | new Australian music | independent music http://www.triplejunearthed.com/PILOTS , Yes, you are really back. That is the attitude we all want to have right there. - James Cullem

Risky Business #303 -- The one with John McAfee

Patrick Gray — Fri, 01 Nov 2013 00:00:00 +1100

In this week's show we chat to McAfee antivirus founder John McAfee about his D-Central project and touch on the events of the last 12 months. Is he funny "ha ha" or funny "look out"? Have a listen, judge for yourself. This week's show is brought to you by Context Information Security, and we've got a great sponsor chat with Context's Alex Chapman this week about an evaluation they did on mobile platforms and MDM solutions for the Communications-Electronics Security Group, the part of GCHQ that handles the defensive side of things. Does Android suck as badly as everyone thinks it does? Is Good for Enterprise... umm... good for the enterprise? Adam Boileau, as always, stops in for the week's news headlines. Show notes, including links to the items discussed, can be found here.

Risky Business #302 -- Poking the FireEye

Patrick Gray — Fri, 25 Oct 2013 00:00:00 +1100

This week's show was recorded at the Ruxcon Breakpoint security conference at the Intercontinental Hotel in Melbourne. So this week's feature interview is a chat with Jonathan Brossard of Toucan Security, we're talking to him about his presentation on bypassing and generally messing with sandbox malware scanners. Poking the FireEye! That's a fun chat. This week's show is brought to you by HackLabs, the Australian penetration testing firm. So in this week's sponsor interview we chat with HackLabs head honcho Chris Gatford about an early implementation of an over-the-'net NFC authentication scheme developed by IBM Switzerland. Will it catch on? That's coming up a bit later. Show notes Intelligence chief: Le Monde's allegations against NSA 'false' | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57608909-83/intelligence-chief-le-monde... German chancellor Angela Merkel says US spying is an unacceptable breach of trust - ABC News (Australian Broadcasting Corporation): http://www.abc.net.au/news/2013-10-25/angela-merkel-obama-nsa-spying-spi... Inside Julian Assange's Alleged Plot to Steal The Fifth Estate Book | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/assange-house/ LinkedIn Intro App a Man in the Middle Attack | Threatpost | The First Stop For Security News: http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle... DARPA Cyber Grand Challenge Offers $2M to Winners | Threatpost | The First Stop For Security News: http://threatpost.com/darpa-contest-to-pay-2m-for-automated-network-defe... Google Ideas aids online rebels with digital defenses | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57608525-83/google-ideas-aids-online-re... Real-world 'Do Not Track' coming to retail stores | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57608726-83/real-world-do-not-track-com... FBstalker Does Data Mining on Facebook Graph Search | Threatpost | The First Stop For Security News: http://threatpost.com/fbstalker-automates-facebook-graph-search-data-min... Experian Sold Consumer Data to ID Theft Service - Krebs on Security: http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-the... Apple reasserts claim it doesn't want to spy on your iMessages | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57608139-83/apple-reasserts-claim-it-do... Snoopy Project mobile tracking and intelligence grows up | Threatpost | The First Stop For Security News: http://threatpost.com/snoopy-mobile-tracking-profiling-project-gets-a-bo... 7 Eastern Europeans Indicted in Multimillion-Dollar eBay Fraud Scheme | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/romanians-indicted-cyber-fraud/ Report: UN Nuclear Regulator Infected with Malware | Threatpost | The First Stop For Security News: http://threatpost.com/report-un-nuclear-regulator-infected-with-malware/... Safari matches rivals with sandboxed Flash for better security | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57609053-83/safari-matches-rivals-with-... Months Later, EAS Equipment Still Vulnerable to SSH Bugs | Threatpost | The First Stop For Security News: http://threatpost.com/months-later-eas-equipment-still-vulnerable/102647 Google, FireEye Demand Change from Vulna Ad Network | Threatpost | The First Stop For Security News: http://threatpost.com/overzealous-android-vulna-ad-network-put-in-its-pl... ProSoft Technology RadioLinx ControlScape PRNG vulnerability | Threatpost | The First Stop For Security News: http://threatpost.com/weak-key-generation-plagues-wireless-industrial-au... Cisco Fixes DoS, Remote Code Execution Bugs in Six Products | Threatpost | The First Stop For Security News: http://threatpost.com/cisco-fixes-dos-remote-code-execution-bugs-in-six-... Apple Patches Fix More Than 100 Vulnerabilities | Threatpost | The First Stop For Security News: http://threatpost.com/apple-patches-fix-more-than-100-vulnerabilities/10... Critical NETGEAR ReadyNAS Frontview security vulnerability | Threatpost | The First Stop For Security News: http://threatpost.com/netgear-readynas-storage-vulnerable-to-serious-com... Simple Bug Exposed Verizon Wireless Users' SMS History | Threatpost | The First Stop For Security News: http://threatpost.com/simple-bug-exposed-verizon-wireless-users-sms-hist... [Syscan360 2013] Brossard Jonathan: http://www.slideshare.net/endrazine/syscan360-2013 , It is always like that. When people claim something, we all say it is not true. - Kris Krohn Strongbrook

Risky Business #301 -- Hack your way to the top of the charts

Patrick Gray — Fri, 18 Oct 2013 00:00:00 +1100

On this week's show we're having a chat with Peter Fillmore about his upcoming talk at Ruxcon. It's all about gaming online music services like Rdio and Spotify. We've heard of clickfraud, but it's time to get ready for streamfraud! Also this week we're chatting with the CEO of Swiss company ID Quantique about quantum random number generators. With recent revelations that NIST-backed RNGs might have been subverted by the NSA, it seems interest in quantum-based technology is hitting fever pitch. In fact ID Quantique just raised US$5.6m in funding to expand its operations. Show notes NSA collects millions of e-mail address books globally - The Washington Post: http://www.washingtonpost.com/world/national-security/nsa-collects-milli... NSA report says Aust spooks swiped 311,113 contacts in one day - Messaging - SC Magazine Australia - Secure Business Intelligence: http://www.scmagazine.com.au/News/360603,nsa-report-says-aust-spooks-swi... How to Design - And Defend Against - The Perfect Security Backdoor | Wired Opinion | Wired.com: http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-th... Feds Sued for Hiding NSA Spying From Terror Defendants | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/fisa-amendments-act-concealing/ NSA tool may track burner mobiles - Applications - SC Magazine Australia - Secure Business Intelligence: http://www.scmagazine.com.au/News/360571,nsa-tool-may-track-burner-mobil... Feds Demand Supreme Court Thwart Challenge to NSA Phone Spying | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/scotus-nsa-phone-metadata/ NSA Leaks Prompt Rethinking of U.S. Control Over the Internet's Infrastructure | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/global-net-infrastructure/ NSA phone taps deterred a 'few' terrorists, not 54 - Networks - SC Magazine Australia - Secure Business Intelligence: http://www.scmagazine.com.au/News/360842,nsa-phone-taps-deterred-a-few-t... NSA chief tightens up retirement plans | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57607864-83/nsa-chief-tightens-up-retir... Lavabit to reopen briefly to allow former clients to retrieve data | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57607490-83/lavabit-to-reopen-briefly-t... Yahoo Mail finally turns on SSL | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57607486-83/yahoo-mail-finally-turns-on... Stallman: How Much Surveillance Can Democracy Withstand? | Wired Opinion | Wired.com: http://www.wired.com/opinion/2013/10/a-necessary-evil-what-it-takes-for-... Metasploit Registrar Duped by Social Engineering, Not Fax | Threatpost: http://threatpost.com/registrar-in-metasploit-dns-hijacking-not-duped-by... Apple iMessage Open to Man in the Middle, Spoofing Attacks | Threatpost: http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-... Snapchat Complies with Govt., Sends Images to Law Enforcement | Threatpost: http://threatpost.com/snapchat-complies-with-government-requests-sends-i... 35,000 sites including Fortune 1000 hacked via nasty vBulletin hole - Applications - SC Magazine Australia - Secure Business Intelligence: http://www.scmagazine.com.au/News/360840,35000-sites-including-fortune-1... MPAA Claims Victory as File-Sharing Service IsoHunt Shuts Down | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/isohunt-shutters/ Compromised certs spread email and browser -jacking malware - Web/client - SC Magazine Australia - Secure Business Intelligence: http://www.scmagazine.com.au/News/360841,compromised-certs-spread-email-... Indonesia tops China as source of Internet attacks | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57607917-83/indonesia-tops-china-as-sou... Google Fixes Three High-Risk Flaws in Chrome | Threatpost: http://threatpost.com/google-fixes-three-high-risk-flaws-in-chrome/102586 Researchers Uncover Holes That Open Power Stations to Hacking | Threat Level | Wired.com: http://www.wired.com/threatlevel/2013/10/ics/ 51 Java holes patched - Applications - SC Magazine Australia - Secure Business Intelligence: http://www.scmagazine.com.au/News/360843,51-java-holes-patched.aspx D-Link Planning to Patch Router Backdoor Bug | Threatpost: http://threatpost.com/d-link-planning-to-patch-router-backdoor-bug/102581 Quantum-mechanics security firm nabs $5.6M investment | Security & Privacy - CNET News: http://news.cnet.com/8301-1009_3-57607540-83/quantum-mechanics-security-firm-nabs-$5.6m-investment/ Senetas: http://www.senetas.com/ JaFFer - Artist - triple j Unearthed - free music | new Australian music | independent music: http://www.triplejunearthed.com.au/artists/view.aspx?artistid=48312 , The NSA is snooping with our emails, that is for sure. That seems to be a creepy move from them. - Sandra Dyche

Risky business #300 -- Will there be more Silk Roads?

Patrick Gray — Fri, 11 Oct 2013 00:00:00 +1100

On this week's show we're chatting with The Grugq about the takedown of Silk Road. How was the service located and taken down? Also this week, Tenable Network Security CSO Marcus Ranum joins us in the sponsor slot to discuss the proposition that the Internet is, in his words, a US colony. Could we see a balkanisation of the 'net? Adam Boileau, as always, joins us for the week's news segment. Show notes and links are here.

Risky Business #299 -- Christopher Boyce on the CIA's betrayal of Australia

Patrick Gray — Fri, 04 Oct 2013 00:00:00 +1000

This week's show will feature part two of my interview with convicted spy Christopher Boyce. He went on a one man mission to damage his country's military and intelligence apparatus in the 70s. He says he did it because the US was undermining the democratically elected government of Australia. So this week we go back to the 70s with Chris Boyce to chat about the Whitlam years. Australian Prime Minister Gough Whitlam lost government in 1975 when the Australian senate blocked budget supply and caused a shutdown of the federal government. Sound familiar? That's coming up after the news. This week's show is brought to you Adobe, and man, they've had a rough week. We don't have Brad Arkin in this week's sponsor slot because he's busy dealing with a crisis over there, but we DO have an interview with Karthik Raman, a security researcher at Adobe who'll be talking about how Adobe runs its secure product lifecycle program. Mark Piper is filling in for Adam Boileau in this week's news segment. Find links to what we discuss here.

Risky Business #298 -- With feature guest Christopher Boyce

Patrick Gray — Fri, 27 Sep 2013 00:00:00 +1000

We've got a great feature interview for you all this week. We're chatting with convicted spy, prison escapee and bank robber Christopher Boyce, aka The Falcon. We speak to him about the changing face of espionage; Wikileaks, Manning, Snowden and the radically changed world that awaited him when he walked out of prison. This week's show is brought to you by Context Information Security, and in this week's sponsor interview we're chatting with Context consultant Paul Stone about the research he presented at the most recent BlackHat USA conference in Vegas. It picked up a lot of buzz -- his was the talk about doing pixel-by-pixel screen scraping with html5-based timing attacks. It's ingenious stuff, that's a cracker interview, so big thanks again to Context IS for sponsoring this week's show. Show notes British Spy Agency GCHQ Hacked Belgian Telecoms Firm - SPIEGEL ONLINE http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacke... SPIEGEL Exclusive: NSA Spies on International Bank Transactions - SPIEGEL ONLINE http://www.spiegel.de/international/world/spiegel-exclusive-nsa-spies-on... RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/ How a Crypto 'Backdoor' Pitted the Tech World Against the NSA | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/nsa-backdoor/ NSA Bought Exploit Service From VUPEN, Contract Shows | Threatpost http://threatpost.com/nsa-bought-exploit-service-from-vupen-contract-sho... Congress unveils bill to limit NSA's powers | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57604756-83/congress-unveils-bill-to-li... Kim Dotcom sues New Zealand over electronic snooping | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57602815-83/kim-dotcom-sues-new-zealand... Dropbox Requests National Security Letter Transparency | Threatpost http://threatpost.com/dropbox-argues-to-publish-number-of-national-secur... Google's Gmail Keyword Scanning Might Violate Wiretap Law, Judge Finds | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/gmail-wiretap-ruling/ Data Broker Giants Hacked by ID Theft Service - Krebs on Security http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft... Researchers Build Undetectable Dopant Hardware Trojans | Threatpost http://threatpost.com/researchers-develop-undetectable-hardware-trojans/... Research detects dangerous malware hiding in peripherals - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malw... BEAST Cryptographic Attack Mitigations Overturned | Threatpost http://threatpost.com/not-so-fast-on-beast-attack-mitigations/102308 Pirate Bay Co-Founder's Sentence Is Reduced - WSJ.com http://online.wsj.com/article/SB1000142405270230379640457909709168768263... German Hackers Say They Cracked iPhone's New Fingerprint Scanner | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/iphone-fingerprint-cracked/ Google to Block Many Plug-Ins Starting in 2014 | Threatpost http://threatpost.com/google-to-block-many-plug-ins-starting-in-2014/102393 iMessage Chat app for Android Worries Security Experts | Threatpost http://threatpost.com/steer-clear-of-android-imessage-app-experts-say/10... Yahoo recycled ID users warn of security risk | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57604441-83/yahoo-recycled-id-users-war... Sefnit Click-Fraud Malware Related to Mevade Tor Botnet | Threatpost http://threatpost.com/stealthy-new-click-fraud-malware-related-to-tor-bo... Microsoft Warns of New IE Zero Day | Threatpost http://threatpost.com/microsoft-warns-of-new-ie-zero-day/102327 IE Zero Day Used in Targeted Attacks Against Japanese Firms | Threatpost http://threatpost.com/compromised-japanese-media-sites-serving-exploits-... ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory | Threatpost http://threatpost.com/ics-vendor-fixes-hard-coded-credential-bugs-nearly... Apple's iOS 7 Update Fixes 80 Security Bugs | Threatpost http://threatpost.com/apples-ios-7-update-fixes-80-security-bugs/102356 Apple Releases Apple TV 6.0, Fixes 50+ Bugs | Threatpost http://threatpost.com/after-botched-update-apple-releases-apple-tv-6-0-f... Some Versions of Ruby on Rails Could Expose Cookies | Threatpost http://threatpost.com/security-issue-in-ruby-on-rails-could-expose-cooki... Apache Upgrade Repairs Struts, Fixes Two Vulnerabilities | Threatpost http://threatpost.com/apache-upgrade-repairs-struts-fixes-two-vulnerabil... Cisco IOS Update Patches Eight Vulnerabilities | Threatpost http://threatpost.com/cisco-ios-update-patches-eight-vulnerabilities/102436 Facebook Android Bug Sent Users' Photos in the Clear | Threatpost http://threatpost.com/facebook-android-bug-sent-users-photos-in-the-clea... \u25b6 (2000) David Bowie / This is not America ~ Absolute Beginners (2/5) - YouTube http://www.youtube.com/watch?v=n_bzqyu_4N0 www.contextis.com/files/Browser_Timing_Attacks.pdf http://www.contextis.com/files/Browser_Timing_Attacks.pdf , The Belgians were surprised that they were hacked. They never thought that this could be possible until now. - Kris Krohn

Risky Business #297 -- Matthew Green tells his story

Patrick Gray — Fri, 20 Sep 2013 00:00:00 +1000

This week's show, like last week's, is a bit different. I am still moving house, which includes moving the Risky Business office and studio, but everything should be back to normal next week. So there's no news segment in this week's show, but we have two great feature interviews with academic cryptographers. The first is with Johns Hopkins University's Matthew Green who was actually asked to remove a blog post critical of the NSA from the university's servers last week, leading to a massive controversy. We're going to get his side of the story, that's a great chat. Peter Gutmann of the University of Auckland also joins us in this week's podcast. He's another well-known crypto academic and I'll be getting his thoughts on the NSA's covert program to subvert public crypto. I cover some of the same ground with Peter as I do with Matthew, but as you'll hear they have slightly different perspectives on these things. This week's show is brought to you by Tenable Network Security, makers of fine, fine vulnerability scanning software. And you know what? The vuln scanning world has changed pretty substantially in the last 5-10 years. You used to use vuln scanners to prioritise which of your awfully out of date windows boxes you'd patch. But these days you're more likely to use that stuff to find boxes that simply aren't managed. Ron joins us to talk about that.

Risky Business #296 -- Chilling effect in full swing

Patrick Gray — Fri, 13 Sep 2013 00:00:00 +1000

This week's show is a shorter one -- there's no feature interview for two reasons. The first is that I'm in the process of moving house, which includes moving my office and studio, so I'm dealing with house painters, bond cleaners and a million other things. But the second reason is because the person I had wanted to interview has been silenced. I had reached out to Matthew Green, a cryptography researcher at Johns Hopkins University, to do an interview about last week's stunning revelations about the NSA undermining public cryptography standards. Matthew has done some great blog posts on that topic. I tweeted. No response. I emailed. No response. I called. No response. Then I realised the likely reason why. The university had actually demanded he remove one of the blog posts -- possibly at the behest of the NSA -- in an utterly disgraceful violation of academic freedom. We'll find out more about that in the news segment. This week's show is brought to you by HackLabs, the Australian security consultancy. And HackLabs head honcho Chris Gatford joins the show to have a chat about the Syrian Electronic Army. Will the SEA stimulate the same type of security spend that LulzSec triggered in 2011? Chris says they probably won't, mostly because the SEA just isn't mysterious and enigmatic enough to intrigue the media. Adam Boileau joins us for an epic news segment that is mostly concerned with giving the NSA a big can of FU. You can find links to the stories discussed here.

Risky Business #295 -- Behind Arbor's Packetloop acquisition

Patrick Gray — Fri, 06 Sep 2013 00:00:00 +1000

In this week's show we're taking a look at Arbor Networks' acquisition of Packetloop, a two-year-old Australian start up that makes big data security analytics software. You'd think that Arbor would want to move the company to the USA, but that's not what's happened in this case. Packetloop co-founder Michael Baker joins the show to fill us in. This week's show is brought to you by the fine folks at Adobe Systems. And in this week's sponsor interview Adobe CSO Brad Arkin joins the podcast to talk about how he manages the security aspect of all the different cloud technologies various arms of the company use. It's a situation made infinitely more complicated by Adobe's habit of buying software companies at a rate of something like one a month. Not surprisingly, some of these acquired companies can leave a little to be desired in the security department. How does the Adobe security team bring these new services into the fold? Show notes The NSA's Secret Campaign to Crack, Undermine Internet Encryption - ProPublica http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-unde... Patriot Act Author Says NSA Is Abusing Spy Law | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/nsa-abusing-patriot-act/ NRA joins ACLU in suit against NSA's surveillance program | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57601445-83/nra-joins-aclu-in-suit-agai... Government to Release Hundreds of Documents Related to NSA Surveillance | Threatpost http://threatpost.com/government-to-release-hundreds-of-documents-relate... NSA Laughs at PCs, Prefers Hacking Routers and Switches | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/ What Exactly Are the NSA's 'Groundbreaking Cryptanalytic Capabilities'? | Wired Opinion | Wired.com http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-n... Developers Scramble to Build NSA-Proof Email | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/the-scramble-to-build-encryption/ Facebook flaw allowed hackers to delete posted photos | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57600991-83/facebook-flaw-allowed-hacke... Russia Issues International Travel Advisory to Its Hackers | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/dont-leave-home/ Aussie linked to US Govt supercomputer hack - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/355480,aussie-linked-to-us-govt-superc... Symantec source code hack lawsuit dismissed - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/355201,symantec-source-code-hack-lawsu... California Abruptly Drops Plan to Implant RFID Chips in Driver's Licenses | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/09/drivers-license-rfid-chips/ Huge Botnet Found Using Tor Network for Communications | Threatpost http://threatpost.com/huge-botnet-found-using-tor-network-for-communicat... Obad Trojan First to Spread Via Mobile Botnet | Threatpost http://threatpost.com/obad-trojan-first-to-spread-via-mobile-botnet/102184 Hand of Thief Linux Banking Trojan Not Ready For Primetime | Threatpost http://threatpost.com/hand-of-thief-trojan-not-ready-for-primetime/102159 NetTraveler Now Using Java Exploits, Watering Hole Attacks | Threatpost http://threatpost.com/nettraveler-variant-adds-java-exploits-watering-ho... FTC and TrendNet settle claim over hacked security cameras | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57601430-83/ftc-and-trendnet-settle-cla... Syrian Electronic Army Denies New Data Leaks - Krebs on Security http://krebsonsecurity.com/2013/08/syrian-electronic-army-denies-new-dat... Updated: Coalition backflips on proof of age net filter - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/355904,updated-coalition-backflips-on-... Update to Bitcoin Client Fixes DoS Bug, Password Strength | Threatpost http://threatpost.com/update-to-bitcoin-client-fixes-dos-bug-password-st... Windows 8 Picture Gesture Authentication Research | Threatpost http://threatpost.com/picture-based-password-schemes-have-their-weakness... Apple Safari Vulnerable to Buffer Overflow Exploit | Threatpost http://threatpost.com/public-exploit-available-for-patched-safari-bug/10... Watchwatch-like Heartbeat Monitor to Replace Passwords | Threatpost http://threatpost.com/watch-like-heartbeat-monitor-seeks-to-replace-pass... Researchers: Oracle's Java Security Fails - Krebs on Security http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/ Cisco Issues Four Security Advisories | Threatpost http://threatpost.com/cisco-warns-users-of-four-vulnerabilities/102158 Samsung to build Lookout into KNOX protection | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57601382-83/samsung-to-build-lookout-in... Office, SharePoint Patches Await September Patch Tuesday | Threatpost http://threatpost.com/critical-office-sharepoint-patches-await-september... Sydney's Bugcrowd raises $1.6 million - Risk - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/355761,sydneys-bugcrowd-raises-16-mill... Arbor Networks buys Sydney startup PacketLoop - Cloud - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/355620,arbor-networks-buys-sydney-star... Packetloop https://www.packetloop.com// SoundCloud - Hear the world's sounds https://soundcloud.com/lawrence-kennedy/sonny/s-AM7Jg , That is one risky business right there. If you have that one, then it will be great. - Roger Stanton

Risky Business #294 -- Five Eyes fights terrorists! (And MegaUpload.)

Patrick Gray — Fri, 30 Aug 2013 00:00:00 +1000

We've got a pretty heavily spook-themed show for you this week. The feature interview is with New Zealand-based blogger and writer Keith Ng. He was trawling the Kim Dotcom affidavits in New Zealand and noticed that documents pertaining to the illegal GCSB surveillance on Mr. Dotcom had Five Eyes stamped all over them. So, err, it looks like the surveillance apparatus established by five eyes to combat national security threats and terrorism was used indirectly by the NZ police force to spy on a guy over a copyright case. Interesting stuff. And Senetas co-founder and CTO Julian Fay joins in this week's sponsor interview to a chat about the types of demands customers are making in the wake of Edward Snowden's leaks. Traffic analysis is king! Adam Boileau, as usual, stops in to discuss the week's news headlines. Show notes These are the show notes for episode 294 of Risky Business Tech Companies and Government May Soon Go to War Over Surveillance | Wired Opinion | Wired.com http://www.wired.com/opinion/2013/08/stop-clumping-tech-companies-in-wit... NSA seeks 'groundbreaking' spying powers, new leak reveals | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57600647-83/nsa-seeks-groundbreaking-sp... Internet Giants Got Millions From Taxpayers to Cover PRISM Spying Costs | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/millions-paid-prism-compliance/ Facebook Gave 38K Users' Data to Governments in 6 Months | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/facebook-divulged-user-data/ US intercepted UN comms: report - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/354652,us-intercepted-un-comms-report.... School district hires company to follow kids' Facebook, Twitter | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57600251-83/school-district-hires-compa... German government denies Windows 'back door' claims | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57599735-83/german-government-denies-wi... Open Secret About Google's Surveillance Case No Longer Secret - Digits - WSJ http://blogs.wsj.com/digits/2013/08/26/open-secret-about-googles-surveil... My Dinner With NSA Director Keith Alexander - Forbes http://www.forbes.com/sites/jennifergranick/2013/08/22/my-dinner-with-ge... Melbourne IT compromise redirects NY Times, HuffPo readers - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/354935,melbourne-it-compromise-redirec... Who Built the Syrian Electronic Army? - Krebs on Security http://krebsonsecurity.com/2013/08/who-built-the-syrian-electronic-army/ China's Internet hit by DDoS attack; sites down for hours | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57600083-83/chinas-internet-hit-by-ddos... Google Palestine domain hacked - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/354811,google-palestine-domain-hacked.... LulzSec hacker Sabu's sentencing delayed - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/354643,lulzsec-hacker-sabus-sentencing... Hacker Pleads Guilty to Selling FBI Access to U.S. Supercomputers | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/hacker-super-computer-access/ Firefox Extension HTTP Nowhere Allows Users to Surf in Encrypted-Only Mode | Threatpost http://threatpost.com/firefox-extension-http-nowhere-allows-users-to-bro... Arabic Text String Crashes iOS, Mac OS X | Threatpost http://threatpost.com/arabic-text-string-taking-down-apps-clients-browse... Metasploit Module Adds Sudo Vulnerability for OS X | Threatpost http://threatpost.com/metasploit-module-adds-sudo-vulnerability-for-os-x... Phone Hack Could Block Messages, Calls on GSM Networks | Threatpost http://threatpost.com/phone-hack-could-block-messages-calls-on-some-mobi... New Mozilla Plug-N-Hack Tool Integrates Browsers and Security Tools | Threatpost http://threatpost.com/mozilla-plug-n-hack-integrates-browsers-and-securi... Ransomware snares victims with NSA PRISM ruse - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/354787,ransomware-snares-victims-with-... VMware Patches Root Privilege-Escalation Flaw | Threatpost http://threatpost.com/vmware-patches-root-privilege-escalation-flaw/102067 Remote Unauthenticated Bug Haunts Cisco ACS Server | Threatpost http://threatpost.com/remote-unauthenticated-bug-haunts-cisco-acs-server... Opera 16 Fixes Bugs, Improves HTML5 Performance | Threatpost http://threatpost.com/opera-16-fixes-bugs-improves-html5-performance/102129 Another Java 6 Vulnerability Found in the Wild | Threatpost http://threatpost.com/java-6-zero-day-a-reminder-to-upgrade-browser-plug... OnPoint \u2022 Public Address http://publicaddress.net/onpoint/ Midnight Oil - Dreamworld - YouTube http://www.youtube.com/watch?v=OcKcjpSWmm0 , That is one serious stuff right there. I guess that would be the thing we all are concerned of. - Adam LaFavre

Risky Business #293 -- Phishing for (whitehat) fun and profit

Patrick Gray — Fri, 23 Aug 2013 00:00:00 +1000

This week's feature guest is Haroon Meer of Thinkst Applied Research. He's launched an awesome new site called Phish5.com that allows sysadmins and security consultants to automate phishing campaigns against their own networks and clients. It's a brilliant idea and well executed. This week's show is brought to you by the fine folks at Microsoft, and we chat with Microsoft's Jerry Bryant later on about the expansion of the company's MAPP program. If you're an incident responder you really want to hear about this -- you can now submit suspect samples to Microsoft and they'll inspect them for 0day. World-class triage at your fingertips. Show notes The following stories were discussed in episode 293 of the Risky Business podcast. Bradley Manning Sentenced to 35 Years in Prison | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/bradley-manning-sentenced/ BBC News - Bradley Manning: 'I am a woman named Chelsea' http://www.bbc.co.uk/news/world-us-canada-23798253 Julian Assange's WikiLeaks Party running mate Leslie Cannold quits http://www.theage.com.au/federal-politics/federal-election-2013/julian-a... Statement of Resignation from Wikileaks Party National Council at Dan's blog http://danielmathews.info/blog/2013/08/statement-of-resignation-from-wik... Security Community Raises Money for Researcher Snubbed by Facebook Bounty Program | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/researcher-denied-facebook-bounty/ Twitter OAuth Data Leaked From Third-Party App | Threatpost http://threatpost.com/twitter-oauth-data-leaked-from-third-party-app/102035 NSA Broke Privacy Rules Thousands of Times, Contrary to Official Claims | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/nsa-violated-privacy-rules/ Declassified 2011 FISC Opinion Shows Court Found Some NSA Surveillance Unconstitutional | Threatpost http://threatpost.com/declassified-2011-fisc-opinion-shows-court-found-s... China eyes IBM, Oracle, EMC over possible security issues | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57598827-83/china-eyes-ibm-oracle-emc-o... U.K. Ordered Guardian to Destroy Snowden Files Because Its Servers Weren't Secure | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/guardian-snowden-files-destroyed/ FDA Issues Recommendations on the Security of Wireless Medical Devices | Threatpost http://threatpost.com/fda-issues-recommendations-on-the-security-of-wire... NSA and Intelligence Community turn to Tumblr -- weird but true | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57599622-83/nsa-and-intelligence-commun... Scanning the Internet in 45 Minutes | Threatpost http://threatpost.com/scanning-the-internet-in-45-minutes/102025 Nasdaq Stock Exchange Goes Dark After Tech Glitch | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/nasdaq-outage/ IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/ip-cloaking-cfaa/ Prison Computer 'Glitch' Blamed for Opening Cell Doors in Maximum-Security Wing | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/computer-prison-door-mishap/ Cybercrooks use DDoS attacks to mask theft of banks' millions | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57599646-83/cybercrooks-use-ddos-attack... How Not to DDoS Your Former Employer - Krebs on Security http://krebsonsecurity.com/2013/08/how-not-to-ddos-your-former-employer/ Joburg billing leak not a hack: whistle blower http://businesstech.co.za/news/government/44593/joburg-billing-leak-not-... Google, Mozilla Considering Limiting Certificate Validity to 60 Months | Threatpost http://threatpost.com/google-mozilla-considering-limiting-certificate-va... League of Legends is hacked, with crucial user info accessed | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57599450-83/league-of-legends-is-hacked... Google Chrome 29 Fixes 25 Vulnerabilities | Threatpost http://threatpost.com/google-chrome-29-fixes-25-vulnerabilities/102038 Microsoft Reissues MS13-066 Windows Server Patch | Threatpost http://threatpost.com/microsoft-reissues-ms13-066-windows-server-patch/1... Jumping Out of IE's Sandbox With One Click | Threatpost http://threatpost.com/jumping-out-of-ies-sandbox-with-one-click/102054 Cisco Patches DoS, Buffer Overflow Vulnerabilities in UCM | Threatpost http://threatpost.com/cisco-patches-dos-buffer-overflow-vulnerabilities-... IT Security News, Security Product Reviews and Opinion - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/ Phish5 - Phish your company in five easy steps https://phish5.com/ Microsoft Extends MAPP To Incident Responders And Offers Free Online http://www.darkreading.com/vulnerability/microsoft-extends-mapp-to-incid... The Bombay Royale http://thebombayroyale.com/index.html , The notes are really good. If you can read it, then that would be better. - Roger Stanton

Special Las Vegas edition -- Keith Alexander, Moxie and more!

Patrick Gray — Fri, 16 Aug 2013 00:00:00 +1000

This is a special edition of the Risky Business podcast, produced with material recorded at BlackHat and Defcon in Las Vegas. Features: \t* Excerpts of Keith Alexander's keynote \t* An interview with Moxie Marlinspike \t* A sponsor interview with SensePost trainer Glenn Wilkinson

Risky Business #292 -- Jon Callas: Why Silent Mail got the bullet

Patrick Gray — Fri, 16 Aug 2013 00:00:00 +1000

On this week's show we chat with Silent Circle founder Jon Callas about the decision to shutter the Silent Mail service, as well as what Silent Circle is doing to bolster product security in the wake of some pretty nasty bug disclosures by our pal Mark Dowd. In this week's sponsor interview we chat with Tenable CEO Ron Gula about innovation trends in infosec -- he was working the trade floor like a boss at BlackHat, so I asked him what tickled his fancy. A shaken but not stirred Adam Boileau joins us from the earthquake-ravaged, lawless badlands of Wellington to discuss the week's news headlines. Show notes, including links to the stories we discussed in the news segment, can be found here.

Risky Business #291 â€“ All your SIMs are belong to Karsten Nohl

Patrick Gray — Fri, 09 Aug 2013 00:00:00 +1000

In this week's feature slot we chat with Karsten Nohl about his research into pillaging SIM cards. It turns out Karsten's research into SIM security was much, much cooler than we initially thought. In this week's sponsor interview we chat with Jonathan Ness about the all new singing and dancing EMET 4.0. Adam Boileau pops by for the week's news. Show notes BREACH Compression Attack Steals HTTPS Response Secrets | Threatpost https://threatpost.com/breach-compression-attack-steals-https-secrets-in... Experts Urge ECC crytpo over RSA algorithm | Threatpost http://threatpost.com/crypto-gains-ramp-up-calls-to-get-ahead-of-inevita... JavaScript and Timing Attacks Used to Steal Browser Data | Threatpost https://threatpost.com/javascript-and-timing-attacks-used-to-steal-brows... Car hacking code released at Defcon | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57596847-83/car-hacking-code-released-a... Feds Are Suspects in New Malware That Attacks Tor Anonymity | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/freedom-hosting/ Firefox Zero-Day Used in Child Porn Hunt? - Krebs on Security http://krebsonsecurity.com/2013/08/firefox-zero-day-used-in-child-porn-h... Tor Users Should Leave Insecure Windows Operating System | Threatpost http://threatpost.com/tor-urges-users-to-leave-windows/101825 Software Obfuscation Mechanism Hampers Reverse Engineering | Threatpost http://threatpost.com/new-software-obfuscation-throws-wrench-into-revers... Edward Snowden Granted Asylum, Leaves Moscow Airport | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/edward-snowden-granted-asylum-l... Newly leaked NSA program sees 'nearly everything' you do | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57596313-83/newly-leaked-nsa-program-se... House Rejects Amendment to Sever NSA Data Collection Funding | Threatpost http://threatpost.com/house-rejects-amendment-to-sever-nsa-data-collecti... Lawmakers Who Upheld NSA Phone Spying Received Double the Defense Industry Cash | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/07/money-nsa-vote/ Declassified Memos Confirm Dragnet Phone Surveillance Program Was No Secret From Congress | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/07/phone-dragnet-no-secret/ Edward Snowden's Email Provider Shuts Down After Secret Court Battle | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/lavabit-snowden/ Bradley Manning Acquitted of Aiding the Enemy, Guilty of Espionage Act Violations | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/07/bradley-manning-not-guilty-aidi... Twitter's Killer New Two-Factor Solution Kicks SMS to the Curb | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/08/twitter-new-two-facto/ Mozilla, Blackberry To Test Website Security Via Fuzzing | Threatpost http://threatpost.com/mozilla-blackberry-join-forces-to-advance-peach-fu... Fort Disco Botnet Uses Brute-Force Attacks Against CMS Sites | Threatpost http://threatpost.com/fort-disco-brute-force-attack-campaign-targets-cms... Google WebLogin Tokens Expose Google Apps, User Data | Threatpost http://threatpost.com/convenient-google-weblogin-tokens-can-expose-user-... Chrome Security Shocker Creates Password Anxiety - Security - http://www.informationweek.com/security/application-security/chrome-secu... Apple to Fix Malicious Fake USB Charger Flaw | Threatpost http://threatpost.com/apple-to-fix-fake-usb-charger-flaw-in-ios-7/101554 Windows 8 Phone Authentication Protocol Weakness | Threatpost http://threatpost.com/microsoft-warns-of-weakness-in-authentication-prot... Remotely Exploitable Bug Affects Wide Range of Cisco TelePresence Systems | Threatpost http://threatpost.com/remotely-exploitable-bug-affects-wide-range-of-cis... Russian man doctors credit card contract, sues bank after non-repayments - Risk - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/352756,russian-man-doctors-credit-card... August 2013 Microsoft Patch Tuesday Security Updates | Threatpost http://threatpost.com/critical-ie-exchange-updates-on-tap-in-august-patc... Karsten Nohl Demonstrates SIM Card Root Attack At Black Hat | Threatpost http://threatpost.com/weak-encryption-enables-sim-card-root-attack/101557 Download Enhanced Mitigation Experience Toolkit 4.0 from Official Microsoft Download Centre http://www.microsoft.com/en-au/download/details.aspx?id=39273 , The response threats are really good. If you have that one in your record, then that would be great. - Adam LaFavre

Risky Business #290 -- A chat with Howard Schmidt

Patrick Gray — Wed, 24 Jul 2013 00:00:00 +1000

This week's show features a fantastic, extended interview with Howard Schmidt, the former White House cyber security co-ordinator and special Assistant to the US President. We spend about 35 minutes talking about what information security looks like from a high-level policy perspective. It's a long interview but there are some gems in there. We talk about some of the initiatives Howard kicked off at the White House, about the critical infrastructure legislation ping-pong game the executive branch played with congress, about Edward Snowden's leaks, and what it was like to work for Barack Obama. This week's show is brought to you by a new sponsor -- Context Information Security. ContextIS is a global consultancy and managed service provider and its Australian general manager Scott Ceely joins us this week to talk about watering hole attacks. More specifically he's talking to us about a watering hole attack that managed to hose a few high value targets with some pretty basic exploitation techniques. The Crouching Tiger watering hole attack, a case study, if you will. Adam Boileau, as usual, joins us to talk about the week's news headlines. Show notes here.

Risky Business #289 -- Smart TVs are kinda stoopid

Patrick Gray — Fri, 19 Jul 2013 00:00:00 +1000

This week's show is brought to you by the fine, fine people at Tenable Network Security, big thanks to Tenable for all its support over the years. And on this week's show we chat briefly with South Korean researcher SeungJin Lee about Smart TV security. They're equipped with cameras and microphones and they're popping up in living rooms everywhere. Now, smart phones have cameras and microphones on them, so a lot of the hype around connected home devices seems a bit unreasonable. It's not like this is the first type consumer device that can be turned into a surveillance device. But as you'll hear, Smart TV operating systems are pretty insecure and vulnerable to some pretty basic forms of exploitation, so some of these concerns are actually quite reasonable. SeungJin Lee will be dropping in to discuss his research into Smart TV security, research he'll be presenting at BlackHat in Las Vegas the week after next! In this week's sponsor interview we chat with Ron Gula, the CEO of Tenable Network Security. This week we ask Ron if Ed Snowden's revelations on NSA spying could drive non-US companies away from doing business with American cloud service providers. And we check the week's security news stories with Adam Boileau. Show notes here.

Risky Business #288 -- Planet Android safe from flaming pwncomet

Patrick Gray — Fri, 12 Jul 2013 00:00:00 +1000

On this week's show we take an axe to all the crazy hype around BlueBox's Android research. It's been a shameful, shameful week for the tech media. I half expected to walk outside this week and find crowds of consumers holding pitchforks and burning their Android devices based on the headlines we've been seeing about 99% of all 'droid devices being open to attack! As you'll hear in this week's interview with Justin Case (jcase), the research is cool -- it's a code signing check bypass for android install packages -- but you can put down the matches and the lighter fluid. It's not that bad. In this week's sponsor interview we continue the conversation about code signing with Brad Arkin, the CSO of Adobe. Adobe itself had some trouble with an attacker compromising its systems and signing malware with its HSM. Last week, as you would have heard, someone managed to do the same thing at Opera, only that case was worse because they also jacked the browser's update boxes for a short time and served up bogus patches. Last time Brad was on the show he was the head of security and privacy at Adobe so handling the operational security and code signing wasn't actually his responsibility. But it is now so he's been doing some thinking. What do these recent developments tell us about distributed trust models for code signing? Are desktop OS's moving towards the mobile app signing model that has worked so spectacularly well for Apple? Well, Brad says they are, with caveats. Adam Boileau, as usual, joins the show to discuss the week's news headlines. Show notes are here.

Risky Business #287 -- In Soviet Russia, bugs exploit you!

Patrick Gray — Fri, 05 Jul 2013 00:00:00 +1000

We've got a great show for you this week. Mark Dowd of Azimuth Security pops in to talk about the bugs he found in libraries used by secure telephony providers like Silent Circle. They're serious, serious bugs, and they were easy to find. Also this week we talk to Les Goldsmith of ESD America. ESD is a pretty interesting outfit. They sell the German-developed GSMK Cryptophone, a product that has been around for a very, very long time and is mostly used by militaries and police. They also sell counter surveillance training, bug sweeping gear, armoured vehicles, tactical training and explosives detection dogs, but hey, today we're focussing on the electronic stuff. We get Les's reaction to the news that the US has been bugging the offices of the European Union, the Ecuadorian embassy and, well, pretty much everyone all the time. He's got some really interesting perspectives on that. In this week's sponsor interview we chat with Chris Gatford about these awful, awful IPMI vulnerabilities. The Intelligent Platform Management Interface turns out to be anything but! If you haven't heard, it turns out there are serious, protocol-level design flaws in IPMI which are going to make life tough for anyone who's actually using it. it's the sort of thing that will take a long time to truly fix, too.

Risky Business #286 -- The one where we talk about Snowden

Patrick Gray — Fri, 28 Jun 2013 00:00:00 +1000

This week's show is a bit shorter than usual. We've got a discussion of the week's news then a great chat with Brian Contos, the VP and CISO of Blue Coat Systems Advanced Threat Protection Group. It's this week's sponsor interview and we'll be chatting about whether or not cyber warfare is really asymmetrical. It's the accepted wisdom that it is, but I gotta say, when we look at who's using it -- the US and Israel against Iran and Syria, Russia versus Estonia -- it looks to me like it's something used by the big guys to smash the little guys. Brian disagrees, so it's a nice lively discussion and it's coming up after the news. Show notes You can find that episode here. Stolen Opera Code-Signing Certificate Used to Sign Malware | Threatpost http://threatpost.com/opera-code-signing-certificate-stolen-malware-sign... Google Adds Feature to Keep Malware Out of Chrome Web Store | Threatpost http://threatpost.com/google-fortifies-chromes-web-store-vetting-process/ Researcher Hijacks Facebook Accounts Via Mobile | Threatpost http://threatpost.com/sms-account-hijack-exploit-fixed-by-facebook/ Facebook bug exposed contact info of 6M users | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57590528-83/facebook-bug-exposed-contac... Senate urged to pass data breach notification law - Risk - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/347895,senate-urged-to-pass-data-breac... Australian AG scraps ISP data retention plans | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57590675-83/australian-ag-scraps-isp-da... Hackers reportedly release data on U.S. troops in Korea | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57591048-83/hackers-reportedly-release-... Mobile malware grows by 614 percent in last year | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57591042-83/mobile-malware-grows-by-614... LG Android Backup Software Vulnerable to Root Exploit | Threatpost http://threatpost.com/pre-installed-backup-software-on-lg-android-phones... Researchers Uncover PinkStats APT Toolkit | Threatpost http://threatpost.com/researchers-uncover-pinkstats-apt-toolkit/ WikiLeaks Volunteer Was a Paid Informant for the FBI | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/wikileaks-mole/ 14 Vulnerabilities Fixed in Firefox 22 | Threatpost http://threatpost.com/14-vulnerabilities-fixed-in-firefox-22/ WordPress Update 3.5.2 Patches Seven Vulnerabilities | Threatpost http://threatpost.com/latest-wordpress-update-patches-seven-vulnerabilit... NSA collected Americans' email records in bulk for two years under Obama | World news | The Guardian http://www.guardian.co.uk/world/2013/jun/27/nsa-data-mining-authorised-o... U.K. Spy Agency Secretly Taps Over 200 Fiber-Optic Cables, Shares Data With the NSA | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/gchq-tapped-200-cables/ Student group files complaint against U.S. firms over NSA data snooping | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57591122-83/student-group-files-complai... Whistle-blower update: Snowden lands in Moscow; WikiLeaker's Gmail searched | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57590599-83/whistle-blower-update-snowd... NSA Surveillance Leaks Prompt Legislation | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/nsa-spy-legislation/ Feds charge Snowden with espionage | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57590549-83/feds-charge-snowden-with-es... Handling of Encryption, Tor Exposed in Leaked NSA Documents | Threatpost http://threatpost.com/new-nsa-leak-sheds-light-on-encrypted-data-retention/ Udall: NSA states "significant" errors about privacy protections - The Denver Post http://www.denverpost.com/ci_23530383/udall-nsa-states-significant-error... Putin says Snowden is not technically in Russia http://www.usatoday.com/story/news/world/2013/06/25/snowden-russia-china... you am i - rumble [audio only] - YouTube http://www.youtube.com/watch?v=S1wp2D5DM_s , Google is trying to step up their game. They are really aggressively making the right steps towards customer satisfaction. - Adam LaFavre

Risky Business #285 -- Beating the G20 Internet cafe

Patrick Gray — Fri, 21 Jun 2013 00:00:00 +1000

In this week's show we talk opsec with international man of mystery The Grugq. In light of revelations the Internet lounge at the G20 summit was essentially an intelligence collection system set up by GCHQ, we thought we'd look at what travelling diplomats and executives can do to protect their data when entering a hostile environment where all infrastructure is assumed to be controlled by your adversary. There's some great practical advice in that segment, and it's after the news. In this week's sponsor interview we speak with Jack Daniel, Tenable Network Security's product manager about Microsoft's bug bounty program. $100k for a good exploit! The times, they change. And we check in with Adam Boileau to discuss the week's news headlines. Show notes can be found here.

Risky Business #284 -- Snowden and the Internet counter-culture

Patrick Gray — Thu, 13 Jun 2013 00:00:00 +1000

In this week's feature interview we chat with author and speaker Richard Thieme about what they used to call the generation gap. NSA leaker Edward Snowden is "Internet generation". Are the ideals espoused by people like Snowden rooted in counter-cultural ideals or are they just generational norms? Are these ideas around online liberty becoming mainstream? Now that we have so many gen-Ys and millennials actually running the information infrastructure that powers our institutions, could we be on the cusp of serious changes in the way the establishment works? That is an interesting chat. In this week's sponsor interview we're chatting to John Vecchi, Solera's VP of Product Strategy, all about whether or not we're neglecting mundane threats because we're so focussed on identifying APT. Adam Boileau joins us for this week's news segment. Show notes, including links to the articles discussed, can be found here.

Risky Business #283 -- America, we need to talk

Patrick Gray — Fri, 07 Jun 2013 00:00:00 +1000

On this week's show we take a look at PRISM, the NSA's recently exposed massive surveillance program. Leaked PowerPoint slides from NSA describe a surveillance system that allows the agency to effortlessly capture a target's YouTube, Google, Facebook and Skype. This has been reported as these companies allowing the US government access to "back doors" on their systems. In this week's episode we look at an alternative theory: The NSA is actually capturing information on "persons of interest" in real-time via fibre taps, decrypting it with private keys, then storing it. It's our theory and we're sticking with it. Listen to this week's episode to see if you agree! Also this week we've got Tenable's chief of security, Marcus Ranum, stopping by in this week's sponsor interview to follow up on his keynote speech at AusCERT. The speech was called Never Fight a Land War in Cyber Space and it's really about the idea that conventional military thinking doesn't apply to the Internet. I published a recording of his talk and it got a great reaction, but I was left with some questions after I saw it. So I rang him up and asked them! It's actually a really, really interesting interview so make sure you tune in for it. ****EDITOR'S NOTE: During the discussion on PRISM, I referenced 5Tb/s of traffic between "the US, Canada and US". That should have been "The US, Canada and Europe". Sorry about that! Show notes Report: NSA Was Granted Order to Snag Millions of Verizon Call Records for 3 Months | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/nsa-verizon-call-records/ Assange no concern of ours, says Carr http://www.smh.com.au/opinion/political-news/assange-no-concern-of-ours-... Google push for faster zero day fixes hits a wall: Other companies | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57587178-83/google-push-for-faster-zero... NetTraveler Espionage Malware Campaign Ties to Gh0st RAT | Threatpost http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to... Oracle Java Security Enhancements Get Mixed Reviews | Threatpost http://threatpost.com/mixed-reviews-on-oracles-java-security-update/ FDIC: 2011 FIS Breach Worse Than Reported - Krebs on Security http://krebsonsecurity.com/2013/06/fdic-2011-fis-breach-worse-than-repor... Peer-to-Peer Botnets Grow Fivefold | Threatpost http://threatpost.com/number-of-peer-to-peer-botnets-grows-5x/ Systems are now secure: Govt CIO | Computerworld New Zealand http://computerworld.co.nz/news.nsf/news/systems-are-now-secure-govt-cio Windows 8.1 to let you secure folders with your fingerprint | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57587535-83/windows-8.1-to-let-you-secu... Two-Factor Authentication Options for Web Services | Threatpost http://threatpost.com/web-services-finding-religion-with-two-factor-auth... Pills and Tattoos to Replace Passwords for Authentication | Threatpost http://threatpost.com/former-darpa-head-proposes-pills-and-tattoos-to-re... Microsoft, feds disrupt massive Citadel botnet | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57587935-83/microsoft-feds-disrupt-mass... Schneider Patches 18-Month Old SCADA Bugs | Threatpost http://threatpost.com/schneider-patches-18-month-old-scada-bugs/ Five Bulletins, One Critical in Microsoft's June Patch | Threatpost http://threatpost.com/five-bulletins-one-critical-in-microsofts-june-patch/ Google Fixes Security Vulnerabilities with Chrome Update | Threatpost http://threatpost.com/google-ships-12-security-patches-in-latest-chrome-... Apple Patches Mass of Security Bugs in OS X and Safari | Threatpost http://threatpost.com/apple-patches-mass-of-security-bugs-in-os-x-and-sa... Internet Systems Consortium Resolves Critical BIND Flaw | Threatpost http://threatpost.com/isc-patches-known-bind-9-dos-vulnerability/ STORIES DISCUSSED IN FEATURE SEGMENT: U.S. intelligence mining data from nine U.S. Internet companies in broad secret program - The Washington Post http://www.washingtonpost.com/investigations/us-intelligence-mining-data... Verizon Breaks Silence on Top-Secret Surveillance of Its Customers | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/verizon-responds/ DHS Watchdog: 'Intuition and Hunch' Are Enough to Search Your Gadgets at Border | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/border-gadget-searches/ Teen Jailed for Rap Lyrics Posted After Boston Bombings | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/06/teen-jailed-for-terror-rap/ PRESENTATION: Marcus Ranum on militarisation trends | Risky Business http://risky.biz/ranum_auscert , Oracle has really embraced the fact that they should be more careful with their security. They need to do that. - Kris Krohn Strongbrook

Risky Business #282 -- The future of hacktivism

Patrick Gray — Fri, 31 May 2013 00:00:00 +1000

This week's show is a cracker! We've got a great feature interview with journalist and author Parmy Olson about what the future might hold for Anonymous. Is it time for the Anonymous brand to be retired? The media has largely lost interest in its activities -- how could the hacktivism phenomenon bounce back to the same levels of notoriety as it experienced in 2011? Tune in to find out! This week's show is brought to you by Senetas, makers of absolutely kick-ass layer 2 encryption equipment. In this week's sponsor interview we're chatting with Senetas co-founder and CTO Julian Fay about homomorphic encryption. This is where you can actually perform operations on data while it's still encrypted! It's all a bit twisted, but it's fascinating stuff and it's this week's sponsor interview topic. Show notes You can click through to the recording page here. ASIO blueprints, Defence documents stolen - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/344763,asio-blueprints-defence-documen... Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies - The Washington Post http://www.washingtonpost.com/world/national-security/confidential-repor... U.S. Government Seizes LibertyReserve.com - Krebs on Security http://krebsonsecurity.com/2013/05/u-s-government-seizes-libertyreserve-... Liberty Reserve Founder Indicted on $6 Billion Money-Laundering Charges | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/liberty-reserve-indicted/ Anonymous Hacktivist Jeremy Hammond Pleads Guilty to Stratfor Attack | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/hammond-plea/ Guantanamo Wi-Fi shuttered after Anonymous hacking threat | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57585420-83/guantanamo-wi-fi-shuttered-... Twitter Enables Two-Factor Authentication | Threatpost http://threatpost.com/twitter-enables-two-factor-authentication/ Kim Dotcom Claims Ownership of Two-Factor Authentication | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/kim-dotcom-two-factor/ Holder Signed Off on Warrant Identifying Fox News Reporter as Criminal Conspirator | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/holder-signed-off-on-warrant/ WikiLeaks Donations Down to a Trickle | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/wikileaks-donations-down/ Drupal hacked, resets passwords after millions of accounts exposed \u2022 The Register http://www.theregister.co.uk/2013/05/30/drupal_sites_hacked/ Ruby on Rails Exploit Harvests IRC Botnet | Threatpost http://threatpost.com/ruby-on-rails-exploit-builds-irc-botnet-of-comprom... Report Says Active Recovery Efforts Could Deter IP Theft By Foreign Attackers | Threatpost http://threatpost.com/report-says-active-recovery-efforts-could-deter-ip... Hackers Who Breached Google in 2010 Accessed Company's Surveillance Database | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/google-surveillance-database/ ReVuln Discovers Zero Day Vulns in Gaming Clients | Threatpost http://threatpost.com/researchers-discover-dozens-of-gaming-client-and-s... PayPal to Fix XSS Flaw, But No Reward For Researcher | Threatpost http://threatpost.com/paypal-to-fix-xss-flaw-but-no-reward-for-researcher/ Vulnerabilities Plague File Lite, File Pro iOS Apps | Threatpost http://threatpost.com/remote-code-injection-vulnerabilities-discovered-i... Click-Fraud Falls as Microsoft Fights ZeroAccess Malware | Threatpost http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/ Mac OS X Backdoor Found in Wild | Threatpost http://threatpost.com/another-mac-os-x-backdoor-reported/ Apple Patches QuickTime on Windows, Fixes 12 Bugs | Threatpost http://threatpost.com/new-apple-quicktime-update-patches-12-vulnerabilit... Google Fixes More Than a Dozen Flaws in Chrome 27 | Threatpost http://threatpost.com/google-fixes-more-than-a-dozen-flaws-in-chrome-27/ Skype Beta Plugs IP Resolver Privacy Leak - Krebs on Security http://krebsonsecurity.com/2013/05/skype-beta-plugs-ip-resolver-privacy-... Google Strengthening Keys on SSL Certificates to 2048 Bits | Threatpost http://threatpost.com/google-strengthening-keys-on-ssl-certificates-to-2... IBM open sources new approach to crypto \u2022 The Register http://www.theregister.co.uk/2013/05/03/ibm_open_source_homomorphic_crypto/ Rokia Traor\xe9 "Sikey" - Acoustic / TV5MONDE - YouTube http://www.youtube.com/watch?v=U2OnJvbEiHc We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency: Parmy Olson: 9780316213523: Amazon.com: Books http://www.amazon.com/dp/0316213527 Senetas - Data Protection through Encryption http://www.senetas.com/ , The blueprints are already laid out. They need to execute the plan right there. - Mission Maids

PRESENTATION: Marcus Ranum on militarisation trends

Patrick Gray — Wed, 29 May 2013 00:00:00 +1000

The following is a recording of Marcus Ranum's AusCERT keynote speech on CYBER WAR. Marcus was doing the circuit a few years ago with a talk titled "Cyber war is bullshit", which I think makes clear his position, but this one is titled Never Fight a Land War in Cyberspace. He basically argues that the application of traditional military thinking to the cyber domain is flawed. He also argues there's a massive money and power grab taking place as the military and the private sector defence base tries to set the agenda so it can profit from it. It's a really worthwhile talk, and delivered with typical MjR flair. Enjoy.

SPONSOR INTERVIEW: Reflections on reflections on trusting trust

Patrick Gray — Wed, 29 May 2013 00:00:00 +1000

In this sponsor interview with chat with Paul Ducklin of Sophos, and the topic is reflections -- 30 years on -- on the paper Reflections on Trusting Trust by Ken Thompson. So we're reflecting on reflections on trusting trust. I started off by asking Paul to recap the paper for people who aren't familiar with it.

PRESENTATION: Does Anonymous have a future?

Patrick Gray — Wed, 29 May 2013 00:00:00 +1000

You're about to hear Parmy Olson's presentation from AusCERT's 2013 conference. Parmy is a journalist for Forbes, but she's also an author -- she wrote We Are Anonymous, Inside the Hacker world of LulzSec, Anonymous and the Global Cyber Insurgency. She got amazing access to the LulzSec crew and the book is well worth reading. In this presentation she looks at why these young men got involved in such risky activity. What drove them, and what does the future of Anonymous look like?

PRESENTATION: Dmitri Alperovitch pitches active defence

Patrick Gray — Wed, 29 May 2013 00:00:00 +1000

Active defence is the new black. It's the issue of 2013. One of the organisations that helped put the issue on to the agenda is CrowdStrike, a business founded by some senior ex technologists from McAfee. CrowdStrike was founded on the premise that simply relying on defensive measures in information security isn't enough -- you need to be able to mess with your adversaries. One of CrowdStrike's founders was Dmitri Alperovitch. He was at AusCERT and used his speaking slot to basically deliver the thinking behind CrowdStrike's pitch. It's nothing earth shattering, but it's a really well packaged speech that presents a cogent argument for the concept of active defence. So here it is, Dmitri Alperovitch's AusCERT talk titled Offence as the Best Defence.

SPONSOR INTERVIEW: Did APT1 put "cyber" on the boardroom agenda?

Patrick Gray — Wed, 29 May 2013 00:00:00 +1000

In this sponsor interview we're chatting with Declan Ingram of Datacom TSS. Datacom TSS is a Canberra-based, national security firm founded by ex Australian government security specialists. These guys specialise in dealing with highly skilled adversaries... Now, when they founded this business a few years ago, there was awareness in government that highly skilled adversaries were a real challenge... but it's really been 2013 where executives at the boardroom level have sat up and taken note of security issues, particularly the issue of APT. They've realised it isn't just the Google's of the world who are being attacked by state sponsored adversaries -- Oil companies, broadcasters and insurance companies have been absolutely nailed by teams working for the governments of North Korea and Iran, for example. Furthermore, Mandiant's APT1 report really put the issue on the map for a lot of people who previously just weren't aware of the issues. It's that whole chicken versus egg thing -- are people becoming aware of it because of the media attention or is the media reporting on it because people are becoming aware? So how has this affected things for a business like Datacom TSS? Declan Ingram joined me to discuss. I started off by asking him how perceptions of sophisticated threats have changed over the last couple of years.

PRESENTATION: AusCERT speed debate

Patrick Gray — Wed, 29 May 2013 00:00:00 +1000

The following is a recording of the traditional closing event of the AusCERT event -- the speed debate. It's hosted by Australian television and radio presenter Adam Spencer, and it's a bit of light fun to end the whole thing on... debaters include Eugene Kaspersky, Bill Caelli, Charlie Miller, Scott McIntyre and more. I'll drop you in here as Adam sets the whole thing up. Enjoy.

PRESENTATION: Charlie Miller pwns Android NFC

Patrick Gray — Fri, 24 May 2013 00:00:00 +1000

Some time ago security researcher Charlie Miller published some research that showed he could take over NFC-equipped phones just by holding them near a malicious RFID sticker. This talk takes you through his research process -- how he fuzzed devices, what he found\u2026 and how he came to realise that attacking the higher level functions of NFC functionality turned out to be the shortest path to victory.

SPONSOR INTERVIEW: Using BYOD devices for 3G/LTE exfiltration

Patrick Gray — Fri, 24 May 2013 00:00:00 +1000

Datacom TSS is a Canberra-based, national security firm founded by ex Australian government security specialists. These guys specialise in dealing with highly skilled adversaries. One of their services is running some pretty intense Red Team exercises. The team at Datacom TSS recnetly ported its Red Team Trojan over to the Android platform, and it's surprisingly easy to trick people into installing it. You just email it to them and ask them to install the APK package. And what you get once you're on someone's phone is quite awesome. Not only can you turn on the microphone and snoop on boardroom conversations, but you can use the 3G or LTE connection on the device to do your exfiltration. That way you're completely bypassing the heavily watched gateway. You can also use it to bypass SMS-based authentication. Mark Brand is the Datacom TSS guy who did the Android port. He joined me by phone to tell us all about it.

PRESENTATION: OSINT observation of DPRK

Patrick Gray — Fri, 24 May 2013 00:00:00 +1000

The following is a recording of David Jorm's AusCERT presentation. You might have heard Dave preview his talk on last week's episode of the regular Risky Business podcast. Dave, who works as a security response engineer for a vendor, studies geography and mathematics at the University of Queensland and recently completed a study on long-term remote-sensing analysis of North Korea. In his talk he looks at an OSINT analysis of North Korea\u2026 he talks about the work he did as well as looking at what other North Korea watchers are up to. There's some really cool stuff in there about Red Star Linux, too -- it's a North Korean Linux distribution that's surprisingly polished. So here he is -- it's Dave Jorm's AusCERT talk. Enjoy.

PRESENTATION: All your SCADAS are belong 2 Mark Fabro

Patrick Gray — Fri, 24 May 2013 00:00:00 +1000

This is a recording of Mark Fabro's day two keynote speech from AusCERT. Mark is a control systems security expert and a terrific speaker. He's the president and chief security scientist for Lofty Perch, a control system security consultancy. He's extremely well plugged in to the SCADA security scene, he's done a bunch of strategy consulting to the US government. Basically Mark is Mr. SCADA. It's his thing. In this talk Mark argues that we're focussing on the wrong stuff when it comes to SCADA security. He gives us an experts view on the conversation we should be having if we actually want to fix things. Here's Mark Fabro, I hope you enjoy it.

SPONSOR INTERVIEW: Security investment in Silicon Valley

Patrick Gray — Fri, 24 May 2013 00:00:00 +1000

In this sponsor interview with chat with Casey Ellis, the founder of BugCrowd. BugCrowd is an Australian business, but Casey is currently in the USA where the appetite for information security investment opportunities is apparently hitting fever pitch. In this interview I ask him how one might get started off on the path to massive phatcash through their cybersecurity startup.

PRESENTATION: AusCERT opening keynote with Google's Michael Jones

Patrick Gray — Thu, 23 May 2013 00:00:00 +1000

We're kicking off our AusCERT 2013 coverage today with the conference's opening keynote by Michael Jones, Google's chief technology advocate. He's charged with advancing technology to organise the world's information and make it universally accessible and useful. Michael has worked as chief technologist of Google Maps, Earth, was the CTO of Keyhole Corporation, the company that developed the technology behind Google Earth and was also CEO of Intrinsic Graphics, and was director of advanced graphics at Silicon Graphics. His presentation was called Security's Biggest Risk, and it basically boils down to the dumb stuff bringing us unstuck. It's a very high level talk that definitely has its moments, and I hope you enjoy it. Here he is.

PRESENTATION: HD Moore's AusCERT plenary

Patrick Gray — Thu, 23 May 2013 00:00:00 +1000

The following is a recording of HD Moore's AusCERT plenary, all about the research he's done scanning the entire Internet. HD is one of the smartest guys in the business, and it's a great talk. But you might actually need to slow it down a bit, because I don't think I've ever encountered anyone in my life who can speak as fast as HD does. He sometimes speaks at a pace that is faster than my ability to comprehend what he's saying. But as I say, it's a great talk -- it's called Global Vulnerability Analysis.

SPONSOR INTERVIEW: Paul Ducklin on code signing cert pinning

Patrick Gray — Thu, 23 May 2013 00:00:00 +1000

In this sponsor interview we chat with Paul Ducklin of Sophos about trends in code signing technology designed to combat malware. During the great "SSL wars" of 2011, when hackers like Comodohacker went cyber-berserk owning CAs and minting their own certificates for sites like Gmail and Facebook, valuable lessons were learned. It's becoming the norm for browsers to pin certs for well known websites... and now this same approach to certificate sanity checking is finding its way into code signing checks. Microsoft's latest EMET, version 4.0 which I think is still in Beta, will pin certs for signed applications. It's a good idea -- it makes life a little tougher for the bad guys, but as you'll hear, it's not going to kick the can THAT far down the road, as Paul Ducklin explains.

PRESENTATION: BYOD in government, a high level talk

Patrick Gray — Thu, 23 May 2013 00:00:00 +1000

The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has to consider when allowing staff to use their own devices in a heavily regulated environment.

SPONSOR INTERVIEW: Are bug bounties more effective than pentesting?

Patrick Gray — Thu, 23 May 2013 00:00:00 +1000

In this sponsor interview with chat with Casey Ellis, the founder of BugCrowd. When Casey co-founded the business the idea was simple -- the company would host outsourced bug bounty programs for clients that didn't have the expertise to run their own. As some of you may know, the idea really took off, but what no one expected was for BugCrowd's registered testers to do a better job than many penetration testing teams. It's cheaper than a pentest, and in the case of Web application or mobile application security testing, these bug bounty programs are turning up more actionable issues than penetration testing teams. Could these types of programs be disruptive to the penetration testing services industry? Casey joined me to discuss.

Risky Business #281 -- Eyes on DPRK

Patrick Gray — Fri, 17 May 2013 00:00:00 +1000

This week's feature interview is with Dave Jorm, a Brisbane-based security geek and environmental science aficionado who's done some really interesting OSINT analysis of agricultural efficiency in North Korea with publicly available satellite data. He's presenting his findings at AusCERT's annual conference on the Gold Coast next week; he joins the podcast to talk about his work and the online community of North Korea watchers. Ok, so it's not exactly about infosec, but it's really interesting stuff and I hope you all enjoy it! This week's show is brought to you by the fine folks at HackLabs, the Australian pentesting firm. If you need your pens tested, get in touch with the team at HackLabs.com. This week's sponsor interview is with HackLabs head honcho Chris Gatford. We chat to him about a tale of two banks -- one big Middle Eastern bank and one small Australian bank. They're two organisations with very different approaches to security and very different security postures, but both eventually failed penetration tests by making the same simple mistakes. Show notes LulzSec Hackers Sentenced to Prison by London Court | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/lulzsec-sony-hackers-sentenced/ Hacker Aush0k fronts Sydney court - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/343301,hacker-aush0k-fronts-sydney-cou... $45M Bank Hack Suspect Was Shot Dead While Playing Dominoes | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/bank-cashing-suspect-killed/ Judge Allows Evidence Gathered From FBI's Spoofed Cell Tower | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/rigmaiden-cell-tower-evidence/ Saudi Telecom Sought U.S. Researcher's Help in Spying on Mobile Users | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/saudi-telecom-sought-spy-help/ Bloomberg Leaks Private Messages from Data-Mining Project | Threatpost http://threatpost.com/bloomberg-posts-10000-private-messages-over-the-in... Obama Administration Secretly Obtains Phone Records of AP Journalists | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/doj-got-reporter-phone-records/ Lawmakers Introduce Bill Requiring Court Order to Seize Phone Records | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/court-order-for-phone-records/ FBI's Latest Proposal for a Wiretap-Ready Internet Should Be Trashed | Wired Opinion | Wired.com http://www.wired.com/opinion/2013/05/the-fbis-plan-for-a-wiretap-ready-i... Biometric Database of All Adult Americans Hidden in Immigration Reform | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/immigration-reform-dossiers/ Syrian Internet Connection Cut Off Again | Threatpost http://threatpost.com/syria-severed-from-internet-again/ Trade Sanctions Cited in Hundreds of Syrian Domain Seizures - Krebs on Security http://krebsonsecurity.com/2013/05/trade-sanctions-cited-in-hundreds-of-... DDoS Services Advertise Openly, Take PayPal - Krebs on Security http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-p... Honeynet Project Researchers Build ICS Honeypot | Threatpost http://threatpost.com/honeynet-project-researchers-build-publicly-availa... Attackers Target Older Java Bugs | Threatpost http://threatpost.com/attackers-target-older-java-bugs/ Malicious Firefox, Chrome Extensions Target Facebook Users | Threatpost http://threatpost.com/malicious-browser-extensions-target-facebook-profi... Spyware Campaign Originating in India Targeting Pakistanis | Threatpost http://threatpost.com/new-india-based-spy-malware-campaign-targeting-pak... Firefox 21 Update Patches 8 Vulnerabilities, 3 Critical | Threatpost http://threatpost.com/firefox-21-fixes-three-critical-flaws-introduces-n... Microsoft Patches IE Zero Day Used In Watering Hole Attack | Threatpost http://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-v... Adobe Patches ColdFusion Flaws Exploited in Wild | Threatpost http://threatpost.com/adobe-patches-coldfusion-flash-reader-vulnerabilit... How a Career Con Man Led a Federal Sting That Cost Google $500 Million | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/google-pharma-whitaker-sting/all/ Zuluboy - Mbombela (A Twist of Bayethe) - YouTube http://www.youtube.com/watch?v=KFS4cSmzjYY , With that sentencing, they will know be very vigilant of what they are all about. I guess they are all ears on that one. - Mission Maids , Hi Patrick!! Thanks for your show. I am an avid listener, still a computer security student. :) So, thanks again.

Risky Business #280 -- South Africa edition

Patrick Gray — Thu, 09 May 2013 00:00:00 +1000

This week's show was being produced on the road so it's a bit of a different format -- I did a longer than usual news panel session from the conference floor! Our news discussion panel consists of: The Grugq Dominic White, SensePost Charl van der Walt, SensePost Andrew MacPherson, Paterva (Maltego) After that we've got this week's sponsor interview with Peleus Uhley of Adobe. Adobe is this week's sponsor, big thanks to them, and Peleus joins the show to talk about throwing a spanner in the works of mass malware customisation. We look at some of the approaches large vendors are using these days to disrupt the development lifecycle of the bad guys. It's interesting stuff and it's after the news. Show notes You can find episode 280 here. LivingSocial Ups its Password Encryption After Breach | Threatpost http://threatpost.com/livingsocial-ups-its-password-encryption-following... Hacker Jailbreaks Google Glass for Root Access Unlock | Threatpost http://threatpost.com/google-glass-cracked/ Dutchman Arrested in Spamhaus DDoS - Krebs on Security http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/ Alleged SpyEye Seller 'Bx1\u2032 Extradited to U.S. - Krebs on Security http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-... Two-Factor Authentication Won't Stop Twitter Compromises | Threatpost http://threatpost.com/two-factor-authentication-no-cure-all-for-twitter-... More Malware Showing Up as Fake SourceForge Web Sites | Threatpost http://threatpost.com/more-malware-showing-up-on-fake-sourceforge-web-si... Ramnit Man-in-the-Browser Attack Targets UK Banks | Threatpost http://threatpost.com/ramnit-variant-targets-uk-banks-with-otp-attack/ Google Play Android Apps Must Update in Google Store | Threatpost http://threatpost.com/google-mandates-app-updates-come-from-google-play/ Obama Expands Surveillance to Critical Infrastructure | Threatpost http://threatpost.com/executive-order-expands-warrantless-network-monito... CISPA Is Dead. Now Let's Do a Cybersecurity Bill Right | Wired Opinion | Wired.com http://www.wired.com/opinion/2013/04/cispas-dead-now-lets-resurrect-it/ Law Requiring Warrants for E-Mail Wins Senate Committee Approval | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/04/email-warrants-bill/ Man Convicted of Hacking Despite Not Hacking | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despit... Oracle Delays Java 8 Features for Security Overhaul | Threatpost http://threatpost.com/does-java-8-delay-mean-oracle-finally-serious-abou... Security Explorations Finds Seven New Flaws in IBM SDK | Threatpost http://threatpost.com/java-bugs-new-and-old-affecting-ibm-sdk/ IE 8 Zero Day Widens Scope of DoL Watering Hole Attack | Threatpost http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-sp... Pentagon Approves Samsung KNOX Android Platform for DoD | Threatpost http://threatpost.com/samsungs-secure-version-of-android-gets-dod-blessing/ Australian police arrest alleged leader of LulzSec hacking group | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57581074-83/australian-police-arrest-al... Researchers Hack Building Control System at Google Australia Office | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/googles-control-system-hacked/ Hacker Breached U.S. Army Database Containing Sensitive Information on Dams | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/ Bank Sues Cyberheist Victim to Recover Funds - Krebs on Security http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recove... Senators propose law to go after foreign cybercriminals | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57583379-83/senators-propose-law-to-go-... Brad Arkin Named Adobe CSO | Threatpost http://threatpost.com/brad-arkin-named-adobe-seo/ Freddie Hubbard - Red Clay (Complete) - YouTube http://www.youtube.com/watch?v=wA1ZelIbUfI , I can't figure out how cats and dogs live together. This is cool. - Kris Krohn Strongbrook

Risky Business #279 -- Retarded Persistent Threat

Patrick Gray — Thu, 25 Apr 2013 00:00:00 +1000

This week's edition of the show is pre-recorded because I'm off surfing in Jeffreys Bay, South Africa. There will be no show next week, but the week after that I'll be bringing you an episode from the ITWeb Security Summit in Johannesburg where I'm speaking. In this week's show we've got a great interview with Wade Baker, the managing principal of Verizon's RISK team, and the topic, of course, is this year's Verizon Data Breach Investigations Report. We've also got a sponsor interview with Marcus Ranum of Tenable Network Security. Tenable is this week's sponsor, so you can thank them for making this week's show possible. Do check out Tenable.com for all your vulnerability scanning and SIEM needs! We chat with Marcus about what he calls economic spoiler attacks -- these are the disruptive, state-sponsored attacks we've seen against Saudi Aramco and South Korea. If you'd like to download this week's track, you can grab it for free from the TripleJ Unearthed website here.

Risky Business #278 -- Pentest revenue figures puzzling

Patrick Gray — Fri, 19 Apr 2013 00:00:00 +1000

This week's show is jam packed. We'll be hearing from our favourite firmware hacker, sneaky Snare, all about the leak of AMI's UEFI implementation source code and firmware signing key. What will it mean for firmware research? We'll also be chatting with Nick Ellsmore. Nick founded a company here in Australia called SIFT, which eventually merged with Stratsec, which was then bought by BAE. These days, apart from being ridiculously wealthy, Nick has put together Delling Advisory, a consultancy focussing on mergers and acquisitions in information security. And he's been writing some very interesting blog posts about the Australian information security market. He might be focussing on things downunder, but I'm pretty sure what we're talking about today applies everywhere -- penetration testing revenue estimates just don't add up. Nick believes a lot of mandated pentesting work in Australia is actually being done by IT systems integrators that don't actually have appropriate skills, or isn't being done at all. This week's show is brought to you by Senetas, an absolutely awesome company that makes layer two crypto gear. You should go to Senetas.com and buy all their things. In this week's sponsor interview we're chatting with Senetas CTO Julian Fay about a proposed extension to BitCoin called Zerocoin. The extension is designed to make Bitcoin anonymous. As always, Adam Boileau joins us for the week's news headlines. Show notes are here.

Risky Business #277 -- Vuln research trends with Mark Dowd

Patrick Gray — Thu, 11 Apr 2013 00:00:00 +1000

This week's feature interview is with Mark Dowd of Azimuth Security. Mark joins the show to fill us in on the latest trends in vulnerability research and exploit development. We recap CanSecWest's Pwn2Own competition and look at what 2013 has in store research-wise. Risky.Biz is pleased to welcome a new sponsor to the lineup -- Solera Networks, makers of fine, big data security software. These guys make packet capture-based security kit that I'm told is pretty impressive. And we've got an interesting chat in this week's sponsor interview with Solera's chief technology officer Joe Levy. We chat to him about some of the basics of big data security, as well as looking at how point solution providers are increasingly integrating their kit with established SIEM gear and log management consoles. Insomnia Security's Adam Boileau joins us for a discussion of the week's news. Show notes here.

Risky Business #276 -- Cold and flu edition

Patrick Gray — Sat, 06 Apr 2013 00:00:00 +1100

This week's show is another shorter one! I've been sick so I just couldn't pull together a feature interview. We've also got a chat with this week's sponsor guest Chris Gatford of the Australian security consulting firm HackLabs. We chat to Chris about the whole Spamhaus DDoS disaster. How damaging is it when the world's media distracts business and government leaders with stuff like this? What *should* these leaders really be concerned with? Show notes You can find this week's show here. DDoS Attack, Database Breach Take Down Two Bitcoin Services | threatpost http://threatpost.com/en_us/blogs/ddos-attack-database-breach-take-down-... Adaptive Glass - Mobile Trends | Open Letter to Instawallet http://www.adaptiveglass.com/?p=656 Daily chart: A Bit expensive | The Economist http://www.economist.com/blogs/graphicdetail/2013/03/daily-chart-12 Justin Schuh - Google+ - What Blink means for Chrome Security The Chromium project\u2026 https://plus.google.com/116560594978217291380/posts/AeCnq76cAXb Vulnerability Patched in PostgreSQL Database Server | threatpost http://threatpost.com/en_us/blogs/vulnerability-patched-postgresql-datab... PostgreSQL: 2013-04-04 Security Release FAQ http://www.postgresql.org/support/security/faq/2013-04-04/ SEC Consult Vulnerability Alert: Critical Vulnerabilities In Sophos Web Protection Appliance - Dark Reading http://www.darkreading.com/vulnerability-management/167901026/security/n... iMessage denial of service 'prank' spams users rapidly with messages, crashes iOS Messages app - The Next Web http://thenextweb.com/apple/2013/03/29/imessage-denial-of-service-prank-... Anonymous hacks North Korea's Twitter and Flickr accounts | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57577904-83/anonymous-hacks-north-korea... Who Wrote the Flashback OS X Worm? - Krebs on Security https://krebsonsecurity.com/2013/04/who-wrote-the-flashback-os-x-worm/ Huawei exec sees no growth in U.S. this year | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57577715-83/huawei-exec-sees-no-growth-... How the Spamhaus DDoS attack could have been prevented | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57576947-83/how-the-spamhaus-ddos-attac... FTC Announces Winners of Death-to-Robocalls Challenge | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/04/death-to-robocalls/ DHS Warns of 'TDos' Extortion Attacks on Public Emergency Networks - Krebs on Security http://krebsonsecurity.com/2013/04/dhs-warns-of-tdos-extortion-attacks-o... Skype, Dropbox Patch Critical Facebook Authentication Bugs | threatpost http://threatpost.com/en_us/blogs/skype-dropbox-patch-critical-facebook-... Using Customer Premise Equipment to Take Over the Internet | threatpost http://threatpost.com/en_us/blogs/using-customer-premise-equipment-take-... Phishing Campaign Using Military, Illicit Attachments | threatpost http://threatpost.com/en_us/blogs/phishing-campaign-using-military-illic... Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware | threatpost http://threatpost.com/en_us/blogs/has-anyone-seen-missing-scroll-bar-pho... Spammers Finding Favor with Google Translate | threatpost http://threatpost.com/en_us/blogs/spammers-finding-favor-google-translat... Android malware again targets Tibetans - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/338469,android-malware-again-targets-t... Backdoor Uses Evernote as Command and Control Server | Security Intelligence Blog | Trend Micro http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses... Government Fights for Use of Spy Tool That Spoofs Cell Towers | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/gov-fights-stingray-case/ Secret Files Expose Offshore's Global Impact | International Consortium of Investigative Journalists http://www.icij.org/offshore/secret-files-expose-offshores-global-impact Aussie software ferrets out hidden money - Strategy - Business - News - iTnews.com.au http://www.itnews.com.au/News/338723,aussie-software-ferrets-out-hidden-... Hackers in Uganda: A Documentary by Jeremy Zerechak - Kickstarter http://www.kickstarter.com/projects/1456247168/hackers-in-uganda-a-docum... Penetration Testing & Web Application Security - HackLabs http://www.hacklabs.com/ , The dream they have is really good. I guess they need to get the whole thing going. - Roger Stanton

Risky Business #275 -- Patch Tuesday, Indicator Wednesday?

Patrick Gray — Thu, 28 Mar 2013 00:00:00 +1100

This week's show is brought to you by our longest term sponsor, Tenable Network Security, thanks guys. In this week's sponsor interview we chat with the CEO and co-founder of Tenable, industry stalwart Ron Gula. We're chatting to him about a funny idea -- that the release of indicators of compromise might become so regular that they'll have to be handled in regular info sec team workflow. So we'll have Patch Tuesday and "which IPs owned us" Wednesday. It's a really interesting chat and it's after the news. It's a short week this week because of Easter, plus I'm in Melbourne taking care of a few things, so there's no feature interview this week. Show notes Spamhaus DDoS Attacks Triple Size of Attacks on US Banks | threatpost http://threatpost.com/en_us/blogs/spamhaus-ddos-attacks-triple-size-atta... That Internet War Apocalypse Is a Lie http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie South Korean cyberattack may not have come from China | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57575767-83/south-korean-cyberattack-ma... Spear Phishing Cause of South Korean Cyber Attack | threatpost http://threatpost.com/en_us/blogs/spear-phishing-cause-south-korean-cybe... Legal Experts: Stuxnet Attack on Iran Was Illegal 'Act of Force' | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/ Top Chinese university linked to alleged military cybercrime unit | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57576051-83/top-chinese-university-link... Don't Just Hate CISPA - Fix It | Wired Opinion | Wired.com http://www.wired.com/opinion/2013/03/dont-hate-cispa-fix-it/ Draft US cyber bill seeks 10 years jail for passwords 'traffickers' - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/337906,draft-us-cyber-bill-seeks-10-ye... Outdated Java weak spots are widespread, Websense says | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57576504-83/outdated-java-weak-spots-ar... Apple ID security issue fixed, password page back online | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57575955-83/apple-id-security-issue-fix... Apple Sets May 1 End Date for Apps that Want UDIDs | threatpost http://threatpost.com/en_us/blogs/apple-sets-may-1-end-date-apps-want-ud... Missouri Court Rules Against $440,000 Cyberheist Victim - Krebs on Security http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-c... Attackers Shifting to Delivering Unknown Malware Via FTP and Web Pages | threatpost http://threatpost.com/en_us/blogs/new-report-confronts-unknown-malware-p... Privacy 101: Skype Leaks Your Location - Krebs on Security http://krebsonsecurity.com/2013/03/privacy-101-skype-leaks-your-location/ Researchers Uncover Targeted Attack Campaign Using Android Malware | threatpost http://threatpost.com/en_us/blogs/researchers-uncover-targeted-attack-ca... Anonymized Phone Location Data Not So Anonymous, Researchers Find | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/anonymous-phone-location-data/ ICS Vulnerabilities Surface as Monitoring Systems Integrate with Digital Backends | threatpost http://threatpost.com/en_us/blogs/ics-vulnerabilities-surface-monitoring... Sensitive Enterprise Data Exposed in Amazon S3 Public Buckets | threatpost http://threatpost.com/en_us/blogs/sensitive-enterprise-data-exposed-amaz... 83,000 Kiwis exposed in email blunder - Messaging - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/337920,83000-kiwis-exposed-in-email-bl... Google Fixes 11 Flaws in Chrome | threatpost http://threatpost.com/en_us/blogs/google-fixes-11-flaws-chrome-032613 Egyptian navy captures divers trying to cut undersea internet cables \u2022 The Register http://www.theregister.co.uk/2013/03/27/egypt_cables_cut_arrest/ We have Microsoft Tuesday, so how long until we have Indicator Wednesday? | Tenable Network Security http://www.tenable.com/blog/we-have-microsoft-tuesday-so-how-long-until-... SW&theE | The Simon Wright Band http://simonwright.com.au/album/sw-thee , Of course, the internet apocalypse is a lie. I guess we can be so sure about that one. - James Cullem

Risky Business #274 -- Is "active defence" legal?

Patrick Gray — Fri, 22 Mar 2013 00:00:00 +1100

In this week's feature interview we chat with Jennifer Granick, the Head of Civil Liberties at Stanford University's Centre for Internet and Society. Jennifer has extensive experience with cyberlaw -- she has acted for clients as diverse as Aaron Swartz and HBGary! She's done it all! And she joins the show to talk about a few things -- is active defence ever legal? And what the hell is going on with the Computer Abuse and Fraud Act over there in the USA? This week's show is brought to you by Senetas, makers of fine, fine crypto hardware. If you need some crypto in your second layer, I'd suggest you get in touch with these guys. Awesome gear and as you'll hear in this week's sponsor interview with Senetas co-founder and CTO Julian Fay, these guys really know their stuff. Julian joins the show a bit later on to talk about what happens when his customers ask them to roll with custom algos because some of them don't trust those published crypto techniques. Show notes You can find this week's episode here. South Korea: Chinese address source of attack http://bigstory.ap.org/article/south-korean-banks-media-report-network-c... South Korea traces cyberattack to IP address in China | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57575494-83/south-korea-traces-cyberatt... Theories Abound on Wiper Malware Attack Against South Korea | threatpost http://threatpost.com/en_us/blogs/theories-abound-wiper-malware-attack-a... Twitter / LukeCleary: @W7VOA http://t.co/EGMq34ssk6 https://twitter.com/LukeCleary/status/314268284029661186 CCD COE - The Tallinn Manual http://www.ccdcoe.org/249.html NATO cyberwar directive declares hackers military targets - RT USA http://rt.com/usa/nato-publishes-cyberwar-guidelines-502/ What 420,000 insecure devices reveal about Web security | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57574919-83/what-420000-insecure-device... Internet Census 2012 http://internetcensus2012.bitbucket.org/paper.html Decade-old espionage malware found targeting government computers | Ars Technica http://arstechnica.com/security/2013/03/decade-old-espionage-malware-fou... CIA $600 Million Deal For Amazon's Cloud - Business Insider http://www.businessinsider.com/cia-600-million-deal-for-amazons-cloud-20... Firm faces scrutiny over hacked ABC website http://www.smh.com.au/it-pro/security-it/firm-faces-scrutiny-over-hacked... Experts Tell Congress Serious Deterrence Needed to Impede Foreign Cyber Attacks | threatpost http://threatpost.com/en_us/blogs/experts-tell-congress-serious-deterren... AT&T Hacker 'Weev' Sentenced to 3.5 Years in Prison | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/ Keys denies giving Tribune log-in credentials to Anonymous | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57575499-83/keys-denies-giving-tribune-... Cautious Optimism over Google DNSSEC Deployment | threatpost http://threatpost.com/en_us/blogs/cautious-optimism-over-google-dnssec-d... Java Code, Details Released for Potential Sandbox Bypass Issue | threatpost http://threatpost.com/en_us/blogs/java-bug-code-details-released-allowed... Vulnerabilities Continue to Weigh Down Samsung Android Phones | threatpost http://threatpost.com/en_us/blogs/vulnerabilities-continue-weigh-down-sa... www.revuln.com/files/ReVuln_EA_Origin_Insecurity.pdf http://www.revuln.com/files/ReVuln_EA_Origin_Insecurity.pdf Cisco switches to weaker hashing scheme, passwords cracked wide open | Ars Technica http://arstechnica.com/security/2013/03/cisco-switches-to-weaker-hashing... Apple adds two-step verification option for Apple IDs | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57575655-83/apple-adds-two-step-verific... Crown casino made no formal complaint to police after $32 million scam | News.com.au http://www.news.com.au/national-news/victoria/crown-casino-made-no-forma... Crown casino hi-tech scam nets $32 million | News.com.au http://www.news.com.au/breaking-news/crown-casino-hi-tech-scam-nets-32-m... 'Chameleon Botnet' takes $6-million-a-month in ad money | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57575320-83/chameleon-botnet-takes-$6-million-a-month-in-ad-money/ Security reporter hit by 'swatting' attack | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57574677-83/security-reporter-hit-by-sw... Jennifer Granick | Center for Internet and Society http://cyberlaw.stanford.edu/about/people/jennifer-granick Senetas grants master distribution status to SafeNet - SafeNet, Senetas, distribution deals - ARN http://www.arnnet.com.au/article/455608/senetas_grants_master_distributi... Ash Grunwald - Longtime - YouTube https://www.youtube.com/watch?v=n2jI1xlzjCo&playnext=1&list=PL64A7F7A1AC... , The source of attack will be very good. They need to get the whole thing very good. - James Cullem

Risky Business #273 -- The birth of the online Pinkertons?

Patrick Gray — Fri, 15 Mar 2013 00:00:00 +1100

In this week's feature interview we're chatting to industry legend and In-Q-Tel CSO Dan Geer about the idea of offence as defence. If someone's attacking you do you have the moral right to attack them back? Dan actually thinks you do. This week's show is brought to you by Adobe. Adobe's head of product security and privacy Brad Arkin pops along to have a bit of a chat about the busy few months they've been having at Adobe dealing with some interesting bugs. Show notes Intelligence chief offers dire warning on cyberattacks | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-d... Spy Chief Says Little Danger of Cyber 'Pearl Harbor' in Next Two Years | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/no-cyber-pearl-harbor/ RBA Chinese hack attack not an online security threat | Crikey http://www.crikey.com.au/2013/03/12/reserve-bank-hacking-raises-question... Twitter OAuth API Keys Leaked | threatpost http://threatpost.com/en_us/blogs/twitter-oauth-api-keys-leaked-030713 Spy Agencies to Get Access to U.S. Bank Transactions Database | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/spy-agencies-to-get-access-to-u... Secret Courtroom Audio Gives WikiLeaker Bradley Manning a Voice | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/manning_audio/ Retailer Sues Visa Over $13 Million 'Fine' for Being Hacked | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/ LinkedIn Data Breach Lawsuit Dismissed | threatpost http://threatpost.com/en_us/blogs/linkedin-data-breach-lawsuit-dismissed... Doctors 'used fake fingers' to clock in for colleagues at ER | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57574079-83/doctors-used-fake-fingers-t... Google rolls out initiative to help hacked sites | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573986-83/google-rolls-out-initiative... FBI investigating how sensitive celebrity data landed on Web | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573983-83/fbi-investigating-how-sensi... White House demands China cease alleged hacking activity | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573715-83/white-house-demands-china-c... China claims it's willing to talk to U.S. about cybersecurity | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573805-83/china-claims-its-willing-to... How Skype monitors and censors its Chinese users | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573243-83/how-skype-monitors-and-cens... Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple | The Security Ledger http://securityledger.com/many-watering-holes-targets-in-hacks-that-nett... Colin Powell's Facebook page defaced | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573607-83/colin-powells-facebook-page... Researchers highlight potential security risk to iOS users | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573765-83/researchers-highlight-poten... Apple marketing chief jabs Android security on Twitter | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573152-83/apple-marketing-chief-jabs-... Apple Finally Fixes App Store Vulnerabilities | threatpost http://threatpost.com/en_us/blogs/apple-finally-fixes-app-store-vulnerab... Researchers win $100,000 for Chrome hack that leaves Windows vulnerable | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57573064-83/researchers-win-$100000-for-chrome-hack-that-leaves-windows-vulnerable/ Microsoft patches against evil maid attack - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/336293,microsoft-patches-against-evil-... Adobe Fixes Four Critical Flaws in Flash | threatpost http://threatpost.com/en_us/blogs/adobe-fixes-four-critical-flaws-flash-... 'Herp Derp EFTPOS' update goes public - Security - Technology - News - iTnews.com.au http://www.itnews.com.au/News/336046,herp-derp-eftpos-update-goes-public... Hijacked webcam footage paraded online - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/336184,hijacked-webcam-footage-paraded... Indian Govt pays bounty for botnet probe - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/336271,indian-govt-pays-bounty-for-bot... DOWNLOAD: Kenneth Bager - Fragment Seven (Les Fleurs) (Jesse Rose remix) - RCRD LBL http://rcrdlbl.com/2009/01/21/download_kenneth_bager_fragment_seven_les_... , Those cyber attacks are imminent. I guess we all should be aware of that one. - Kris Krohn

Risky Business #272 -- Jon Callas talks Silent Circle

Patrick Gray — Thu, 07 Mar 2013 00:00:00 +1100

On this week's show we chat to PGP Corporation co-founder Jon Callas. Jon's been in the security business for a long time and he's bringing us up to speed on his latest venture, Silent Circle. This week's show is brought to you by the Australian security consulting and penetration testing firm HackLabs. And we've got a really interesting sponsor interview with HackLabs head honcho Chris Gatford about how many, many organisations simply don't do any foot-printing... and it means they miss so much! Come on people, it's a two-day job! Adam Boileau, as usual, joins us for this week's news segment. Show notes Episode 272 can be found here. The Java Zero-Day Procession Continues | threatpost http://threatpost.com/en_us/blogs/java-zero-day-procession-continues-030113 New Java 0-Day Attack Echoes Bit9 Breach - Krebs on Security http://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-bre... Oracle issues emergency Java update to patch vulnerabilities | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57572496-83/oracle-issues-emergency-jav... Prompted by Oracle Rejection, Researcher Finds Five New Java Sandbox Vulnerabilities | threatpost http://threatpost.com/en_us/blogs/prompted-oracle-rejection-researcher-f... More Java-based malware plagues the cross-platform runtime | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57572168-83/more-java-based-malware-pla... Jailed hacker allowed into IT class, hacks prison computers | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57572282-83/jailed-hacker-allowed-into-... Groundbreaking Cyber Fast Track Research Program Ending | threatpost http://threatpost.com/en_us/blogs/groundbreaking-cyber-fast-track-resear... Google Says the FBI Is Secretly Spying on Some of Its Customers | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/google-nsl-range/ Attorney General: Aaron Swartz Case Was a 'Good Use of Prosecutorial Discretion' | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/holder-swartz-case/ White House, FCC Chairman Support Legalizing Unlocking of Mobile Phones | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/03/mobile-phone-unlock/ Mobile Malcoders Pay to (Google) Play - Krebs on Security http://krebsonsecurity.com/2013/03/mobile-malcoders-pay-to-google-play/ APT1-Themed Spear Phishing Campaign Linked to China | threatpost http://threatpost.com/en_us/blogs/apt1-themed-spear-phishing-campaign-li... Google Patches 10 Chrome Flaws Ahead of Pwn2Own, Pwnium | threatpost http://threatpost.com/en_us/blogs/google-patches-10-chrome-flaws-ahead-p... Time Stamp Bug in Sudo Could Have Allowed Code Entry | threatpost http://threatpost.com/en_us/blogs/time-stamp-bug-sudo-could-have-allowed... MiniDuke Espionage Campaign Began About a Year Earlier Than First Thought | threatpost http://threatpost.com/en_us/blogs/miniduke-espionage-campaign-began-abou... Apple Begins to Blacklist Old Versions of Flash for Safari | threatpost http://threatpost.com/en_us/blogs/apple-begins-blacklist-old-versions-fl... Evernote Compromised, But Says No User Data Affected | threatpost http://threatpost.com/en_us/blogs/evernote-compromised-says-no-user-data... Locked-down BlackBerry offers classified, personal use | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57572337-83/locked-down-blackberry-offe... CloudFlare security service goes down after router failure | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57572259-83/cloudflare-security-service... The most secure Android phone in the world (maybe) | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57571961-83/the-most-secure-android-pho... Sudden death of U.S. engineer in Singapore linked to cyber espionage? | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57572070-83/sudden-death-of-u.s-enginee... Dropbox users getting spammed, might be from earlier hack | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57571968-83/dropbox-users-getting-spamm... Anonymous leaks alleged data on BofA execs, surveillance | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57571955-83/anonymous-leaks-alleged-dat... Dell builds sinkhole data-sharing platform - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/335362,dell-builds-sinkhole-data-shari... CommBank builds security fault tree after RSA breach - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/335102,commbank-builds-security-fault-... Use decoy and deception to mess with hackers - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/335049,use-decoy-and-deception-to-mess... Hackers focus energy on solar sector - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/335003,hackers-focus-energy-on-solar-s... silent circle - Google Search https://www.google.com/search?q=silent+circle&aq=f&oq=silent+circle&aqs=... Here's this week's sponsor: Buy their stuff!!! Penetration Testing & Web Application Security - HackLabs http://www.hacklabs.com/ , The zero day attack is really good. I guess they are aware of what they have. - Kris Krohn

Risky Business #271 -- All your funnycats R belong 2 APT1

Patrick Gray — Fri, 01 Mar 2013 00:00:00 +1100

On this week's show we're chatting with Mandiant's Managing Director of Threat Intelligence, Dan McWhorter, about that company's report into Chinese cyber espionage activity. Mandiant dropped the report last week and it's caused quite a stir, even eliciting a response from the Whitehouse and Chinese officials. That's an interesting conversation and it's after the news. This week's show is brought to you by Tenable Network Security, makers of fine vulnerability scanning and SIEM software. Tenable's product manager and all-round nice guy Jack Daniel will be along in this week's sponsor interview to discuss some other aspects of this APT1 issue. Like, for example, how the attackers were using executable trojans embedded in zip files and still managed to own half the Western world's intellectual property. That's this week's sponsor interview -- an interesting blend of hilarious and depressing. Show notes Bradley Manning Takes "Full Responsibility" for Giving WikiLeaks Huge Government Data Trove | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/02/bradley-manning/ The Incredible Rise and Fall of a Hacker Who Found the Secrets of the Next Xbox and PlayStation-And Maybe More http://kotaku.com/5986239/the-rise-and-fall-of-superdae-a-most-unusual-v... Sentencing of LulzSec double agent postponed | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57570764-83/sentencing-of-lulzsec-doubl... Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant-found/ EXCLUSIVE: Hacked ABC website likely breached by crooks in 2011 | Risky Business http://risky.biz/opwilders MiniDuke Espionage Malware Hits Governments in Europe Using Adobe Exploits | threatpost http://threatpost.com/en_us/blogs/miniduke-espionage-malware-hits-govern... Adobe Patches Two Critical Flash Player Vulnerabilities | threatpost http://threatpost.com/en_us/blogs/adobe-patches-two-critical-flash-playe... Chrome 25 Fixes Nine High-Risk Vulnerabilities | threatpost http://threatpost.com/en_us/blogs/chrome-25-fixes-nine-high-risk-vulnera... Latest Kelihos Botnet Shut Down Live at RSA Conference 2013 | threatpost http://threatpost.com/en_us/blogs/latest-kelihos-botnet-shut-down-live-r... RSA Conference 2013: Experts Say It's Time to Prepare for a 'Post-Crypto' World | threatpost http://threatpost.com/en_us/blogs/rsa-conference-2013-experts-say-its-ti... Two More Java Zero Days Found by Polish Research Team | threatpost http://threatpost.com/en_us/blogs/two-more-java-zero-days-found-polish-r... Microsoft Azure Cloud Storage Suffers Major Outage Over Expired SSL Certificate | threatpost http://threatpost.com/en_us/blogs/microsoft-azure-cloud-storage-suffers-... Feds Used Aaron Swartz's Political Manifesto Against Him | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/02/aaron-swartz-manifesto/ Facebook Patches OAuth Authentication Vulnerability | threatpost http://threatpost.com/en_us/blogs/facebook-patches-oauth-authentication-... China blames U.S. for most cyberattacks against military Web sites | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57571811-83/china-blames-u.s-for-most-c... Add Microsoft to list of hacked companies | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57570861-83/add-microsoft-to-list-of-ha... ATO passwords stored in clear text - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/334921,ato-passwords-stored-in-clear-t... Mandiant Intelligence Center Report | Mandiant\xae http://intelreport.mandiant.com/ Tenable Network Security http://www.tenable.com/ Das EFX - Straight Out The Sewer - YouTube http://www.youtube.com/watch?v=xXSsLa3PlDc Patrick Gray on ABC television, discussing ABC breach http://www.abc.net.au/7.30/content/2013/s3699924.htm , Xbox and Playstation has its secret? Wow, this is a conspiracy theory in one way or another. - Mission Maids

EXCLUSIVE: Hacked ABC website likely breached by crooks in 2011

Patrick Gray — Wed, 27 Feb 2013 00:00:00 +1100

The ABC Website compromised by anonymous attackers overnight was likely already breached by cyber-criminals active on Russian forums as far back as 2011. The user database of the Making Australia Happy television program was published overnight with the emails and hashed passwords of its 50,000 users dumped on paste websites. The pastes were released under the tag "#OpWilders"; the breach ostensibly a revenge attack over the ABC's decision to air an interview with controversial anti-Muslim Dutch politician Geert Wilders, who visited Australia last week. But strong circumstantial evidence has emerged that suggests the site had already been compromised by criminals. The first two password hashes in the compromised database appeared on a Russian cybercrime website, in sequence, in 2011. Forum user "prevedma1" posted a thread in October 2011 titled "Need crack hashes" before pasting in two SHA1 hashes. The hashes are identical to the first two contained in the leaked user database. One of them corresponds to an ABC user account with moderator privileges. You can see a screen capture here. If this database was indeed obtained by cybercrooks back then it's likely it was used in phishing and malware campaigns. It is unclear why the supposed attacker was seeking to crack those hashes, but the ABC moderator account would have presumably afforded simple and privileged access to the site's content management system. It's also possible the attacker was hoping the ABC admin account password was re-used elsewhere. Cracking it would be an excellent way to further propagate an attack deeper into the ABC network. Opinion seems divided as to whether the latest hack, or "operation" in Anonspeak, was met with approval from the Anonymous community. An attack against a media organisation by a protest "brand" that supports free speech seems to run contrary to the anti-censorship ideals of the Anonymous movement. Follow Patrick Gray on Twitter here. Check out the Risky Business podcast here.

Risky Business #270 -- Red teaming your law firm for fun and profit

Patrick Gray — Fri, 22 Feb 2013 00:00:00 +1100

On this week's show we're taking a look at the issue of secondary targeting. These days it's borderline likely that attackers who want information on your company's upcoming mergers and acquisition activity won't even bother attacking you to get the intel. They'll go for your law firm instead... or your accountants... or another partner. CERT Australia Executive Manager Dr. Carolyn Patterson joins the show to talk about that. This week's show is brought to you by Senetas, makers of fine, layer 2 encryption hardware boxens! If you're planning a greenfields development, please, please, please go visit the Senetas website. They're a publicly listed company and they make really good gear. This week's sponsor interview is with Senetas co-founder and CTO Julian Fay, who as you'll discover, really knows what he's talking about. This week we chat to Julian about the various certification schemes out there -- FIPS, Common Criteria and CAPS. We talk about some of the problems with these schemes, and also about some of the changes that are being made to them. Certification is changing, big time, so make sure you listen to that one.

Risky Business #269 -- Dave Aitel on the end of clientsides

Patrick Gray — Fri, 15 Feb 2013 00:00:00 +1100

On this week's show we have a chat with industry stalwart Dave Aitel of Immunity Inc. Dave joins us to chat about a few things -- like what it will be like when clientside memory corruption exploits become as rare as server side corruption exploits are now. How will that change the security discipline? We also have a chat about El Jefe and sneaky ways of handling command and control. This week's show is brought to you by NCC Group, the global information security firm. NCC Group's Asia Pacific General Manager and BeEF project creator Wade Alcorn joins us in this week's sponsor slot to chat about recent Ruby on Rails bugs. It's been patched three times in the last month! But how much of a problem is that for you? Is Ruby on Rails being used for serious business? Should it be? You can find Patrick on Twitter here and Adam here. Show notes Security Firm Bit9 Hacked, Used to Spread Malware - Krebs on Security http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spr... Microsoft Report Examines Socio-Economic Relationships to Malware Infections | threatpost http://threatpost.com/en_us/blogs/microsoft-report-examines-socio-econom... Cybersecurity Executive Order Short on Action, Long on Voluntary Initiatives | threatpost http://threatpost.com/en_us/blogs/cybersecurity-executive-order-short-ac... White House Must Respond to Petition Seeking Swartz Prosecutor's Firing | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/02/swartz-prosecutor-petition/ DHS Watchdog OKs 'Suspicionless' Seizure of Electronic Devices Along Border | Threat Level | Wired.com http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/ Malware Intelligence Lab from FireEye - Research & Analysis of Zero-Day & Advanced Targeted Threats:In Turn, It's PDF Time http://blog.fireeye.com/research/2013/02/in-turn-its-pdf-time.html Emergency Adobe Flash Player Patches Fix Pair of Zero Days | threatpost http://threatpost.com/en_us/blogs/emergency-adobe-flash-player-patched-f... Microsoft's next Patch Tuesday to fix 57 security bugs | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57568412-83/microsofts-next-patch-tuesd... Hackers can easily breach Emergency Alert Systems | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57569322-83/hackers-can-easily-breach-e... Ransomware cybercrime ring dismantled in Europe | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57569321-83/ransomware-cybercrime-ring-... Old OS X malware used in increased attacks against Uyghur groups | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57569252-83/old-os-x-malware-used-in-in... Anonymous fails to shut down live streams of Obama address | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57569098-83/anonymous-fails-to-shut-dow... Gmail of journalists in Myanmar said to be hacked | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57568840-83/gmail-of-journalists-in-mya... Audacious Hack Exposes Bush Family Pix, E-Mail | The Smoking Gun http://www.thesmokinggun.com/documents/bush-family-hacked-589132 Telecom NZ says 22,500 Xtra email accounts hacked - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/333169,telecom-nz-says-22500-xtra-emai... Yahoo! Pushing Java Version Released in 2008 - Krebs on Security http://krebsonsecurity.com/2013/02/yahoo-pushing-java-version-released-i... Mega security bugs detailed - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/331952,mega-security-bugs-detailed.aspx Australian Tax System Breached By Criminals http://www.smh.com.au/it-pro/security-it/criminals-breach-australian-tax... CERT Australia rebuffs ex-staff criticism - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/331618,cert-australia-rebuffs-ex-staff... Theoretical Lucky Thirteen TLS Attacks Could Turn Practical | threatpost http://threatpost.com/en_us/blogs/theoretical-lucky-thirteen-tls-attacks... VMware Fixes Privilege Escalation Vulnerability | threatpost http://threatpost.com/en_us/blogs/vmware-fixes-privilege-escalation-vuln... Ballot-stuffing bot hits News Ltd polls - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/331994,ballot-stuffing-bot-hits-news-l... The Ubermotive Guide to Media Influence | http://www.ubermotive.com/?p=68 Media Watch: News gets gamed (11/02/2013) http://www.abc.net.au/mediawatch/transcripts/s3688053.htm?site=westernvic Anonymous intends to block Webcasts of State of the Union | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57569044-83/anonymous-intends-to-block-... IMMUNITY : Knowing You're Secure http://www.immunityinc.com/products-eljefe.shtml IMMUNITY : Knowing You're Secure http://www.immunityinc.com/products-swarm.shtml JaFFer Music, Lyrics, Songs, and Videos http://www.reverbnation.com/jafferband BeEF - The Browser Exploitation Framework Project http://beefproject.com/ Information Security, Escrow & Other Solutions - NCC Group http://www.nccgroup.com/ , This week's show should not be missed. i am definite for the real thing that we will learn on this show. looking forward to it. - Flemings Ultimate Garage

Risky Business #268 -- Outsource your bug bounty program?

Patrick Gray — Fri, 08 Feb 2013 00:00:00 +1100

This week's feature interview is with Casey Ellis of BugCrowd.com -- a new business that runs outsourced bug bounty programs. It's a great idea and it's one that I personally think will really take off over the next couple of years. This week's show is brought to you by our good friends at Adobe. Adobe's director of product security and privacy Brad Arkin will be along a bit later on with an update on the phantom 0day issue the company experienced last year, as well as filling us in on some efforts designed to combat spearphishing attacks that use dodgy Flash objects embedded in Office files. It's more interesting than it sounds! Adam Boileau is back in the news seat for a chat about recent headlines. You can find links to all the articles we discussed here.

Risky Business #267 -- 2012 in review

Patrick Gray — Thu, 13 Dec 2012 00:00:00 +1100

This week's show takes a look back at some of the big issues and stories of 2012: The arrest of the Lulzsec crew, the release of Stratfor's email by Wikileaks and the Australian government ban on Huawei participating in the NBN rollout. With bonus lulz. This is the final episode of Risky Business for 2012. We'll be back in February 2013!

Risky Business #266 -- ToR, BitCoin, crooks and quantum key distribution

Patrick Gray — Fri, 07 Dec 2012 00:00:00 +1100

On this week's show we're talking ToR and BitCoin with Alice Hutchings, a Senior Researcher and Analyst with the Australian Institute of Criminology's Global, Economic and Electronic Crime Program. ToR helps dissidents in foreign countries access information their governments deem unsavoury -- but it also provides a layer of protection to the consumers of child porn. Combine it with technology like BitCoin and bang, you've got Silk Road. Given the illicit uses of such technology, is volunteering to run a ToR server moral? It's a fun, completely pointless academic conversation and it's coming up after the news! This week's show is brought to you by Senetas, makers of fine layer 2 encryption technology. Senetas CTO Julian Fay joins us in this week's sponsor interview and we're talking all about Quantum Key Distribution. It's a technology that is available commercially and after listening to that interview you'll actually know what it does and how it works! I learned a lot doing that interview. It's good stuff. Show notes John McAfee Hospitalized in Guatemala | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/12/threatlevel_1206_mcafeehospital/ Sophisticated botnet steals more than $47M by infecting PCs and phones | Ars Technica http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more... Bank Agrees to Reimburse Hacking Victim $300K in Precedent-Setting Case | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/bank-to-pay-hacking-victim/ Massive worm hits Tumblr, spams big blogs like USA Today | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57556784-83/massive-worm-hits-tumblr-sp... Pentagon Deploying DARPA to Wage War on Backdoors | threatpost http://threatpost.com/en_us/blogs/pentagon-deploying-darpa-wage-war-back... Google Launches Private Android App Stores | threatpost http://threatpost.com/en_us/blogs/google-launches-private-android-app-st... Hackers steal customer info from insurance provider Nationwide | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57557408-83/hackers-steal-customer-info... U.S., U.K. caught in middle of huge Swiss spy data leak -- report | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57557004-83/u.s-u.k-caught-in-middle-of... ATM Thieves Swap Security Camera for Keyboard - Krebs on Security http://krebsonsecurity.com/2012/12/atm-thieves-swap-security-camera-for-... Twitter SMS bug lets hackers tweet via other users' accounts | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57557050-83/twitter-sms-bug-lets-hacker... Security Essentials fails latest AV-Test | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57556340-83/security-essentials-fails-l... Judge Gives Bradley Manning Permission to Plead Guilty for WikiLeaks Dumps | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/manning-plea-terms-accepted/ Congress Demands United Nations Keep Hands Off the Internet | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/12/united-nations-internet-regs/ Mac malware follows Flashback - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/325137,mac-malware-follows-flashback.aspx Six Security Flaws Fixed in BIND 9.9.2 | threatpost http://threatpost.com/en_us/blogs/six-security-flaws-fixed-bind-992-120512 Microsoft Fixing 11 Vulnerabilities for December Patch Tuesday | threatpost http://threatpost.com/en_us/blogs/microsoft-fixing-11-vulnerabilities-de... Experts Downplay MySQL Database Zero-Days | threatpost http://threatpost.com/en_us/blogs/experts-downplay-mysql-database-zero-d... Austrian Police Raid ToR Exit Node Admin http://www.scmagazine.com.au/News/324804,tor-exit-node-operator-raided-b... Senetas - Hybrid Quantum Encryption http://www.senetas.com/products/products/hybrid-quantum-encryption.htm , Being hospitalized in Guatemala is really interesting. I would want to know what the hospital looks like in there. - Feed the Children Reviews

Risky Business #265 -- Reliably detecting 0day with crash dumps

Patrick Gray — Fri, 30 Nov 2012 00:00:00 +1100

On this week's show were chatting with Rex Warren of Leviathan Security in the United States. Leviathan has been working with DARPA on an interesting new system that can reliably detect failed 0day exploitation attempts against hosts. Basically these guys are just grabbing Dr. Watson crash dumps at the gateway, but where it gets interesting is when we look at what they do with those crash dumps. Emulation FTW. This week's show is brought to you by the fine folk at Tenable Network Security. If you need vulnerability scanning or SIEM software you really need to go visit their website. On this week's show we're revisiting the topic of phantom 0day with Ron Gula, the chief executive and co-founder of Tenable. We'll also be chatting to him about whether or not the biggest threat to users in the future could be social engineering. Show notes Zero-day hotel keycard hack goes unfixed, now being used by Texas thieves | ExtremeTech http://www.extremetech.com/electronics/141557-zero-day-hotel-keycard-hac... UN nuclear watchdog confirms data leak | ZDNet http://www.zdnet.com/un-nuclear-watchdog-confirms-data-leak-7000008001/ Chrome Zero-Day Presentation Gives Way to Mandatory Military Service | threatpost http://threatpost.com/en_us/blogs/chrome-zero-day-presentation-gives-way... Google Repairs High-Risk Flaw in Chrome | threatpost http://threatpost.com/en_us/blogs/google-repairs-high-risk-flaw-chrome-1... Cisco and "8 Diamonds" threaten Chinese security http://tech.sina.com.cn/t/2012-11-27/09207834698.shtml Update: Attack on Romanian TLD Register led to Google, Yahoo Defacements and DNS Redirects | threatpost http://threatpost.com/en_us/blogs/update-attack-romanian-tld-register-le... DSD issues advice for executives tackling BYOD | ZDNet http://www.zdnet.com/au/dsd-issues-advice-for-executives-tackling-byod-7... Credit card companies' WikiLeaks block just fine, EU says | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57554855-83/credit-card-companies-wikil... Romanian hackers behind $30m Australian credit card theft - ABC News (Australian Broadcasting Corporation) http://www.abc.net.au/news/2012-11-29/afp-uncovers-romanian-card-hacking... Second person guilty in AT&T iPad prank hack - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/324412,second-person-guilty-in-att-ipa... Researcher reveals backdoor access in Samsung printers | ZDNet http://www.zdnet.com/researcher-reveals-backdoor-access-in-samsung-print... Java Zero-Day Exploit on Sale for 'Five Digits' - Krebs on Security https://krebsonsecurity.com/2012/11/java-zero-day-exploit-on-sale-for-fi... Kaseya patches platform vulnerability - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/323797,kaseya-patches-platform-vulnera... Piwik Update Infected with Backdoor Malware | threatpost http://threatpost.com/en_us/blogs/piwik-update-infected-backdoor-malware... Researcher Finds Nearly Two Dozen SCADA Bugs in a Few Hours' Time | threatpost http://threatpost.com/en_us/blogs/researcher-finds-nearly-two-dozen-scad... Symantec Warns of New Malware Targeting SQL Databases | threatpost http://threatpost.com/en_us/blogs/symantec-warns-new-malware-targeting-s... , Good blog post!! Thank you a lot for providing individuals with an exceptionally terrific opportunity to read from this site. It's usually very ideal and also full of amusement for me and my office peers to search the blog the equivalent of three times in a week to read through the fresh secrets you have got. villa rental koh samui , The hack has been pretty good so far. We all need to get the whole thing involved. - Feed the Children Reviews

Risky Business #264 -- Three Guys With Ponytails Talk About Security

Patrick Gray — Fri, 23 Nov 2012 00:00:00 +1100

On this week's show I'll being playing an excerpt from a panel discussion that took place at Kiwicon -- the session was called Three Guys with Ponytails Talk Security. The three guys are PGP Corporation co-founder Jon Callas, nCipher co-founder Nicko van Someren and the University of Auckland's Peter Gutmann. The topics include quantum computing and Peter's oddly overkill print server. This week's show is brought to you by Adobe! Adobe's head of product security and privacy Brad Arkin joins the show in this week's sponsor segment to talk about what he's calling "phantom 0day". Show notes U.S. accused of cyberattack on French government | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57553153-83/u.s-accused-of-cyberattack-... FreeBSD Servers Compromised; Third-Party Software Packages Could be Impacted | threatpost http://threatpost.com/en_us/blogs/freebsd-servers-compromised-third-part... Hacker found guilty of massive AT&T-iPad site breach | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57552852-83/hacker-found-guilty-of-mass... Attackers Had Access for Months in South Carolina Data Breach | threatpost http://threatpost.com/en_us/blogs/attackers-had-access-months-south-caro... Researchers Remotely Control Smart Cards with Malware PoC | threatpost http://threatpost.com/en_us/blogs/researchers-remotely-control-smart-car... John McAfee, Unhinged: His Bizarre Breaks From Reality | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/mcafee-unhinged/ Megaupload Assisted U.S. Prosecution of Smaller File-Sharing Service | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/megaupload-investigation-roots/ Microsoft hands Windows 8 Pro to pirates by mistake | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57552960-83/microsoft-hands-windows-8-p... Anonymous escalates its 'cyberwar' against Israel | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57552168-83/anonymous-escalates-its-cyb... Obama reportedly signs secretive cybersecurity policy directive | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57550092-83/obama-reportedly-signs-secr... Facebook Enabling HTTPS by Default for North American Users | threatpost http://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-... Aussie researchers paid to make US drones unhackable - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/323047,aussie-researchers-paid-to-make... Operation High Roller Now Targets Europe's SEPA Network and Large US Bank | threatpost http://threatpost.com/en_us/blogs/operation-high-roller-now-targets-euro... Pwning Androids, iPhones with Exchange - Messaging - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/323360,pwning-androids-iphones-with-ex... Researcher owns blue chip managed service platforms - Cloud - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/323288,researcher-owns-blue-chip-manag... Judge throws out Steam breach lawsuit over lack of "harm" - SC Magazine http://www.scmagazine.com/judge-throws-out-steam-breach-lawsuit-over-lac... Who is McAfee? | The official Blog of John McAfee. -[ www.whoismcafee.com ]- http://www.whoismcafee.com/ This week's feature track: Can't Get Enough by Supergroove http://www.youtube.com/watch?v=9gEy2FJ_AiA , Does the French government know how to back up what they are saying? If so, they might have to get themselves a good evidence. - Feed the Children Reviews

Risky Business #263 -- Data retention and the national security review

Patrick Gray — Thu, 15 Nov 2012 00:00:00 +1100

In this week's feature interview we're chatting with the Assistant Commissioner of the Australian Federal Police, Neil Gaughan. He's the national manager of High Tech Crime Operations and he's joining us to discuss the ongoing national security review. As a part of that review the government is introducing laws that will force ISPs and other Carriage Service Providers (CSPs) to store information on Australian citizens for two years. It sounds scary, but as you'll hear the data covered by the proposed new law is actually pretty mundane stuff like DHCP and SIP logs. We have a new Risky Business sponsor this week, an Australian company named Senetas. These guys make layer 2 crypto gear which I find very, very interesting. So in this week's sponsor interview I basically just had a yarn with Senetas co-founder and CTO Julian Fay about where that sort of gear is most useful. As you'll hear, Julian knows networks and he knows crypto. Adam Boileau, as usual, joins us for the week's news headlines. Show notes This week's feature interview source material: ------------------------------------------------------------------------ The AFP's definition of communications metadata: http://scott-ludlam.greensmps.org.au/sites/default/files/afpdoc.pdf This week's news items: ------------------------------------------------------------------------ John McAfee, in Hiding, Condemns Belizean Government as 'Pirates' | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/mcafee-essay/ Skype Restores Password Resets, Repairs Flaw that Allows Account Hijacking | threatpost http://threatpost.com/en_us/blogs/skype-suspends-password-resets-investi... Attackers Compromise Adobe Connect User Site | threatpost http://threatpost.com/en_us/blogs/attackers-compromise-adobe-connect-use... Google Puts Flash in a Sandbox on OS X | threatpost http://threatpost.com/en_us/blogs/google-puts-flash-sandbox-os-x-111412 Bradley Manning Offers to Plead Guilty to Partial Charges, Including Leaking to WikiLeaks | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/bradley-manning-plea-notice/ ============================================ SPONSORED WHITEPAPERS. READ 'EM TO SUPPORT RISKY BUSINESS! Senetas - Security Products White Papers http://www.senetas.com/products/resources/white-papers.htm ============================================ Given Tablets but No Teachers, Ethiopian Children Teach Themselves | MIT Technology Review http://www.technologyreview.com/news/506466/given-tablets-but-no-teacher... Dictionary apps post false piracy confessions on Twitter - Crave http://www.cnet.com.au/dictionary-apps-post-false-piracy-confessions-on-... Hong Kong stock exchange hacker sentenced to jail | ZDNet http://www.zdnet.com/cn/hong-kong-stock-exchange-hacker-sentenced-to-jai... Blizzard Sued Over Data Breach, Authenticator Sales | threatpost http://threatpost.com/en_us/blogs/blizzard-sued-over-data-breach-authent... Twitter Resets More Passwords Than Accounts Hacked | threatpost http://threatpost.com/en_us/blogs/twitter-resets-more-passwords-accounts... Ransomware a growing menace, says Symantec | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57548314-83/ransomware-a-growing-menace... Microsoft Update Includes Critical Security Update for IE 9, First Patches for Windows 8, RT | threatpost http://threatpost.com/en_us/blogs/microsoft-update-includes-critical-sec... Variant of Mac Malware Targets Tibetan Activists | threatpost http://threatpost.com/en_us/blogs/variant-mac-malware-targets-tibetan-ac... Memory Bug Fixed in Tor Client | threatpost http://threatpost.com/en_us/blogs/memory-bug-fixed-tor-client-110912 This week's feature track: ------------------------------------------------------------------------ The Afrobiotics - Don't Play With Fire on Official.fm http://official.fm/tracks/yG16

Risky Business #262 -- Side channel VM crypto attacks are badass

Patrick Gray — Thu, 08 Nov 2012 00:00:00 +1100

On this week's show we're chatting with renowned megabrain Peter Gutmann about a paper on side channel attacks against crypto keys in virtualised environments. It's really complicated stuff, but very, very interesting. Peter didn't do this research or write the paper, but I always like getting his take on this stuff because... well... he's really smart and he doesn't overhype stuff. That's after the news. This week's show is brought to you by a new sponsor! NCC Group! Yay! These guys have been the acquisition monster over the last couple of years, picking up NGS Security, iSec Partners and Matasano, among others. They're a large infosec company these days with a lot of extremely clever people working for them. Joining us in this week's sponsor interview is Wade Alcorn, the Australia country manager for NCC Group... he's also the founder of the BeEF project and a very smart guy. He's joining us to have a chat about some interesting developments in Japan where a bunch of people have been arrested and charged with criminal offences for writing grey-market and downright illegal mobile apps. Show notes Experts Warn of Zero-Day Exploit for Adobe Reader - Krebs on Security http://krebsonsecurity.com/2012/11/experts-warn-of-zero-day-exploit-for-... Adobe Patches Critical Memory Vulnerabilities in Flash Player, AIR | threatpost http://threatpost.com/en_us/blogs/adobe-patches-critical-memory-vulnerab... COLUMBIA, S.C. - Lawsuit over SC Revenue security breach expanded - State & Regional - TheState.com http://www.thestate.com/2012/11/05/2508579/lawsuit-over-sc-revenue-secur... PixSteal-A Trojan Steals Images, Uploads to Iraqi FTP Server | threatpost http://threatpost.com/en_us/blogs/pixsteal-trojan-steals-images-uploads-... M3AAWG Recommends New DKIM Best Practices | threatpost http://threatpost.com/en_us/blogs/m3aawg-recommends-new-dkim-best-practi... Google Adds Malware Scanner to Jelly Bean 4.2 | threatpost http://threatpost.com/en_us/blogs/google-adds-malware-scanner-jelly-bean... Android Smishing Vulnerability Found in Android Open Source Project Firmware | threatpost http://threatpost.com/en_us/blogs/android-smishing-vulnerability-found-a... Coke Gets Hacked And Doesn't Tell Anyone - Businessweek http://www.businessweek.com/news/2012-11-04/coke-hacked-and-doesn-t-tell More VMware ESX Source Code Posted Online | threatpost http://threatpost.com/en_us/blogs/more-vmware-esx-source-code-posted-onl... Team Ghostshell Allegedly Spills 2.5 M Russian Records | threatpost http://threatpost.com/en_us/blogs/team-ghostshell-allegedly-spills-25-m-... Apple Patches Kernel, Passcode Lock and WebKit Flaws in iOS 6.0.1 | threatpost http://threatpost.com/en_us/blogs/apple-patches-kernel-passcode-lock-and... Apache Server-Status Publicly Viewable on Top Sites | threatpost http://threatpost.com/en_us/blogs/apache-server-status-publicly-viewable... China Most Threatening Cyberspace Force, U.S. Panel Says - Bloomberg http://www.bloomberg.com/news/2012-11-05/china-most-threatening-cyberspa... Facebook password-bypass flaw fixed | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57544933-83/facebook-password-bypass-fl... Hotmail Takes on Election Duties as Servers in New Jersey Crash | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/11/new-jersey-email-fai/ Hackers expose British Navy email logins - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/322232,hackers-expose-british-navy-ema... Fraudsters launder cash though grants startup - Risk - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/322118,fraudsters-launder-cash-though-... www.cs.unc.edu/~reiter/papers/2012/CCS.pdf http://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf Japanese Android developers arrested for infecting 10 million users - Hacker News , Security updates http://thehackernews.com/2012/10/japanese-android-developers-arrested.ht... , The critical memory it has is really something. We need to get ourselves busy with that one. - Flemings Ultimate Garage , Link to Sophail: Applied attacks against Sophos Antivirus https://lock.cmpxchg8b.com/sophailv2.pdf

Risky Business #261 -- Divide by zero, destroy power grid

Patrick Gray — Fri, 02 Nov 2012 00:00:00 +1100

We've got a great feature interview in this week's show with a computer science undergrad in the US who worked on a paper dealing with GPS security. You'll find out how you can melt down power lines with GPS haxx! Fun for the whole family! This week's show is sponsored by Tenable Network Security. We'll be having Tenable product manager Jack Daniel on the line to talk about the death of periodical vulnerbility scanning. Apparently continuous scanning is all the rage these days! I've spent the entire week down with the manflu, as you will probably hear, so apologies if the energy levels are down a bit this week. Show notes VUPEN Researchers Say They Have Zero-Day Windows 8 Exploit | threatpost http://threatpost.com/en_us/blogs/vupen-researchers-say-they-have-zero-d... Deloitte audit report that makes NZ government look like jerks: http://www.msd.govt.nz/documents/about-msd-and-our-work/newsroom/media-r... NY Post Pisses Its Pants Over Terrorism Homework; And You Should Too | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/terrorism-homework/ Homeland Security chief: Banks 'under attack' by hackers | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57543300-83/homeland-security-chief-ban... Huawei looks to German security researchers for help | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57542809-83/huawei-looks-to-german-secu... Anonymous takes aim at Zynga | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57541801-83/anonymous-takes-aim-at-zynga/ Millions of SSNs lifted from South Carolina database | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57541481-83/millions-of-ssns-lifted-fro... Feds charge 14 with making ATM cashouts appear like one - SC Magazine http://www.scmagazine.com/feds-charge-14-with-making-atm-cashouts-appear... Outages hit Google App Engine, Dropbox, Tumblr, and more | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57541195-83/outages-hit-google-app-engi... China blocks NY Times over story on leader's 'hidden fortune' | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57541137-83/china-blocks-ny-times-over-... U.S. looks to replace human surveillance with computers | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57540826-83/u.s-looks-to-replace-human-... Cisco Patches Vulnerabilities in Data Center and Web Conferencing Products | threatpost http://threatpost.com/en_us/blogs/cisco-patches-vulnerabilities-data-cen... ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining | threatpost http://threatpost.com/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-... Here's the paper discussed in this week's feature interview! http://users.ece.cmu.edu/~dbrumley/courses/18487-f12/readings/Nov28_GPS.pdf If you enjoyed the music in this week's show, buy it! Shop \xab Andrea Soler http://andreasoler.com/shop/ , Windows 8 is really good. I don't really think it will be particularly good in there. - ReputationAdvocate.com

INTERVIEW: Musclenerd on Qualcomm baseband hacking

Patrick Gray — Wed, 31 Oct 2012 00:00:00 +1100

This podcast is an interview with Eric "Musclenerd" McDonald. Eric is a renowned iPhone jailbreaker and as such has a very detailed understanding of smartphone platforms. His talk at Ruxcon Breakpoint was all about the security of baseband chipsets. If you follow this stuff you might know that the baseband chipsets in these smartphones -- which handle all the basic communications functions of the phones -- are actually quite sophisticated. And where there's sophistication, there are potential problems. As you'll hear, there's research going into attacking baseband chipsets through two vectors -- directly through the cell network, if you control it, or if you can trick your targets handset into associating with your fake networks... or indeed through the OS. It's interesting stuff.

INTERVIEW: Sniffing USB firmware with FaceDancer

Patrick Gray — Wed, 31 Oct 2012 00:00:00 +1100

This podcast is an interview I did at the Breakpoint security conference with security researcher Travis Goodspeed. He's come up with a hardware device called FaceDancer that allows him to capture USB device firmware by emulating the devices. What can you do with that? Well, you can start messing with those devices, loading up custom firmware, and even use modified USB devices to attack hosts.

Risky Business #260 -- News, Ducklin, Arkin and more!

Patrick Gray — Fri, 26 Oct 2012 00:00:00 +1100

This week's show is brought to you by our benevolent overlords at Adobe! And this week's sponsor interview is a must listen. Adobe's director of product security and privacy Brad Arkin joins us to discuss the breach at Adobe HQ that lead to malicious binaries being signed as valid by their code signing boxes. Yes, it's a sponsor interview but Brad does a great job at answering some tough questions about the known extent of the compromise. I found that conversation extremely interesting and I suspect you will too. We also chat to him about some new security features in Flash Player and Reader. Also this week we're chatting with Paul Ducklin of Sophos Australia. Duck is well known to most Risky Business listeners, he's a regular guest, and this week he's joining us to talk about a few items of interest -- Oracle's awful patching schedule, a Sony lawsuit getting tossed and some weak DKIM issues that affected Google. Insomnia Security's Mark Piper joins us to discuss the week's news headlines. You can find links to all our news in this week's show notes.

INTERVIEW: Did Google dodge the Android pwnbullet?

Patrick Gray — Thu, 25 Oct 2012 00:00:00 +1100

This podcast is an interview I did with Accuvant's Joshua Drake, aka jduck. His Breakpoint presentation was on the topic of Android security. As regular listeners of the Risky Business podcast would know, we're pretty much convinced Android was rushed to market -- it was insecure, immature, way too open and a big, glaring risk to its users. Combine that with the inherent problems with the Android ecosystem and you had a recipe for disaster. For those unfamiliar with those ecosystem problems, Android is very difficult to patch. Android users must wait for Google to update the OS, then ship the updates to the manufacturers who customise them for their hardware, then in turn they have to pass them on to the carriers, who may or may not customise those OS builds for compatibility with their apps and then pass the updates out over the air. Long story short, most Android devices wind up remaining unpatched. Well, things have changed. As Joshua outlined in his presentation, Google has built a lot of exploit mitigations into the mobile OS and they're starting to look pretty effective. Is it possible that Google has dodged what many saw as an inevitable bullet?

INTERVIEW: Barnaby Jack on hacking implantable medical devices

Patrick Gray — Thu, 25 Oct 2012 00:00:00 +1100

This podcast is an interview I did with Barnaby Jack, a security researcher with IOActive. Barnes is probably best known for his work on ATM security. He famously "jackpotted" an ATM live on stage at BlackHat in 2010, but if he were to do a live demo of his latest research he'd probably wind up in prison. That's because he's been looking at implantable defibrillators and pacemakers. As it turns out they have wireless interfaces that allow you to connect to them. You can bypass their rudimentary authentication and start sending 830 volt zaps into your victim's heart which, obviously, isn't ideal. Jack says these techniques could be used for targeted assassinations, or perhaps even more worryingly, a maliciously motivated person could actually create an auto-propagating worm designed to kill people!

SPONSOR INTERVIEW: Pcap analysis in the cloud

Patrick Gray — Thu, 25 Oct 2012 00:00:00 +1100

All our coverage of the Breakpoint security conference was made possible by our sponsor PacketLoop. PacketLoop is a new Australian business that applies big data analysis techniques to your packet captures... you can visualise your captures, drill down into them, and even spot successful 0day attacks against your organisation after the event -- that's a simple trick, that one, they just loop your packet captures through IPSs after the fact... when they get signature updates, they loop them through again. Hence the name, PacketLoop. You can sign up to a Beta at PacketLoop.com, and I suggest you do. Think of this stuff as like NetWitness in the cloud. I caught up with PacketLoop co-founder Michael Baker to discuss his presentation at the Ruxcon conference, which was all about Big Data security analytics. I started off by asking him roughly what he planned to talk about.

Risky Business #259 -- MSDfail, Brett Moore and moooore!

Patrick Gray — Sat, 20 Oct 2012 00:00:00 +1100

This week's show is being produced entirely on the ground at the Ruxcon Breakpoint security conference in my old home town of Melbourne Australia! And it's a shorter show than usual because I'm pretty busy down here producing a bunch of podcasts as a part of some joint coverage I'm doing for both Risky.Biz and The Register. If you want to check out some audio and blog posts from Breakpoint, head to http://risky.biz/breakpoint. They're not up yet, but you'll soon find some interviews with people like Barnaby Jack and Joshua Drake (jduck) there\u2026 or you can subscribe to the RB2 podcast feed at http://risky.biz/feeds if you want that content automagically. In this week's sponsor interview we're chatting with Insomnia Security founder Brett Moore. Thanks to Insomnia security for all its support of this podcast. If you're a CSO in New Zealand and you've never had a pen test from these guys you're doing it wrong. It's a company founded by Brett Moore and staffed by the likes of our regular news co-host Adam Boileau and his sometime fill in Mark Piper, as well as a few other guys. Brett joins us to recap Breakpoint and tell us what he thinks of the epic MSDfail in NZ. Why do organisations commission expert advice if they're just going to ignore it? Show notes MSD admits not acting on early system breach alerts... | Stuff.co.nz http://www.stuff.co.nz/technology/digital-living/7826984/MSD-admits-not-... Russian Anti-Virus Firm Plans Secure Operating System to Combat Stuxnet | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/kaspersky-operating-system/ Second LulzSec member pleads out in Sony Pictures attack - SC Magazine http://www.scmagazine.com/second-lulzsec-member-pleads-out-in-sony-pictu... Pentagon Hacker McKinnon Wins 10-Year Extradition Battle | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/mckinnon-extradition-win/ State-Sponsored Malware 'Flame' Has Smaller, More Devious Cousin | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/ WikiLeaks Goes Behind Paywall, Anonymous Cries Foul | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/wikileaks-paywall-anonymous/ Cyberthieves steal $400,000 from Bank of America | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57533007-83/cyberthieves-steal-$400000-from-bank-of-america/ Hackers target Fairfax holiday site Stayz, altering bank details on listings | News.com.au http://www.news.com.au/travel/australia/hackers-target-fairfax-holiday-s... Roxon issues discussion paper on mandatory data breach laws - Risk - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/319578,roxon-issues-discussion-paper-o... Zero-day attacks last much longer than most would believe - SC Magazine http://www.scmagazine.com/zero-day-attacks-last-much-longer-than-most-wo... Pacemakers, defibrillators open to attack \u2022 The Register http://www.theregister.co.uk/2012/10/17/pacemakers_open_to_wireless_attack/ Information Disclosure Zero-Day Discovered in Novell ZENworks | threatpost http://threatpost.com/en_us/blogs/information-disclosure-zero-day-discov... Oracle Patch Update to Include 109 Patches | threatpost http://threatpost.com/en_us/blogs/oracle-patch-update-include-109-patche... Oracle Leaves Fix for Java SE Zero Day Until February Patch Update | threatpost http://threatpost.com/en_us/blogs/oracle-leaves-fix-java-se-zero-day-unt... Adobe Extends Security of Reader and Acrobat With Better Sandbox, Force ASLR | threatpost http://threatpost.com/en_us/blogs/adobe-extends-security-reader-and-acro... Exploit Code Released Targeting Firefox 16 Vulnerability | threatpost http://threatpost.com/en_us/blogs/exploit-code-released-targeting-firefo... The Cactus Channel - Official Site http://www.thecactuschannel.com/ , The breach in the system is always there. We need to get used to it sometimes. - Mission Maids

Ruxcon Breakpoint kicks off with a bang

Patrick Gray — Wed, 17 Oct 2012 00:00:00 +1100

This morning's first presentation was a talk by Roelof Temmingh, the creator of Maltego. The Maltego software, for those who don't know it, is essentially a data analysis and reconnaissance tool with some pretty powerful features. It was a fascinating presentation that gave conference delegates some real out-of-the-box ideas on target acquisition. Using Maltego it's possible to geographically target random people, for example. If you're interested in targeting agents at a spy agency, you might look for geotagged tweets that originated from the agency's vicinity. Once you have a list of users who are sloppy with their geodata you can start narrowing down your selection, seeing where else they go, what other social media accounts they have and so on. Temmingh played a video demonstration of this type of target acquisition, honing in on one poor sap who likes to send geo-tagged tweets from the car park of a well known intelligence agency. From there he established the target's full name, email address, date of birth, education history, employment history, family member identities, travel history, phone make and model, plus camera make, model and serial number. Temmingh also demonstrated some of the automated network reconnaissance features in the newest release of Maltego, Radium. He's one of the only people on the planet who can turn up to a conference like this and do a one hour product demonstration and still impress people. Roelof discussed Radium on episode 253 of Risky Business. Check it out here. The next talk was by famed ATM hacker and all-round nice guy Barnaby Jack. Barnes turned his attention to medical device security some time ago, with his initial research focussing on insulin pumps. Today, however, he went a step further, unveiling research that would enable him to quite literally kill hundreds of thousands of people by creating a peer-to-peer spreading pacemaker and defibrillator device worm. It would be hilarious if it wasn't so serious. I filed a piece on this for The Register, so go check it out if you're interested. Following that was a talk by Azimuth Security's Mark Dowd and Tarjei Mandt on the security of Apple's iOS 6 operating system security. It's a topic that Mark has discussed on the Risky Business podcast before, so if you're interested in a broad-brush description of his talk, check out episode 246 here. His interview runs after the news segment. Matt Miller, who develops exploit mitigation technology at Microsoft, gave a fascinating talk about his challenge in disrupting the workflow of exploit writers. It's more of a niche topic primarily of interest to people working at the cutting edge of exploit creation and mitigation. That's right, we're only half way through the fourth talk and this is what we've already seen. Risky.Biz will be bringing you blog posts and audio from the event over the next few days. It might take us a few days to edit and process the audio, so be patient. In the mean time, big thanks to our Breakpoint coverage sponsor PacketLoop. Without those guys none of this coverage would be possible, so go check out their website and sign up for their pre-launch Beta. , The kicks are really good. We all have been pretty cool about that one. - Lindsay Rosenwald

Pacemakers, defibrillators open to attack (The Register)

Patrick Gray — Wed, 17 Oct 2012 00:00:00 +1100

The researcher in question, Barnaby Jack, today told the Ruxcon Breakpoint security conference in Melbourne, Australia that "the most obvious scenario would be a targeted attack against a high profile individual." Jack also warned of a worst-case scenario "worm with the ability to commit mass murder". Such devices are accessible through a wireless interface designed to deliver telemetry and allow maintenance. But Jack, who works for US-based security company IOActive, has subverted security in that interface and showed delegates a video demonstration of a wireless attack against an Implantable Cardioverter-Defibrillator (ICD). "There's 830 volts going into the heart there, which is a bummer," he said as an audible zap played over the conference audio system. The attacks work at a range of up to 50 feet. Read the rest of this piece at The Register. , The pacemakers are something they have been making sure of. I guess they are up to the task. - Flemings Ultimate Garage , Hello, Scary stuff. For me, this type of article is where disclosure of security research crosses the line as people could actually get hurt. I think in this case, a code of ethics in disclosure would be useful - i.e "You found the bug, you fix the bug" before disclosure? If the company doesn't want to fix it after taking account of the research, they should be held liable. Interesting to note that before drugs come to the market they have to undergo strict testing. What happened to the code audit before the device was deemed fit to be implanted? Perhaps a new area of IT compliance to be introduced?

Risky Business #258 -- Kevin Mitnick on identity verification

Patrick Gray — Thu, 11 Oct 2012 00:00:00 +1100

On this week's show we're chatting with Kevin Mitnick! Arguably the world's best known hacker, Kevin used to be a very naughty boy, and that saw him sent to prison a few times... but since his most recent release over 12 years ago he's established himself as a security consultant, author and globetrotting public speaker. We're chatting to him about the fundamentals of identity verification. How can you be sure that person on the phone requesting a password reset really is your customer? Can you rely solely on static identity information in this day and age? This week's show is brought to you by PacketLoop, an Australian start-up doing really interesting packet capture analysis. It's big data security analytics! It's really interesting stuff and we're thrilled to have the support of a local company doing new things. We'll be chatting to PacketLoop co-founder and CTO Michael Baker in this week's sponsor interview about roughly what they're doing. PacketLoop is also sponsoring our coverage of Ruxcon Breakpoint next week. Just head to http://risky.biz/breakpoint for all our breakpoint coverage, with thanks to PacketLoop. I'll be down there dual filing stories and audio for Risky.Biz and The Register. Show notes Report: Chinese Tech Firms Should Be Viewed With Suspicion, Barred From U.S. Networks | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/chinese-telecoms-suspicious/ Hackable Huawei - F-Secure Weblog : News from the Lab http://www.f-secure.com/weblog/archives/00002442.html Philippines court halts a contentious cybercrime law | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57529298-83/philippines-court-halts-a-c... Worm spreading on Skype IM installs ransomware | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-... Symantec: Russian criminals sell Web 'proxy' with backdoors | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57528254-83/symantec-russian-criminals-... Middle East cyberattacks on Google users increasing | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57525334-83/middle-east-cyberattacks-on... Microsoft Patches Critical Word Flaw; Certificate Key Length Changes are Official | threatpost http://threatpost.com/en_us/blogs/microsoft-patches-critical-word-flaw-c... Adobe, Microsoft Issue Updates for Critical Flaws in Flash Player | threatpost http://threatpost.com/en_us/blogs/adobe-microsoft-issue-updates-critical... New Tactics Helping Toll Fraud Malware on Android Avoid Detection | threatpost http://threatpost.com/en_us/blogs/new-tactics-helping-toll-fraud-malware... Zitmo Growing More Sophisticated, Prevalent in Android | threatpost http://threatpost.com/en_us/blogs/zitmo-growing-more-sophisticated-preva... Malware Signed by Adobe Certificate Only Used in Limited Targeted Attacks | threatpost http://threatpost.com/en_us/blogs/malware-signed-adobe-certificate-only-... Hack In The Box: Pirate Bay MIA, Chrome vulnerability found | ZDNet http://www.zdnet.com/hack-in-the-box-pirate-bay-mia-chrome-vulnerability... Proof-of-Concept Exploits HTML5 Fullscreen API for Social Engineering | threatpost http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscree... \ufeffGoogle App Engine open to session jacking - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/318610,65279google-app-engine-open-to-... Flaws allow 3G devices to be tracked - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/317819,flaws-allow-3g-devices-to-be-tr... 3000 EU infosec pros engage in mock attacks - Networks - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/318261,3000-eu-infosec-pros-engage-in-... Twitter outage caused by human error, domain briefly yanked | Internet & Media - CNET News http://news.cnet.com/8301-1023_3-57528165-93/twitter-outage-caused-by-hu... Hacker Goes on Massive WoW Killing Spree; World Survives | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/hacker-kills-thousands-in-wow/ Packetloop http://www.packetloop.com/ The Izzys: Change Your Mind http://www.shazam.com/music/web/track?id=57992307 , The US are really careful of China. They have these kind of measures to ensure they don't get so far. - James D. Sterling

Kernel crimps make Windows 8 a hacker hassle (The Register)

Patrick Gray — Wed, 10 Oct 2012 00:00:00 +1100

Now chief architect at CrowdStrke, a security company focused on nation-state adversaries, Ionescu says Windows 8 builds on the usermode exploit mitigations introduced into Windows Vista and 7 with new approaches to security that attempt to mitigate kernel mode attacks. Ionescu will outline those new defences at the Ruxcon Breakpoint security conference in Melbourne, Australia, next week. He'll tell the audience that many pathways to exploitation will be sealed off in the latest Windows release. "As usermode's been getting tighter and tighter to attack and as in the Windows case more and more services have been moved to the kernel, it's become quite a target \u2026 and the rewards are quite great," Ionescu says. "It'll be interesting to see how attackers deal with the new landscape [after the release of Windows 8]." That Windows will be targeted is hard to doubt, given that in the past hackers have treated security in Microsoft's flagship as an unmitigated joke. Writing exploits for Windows XP was extremely easy and the resulting boom in malware affecting Windows users was unprecedented. But companies like Microsoft and Adobe have made significant headway in recent years by introducing exploit mitigations to their products. That's not to say the vulnerabilities have all gone away, but features like application sandboxing, Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) make them difficult to exploit. Microsoft's efforts started taking shape around 2004, when Service Pack 2 for Windows XP was released. It introduced a basic firewall to the operating system and pestered users into installing anti-virus software and opting for automatic OS updates. Next came Vista with its much-loathed UAC feature and some basic memory mitigations like DEP and ASLR, with those features tweaked and carried over into Windows 7. All of a sudden, exploiting bugs on current-generation Windows became suddenly significantly harder and the number of usable exploits dropped off. The deluge, today, looks more like a trickle. READ THE REST OF THIS PIECE AT THE REGISTER. , The hacker has been a good one. He really made sure that he leaves an imprint of what he has done. - James D. Sterling , Peck of pickled peppers? We felt all over her and it turned out that she had sore peck!Click www.n8fan.net for more information. MARIZ www.n8fan.net , Still we find application are vulnerable enough to be exploited and which could not be prevented by so called OS security feature.

Risky Business #257 -- Exploits for Win8 no mean feat

Patrick Gray — Fri, 05 Oct 2012 00:00:00 +1000

On this week's show we're taking a look at Windows 8 with Alex Ionescu. Alex works for Crowdstrike, he's a genuine expert in Windows internals and he says exploit writing and persistence when it comes to owning windows boxes is about to get a whole lot harder. That's after the news. This week's show is brought to you by Insomnia Security. Insomnia is a New Zealand-based consultancy founded by Brett Moore. But these days Insomnia is much bigger than Brett. It has six full timers and they're all very clever chaps. Adam Boileau works there, as does this week's sponsor guest Mark Piper! We're chatting to Mark about what "typical" APT attackers get up to. What does the run of the mill APT MO actually look like? Show notes Hackers Breached Adobe Server in Order to Sign Their Malware | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/adobe-digital-cert-hacked/ Adobe to revoke code signing certificate | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57521794-83/adobe-to-revoke-code-signin... White House confirms 'spearphishing' intrusion | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57523621-83/white-house-confirms-spearp... Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent - Krebs on Security https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion... Regulators shut down global PC 'tech support' scam | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57525250-83/regulators-shut-down-global... Australia Post customers exposed in direct object reference flaw - Web/client - SC Magazine Australia http://www.scmagazine.com.au/News/317651,australia-post-customers-expose... FTC Takes On Scareware Marketers, Court Imposes $163M Judgment | threatpost http://threatpost.com/en_us/blogs/ftc-takes-scareware-marketers-court-im... Web security protocol HSTS wins proposed standard status | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57524915-83/web-security-protocol-hsts-... SHA-3 Winner Chosen, But It May Be Years Before Keccak Has an Effect | threatpost http://threatpost.com/en_us/blogs/sha-3-winner-chosen-it-may-be-years-ke... Authentication Implications in Uniquely Identifiable Graphics Cards | threatpost http://threatpost.com/en_us/blogs/authentication-implications-uniquely-i... Microsoft Reaches Settlement with Site Linked to Nitol Botnet | threatpost http://threatpost.com/en_us/blogs/microsoft-reaches-settlement-site-link... Mozilla's Persona Web Authentication System Moves into Beta | threatpost http://threatpost.com/en_us/blogs/mozillas-persona-web-authentication-sy... DHS Issued False 'Water Pump Hack' Report; Called It a 'Success' | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/10/dhs-false-water-pump-hack/ Cisco Patches Numerous Bugs in IOS, UCM | threatpost http://threatpost.com/en_us/blogs/cisco-patches-numerous-bugs-ios-ucm-09... City of Tulsa website not hacked after all | Tulsa World http://www.tulsaworld.com/news/article.aspx?subjectid=334&articleid=2012... IBM - My notifications http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&... Nmap Development: Re: Hakin9's new Nmap Guide http://seclists.org/nmap-dev/2012/q4/18 Breakpoint 2012 Speakers List http://www.ruxconbreakpoint.com/speakers/#Alex Ionescu Insomnia Security, New Zealand http://www.insomniasec.com/ Breakpoint 2012 Training List http://www.ruxconbreakpoint.com/training/ Bag Raiders - So Demanding - YouTube http://www.youtube.com/watch?v=_Q0VERQxy_w , The signing certificate has been pretty good so far. That is really good if we need to do that. - Flemings Ultimate Garage

Risky Business #256 -- NFC and public transport ticketing

Patrick Gray — Thu, 27 Sep 2012 00:00:00 +1000

On this week's show we're taking a look at public transport ticketing security. Some clever fellows from the US of A have figured out how to reset their RFID tickets with a nifty little app for NFC-enabled smartphones. All this due to some positively boneheaded mistakes made during the initial rollout of some ticketing systems. That interview is with Corey Benninger of Intrepidus Group. This week's show is brought to you by Tenable Network Security. Tenable's co-founder and CEO Ron Gula will be joining the program to talk about the possibility of US president Obama issuing an executive order designed to replace the doomed Cybersecurity Act of 2012, which was shot down by the US congress. Insomnia Security's Mark Piper fills in for Adam Boileau in this week's news segment. Show notes New Java flaw could hit 1 billion users | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57520532-83/new-java-flaw-could-hit-1-b... Microsoft Releases Out-Of-Band IE Zero-Day Patch | threatpost http://threatpost.com/en_us/blogs/microsoft-releases-out-band-ie-zero-da... SourceForge Investigates Backdoor Code Found in Copy of phpMyAdmin | threatpost http://threatpost.com/en_us/blogs/sourceforge-investigates-backdoor-code... Researcher Finds 100k IEEE.org Passwords Stored in Plain-Text on Public FTP Server | threatpost http://threatpost.com/en_us/blogs/researcher-finds-100k-ieeeorg-password... Samsung offers up patch for Galaxy S3 remote wipe vulnerability | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57520467-83/samsung-offers-up-patch-for... Apple TV vulnerabilities closed after being watched for months | ZDNet http://www.zdnet.com/apple-tv-vulnerabilities-closed-after-being-watched... Large-Scale Water Holing Attack Campaigns Hitting Key Targets | threatpost http://threatpost.com/en_us/blogs/large-scale-water-holing-attack-campai... Forthcoming SHA-3 Hash Function May Be Unnecessary | threatpost http://threatpost.com/en_us/blogs/forthcoming-sha-3-hash-function-may-be... New Zealand Intel Agency Investigated for Unlawful Spying on Kim Dotcom | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/illegal-spying-on-kim-dotcom/ Google pays bug hunters for finding Windows flaw | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57520440-83/google-pays-bug-hunters-for... ACLU sues to get U.S. agencies' license plate tracking records | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57520336-83/aclu-sues-to-get-u.s-agenci... How long will it be before iOS 6 Maps kills someone? | ZDNet http://www.zdnet.com/how-long-will-it-be-before-ios-6-maps-kills-someone... Australian police want telco customer data retained forever | ZDNet http://www.zdnet.com/australian-police-want-telco-customer-data-retained... Special Report: iOS app piracy soars - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/316996,special-report-ios-app-piracy-s... Hackers ransom $3000 from NT business - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/316663,hackers-ransom-3000-from-nt-bus... Adobe releases open-source coding typeface - Boing Boing http://boingboing.net/2012/09/24/adobe-releases-open-source-cod.html UltraReset - Bypassing NFC access control with your smartphone - Intrepidus Group - Insight http://intrepidusgroup.com/insight/2012/09/ultrareset-bypassing-nfc-acce... Video of Intrepidus demonstrating NFC ticketing resets: http://vimeo.com/49664045 Slide deck: https://media3.risky.biz/EUSecWest-SoBenn-Transit2012-Preview.pdf The Public Opinion Afro Orchestra - Shake on Official.fm http://official.fm/tracks/daLt/file , That out of brand IE is really getting my attention. What would that be if I may ask? - Steven Wyer

Risky Business #255 -- IE 0days are news? WINNING

Patrick Gray — Fri, 21 Sep 2012 00:00:00 +1000

This week's show is a shorter one than usual -- we've just got the news segment with Adam and a sponsor interview. This week's show is sponsored by our benevolent overlords at Adobe! Big thanks to them. And we've got a fascinating chat in this week's show with Adobe's Steve Gotwalls about auto updaters. How have they been architected? What do the update mechanisms look like? Are the update packages served via https or http? Can you cache them at your border? Should enterprise networks swallow updates without doing independent QA? This is a surprisingly interesting topic, when we think about how much patch management has changed over the years. Show notes Microsoft Will Patch IE Zero-Day on Friday; Fixit Available as Stopgap | threatpost http://threatpost.com/en_us/blogs/microsoft-will-patch-ie-zero-day-frida... Sophos antivirus detects own update as false positive malware | ZDNet http://www.zdnet.com/sophos-antivirus-detects-own-update-as-false-positi... Feds Charge Activist with 13 Felonies for Rogue Downloading of Academic Articles | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/aaron-swartz-felony/ Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/virgin-mobile/ Sprint says Virgin Mobile users are safe from account hijacks - Computerworld http://www.computerworld.com/s/article/9231470/Sprint_says_Virgin_Mobile... Coders Behind the Flame Malware Left Incriminating Clues on Control Servers | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/flame-coders-left-fingerprints/ Grum Botnet Attempts Another Comeback, Fails Again | threatpost http://threatpost.com/en_us/blogs/grum-botnet-attempts-another-comeback-... iPhone 4S, Samsung Galaxy S3 hacked in contest | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57516966-83/iphone-4s-samsung-galaxy-s3... iOS 6 allows tweets, Facebook posts from locked device | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57517364-83/ios-6-allows-tweets-faceboo... Apple provides 197 security reasons to upgrade to iOS 6 | ZDNet http://www.zdnet.com/apple-provides-197-security-reasons-to-upgrade-to-i... Flaw in Oracle Logon Protocol Leads to Easy Password Cracking | threatpost http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-... Chat app used by activists has security flaws, say critics | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57513530-83/chat-app-used-by-activists-... Researchers poke holes through Fortinet, SonicWall UTMs - Applications - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/316308,researchers-poke-holes-through-... Anonymous' Barrett Brown Raided by FBI During Online Chat | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/barret-brown-raid/ Executive order drafted following failed Cybersecurity Act - SC Magazine http://www.scmagazine.com/executive-order-drafted-following-failed-cyber... Researcher Charlie Miller Joins Twitter Security Team | threatpost http://threatpost.com/en_us/blogs/researcher-charlie-miller-joins-twitte... Calendar config triggers Canberra security scare - Risk - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/316099,calendar-config-triggers-canber... Bromium secures computers by holding apps in isolation | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57515558-83/bromium-secures-computers-b... Bromium ships vSentry micro-hypervisor for foolproof Windows 7 security | ZDNet http://www.zdnet.com/bromium-ships-vsentry-micro-hypervisor-for-foolproo... Romanian carders plead guilty to Subway hack - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/316131,romanian-carders-plead-guilty-t... Home http://www.saskwatch.com.au/Saskwatch/Home.html Breakpoint 2012 Security Conference http://www.ruxconbreakpoint.com/ , They are pretty geeky with that one. They are really good at computers and that is good. - Kris Krohn

Risky Business #254 -- Does your pentester team know what it's doing?

Patrick Gray — Fri, 14 Sep 2012 00:00:00 +1000

This week's feature interview is with Wayne Ronaldson. Wayne's a security consultant with a company here called CQR, but he's cobbled together a fascinating little side project called Exploitable Labs. In essence, Exploitable Labs is an online capture the flag environment. Participants connect to it, then go about finding various types of vulnerabilities -- in Web applications, servers and network devices. At the end of the exercise, the system spits out a report that can tell the participant where they're hot and where they're not. Wayne designed the service to be used by people who hire penetration testers -- it's not a certification like CREST, it's an evaluation. It's an interesting idea! Adam Boileau, as always, joins the show for a chat about the news headlines. Show notes Pirate Bay Co-Founder Arrested at Airport on Hacking Charges | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/pirate-bay-airport-arrest/ Apple Device IDs Leaked by Anonymous Traced to App Developer Blue Toad | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/udid-leak-traced-to-blue-toad/ Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/09/google-hacker-gang-returns/all/ Report: Half of Android devices have unpatched holes | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57512467-83/report-half-of-android-devi... Microsoft finds malware hidden in new computers in China | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57512703-83/microsoft-finds-malware-hid... Phony Al-Jazeera text messages sent by pro-Syrian gov't hackers | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57509104-83/phony-al-jazeera-text-messa... Microsoft axes many of its Forefront enterprise security products | ZDNet http://www.zdnet.com/microsoft-axes-many-of-its-forefront-enterprise-sec... Careful Who You Friend: Taliban Posing as 'Attractive Women' Online | Danger Room | Wired.com http://www.wired.com/dangerroom/2012/09/taliban-facebook/ Microsoft Carries out Nitol Botnet Takedown | threatpost http://threatpost.com/en_us/blogs/microsoft-carries-out-nitol-botnet-tak... Apple Fixes Huge Number of Flaws With iTunes 10.7 | threatpost http://threatpost.com/en_us/blogs/apple-fixes-huge-number-flaws-itunes-1... CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions | threatpost http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tl... Go Daddy CEO Denies Hackers Behind Major Outage | threatpost http://threatpost.com/en_us/blogs/go-daddy-ceo-disputes-hack-behind-majo... Etsy handcrafts rewards for security bug hunters | ZDNet http://www.zdnet.com/au/etsy-handcrafts-rewards-for-security-bug-hunters... Google Adds Online Malware Scanner VirusTotal To Security Lineup | threatpost http://threatpost.com/en_us/blogs/google-adds-online-malware-scanner-vir... Red Hat Security Advisory 2012-1259-01 \u2248 Packet Storm http://packetstormsecurity.org/files/116469 No Right Turn: Hacking the Budget http://norightturn.blogspot.co.nz/2012/09/hacking-budget.html BitFloor breached, hacker makes off with $250,000 in BitCoins - TechSpot News http://www.techspot.com/news/50043-bitfloor-breached-hacker-makes-off-wi... ssl - CRIME - How to beat the BEAST successor? - IT Security http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-... Exploitable Labs http://exploitablelabs.com/ PentesterLab.com https://pentesterlab.com/ My interview with Gotye: http://media.risky.biz/fots.mp3 , The hackers are having their way right now. I guess that is going to be pretty right? - Roger Stanton St. Mary's College , Now I am able to take the next phase in my profession and after working security for quite a few years, I would love to improve up on my current knowledge and gain a few new ones. Where's the best place to get started on I wonder?

Risky Business #253 -- All your internal IP ranges R belong 2 Maltego

Patrick Gray — Thu, 06 Sep 2012 00:00:00 +1000

On this week's show we're taking a look at the new release of the data mining and network footprinting tool Maltego. it's called Radium and the focus is very much on automation. One click network footprinting for the win! Maltego creator Roelof Temmingh will be along in this week's feature interview to walk us through the new features. There's some interesting stuff in that interview about network information leaks. All your internal IP ranges R belong to Roelof! This week's show is brought to you by HackLabs. In this week's sponsor interview we chat with HackLabs head honcho Chris Gatford about the insider threat. What can you do to minimise your chances of getting hosed by a disgruntled former staffer? That's an interesting segment that touches on account and access management, DLP and ghost account audits. Speaking of sponsorship, we've got some sponsor vacancies opening up from next week and intro next year. So if you fancy sponsoring Risky Business, let me know. Risky.Biz gets around 25,000 unique visitors a month from all over the globe, with around 16,000-20,000 episodes downloaded each month! And you know what? It's a high quality audience. If you'd like to see some listener testimonials from enterprise security folks or talk about sponsorship, get in touch with me: patrick [at] risky.biz.

Risky Business #252 -- Attacks on Aramco likely state sponsored

Patrick Gray — Fri, 31 Aug 2012 00:00:00 +1000

On this week's show we're talking to Rapid7's HD Moore about recent attacks against the Saudi Aramco oil company that saw 30,000 of 40,000 machines rendered inoperable for around 10 days. It's the single most destructive attack I've ever heard of. This week's show is brought to you by Insomnia Security. You might know this week's sponsor guest -- it's out news buddy Adam Boileau, aka Metlstorm. Adam works for Insomnia! So it's the MOAR METL edition this week! He'll be along a bit later to talk about new trends in security assessments; new ways of doing things that can gauge how effective organisations are at detecting what he calls the "lateral movement" of attackers through networks. As you'd expect, it's very interesting stuff and it's coming up after this week's feature interview. Show notes Oracle reportedly knew of critical Java bugs under attack for 4 months | Ars Technica http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-mo... Second accused LulzSec hacker arrested in Sony breach | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57502233-83/second-accused-lulzsec-hack... Researchers Hack Brainwaves to Reveal PINs, Other Personal Data | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/08/brainwave-hacking/ Researcher reports a CSRF vulnerability in Facebook's App Center, earns $5,000 | ZDNet http://www.zdnet.com/researcher-reports-a-csrf-vulnerability-in-facebook... Air Force Openly Seeking Cyber-Weapons | threatpost http://threatpost.com/en_us/blogs/air-force-openly-seeking-cyber-weapons... Hackers vow 'hellfire' in latest major data leak | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57501931-83/hackers-vow-hellfire-in-lat... Looking to Bolster Security, Dropbox Adds Two-Factor Authentication | threatpost http://threatpost.com/en_us/blogs/looking-bolster-security-dropbox-adds-... Analysis Shows Traces of Wiper Malware, But No Links to Flame | threatpost http://threatpost.com/en_us/blogs/analysis-shows-traces-wiper-malware-no... New Gauss and Flame link was a mistake, researchers say | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57499508-83/new-gauss-and-flame-link-wa... Citrix Systems \xbb Most Americans Confused By Cloud Computing According to National Survey http://www.citrix.com/English/NE/news/news.asp?newsID=2328309 Gauss: Abnormal Distribution - Securelist http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution Virus Shuts RasGas Office Computers, LNG Output Unaffected - Bloomberg http://www.bloomberg.com/news/2012-08-30/virus-shuts-rasgas-office-compu... Gh0stRat paper: http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf Insomnia Security, New Zealand http://www.insomniasec.com/ , The hackers surely know what they are doing. They did a good job in making a grand entrance. - Kris Krohn Strongbrook

Risky Business #251 -- Thunderbolt strikes Mac EFI

Patrick Gray — Thu, 23 Aug 2012 00:00:00 +1000

In this week's feature interview we're getting an update on some research we looked at last year. Loukas of Assurance.com.au in Melbourne had been playing around with some "evil maid" EFI hacks on Macs, but he's done some more work on them and presented his findings at BlackHat in July. He joins the show to discuss his latest EFI work. See this week's show notes for links to his slide deck and paper, as well as links to this week's news. This week's show is brought to you by Adobe! Adobe's head of product security Brad Arkin joins us to give us some development tips for smaller coding teams. He also discusses his involvement with the RSA conference -- he'll be helping to select some talks.

Risky Business #250 -- Hack it like it's 1999

Patrick Gray — Tue, 14 Aug 2012 00:00:00 +1000

On this week's show we chat with Recurity Labs' Felix "FX" Lindner and Greg Kopf in the feature segment. These guys recently shredded some Huawei equipment. They owned it hard and turned it into a DEFCON talk [pdf]. They'll be along a bit later on to tell us why hacking away at Huawei kit made them feel nostalgic. This week's show is brought to you by the fine folks at Australian pentesting firm HackLabs, so I hope you'll keep them in mind next time you're firing off those RFPs! HackLabs founder and main man Chris Gatford joins us in this week's sponsor slot to discuss the extremely clever social engineering attack against accounts belonging to technology journalist Mat Honan. he got owned pretty hard. No clientsides, no exploits, no bruteforcing. Just a few phone calls. Show notes http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf THIS WEEK'S NEWS ITEMS: Stratfor emails reveal secret, widespread TrapWire surveillance system - RT http://rt.com/usa/news/stratfor-trapwire-abraxas-wikileaks-313/ Is TrapWire surveillance really spying on Americans? - Technolog on NBCNews.com http://www.technolog.msnbc.msn.com/technology/technolog/trapwire-surveil... New Gauss Malware, Descended From Flame and Stuxnet, Found On Thousands of PCs in Middle East | threatpost http://threatpost.com/en_us/blogs/new-gauss-malware-descended-flame-and-... Amazon addresses security exploit after journalist hack | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57488759-83/amazon-addresses-security-e... Apple responds to journalist's iCloud hack | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57487873-83/apple-responds-to-journalis... One way to make passwords obsolete -- just keep typing | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57492355-83/one-way-to-make-passwords-o... DOJ Won't Ask Supreme Court to Review Hacking Case | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/08/computer-fraud-supreme-court/ Goldman Sachs Programmer Back in Court on New Charges | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/08/sergey-aleynikov-new-charges/ FTC Dings Google $22.5M in Safari Cookie Flap | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/08/ftc-google-cookie/ Microsoft Releases Attack Surface Analyzer Tool | threatpost http://threatpost.com/en_us/blogs/microsoft-releases-attack-surface-anal... #684121 - libotr2: Buffer overflows in libotr - Debian Bug report logs http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121 Anonymous targets ASIO, government websites | ZDNet http://www.zdnet.com/au/anonymous-targets-asio-government-websites-70000... Oracle Warns Users About Privilege Escalation Bug in Database Server | threatpost http://threatpost.com/en_us/blogs/oracle-warns-users-about-privilege-esc... , The secret is already out there. You don't need to become so sensitive about that one. - James Cullem

Risky Business #249 -- Did the BlueHat prize experiment succeed?

Patrick Gray — Fri, 03 Aug 2012 00:00:00 +1000

On this week's show we chat with Microsoft's Katie Moussouris about the company's BlueHat prize. How successful was the prize, and did it get Microsoft value for money in terms of quality entries? Katie took some time out from her maternity leave to join the show. This week's show is brought to you by Tenable Network Security. In this week's sponsor interview with Tenable founder and CEO Ron Gula we get a bit philosophical. Has it become culturally acceptable in the business world to get owned? If LinkedIn and Sony can have such a bad time, are major incidents therefore seen as routine? Follow Patrick Gray on Twitter. Show notes Get the podcast here. Expert: Huawei routers are riddled with vulnerabilities | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-r... Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Full Disclosure: nvidia linux binary driver priv escalation exploit http://seclists.org/fulldisclosure/2012/Aug/4 Firm Sees More DDoS Attacks Aimed at Telecom Systems | threatpost http://threatpost.com/en_us/blogs/firm-sees-more-ddos-attacks-aimed-tele... Republicans block vote on cybersecurity bill | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57485404-83/republicans-block-vote-on-c... Vasillis Pappas Wins $200,000 Microsoft Blue Hat Prize | threatpost http://threatpost.com/en_us/blogs/vasillis-pappas-wins-200000-microsoft-... In First Black Hat Talk, Apple Reveals Little New About iOS Security | threatpost http://threatpost.com/en_us/blogs/first-black-hat-talk-apple-reveals-lit... Facebook aims 'bug bounty' at in-house network | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57480383-83/facebook-aims-bug-bounty-at... More information on Security Advisory 2737111 - Security Research & Defense - Site Home - TechNet Blogs http://blogs.technet.com/b/srd/archive/2012/07/24/more-information-on-se... Anonymous in a tizzy over logo trademark | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57484468-83/anonymous-in-a-tizzy-over-l... Does Cybercrime Really Cost $1 Trillion? | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/08/cybercrime-trillion/all/ Illinois Outlaws Employer Requests for Facebook Passwords | threatpost http://threatpost.com/en_us/blogs/illinois-outlaws-employer-requests-fac... Anonymous dumps hacked AAPT data - Hackers - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/310159,anonymous-dumps-hacked-aapt-dat... OAuth 2.0 and the Road to Hell \xab hueniverse http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ FX's Huawei slides: http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf , A VERY ENTERTAINING SITE! vacation rental koh samui , They surely are riddled with uncertainties. It will become a little bit better if you ask me. - Reputation Advocate

Risky Business #248 -- Being Big Brother on a budget

Patrick Gray — Thu, 26 Jul 2012 00:00:00 +1000

I've been busy preparing my debate speech for tomorrow's Splendour in the Grass music festival, so this week's show is a shorter one than usual; there's no feature interview. But we've got a fascinating sponsor interview with SensePost's Glenn Wilkinson coming up. He's a lead security analyst with SensePost in its London office. He and his colleague Daniel Cuthbert are doing a talk and tool release at 44con in September called Terrorism, Tracking, Privacy and Human Interactions. They set about writing some really creepy Big Brother-style tools for doing massive surveillance by dropping a few wireless access points around London. And you know what? As it turns out it's really easy to be really creepy! Show notes Australia, Canada 'primary spy targets' http://www.theage.com.au/opinion/political-news/australia-canada-primary... Nearly 5 Million People Have Government Security Clearances | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/security-clearances-increasing/ AAPT hacked by Anonymous - Security - Technology - News - CRN Australia http://www.crn.com.au/News/309915,aapt-hacked-by-anonymous.aspx Anonymous hackers cripple Aussie government websites | Information, Gadgets, Mobile Phones News & Reviews | News.com.au http://www.news.com.au/technology/anonymous-hackers-cripples-aussie-gove... Par:AnoIA | Meanwhile in Australia http://par-anoia.net/queensland/ Watching the crooks: Researcher monitors cyber-espionage ring | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57479682-83/watching-the-crooks-researc... Microsoft implements BlueHat prize tech | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57479407-83/microsoft-implements-blueha... Charlie Miller Takes on NFC, Charlie Miller Wins | threatpost http://threatpost.com/en_us/blogs/charlie-miller-takes-nfc-charlie-mille... Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/reverse-engineering-iris-scans/ Siemens Patches Stuxnet-Like SCADA Bugs | threatpost http://threatpost.com/en_us/blogs/siemens-patches-stuxnet-scada-bugs-072... Grum Botnet Briefly Revived, Now Dead Again | threatpost http://threatpost.com/en_us/blogs/grum-botnet-briefly-revived-now-dead-a... Black Hat: Phishing E-Mail Scare A False Alarm | threatpost http://threatpost.com/en_us/blogs/black-hat-phishing-e-mail-scare-false-... Termineter Security Framework for Smart Meters Released | threatpost http://threatpost.com/en_us/blogs/termineter-security-framework-smart-me... This Xbox HDMI cable has 'anti-virus protection' | ZDNet http://www.zdnet.com/this-xbox-hdmi-cable-has-anti-virus-protection-7000... Skype makes chats and user data more available to police - The Washington Post http://www.washingtonpost.com/business/economy/skype-makes-chats-and-use... McKinnon extradition decision date set for mid-October | ZDNet http://www.zdnet.com/mckinnon-extradition-decision-date-set-for-mid-octo... Power Pwn: This DARPA-funded power strip will hack your network | ZDNet http://www.zdnet.com/power-pwn-this-darpa-funded-power-strip-will-hack-y... Eight million passwords stolen from gaming site - Crypto - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/309627,eight-million-passwords-stolen-... , And why is Canada a target of spies? I don't quite see what is with Canada that makes them so. - Feed the Children Reviews , Following on from the uses of smart-phone wifi detection comes the interesting idea from GM - identify pedestrians before you see them in low-visibility situations. http://mobile.slashdot.org/story/12/07/29/1412252/gm-working-on-wi-fi-di... Great show - high point of weeks technical listening

Risky Business #247 -- Could a quantum leap spell the end of crypto?

Patrick Gray — Fri, 20 Jul 2012 00:00:00 +1000

On this week's show the NSA's former Technical Director of Information Assurance, Brian Snow, joins the program to warn us that recent advancements in quantum computing could invalidate all of our cryptographic systems within 15 years. So we'd better get cracking on finding alternatives! This week's show is brought to you by the security team at Adobe! Big thanks to them. And Adobe's head of security and privacy Brad Arkin will be along later in the show to discuss Adobe's planned deprecation of Flash on mobile devices. As of September 2013 the whole lot goes dark permanently, so how DO you manage that sort of support withdrawal? That's this week's sponsor interview. Show notes Password Leaks Continue: Billabong, NVIDIA Accounts Compromised | threatpost http://threatpost.com/en_us/blogs/password-leaks-continue-billabong-nvid... Hacker Claims Compromise of IT Recruiter | threatpost http://threatpost.com/en_us/blogs/hacker-claims-compromise-wall-street-i... Yahoo gives all clear after hack attack | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57472023-83/yahoo-gives-all-clear-after... Microsoft: Fake Skype For Android App Linked To SMS Scams | threatpost http://threatpost.com/en_us/blogs/microsoft-fake-skype-android-app-linke... Google Hardens Chrome To Block Malicious Extensions | threatpost http://threatpost.com/en_us/blogs/google-hardens-chrome-block-malicious-... Former Pentagon Analyst Warns China Has Back Doors To Global Telcos | threatpost http://threatpost.com/en_us/blogs/former-pentagon-analyst-warns-china-ha... FBI Investigating Major Chinese Firm for Selling Spy Gear to Iran | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/fbi-zte/ Senators introduce amended cybersecurity measure | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57476215-83/senators-introduce-amended-... Skype squashes bug that sends messages to random contacts | ZDNet http://www.zdnet.com/skype-squashes-bug-that-sends-messages-to-random-co... Symantec antivirus software update crashes some PCs | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57472624-83/symantec-antivirus-software... Oracle won't patch zero-day hole in Database | ZDNet http://www.zdnet.com/oracle-wont-patch-zero-day-hole-in-database-7000001... Nike hacker steals over $80,000 | ZDNet http://www.zdnet.com/nike-hacker-steals-over-80000-7000001177/ Officials attack Grum: World's third largest botnet (18% of spam) | ZDNet http://www.zdnet.com/officials-attack-grum-worlds-third-largest-botnet-1... Security flaw found in Amazon's Kindle Touch | ZDNet http://www.zdnet.com/security-flaw-found-in-amazons-kindle-touch-7000001... Apple iOS in-app purchases hacked; everything is free (video) | ZDNet http://www.zdnet.com/apple-ios-in-app-purchases-hacked-everything-is-fre... Charlie Miller: 'Difficult to write exploits' for Android 4.1 | ZDNet http://www.zdnet.com/charlie-miller-difficult-to-write-exploits-for-andr... Assad's sexist email jokes leaked | Herald Sun http://www.heraldsun.com.au/news/breaking-news/assads-sexist-email-jokes... [Event] Information Security Awareness Tour 2012 - Registration Open and Call for Speakers/Sponsors | in2securITy http://www.in2security.org.nz/?q=node/153 , The recruiter is going to be hunted. He messed up with the wrong people. - Feed the Children Reviews

Risky Business #246 -- Here lies password authentication. RIP.

Patrick Gray — Fri, 13 Jul 2012 00:00:00 +1000

On this week's edition of the show we catch up with Mark Dowd of Azimuth security for a bit of a chat about Apple's upcoming iOS 6 operating system and its security features. We also wind up chatting about Apple's approach to OS security in general and the whole signed code appstore thing, it's fun stuff! This week's show is brought to you by Tenable Network Security -- the most long term and loyal supporter of this podcast. Tenable founder and CEO Ron Gula joins us later on in the show to chat about the media hype surrounding DNSChanger and Flame, as well as talking about some really, really rudimentary approaches to picking up stuff your AV may have missed. That's this week's sponsor interview. In this week's news segment, Insomnia Security's Adam Boileau joins the program to discuss the following stories: Govt defends need to snoop on online and phone records | Information, Gadgets, Mobile Phones News & Reviews | News.com.au http://www.news.com.au/technology/govt-defends-need-to-keep-internet-dat... 1.3M Cellphone Snooping Requests Yearly? It's Time for Privacy and Transparency Laws | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/mobile-data-transparency/ AusCERT loses passwords to Govt service - Web/client - SC Magazine Australia - Secure Business Intelligence http://www.scmagazine.com.au/News/307954,auscert-loses-passwords-to-govt... Gone in 3 Minutes: Keyless BMWs a Boon to Hacker Thieves | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/keyless-bmw-gone/ Android forum site hacked; data swiped on 1 million users | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57471297-83/android-forum-site-hacked-d... Top domains and passwords compromised by Yahoo breach | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57471299-83/top-domains-and-passwords-c... Formspring disables user passwords in security breach | Security & Privacy - CNET News http://news.cnet.com/8301-1009_3-57469944-83/formspring-disables-user-pa... Apple Receives NFC Patent, But Takes It Slow with Mobile Payments | threatpost http://threatpost.com/en_us/blogs/apple-receives-nfc-patent-taking-it-sl... Anonymous Group Says It Gave Syrian E-mails to WikiLeaks | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/anonymous-syrian-emails/ WikiLeaks Wins Icelandic Court Battle Against Visa for Blocking Donations | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/wikileaks-visa-blockade/ Instagram Patches "Friendship Vulnerability" Privacy Hole | threatpost http://threatpost.com/en_us/blogs/instagram-patches-friendship-vulnerabi... Google Adds Full Flash Sandbox to Chrome 21 | threatpost http://threatpost.com/en_us/blogs/google-adds-full-flash-sandbox-chrome-... Google Patches Three High-Priority Flaws in Chrome 20 | threatpost http://threatpost.com/en_us/blogs/google-patches-three-high-priority-fla... Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost http://threatpost.com/en_us/blogs/microsoft-revokes-trust-28-its-own-cer... NSA Chief Says Today's Cyber Attacks Amount to 'Greatest Transfer of Wealth in History' | threatpost http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-am... Deep Packet Inspection Firm Cyberoam Issues Fix Following Private Key Leak | threatpost http://threatpost.com/en_us/blogs/deep-packet-inspection-firm-cyberoam-i... Hackers can break into your Cisco TelePresence sessions | ZDNet http://www.zdnet.com/hackers-can-break-into-your-cisco-telepresence-sess... Data-breach laws are coming: OAIC assistant | ZDNet http://www.zdnet.com/data-breach-laws-are-coming-oaic-assistant-7000000761/ Stratfor Class Action Settlement Email http://cryptome.org/2012/07/sterling-stratfor-email.htm

Risky Business #245 -- Drop boxes for the win

Patrick Gray — Fri, 06 Jul 2012 00:00:00 +1000

In this week's podcast we're chatting with Jonathan Cran of Pwnie Express. Pwnie Express makes dropboxes that were designed to be used by pentesters. Funnily enough people have actually found all sorts of non-illicit uses for them. In this week's sponsor interview we chat with HackLabs' penetration tester Jody Melbourne to ask if there's a future for hacktivists after SQLi bugs are a thing of the past. In this week's news segment with Adam Boileau we discuss the following items: 'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday | Threat Level | Wired.com http://www.wired.com/threatlevel/2012/07/dns-changer-going-dark/ Report: Wireless Hacking Suspected In Air Raid Siren Miscues | threatpost http://threatpost.com/en_us/blogs/report-wireless-hacking-suspected-air-raid-siren-miscues-070512 Cisco Pulls Back on Routers' 'Supplemental Privacy Policy' | threatpost http://threatpost.com/en_us/blogs/cisco-pulls-back-routers-supplemental-privacy-policy-070312 There is No Reason to Take a Picture of Your Debit Card ...Ever | threatpost http://threatpost.com/en_us/blogs/there-no-reason-take-picture-your-debit-card-ever-070312 New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace Industry | threatpost http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312 Mac OS X, Windows Backdoors Used in New APT Attacks | threatposthttp://threatpost.com/en_us/blogs/mac-os-x-windows-backdoors-used-new-apt-attacks-062912 Microsoft Names Two Alleged Zeus Botnet Operators | threatpost http://threatpost.com/en_us/blogs/microsoft-names-two-alleged-zeus-botnet-operators-070312 Appeals Court Calls Bank's Security "Commercially Unreasonable" | threatpost http://threatpost.com/en_us/blogs/appeals-court-calls-bank-s-security-commercially-unreasonable-070512 Senator Seeks to Strengthen SEC-Required Cybercrime Reporting | threatpost http://threatpost.com/en_us/blogs/senator-seeks-strengthen-sec-required-cybercrime-reporting-070212 Adobe: No Flash Player For Future Android Versions | threatpost http://threatpost.com/en_us/blogs/adobe-no-flash-player-future-android-versions-062912 Iran state TV: The BBC hacked us | ZDNet http://www.zdnet.com/iran-state-tv-the-bbc-hacked-us-7000000334/ WikiLeaks starts publishing millions of 'Syria Files' emails | ZDNet http://www.zdnet.com/wikileaks-starts-publishing-millions-of-syria-files-emails-7000000316/ Want cheaper insurance? Brush up on your IT security | ZDNet http://www.zdnet.com/want-cheaper-insurance-brush-up-on-your-it-security-7000000251/ NBN Co: Huawei FOI could harm national security | ZDNet http://www.zdnet.com/nbn-co-huawei-foi-could-harm-national-security-7000000106/

Risky Business #244 -- Padding oracle attacks on crypto tokens: How bad?

Patrick Gray — Thu, 28 Jun 2012 00:00:00 +1000

There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol.) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more! In this week's feature interview we chat with Matthew D Greene, Assistant Research Professor at Johns Hopkins University's Information Security Institute. We're talking to him about some recently unveiled attacks against hardware tokens that enable attackers to extract key material that's supposed to be protected. Oops! Matthew blogged about it here, and the paper we discuss is here [pdf]. This week's show is brought to you by our good friends at SensePost! Sensepost founder and director Charl Van Der Walt will be along in this week's sponsor interview to discuss what he's learned from teaching BlackHat courses for 10 years.

Risky Business #243 -- Quickly! To Ecuador!

Patrick Gray — Fri, 22 Jun 2012 00:00:00 +1000

In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more! Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau. Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff. That's this week's sponsor interview. There's no feature interview this week and possibly no podcast next week. Family stuff.

Risky Business #242 -- Massive recon with HD Moore

Patrick Gray — Fri, 15 Jun 2012 00:00:00 +1000

On this week's show we chat with Rapid7's H D Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy basically banner grabbing the entire Internet and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out. This week's show is brought to you by Tenable Network Security so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world. Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.

Risky Business #241 -- Parmy Olson discusses her book on LulzSec

Patrick Gray — Fri, 08 Jun 2012 00:00:00 +1000

On this week's show we'll be chatting with Forbes' London bureau chief Parmy Olson. Parmy did a great job of covering the whole LulzSec fiasco last year for Forbes, but she's gone one better and written a book about the whole thing. It's called We Are Anonymous: Inside the hacker world of LulzSec and you know what? It's pretty good! Actually, it's really, really good. I'm about a third of the way through a review copy. Parmy will joins us to talk about what it was like to stitch a story like this together. This week's show is brought to you by those fine folk at HackLabs, a Sydney-based penetration testing firm. Its founder and big cheese Chris Gatford will be along in this week's sponsor interview to chat about two factor via cellphones. There was a really interesting attack against 4chan through its hosting provider ClousdFlare this week that involved some telephone trickery. Do people place too much trust on out of band second factors? Find out in this week's sponsor interview! Adam Boileau, as always, joins us to talk about ABSOLUTELY EVERYONE GETTING OWNED! Between LinkedIn, eHarmony and Last.fm getting popped, the US as good as claiming credit for Stuxnet, Flame man in the middling Windows Update and all sorts of other crazy stuff, well, it's been a hell of a week for news!

Risky Business #240 -- FPGA "back doors"

Patrick Gray — Thu, 31 May 2012 00:00:00 +1000

On this week's show we're taking a look at some research out of Cambridge University that's drawn a lot of attention. It involves a claim that researchers found a hardware back door on a Chinese-made FPGA (Field Programmable Gate Array). That FPGA is apparently used in military hardware. You can find links to the draft paper and a write-up here. So was this "back door" put there by super-secret Chinese cyber-warriors? Or is it something much less interesting like an undocumented debugging interface? Peter Gutmann is this week's feature guest and he'll be telling us all about it. This week's show is sponsored by SensePost. SensePost is a South African security consultancy that also has a presence in Europe. They are some seriously, seriously smart people and we're thrilled to have them as a sponsor. In this week's sponsor interview we're taking a look at some research the company has done into cloning RSA soft tokens. We all know that soft tokens are theoretically weak, but SensePost's Behrang Fouladi set his mind to actually reversing them and seeing just how easy it is. As it turns out, very. Adam Boileau, as always, stops by to discuss the week's news.

New book claims to expose direct LulzSec-Wikileaks ties

Patrick Gray — Wed, 30 May 2012 00:00:00 +1000

If people are wondering why on Earth Wikileaks' chief Julian Assange is apparently being pursued by the US Department of Justice, a new book by Forbes' London Bureau chief Parmy Olson might help to clear things up for you. Assange likes to proclaim that the DoJ investigation is a case of the big bad gummint being out to persecute him for being a truth-teller, but if Olson's book (Amazon) is to be believed it looks like he's been a very naughty boy. This excerpt [pdf] from the book, published by the pre-Wikileaks leak site Cryptome, describes verified IRC contact between LulzSec ringleader turned FBI snitch Sabu and Assange in which the latter apparently urged the digital outlaws to attack specific targets in Iceland. Bad activist! No biscuit! All this under the watchful eye of the FBI's inside man. This is speculation, but if any of Wikileaks staff were "directing" LulzSec's illegal activities, particularly the exfiltration of stolen information from any of the group's victims -- like Stratfor, for example -- it's my guess the entire organisation is legally fux0red. IANAL, but read the excerpt and tell me if you arrive at the same hunch as me. Encouraging an FBI snitch to attack systems in Iceland on your behalf when the heat is already on is remarkably daft. I'll be interviewing Parmy about her book next week.

Risky Business #239 -- The Zetas cartel and social media

Patrick Gray — Fri, 25 May 2012 00:00:00 +1000

This week's feature audio is an excerpt from an AusCERT presentation I recorded last week. The talk, by Brad Barker of the HALO Corporation, discusses the Zeta drug cartel's use of technology and social media. HALO Corporation does everything from intelligence support to kidnap and ransom consulting. Barker has an interesting analysis of how civilian technology is altering methods of operation and the wider battlefield. It's good stuff. Adobe's director of product security Brad Arkin will be along for this week's sponsor interview to talk about Apple's decision to block vulnerable versions of Flash Player in OS X. Brad also discusses Adobe's controversial -- and subsequently reversed decision -- to NOT patch its CS5 suite of products against a code execution bug. Adam Boileau, as always, drops by to discuss the week's news headlines.

DEBATE: AusCERT speed debate 2012

Patrick Gray — Tue, 22 May 2012 00:00:00 +1000

The following is the closing session from AusCERT's 2012 conference, the speed debate. It's a chance to have a bit of a laugh at all things security and it's hosted by ABC personality Adam Spencer. Enjoy!

SPONSOR PODCAST: Why do we expect users to make good decisions?

Patrick Gray — Tue, 22 May 2012 00:00:00 +1000

At AusCERT last week I caught up with Phil Piotrowski, a threat researcher with Sophos, as well as Rob Forsyth, a director of Sophos here in Australia. Really what this chat is all about is interface. We cover a few topics; how users are finding it increasingly difficult to determine when a warning dialogue or popup is genuine or fake, how online crime syndicated are investing a great deal more effort into pretty graphics and good copywriting, and then we chat about how mobile operating systems like Android have succeeded by making extraordinarily complicated things appear very very simple, and what the security implications of that are.

PRESENTATION: The risks posed by new wiretapping technologies

Patrick Gray — Fri, 18 May 2012 00:00:00 +1000

The following is a recording Susan Landau's plenary presentation. She's a Visiting Scholar in the Computer Science Department at Harvard University. Prior to that she worked as a Distinguished Engineer at Sun Microsystems, and held faculty positions at the University of Massachusetts and Wesleyan University. Her talk is titled Surveillance or Security? The Risks Posed by New Wiretapping Technologies.

SPONSOR PODCAST: When pentesting doesn't make sense

Patrick Gray — Fri, 18 May 2012 00:00:00 +1000

In this sponsor podcast we're chatting with Declan Ingram, Principal Security Consultant with Datacom TSS. Datacom TSS is a relatively new Aussie company that offers all the usual services, like penetration testing and app review, and we're going to chat with Declan about when those types of services can be best deployed. Dropping massive amounts of budget on pentesting might not be the best way to use your resources, he says.

PRESENTATION: Forensics and SCADA/DCS

Patrick Gray — Fri, 18 May 2012 00:00:00 +1000

The following is a recording of Mark Fabro's AusCERT plenary. As soon as you listen to Mark for more than five minutes you'll quickly realise he really knows what he's talking about. This talk is about performing incident response and forensic analysis on live SCADA networks. It's very interesting stuff and Mark is a great presenter.

INTERVIEW: Is the regulation of SCADA networks futile?

Patrick Gray — Fri, 18 May 2012 00:00:00 +1000

Yesterday I caught up with SCADA security expert and AusCERT speaker Mark Fabro of Lofty Perch. We spoke about attempts by governments to mandate minimum security requirements for critical infrastructure through regulation. I started off by asking him what regulation attempts in North America look like now.

SPONSOR PODCAST: Volumetric versus application DDoS

Patrick Gray — Fri, 18 May 2012 00:00:00 +1000

In this sponsored podcast we chat with both Arbor Networks' Nick Race and Matt Hollis of Vocus. We discuss the state of both application and volumetric based DDoS techniques. As you'd no doubt be aware, Arbor makes DDoS mitigation equipment -- there's the enterprise stuff that blocks application-based attacks, like attacks that exhaust resources on the target, then there's the telco stuff that blocks the volumetric attacks -- a.k.a. bandwidth exhaustion attacks. I started off by speaking with Matt Hollis of ASX - listed connectivity provider Vocus. These guys have some serious tubes, so they're used to seeing a lot of volumetric attacks. Then I got on the line with Arbor Networks' Nick Race to discuss app-based attacks.

INTERVIEW: Connecting the physical with the virtual

Patrick Gray — Thu, 17 May 2012 00:00:00 +1000

In this interview we chat with Juniper Networks' chief security architect Christopher Hoff. I posted the audio of Chris's plenary talk yesterday... it was very interesting stuff, so check it out if you get a chance. He basically outlined his vision for security automation -- security at scale. A part of that vision is advocating a more communication and integration between apps and infrastructure. He says apps should be able to interact directly with networking infrastructure through APIs. It sounds great, but could it be a disaster?

PRESENTATION: Contactless payments with Peter Gutmann

Patrick Gray — Thu, 17 May 2012 00:00:00 +1000

The following is a full recording of a presentation by the University of Auckland's Peter Gutmann discussing contactless payment systems. It's a nice overview that points out some of the dumber implementation mistakes that have been made by card brands and issuers. There's a reference to a Shmoocon talk in this recording. You can find the whole thing here.

INTERVIEW: Robert Clark on legal aspects of cyber espionage

Patrick Gray — Thu, 17 May 2012 00:00:00 +1000

This is an interview with Robert Clark, the operational attorney for the US Army Cyber Command. I posted audio of his talk yesterday... he spoke a lot about international law as it applies to cyber war. But I wanted to pick his brains about something he briefly mentioned. During his presentation he mentioned that espionage is actually legal under international law. I asked him to expand on that and we had a great chat about the legal aspects of online espionage.

SPONSOR PODCAST: DDoS attacks against mobile networks

Patrick Gray — Thu, 17 May 2012 00:00:00 +1000

In this sponsored Arbor Networks founder and CTO Rob Malan. If you're lucky enough to have met Rob, you'd know that not only has he built a crazily successful business, but he's one of the most technologically savvy people you will ever meet. He lives and breathes his business, and lately he's been focussing on what he sees as a future problem area: Denial of service attacks against mobile 3G and 4G/LTE networks. As you'll hear, Rob says the average mobile network is a bit of a disaster and there'll be plenty of opportunities for miscreants to wreak havoc on them.

PRESENTATION: Mikko Hypponen on "The Enemy"

Patrick Gray — Wed, 16 May 2012 00:00:00 +1000

The following is a complete recording of Mikko Hyppponen's opening keynote to the AusCERT 2012 conference. Mikko is the chief research officer for the Finnish antivirus firm F-Secure. It takes him a few minutes to pick up steam, but I definitely recommend sticking with his talk. It starts out good and winds up fascinating. The title of his talk is The Enemy, and in it he examines three groups of attackers -- Criminals, Hacktivists and Nation States. It sounds like well worn material, but Mikko's take is definitely worth listening to.

PRESENTATION: Christopher Hoff on virtualisation, cloud, deperimiterisation

Patrick Gray — Wed, 16 May 2012 00:00:00 +1000

The following is a complete recording of Christopher Hoff's AusCERT presentation. He's the chief security architect with Juniper Networks. He has a vendor-heavy background, but don't hold that against him -- he's got some very interesting ideas around virtualisation, cloud computing and deperimiterisation. His talk is about automating security at scale, but he starts off, off all things, with a history innovation in toilets, which surprisingly works pretty well. Here he is: Christopher Hoff, chief security architect of Juniper Networks. Enjoy.

SPONSOR PODCAST: Apple's security marketing comes unstuck

Patrick Gray — Wed, 16 May 2012 00:00:00 +1000

In this sponsor podcast we chat with Paul Ducklin of Sophos about the recent spate of Mac Malware. In light of malware like Flashback, is it fair to say the public perception that Mac computers are more secure has been busted?

PRESENTATION: US Army lawyer Robert Clark

Patrick Gray — Wed, 16 May 2012 00:00:00 +1000

The following is a complete recording of an absolutely fascinating presentation by Robert Clark -- the operational attorney for the US Army Cyber Command. His presentation examines the legal regime surrounding cyberspace operations. He looks at the legal underpinnings of computer network security; defense; exploitation; and, attack. It is absolutely riveting stuff and I hope to be catching up with Mr. Clark at some point during the conference to ask him about six million questions.

SPONSOR PODCAST: Commercial sector versus intelligence world

Patrick Gray — Wed, 16 May 2012 00:00:00 +1000

In this sponsor podcast we chat with Richard Byfield, co-founder and general manager of Datacom TSS. Datacom TSS is a relatively new Australian company backed by the Datacom group, the large integrator. They're an independent company offering the usual stuff, like penetration testing and app review, but what makes them a little different are its founders. They used to work in the security and intelligence community for the Australian government, which means they've spent a lot of time viewing the threat environment with a slightly different perspective to the rest of us. With that in mind, I thought it would be interesting to ask Richard what it was like for him to transition from his previous place of employment into the private sector. Here's what he had to say.

Risky Business #238 -- BYOD is here whether you like it or not

Patrick Gray — Fri, 11 May 2012 00:00:00 +1000

In this week's show we take a look at the big burning issue of BYOD. Neal Wise of Assurance.com.au joins us to discuss some common approaches. Neal says one reason companies are starting to address the issue is because staff are already bringing devices in and connecting them to corporate resources regardless of company policy. In other words it's happening whether you like it or not. This week's show is brought to you by Tenable Network Security -- if you need some vulnerability detection and management software, or some whiz bang security information event management kit, you'd best get your butt into gear and head to tenable.com. In this week's sponsor interview Tenable Network Security CEO Ron Gula also weighs in on the debate. He says the BYOD phenomenon is doing a fantastic job at resuscitating NAC and NAP vendors. Adam Boileau, as always, joins us for this week's news headlines.

Risky Business #237 -- Opsec for dummies

Patrick Gray — Thu, 03 May 2012 00:00:00 +1000

On this week's show we're taking a look at basic opsec with an incident responder friend of ours. We'll be talking about some sensible strategies people can use when they're up to illegal stuff on the Internets, because, you know, watching all these guys getting busted for owning FBI websites from their own IPs is getting boring. This is useful stuff to understand on the defensive side, too. Plus Adam Boileau joins the show with his take on the week's news.

Risky Business #236 -- What to do with 300mb of VMware source?

Patrick Gray — Fri, 27 Apr 2012 00:00:00 +1000

In this week's feature interview we're chatting with reverse engineer Jonathan Brossard about the theft of VMware source code from a third party. Lulzsec-linked hax0rs have owned up around 300mb of VMWare source and they say they're dropping it on May 5. We believe them. Predictably, VMware says it's no big deal, but Jonathan says that line is basically horseshit. He'll be joining us to tell us why. Jonathan is the CEO of Toucan Systems and an organiser of Hackito Ergo Sum. In this week's sponsor interview we're chatting with Adobe Software's product security chief Mr. Brad Arkin. He'll be bringing us up to speed on what he's been up to over the last four weeks or so, and boy, has he been busy. They've been releasing silent auto-updaters for Flash player, open source malware triage tools, making major updates to Adobe Reader 9 for the poor souls who are unable to upgrade to 10; all sorts of good stuff. Adam Boileau, as usual, joins the show for the week's news. ***EDITOR'S NOTE: There was a small error in this week's introduction script to the sponsor interview. Changes were made to Adobe Reader 9. The introduction script mistakenly said Adobe had introduced changes to Flash Player 9.

Risky Business judged Australia's best technology audio program

Patrick Gray — Mon, 23 Apr 2012 00:00:00 +1000

Risky Business has scooped another Lizzie award for excellence in IT media at this year's Mediaconnect IT Journalism Awards. The podcast edged out competition from other IT publishers and the ABC to take the award for Best Technology Audio Program for the third year running. Big thanks go out to all the listeners who make Risky Business a viable media outlet, the guests who take the time to appear on the show and to the sponsors who keep a roof over my head. But of course biggest thanks of all go to Adam Boileau for his consistently insightful and lulzy turns as our regular news guest. And congratulations to all the other winners.

Risky Business #235 -- Why you really should read Mark Dowd's book

Patrick Gray — Fri, 20 Apr 2012 00:00:00 +1000

We've got a jam-packed show this week! We'll be hearing from Ruxcon organiser Chris Spencer about a new conference he's putting together. It's called BreakPoint and he's trying to establish it as a truly international conference. We'll also be chatting with Mark Dowd about his, shall we say, more interesting vulnerability disclosure practices. And in this week's sponsor interview we're chatting with RSA Security's Ian Farqhuar about BYOD -- bring your own devices. He says it's possible to spin the BYOD phenomenon into a security positive, basically because you now have an excuse to treat all your endpoints as hostile. It makes sense. Adam Boileau, as usual, joins us for the week's news headlines. *********When I initially posted this episode I linked through to the wrong mp3. Fixed now!

Risky Business #234 -- UK spy laws under the microscope

Patrick Gray — Sat, 14 Apr 2012 00:00:00 +1000

On this week's show we're taking a look at new laws in the United Kingdom that are designed to automate the collection of certain types of intelligence from telcos and ISPs. The information itself has previously been accessible without warrant by UK intelligence agencies, but now they'll be able to bring up the data with a few keystrokes in real time. That simple change could result in grave invasions of privacy, according to this week's guest, Roelof Temmingh of , the makers of Maltego. Also this week Chris Gatford of HackLabs drops by for this week's sponsor interview. In it we discuss some statistics he's cobbled together from HackLabs last 100 or so penetration tests. They're not so much surprising as, you know, depressing. Adam Boileau, as always, is along to discuss this week's news. And this, spectacular fail.

So long, CabinCr3w, and thanks for the mammarys

Patrick Gray — Thu, 12 Apr 2012 00:00:00 +1000

Melbourne's Age newspaper is carrying a delicious little item today. The long arm of the law has caught up with the alleged ringleader of the CabinCr3w hacking group. Over the last few months CabinCr3w have pwned a bunch of law enforcement websites, even doxing a bunch of officers. Pretty ballsy stuff, right? You'd think if you're starting a war with law enforcement you'd have your opsec shit in order, yeah? Well, apparently not! Criminal mastermind Higinio O. Ochoa III -- his real name, apparently -- has been tracked down via a photo of his girlfriend's boobies. He allegedly posted it on a website along with information stolen from various police services. The woman, from Wantirna South in the Australian city of Melbourne, was pictured holding a sign that reads ''PwNd by w0rmer & CabinCr3w <3 u BiTch's''. Unfortunately for Mr. Ochoa The Third, he didn't scrub the EXIF data from the photo. The GPS coordinates within lead police right to his girlfriend's house. Oops. You can't make this shit up.

Apple struggles to contain Flashback

Patrick Gray — Wed, 11 Apr 2012 00:00:00 +1000

Reports say up to 600k boxes have been hosed, and if recent statements out of Cupertino are any indication, Apple staffers are running around like the proverbial headless chickens trying to contain this outbreak. It seems the Apple security team has taken a leaf out of Microsoft's book -- they're targeting Flashback's C&C servers and will issue a removal tool through its software update service. "The Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions," today's statement reads. "Apple is working with ISPs worldwide to disable this command and control network." Apple tardily released a patch for the Java vulnerability that allowed this malware to propagate in the first place. But considering Java is a bottomless pit of vulnerabilities, you might want to disable it system-wide. You can actually do that on OS X -- it's under Java preferences in System Settings.

Risky Business #233 -- Max pwnage

Patrick Gray — Thu, 05 Apr 2012 00:00:00 +1000

On this week's show Adam Boileau and Patrick Gray talk through the week's security news headlines, including: Up to 500,000 Macs pwned by the Flashback Trojan Auto-updater finally out for Flash UK proposes completely stupid laws 1.5m credit card numbers looted Zeus still active after MS takedown Tenable Network Security CSO Marcus Ranum stops by for this week's sponsor segment. Big thanks for Tenable for making this week's show possible!

Risky Business #232 -- Huawei, the NBN and Chewbacca

Patrick Gray — Thu, 29 Mar 2012 00:00:00 +1100

This week we talk to CommsDay founder and publisher Grahame Lynch about the Australian Government's decision to ban Chinese Networking vendor Huawei from supplying equipment to the National Broadband Network. The government says it will block Huawei's participation in the rollout of the $36 billion network on security grounds following a negative assessment by Australian spy agency ASIO. Read Grahame's take here. Is this a decision that really makes sense from a pure political point of view? Or could there be some political considerations at play here? Grahame clues us in. This week's show is brought to you by Adobe. Adobe's head of product security Brad Arkin is along in this week's show to talk about its new open source tool that helps incident responders pull apart suspicious flash objects. Don't forget you can 'like' the Risky Business podcast on Facebook, if that's your thing, or follow Patrick Gray on Twitter. Also this week, SC Magazine Australia's editor Darren "Dazza" Pauli joins us to discuss the week's news headlines. He's filling in for Adam Boileau who's off having his beard permed and dyed.

Risky Business #231 -- Hacktivism a genuine threat: DBIR

Patrick Gray — Fri, 23 Mar 2012 00:00:00 +1100

This week's feature interview is a chat with Verizon Business Security Solutions' Bryan Sartin about the annual Data Breach Investigations Report, or DBIR. Risky Business covers the report [pdf] every year. It's basically a post mortem of the previous year -- what sort of records were breached and by who? What were their motivations? What were their techniques? The US Secret Service cooperates with the report, as does Australia's own Federal Police. When you throw in Verizon's own caseload, you wind up with something approaching an authoritative report. It's rare for a vendor to actually put out something this good. The 2012 report, which focuses on 2011 incidents, arrived at a very interesting conclusion -- in 2011, more records were breached by hacktivists than criminals. In this week's sponsor interview we chat with RSA Australia's acting country manager Geoff Noble. Geoff normally heads up sales, but don't hold that against him, because as you'll hear he's actually got a deep understanding of trends in enterprise security. I got Geoff on the phone earlier this week and asked him to tell us what trends emerged at the most recent RSA conference in San Francisco.

Risky Business #230 -- Can security tester accreditation work?

Patrick Gray — Fri, 16 Mar 2012 00:00:00 +1100

This week's feature interview is with Alastiar MacGibbon, CEO of CREST Australia -- the Council of Registered Ethical Security Testers. In the UK CREST is a big deal, and now it's on its way to Australia and NZ. There's even a similar organisation in the USA that is doing things the CREST way. So this approach could actually become a worldwide, accepted accreditation for security testers. I know one extremely capable tester who flew over to the UK to take the CREST tests and wound up flunking the team leader portion of one of them, so it's not your typical rubber stamp. But! With such a lack of talented security testers out there, it seems possible from where I sit that CREST may have to lower its standards to get enough people certified. And security is such a fast moving discipline -- how will we ensure that CREST certified testers have current skills? That's this week's feature. Adam Boileau, as always, stops by to chat about this week's news headlines.

CREST launches in Australia

Patrick Gray — Fri, 09 Mar 2012 00:00:00 +1100

The Australian government has announced the establishment of the Council of Registered Ethical Security Testers, or CREST. CREST is a pretty big deal in the UK. Over there it's an extremely serious series of tests that can give hiring organisations a semi-reliable indication that a tester knows what they're doing. If you don't have your CREST certification, there's work you simply can't do. But who knows what it'll morph into here -- the jury isn't just out, it hasn't even been empanelled yet. Government involvement isn't usually a good start. You can read the Attorney General's announcement here. Interesting to note that former Australian Federal Police agent (that was years ago now) Alastair MacGibbon is the CEO of CREST Australia. He has zero background in security testing but his appointment makes sense -- it wouldn't be politically possible to appoint a CEO from a professional services organisation. This way there's no conflict of interests.

Risky Business #229 -- Adrian Lamo on the LulzSec arrests

Patrick Gray — Fri, 09 Mar 2012 00:00:00 +1100

On this week's show we're catching up with Mr. Popular himself, Adrian Lamo. Adrian is best known as the guy who turned in alleged Wikileaks source Bradley Manning, but he also has some very interesting perspectives on the LulzSec arrests. This week's show is sponsored by Tenable Network Security! In this week's sponsor interview Tenable product Manager Jack Daniel will be along to chat about a recent Tenable Webinar that was all about the internal politics of security. If you're struggling to get your colleagues on side, you want to listen to that interview! Adam Boileau, as always, joins the show to discuss the week's news.

Wikileaks Stratfor email dump could be FBI sting

Patrick Gray — Wed, 07 Mar 2012 00:00:00 +1100

Global law enforcement swooped overnight, arresting a handful of online miscreants who, between them, have generated more headlines than the rest of the online underground put together. That's right, LulzSec has been comprehensively pwnt. Some were arrested yesterday in raids, others, arrested some time ago, had their indictments unsealed by the courts. But it was the news that online Anonymous hero Sabu, aka Hector Xavier Monsegur, had been acting as an FBI snitch since August 2011 that came as a shock to many. It shouldn't have. Back in September 2011, Sabu returned to Twitter after a one month hiatus as rumours of his arrest swept the Internet. He had indeed been arrested and flipped. By the time he logged back on to Twitter he was an active asset of the FBI. The game had been up for Sabu since June 2011 at the latest. His identity had been well and truly exposed, with multiple pastebin posts unmasking him. You would think anyone with half a brain would keep their distance from a high-profile target who was rumoured to be arrested, disappeared for a month, then reappeared. But no. Everyone stayed tight. That's how the attackers allegedly behind the HBGary Federal attack, Stratfor's mail leak, the law-enforcement con call wiretap and attacks against Sony Entertainment have all wound up in the clink. None of this matters. The real play here could be for Wikileaks and its founder Julian Assange. We know these are the people who stole Stratfor's e-mail. This is the e-mail Wikileaks recently began publishing and releasing to its "media partners". We also know that this particular group of hackers had been completely and utterly compromised by the FBI. Is it possible that the idea of passing Stratfor's mail on to Wikileaks, instead of just publishing it to the Internet, was in fact the FBI's idea? This group published HBGary's stolen mail directly to the Internet, why change now? Could it be that Sabu, at the behest of the FBI, was advocating a different approach? You would think that the negotiated handover of illegally obtained data could open up all sorts of conversational possibilities. If a Wikileaks staffer asked these anon contacts to illegally obtain more information from other targets, I imagine that would be legally problematic. The trick for the US Department of Justice could be trying to portray Wikileaks as the document laundering arm of Anonymous. You can bet your bottom dollar that any communications between Wikileaks and this group were monitored, but it will be some time before we know if prosecutors can make hay from them. Listen to Wired.com's news editor Kevin Poulsen discuss the Stratfor email dump. (24 mins in.) Patrick Gray on Twitter.

Risky Business #228 -- Wikileaks the new Anonymous?

Patrick Gray — Fri, 02 Mar 2012 00:00:00 +1100

This week we'll be joined by Wired.com's news editor Kevin Poulsen for a chat about the big news of the week -- Wikileaks' gigantic dump of private intelligence contractor STRATFOR's allegedly stolen e-mails. This week's show is sponsored by Adobe, and Adobe's head of product security, Brad Arkin, will be along to discuss the way ISV's view white-hat research. You might love your latest sandbox bypass technique, but he doesn't! That's this week's sponsor interview with Adobe's Brad Arkin. As always, Adam Boileau stops by for a check of the week's news headlines.

Risky Business #227 -- Surveillance, the state and fascism

Patrick Gray — Fri, 24 Feb 2012 00:00:00 +1100

In this week's feature interview you'll hear part two of my interview with In-Q-Tel's CSO Dan Geer. We chat with Dan about electronic surveillance, the state, fascism and even the "digital Amish". He is, as always, fascinating. This week's edition of the show is brought to you by Hacklabs, an Australian penetration testing firm. Some homegrown support! Thanks, guys. Hacklabs very own Chris Gatford will be along in this week's sponsor interview to have a chat about Glenn Mangham, the Brit who's now serving a prison term for hacking Facebook despite his claim to be all very, very white-hatty. Adam Boileau, as always, checks in to discuss the week's news headlines.

Risky Business #226 -- "Digital Exhaust" with Dan Geer

Patrick Gray — Fri, 17 Feb 2012 00:00:00 +1100

On this week's show we chat with information security legend Dan Geer about traffic analysis and "digital exhaust". Everything we do online produces a tonne of metadata. What can be inferred through the analysis of this metadata and who's likely to analyse it? Part one of my chat with Dan Geer is this week's feature interview. This week's show is sponsored by RSA Security, the security division of EMC. So in this week's sponsor interview we're chatting with RSA's Mason Hooper about the company's 2012 Cybercrime Trends Report. Is Zeus still Zeusy? Still Godlike? We'll find out at the back of this week's show. Adam Boileau, of course, drops in to discuss the week's news headlines.

Risky Business #225 -- Will DMARC actually help anyone?

Patrick Gray — Fri, 10 Feb 2012 00:00:00 +1100

On this week's show we're taking a look at the DMARC anti-phishing effort. we mentioned it on the news last week, but we're going to get into it properly with our good buddy Paul Ducklin. He's along after the news. This week's show is sponsored by Tenable Network Security. Tenable's chief executive Ron Gula will be along in this week's sponsor interview to chat about the theft of Symantec's source code. He doesn't think it's a world ender, and you know what, he's probably right! He's along after this week's feature interview. There's also plenty of news to discuss with our news co-host Adam Boileau! You can "like" Risky Business on Facebook here. Find Patrick Gray on Twitter here.

Symantec light on AV compromise specifics

Patrick Gray — Thu, 09 Feb 2012 00:00:00 +1100

Symantec claims customers using its endpoint protection and antivirus products are not at risk following revelations the company's AV source code was stolen in 2006. But when it comes to providing specifics, Symantec is guarded. Following yesterday's blog post, Symantec has claimed recycled source code from its corporate antivirus product of 2006 makes up only 5% of current endpoint protection software. But it won't say which 5%. Furthermore, 5% of Symantec's latest bells-and-whistles endpoint security products is a lot of code; basic corporate AV solutions from 2006 were pretty small by comparison to today's bloatware. So it could well be that a large proportion of the stolen code is actually in the current product. THAT's the percentage I'd like to see. Here's the company's response to yesterday's questions, and below that my lingering unease about the company's answers. We have definitely analyzed the 5% of the code and have determined it to be benign enough in nature not to present a security threat to current Symantec and Norton users if an attempt was made to exploit it for the purposes of a cyber attack. Furthermore, as mentioned in the previous e-mails, the combination of features in the current Symantec and Norton software would protect customers against an attack. For competitive purposes and protection of our intellectual property, we are not going to get into the specifics of the exact functionality of the 5% of that code. Given the visibility of this incident, i.e. there is consistent monitoring of our communications by hackers and the Anonymous group, we're hesitant to provide specifics on the size of the code for NAV CE and SEP 10.2 (hence someone may be able to tell what they have or don’t have based on the size alone). However, you are correct that the total amount of code for Symantec Endpoint Protection is demonstrably larger than NAV CE, again, if for no other reasons than to accommodate all of the new features and functionalities layered upon over the previous six years. More technical readers would know that the claims that extra features in the company's newer endpoint protection software would make exploitability impossible are quite simply bunk. Sure, they might provide some defence-in-depth protection against malware, but I fail to see how a new, whiz-bang file reputation ranking engine will prevent targeted exploitation of vulnerable AV scanning engine code, for example. Further, Symantec has stated it analysed the relevant code and determined it's not vulnerable, but won't say which chunks of that code have found their way into current products. Why? Surely if the code is good it can say which component is still being used in current source trees. Also, calling Anonymous a "group" is a bit silly, especially in this instance as it was a bunch of people calling themselves the Lords of Dharmaraja who claimed credit for the attack. Anons have just been chuckling along with them. For a company like Symantec to conflate this compromise with the activities of a broader meme/movement like Anonymous may be convenient for PR purposes, but it's not really accurate. So, brass tacks time: It's unlikely the Symantec AV source code that's doing its rounds over the Internet is going to really help attackers out there in a meaningful way. That said, I get the impression that Twitter user @GMKnowBoulder was right yesterday when they said Symantec seems stuck in the "quantum void between the engineering force and the marketing dark side". So who out there can be bothered bindiffing NAV CE circa 2006 against current endpoint protection products? Find Patrick Gray on Twitter.

UPDATED: Symantec's spin department at work?

Patrick Gray — Wed, 08 Feb 2012 00:00:00 +1100

UPDATED WITH COMMENT FROM SYMANTEC BELOW So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent. This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source. In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees they won't publish the source and issue a statement saying the breach never happened. Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible. The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well. When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out. Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least. But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying: To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold. The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it. That's a bold statement but it could well be true. But what exactly is Symantec saying here? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software? Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it? That whole statement is just weird and until we get more information out of the big yellow S it just raises more questions that it answers. I'll be firing off some questions to Symantec PR on this and we'll see what they say. UPDATE: The PR gnomes at Symantec have issued this response: "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product. As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions. If customers are using current version of their Symantec or Norton products, they will be protected against attacks that might result of the theft and possible disclosure of the code." I've pushed back again to ask a few followups... like, WHICH 5% is still in the product? Was the other 95% of code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once over? etc etc. Will hopefully have an update soon. Find Patrick Gray on Twitter.

Verisign pwnz0red: Reuters report

Patrick Gray — Fri, 03 Feb 2012 00:00:00 +1100

An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems. The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here. It’s interesting for several reasons. Firstly, the reason we know about this event is because it was disclosed in the company’s SEC filings. Secondly, Verisign is a very important company when it comes to the issuance of digital certificates. And finally, the story is made all the more fascinating by the vagaries of the disclosure. The filing is a tad light on specifics, like what data was actually "exfiltrated". It’s also a sad sign of what's become of the technology media. The breach was disclosed in an SEC filing back in October, but has only hit the news now. Symantec says there's no evidence to suggest the breach affected its SSL systems, which, if true, means the story as reported is a bit of a beat up. I suspect this breach is unlikely to be of the magnitude of the RSA hack or Aurora attacks against Google. If anything it tells us more about the sorts of disclosures we're likely to see in future SEC filings in the USA. But who knows? Sometimes these stories are slow burners... Either way, the fact that no one would be surprised if Verisign's SSL boxes got pwned is proof enough that browser manufacturers need to redouble their efforts in protecting users from man-in-the-middle attacks performed with illicitly issued but "technically legitimate" certificates. I believe Chrome already pins certs for most major websites and IE might already do it too. What does your gut feel say? Drop us a comment! Find Patrick Gray on Twitter.

Risky Business #224 -- Lost source and open relays: 2012 is here

Patrick Gray — Wed, 01 Feb 2012 00:00:00 +1100

Risky Business is back for 2012! This week's edition of the show is sponsored by Adobe. And as it's our first week back we're focussing mostly on catching up on the news of the last six weeks or so. Between McAfee turning its customers into open relays -- that wound up being used by spammers -- and Symantec realising its source code walked six years ago, it's been a cracking start to the year. Risky Business news co-host Adam Boileau joins the show to run through the key highlights of the last six weeks. Also in this week's show, Adobe's product security chief Brad Arkin joins the show to talk about the virtues of silent patching. Brad's been on board with Adobe since 2008 and says the company has actually made progress in the product security arena. Have a listen to him and judge for yourself! The production of this week's show did not go smoothly. My SSD died, with the entire, unedited show on it. Two people really, really helped out and saved this week's podcast. Adam Pointon donated a couple of hours of his Tuesday evening and managed to recover the interviews from the dead drive. Massive thanks to him. Jonathan Wrigley of Xero Computing in Calrton let me use one of his display systems to finish cutting together the show. So big, big thanks to both of them. If you live in Melbourne, by all means pop into Jonno's shop and pick up some stuff for your Mac. Enjoy the show!

Risky Business #223 -- Summer edition: Drones pwned?

Patrick Gray — Tue, 20 Dec 2011 00:00:00 +1100

This is a special summer edition of the Risky Business podcast. There's no feature interview or sponsor interview -- just Adam Boileau and Patrick Gray discussing the most interesting security news items of the last three weeks, including: Did Persians pwn Drones? Bradley Manning faces court HP to face printer vulnerability lawsuit Could the USA's SOPA law break DNSSEC? GlobalSign says its CA systems were never compromised New guidelines for issuance of SSL certs Microsoft to silently update IE in 2012 Fun fact: Ukranian general arrested for online fraud Putin's Twitterbots drown anti-regime hashtags Mexican government dismantles Los Zetas' massive comms network CNet's Download.com bundles crapware with nmap

Risky Business #222 -- Never pay for roaming data again

Patrick Gray — Fri, 02 Dec 2011 00:00:00 +1100

I thought we'd just have a bit of a fun feature for the last show of the year. It's an interview with Edith Cowan University's Peter Hannay about a presentation he did at Ruxcon back in 2010, all about turning Amazon's Kindle into a completely free internet access device that works all over the world. That's right, no subscriber fees and 3G access in a zillion countries. He'll tell you how you can hack your kindle to use it as a completely free USB Internet access device pretty much anywhere in the world. No more data roaming for you! W00t w00t! SSH everywhere! Astaro's Angelo Comazzetto takes a look back on Sony's 2011 woes in this week's sponsor interview and Adam Boileau joins us, as always, to discuss the week's news. Peter Hannay's Kindle code can be found here.

Oops! McAfee discloses 1k customer e-mails

Patrick Gray — Wed, 30 Nov 2011 00:00:00 +1100

McAfee Australia leaked 971 customer e-mail addresses in a botched e-mail marketing campaign last week. The addresses of the recipients were placed in the visible TO field instead of the BCC field. It's an all-too-common mistake, made especially embarrassing for McAfee because it's not the first time in recent memory something like this has happened. In July, 2009, the company accidentally attached the full contact details of 1,400 customers to a marketing mailout. The latest e-mails to leak are those of enterprise and government contacts, not consumers. In response to a query from Risky.Biz, McAfee released the following statement through its public relations firm Spectrum Communications: Late last week McAfee sent an email inviting a small percentage of McAfee customers, based in New South Wales, to its Enterprise Mobility Management webinar. Due to human error and contrary to McAfee policy and procedure, the email inadvertently revealed the recipient email addresses. This error has been investigated and we are in the process of contacting the people affected to apologise, provide information and request that recipients delete the email addresses we have shared in error. We are taking this opportunity to remind all staff of the importance of our processes around customer communications. This sort of thing is always so embarrassing... Follow Patrick Gray on Twitter.

Risky Business #221 -- Browser GFX security with Ben Hawkes

Patrick Gray — Fri, 25 Nov 2011 00:00:00 +1100

In this week's feature interview we're chatting with Google's Ben Hawkes about the risks posed to browsers by new developments in the way they handle graphics. WebGL and Flash Stage3G allow Websites easy access to graphics cards but introduces a bunch of potential security issues. What if there's a bug in your graphics card driver? Can you then exploit that through the browser? That, for want of a better word, would be... bad. It's a topic that's been picking up a bit of coverage over the last six months or so, but is it overhyped? In this week's sponsor interview we're hearing from Eddie Schwartz the Chief Security Officer of RSA security. We're chatting to him about the notion that keeping attackers out of networks just isn't realistic anymore. CSOs need to cop to that fact, Eddie says, and start looking at some fresh approaches. We have a good chat about some of the Jericho Forum's security principles [totally legit PDF], too, and how consumer devices entering the enterprise is actually driving a deperimiterisation approach to infosec. Adam Boileau, as always, drops in for the week's news headlines!

Risky Business #220 -- All your Macs are belong to Snare

Patrick Gray — Thu, 17 Nov 2011 00:00:00 +1100

On this week's podcast we take a look at doing some fairly unnatural things to the OS X operating system. We'll hear how to best rootkit OS X and also how messing with EFI bootloaders can be a whole bunch of fun in terms of installing persistent rootkits in PCI firmware. That's this week's feature interview, with our buddy Loukas from Assurance.com.au. Also this week we're joined by Tenable Network Security's product manager Jack Daniel in the sponsor interview. He'll be chatting to us all about Dan Geer's new cybersecurity research agenda. Adam Boileau, as always, joins us to chat about the week's news.

Risky Business #219 -- NFC puts chip readers everywhere

Patrick Gray — Fri, 11 Nov 2011 00:00:00 +1100

On this week's show we're talking Near Field Communications (NFC) with New Zealand's Nick von Dadelszen. NFC is set to become the next big thing for micropayments, alas it looks likely there's potential to conduct all sorts of mischief using NFC-equipped mobile phones like Google's Nexus S. NFC equipped phones are RFID readers, and Nick reckons we're about six months away from being able to use them as card emulators as well. Let the fun begin! Also this week, RSA Australia's Mason Hooper joins us to discuss Apple's decision to expel vulnerability researcher Charlie Miller from its developer program. Miller had snuck a dodgy app into the company's official appstore that was capable of running unsigned arbitrary code. Nice trick. Apple unimpressed. But did they overreact? That's this week's sponsor interview. Adam Boileau, of course, is this week's news guest.

RB2: Nick von Dadelszen's Kiwicon presentation on NFC

Patrick Gray — Fri, 11 Nov 2011 00:00:00 +1100

NFC on mobile phones is a new phenomenon and opens a lot of possibilities for research, particularly when talking about mobile payment platforms. Lateral Security's Nick discusses the good, the bad and the ugly of mobile NFC. RAW AUDIO.

Risky Business #218 -- Precisely how badly does Android support suck?

Patrick Gray — Thu, 03 Nov 2011 00:00:00 +1100

On this week's show we're taking a look at support for Android devices. If you're a regular listener you would have heard us whingeing about Android's woeful support. We've often said most Android devices out there are running old and insecure versions of the software, and now we have proof. This week's feature guest, Michael DeGusta, has done a bit of research on this topic and found, well, Android support is even WORSE than we first thought. He turned his research into a chart that went viral. Here it is: Also this week, Sophos Network Security's Bill Prout joins us for a chinwag about webapp security in online retail. Adam Boileau, of course, stops in to discuss the week's news headlines. | \t Show Player | Play in Popup | Download

Risky Business #217 -- Patrick Webster joins the show

Patrick Gray — Fri, 28 Oct 2011 00:00:00 +1100

In this week's feature we chat to Patrick Webster about his tangle with First State Superannuation. This is a story we've covered on the show over the last few weeks. If you haven't heard what happened, Pat spotted a bug in First State Super's statements system, probed it, let them know 12 hours later and then wound up with the police on his door! Since then the whole saga has turned into a pretty big deal here in Australia. The police and civil actions against Webster have both been dropped and First State Super -- and its administrator -- has wound up in a bunch of trouble. In this week's sponsor interview we're chatting with Tenable CEO Ron Gula about a recent edict from the Securities and Exchange Commission in the USA that advises companies on what sort of cyber risks and incidents they should be disclosing in their quarterly filings. Ron has an interesting take -- initially I disagreed with him but he won me over, I hope you'll stick around for that. Adam Boileau joins the show, as usual to discuss the week's news.

RSA attackers pwnz0r Australians

Patrick Gray — Wed, 26 Oct 2011 00:00:00 +1100

Infosec reporter Brian Krebs published a splendid post a couple of days ago that apparently unmasks 760 victims of the same group that owned RSA. I've had a look through the list and pulled out all the Australian organisations I could find. From the looks of things this list was compiled by observing computers connecting back to evil C&C in China. That would explain why there are so many ISPs listed -- it's likely it wasn't the ISPs that got pwnz0riz3d, it was their customers. This full list is apparently doing the rounds among congressional staff in the USA. So, Australia-centric highlights of the reverse-lookups include: * CITEC-AU-AP QLD Government Business (IT) Basically all QLD Government IT is outsourced to CITEC. It's the QLD state govt's IT agency. * DSE-VIC-GOV-AS Department of Sustainability & Environment, Also affectionately known in political circles as the Department of Scorched Earth, it looks like DSE got popped. Not much mining in Victoria, so your guess is as good as mine as to why. * CSC-IGN-AUNZ-AP Computer Sciences Corporation I'm guessing this was CSC itself or one of its customers. Does CSC operate a few gateways? It does here, from memory... a few in Canberra, too. *cough* Then there are the ISPs. * AMNET-AU-AP Amnet IT Services Pty Ltd * TPG-INTERNET-AP TPG Internet Pty Ltd * MICRON21-AS-AU-AP Micron21 Melbourne Australia Datacentre. Co-Location Dedicated Servers Web Hosting * PI-AU Pacific Internet (Australia) Pty Ltd * TELSTRA Telstra Pty Ltd * VZB-AU-AS Verizon Australia PTY Limited * MPX-AS Microplex PTY LTD * IINET iiNet Limited * MCT-SYDNEY Macquarie Telecom * AAPT AAPT Limited Then there's this: * TEAM-CYMRU – Team Cymru Inc. Some of you will know why that's equal parts funny and bad.

Risky Business #216 -- WebScarab for SAP!

Patrick Gray — Thu, 20 Oct 2011 00:00:00 +1100

This week's feature interview is with Ian De Villiers of the South African security firm Sensepost. Ian recently dropped a couple of interesting SAP security tools at 44con in London and ZACon in South Africa. SAP makes Enterprise Resource Planning (ERP) solutions... CRM, SCM, PLM... you know, all that three-lettered, thick client enterprise stuff. It's everywhere and as it turns out, one of the only things that has saved it from thorough examination in the past has been the obscurity of its protocol. Well, Ian, extending the work of Ukranian security guy Dennis Yurichev, has written a couple of tools that will let you play around with SAP software. He's written a protocol decoder, SAPcap, and SAProx, which Ian describes as being like Webscarab for the SAP protocol. Also this week, Adam Boileau and I have a chat about the week's news, PLUS the latest twists in the First State Superannuation saga.

BREAKING: First State Superannuation threatens researcher

Patrick Gray — Fri, 14 Oct 2011 00:00:00 +1100

Australian security researcher Patrick Webster has received a letter from commercial law firm Minter Ellison demanding he turn over his computer to its client First State Superannuation. The legal threat follows Webster's disclosure of a serious and trivially exploitable security vulnerability in First State Superannuation's website to the company in September. Listen to my interview with First State Superannuation's Chief Executive Michael Dwyer AM here. The flaw allowed any logged in member to access other member's statements by changing a single digit in their browser's URL bar. The letter, received today, threatens to pursue Webster for costs incurred "in dealing with this matter" if he does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again. Webster claims he deleted the information in September. He says some member information, around 500 statements, was downloaded to his computer when he tested a bash script that would demonstrate the flaw to the company's IT staff. He ran it while he made a cup of tea, saw that it worked, deleted the information and sent the script to First State Superannuation's IT staff so they could independently verify the glaring security hole. You can read the letter here. Editorialising for a minute, if Webster had planned to do something untoward with the information he obtained in his four minutes of testing, why would he inform the company of their security issue? Why would he now retain the member information he was trying to protect by reporting the bug in the first place? If he'd found the bug in a Facebook or Google Web application, Webster would have actually received compensation for his time, not reported to the police and threatened. Now the company is threatening to recoup costs from him if he doesn't allow them to get their grubby, insecure mitts all over his computer. Why not just ask for a signed statutory declaration? Why resort to threats? The irony here is it's entirely possible that the glaringly obvious, boneheaded direct object reference bug that Webster exposed puts First State Superannuation completely on the wrong side of various compliance regimes and acts, including the Australian Privacy Act which stipulates organisations must take reasonable steps to secure personal information.

Risky Business #215 -- Aussie researcher heavied, Mitnick and more!

Patrick Gray — Fri, 14 Oct 2011 00:00:00 +1100

On this week's show we're delving into a troubling story emerging here in Australia. A local security researcher and consultant, Patrick Webster, has been threatened with criminal and civil prosecution after he disclosed a direct object reference bug in his pension fund's systems. We'll be discussing this in the news with Adam, then we'll be hearing from First State Superannuation's Chief Executive Michael Dwyer himself! Also on this week's show I'll be playing part two of my interview with famed hacker Kevin Mitnick. There's a very funny story in there about what happened when I asked him to track down Christopher Boyce, aka the Falcon of the Falcon and the Snowman fame. Boyce is an American who, at the time, had just been released from prison after serving a lengthy sentence for treason. A big news story over the last week was the Chaos Computer Club's discovery of a piece of malware thought to be used by law enforcement in Germany. Over there, government agencies are allowed to use malware to Intercept internet telephony, but nothing else. As it turns out the trojan was packed with all sorts of extra features that just shouldn't have been there. We'll be discussing that whole thing in this week's sponsor interview with Markus Hennig -- the co-founder of Astaro, which is now the network security division of Sophos. Adam Boileau, of course, stops by for this week's news segment. To subscribe to the Risky Business podcast via iTunes, click here.

EXCLUSIVE: NSW cops quiz Aussie security researcher

Patrick Gray — Thu, 13 Oct 2011 00:00:00 +1100

Well-known Australian information security professional Patrick Webster has been visited by NSW Police officers following his disclosure of an embarrassing Web application security bug to his superannuation fund. Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via "direct object reference," a security lapse so boneheaded it's included in OWASP's infamous top ten list of Web application security bugs. For those unfamiliar with direct object reference, it means documents are served up by way of a direct ID in a URL. The problem is that by changing the document ID in the browser's URL bar, another document will be accessed and served to the user. Direct object reference issues have been well known for over a decade. The Australian Treasury's GST Web Site was affected by a similar glitch in 2000. Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. He contacted First State Superannuation's administration arm, Pillar Administration, to notify them of the problem the morning after he discovered the company's shoddy coding. He even sent one of the fund's IT staffers a bash script to demonstrate the issue. The script enumerated document IDs and downloaded statements. "It needed to be fixed ASAP," Webster, who runs information security company OSI Security and is a prolific Metasploit contributor, told Risky.Biz. "That's why I made a script and sent it to [redacted], so he could run the script himself and see what I meant." The initial response from the fund was positive, with e-mails seen by Risky.Biz praising Webster for taking the time to notify the right people. First State Superannuation has 770,000 members, mostly working for the NSW State Government. Members include everyone from magistrates to police officers and nurses. It was two of those NSW police officers that turned up at Webster's front door at around 9pm last night. "They just rocked up on the doorstep and said 'We're after Patrick'," he said. "They said it was about downloading files from First State Super. They said they didn't really understand it. They were the local Police. "The annoying part is that I contacted First State straight up. I gave them my number, email... and full details in my email including LinkedIn and they called the cops," Webster said. It is generally understood in the information security industry that data accessed via a URL without further authentication has, in essence, been made public by the system allowing the access. It is difficult to argue that the access of such material is the bypass of a security control; it is merely proof of the absence of a security control. Webster demonstrated that any logged in First State Superannuation member could access the online statements of any other member via URL manipulation alone. It was Pillar Administration and First State Superannuation's diabolical violation of good practice that exposed members' details, not Webster's actions. For background on just how dysfunctional and negligent an organisation has to be to allow direct object reference to sensitive information, click here. Perhaps instead of contacting the law, First State Superannuation would have done well to send Webster, who ironically enough spent much of his career working in information security for NSW Police, a nice bottle of single malt and a sun hat. The company has suspended online access to Webster's account. Passing the buck, wasting taxpayers' money and police time FTW. Calls to Pillar Administration's head office and individual staffers were not returned. Staffers reached would not comment. Comment from NSW Police could not be obtained by time of publication and detectives reached would not comment. Pillar Administration and First State Superannuation have since fixed the direct access bug and notified members whose information was accessed by Webster's script. See the letter here [pdf]. The only silver lining that could come out of Webster being charged with something -- what, exactly is a bit foggy -- would be watching a prosecutor try to explain to a magistrate that changing a single digit in a browser bar is a computer crime. Lawl/snort/chortle etc. Follow Patrick Gray on Twitter here. Check out the Risky Business podcast here. Subscribe to podcast feeds here.

German "government trojan" debate is infantile

Patrick Gray — Tue, 11 Oct 2011 00:00:00 +1100

By now you've likely read about the German Chaos Computer Club's (CCC) reverse engineering of the so-called "Bundestrojaner," or "federal trojan". Someone found a copy of a remote access trojan in the wild, claimed it was government spyware and submitted it to CCC for analysis. The resulting publications give us a bit of an insight into at least one country's alleged "computer tapping" capabilities. The German government has actually denied the malware is used by any of its federal agencies. Who knows about state police services or agencies. But if it turns out the trojan is indeed 'legit' then we can safely say, drum roll please, governments write pretty shitty malware. I've been moved to write about this whole drama by the reaction to CCC's analysis. Some people out there are actually shocked that governments have this capability. I'm shocked they're shocked! Every time one of these (allegedly) government-created remote access trojans pops up the tinfoil hatters scream Big Brother; they seem to think the existence of this sort of technology proves governments are conducting illegal surveillance on a massive scale. They think the feds are rattling around in their computer already looking for evidence of subversive political thought. Kids, the government isn't using this technology to obtain advance copies of the anti-globalisation manifesto you're writing for Pastebin. You're a 21-year-old arts undergraduate with 320 Twitter followers. You're a nobody and no one cares about you. Deal with it. (QQ) Reaction from the fringe-dwellers aside, the CCC analysis was a truly worthwhile exercise. It managed to expose a few things, like the fact the trojan was shipping with features explicitly forbidden under German law pertaining to surveillance. The German government, under warrant, can lawfully intercept IP-based telephony with spyware, but it's not allowed to snoop on, say, files on the infected host's hard disk. Bundestrojaner's features explicitly allowed this. As mentioned, the German (federal) government has denied Bundestrojaner is its creation, but you can bet your bottom dollar any similar badware used by ze Germans is now getting some proper attention and oversight from up on high. This whole exercise has raised awareness at the very top and that's a hell of an accomplishment. The CCC deserves a pat on the back -- genuine kudos -- for bringing these issues to light. CCC also found the Trojan was a big pile of insecure, bug-riddled shit that anyone with half a brain could reverse and learn how to control; unencrypted command and control For The Win. Even if this trojan isn't government spyware, you can bet the real stuff is likely just as bad. But like it or not, governments today actually need these capabilities for legitimate reasons. So let's cool the debate a bit. Just like a court approved telephone intercept, there are entirely valid reasons for law enforcement to conduct covert searches of suspects' computers. There's simply no problem with governments having this capability as long as the judicial oversight is sufficient. [ADDED 25/11/11: I've reflected a bit on this and I don't think you can actually introduce sufficient oversight in this case. In the case of intercepting communications like Skype? Maybe. But in the case of just going nuts snooping on someone's hard drive? That's just a situation ripe for abuse. So colour me convinced!] If a law enforcement body is looking for specific evidence pertaining to a serious crime, has a prima facie case and there's no other practical way to obtain the evidence, how is a court granting a warrant allowing this sort of snooping a bad idea? [ADDED 25/11/11: Again, I'm convinced there's no effective oversight you could introduce here. In the case of phone/Skype intercepts I think you probably can have appropriate oversight, but remote, covert searches of someones' computer are a genuinely shitty idea. Mea culpa. I think I was just being contrarian to annoy the tinfoil hatters.] We do not have an absolute right to privacy from government, even in Western democratic nations. The state can intrude on the privacy of its citizens if there's a good reason. [ADDED 25/11/11: I absolutely stand by this as a general principle.] Should governments be installing completely bug-riddled, insecure trojans on peoples systems? Nope. Should they creating features that allow the controller of the malware to easily exceed their authority? Again, no. But let's not throw the baby out with the bathwater here. These government-created RATs are valuable as investigative tools in serious crime investigations. That's good for all of us. Let's look at this CCC analysis for what it is: A good excuse for Attorneys-general and police ministers all over the world to make sure this technology is being implemented in accordance with each country's wiretapping and surveillance legislation. What do you think? Post a comment here. Follow Patrick Gray on Twitter here. Check out the Risky Business podcast here. Subscribe to podcast feeds here.

Risky Business #214 -- Special guest Kevin Mitnick

Patrick Gray — Fri, 07 Oct 2011 00:00:00 +1100

This week's feature guest is Kevin Mitnick! Possibly one of the world's best known computer hackers, Kevin has been the subject of several books and even a B-Grade movie. He spent years on the run evading capture by the FBI, eventually winding up in prison for something like five years. Since his release in January 2000 he's become a successful public speaker, security consultant and author. His latest work, however, is his most well received. Kevin, with writer William L. Simon, has finally written an autobiography, and from nowhere it's become a New York Times bestseller. I've read it, it's heaps of fun... Kevin will be popping in later in the show to tell us why he's written his biography now... and I get to quiz him on some stuff that's not actually in the book. Hope you'll stick around for that. This week's show is brought to you by RSA Security so in this week's sponsor interview we chat with Mason Hooper about RSA's investigation into a particularly badass Zeus variant. They actually managed to seize around 200Gb of filtered financial information out of its C&C. That's a fair bit of dataz! Also, Adam Boileau is back from Europe and rejoins the show to discuss the week's news headlines! *****WARNING... we use the sh** word a lot in this episode. I have no idea why.

Risky Business #213 -- BEAST slayed, doxing galore

Patrick Gray — Fri, 30 Sep 2011 00:00:00 +1000

There's no feature interview in this week's show, instead we're focussing on news instead! And what a week it's been. Browser makers have slayed the SSL BEAST attacks, Goldman Sachs' CEO got dox'd, as did Sgt. Douchebag of the NYPD. You know the one... he's the guy who maced a bunch of peaceful protestors in the face. Microsoft even got in on the action and dox'd the operator of the Kelihos botnet! Meanwhile if you're a Cisco admin you're likely having a tough week, as are the folks at Diebold, who apparently STILL can't make secure e-voting machines. Also this week, Tenable Network CEO Ron Gula joined us to talk about log analysis. Sounds dry, but it's not. This week's show is, of course, sponsored by Tenable!

Risky Business #212 -- FBI makes LulzSec arrests, Diginotar folds

Patrick Gray — Fri, 23 Sep 2011 00:00:00 +1000

This week's feature guest is the head honcho of the Beef Project, NGS Secure's Wade Alcorn. Wade joins the program to talk about the SSL/TLS flaw that Juliano Rizzo and Thai Duong plan to demonstrate at the Ekoparty security conference. They've found some really nice flaws in TLS 1.0 that mean you can, under some circumstances, when six planets align in the June dawn, extract session cookies from SSL connections. It's not a bug that marks the end of the world, but it's just a really interesting one so Wade will be along to discuss it. And this week we check the news headlines with Mark "Longpipes" Piper.

Norton's cybercrime numbers don't add up

Patrick Gray — Wed, 21 Sep 2011 00:00:00 +1000

Over the last couple of weeks you may have spotted some news stories floating about claiming cybercrime costs society US$388bn annually, with Australia alone suffering A$4.6bn in yearly losses. If the numbers are to be believed, these reports say, that means cybercrime costs us nearly as much as the global trade in illicit drugs. It's a sensational claim and makes an awesome headline, but any way you slice or dice the numbers they just simply don't stack up. What's more frustrating is the most cursory analysis of these figures is enough to show they're fanciful. Yet lazy media outlets, spurred on by reports carried by the sycophantic technology media, happily parroted these claims as fact without doing the most basic checking. Institutional fraud measurements here in Australia blow the claimed numbers out of the water immediately. Direct losses from all personal fraud in Australia, online and offline, is estimated at A$1bn a year. So where did the claim involving a A$4.6bn annual impact come from? The numbers were dug out of a survey report released by Norton, the consumer division of Symantec, a company that makes computer security software. Norton engaged an online survey company, Strategy One, to quiz around 20,000 people in 24 countries about their experience with cybercrime. It asked respondents to nominate both direct and indirect losses they experienced as a result of online crime. Based on the responses Strategy One received, direct annual consumer losses extrapolate to USD$114bn a year. That includes losses that consumers experienced that were reimbursed, as is the case with the vast majority of credit card fraud. That figure seems high enough, but where things get comical is when Norton throws indirect losses into the mix. When asked to nominate how much these cybercrime experiences were worth in terms of "time lost," Strategy One extrapolated a figure of USD$274bn. Now, here's where it gets into Twilight Zone territory. According to Norton, United Nations figures estimate the illicit trade in heroin, cocaine and marijuana is worth US$288bn a year. The total illicit drugs trade is worth, apparently, US$411bn per annum. But if you add the USD$114bn figure for direct cybercrime losses to the USD$274bn "time lost" figure, you wind up with a total just under the figure for drug sales (USD$402bn). The result is the claim that "cybercrime is... approaching the value of all global drug trafficking". You see what they did there? Voila! Instant headlines! Norton is actually equating a fictional "time lost dollars" -- that never actually existed -- with actual dollars spent on marijuana. You'd think the marketroids were smoking the green stuff themselves when they came up with that comparison. They must be regular users, too, because Norton put out a press release on September 11, 2009, claiming cybercrime actually eclipsed the global drug trade. The press release was titled: "Cyber Crime has Surpassed Illegal Drug Trafficking as a Criminal Moneymaker; 1 in 5 will be a victim". As a moneymaker? Really? That's not even what Norton is claiming now! If that wasn't loose enough, it seems obvious that if we included "time loss" figures stemming from the illicit drug trade the comparison would be blown apart immediately. Just think of the harm being inflicted on Mexico right now by the drug cartels, not to mention narco-related drama in countries like Afghanistan. Then there's the money spent on the "War on Drugs," keeping drug dealers in prison and the productive capacity society loses to all those dope-smoking young males glued to their PlayStation 3s. While we're doing things the Norton way, why don't we include lost income that unemployed heroin users could be making if they straighten up? It'll be a completely meaningless number, but as long as it's big, apparently, it gets a run. Norton's definition of cybercrime is also fairly liberal. It defines "online harassment" as a cybercrime, along with being "approached online by a sexual predators". Online credit card fraud is defined as "someone made an unauthorized use of my credit/debit card, or card number, to fraudulently obtain my money or property". The word "online" doesn't even appear in the definition. This question, as written, will catch all credit card fraud. It gets better. In June two researchers from Microsoft, Dinei Floręncio and Cormac Herley, wrote a brilliant paper titled "Sex, Lies and Cyber Crime Surveys". You can read it here, but the general thrust of the paper is self-nominated loss figures are notoriously unreliable. Floręncio and Herley say surveys of sexual behaviour demonstrate people lie when asked to nominate how many sexual partners they've had. In a random sample, it stands that the average number of sexual partners for both men and women would be the same. But they're not. Women generally tell the truth, albeit shaving the number slightly. Men also generally tell the truth. Unfortunately, some men, the research says, massively overstate their notches-on-the-bedpost quota, and that throws the reliability of the survey more or less out the window. Floręncio and Herley argue overstated loss figures cause the same problems in cybercrime surveys. Cybercrime surveys that rely on self-nominated losses require multi-layer sampling and a sample size of up to several million respondents in order to be regarded as accurate, the Microsoft paper claims. The problem boils down to concentration. Overstated losses can massively skew data sets. In a survey based on 1,000 respondents, Microsoft says, a claim of a single loss of $50,000 would translate to a loss figure of $10bn over the whole population. A nominated loss of $7,500 translates to $1.5bn. So, they say, we should "discard" any survey that doesn't disclose both the median and mean figures for responses. These two figures give the reader an idea of how concentrated the responses are. The Norton survey does not disclose these figures. There are places we can look to find more trustworthy sources of information relating to crime and fraud. The Australian Bureau of Statistics, for example, estimates all personal fraud, both online and offline, costs Australians AUD$1bn a year (2007). The Australian Payments Clearing Association (APCA) calculated Australian Issued Payment Instrument (credit store and debit cards, cheques etc) at around A$210m for 2010. Sure, a body representing financial institutions might have an interest in understating these figures, but Norton's report claims direct cybercrime losses in Australia are A$1.8bn a year (roughly A$300 per household) with a further A$2.8bn in indirect losses! Put simply, Norton's figures just do not look credible next to institutional measurements, and Microsoft's research tells us these types of cybercrime surveys are unreliable. For its part, Norton says the discrepancies can be explained because much cybercrime goes unreported. "We are confident that the Norton Cybercrime Report is a valid representation of the current state of consumer cybercrime," the company wrote in response to questions. It's understandable that a company with a vested interest in overstating a problem will release this sort of marketing material. It's another thing for the media to just run with it without questioning the numbers.

Risky Business #211 -- Ruxcon's Chris Spencer plus news galore

Patrick Gray — Fri, 16 Sep 2011 00:00:00 +1000

On this week's show we chat with Ruxcon organiser and vulnerability researcher Chris Spencer. Chris pops by to offer a five percent discount on Ruxcon training to Risky Business listeners, and we also have a quick chat to him about trends in the vulnerability research game. Chris was popping shells and publishing exploits since the nineties, so he's seen a few things change! Also this week, RSA's Mason Hooper joins the show for this week's sponsor interview. We ask Mason for his thoughts on a not-particularly-convincing Norton survey report that estimates cybercrime is now bigger than the illegal drugs industry. Ha! Mark "Longpipes" Piper is this week's news guest. He's filling in while Adam Boileau is in Afghanistan seeking advanced beard grooming tips.

RB2: Wikileaks discussion panel, Splendour in the Grass 2011

Patrick Gray — Thu, 15 Sep 2011 00:00:00 +1000

The following is a recording of a panel discussion about Wikileaks that took place at the Splendour in the Grass music festival in Woodford, QLD, Friday, 29 July 2011. Moderating the panel is The Chaser's Julian Morrow. On the panel: * Nicholas Hayden, Hungry Beast, ABC TV * Marc Fennell, Hungry Beast, ABC TV * Grace Morgan, Julian Assange's Australia-based solicitor * Suelette Dreyfus, Author, Underground * Patrick Gray, Host of the Risky Business podcast * Christine Assange, Julian Assange's mother The recording is unedited. Enjoy!

Spam and phishing run targets Australians

Patrick Gray — Wed, 14 Sep 2011 00:00:00 +1000

It seems the bad guys are targeting Australian Internet users this week. I got a few of these this morning, as did a couple of Risky.Biz listeners: From: rules@abr.gov.au Date: 14 September 2011 10:05:53 AM AEST To: Subject: Attention for the ABN owners x-original-to: REDACTED x-mailer: azzgnshjz.46 Australian Taxation Office together with Australian Business Register wants to inform you that starting from January, 1 2012 new rules of use of ABN number are being introduced. The changes will concern:- GST credits;- Australian domain names registration More detailed information about the coming changes in the rules you can find HERE. Australian Business Register www.abr.gov.au All links in the e-mail go to the domain australianbusiness-store.com. That site drops an executable named updateTax15sept.pdf.exe. Geez. I wonder if I should run it? I also received a couple of other, similar messages purporting to come from the ATO. Again, all links pointed to the domain australianbusiness-store.com. TL;DR: Drop domain australianbusiness-store.com at your gateway. UPDATE: Our buddy Neal Wise at Assurance.com.au says the same spam run makes use of the domain australian-businesssite.com, too... Some on Twitter have reported hundreds of these spams coming through their gateway just this morning. Seems very tightly focussed on an Australian audience. Patrick Gray on Twitter.

Risky Business #210 -- Attacking JIT compilers, SSL woes and more

Patrick Gray — Fri, 09 Sep 2011 00:00:00 +1000

On this week's show we take a look at the security of browser JIT engines with two extremely smart guys: Chris Rohlf and Yan Ivnitskiy of Matasano Security. They presented a paper in Vegas all about attacking clientside JIT compilers. It's good, old-fashioned security research -- the type of research that's increasingly being withheld from the public these days. What is a JIT compiler? How does it work? Do they present inherent security problems? Tune in to find out! This week's show is brought to you by Sophos Network Security. In this week's sponsor interview we're joined by that company's product manager Angelo Comazzetto to discuss network visibility and application aware firewalls. Normally Adam Boileau joins the show to discuss the week's news, but he's off globetrotting for the next few weeks, so instead his buddy Mark "Longpipes" Piper steps into the news slot to fill in. Thanks Mark!

Risky Business #209 -- Senator Scott Ludlam discusses the Cybercrime Bill

Patrick Gray — Fri, 02 Sep 2011 00:00:00 +1000

What a week in information security! Between Kernel.org getting owned, the Iranian Government apparently hacking a Dutch CA to mint around 250 valid certs for stuff like *.google.com and Wikileaks experiencing a spectacular opsec fail, there's plenty to talk about in this week's news segment with Adam Boileau. In this week's feature interview we speak with Greens Senator Scott Ludlam about the governments proposed Cybercrime Legislation Amendment Bill. There's been a lot of FUD out there on this one and Senator Ludlam joins the show to dispel some myths and discuss some specific improvements the Greens would like to see made to the package of legislation. This week's sponsor interview is with Ron Gula, CEO of Tenable Network Security. Ron says some people out there in the market are forming a consensus that preventing attacks is just too hard, and so they're focussing too much on merely detecting compromises. Ron says a balanced approach is better. He joined me by phone to discuss. * By the way, the company Ron mentions a company named Kyrus. Wasn't very clear in the recording.

Risky Business #208 -- Time for a cyber knife fight, says Diocyde

Patrick Gray — Fri, 26 Aug 2011 00:00:00 +1000

This week's feature interview is with anonymous infosec blogger Diocyde. He has access to some fairly sensitive shit, so we can't tell you his name and we've had to disguise his voice. Diocyde is best known as the author of the Veiled Shadows blog. On it, he's written volumes about state-sponsored attacks against the United States. He's tracked who he says are Chinese malware writers and basically doxed them on the blog. He's advocated a hot cyber-war against China to stop that country from continuing to siphon off US-developed intellectual property and intelligence and he's written it all under the influence of pure fury. Chinese attacks against the USA make this guy angry, as does the idea that attribution in the cyber sphere is difficult. Interest in Diocyde's blog really took off when links to it popped up in e-mail stolen from HBGary Federal. Things got even more interesting when a few of his posts not only disappeared from the blog, but also disappeared from Google's cache. In particular, one post titled "Busting the APT can wide open" went missing. It contained a large amount of intelligence on Chinese malware writers. It was a fascinating read, and it's been completely removed from the Internet. Doicyde joined me to discuss his blog, the missing posts, Chinese cyber espionage and attribution. This week's sponsor interview is with RSA Product Manager Jeffery Carpenter. This week we're chatting to Jeff about RSA's vision for the future of two-factor authentication. Are soft tokens becoming more popular? Is that a problem? What role will mobile device features like NFC play in the 2FA equation in the future? Also this week, Adam Boileau joins us with the week's news headlines.

Risky Business #207 -- Is Microsoft's Blue Hat Prize for losers?

Patrick Gray — Fri, 19 Aug 2011 00:00:00 +1000

You may have heard about Microsoft's Blue Hat Prize for defensive security research. The company is running a contest for the best memory corruption bug mitigation technology. So, if you reckon you've found the next DEP or ASLR, you could be eligible for the company's $200,000 first prize. It marks a departure from bug bounties -- this is a contest that rewards defensive research, not just new attacks. There has, however, been a limited but vocal backlash. Security development firm Supreption took to its blog to describe the contest as a "late April Fools joke". Winners of the contest maintain ownership of their ideas and intellectual property, but Microsoft assumes right to implement any entries it chooses into its operating systems. The guys at Supreption say that means Microsoft is getting way too good a deal for its prizemoney. The blog claims the PaX team, creators of ASLR, support the company's position. Microsoft's Katie Moussouris joins the show to face the criticisms and defend the prize. Adam Boileau, of course, joins the show to discuss the week's news headlines.

EXCLUSIVE: Leaked "RSA dump" appears authentic

Patrick Gray — Thu, 18 Aug 2011 00:00:00 +1000

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal. The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring. "My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved," the dump reads. "These attacks have targeted US and Canadian companies almost exclusively for at least five years... and continue to be extremely effective." The dump claims the operation targets include private US defence firms. The dump also makes the explosive claim that many of the IP addresses are monitored by private information security companies "...for the purpose of supplying stolen information back to the affected companies." "Stolen data is effectively held hostage for the price of doing business with the company in the know," the dump reads. The idea might sound like an unlikely conspiracy theory, but it's lent some serious credibility by a leaked HBGary analysis of some of the same IP addresses and domain names. That analysis appears to confirm their authenticity as espionage-linked callback IPs. The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China. The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong. The vast majority of the leaked IP addresses are physically located in the US. HBGary codenamed the operation "Soysauce". "The soysauce group targets a large number of defense contractors who service the U.S.A," the analysis begins. Alarmingly, the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target. Booz Allen Hamilton via bah001.blackcake.net, Mantech Corporation via mantech.blackcake.net and man001.blackcake.net. So on, so forth. This means each of the 850 entries in the dump potentially corresponds to a custom callback address for each successfully compromised victim. To cut a long story short, if you find any of those IPs in your logs, you're likely owned by the Chinese government. If you don't find them, you're probably owned anyway. Risky.Biz has no reason to believe Pastebin data was actually leaked by an RSA employee. Subscribe to the Risky Business podcast here. Check out our podcast directory here.

Risky Business #206 -- Dino A Dai Zovi talks Mac hacking

Patrick Gray — Fri, 12 Aug 2011 00:00:00 +1000

In this week's feature interview we're chatting with Dino A Dai Zovi about Mac security -- Dino's well known as a Mac hacker and he's just done a BlackHat talk in which he evaluated Apple's IOS 4.x operating system for enterprise suitability. How did it stack up? Find out after the news! Also this week we check in with Sophos Network Security director of support Alan Toews about Moxie Marlinspike's latest work, an alternative way of doing SSL certificates that completely does away with CAs. That's this week's sponsor interview. Adam Boileau, of course, joins us for this week's news.

Risky Business #205 -- Who's the real Shady RAT?

Patrick Gray — Fri, 05 Aug 2011 00:00:00 +1000

On this week's show we're taking a look at the most devastating state sponsored planet melting, child eating APT the world has ever seen... according to Gizmodo it's the BIGGEST CYBER ATTACK IN HISTORY. Ummm... actually no, it's a fairly unsophisticated botnet comprising of 70 targeted infections. It seems like the tech guys and analysts at McAfee did some interesting work in seizing control of a small botnet, then the salesbots, marketroids and public relationamatrons got their hands on it and spun it way out of perspective. The result? The media describing a fairly run-of-the-mill spooky botnet as the end of the world. We'll be joined by Searn Duca of McAfee -- a very nice chap -- to have a chat about some of the detail of the so-called operation Shady RAT, which to me, seems more like operation shady AV vendor sales and marketing pitch. The media has spun this one way out of control, much, I'm sure, to the delight of the PRs at McAfee and the irritation of the wider infosec industry! Also in this week's show we're joined by Marcus Ranum in the sponsor interview. Marcus is, of course, Tenable Network Security's CSO, and he joins me to discuss the US military's new cyber warfare doctrine -- you know, the one that explicitly states the US can use kinetic retribution in the event of a cyber attack. So, like, doesn't that mean Iran can go and air-strike US nuclear refineries now? Heh... heh... yeah. :'( Marcus joins us to discuss that toward the end of the show -- that's actually a really interesting chat. We're also joined by Adam Boileau, as usual, to go over the week's news headlines.

Risky Business #204 -- The Empire Strikes Back

Patrick Gray — Thu, 28 Jul 2011 00:00:00 +1000

This week we're chatting with Detective Superintendent Brad Marden of the Australian Federal Police. While the FBI are out locking up Low Orbit Ion Cannon users on no-bail warrants, Mr. Marden and his team, apparently, are out doing real, actual police work to catch real, alleged criminals. How refreshing! Listeners to this program would have heard of the case of Distribute.IT -- an Australian domain name registrar and hosting company that got majorly worked by a hacker calling himself "Evil from efnet". After entry, the attacker rm -rf'd the entire company and basically destroyed the business. What remained of the company's assets were sold at presumably fire-sale prices to NetRegistry, another Australian company. Well, earlier this week the AFP arrested an unemployed truck driver as a result of its investigation into the distribute.it matter. The suspect, 25-year-old David Cecil, has been charged with 49 offences relating a breach at a company called Platform Networks, but police have hinted that further charges are to come. Marden joins the program to discuss the arrest. Adam Boileau drops in to discuss the week's news, including the arrest of alleged LulzSec member Topiary in Scotland.

Risky Business #203 -- LulzSec: They're baaaaaaaack

Patrick Gray — Fri, 22 Jul 2011 00:00:00 +1000

In this week's feature interview we're chatting with Silvio Cesare. Silvio's an extremely well regarded infosec guy down here in Oz. He'll be chatting to us about his experience in academia. Silvio argues much criticism of academia in industry largely misses the point, and academia actually serves infosec quite well. Cryptography anyone? This was also the week that saw LulzSec make a spectacular return to the public eye. It was also the week the FBI rounded up around 16 "cyber criminals". Well, actually it was more like 14 LOIC users and a couple of scripty-tardos. More on that in the news. In this week's sponsor interview we catch up with RSA's CSO Eddie Schwartz to chat about everything from crappy marketing to problems with mobile device-based 2FA. It's good stuff. Adam Boileau, of course, takes a break from grooming his spectacular, manly beard to discuss the week's news headlines.

Anonymous shut down! Ringleaders brought to justice!

Patrick Gray — Wed, 20 Jul 2011 00:00:00 +1000

As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions. The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS". So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right? Wrong. One of the complaints details charges to be laid against Scott Matthew Arciszewski, 22. He's alleged to have somehow created an account on Infragard Tampa's Website and successfully uploaded a couple of files. By the looks of things he made no attempt to hide his actions -- using his own IP address to conduct the "attack" -- then Tweeted about it and directed his followers toward his Website. How stealthy. What a criminal mastermind. I'll sure sleep better tonight knowing this criminal genius has been taken off the streets. Another complaint alleges former AT&T contractor Lance Moore uploaded a bunch of commercially sensitive material to Fileape. That information was subsequently "redistributed" by LulzSec. This guy isn't even alleged to be sailing aboard the Lulz Boat, but hey, at least the DoJ got to use the word "LulzSec" in an indictment. What a win! The remaining 14 arrests deal with a DDoS attack against PayPal, apparently in retribution for that company's decision to suspend payment processing for Wikileaks. They were using LOIC. How 1337. So what does this all amount to? A leaker with internal access (AT&T), a young guy who was able to pwn Infragard in about five minutes (great security, guys) and a bunch of LOIC users. And yet the coverage I'm seeing still persists with this ridiculous idea that the arrests will be some sort of strike against Anonymous, the "group". So here, let's try to get something straight, once and for all: Anonymous is not a group. It's not a hydra. It's not a "loose collective". Anonymous is just a designation. Why is that so hard to understand? Let's try an analogy. 17th century pirates liked to steal booty. They sailed the high seas and pillaged. They had a common flag. But they WERE NOT A GROUP. Sure, there were groups of pirates that sailed on ships together. There was a common outlook -- that plundering booty was a worthwhile activity, ho ho and a bottle of rum, all of that. But they were not a group. There were pirate hangouts like pirate taverns, so there was congregation, but no leadership. Pirates were not a collective. So let's clear it all up. The anons are the pirates, IRC channels and imageboards like 4chan are their pirate taverns, and the various Anonymous outfits like @AnonymousIRC and @AnonOPS are pirate ships with multiple pirates aboard. They're groups of pirates! Simple! See? So when the Spanish, Turkish, British or whichever police force claims to have arrested "key members" of Anonymous I wonder if they're deliberately misleading the public and their masters, or if they genuinely just don't get it. This current batch of arrests will "bring to justice" a bunch of people who made no attempt to conceal their actions because they're either technically useless or just didn't care. They're "low hanging anons". But that won't stop the mainstream media from portraying this as the establishment striking back at online troublemakers. Sigh. TL;DR: Feds arrest dummies, MSM hails capture of anon masterminds.

Risky Business #202 -- Sonyland, where hamburgers eat people

Patrick Gray — Fri, 15 Jul 2011 00:00:00 +1000

This week's show is all about the news -- a 30 minute dose of Metl! With Anons being arrested, parties unknown pwning defence contractors in the name of #antisec, Sony doing (even more) dumb stuff, Zeus-grade viruses smashing Android devices, India trying to wiretap Skype, support for XP running out in less than three years, Microsoft Security Centre dishing out porn and Morgan Stanley losing customer info on unencrypted disks, we just didn't have time for a feature interview this week! In this week's sponsor interview Astaro founder Markus Hennig joins us to discuss Sony's curious statement that its brand is recovering from all the negative press surrounding its security woes. Are they dreaming?

Risky Business #201 -- BitCoin, the crypto currency

Patrick Gray — Fri, 08 Jul 2011 00:00:00 +1000

This week's edition of the show is brought to you by Tenable Network Security, thanks guys. In this episode we're taking an in depth look at BitCoins. Most listeners would have heard of the fledgling online currency by now, but there are a number of things that make BitCoins extremely interesting. It's the world's first popular virtual, cryptographically supported commodity, and once you wrap your head around it, it's very cool stuff, regardless of whether or not you think it has a future. I'll be joined by regular guest Paul Ducklin to talk about BitCoin, after the news. In this week's sponsor interview we're joined by Tenable Network Security's Brian "Jericho" Martin. He's stopping by to discuss the trojaning of vsftpd. Some wise-ass modified the source so using a username against vsftpd that contains a smilie spawns a shell on 6200. Subtle. Brian chats about that and his work with Attrition.org, tracking Sony's woes. The Sownage! That's all coming up after this week's feature interview. Before all of that we check the week's news with our very own beardy guy Adam Boileau!

AusCERT jumps the gun on BIND bug release

Patrick Gray — Tue, 05 Jul 2011 00:00:00 +1000

AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today. The accidental disclosure comes as the United States celebrates the evening of July 4, its independence day. The bulletin was supposed to be issued on the morning of July 6, US time. Instead, it was mailed to AusCERT's subscribers a short time ago. The bugs themselves aren't Earth-shattering; two remote DoS conditions, including a packet-of-death-style attack. But operators of "important" BIND installations will likely be annoyed by the holiday-destroying timing of the release. "We made a mistake, we weren't supposed to issue them," AusCERT's general manager Graham Ingram told Risky.Biz. "We've apologised to group involved, we didn't quite understand the embargo, we missed it, and we accidentally released it." AusCERT sent a bulletin recall a short time ago. In part, it reads: "We apologise if the premature announcement has caused you to initiate any action for which you are unprepared and which must now be interrupted. Please do not distribute the AusCERT bulletin. Please delete it from your system immediately and permanently." The extra two days lead time would-be attackers may have up their sleeve due to the disclosure is unlikely to be sufficient for the bug to be weaponised before ISC2 releases the relevant patches, said a security professional who declined to be named. "It looks like the new code/version isn't up yet, but given the statement says there's no known workarounds, it would still be of concern to an admin," our uber-sekr3t source says. "But it's an unauthenticated remote DoS. If it was a remote code execution issue, the information in the bulletin would be more useful to an attacker." TL;DR: AusCERT make boo boo. Drunk/hungover/angry BIND admins work holiday. Check out the latest Risky Business podcast here.

Risky Business #200 -- Your Google-fu is strong

Patrick Gray — Thu, 30 Jun 2011 00:00:00 +1000

Episode 200 FTW! In this week's feature interview we'll be chatting with Daniel Grzelak. Dan's the founder of shouldichangemypassword.com -- and interesting little website that pulls together compromised information and lets you see if you've been affected. Dan was searching Google for .sql files that had inadvertently been made accessible online and indexed... aaaaand he found the entire database for Groupon India including plaintext passwords FOR THE LOSE!!! He'll be telling us all about that after the news. Adam Boileau, of course, joins the show to discuss the week's security news. NOTE: CONTAINS EXPLICIT LANGUAGE. NO NAUGHTY WORD EDITS THIS WEEK.

Groupon leaks entire Indian user database

Patrick Gray — Tue, 28 Jun 2011 00:00:00 +1000

The entire user database of Groupon's Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google. The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". "A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was." Since leaving a security consulting position with Australian information security company Stratsec, Grzelak has been working on a start-up gaming media company with two friends. As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised. Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database. The shouldichangemypassword.com database includes leaked or stolen account information from 17 recent high-profile breaches. "There are now... 1.3 million records on the site," he said. "All the LulzSec releases are included as well as data from other high profile incidents such as the Mt. Gox Bitcoin exchange hack and the Gawker breach from a year ago." Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact. The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place. Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts. Grzelak, meanwhile, says this type of accidental disclosure is actually quite common. "There are thousands of these databases indexed by Google," he said. "This just happened to be by far the biggest I found." Groupon's statement is below: On Friday morning India time (Thursday night Central US time), Groupon was alerted to a security issue potentially affecting subscribers of Sosasta, a website acquired by Groupon in January 2011. After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more. Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries. We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring. This issue does not affect data from any other country or region. Groupon takes security and privacy very seriously. Our users' trust is of paramount importance to us and we deeply regret this incident. We will provide more information as soon as possible. Ed: Some of the search string in the Google search screen capture has been redacted. It brought up more exposed databases... Click here for the latest Risky Business podcast.

Risky Business #199 -- The way, way, wayback machine

Patrick Gray — Thu, 23 Jun 2011 00:00:00 +1000

Put on your Hypercolor t-shirts and Swatch watches, because this week's show features an interview with Jason Scott, the founder of Textfiles.com. If you don't remember the BBS scene in the late 80s or early nineties, well, that doesn't matter; Jason has archived all of the quirky stuff that made the BBS scene what it was back then. [ED NOTE: CONTAINS EXPLICIT LANGUAGE (MISSED SOME EDITS)] Textfiles.com is a culture bearer for the pre-Internet hacking scene. It's a massive archive of textfiles on everything from early hacking, phreaking and all sorts of other illicit stuff like bombmaking. w00t w00t! Those were the days! In this week's sponsor interview we're chatting with NetWitness security researcher Alex Cox about operational security. How concerned should you be with the operational security of your vendors? How critical is it? We also chat with him about the opsec of those on the other side of the law. Is it possible groups like LulzSec can operate for a long period without being caught? If they're careful do the authorities stand a chance? Adam Boileau, as usual, joins us for this week's show. Be nice to Adam. He's a sad panda at the moment because there's a bug he can't trigger. :'(

Universal-backed Wikileaks docco to shoot in Melbourne

Patrick Gray — Wed, 22 Jun 2011 00:00:00 +1000

A documentary crew are looking to interview people who remember the Melbourne BBS and hacking scene in the late 1980s, early 1990s. They're coming to Melbourne in a few weeks to film. I've seen one of their documentaries before: Enron: The Smartest Guys in the Room, and it was pretty good. I've had a chat with the producers and it seems unlikely to me that the docco will be a hatchet job. That said, I don't know these guys from a bar of soap, I can't make any guarantees as to their professionalism or ethical conduct. They've asked me to assist them in finding some sources who can talk about the Melbourne "scene" in the early 90s. I agreed to post a direct message from producer Alexis Bloom (below) on this blog because, as a journalist, I think it's important for producers of documentaries like these to have access to sources that can provide them with accurate information and context. If you feel you can contribute or you'd like a bit more info, get in touch with me for the producer's contact details. Patrick at risky dot biz. MESSAGE: I'm a documentary film producer at Jigsaw Productions in New York. We’ve made films like Academy Award-winning "Taxi to the Dark Side," and "Enron: The Smartest Guys in the Room." In essence, we're a small, independent production company that tries to call truth to power -- that takes a stand against corporate greed, military overstep, and bad governance. You can read more about our films here: http://www.jigsawprods.com/ (Apologies for website, which is being updated.) We've been commissioned by Universal Studios to make a documentary featuring WikiLeaks, and the ideas connected to it. I know many of you probably think this subject’s been done to death -- and so did we, at least initially. Then we started to realize that the coverage out there has been pretty thin -- the big picture is missing. And some of the reporting's been mystifyingly wrong. We want to use WikiLeaks as a springboard to explore key issues such as information security, digital privacy, and government transparency in the 21st century. It's not a Julian Assange biopic. It's not a Bradley Manning biopic either. Of course, part of the story of WikiLeaks deals with its protagonists, and how they came to hold the ideals that drive them today. Character is not incidental to narrative, and with Proff in particular, the years he spent in the vibrant Melbourne scene are important in terms of understanding his later goals and ideals. We've been talking to hacker collectives in Boston, in Berlin, and in the UK. It's clear that each country has its own incubator of ideas – and Melbourne in the late 1980s and early 1990s strikes us as a pretty pioneering, interesting place, with its own distinct character. BBS's were obviously a big part of all this. Dispel the stereotype of hackers as video-gaming, pornography downloading isolationists. We're looking for people who remember the energy of the scene. The exploration. The fun. We living in a time when non-traditional actors are giving the suits a run for their money, and we want to capture a sense of the spirit. Our film will be distributed by Universal, for wide release in theatres. With many thanks, Alexis Bloom www.jigsawprods.com

Distribute.IT: A cautionary tale

Patrick Gray — Tue, 21 Jun 2011 00:00:00 +1000

It looks like Melbourne-based hosting company and ICANN-accredited domain name registrar Distribute.IT is fighting for its very survival. The company has posted this depressing notice on what's left of its Web-site. It might seem crazy, but Distribute.IT is facing nothing short of an existential crisis because, absurdly, it didn't take offline backups. As the company itself put it: "Our Data Recovery teams have been working around the clock in an attempt to recover data from the affected servers shared Servers [sic]. At this time, we regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable... our greatest fears have been confirmed that not only was the production data erased during the attack, but also key backups, snapshots and other information that would allow us to reconstruct these Servers from the remaining data." This is exactly the scenario I discussed with the host of the PaulDotCom Security Weekly podcast Paul Asadoorian during an interview in Risky Business back in episode 188 [42:05]. During that discussion I suggested to Paul that the current information security risk models were ineffective in dealing with high-impact, low likelihood events. You know, like some really determined and destructive attackers burning down a business. Paul's summed it up thusly: "We can tell management about the risk all day long and they're not going to believe us until it happens to them. If you told an executive at any one of these companies... 'with our current defences in place and the risk management tactic that we're taking now, there's a probability that this could still happen and it would be really, really bad. They're probably just going to say 'yeah, well we think the business can just recover from that,' and what you're saying, Patrick, is that's not always the case, and our current risk management thinking is allowing for these cases to happen where, are you really going to be able to recover?" From the Distribute.IT page again: "This leaves us little choice but to assist you in any way possible to transfer your hosting and email needs to other hosting providers." Distribute.IT has not been able to recover. Furthermore, it seemed the company did not think this type of attack was a serious enough risk to warrant implementing a strict offline backup regimen. This is just one example of a poor risk decision. But there are plenty of other examples of these sorts of decisions being made in large information technology environments. Some manager, somewhere, just decides to "wear the risk" because the assumption has always been that the organisation will recover if its risk controls fail. It's not their fault; often it's the information security "experts" from outside the organisation who actually encourage these sorts of decisions. "Risk management methodologies" are the information security industry's attempt to pretend everything's under control. It's not, and the Distribute.IT case proves it's not always possible to recover. Distribute.IT might be a small business in the grand scheme of things, but do we really think we couldn't see similar sorts of existential threats to larger, IT dependent businesses that might not be as risk savvy as, say, a bank? What about a shipping company? What about a taxi service? A manufacturer? An online retailer? To what extent are businesses and government departments vulnerable to total annihilation from external attackers? If anyone's interested in diving a bit deeper into flaws in risk-based information security practices, check out this interview with former NSA Technical Director, Information Assurance, Brian Snow. The interview with him kicks in at around 25:21 and I thoroughly recommend it. Brian is an extremely sharp guy and makes some very salient points. The Distribute.IT story is a sad one. But it's a great example of what happens when people ignore risks they shouldn't. Sure, you might have tape/offline backups, but are there other risks you're wearing that you shouldn't? What do you think? Tell us in our forum thread on this topic here.

Lulzsec, Ranum and I Told You So!

Patrick Gray — Mon, 20 Jun 2011 00:00:00 +1000

Lulzsec has featured prominently in security discussions after their hacks of PBS, Sony, Nintendo and a raft of gaming companies in the past month. There were even more discussions when they took aim at the CIA and went on to proclaim victory. Patrick wrote an interesting piece which went viral titled: Why we secretly love LulzSec. His argument was simple: So why do we like LulzSec? "I told you so." That's why. The article clearly struck a chord with many who added cries of "hell yeah!" all over the twittersphere. There's a part of me that wants to agree, and scream "we've been telling 'em since 2000... Maybe now they will listen". Among those who've been "telling 'em since 2000" is industry stalwart Marcus Ranum. Ranum says a lot of things. Some things I disagree with on principle, and other times he is just being contrarian. But at BlackHat 2000 he gave a keynote titled "Script Kiddiez Suck" that has turned out to be remarkably prophetic. The audio is still available online, and the talk is worth hearing if only for the final line: "The Huns didn’t know how to build a Rome -- they only knew how to sack it". Quoting from his talk: 4:00: "My suspicion is that if we as a community aren't able to change that mindset in house, we're going to have the brutal jackboots of the government going to come along and do it for you... you don't want to be in the situation five years from now where what you've got is some senior guy from the FBI telling you how all those security tools you have been using for years are illegal now. And that's where it's going to go down if you're not careful". Do we really think the same people who brought us the Patriot Act, Guantanamo and Rendition are not currently licking their lips, and preparing to "save us" from the evil hackers? Ranum went on to warn: 07:29: "I believe the public at large is getting sick and tired of hacking... It's no longer your companies IS department that has got a problem with people getting into your firewall... It's starting to happen. Joe Average is starting to wake up and realise that the hackers and script kiddies are not his friend and what generally happens in America when Joe Average wakes up is he lashes out in anger by calling up congressmen and so forth and you get stupid knee jerk legislation out of Washington so unless we can clean this problem up.... we going to have Washington helping us with knee jerk legislation.... either way the situation is going to have to change once Joe Average gets involved". His talk also made specific mention of the folly of attacking news/media sites. "Don't bite the hand that feeds you," he said. The LulzSec hacks hit all three marks so perfectly, it almost reads like a script (and has to get conspiracy theorists wondering). 1. Target the media: CHECK 2. Target government installations: CHECK 3. Target Joe Average: CHECK When average people get their Facebook accounts hacked because some site they once used was compromised by some people they never met, anger levels are bound to rise. Ranum predicted that the next stage would be governments using the change in public sentiment to "take the fight to the attackers", that governments would target the supply chains regulating the creation and use of security tools. Some good might come out of the recent attacks, and mega-corps like Sony may finally have learned (through crisis) the insanity of not having a CSO role, but Governments rarely leave a crisis unexploited. It's the perfect setup for them to offer us a cure, to step in and "save" us, and in this case, I fear that that the cure will be far worse than the condition we are in. Haroon Meer is the head honcho at Thinkst in South Africa. @haroonmeer Click here to check out the latest Risky Business podcast and here to subscribe via iTunes.

Risky Business #198 -- Sex, Lies and Cyber Crime Surveys

Patrick Gray — Thu, 16 Jun 2011 00:00:00 +1000

In this week's feature interview we're chatting with Gartner Research Director Andrew Walls about a fascinating research paper released by Microsoft. It's called Sex, Lies and Cyber-Crime Surveys [pdf]. It basically says most cyber crime surveys are misleading. Tenable founder and CEO Ron Gula also joins the show to discuss the sudden popularity of so-called cyber insurance in light of the massive number of high-profile attacks that have occurred recently. Adam, of course, drops in to discuss the week's news headlines, and boy, has it been a busy week!

Primitive Persistent Threat

Patrick Gray — Wed, 15 Jun 2011 00:00:00 +1000

According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers. You can read the article here. We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article. But the quote that really got me was this one: "[The attackers] leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar." The report quoted a security expert familiar with the investigation as saying "it would have been hard to prepare for this type of vulnerability" and this attack is only one of a "wave of more and more sophisticated breaches by hi-tech thieves". Now I've tested a few Web apps in my time as an information security consultant, so I guess I am moderately sophisticated with these here com-putars by the standards of The New York Times, but as far as I can tell the OWASP Top 10 Number 4: "Insecure Direct Object Reference" is a fancy way of saying "herp a derp, lets put the account number in the URL bar, and just hope no one increments it". So lets just come right out and say it: If this NYTimes piece is correct, these are not sophisticated attacks. Sony getting SQL injected? Not sophisticated. Citi account-in-the-URLbar? Not ingenious. The sad thing is nearly every in the wild, for actual profit cyber-crime is carried out using bog-standard, basic flaws that have been well understood, documented, taxonomised, discussed, weaponised and used in the wild for years. Anyone from a 13 year old kid to the Russian mafia can and will break into almost anything in minutes using common garden flaws that even the slightest attempt at planning an approach to the foothills of the snowy, cloud-lost peaks of Mt Best Practice would have spotted. If, as per the reports, Citi got 200,000 customer records stolen through changing the account number in the URL string, then it's almost certain it never got that Web site tested for security. Can we all just say that out loud? It's possible that the world's largest financial services network didn't get this system tested for security. The NYT breaks it down for mom-n-pop: "Think of it as a mansion with a high-tech security system -- but the front door wasn’t locked tight." No: They. Didn't. Test. It. Hell, even if you fired an automated webappsec tool at something like that, you'd find it. Same as with all Sony's SQL injection. These are not "high-tech security systems" that aren't "locked tight". If the NYT report is accurate, this is straight out negligence. In Maine last week, the judge in the case of Patco vs Ocean Bank concluded "the law does not require the bank to implement the 'best' security measures available and that the bank is clear to customers when they sign up about the level of security it provides". Sure, perhaps expecting diamond-studded RSA tokens when you sign up for Internet banking is a bit much, but how about basic security testing? Companies like Citi aren't the only class of sinners. Recently a large, name-brand software vendor admitted to our mutual customer that it, too, had never actually commissioned external penetration testing of its security focused product. The product is marketed as an enabler of robust multi-tenanted security boundaries. The software maker had never tested it: "Nope, not at all, why do you ask?" One of the bugs involved just typing the name of another customer into an input box, instead of clicking your own from a list. Or perhaps you'd like more irony? How about arbitrary file read via ../../../ in the URL bar in Trend Micro's "Data Loss Prevention Virtual Appliance"? Your bank gets owned because computers are sophisticated. Computers are hard. Building, deploying and maintaining secure business computer systems is fiendishly hard. But, NYTimes, don't tell me that Citi lost 200,000 customers worth of information because of a sophisticated attacker. Tell me the truth: it lost the information because it failed to test its systems. It failed to take even what limited basic options we as an infosec industry can offer -- the OWASP Top 10, some basic Web app penetration testing, and perhaps hiring a security consultant who might better prepare the company against an earth-shatteringly sophisticated attack involving the alteration of an account number in the URL bar. TL;DR Typed account number into browser, owned bank. Editor's note: The funny thing is we hear good things about Citi's in-house pentesters. Either the NYTimes article is incorrect, or somehow this bug just slipped through to the keeper. We have no idea. It's hardly the point: Even if Citi didn't get owned this way, plenty of others do and it makes us all very sad pandas at Risky Business HQ. :'(

Risky Business #197 -- RSA comes clean

Patrick Gray — Fri, 10 Jun 2011 00:00:00 +1000

In this week's feature interview we're chatting with Neal Wise of Assurance.com.au about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not. In this week's sponsor interview we're joined by Astaro's director of Support Alan Toews. We're talking about the silver lining to all the chaos out there at the moment -- does the awareness raised by the actions of groups like LulzSec offset the harm they cause to their victims? Adam Boileau, as usual, pops in to discuss the week's news.

Why we secretly love LulzSec

Patrick Gray — Wed, 08 Jun 2011 00:00:00 +1000

Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold. So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others. They're posting proprietary developer code. They're bringing back Tupac and Biggie. They're advising Nintendo on more secure httpd configurations. And they're issuing funny press releases via Twitter and Pastebin. In the last few weeks these guys have picked up around 96,000 Twitter followers. That's 20,000 more than when I looked yesterday. Twitter has given LulzSec a stage to show off on, and showing off they are. The Internetz, largely, are loving it. It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts. I wrote my first article on information security around May 2001. It was about the Sadmind worm and it ran on the letters page of the IT section of The Age newspaper in Melbourne. "Geez," I thought to myself. "If awareness isn't raised about the unsuitability of these computamajiggies for srs bizness, we could encounter some problems down the track." So for the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea. No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak. Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!" There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us. LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any. The mainstream media are having fun criticising Sony for its poor security, but do we honestly think for a second that the XBox Live network can't be similarly pwnt? (I know the PSN breach hasn't been pinned on LulzSec, but the point stands.) Is there any target out there that can't be "gotten"? State-sponsored attackers, likely Chinese, have even wormed their merry way through the networks of the US military industrial complex, buggering off with the blueprints for the next Lockheed Martin death-ray-lasermatron or similarly diabolical, geo-strategically altering super-weapon. Yay! Human rights abusers with US-designed military technology! w00t w00t! Thanks, RSA. <3 Don't even get me started on them. As BlackHat organiser turned US Department of Homeland Security advisor Jeff Moss Tweeted yesterday, "When I heard RSA had a shiny new half million dollar HSM to store seed files I wondered where had they been stored before". We're relying on these boneheads to lock down our most sensitive R&D? Shoot me now. What about privacy? Oh, well that's out the window too. Did you hear Facebook has facial recognition now? Great, huh? Plus the bloatware that is Facebook's Web application is full of bugs anyway, so we really do just have to assume all our Facebook accounts are pwnt. Our telcos are owned, our mobile devices track us, as the iPhone/Android tracking scandal showed us. Privacy is dead. So why do we like LulzSec? "I told you so." That's why. Check out the latest Risky Business podcast here.

Risky Business #196 -- Mark Dowd on infosec software bugs

Patrick Gray — Thu, 02 Jun 2011 00:00:00 +1000

On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs? A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE. It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF. Bug hunter extraordinaire, Azimuth Security's Mark Dowd, joins us after the news to chat about that. We'll also have a quick chat with Josh Corman, an analyst with 451 group in the USA and co-founder of the Rugged Software initiative. Adam Boileau, as always, stops by for a check of the week's news headlines.

Risky Business #195 -- HD Moore on the new, 'legit underground'

Patrick Gray — Thu, 26 May 2011 00:00:00 +1000

On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google. The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments? This week's edition of the show is brought to you by NetWitness. Eddie Shwartz will be along after this week's feature interview to discuss the role of vendor marketing in making our situation worse. It's the job of marketing and salespeople to dazzle executives with bulldust -- but is it driving enterprise security investment in the best direction? Find out in this week's sponsor interview with Eddie Shwartz. Adam Boileau stops by for a look at the week's news.

SPONSOR PODCAST: Microsoft's Maarten Van Horenbeeck on vulnerability scoring

Patrick Gray — Tue, 24 May 2011 00:00:00 +1000

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. We've already posted two interviews with Microsoft peeps about security issues, but we're posting this full talk as well. Maarten Van Horenbeeck works in the Microsoft Security Response Center managing Microsoft's efforts to share information on security vulnerabilities with third party security software providers, government agencies and national CERT teams. This talk is about how Microsoft applies ratings to its product vulnerabilities... there are a bunch of ratings systems out there... Maarten covers off some of these and discuss how MS boils down its own scores. I hope you enjoy this talk.

PRESENTATION: Cambridge University's Ross Anderson on the economics of information security

Patrick Gray — Tue, 24 May 2011 00:00:00 +1000

This is a full presentation by AusCERT's day three keynote speaker Ross Anderson. Ross has kindly allowed us to podcast his entire talk. Ross is professor of security engineering at Cambridge University, and author of the bestselling textbook "Security Engineering: A Guide to Building Dependable Distributed Systems". He was a pioneer of peer-to-peer systems, of hardware tamper-resistance, and of the economics of information security. Ross will discuss the economics of information security in two contexts: frauds against payment networks, and the resilience of the Internet. The talk will draw on a recent major study Cambridge did on the resilience of the Internet.

Stuxnet, Wikileaks and the militarisation of the digital security discipline: An interview

Patrick Gray — Mon, 23 May 2011 00:00:00 +1000

Tony Oliver and the Pubcast crew interviewed me about the talk I did at ITWeb's Security Summit in South Africa the other week. My talk was all about militarisation trends in the digital security field. I drew parallels between the Cold War and what's happening now. You can find it here. Thanks to Tony and the rest of his gang for having me on their show. It's good to be on the other end of an interview every now and then!

PRESENTATION: AusCERT speed debates

Patrick Gray — Fri, 20 May 2011 00:00:00 +1000

You're about to hear one of the highlights of AusCERT's annual conference -- the speed debates! Not to be taken too seriously, the speed debate happens at the end of the con -- it's a chance to have a laugh and shed some lighter perspectives on the security discipline. It's hosted by Australian broadcaster and journalist Adam Spencer. I hope you enjoy it.

PRESENTATION: APNIC's Geoff Huston on routing system "lies"

Patrick Gray — Fri, 20 May 2011 00:00:00 +1000

This podcast is a complete presentation by APNIC's Geoff Huston. According to the official synopsis: This presentation will outline the role of addresses and routing and the potential attack vectors, and will also report on the progress to establish a secure framework for addresses and their use in the Internet, highlighting the progress in establishing a secure routing environment for the Internet. As regular RB listeners would know, we've followed APNIC's work and papers in this area and they have a habit of pushing out good stuff... so this should be a decent talk. Enjoy!

SPONSOR PODCAST: Stuart Strathdee on the PSN breach

Patrick Gray — Fri, 20 May 2011 00:00:00 +1000

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. They're general chats with Microsoft peeps about security issues. And in this interview we're chatting with Microsoft Australia's Chief Security Advisor Stuart Strathdee about the affect the PSN network breach has had on large organisations' security outlook. As you'll hear, Stuart says a lot of security projects that had been on the back burner are now being brought forward. Enjoy!

Dumb and dumber: Media circus meets police thuggery at AusCERT

Patrick Gray — Thu, 19 May 2011 00:00:00 +1000

The publication of allegedly stolen, private photographs by Fairfax Online was eclipsed in stupidity only by the QLD Police Service's decision to seize the iPad of journalist Ben Grubb at the AusCERT conference on Tuesday. Every time the coppers raid media organisations to seize computers and documents in order to track down, say, the source of an embarrassing political leak, it pisses me off something awful. The lack of respect shown to the media and its sources by governments in this country, both state and federal, is pretty astonishing. The Australian Federal Police (AFP) actually investigates public service leaks that harm nothing more than the incumbent's polling figures. It's ridiculous. A media that operates freely of this sort of intimidation is vital to maintaining a healthy democracy. As for the Ben Grubb incident, it's my view that police should simply not have the powers at their disposal that enabled them to seize his iPad in connection with an investigation into the alleged theft of private photos from a Facebook account. Background on that is here if you need it. Despite the fact there's an argument brewing about whether QLD Police actually acted within the law in seizing Ben's gadget, the action, in my view, was categorically the wrong thing for the police to do. Some of you out there on teh Twitters got up me yesterday over my failure to discuss the media freedom aspect of this whole AusCERT-gate thingamajig. I didn't bother because the police were just acting like police. The whole thing was just so predictable. It's what happens in any jurisdiction that hasn't passed shield laws. In this instance, it seems likely the intention of the officers in seizing the device was to obtain evidence to use against another individual. In fact, the coppers likely knew the evidence was on the iPad because Ben may have showed it to them himself! It's not explicitly stated in his piece, but you get the impression it's possible he pulled up some correspondence on his tablet. It's likely that when they realised that a treasure-trove of evidence was likely stored on the iPad (correspondence between Ben and his source pertaining to a security conference presentation that may have crossed a few lines), they asked Ben to surrender it and he refused. That's when they arrested him in a meeting room at AusCERT for a short time and seized his iPad. The police claim they were within their rights to seize the iPad because it had allegedly stolen photos on it; tainted goods. It's a clumsy argument, but it's a great example of coppers doing what coppers do -- taking the shortest path from A to B. Should they be allowed to do that? Absolutely not. Can you understand why they did? Absolutely! It's also a bit difficult to defend Fairfax chose to publish allegedly stolen private photos. It gets REALLY difficult to defend Fairfax when you find out that the subject of the allegedly stolen photo contacted the editorial team and asked them to remove the private photo and they refused. I know this because the subject of the photo told me. It gets IMPOSSIBLE to defend Fairfax when we hear its justification for publishing the photos: It had legal advice that as the photos were published "on the Internet" they were fair game, regardless of whether they were posted to a private photo album on Facebook. (NOTE: It's possible that the image in question was obtained by Fairfax via a Facebook Content Distribution Network URL that had been brute-forced during the research done during for Sunday's presentation. Technically that would mean the image was "on the Internet" and available without authentication, so probably fair game legally, but ethical questions remain.) Legal advice aside, I'm amazed they didn't realise what 24-karat knobs they were being. Needlessly publishing private material is just a really shitty thing to do. One of the photos featured the subject and his young child. Sure, they blurred the child's face, but it was a private photo. To keep the photos up there AFTER the subject and owner of the image copyright has asked you to remove it is tabloid asshattery at its most extreme. Sure, they cropped out the kid after an angry phone call, but they left the allegedly private picture identifying the subject up. So are the laws that allowed the coppers to seize Ben's iPad daft? Yes. Were the coppers themselves acting like supreme dopes when they briefly detained Ben? Yes. But really, if you had the ringside view I did when this whole thing played out, you'd find it a bit tough to muster up much sympathy for Fairfax and its now iPadless journalist Ben Grubb. The nice side affect of the big hoo-ha is it's brought up a debate on press freedom in Australia. If anything, this whole episode will nudge proposed shield laws along quite nicely. We need those shield laws to pass to prevent this sort of idiocy. So to end with the same summary that accompanied yesterday's piece: Meh.

The big BSides Facebook hoo-ha

Patrick Gray — Wed, 18 May 2011 00:00:00 +1000

Well, hasn't this been an interesting AusCERT... If you haven't heard by now, Fairfax IT journalist Ben Grubb was briefly detained by QLD police yesterday afternoon in connection to a BSides Australia security presentation delivered on Sunday. The presentation, by Christian Heinrich, demonstrated a brute-force attack against Facebook's Content Distribution Network. I didn't see the presentation myself, but the long and short of it is the vulnerability demonstrated allows the attacker to obtain Facebook users' private photos. So how did the police become involved? Well it's no secret that Christian doesn't particularly enjoy the company of Chris Gatford, a security consultant who runs a small outfit called HackLabs. I should point out right now that I, myself, don't particularly enjoy Christian's company. In the past he has been a very vocal critic of the Risky Business podcast and me in particular. I don't like him, and I'm fairly certain he doesn't like me. Where the presentation became an issue for police is when Christian demonstrated the attack against Gatford's wife's Facebook account. He brute-forced some of her photos and displayed a photo of Chris with his young son to the BSides attendees. I believe he may have blurred out the child's photo, but I haven't confirmed that. Chris Gatford was livid. Most of the journalists attending the conference were aware of the presentation but chose not to pursue it as a story. It looked like a case of rivalry between two guys who don't particularly like each other. The Facebook bug is a good one and I planned to mention it in the show, but the angle around the photos, in my view, just wasn't worth bringing to the world's attention. Sydney Morning Herald online reporter Ben Grubb took a different view. He published this story, along with the photo of Chris Gatford and his son. The face of Chris's child was definitely blurred for publication, but I believe posting it was a poor decision on Fairfax's behalf. The Herald editors eventually cropped Gatford's child from the picture, then pulled the picture in its entirety later. So why was Ben detained? Well it seems he had been in communication with Heinrich in regard to the attack against Gatford's wife's Facebook account. It is my belief that Ben was detained and his iPad seized so the police could obtain evidence from the iPad in order to consider the preparation of a prosecution brief against Heinrich. This is just my suspicion -- I don't have any solid evidence at all to suggest that a prosecution brief is being prepared or that Heinrich has broken any laws. If the police decide to pursue the matter, it's possible there could be some issues around unauthorised access to data. A solicitor also might have an opinion on whether cyber-bullying laws apply here -- using a carriage service provider to stalk, intimidate or harass -- that sort of thing. Those offences are taken quite seriously under Australian law. To be clear, at this point no one has suggested that Heinrich has used the Internet to stalk, intimidate or harass anyone. The reason it was easy for the coppers to seize Ben's iPad is it may be possible for the police to argue he had committed an offence that's in some way equivalent to being in possession of stolen goods, the photos. I sincerely doubt he will be charged with anything, and it remains to see if a prosecution is brought against Christian. It may not be. And that's pretty much it. Brian Hay of QLD police did a press conference this morning that I didn't bother attending. Of course this whole event is getting way more attention than it should. It's also important to note that Heinrich's presentation was to BSides Australia, a pre-AusCERT event. It wasn't an AusCERT talk as has been reported. I haven't approached anyone to ask them for a response to this post. It's just a summary of what I believe to be the case. I'm sick with a cold, jetlagged as hell, and frankly there's other work I'd rather be focussing on. To sum up: Meh.

PRESENTATION: Scott McIntyre on the security "generation gap"

Patrick Gray — Wed, 18 May 2011 00:00:00 +1000

You're about to hear a full presentation recorded at the AusCERT conference. Scott McIntyre is a recent immigrant to Australia... he used to work for XS4all in the Netherlands, but these days he works as the Senior Technology Architecture Specialist in Security Operations for Telstra in Melbourne. His presentation is all about his views though, not those of Telstra. Disclaimer. Etc. His talk focuses on what he calls the IT Security Generation Gap. Too often are today's security policies written and enforced by people who don't "get" social media, the public Internet, iPads and BitTorrent. But at the same time, anyone with an infrastructure to secure needs workable procedures and tooling to protect their data and systems. His talk covers common failings in this generation gap and provides guiding principles to close the gap and reduce exposure.

PRESENTATION: Mark Newton makes IPv6 security interesting!

Patrick Gray — Wed, 18 May 2011 00:00:00 +1000

You're about to hear a full presentation recorded at the AusCERT conference: a great presentation by Mark Newton, an engineer with Internode, all about IPv6 security. Internode is an ISP and Mark really knows his stuff. We all know security considerations in IPv6 aren't exactly thrilling, but Mark managed to actually make this presentation interesting and a little bit thought provoking. I was popping in and out throughout this session and yeah, it was definitely more interesting than I was expecting. So here it is!

SPONSOR PODCAST: Microsoft's Paul Conroy on what's hip in identity management

Patrick Gray — Wed, 18 May 2011 00:00:00 +1000

Our coverage of the conference is brought to you by the fine folks at Microsoft -- without their support, there would be no AusCERT podcasts, so big thanks to MS! As a part of that sponsorship Risky Business is posting a few sponsored podcasts -- this is one of them, an interview with Microsoft's Identity specialist Paul Conroy. In it, we discuss what enterprise customers out there are actually looking for, as well as having a bit of a chat about SAML 2.0 -- an authentication protocol that you can use... and I can't believe I'm going to say this. In the... cloud. I said cloud. I'm sorry. But listen to the interview, it'll make sense.

Risky Business Media

Between Two Nerds: An internet blackout won't stop NSA in Iran

Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime

Sponsored: What it means to be a learning organisation

Risky Bulletin: Iranian hackers are scanning for security cameras to aid missile strikes

Being a wartime CISO

Srsly Risky Biz: The four hour cyber war on Iran

Risky Business #827 -- Iranian cyber threat actors are down but not out

Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes

Between Two Nerds: The evolution of cyber ops in Ukraine

Risky Bulletin: LLMs can deanonymize internet users based on their comments

Sponsored: AI Agents need distinct identities

What to do about North Korean remote workers

Risky Bulletin: Russian man extorts Conti ransomware group

Srsly Risky Biz: Is Claude too woke for war?

Risky Business #826 -- A week of AI mishaps and skulduggery

Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov

Between Two Nerds: How NSA will use AI

Risky Bulletin: AI-driven hacking campaign breaches 600+ Fortinet devices

Sponsored: The smouldering trashfire of AI and open source

Risky Bulletin: RPKI infrastructure sits on shaky ground

Risky Biz Soap Box: The lethal trifecta of AI risks

Former Adobe, Cisco and Salesforce CISO talks AI pentesting

Srsly Risky Biz: Cyber bullets can't replace political will

Risky Business #825 -- Palo Alto Networks blames it on the boogie

Risky Bulletin: Supply chain attack plants backdoor on Android tablets

History Repeats: Security in the AI Agent Era

Between Two Nerds: Buying the magic weapon

Risky Bulletin: Cambodia promises to dismantle scam compounds by April

Sponsored: Filtering the KEV was really hard … Until now!

Risky Bulletin: IcedID malware developer fakes his own death to escape the FBI

Srsly Risky Biz: Microsoft forgoes its secure future

Risky Business #824 -- Microsoft's Secure Future is looking a bit wobbly

Risky Bulletin: Chinese cyber-spies breached all of Singapore's telcos

Between Two Nerds: Why we are doomed to insecurity

Risky Bulletin: SmarterTools hacked via its own product

Sponsored: Trail of Bits going all-in on AI

Risky Bulletin: Denmark recruits hackers for offensive cyber operations

Srsly Risky Biz: Google's cyber disruption unit kicks its first goal

Risky Business #823 -- Humans impersonate clawdbots impersonating humans

Risky Bulletin: Plone CMS stops supply-chain attack

Between Two Nerds: The internal logic of Russian power grid attacks

Risky Bulletin: StopICE blames hack on "a CBP agent here in SoCal"

Sponsored: AI is critical to the future of cyber defence

Risky Bulletin: eScan antivirus distributes backdoor in latest supply chain attack

Srsly Risky Biz: Punish the wicked and reward the righteous

Risky Business #822 -- France will ditch American tech over security risks

Risky Bulletin: Cyberattack cripples cars across Russia

Between Two Nerds: Getting pinged and the fog of war

Sponsored: Push Security on ConsentFix attacks

Risky Bulletin: Russia deployed wipers on Poland's energy grid

Risky Bulletin: Improperly patched bug exploited again in Fortinet firewalls

Srsly Risky Biz: You can't block space internet

Risky Business #821 -- Wiz researchers could have owned every AWS customer

Risky Bulletin: Domain resurrection attacks come to Canonical's Snap Store

Between Two Nerds: Why the West sucks at Information Warfare

Risky Bulletin: Germany seeks more hacking and surveillance powers for its intel service

Sponsored: Seeing into the seams

Risky Bulletin: China bans Israeli and US cybersecurity products

Srsly Risky Biz: China Fights Scam Compounds … For China

Risky Bulletin: Russia fines 33 telcos for surveillance non-compliance

Risky Business #820 -- Asian fraud kingpin will face Chinese justice (pew pew!)

Between Two Nerds: Lights out!

Risky Bulletin: Apex Legends streamers hacked again

Sponsored: What AI workloads mean for Cloud security

How the World Got Owned Episode 1: The 1980s

How the World Got Owned Episode 1: The 1980s

Risky Bulletin: Belarus deploys spyware on journalists' phones

Srsly Risky Biz: Like Huawei, but for electricity

Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack

Risky Bulletin: Most smart devices run outdated web browsers

Between Three Nerds: The evolution of Iranian cyber espionage

Risky Bulletin: African freelancers behind anti-US and anti-French disinfo campaigns

Sponsored: ConsentFix and Push Security's browser attack taxonomy

Risky Bulletin: EU has a problem attracting and retaining cyber talent

Risky Biz Soap Box: Graph the planet!

Risky Business #818 -- React2Shell is a fun one

Risky Bulletin: Linux adds PCIe encryption to help secure cloud servers

Risky Bulletin: APTs go after the React2Shell vulnerability within hours

Srsly Risky Biz: When cyber campaigns cross a line