Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.


Risky Business #468 -- Marcus Hutchins gets "Krebsed," the ICO bubble and more  

On this week’s show we’re going to take a look at the ICO bubble. We’ll hear some excerpts from a chat I had with Coinjar CEO Asher Tan and then Adam and I are going to talk about what the hell is happening with all this crypto madness. We also take a look at the scuttling of the Kenyan election over hacking fears, the latest drama with Kaspersky being caught in the middle of geopolitical intrigue, the FSB’s unconventional BBQ in San Francisco and more.

This week’s show is brought to you by Netsparker.

Netsparker makes an automated webapp testing tool, you can kinda dial up the level of automation you want. They have a few nice tricks in their suite, too, like auto proof of concept exploitation of some bug classes so you can actually prove people need to fix stuff while you drink coffee, that’s nice.

In this week’s sponsor interview we’re speaking with Ferruh Mavituna, the founder and CEO of Netsparker, about automated testing at scale. It’s a sponsor interview, but it’s also a pretty generic chat about how you tackle that problem. Basically he says when you’re doing this scanning at scale you really can start with the bad, dumb stuff, because if you’re in an enterprise of any sort of size at all your automated testing is going to spit out a horror-show list.

Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes:
- Who Is Marcus Hutchins? — Krebs on Security
- Solaris update plan is real, but future looks cloudy by design • The Register
- Bye Bye Solaris, it seems. | Hackaday
- Kenya's Supreme Court declares presidential election result null
- Kenyan Elections and Alleged Hacking: A Look at the available evidence | CIPIT Blog
- The Russian Company That Is a Danger to Our Security - The New York Times
- Chinese Agency Linked to Cyber-Espionage Operations Will Review Source Code of Foreign Firms
- Russia's San Francisco consulate is mysteriously burning stuff before it is shut down — Quartz
- Man Who Refused to Decrypt Hard Drives Still in Prison After Two Years
- Four Million Time Warner Cable Records Left on Misconfigured AWS S3 | Threatpost | The first stop for security news
- Military Contractor's Vendor Leaks Resumes in Misconfigured AWS S3 | Threatpost | The first stop for security news
- Mastercard Internet Gateway Service: Hashing Design Flaw – Tinyhack.com
- Massive Wave of MongoDB Ransom Attacks Makes 26,000 New Victims
- Vulnerabilities Discovered in Mobile Bootloaders of Major Vendors
- Banking Trojan Now Targets Coinbase Users, Not Just Banking Portals
- Chinese Man Sentenced to Nine Months in Prison for Selling VPN Software
- Bitcoin falls as China bans initial coin offerings | Ars Technica
- ICO Bubble? Startups Are Raising Hundreds of Millions of Dollars Via Initial Coin Offerings | Inc.com
- Coinschedule - Cryptocurrency ICO Statistics
- SEC's ICO Ruling: What It Means for Investors and Blockchain | Fortune.com
- The Paris Coin Got it Right | txsrb
- Ethereum ICO: people invested thousands of dollars in "Useless Ethereum Token" (UET) — Quartz
- Digital assets in Ethereum blockchain
- Scaling-Up & Automating Web Application Security (Infosecurity Europe 2017 Tech Talk) - YouTube

Snake Oilers #2: Part 2: Authentication tech from Yubico and Remediant  

This podcast deals with authentication tech – in particular, if you manage a Windows network, you’ll want to listen to this to get an idea of some different approaches to solving some of your authentication challenges.

This isn’t our weekly show, this is something we do four times a year – we get a bunch of vendors together and they explain their tech. Last week I published interviews with Crowdstrike, Replicated and AttackIQ, go check them out if you haven’t already, but I wanted to break out these two companies into their own podcast.

In this edition we’re going to hear from two companies – Remediant and Yubico.

Yubico, of course, makes yubikeys, the hardware authentication device used by companies like Google and Facebook to lock down accounts. I own one, and it wasn’t a freebie, I paid for it. A lot of security people use these USB devices because they work really, really well.

What I didn’t know, because I’m a dumbass, is there’s native support for Yubikeys in Windows. So if you want to add hardware-backed two factor authentication to your Windows accounts, this is one way to do it.

But before we talk to Yubico, we’re going to hear from Remediant.

Remediant is a startup that also makes some interesting Windows auth tech. Now, a lot of Risky Business listeners operate in high security or compliance heavy environments. This will often mean using password vault technology for better privileged account management. Remediant has something they think is better.

Basically they have created a tech that lets you enable and disable privileged accounts on, like a time-lock basis. If you have to do some admin work on a box, you log in to your Remediant server, enable that account for a set period of time, then off you go. Easy. It’s a very light touch way of solving some pretty serious management headaches, and it’s very easy to audit, which will keep our friends in heavily regulated environments very happy.

Show notes:
- Yubico -- U2F two factor auth hardware, natively supported by Windows
- Remediant -- an alternative to password vaults

Risky Business #467 -- HPKP as an attack vector  

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hack your domain registrar account, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control.

You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.

This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”.

Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below.

Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

Show notes:
- 465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says - Motherboard
- Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges - Motherboard
- Bitcoin: Hacking Coinbase, Cryptocurrency’s ‘Goldman Sachs' | Fortune.com
- List Of High Profile Cryptocurrency Hacks So Far (August 24th 2017)
- Narrowing the Scope - DreamHost.blog
- Troy Hunt: Inside the Massive 711 Million Record Onliner Spambot Dump
- Leak of >1,700 valid passwords could make the IoT mess much worse | Ars Technica
- The Companies That Will Track Any Phone on the Planet
- This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves
- Bit Paymer Ransomware Hits Scottish Hospitals
- Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA
- China to Impose Real Name Policy for Online Comments
- Google Error Causes Widespread Internet Outage in Japan
- bgp-bogus-tls.pdf
- Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability
- Zerodium Offers $500K for Secure Messaging App Zero Days | Threatpost | The first stop for security news
- Firmware Update Bricks Samsung Smart TVs in the UK
- Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet — Krebs on Security
- Inside an Epic Hotel Room Hacking Spree | WIRED
- Google Reminding Admins HTTP Pages Will Be Marked 'Not Secure' in October | Threatpost | The first stop for security news
- Fraudulent Donations Lead to Disbanding of Hutchins Legal Defense Fund | Threatpost | The first stop for security news
- Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root | Threatpost | The first stop for security news
- ROPEMAKER Exploit Allows for Changing of Email Post-Delivery | Threatpost | The first stop for security news
- U.S. spies think the FBI is botching the Kaspersky investigation
- Hackers snag a $1 laptop by exploiting flaw in point-of-sale systems | ZDNet
- I'm giving up on HPKP

Snake Oilers #2: Part 1: Crowdstrike, AttackIQ and Replicated explain their tech  

This is part one of our latest Snake Oilers podcast, the sponsored podcast that doesn’t suck! I have to say, when I launched this podcast series I had no idea it would actually wind up being genuinely engaging and interesting. All three interviews in this podcast are top notch and I think anyone working in infosec would do well to listen.

The original idea behind these Snake Oilers podcasts was vendors would come on to the show and aggressively pitch their products. But you know what? What they mostly want to do is actually explain what their technology does so people out there in listener land actually know what they do.

I’ve broken this special into two parts. In this part we’ll hear from CrowdStrike, Replicated and AttackIQ. On Monday next week I’ll be posting part two with Remediant and Yubico, the makers of Yubikeys. Those two companies both make authentication technology, which is why I split them out into their own podcast.

In this part:

Crowdstrike tell us why they think their EDR and AV solution is the best. A lot of you probably didn’t even know Crowdstrike does AV now… they’ve got a pretty compelling endpoint detection and response plus AV pitch.

AttackIQ will pitch its software as a way to augment red teaming exercises and help you think of security as a continuous feedback loop.

Replicated talks through its tech. They take SaaS software and turn it into on-prem or private cloud software.

Show notes:
- Crowdstrike -- Endpoint Detection and Response (EDR) and Antivirus (AV) software
- Replicated -- Turns SaaS/cloud software into on-prem/private cloud software
- AttackIQ -- Attack simulation software

Risky Business #466 -- Breaking reverse proxies shouldn't be this easy  

On this week’s show we chat with James Kettle of Portswigger Web Security about some adventures he had with reverse proxies and malformed host headers. Using some simple tricks, James was able to do some craaaazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that.

In this week’s sponsor interview we’re tackling the new European general data protection regulation. With the new regime due to kick in on May 25 next year, there’s a lot of angst out there, and for good reason. The penalties for mishandling info are up to 4% of global turnover, which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere.

Senetas is this week’s sponsor. They make layer 2 encryption gear, as well as SureDrop, a GDPR and enterprise friendly dropbox-style service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that.

As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes:
- In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking - The New York Times
- Blowing the Whistle on Bad Attribution — Krebs on Security
- Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back - Motherboard
- Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors | WIRED
- IRS Now Has a Tool to Unmask Bitcoin Tax Cheats
- Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices
- Cryptocurrency Miner Infects Windows PCs via EternalBlue and WMI
- Ad Trackers on E-Commerce Sites Can Unmask Bitcoin Transactions
- It's Not Exactly Open Season on the iOS Secure Enclave | Threatpost | The first stop for security news
- Secret chips in replacement parts can completely hijack your phone’s security | Ars Technica
- Google Releases Android 8.0 Oreo
- Android Spyware Linked to Chinese SDK Forces Google to Boot 500 Apps | Threatpost | The first stop for security news
- Chrome Adds Warning for When Extensions Take Over Your Internet Connection
- Couple Accused of Using Lowes Website Flaw to Steal Expensive Goods
- Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack | Threatpost | The first stop for security news
- #23270 (Allow Tor relays to be configured to block selected hidden services, including racist hate sites) – Tor Bug Tracker & Wiki
- Fighting Neo-Nazis and the Future of Free Expression | Electronic Frontier Foundation
- PortSwigger Web Security Blog: Cracking the Lens: Targeting HTTP's Hidden Attack-Surface

Risky Business #465 -- Charlie Miller on autonomous car security  

On this week’s show we chat with Charlie Miller all about the security of autonomous vehicles. As you’ll hear, he says autonomous vehicle security all comes down to some security fundamentals that are, in fact, being taken seriously by carmakers.

We’ve got an absolutely fantastic sponsor interview for you this week. This week’s show is brought to you by Senrio. They make an IoT network monitoring solution that’s actually really good. Stephen Ridley is the founder and head honcho at Senrio. He’s a very well known researcher and he joins us this week to talk about a few things.

First up he recaps the gSOAP library bugs the Senrio team found. They were a big deal in July, but as you’ll hear, people kinda missed the point. The affected gSOAP library is absolutely everywhere, including in, ahem, browsers. So yeaaaaah. There’s that.

Then we move on to the more sponsor-y part of the sponsor interview, talking about Senrio’s experience running the IoT hacking village at DEFCON. It was a great time for them, throwing their product at the most hostile IoT network the world has ever seen. To round out the Stephen Ridley omnibus experience we’ll also hear about a few training courses he’s offering on Android hacking and software exploitation via hardware exploitation.

Adam Boileau joins the show to talk about the week’s security news, links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes:
- The U.S. Is Trying to Seize 1.3 Million Visitor Logs, DreamHost Says - The Atlantic
- We Fight for the Users - DreamHost.blog
- After Shutdown, Daily Stormer Users Are Moving to a Dark Web Version of Site - Motherboard
- Someone Appears to Be DDoSing the Dark Web Version of The Daily Stormer - Motherboard
- Researcher Who Stopped WannaCry Pleads Not Guilty to Creating Banking Malware - Motherboard
- Top Security Firm May Be Leaking 'Terabytes' Of Confidential Data From Fortune 100 Companies | Gizmodo Australia
- Beware of Security by Press Release — Krebs on Security
- The Shadow Brokers Have Made Almost $90,000 Selling Hacking Tools by Subscription, Researcher Says - Motherboard
- HBO offered hackers $250,000 'bug bounty', leaked email claims | Technology | The Guardian
- Russian Hackers Are Targeting Hotels Across Europe, Researchers Say - Motherboard
- Attackers Backdoor NetSarang Software Update Mechanism | Threatpost | The first stop for security news
- Seven More Chrome Extensions Compromised | Threatpost | The first stop for security news
- Blizzard Entertainment Hit With Weekend DDoS Attack | Threatpost | The first stop for security news
- Cyberattack leaves millions without mobile phone service in Venezuela — Technology — The Guardian Nigeria Newspaper – Nigeria and World News
- Smart Locks Bricked by Bad Update | Threatpost | The first stop for security news
- IMSI Catcher Detection Apps Might Not Be All That Good, Research Suggests - Motherboard
- Ukrainian Man Arrested, Charged in NotPetya Distribution | Threatpost | The first stop for security news
- Juniper Issues Security Alert Tied to Routers and Switches | Threatpost | The first stop for security news
- slides_bh_pdf
- From random block corruption to privilege escalation: A filesystem attack vector for rowhammer-like attacks | USENIX
- Legal Hacking Tools Can Be Useful for Journalists, Too - Motherboard
- Experts in Lather Over ‘gSOAP’ Security Flaw — Krebs on Security
- Devil's Ivy - Senrio
- Senrio Training

Risky Business #464 -- Why your game theory theories are wrong  

On this week’s show we’ll be chatting with Kelly Shortridge, formerly a detection manager at BAE, all about her Black Hat talk. It’s all about why most of what you hear about applying game theory to detection strategies is total bullshit.

This week’s show is brought to you by Signal Sciences!

Signal Sciences makes a killer product focussed on web application and web server security. It’s really popular with the dev ops crowd, which is interesting, because most security products in devops focus on the dev, whereas Signal Sciences focusses more on the ops component.

This week we speak to Signal Sciences co-founder Zane Lackey about this burgeoning market for security tooling geared towards non-security people. It’s actually a really interesting conversation. Non security groups at large organisations are having to become security self sufficient and it really is a game changer. More on that with Zane Lackey in this week’s sponsor interview.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Show notes:
- WannaCry Researcher Indicted for Allegedly Creating Banking Malware - Motherboard
- Marcus Hutchins' Only Certainty is Uncertainty | Threatpost | The first stop for security news
- download
- Hackers Behind WannaCry Cashed Out Bitcoin While No One Was Watching - Motherboard
- So, about this Googler’s manifesto. – Yonatan Zunger – Medium
- Internal Messages Show Some Google Employees Supported James Damore’s Manifesto | WIRED
- Election Officials Still Haven’t Got Clearance to View Russian Hacking Info - Motherboard
- Attackers Use Typo-Squatting To Steal npm Credentials | Threatpost | The first stop for security news
- After phishing attacks, Chrome extensions push adware to millions | Ars Technica
- The FBI Booby-Trapped a Video to Catch a Suspected Tor Sextortionist - Motherboard
- Cisco deletes Meraki customer data in config bungle - Networking - iTnews
- Cisco Fixes DoS, Authentication Bypass Vulnerabilities, OSPF Bug | Threatpost | The first stop for security news
- What happens when someone steals your domain? - MiVote
- We Anonymously Controlled a Dildo Through the Tor Network - Motherboard
- O'Reilly Security Conference, October 29 - November 1, 2017, New York, NY
- A Next-Gen Web Protection Platform - WAF And RASP | Signal Sciences

Risky Business #463 -- Black Hat's 2017 keynote speaker Alex Stamos joins the show  

This week’s feature interview is with Facebook CSO and Black Hat 2017 keynote speaker Alex Stamos. We’ll be digging a little deeper on some of the points he hit on in his talk in Las Vegas this year. I’ve linked through to a video of his keynote in this week’s show notes (below), and I’d really recommend you watch it. It was just very, very good.

This week’s show is brought to you by Thinkst Canary. They’re best known for their little Canary honeypots, you put them on your network and they’ll alert you to all sorts of lateral movement. Thinkst’s Founder and chief brain Haroon Meer will be along later on to talk about cloud security.

He’ll be echoing some of the points made in our interview a few weeks back with Daniel Grzelak from Atlassian, as well as looking at how you can start to put together a somewhat coherent strategy for detecting when your cloud services get popped.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Show notes:
- Flash & The Future of Interactive Content | Adobe
- The Very Best Black Hat Hacks | WIRED
- Hackers Show Proofs of Concept to Beat Hardware-Based 2FA - Motherboard
- Same Chinese white hat group hacks into Tesla for second year - Xinhua | English.news.cn
- At DEF CON, I Watched Hackers Take Voting Machines Apart - Motherboard
- Salesforce vs. MEATPISTOL
- Kevin Beaumont on Twitter: "After Merck say they are having manufacturing issues from Petya, CDC say Merck Hepatitis vaccine not being distributed. https://t.co/N3KwAx6K2l"
- Europol Head Tells Us About its Dark Web Market Sting - Motherboard
- Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address - Motherboard
- The Dark Web Gun Trade May Be Bigger Than You Think - Motherboard
- Darknet administrator arrested over Munich massacre gun
- Legislation Proposed to Secure Connected IoT Devices | Threatpost | The first stop for security news
- 'Criminal mastermind' of $4bn bitcoin laundering scheme arrested | Technology | The Guardian
- Suspended Sentence for Mirai Botmaster Daniel Kaye — Krebs on Security
- Microsoft expands bug bounty program to cover any Windows flaw | Ars Technica
- Windows 10 will try to combat ransomware by locking up your data | Ars Technica
- Hackers' Own Tools Are Full of Vulnerabilities - Motherboard
- For 20 Years, This Man Has Survived Entirely by Hacking Online Games - Motherboard
- Facebook Security Boss: Empathy, Inclusion Must Come to Security | Threatpost | The first stop for security news
- Black Hat 2017 Keynote - Alex Stamos, Facebook... (Starts about 35 minutes in)
- Canary — know when it matters

Risky Business #462 -- Does the Australian government want to break encryption?  

In this week’s feature interview I speak with the Australian Prime Minister’s cyber security advisor Alastair MacGibbon about what it is that the Australian government is pushing for in terms of industry cooperation around surveillance.

There’s been a lot of hype on this one. “Al Mac” joins the show to work through some of it, and honestly, Australia’s push at the moment is the sort of thing I think you can expect to see more of around the world, so this is an interview of global relevance.

Some of that conversation hinges on a blog post I wrote on the weekend. If you want to, you can read that here.

This week’s show is brought to you by Remediant!

Remediant makes a product that’s designed to make lateral movement through a network much harder. Essentially it’s a way to restrict all privileged accounts on your infrastructure until you actually need them. So instead of being able to just log in to your production environment, you can set it up so you enable the privilege you need for a set period of time.

It’s a different approach to privilege management than things like password vaults, so if you work in an authentication group you’re going to want to hear what they have to say. Remediant CEO Tim Keeler is this week’s sponsor guest.

Adam Boileau is this week’s news guest. We talk about all the continuing notPetya drama at Maersk and FedEx/TNT, the Alphabay latest and more.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Show notes:
- ‘Co-founder’ of AlphaBay dark web for drugs and weapons found dead in cell | The Independent
- UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials - The Washington Post
- Advisory Update
- FedEx’s TNT Express still reeling from Petya cyberattack last month | Air Cargo World
- FedEx Says Some Damage From NotPetya Ransomware May Be Permanent
- Damages From a Well Executed Cyber Attack Could Reach $121.4 Billion
- Experts in Lather Over ‘gSOAP’ Security Flaw — Krebs on Security
- "Particle" Chrome Extension Sold to New Dev Who Immediately Turns It Into Adware
- It’s Trivially Easy to Hack into Anybody’s Myspace Account - Motherboard
- CoinDash Hacked During its ICO | Threatpost | The first stop for security news
- Cisco Patches Another Critical Ormandy Bug in WebEx Extension | Threatpost | The first stop for security news
- The Cyber Kill Chain is making us dumber
- No encryption was harmed in the making of this intercept - Risky Business
- Why Australia might be on the right encryption-cracking track
- Remediant

Risky Biz Soap Box: Keep your vendors honest with attack simulation  

This month’s Soap Box podcast is brought to you by AttackIQ, a company that makes attack simulation software.

This is a wholly sponsored podcast that won’t bore you to tears.

There are countless CISOs who listen to this podcast who’ve shovelled an awful lot of money at their organisation’s security controls. Whether that’s endpoint/AV or fancy network kit that’s supposed to detect exfil, the sad truth is most organisations have no way to know if their expensive kit is actually doing what it’s supposed to.

Until, of course, they get breached. Then there is much wailing and gnashing of teeth.

So the idea behind attack simulation is pretty simple. You load a lightweight agent on to your corporate systems, the agent then runs scriptable attack scenarios that can simulate attacker behaviour.

These attack scripts might get some endpoints to start nmapping internal systems. They might start changing some registry keys or stimulate a bunch of disk activity that looks like an encryption/ransomware process. They might start sending off a bunch of dummy data via a DNS exfil technique. Did your endpoint solution catch the funny registry stuff? Did your network controls catch the simulated exfil?

Now imagine you have 1,000 pre-coded attack simulations with all sorts of different combinations and permutations of attacker behaviours. How many of them do you actually need to run through before you can spot the weak points in your defences?

Attack simulation is a great way to test and validate your security controls, and you can do it continuously.

AttackIQ’s cofounder and CEO Stephan Chenette joined me to talk about attack simulation and what it’s good for.

Risky Business #461 -- AWS security with Atlassian's Daniel Grzelak  

On this week’s show we chat with Atlassian’s head of security, Daniel Grzelak, all about some AWS security tools he’s come up with. He also previews a new tool for generating AWS access key honeytokens at scale, which is really neat.

This week’s show is brought to you by Veracode!

Veracode’s director of developer engagement, Peter Chestna, will be along in this week’s sponsor interview to have a yarn about some common misunderstandings between security people and developers. We look at misunderstandings both ways.

Adam Boileau is this week’s news guest. We talk about all the latest dark markets drama, plus the Great Nuclear Hax Freakout of 2017.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Show notes:
- Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say - The New York Times
- FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators | Ars Technica
- As World's Largest Dark Web Market Vanishes, Dodgy Links Promise a Way Back In - Motherboard
- AlphaBay: Drug Site Remains Shut as Fears of Exit Scam Grow | Fortune.com
- South Korean Cryptocurrency Exchange Bithumb to Compensate Users Following the Hacking
- Dark Web Hosting Service Hacked, Some Data Was Stolen
- Head of Mt Gox bitcoin exchange on trial for embezzlement and loss of millions | Technology | The Guardian
- Owners of "VirusTotal-for-Crooks" Service Arrested
- iPhone Bugs Are Too Valuable to Report to Apple - Motherboard
- Kaspersky under scrutiny after Bloomberg story claims close links to FSB | Ars Technica
- Russian Cybersecurity CEO Offers Source Code for U.S. Inspection | Fortune.com
- Russians now need a passport to watch Pornhub – VICE News
- International Investigatory Group Also Target of Government Spyware | Threatpost | The first stop for security news
- Sabre Consumer Website - Home
- Hackers stole credit card info from Trump hotel guests for months | TheHill
- Let's Encrypt to Offer Wildcard Certificates in 2018 | Threatpost | The first stop for security news
- Decryption Key to Original Petya Ransomware Released | Threatpost | The first stop for security news
- Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak | Ars Technica
- Hackers Linked to NotPetya Ransomware Decrypted a File for Us - Motherboard
- Broadpwn Bug Affects Millions of Android and iOS Devices
- OpenBSD Will Get Unique Kernels on Each Reboot. Do You Hear That Linux, Windows?
- Microsoft Addresses NTLM Bugs That Facilitate Credential Relay Attacks | Threatpost | The first stop for security news
- The Time I Got Recruited to Collude with the Russians - Lawfare
- 2016-07-08 Security Notice
- GitHub - dagrz/aws_pwn: A collection of AWS penetration testing junk
- Application Security | Veracode

Risky Business #460 -- Haroon Meer talks Kaspersky drama, NotPetya, the cryptowars and more  

Adam Boileau has some out of town business to handle this week so he can’t join us in the news segment. But that’s ok, because industry legend Haroon Meer has very kindly agreed to fill in for him! We chat to Haroon shortly about all the latest NotPetya developments, we’ll also talk about the drama Kaspersky is experiencing right now, as well as dissecting the latest battle reports from the cryptowar! All the news is covered.

This week’s show is brought to you by ICEBRG!

ICEBRG’s co-founder, Will Peteroy, joins the show this week to chat a bit about what they’re up to. Will has an interesting background. He was the technical director of a government agency Red Team. That meant red team exercises against agencies, but he was also responsible for doing assessments on security products. He also put in a bunch of time at Microsoft where he was the endpoint for product security for Windows and Internet Explorer, which meant he was the recipient of oh-so-much-0day for around a year and a half. So yeah, Will knows what he’s doing, and he’s made a thing, and you’re going to hear about that thing after this week’s news.

See links to show notes below, and follow Patrick or Haroon on Twitter if that’s your thing!

Show notes:
- NATO: NotPetya Likely the Work of State Attackers | On the Wire
- TeleBots are back: supply-chain attacks against Ukraine
- Researchers Find BlackEnergy APT Links in ExPetr Code | Threatpost | The first stop for security news
- More Security Firms Confirm NotPetya Shoddy Code Is Making Recovery Impossible
- Ukrainian police seize software company's servers
- New Petya Distribution Vectors Bubbling to Surface | Threatpost | The first stop for security news
- Cyber attack: Ukrainian software company will face charges over security neglect, police suggest - ABC News (Australian Broadcasting Corporation)
- Family firm in Ukraine says it was not responsible for cyber attack | Reuters
- iTWire - Kaspersky Lab row: Russian minister warns of blowback
- Documents could link Russian cybersecurity firm Kaspersky to FSB spy agency - Chicago Tribune
- G20 summit: Malcolm Turnbull to urge Donald Trump to act against tech terrorists
- The Medicare machine: patient details of 'any Australian' for sale on darknet | Australia news | The Guardian
- The “keys to the cyber caliphate”: The daring U.S. raid to seize the ISIS personnel database - Salon.com
- Man Pleads Guilty to Stealing Bitcoin From Other Dark Web Criminals
- Hacker "Incursio" Gets Two Years in Prison for Hacking CIA, DHS, DOJ, and FBI
- This Dark Web Site Creates Robocalls to Steal People’s Credit Card PINs - Motherboard
- Bugcrowd-2017-State-of-Bug-Bounty-Report.pdf
- Average Bug Bounty Payments Growing | Threatpost | The first stop for security news
- HTTPS Certificate Revocation is broken, and it’s time for some new tools | Ars Technica
- Twitter / ?
- GitHub - SandboxEscaper/Edge-sandbox-escape
- ICEBRG | Streaming Network Forensics™ for Real-Time Threat Response

Risky Biz Soap Box: Bugcrowd founder and CEO Casey Ellis on the future of crowdsourced security  

In this edition of the Risky Business Soap Box podcast we chat with the founder and CEO of Bugcrowd, Casey Ellis, about the establishment of the bug bounty market and how things have shaped up. We also look at where it’s going.

The days of bounty programs being operated solely by large technology firms are long gone. Casey predicted that shift years ago. The question becomes, where will bounty programs be in three years from now?

Well, Casey doesn’t shy away from making some bold predictions. He thinks most enterprises will have vulnerability reporting mechanisms within two years, and a substantial proportion of those will offer rewards to bug hunters via companies like Bugcrowd.

He also sees bounty programs increasingly serving the specialist market.

You can find Casey on Twitter here.

Risky Business #459 -- Actually yes, "cyber war" is real for Ukraine  

This week we’ll be chatting with Andy Greenberg from Wired about his cover story for that magazine. He travelled to Ukraine back in March to research his story on Russian attacks against the Ukrainian power network. He joins us this week to share the insights he gleaned during his travels.

This week’s show is brought to you by SensePost.

SensePost are based in South Africa and England, but they are very well known for offering training courses at Black Hat. This year will be the 17th year they’ve run training courses there… as can be expected their brand new devops security course has gone absolutely gangbusters in terms of registrations this year, but they’re also offering a bunch of other courses. They’ll be joining us to chat about trends in training in this week’s sponsor interview.

Adam Boileau, as always, drops by for the week’s news segment. You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Show notes Complex Petya-Like Ransomware Outbreak Worse than WannaCry | Threatpost | The first stop for security news A new ransomware outbreak similar to WCry is shutting down computers worldwide | Ars Technica Pnyetya: Yet Another Ransomware Outbreak – the grugq – Medium Hacker Behind Massive Ransomware Outbreak Can't Get Emails from Victims Who Paid - Motherboard Is This Ukrainian Company The Source Of The 'NotPetya' Ransomware Explosion? Petya Ransomware Attack – What’s Known | MalwareTech Maersk says global IT breakdown caused by cyber attack | Reuters Honda shuts down factory after finding NSA-derived Wcry in its networks | Ars Technica Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware | Ars Technica Obama reportedly ordered implants to be deployed in key Russian networks | Ars Technica Russia struck at election systems and data of 39 US states | Ars Technica Republican Data Broker Exposes 198M Voter Records | Threatpost | The first stop for security news Al Jazeera Says It’s Under a Massive 'Cyber Attack' - Motherboard Mexican Journalists, Lawyers Focus of Government Spyware | Threatpost | The first stop for security news Russia's Cyberwar on Ukraine Is a Blueprint For What's to Come | WIRED Australia advocates weakening strong crypto at upcoming “Five Eyes” meeting | Ars Technica U.S. Cyberweapons, Used Against Iran and North Korea, Are a Disappointment Against ISIS - The New York Times AES-256 keys sniffed in seconds using €200 of kit a few inches away • The Register How the CIA infects air-gapped networks | Ars Technica Check Point says Fireball malware hit 250 million; Microsoft says no | Ars Technica Conviction for LA Times Hacking Helper Upheld British Hacker Pleads Guilty to Hacking US Military Satellite Phone And Messaging System - Motherboard Some beers, anger at former employer, and root access add up to a year in prison | Ars Technica Microsoft bringing EMET back as a built-in part of Windows 10 | Ars Technica Ohio Gov. Kasich’s website, dozens of others defaced using year-old exploit | Ars Technica China’s All-Seeing Surveillance State Is Reading Its Citizens’ Faces - WSJ SensePost | Events | Blackhat USA - July 2017
Risky Business #458 -- Reality Winner, Qatar hax and Internet regulation calls  

On this week’s show we’re covering off all the big news of the week: the arrest of Reality Winner, the apparent hacks that have ratcheted up the political crisis in Qatar and the renewed calls for Internet companies to be more government-friendly.

In this week’s feature interview we catch up with Samy Kamkar to get his take on what the lowering cost of hardware-based hacking could mean for our increasingly automated world. And in this week’s sponsor interview we chat with Duo Security’s Pepijn Bruienne about some recent attacks against the Mac OS software supply chain.

Big thanks to Duo Security for sponsoring this week’s show. Duo makes all manner of kick-ass two factor authentication solutions, you can check them out at Duo.com.

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Patrick is taking a vacation. Risky Business will return on June 28.

Show notes Errata Security: How The Intercept Outed Reality Winner Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election Reality Winner: NSA contractor and environmentalist repulsed by Trump | US news | The Guardian Putin: “Patriotic” Russian hackers may have interfered in US election | Ars Technica A TV Hack Appears to Have Sparked the Middle East's Diplomatic Crisis - Motherboard CNN Exclusive: US suspects Russian hackers planted fake news behind Qatar crisis - CNNPolitics.com Theresa May says the internet must now be regulated following London Bridge terror attack | The Independent Social media platforms need to crack down on terror, Malcolm Turnbull says AM - 'Society expects' government-industry cooperation to fight online extremism: cyber security adviser 07/06/2017 Google Translate Silk Road Creator Ross Ulbricht Loses Life Sentence Appeal | WIRED Alleged Dark Web Gun Runners Smuggled Weapons in DVD Players, Karaoke Machines - Motherboard The Rising Price of Bitcoin and Ethereum Is Leading to More Hacking Attempts - Motherboard Hackers Are Crowdfunding Cryptocurrency to Buy Alleged NSA Exploits - Motherboard You’ll never guess where Russian spies are hiding their control servers | Ars Technica WikiLeaks says CIA’s “Pandemic” turns servers into infectious Patient Zero | Ars Technica OneLogin suffers breach—customer data said to be exposed, decrypted | Ars Technica Defense contractor stored intelligence data in Amazon cloud unprotected [Updated] | Ars Technica EternalBlue Exploit Spreading Gh0st RAT, Nitol | Threatpost | The first stop for security news NSA's EternalBlue Exploit Ported to Windows 10 | Threatpost | The first stop for security news Dangerous 'Fireball' Adware Infects a Quarter Billion PCs | WIRED IBM Backup Bug Gets Workaround After Nine Months of Exposure | Threatpost | The first stop for security news 40,000 Subdomains Tied to RIG Exploit Kit Shut Down | Threatpost | The first stop for security news 53 Percent of Enterprise Flash Installs are Outdated | Threatpost | The first stop for security news Duo Collaborates With Google to Provide Verified Access for Chrome OS | Duo Security
Risky Business #457 -- Shadow Brokers turn to ZCash, plus special guest John Safran  

On this week’s show we’re taking a detour: This week’s feature interview has absolutely nothing to do with infosec. But it is related to the Internet. Sort of. If you squint a little.

This week’s feature guest is John Safran. He’s been gracing television screens here in Australia for nearly 20 years, but John is also a rather brilliant author. I’ve just finished reading John’s new book, Depends what you mean by Extremist, Going Rogue with Australian Deplorables. Honestly, it’s fascinating enough for me to just squeeze it into this show.

Basically John wrote a book about the year and a half he spent hanging out with all sorts of extremists; Left-wing Marxists, anarchists, right wing anti-Islam types and even Islamic State supporters, some of whom are now up on terror-related charges.

I speak to John about the Internet’s influence on extremism, as well as extremism in general. I highly, highly recommend this book. It’s a fascinating look at the contemporary political landscape through the eyes of extremist movements of all flavours, and it’s not a tough read. It’s actually quite funny and it’s really the most on-point thing I’ve read in a long, long time.

This week’s show is brought to you by Bugcrowd, big thanks to them! And in this week’s sponsor interview we’ll chat with Casey Ellis, Bugcrowd’s founder and CEO. Now that outsourced bug bounties have gone mainstream, we know more what they’re for and how people find them useful. So we speak to Casey about how a lot of orgs are basically just throwing the lower value testing out to bounties to free up their infosec teams to do higher value work. We talk about that and a couple of other points.

Adam Boileau, as always, drops in to discuss the week’s security news!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Show notes New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats | Ars Technica Florida Republican Who Teamed Up With Guccifer 2.0 Says Secretly Working With Russia Is NBD E-mails phished from Russian critic were “tainted” before being leaked | Ars Technica Russian Hackers Are Using Google's Own Infrastructure to Hack Gmail Users - Motherboard WannaCry Ransom Note Written by Chinese, English Speaking Authors | Threatpost | The first stop for security news Trump has an iPhone with one app: Twitter | Ars Technica Rash Of Phishing Attacks Use HTTPS To Con Victims | Threatpost | The first stop for security news Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw | Threatpost | The first stop for security news 1Password's Clever New Way to Protect Your Data at the Border Could Also Add Risk | WIRED A wormable code-execution bug has lurked in Samba for 7 years. Patch now! | Ars Technica Awfully Polite Hackers Allegedly Hijacked This Mall Billboard - Motherboard DOJ, FBI Executives Approved Running a Child Porn Site - Motherboard US Law Enforcement Have Spent Hundreds of Thousands on Bitcoin Tracking Tools - Motherboard Canadian Teen Allegedly Behind Notorious Dark Web Hacking Forum - Motherboard Scammers Are Peddling Useless Anti-WannaCry Apps - Motherboard Depends What You Mean by Extremist eBook by John Safran - 9781760142421 | Kobo John Safran vs God - Episode 1 - YouTube
Risky Business #456 -- Your MSP *will* get you owned  

On this week’s show Adam pops in to discuss the week’s news. (Links below) After the news segment Adam and Patrick both chat about topics near and dear to their hearts: Shoddy infosec marketing and shoddy MSP security.

This week’s show is brought to you by WordFence, a company that makes a WordPress security plugin. It’s not so much an enterprise security tool, but it turns out that when you run two million WordPress plugins you wind up collecting some pretty valuable threat intel and IOCs. WordFence’s Mark Maunder joins the show this week to talk about WordPress security and malware distribution!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Show notes More people infected by recent WCry worm can unlock PCs without paying ransom | Ars Technica There’s new evidence tying WCry ransomware worm to prolific hacking group | Ars Technica Windows 7, not XP, was the reason last week’s WCry worm spread so widely | Ars Technica EternalRocks Worm Spreads Seven NSA SMB Exploits | Threatpost | The first stop for security news PATCH Act Calls for VEP Review Board | Threatpost | The first stop for security news US politicians think companies should be allowed to 'hack back' after WannaCry Sweden Drops Julian Assange's Rape Charge, But the WikiLeaks Founder Won't Go Free | WIRED Examining the FCC claim that DDoS attacks hit net neutrality comment system | Ars Technica Google Elevates Security in Android O | Threatpost | The first stop for security news Android Gets Security Makeover With Google Play Protect | Threatpost | The first stop for security news Any Half-Decent Hacker Could Break Into Mar-a-Lago, We Tested It | Gizmodo Australia Senate's Use of Signal A Good First Step, Experts Say | Threatpost | The first stop for security news Should SaaS Companies Publish Customers Lists? — Krebs on Security Private Eye Allegedly Used Leaky Goverment Tool in Bid to Find Tax Data on Trump — Krebs on Security Yahoo Retires ImageMagick After Bugs Leak Server Memory | Threatpost | The first stop for security news Twitter Bug Allowed Hackers To Tweet From Any Account - Motherboard Breaking the iris scanner locking Samsung’s Galaxy S8 is laughably easy | Ars Technica Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution | Threatpost | The first stop for security news Apple Patches Pwn2Own Vulnerabilities in Safari, macOS, iOS | Threatpost | The first stop for security news BostonGlobe.com disables articles when your browser’s in private mode | Ars Technica Gravityscan - Free Website Malware and Vulnerability Scanner WordPress Security Plugin | Wordfence
Risky Business #455 -- What a mess  

On this week’s show, of course, we are taking a deep dive on WannaCry. Most of the coverage of this debacle has actually been pretty bad, and there’s been nothing that I’ve seen that even approaches being comprehensive, so we’re going to try to fix that in this edition of the show.

This week’s show is sponsored by Cylance, which, it must be said, didn’t “ambulance chase” this interview, they booked this sponsor slot in January this year.

Cylance CEO Stuart McClure joins the show this week to talk about ambulance chasing, why it is that we still don’t have a decent technical analysis of WannaCry and he generally gives us an industry view on this thing.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes WCry ransomware worm’s Bitcoin take tops $70k as its spread continues | Ars Technica Virulent WCry ransomware worm may have North Korea’s fingerprints on it | Ars Technica Two days after WCry worm, Microsoft decries exploit stockpiling by governments | Ars Technica WCry is so mean Microsoft issues patch for 3 unsupported Windows versions | Ars Technica WannaCry Variants Pick Up Where Original Left Off | Threatpost | The first stop for security news Microsoft Releases XP Patch for WannaCry Ransomware | Threatpost | The first stop for security news New Jaff Ransomware Part Of Active Necurs Spam Blitz | Threatpost | The first stop for security news NSA officials worried about the day its potent hacking tool would get loose. Then it did. - The Washington Post The WannaCry Ransomware Hackers Made Some Major Mistakes | WIRED What you need to know about the WannaCry Ransomware | Symantec Connect Community OH LORDY! Comey Wanna Cry Edition — Steemit Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry | Ars Technica Trump confirms he shared intel with Russia’s foreign minister | Ars Technica Trump Signs Cybersecurity Executive Order | Threatpost | The first stop for security news WikiLeaks Reveals Two CIA Malware Frameworks | Threatpost | The first stop for security news HP laptops covertly log user keystrokes, researchers warn | Ars Technica Apple Patches Pwn2Own Vulnerabilities in Safari, macOS, iOS | Threatpost | The first stop for security news Dutch Cops Bust Another PGP BlackBerry Company for Alleged Money Laundering - Motherboard Protect Against WannaCry: Microsoft Issues Patch for Unsupported Windows (XP, Vista, 8,...) Chelsea Manning Release: What to Know About Whistleblower | Time.com
Risky Business #454 -- Intel AMT latest, TavisO's horror-show Windows bug, Macron leaks and more!  

We’ve got a real bread-and-butter show for you this week. Adam is along in this week’s news segment to talk about the latest on the Intel AMT bugs, Tavis Ormandy’s horror-show Windows Defender bug, the Macron email dump and more.

In this week’s feature interview we speak with Adobe security engineer and OAuth 2 in Action co-author Antonio Sanso about what companies like Google might be able to do to make their OAuth implementations a little safer for users… Which, you know, might be something worth considering given an OAuth-based phishing attack was able to compromise something like a million Google accounts the other week.

This week’s show is brought to you by Thinkst Canary! Canary is of course the wonderful little hardware honeypot device Thinkst makes that you can plug into your network that’ll let you know when you have attackers on your LAN. Thinkst’s head of development, Marco Slaviero, joins the show this week to talk about the CIA’s leaked watermarking solution Scribbles, as well as to talk a little about Thinkst’s so-called “bird guide”. It’s a document (linked below) with a bunch of advice for those of you considering using honeypots.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes The hijacking flaw that lurked in Intel chips is worse than anyone thought | Ars Technica mjg59 | Intel AMT on wireless networks Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable | Ars Technica Emergency Update Patches Zero Day in Microsoft Malware Protection Engine | Threatpost | The first stop for security news Microsoft’s recent success in blocking in-the-wild attacks is eerily good | Ars Technica Veritas - Security Response Advisories Hacked Macron Emails Leak Online Ahead of French Presidential Runoff Election | WIRED The NSA Confirms It: Russia Hacked French Election ‘Infrastructure’ | WIRED Patrick Gray on Twitter: "I'm not convinced this is true. At all. Will discuss on this week's show! https://t.co/cvyRahSaxr" Press releases - National Commission for the Control of the Campaign for the Presidential Election Here's How Easy It Is to Get Trump Officials to Click on a Fake Link in Email F.B.I. Director James Comey Is Fired by Trump - The New York Times Google's OSS-Fuzz Finds 1,000 Open Source Bugs | Threatpost | The first stop for security news Ultrasonic Beacons Are Tracking Your Every Movement | Threatpost | The first stop for security news Dark Web Suspects Busted After Visiting Image Sharing Site Outside of Tor - Motherboard Cisco kills leaked CIA 0-day that let attackers commandeer 318 switch models | Ars Technica grugq is creating analysis on applied security, cyber, operational, and otherwise. | Patreon Canarytokens Thinkst Canary Bird Guide:
Risky Biz Soap Box: A microvirtualisation primer with Bromium co-founder Ian Pratt  

This Soap Box edition is all about desktop microvirtualisation! Bromium has been around for about six years now, and they make an endpoint security package that is really, really different to other solutions in the market. The whole thing hinges on what they call a Microvisor, which amounts to hardware-enabled isolation on your desktop.

Bromium’s software is basically a way to virtualise user tasks, whether that’s working on a Word document or browsing an exploit-riddled lyrics website with Java and Flash enabled. The idea is that if an exploit gets dropped on you, it gets trapped in a micro-VM.

Personally, I’m a big fan of Bromium’s stuff. One of the things that kind of hindered the adoption of this tech in its early days is that it relies on CPU features that were basically new six years ago, so not everyone could run it. There was also a bit of a UX hit. But there’s good news! Hardware refresh cycles have taken their course, and now running Bromium’s software is viable in almost all enterprises.

Where this goes from being interesting to downright compelling is if you’re an enterprise forced to run vulnerable software. I’m thinking specifically of old browsers running things like Java. In many organisations, running out-of-date crapware is a business requirement.

Well, running Bromium on those endpoints will basically solve that problem. Sure, nothing is magic, but by the time you’ve finished listening to this conversation with Bromium co-founder and President Ian Pratt, I think you’ll definitely want to take a look at the tech. You should take a look at the tech, because it’s borderline impossible to solve that problem any other way.

I hope you enjoy it!
