Risky Business

Australia

Risky Business primary podcast.

Episodes

REPOSTED (SEE NOTE): Risky Biz Snake Oilers: Roll up roll up! We've got a fix for what ails ya!  

NOTE: We had to re-post this. Originally we linked to the wrong mp3 (soapbox1 instead of snakeoilers1). It was rectified within about five minutes, but caches gonna cache, so we’ve reposted it. Sorry if you downloaded it twice!

This is the first ever Snake Oilers podcast from Risky.biz. It’s a wholly sponsored podcast in which vendors pop in and take 10 minutes each to pitch the audience on their stuff. The idea behind this whole thing is so that infosec buyers can actually hear a bunch of ten minute pitches without having to go to lunch with a salesperson with giant shiny teeth who doesn’t really understand what they’re selling.

These are product pitches from people who actually get the technology. And you know what? Even if you’re not a technology buyer, you’ll probably still find a lot of this interesting – it’s good to know how vendors are slicing and dicing some of the challenges we all face in security.

In this edition:

- Exabeam says it can save you buttloads of cash compared to other SIEM solutions like Splunk or ArcSight.
- Senetas urges you not to use babby’s first encryptor cards and opt for its 100gbps full line rate layer 2 encryptor instead.
- Kolide pitches its osquery-based EDR solution. If it’s good enough for Facebook, it’s good enough for you!
- Senrio pitches its impressive IoT network sensor and developer tools.

Links below!

Show notes

- Security Intelligence | SIEM & UEBA | Exabeam
- CN9000 Ultra-Fast 100Gbps Ethernet Encryptor | Senetas
- Kolide - Black Box Security. Unboxed.
- Senrio
- Sponsorship - Risky Business

Risky Business #451 -- Shadowbrokers nothingburger edition  

On this week’s show we talk about the latest Shadowbrokers shenanigans with Adam, as well as all the other major security news of the last couple of weeks.

After that we’ll be chatting with Adam’s colleague at Insomnia Security, Pipes, about the interesting aspects to the dump – what did it teach us about how NSA rolls? Well quite a lot, as it turns out. And yeah, the N0day bugs aren’t the interesting bit.

This week’s show is sponsored by Tenable Network Security. This week Tenable’s VP of federal, Darron Makrokanis, will be along to talk about how to speed up federal government adoption of new tech – what’s the best way for that to happen? That’s this week’s sponsor interview!

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- NSA-leaking Shadow Brokers just dumped its most damaging release yet | Ars Technica
- In slap at Trump, Shadow Brokers release NSA EquationGroup files | Ars Technica
- Shadow Brokers Leak Shows NSA Hacked Middle East Banking System and Had Major Windows Exploits | WIRED
- Alleged NSA Victim Denies Hackers Ever Broke In - Motherboard
- Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers | Ars Technica
- We Can Calm Down: Microsoft Already Patched Most of the Shadow Brokers Exploits - Motherboard
- The New Shadow Brokers Leak Connects the NSA to the Stuxnet Cyber Weapon Used on Iran - Motherboard
- Newly Leaked Hacking Tools Were Worth $2 Million on the Gray Market - Motherboard
- WikiLeaks just dropped the CIA’s secret how-to for infecting Windows | Ars Technica
- Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA | Ars Technica
- Researchers find China tried infiltrating companies lobbying Trump on trade | Ars Technica
- Brexit: foreign states may have interfered in vote, report says | Politics | The Guardian
- North Korea: Can the US take out its missiles before launch? - CNN.com
- Feds deliver fatal blow to botnet that menaced world for 7 years | Ars Technica
- Rash of in-the-wild attacks permanently destroys poorly secured IoT devices | Ars Technica
- New processors are now blocked from receiving updates on old Windows | Ars Technica
- Microsoft Word 0-day was actively exploited by strange bedfellows | Ars Technica
- Why Did Microsoft Wait Six Months To Patch a Critical Word Zero-Day? - Motherboard
- Microsoft Word 0-day used to push dangerous Dridex malware on millions | Ars Technica
- Critical Word 0-day is only 1 of 3 Microsoft bugs under attack | Ars Technica
- Office Zero Day Delivering FINSPY Spyware to Victims in Russia | Threatpost | The first stop for security news
- Microsoft Patches Word Zero-Day Spreading Dridex Malware | Threatpost | The first stop for security news
- Breaking Signal: A Six-Month Journey | Threatpost | The first stop for security news
- F8 2017: Facebook's Delegated Recovery Will Make It Easier to Get Back Into Locked Accounts | WIRED
- Charlie Miller on Why Self-Driving Cars Are So Hard to Secure From Hackers | WIRED
- Meet PINLogger, the drive-by exploit that steals smartphone PINs | Ars Technica
- Fake News at Work in Spam Kingpin’s Arrest? — Krebs on Security

Risky Business #450 -- From Mirai to mushroom clouds in five easy steps  

This week’s show is a fun one! We’ll be chatting with Josh Corman, the Atlantic Council’s Director of Cyber Statecraft. We’ll be speaking with him about an exercise he did recently with a whole bunch of students. Basically the whole thing was a simulation where students walked through various scenarios and had to respond. Unfortunately, Josh discovered that most students had a predisposition to escalating things unnecessarily. From Mirai to mushroom clouds, that’s this week’s feature interview.

This week’s sponsor interview is also an absolute corker. Rapid7 is this week’s sponsor. In addition to making enterprise security software and running a pentest practice, Rapid7 also spends a considerable amount of time and money on developing Metasploit.

Rapid7 research director Tod Beardsley and director of transportation security Craig Smith join the show this week to talk about some recent changes to Metasploit that I’m amazed haven’t made a bigger splash. You can now run Metasploit against a CAN bus and they’ve built an RF module as well. That is absolutely awesome stuff, coming up in this week’s sponsor interview, with special thanks to Rapid7!

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- Wikileaks releases code that could unmask CIA hacking operations | Ars Technica
- Smart TV hack embeds attack code into broadcast signal—no access required | Ars Technica
- Project Zero: Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
- Here's How Not to Get Doxed Like FBI Director James Comey - Motherboard
- Reinhold Niebuhr on Twitter: "https://t.co/L5ehuMFGat https://t.co/x53gCG7Nvc"
- Verizon Rebuts Critics of Data-Collecting App | Threatpost | The first stop for security news
- An Update on Verizon's AppFlash: Pre-Installed Spyware Is Still Spyware | Electronic Frontier Foundation
- New Mirai Variant Roars into Action With 54 Hour DDoS Attacks | Threatpost | The first stop for security news
- Publicly Attacked Microsoft IIS Zero Day Unlikely to be Patched | Threatpost | The first stop for security news
- Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group | Threatpost | The first stop for security news
- Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear | WIRED
- Russian Hackers Have Used the Same Backdoor for Two Decades | WIRED
- Operation Cloud Hopper
- Pegasus for Android: the other side of the story emerges | Lookout Blog
- Someone is putting lots of work into hacking Github developers | Ars Technica
- FBI Arrests Hacker Who Hacked No One - The Daily Beast
- Hackers Hit Islamic State Site, Use It to Spread Malware - Motherboard
- UK Cops Arrest Man Potentially Linked to Apple Extortion - Motherboard
- Patrick Gray on Twitter: "Heh. I think you could call this "high confidence". https://t.co/zDCbiPmJXV"
- An Unprecedented Heist Hijacked a Brazilian Bank’s Entire Online Operation | WIRED
- Samsung's Android Replacement Is a Hacker's Dream - Motherboard
- Patrick Gray on Twitter: "This is interesting. Apparently RU bots hammer Trump's account with conspiracy-related material when they know he's likely to be using it. https://t.co/f38WB9uIsS"
- McAfee is once again an independent company - CSO | The Resource for Data Security Executives
- Fake SEO Plugin Used In WordPress Malware Attacks | Threatpost | The first stop for security news
- Hackers Can Easily Hijack This Dildo Camera and Livestream the Inside of Your Vagina (Or Butt) - Motherboard
- Rebuttal to Pen Test Partners
- Exiting the Matrix: Introducing Metasploit's Ha... |

Risky Biz Soap Box: Senrio tackles IoT problem for CISOs, developers  

Soap Box is back! This time we’re chatting with Stephen Ridley and Jamison Utter about the tech Stephen has launched: Senrio Insight and Senrio Trace!

This is a fully sponsored blabfest about IoT security. Specifically, we drill into two different problems Senrio is trying to solve. The first is how the hell you deal with monitoring IoT on your network, especially when you can’t do DPI because of HIPAA. If you’re a CISO from a hospital, you will be very interested in this part of the podcast.

Then we talk about IoT security approaches for developers. Not only has Senrio developed a boring old network sensor to remedy the dumb but profitable-to-solve problem, they’ve also created a developer toolkit for manufacturers of IoT devices who need to be able to monitor them in the field.

Stephen Ridley is a bona fide expert on IoT. So much so, he used to actually train NSA staff on hacking IoT devices. Personally I think when you’re training NSA on how to own stuff, that makes you a genuine expert.

Jamison Utter, Senrio’s VP of Field Operations, also joins us for this podcast. I hope you enjoy it!

To book a demo with Senrio, click here.

Risky Business #449 -- Machine Learning: Woot or woo?  

On this week’s show I’ll be playing part two of my interview with In-Q-Tel’s chief security officer Dan Geer. That’s all about machine learning in infosec. Is it actually going to turn into something? Or is it just another infosec thought bubble?

This week’s sponsor interview is with Dan Guido of Trail of Bits.

Trail of Bits is a New York-based security engineering and testing company that does very interesting work. They don’t just break apps, they actually work on securing them. With that in mind, Dan’s team has been looking at implementing control flow integrity protections in various software projects. So we speak to him about the LLVM versus Microsoft Control Flow Guard approach, which is achievable. We also speak to him about McSema, a tool they developed for reversing binaries into an intermediate language.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] | Ars Technica
- Here’s the Data Republicans Just Allowed ISPs to Sell Without Your Consent - Motherboard
- Did China Just Help North Korea Steal $81M From The Fed?
- New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs | Ars Technica
- WikiLeaks Dark Matter Release Shows CIA Interdiction of iPhone Supply Chain | Threatpost | The first stop for security news
- Think Tank: Cyber Firm at Center of Russian Hacking Charges Misread Data
- Cyber Firm Rewrites Part of Disputed Russian Hacking Report
- Michael Koziarski on Twitter: "FedEx’s web tech is so old they’re offering you $5 to enable flash… https://t.co/HRAj1Qgrjq cc @riskybusiness"
- eBay Asks Users to Downgrade Security — Krebs on Security
- Doxed by Microsoft’s Docs.com: Users unwittingly shared sensitive docs publicly | Ars Technica
- Android Security Is Better But Still Has a Long Way to Go | WIRED
- Shielding MAC addresses from stalkers is hard and Android fails miserably at it | Ars Technica
- Ransomware scammers exploited Safari bug to extort porn-viewing iOS users | Ars Technica
- Potent LastPass exploit underscores the dark side of password managers | Ars Technica
- APT29 Used Domain Fronting, Tor to Execute Backdoor | Threatpost | The first stop for security news
- Experts Doubt Hacker’s Claim Of Millions Of Breached Apple Credentials | Threatpost | The first stop for security news
- Whoops: The DOJ May Have Confirmed Some of the Wikileaks CIA Dump - Motherboard
- Apple Just Banned the App That Tracks US Drone Strikes, Again - Motherboard
- A Hackable Dishwasher Is Connecting Hospitals to the Internet of Shit - Motherboard
- McSema: I’m liftin’ it | Trail of Bits Blog
- The Challenges of Deploying Security Mitigations | Trail of Bits Blog

Risky Business #448 -- Dan Geer on cloud providers: Too big to fail?  

We’ve got a great show for you this week. In-Q-Tel CSO Dan Geer will be along for a very interesting conversation about the major cloud providers. Are they too big to fail the same way some banks are? Does the efficiency of highly concentrated ownership of a large chunk of the world’s Internet service capacity make it less resilient? We talk about that and more in this week’s feature interview.

This week’s sponsor interview is also an absolute cracker. We’re speaking with Mike Hanley of Duo Security. Mike is the senior director of security at Duo, and he’s along this week to talk about Google’s BeyondCorp initiative.

BeyondCorp is Google’s vision for the next generation of enterprise environments and it has a lot to do with deperimeterisation. Mike is along this week to talk about that concept and how solid authentication is basically the first step in moving towards that vision. It’s really, really solid stuff, so do stick around for that one.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- Comey Confirms a Trump-Russia FBI Investigation Began Last July | WIRED
- Laptop ban: UK, US ban electronics in carry-on luggage from Middle East airports amid terrorist bomb fears - ABC News (Australian Broadcasting Corporation)
- Patrick Gray on Twitter: "I've seen a couple of people float this theory and FWIW I think it's bullshit. https://t.co/8PeV3IxdVJ"
- WikiLeaks Won’t Tell Tech Companies How to Patch CIA Zero-Days Until Its Demands Are Met - Motherboard
- Patrick Gray on Twitter: "Staff holding clearances didn't stop Microsoft fixing Stuxnet 0days or the Flame md5 collision. More grandstanding bullshit from Assange.

Risky Business #447 -- Struts bug owns everyone, RAND 0day report and more  

On this week’s show Patrick and Adam have a look at the surprisingly great report about 0day prepared by RAND Corporation, as well as the other security news of the week. How ‘bout dat Struts bug, eh?

Dr. Vanessa Teague of the University of Melbourne also joins the show to talk about the latest developments around computerised voting. Vanessa is an expert on e-voting and she’s been in the space for a long time – she’ll be joining us this week to talk about how European authorities have been responding to the risks posed to their elections by outside parties, and we take a look at some voting security ideas for America.

This week’s show is brought to you by Netsparker. Netsparker is a black-box web application testing tool that aims to speed up webapp tests through automation. Netsparker’s creator Ferruh Mavituna is this week’s sponsor guest. He’s joining us to basically talk about what you can actually automate in webapp testing, but also about what you can’t automate. That’s a really interesting chat, one that the pentesters will love I’m sure.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- Critical vulnerability under “massive” attack imperils high-impact sites [Updated] | Ars Technica
- In-the-wild exploits ramp up against high-impact sites using Apache Struts | Ars Technica
- Zero Day Exploits Rarely Discovered By More Than One Group, Study Finds - Motherboard
- Wikileaks' Cache of Alleged CIA Files Includes Unredacted Names - Motherboard
- WikiLeaks: We’ll Work With Software Makers on Zero-Days — Krebs on Security
- Apple Says Many of the CIA's Alleged iPhone Hacks Have Already Been Patched - Motherboard
- After NSA hacking exposé, CIA staffers asked where Equation Group went wrong | Ars Technica
- FBI Director Tells Companies Not to 'Hack Back' Against Hackers - Motherboard
- Dutch Cops Say They've Decrypted PGP Messages On Seized Server - Motherboard
- Dear Confide: “We would never” isn’t the same as “we can’t” | Ars Technica

Risky Business #446 -- CIA tools doxed, plus osquery with Mike Arpaia  

On this week’s news we put Wikileaks’ latest dumps under the microscope and offer a few theories on what’s really going on.

We also have a chat with Mike Arpaia, the creator of osquery. osquery is host-based instrumentation software put together by Mike and his team when they worked at Facebook. It’s open source these days and now Mike is trying to get it adopted.

This week’s show is brought to you by Cyberark! And we’ll be chatting with Cyberark’s Chief Architect Gerrit Lansing. Cyberark makes software that manages privileged accounts, and we’ll be talking to Gerrit about privileged account management automation in this week’s sponsor interview.

Adam Boileau is along to discuss the week’s news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- Trump's Claims That Feds Wiretapped Trump Tower Could Backfire Bigly | WIRED
- Wikileaks Just Dumped a Cache of Information on Alleged CIA Hacking Tools - Motherboard
- WikiLeaks publishes docs from what it says is trove of CIA hacking tools | Ars Technica
- The WikiLeaks CIA Dump Shows Hacking Secrets of Spies | WIRED
- WikiLeaks: CIA Uses 'Stolen' Malware to 'Attribute' Cyberattacks to Nations Like Russia - Breitbart
- The CIA Allegedly 'Borrows' Code From Public Malware Samples - Motherboard
- Trump Inherits a Secret Cyberwar Against North Korean Missiles - The New York Times
- DOJ Dismisses Playpen Case to Keep Tor Hack Private | Threatpost | The first stop for security news
- The Fed-Proof Online Market OpenBazaar Is Going Anonymous | WIRED
- Dark Web Market AlphaBay Staff to Alleged Extortionist: Don't Dox Us, Here's Some Money - Motherboard
- Users Say They'll Pay for Vanished Dark Web Email Service 'Sigaint' to Return - Motherboard
- S

Risky Business #445 -- Amazon, CloudFlare and Microsoft join "having a bad week club"  

We’ve got a real bread and butter show for you this week. Troy Hunt will be along to talk about the Cloudflare bug and why everyone freaked out about it, and Haroon Meer of Thinkst Canary will be along to talk about RSA.

This week’s show is, of course, brought to you by Canary.Tools, and Haroon will tell us about his first ever RSA conference experience. That’s actually a really fun chat. Funny in parts, too.

Adam Boileau is along to discuss the week’s news. Microsoft, Amazon and a handful of Russians are all having an awful, awful week, and he’ll be talking all about that.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

- Amazon S3 Outage Has Broken A Large Chunk Of The Internet
- Amazon Web Services on Twitter: "The dashboard not changing color is related to S3 issue. See the banner at the top of the dashboard for updates."
- Treason charges against Russian cyber experts linked to seven-year-old accusations | Reuters
- At death’s door for years, widely used SHA1 function is now dead | Ars Technica
- Watershed SHA1 collision just broke the WebKit repository, others may follow | Ars Technica
- Police Have Arrested a Suspect in a Massive ‘Internet of Things’ Attack - Motherboard
- BKA - List page for press releases 2017 - The prosecutor's office in Cologne and the Federal Criminal Police Office have been arrested with suspected telecom hackers in London
- Google reports “high-severity” bug in Edge/IE, no patch available | Ars Technica
- Unpatched SMB Zero Day Easily Exploitable | Threatpost | The first stop for security news
- Troy Hunt: Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages
- Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica

Risky Business #444 -- $350m! Wiped! Off! Yahoo! Over! Breach!  

On this week’s show we’re chatting with Peter Gutmann about a couple of things that have combined to form a legit problem: The abuse of the Let’s Encrypt domain-validated certificate authority combined with recent UI changes in Chrome is a phisher’s wet dream. We chat with Peter about that. The tl;dr is the browser makers need to get off their asses and do something about that, pronto.

This week’s show is sponsored by Exabeam. They just took $30m in funding from a VC and Cisco and they’re looking at doing some really interesting stuff in the SIEM world with, you guessed it, machine learning! In this week’s sponsor interview we’re chatting with Exabeam co-founder Sylvain Gil about a few things – the conversation does veer a bit into their products but it actually stays interesting, mostly because he discusses things like Exabeam’s roadmap in terms of problems they’re trying to solve. So even if you have no desire to buy a new SIEM, you’ll still probably find that one interesting from an academic point of view.

Adam Boileau, as always, stops in to discuss the week’s news, and Jake Davis is back with a… reinterpretation(?!) of the Hacker Manifesto.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick (https://twitter.com/riskybusiness), Jake (https://twitter.com/doublejake) or Adam (https://twitter.com/metlstorm) on Twitter if that’s your thing.

Show notes

- Hacks all the time. Engineers recently found Yahoo systems remained compromised | Ars Technica
- Verizon and Yahoo amend terms of definitive agreement
- Yahoo reveals more breachiness to users victimized by forged cookies [Updated] | Ars Technica
- JavaScript Attack Breaks ASLR on 22 CPU Architectures
- Kim Dotcom and co-accused eligible for extradition to US, says High Court - National - NZ Herald News
- Who Ran Leakedsource.com? — Krebs on Security
- How to Bury a Major Breach Notification — Krebs on Security
- Hackers who took control of PC microphones siphon >600 GB from 70 targets | Ars Technica
- Trump’s apparent security faux-pas-palooza triggers call for House investigation | Ars Technica
- Trump Cybersecurity Head Tom Bossert Could Be a Voice of Reason | WIRED

Risky Business #443 -- CrowdStrike and NSS face off, Hal Martin charged and more  

On this week’s show we’ll be chatting with two of the organisers of an event that was held here in Australia – PlatyPus con. As you’ll hear, it wasn’t really a typical security con – attendees had to bring laptops and had to participate. The whole thing was centred around workshops. Everyone I know who went said it was brilliant, and I personally think this is an idea that is going to catch on outside of Australia. We’ll be speaking with Snail and Lin_s about that one in this week’s feature interview.

This week’s show is brought to you by Veracode, big thanks to them. In this week’s sponsor interview we’ll be chatting with Veracode’s senior product innovation manager Colin Domony about a couple of things. Veracode did a pretty interesting survey recently that really shows that developers are, in fact, finally, becoming security aware in a big way. Not only that, but Veracode has made some pretty significant changes to its products to reflect this switch. Static analysis software security tools are becoming something the developers themselves use, they’re not just for the security teams these days. So we’ll talk about the rationale behind Veracode’s recent release of a scanner that plugs into IDEs: Veracode Greenlight.

Adam Boileau joins us, as always, to talk about the week’s security news.

Links to everything are in this week’s show notes (http://risky.biz/RB443_notes).

Oh, and do add Patrick (https://twitter.com/riskybusiness), Jake (https://twitter.com/doublejake) or Adam (https://twitter.com/metlstorm) on Twitter if that’s your thing.

Show notes

- The Alleged NSA Thief Stole Information Impacting At Least Five US Agencies - Motherboard
- CrowdStrike Initiates Legal Action Against NSS Labs For Misappropriation of Intellectual Property and Engaging in a Sham Transaction to Illegally Obtain Access To Our Falcon Software
- CrowdStrike attempts to sue NSS Labs to prevent test release, court denies request | CSO Online
- Explain! yourself! US! senators! yell! at! Yahoo! • The Register
- Senators Question Yahoo’s Candor on Data Breach - WSJ
- How to not do presidential opsec: Crisis management over dinner in public | Ars Technica
- The Cybersecurity Executive Orders: A Tale of Two Trumps |
- Amnesty International uncovers phishing campaign against human rights activists | Ars Technica
- A rash of invisible, fileless malware is

Risky Business #442 -- A bad week for Freedomhosting II, Cellebrite and Polish banks  

There’s no feature interview in this week’s show. Instead, we’re going to spend a bit more time with Adam Boileau talking about the week’s news, and there’s plenty to chew through.

This week’s show is brought to you by Tenable Network Security! In this week’s sponsor interview we’ll be chatting with Amit Yoran, Tenable’s new-ish CEO. Amit has an interesting background in infosec and he’ll be joining us to talk about a few things – Tenable’s just launched a whole new platform, which is interesting from a sign-of-the-times perspective. We’ll also get his thoughts on where he sees things going in the industry more generally. This isn’t Amit’s first CEO post – he was previously the big cheese at Netwitness then RSA, so he certainly has the experience to weigh in on trends.

Links to everything are in this week’s show notes (http://risky.biz/RB442_notes).

Oh, and do add Patrick (https://twitter.com/riskybusiness), Jake (https://twitter.com/doublejake) or Adam (https://twitter.com/metlstorm) on Twitter if that’s your thing.

Show notes

- Prosecutors to seek indictment against former NSA contractor as early as this week - The Washington Post
- Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite - Motherboard
- Not Just Windows: Hackers Are Using Mac Malware to Track Iranian Activists - Motherboard
- Egyptian Human Rights Activists Are Being Targeted in 'Dangerous' Hacking Campaign - Motherboard
- We Talked to the Hacker Who Took Down a Fifth of the Dark Web - Motherboard
- Hello? Police? My darknet drug market was just hacked by criminals • The Register
- Polish banks hit by malware sent through hacked financial regulator • The Register
- Vizio smart TVs tracked viewers around the clock without consent | Ars Technica
- The Data That Turned the World Upside Down - Motherboard
- Google Brain super-resolution image tech makes “zoom, enhance!” real | Ars Technica

Risky Biz Soap Box 1: DevOps, appsec and squandered opportunities  

This is the first ever Risky Business Soap Box Special, produced by Risky.Biz for HP Enterprise Fortify. If you’re in infosec you know who they are already – Fortify makes software development security tools: everything from code scanners to its RASP solution Application Defender to Continuous Application Monitoring Services via Fortify on Demand, etc etc etc.

The concept behind these special shows is pretty simple – up to once a month I’ll be interviewing an executive from the infosec industry about the field they operate in. Yes, it’s supposed to be promotional, but really, hearing these conversations is something a lot of listeners have told me they’d find extremely valuable. It’s called the Soap Box because it’s about helping men and women in positions of influence in the infosec industry actually access an audience. And they do have a lot to say.

Jason Schmitt is the vice president and general manager of the Fortify business within the HP Enterprise Security Products organization. Before HP he held product management and engineering management positions at SPI Dynamics, Barracuda Networks, Steelbox Networks, and Andersen Consulting (now Accenture).

In this special edition Jason talks about the impact the shift to DevOps is having on appsec, as well as looking at the results of a survey HPE did last year that yielded some pretty depressing results. (You can find that paper here [pdf]: https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA6-8302ENN.pdf.) We’ll also be referencing a talk by then Yahoo! CSO Alex Stamos (currently Facebook CSO) at Appsec USA 2015 titled “Appsec is eating security”. You can watch that one on YouTube here: https://www.youtube.com/watch?v=-1kZMn1RueI.

Risky Business #441 -- Gone in 60 seconds: Attacking ephemeral resources  

On this week’s show we’ll be chatting with information security’s enfant terrible Nathaniel Wakelam about some recon tricks he’s been using in bug bounty programs. He uses some nice tricks to rapidly identify ephemeral resources that often result in some spectacular hacks, like, say, being able to download all of REDACTED’s source code. That one was cool because it was a temporary resource that got popped – that’s something you have to watch these days.

This week’s show is brought to you by Cylance! Cylance makes machine learning-based AV software that by all reports works really well. Cylance CTO and co-founder Ryan Permeh is this week’s feature guest and we’re talking about something that we touched on last week – gaming machine learning. Does Cylance worry that a determined attacker will be able to gradually input bad data into Cylance’s learning set and game the whole system? Well, no, they’re not worried about it, but it’s definitely something they pay attention to. That’s really interesting stuff and it’s coming up after this week’s feature interview.

Adam Boileau, as always, pops in for this week’s news.

Links to everything are in this week’s show notes (http://risky.biz/RB441_notes).

Oh, and do add Patrick (https://twitter.com/riskybusiness), Jake (https://twitter.com/doublejake) or Adam (https://twitter.com/metlstorm) on Twitter if that’s your thing.

Show notes

- Reports: Arrested Russian intel officer allegedly spied for U.S.
- A Shakeup in Russia’s Top Cybercrime Unit — Krebs on Security
- Russians Charged With Treason Worked in Office Linked to Election Hacking - The New York Times
- Kaspersky Lab’s top investigator reportedly arrested in treason probe | Ars Technica
- Kevin Rothrock on Twitter: "Bombshell scoop by Rosbalt: @b0ltai2’s leader was allegedly arrested last October, and he’s the one who ratted out the two FSB agents."
- Arrested FSB officers accused of cooperating with the CIA — Meduza
- FBI agents head to Prague to question Russian hacker Nikulin — ČT24 — Česká televize
- https://apps.washingtonpost.com/g/documents/world/read-the-trump-administrations-draft-of-the-executive-order-on-cybersecurity/2306/
- President Trump is still using his “old, unsecured Android phone” | Ars Technica
- Alleged author of the ‘hack’ of the data of 5,500 ‘mossos’ arrested | Cataluña

Risky Business #440 -- Matt "PwnAllTheThings" Tait on the politicisation of infosec  

On this week’s show we check in with Matt Tait, who’s probably better known by his Twitter handle: pwnallthethings. And we’ll be talking about the politicisation of infosec and the science of attribution.

This week’s show is brought to you by Bugcrowd. Bugcrowd’s CEO and co-founder Casey Ellis will be along in this week’s sponsor interview to talk about his adventures running a MongoDB honeypot. Bugcrowd are pretty interested in talking about all those poor MongoDBs getting hosed because, well, if you’ve got a bug bounty program running, open DBs are the sorts of things that tend to get reported.

As you’ll hear in that interview, the attackers who made some fast cash taking control of MongoDBs are now going after other stuff – elasticsearch, Hadoop.

Adam Boileau, as always, joins the show to discuss the week’s security news, and our good buddy Jake Davis is back for another edition of Story Corner.

Links to everything are in this week’s show notes (http://risky.biz/RB440_notes).

Oh, and do add Patrick (https://twitter.com/riskybusiness), Jake (https://twitter.com/doublejake) or Adam (https://twitter.com/metlstorm) on Twitter if that’s your thing.

Show notes

Coalition of Cryptographers, Researchers Urge Guardian to Retract WhatsApp Story | Threatpost | The first stop for security news
AG Nominee Backs Law Enforcement's Ability to 'Overcome' Encryption | Threatpost | The first stop for security news
Who is Anna-Senpai, the Mirai Worm Author? — Krebs on Security
Widely used WebEx plugin for Chrome will execute attack code—patch now! | Ars Technica
1096 - Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution - project-zero - Monorail
Already on probation, Symantec issues more illegit HTTPS certificates | Ars Technica
Newly discovered Mac malware found in the wild also works well on Linux | Ars Technica
Secure Email Service Lavabit Relaunches | Threatpost | The first stop for security news
Tor Found a Way To Make the Dark Web Even More Secret | WIRED
Scammers Say They Got Uber to Pay Them With Fake Rides and Drivers | Motherboard
Virulent Android malware returns, gets >2
