Risky Business

Risky Business primary podcast.


Risky Biz Soap Box: Keep your vendors honest with attack simulation  

This month’s Soap Box podcast is brought to you by AttackIQ, a company that makes attack simulation software.

This is a wholly sponsored podcast that won’t bore you to tears.

There are countless CISOs who listen to this podcast who’ve shovelled an awful lot of money at their organisation’s security controls. Whether that’s endpoint/AV or fancy network kit that’s supposed to detect exfil, the sad truth is most organisations have no way to know if their expensive kit is actually doing what it’s supposed to.

Until, of course, they get breached. Then there is much wailing and gnashing of teeth.

So the idea behind attack simulation is pretty simple: you load a lightweight agent on to your corporate systems, and the agent then runs scriptable attack scenarios that simulate attacker behaviour.

These attack scripts might get some endpoints to start nmapping internal systems. They might start changing some registry keys or stimulate a bunch of disk activity that looks like an encryption/ransomware process. They might start sending off a bunch of dummy data via a DNS exfil technique. Did your endpoint solution catch the funny registry stuff? Did your network controls catch the simulated exfil?

Now imagine you have 1,000 pre-coded attack simulations with all sorts of different combinations and permutations of attacker behaviours. How many of them do you actually need to run through before you can spot the weak points in your defences?

Attack simulation is a great way to test and validate your security controls, and you can do it continuously.

AttackIQ’s cofounder and CEO Stephan Chenette joined me to talk about attack simulation and what it’s good for.

Risky Business #461 -- AWS security with Atlassian's Daniel Grzelak  

On this week’s show we chat with Atlassian’s head of security, Daniel Grzelak, all about some AWS security tools he’s come up with. He also previews a new tool for generating AWS access key honeytokens at scale, which is really neat.

This week’s show is brought to you by Veracode!

Veracode’s director of developer engagement, Peter Chestna, will be along in this week’s sponsor interview to have a yarn about some common misunderstandings between security people and developers. We look at misunderstandings both ways.

Adam Boileau is this week’s news guest. We talk about all the latest dark markets drama, plus the Great Nuclear Hax Freakout of 2017.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Show notes
Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say - The New York Times
FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators | Ars Technica
As World's Largest Dark Web Market Vanishes, Dodgy Links Promise a Way Back In - Motherboard
AlphaBay: Drug Site Remains Shut as Fears of Exit Scam Grow | Fortune.com
South Korean Cryptocurrency Exchange Bithumb to Compensate Users Following the Hacking
Dark Web Hosting Service Hacked, Some Data Was Stolen
Head of Mt Gox bitcoin exchange on trial for embezzlement and loss of millions | Technology | The Guardian
Owners of "VirusTotal-for-Crooks" Service Arrested
iPhone Bugs Are Too Valuable to Report to Apple - Motherboard
Kaspersky under scrutiny after Bloomberg story claims close links to FSB | Ars Technica
Russian Cybersecurity CEO Offers Source Code for U.S. Inspection | Fortune.com
Russians now need a passport to watch Pornhub – VICE News
International Investigatory Group Also Target of Government Spyware | Threatpost
Sabre Consumer Website - Home
Hackers stole credit card info from Trump hotel guests for months | TheHill
Let's Encrypt to Offer Wildcard Certificates in 2018 | Threatpost
Decryption Key to Original Petya Ransomware Released | Threatpost
Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak | Ars Technica
Hackers Linked to NotPetya Ransomware Decrypted a File for Us - Motherboard
Broadpwn Bug Affects Millions of Android and iOS Devices
OpenBSD Will Get Unique Kernels on Each Reboot. Do You Hear That Linux, Windows?
Microsoft Addresses NTLM Bugs That Facilitate Credential Relay Attacks | Threatpost
The Time I Got Recruited to Collude with the Russians - Lawfare
2016-07-08 Security Notice
GitHub - dagrz/aws_pwn: A collection of AWS penetration testing junk
Application Security | Veracode

Risky Business #460 -- Haroon Meer talks Kaspersky's drama, NotPetya, the cryptowars and more  

Adam Boileau has some out of town business to handle this week so he can’t join us in the news segment. But that’s ok, because industry legend Haroon Meer has very kindly agreed to fill in for him! We chat to Haroon shortly about all the latest NotPetya developments; we’ll also talk about the drama Kaspersky is experiencing right now, as well as dissecting the latest battle reports from the cryptowar. All the news is covered.

This week’s show is brought to you by ICEBRG!

ICEBRG’s co-founder, Will Peteroy, joins the show this week to chat a bit about what they’re up to. Will has an interesting background. He was the technical director of a government agency Red Team. That meant red team exercises against agencies, but he was also responsible for doing assessments on security products. He also put in a bunch of time at Microsoft where he was the endpoint for product security for Windows and Internet Explorer, which meant he was the recipient of oh-so-much-0day for around a year and a half. So yeah, Will knows what he’s doing, and he’s made a thing, and you’re going to hear about that thing after this week’s news.

See links to show notes below, and follow Patrick or Haroon on Twitter if that’s your thing!

Show notes
NATO: NotPetya Likely the Work of State Attackers | On the Wire
TeleBots are back: supply-chain attacks against Ukraine
Researchers Find BlackEnergy APT Links in ExPetr Code | Threatpost
More Security Firms Confirm NotPetya Shoddy Code Is Making Recovery Impossible
Ukrainian police seize software company's servers
New Petya Distribution Vectors Bubbling to Surface | Threatpost
Cyber attack: Ukrainian software company will face charges over security neglect, police suggest - ABC News (Australian Broadcasting Corporation)
Family firm in Ukraine says it was not responsible for cyber attack | Reuters
iTWire - Kaspersky Lab row: Russian minister warns of blowback
Documents could link Russian cybersecurity firm Kaspersky to FSB spy agency - Chicago Tribune
G20 summit: Malcolm Turnbull to urge Donald Trump to act against tech terrorists
The Medicare machine: patient details of 'any Australian' for sale on darknet | Australia news | The Guardian
The “keys to the cyber caliphate”: The daring U.S. raid to seize the ISIS personnel database - Salon.com
Man Pleads Guilty to Stealing Bitcoin From Other Dark Web Criminals
Hacker "Incursio" Gets Two Years in Prison for Hacking CIA, DHS, DOJ, and FBI
This Dark Web Site Creates Robocalls to Steal People’s Credit Card PINs - Motherboard
Bugcrowd-2017-State-of-Bug-Bounty-Report.pdf
Average Bug Bounty Payments Growing | Threatpost
HTTPS Certificate Revocation is broken, and it’s time for some new tools | Ars Technica
Twitter / ?
GitHub - SandboxEscaper/Edge-sandbox-escape
ICEBRG | Streaming Network Forensics™ for Real-Time Threat Response

Risky Biz Soap Box: Bugcrowd founder and CEO Casey Ellis on the future of crowdsourced security  

In this edition of the Risky Business Soap Box podcast we chat with the founder and CEO of Bugcrowd, Casey Ellis, about the establishment of the bug bounty market and how things have shaped up. We also look at where it’s going.

The days of bounty programs being operated solely by large technology firms are long gone. Casey predicted that shift years ago. The question becomes, where will bounty programs be in three years from now?

Well, Casey doesn’t shy away from making some bold predictions. He thinks most enterprises will have vulnerability reporting mechanisms within two years, and a substantial proportion of those will offer rewards to bug hunters via companies like Bugcrowd.

He also sees bounty programs increasingly serving the specialist market.

You can find Casey on Twitter here.

Risky Business #459 -- Actually yes, "cyber war" is real for Ukraine  

This week we’ll be chatting with Andy Greenberg from Wired about his cover story for that magazine. He travelled to Ukraine back in March to research his story on Russian attacks against the Ukrainian power network. He joins us this week to share the insights he gleaned during his travels.

This week’s show is brought to you by SensePost.

SensePost are based in South Africa and England, but they are very well known for offering training courses at Black Hat. This year will be the 17th year they’ve run training courses there. As you’d expect, their brand new DevOps security course has gone absolutely gangbusters in terms of registrations this year, but they’re also offering a bunch of other courses. They’ll be joining us to chat about trends in training in this week’s sponsor interview.

Adam Boileau, as always, drops by for the week’s news segment. You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Show notes
Complex Petya-Like Ransomware Outbreak Worse than WannaCry | Threatpost
A new ransomware outbreak similar to WCry is shutting down computers worldwide | Ars Technica
Pnyetya: Yet Another Ransomware Outbreak – the grugq – Medium
Hacker Behind Massive Ransomware Outbreak Can't Get Emails from Victims Who Paid - Motherboard
Is This Ukrainian Company The Source Of The 'NotPetya' Ransomware Explosion?
Petya Ransomware Attack – What’s Known | MalwareTech
Maersk says global IT breakdown caused by cyber attack | Reuters
Honda shuts down factory after finding NSA-derived Wcry in its networks | Ars Technica
Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware | Ars Technica
Obama reportedly ordered implants to be deployed in key Russian networks | Ars Technica
Russia struck at election systems and data of 39 US states | Ars Technica
Republican Data Broker Exposes 198M Voter Records | Threatpost
Al Jazeera Says It’s Under a Massive 'Cyber Attack' - Motherboard
Mexican Journalists, Lawyers Focus of Government Spyware | Threatpost
Russia's Cyberwar on Ukraine Is a Blueprint For What's to Come | WIRED
Australia advocates weakening strong crypto at upcoming “Five Eyes” meeting | Ars Technica
U.S. Cyberweapons, Used Against Iran and North Korea, Are a Disappointment Against ISIS - The New York Times
AES-256 keys sniffed in seconds using €200 of kit a few inches away • The Register
How the CIA infects air-gapped networks | Ars Technica
Check Point says Fireball malware hit 250 million; Microsoft says no | Ars Technica
Conviction for LA Times Hacking Helper Upheld
British Hacker Pleads Guilty to Hacking US Military Satellite Phone And Messaging System - Motherboard
Some beers, anger at former employer, and root access add up to a year in prison | Ars Technica
Microsoft bringing EMET back as a built-in part of Windows 10 | Ars Technica
Ohio Gov. Kasich’s website, dozens of others defaced using year-old exploit | Ars Technica
China’s All-Seeing Surveillance State Is Reading Its Citizens’ Faces - WSJ
SensePost | Events | Blackhat USA - July 2017

Risky Business #458 -- Reality Winner, Qatar hax and Internet regulation calls  

On this week’s show we’re covering off all the big news of the week: the arrest of Reality Winner, the apparent hacks that have ratcheted up the political crisis in Qatar and the renewed calls for Internet companies to be more government-friendly.

In this week’s feature interview we catch up with Samy Kamkar to get his take on what the lowering cost of hardware-based hacking could mean for our increasingly automated world. And in this week’s sponsor interview we chat with Duo Security’s Pepijn Bruienne about some recent attacks against the Mac OS software supply chain.

Big thanks to Duo Security for sponsoring this week’s show. Duo makes all manner of kick-ass two factor authentication solutions, you can check them out at Duo.com.

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Patrick is taking a vacation. Risky Business will return on June 28

Show notes
Errata Security: How The Intercept Outed Reality Winner
Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election
Reality Winner: NSA contractor and environmentalist repulsed by Trump | US news | The Guardian
Putin: “Patriotic” Russian hackers may have interfered in US election | Ars Technica
A TV Hack Appears to Have Sparked the Middle East's Diplomatic Crisis - Motherboard
CNN Exclusive: US suspects Russian hackers planted fake news behind Qatar crisis - CNNPolitics.com
Theresa May says the internet must now be regulated following London Bridge terror attack | The Independent
Social media platforms need to crack down on terror, Malcolm Turnbull says
AM - 'Society expects' government-industry cooperation to fight online extremism: cyber security adviser 07/06/2017
Google Translate
Silk Road Creator Ross Ulbricht Loses Life Sentence Appeal | WIRED
Alleged Dark Web Gun Runners Smuggled Weapons in DVD Players, Karaoke Machines - Motherboard
The Rising Price of Bitcoin and Ethereum Is Leading to More Hacking Attempts - Motherboard
Hackers Are Crowdfunding Cryptocurrency to Buy Alleged NSA Exploits - Motherboard
You’ll never guess where Russian spies are hiding their control servers | Ars Technica
WikiLeaks says CIA’s “Pandemic” turns servers into infectious Patient Zero | Ars Technica
OneLogin suffers breach—customer data said to be exposed, decrypted | Ars Technica
Defense contractor stored intelligence data in Amazon cloud unprotected [Updated] | Ars Technica
EternalBlue Exploit Spreading Gh0st RAT, Nitol | Threatpost
NSA's EternalBlue Exploit Ported to Windows 10 | Threatpost
Dangerous 'Fireball' Adware Infects a Quarter Billion PCs | WIRED
IBM Backup Bug Gets Workaround After Nine Months of Exposure | Threatpost
40,000 Subdomains Tied to RIG Exploit Kit Shut Down | Threatpost
53 Percent of Enterprise Flash Installs are Outdated | Threatpost
Duo Collaborates With Google to Provide Verified Access for Chrome OS | Duo Security

Risky Business #457 -- Shadow Brokers turn to ZCash, plus special guest John Safran  

On this week’s show we’re taking a detour: This week’s feature interview has absolutely nothing to do with infosec. But it is related to the Internet. Sort of. If you squint a little.

This week’s feature guest is John Safran. He’s been gracing television screens here in Australia for nearly 20 years, but John is also a rather brilliant author. I’ve just finished reading John’s new book, Depends what you mean by Extremist, Going Rogue with Australian Deplorables. Honestly, it’s fascinating enough for me to just squeeze it into this show.

Basically John wrote a book about the year and a half he spent hanging out with all sorts of extremists: left-wing Marxists, anarchists, right-wing anti-Islam types and even Islamic State supporters, some of whom are now up on terror-related charges.

I speak to John about the Internet’s influence on extremism, as well as extremism in general. I highly, highly recommend this book. It’s a fascinating look at the contemporary political landscape through the eyes of extremist movements of all flavours, and it’s not a tough read. It’s actually quite funny and it’s really the most on-point thing I’ve read in a long, long time.

This week’s show is brought to you by Bugcrowd, big thanks to them! And in this week’s sponsor interview we’ll chat with Casey Ellis, Bugcrowd’s founder and CEO. Now that outsourced bug bounties have gone mainstream, we know more about what they’re for and how people find them useful. So we speak to Casey about how a lot of orgs are basically just throwing the lower value testing out to bounties to free up their infosec teams to do higher value work. We talk about that and a couple of other points.

Adam Boileau, as always, drops in to discuss the week’s security news!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Show notes
New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats | Ars Technica
Florida Republican Who Teamed Up With Guccifer 2.0 Says Secretly Working With Russia Is NBD
E-mails phished from Russian critic were “tainted” before being leaked | Ars Technica
Russian Hackers Are Using Google's Own Infrastructure to Hack Gmail Users - Motherboard
WannaCry Ransom Note Written by Chinese, English Speaking Authors | Threatpost
Trump has an iPhone with one app: Twitter | Ars Technica
Rash Of Phishing Attacks Use HTTPS To Con Victims | Threatpost
Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw | Threatpost
1Password's Clever New Way to Protect Your Data at the Border Could Also Add Risk | WIRED
A wormable code-execution bug has lurked in Samba for 7 years. Patch now! | Ars Technica
Awfully Polite Hackers Allegedly Hijacked This Mall Billboard - Motherboard
DOJ, FBI Executives Approved Running a Child Porn Site - Motherboard
US Law Enforcement Have Spent Hundreds of Thousands on Bitcoin Tracking Tools - Motherboard
Canadian Teen Allegedly Behind Notorious Dark Web Hacking Forum - Motherboard
Scammers Are Peddling Useless Anti-WannaCry Apps - Motherboard
Depends What You Mean by Extremist eBook by John Safran - 9781760142421 | Kobo
John Safran vs God - Episode 1 - YouTube

Risky Business #456 -- Your MSP *will* get you owned  

On this week’s show Adam pops in to discuss the week’s news. (Links below) After the news segment Adam and Patrick both chat about topics near and dear to their hearts: Shoddy infosec marketing and shoddy MSP security.

This week’s show is brought to you by WordFence, a company that makes a WordPress security plugin. It’s not so much an enterprise security tool, but it turns out that when you run two million WordPress plugins you wind up collecting some pretty valuable threat intel and IOCs. WordFence’s Mark Maunder joins the show this week to talk about WordPress security and malware distribution!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Show notes
More people infected by recent WCry worm can unlock PCs without paying ransom | Ars Technica
There’s new evidence tying WCry ransomware worm to prolific hacking group | Ars Technica
Windows 7, not XP, was the reason last week’s WCry worm spread so widely | Ars Technica
EternalRocks Worm Spreads Seven NSA SMB Exploits | Threatpost
PATCH Act Calls for VEP Review Board | Threatpost
US politicians think companies should be allowed to 'hack back' after WannaCry
Sweden Drops Julian Assange's Rape Charge, But the WikiLeaks Founder Won't Go Free | WIRED
Examining the FCC claim that DDoS attacks hit net neutrality comment system | Ars Technica
Google Elevates Security in Android O | Threatpost
Android Gets Security Makeover With Google Play Protect | Threatpost
Any Half-Decent Hacker Could Break Into Mar-a-Lago, We Tested It | Gizmodo Australia
Senate's Use of Signal A Good First Step, Experts Say | Threatpost
Should SaaS Companies Publish Customers Lists? — Krebs on Security
Private Eye Allegedly Used Leaky Goverment Tool in Bid to Find Tax Data on Trump — Krebs on Security
Yahoo Retires ImageMagick After Bugs Leak Server Memory | Threatpost
Twitter Bug Allowed Hackers To Tweet From Any Account - Motherboard
Breaking the iris scanner locking Samsung’s Galaxy S8 is laughably easy | Ars Technica
Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution | Threatpost
Apple Patches Pwn2Own Vulnerabilities in Safari, macOS, iOS | Threatpost
BostonGlobe.com disables articles when your browser’s in private mode | Ars Technica
Gravityscan - Free Website Malware and Vulnerability Scanner
WordPress Security Plugin | Wordfence

Risky Business #455 -- What a mess  

On this week’s show, of course, we are taking a deep dive on WannaCry. Most of the coverage of this debacle has actually been pretty bad, and there’s been nothing that I’ve seen that even approaches being comprehensive, so we’re going to try to fix that in this edition of the show.

This week’s show is sponsored by Cylance, which, it must be said, didn’t “ambulance chase” this interview; they booked this sponsor slot in January this year.

Cylance CEO Stuart McClure joins the show this week to talk about ambulance chasing, why it is that we still don’t have a decent technical analysis of WannaCry and he generally gives us an industry view on this thing.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
WCry ransomware worm’s Bitcoin take tops $70k as its spread continues | Ars Technica
Virulent WCry ransomware worm may have North Korea’s fingerprints on it | Ars Technica
Two days after WCry worm, Microsoft decries exploit stockpiling by governments | Ars Technica
WCry is so mean Microsoft issues patch for 3 unsupported Windows versions | Ars Technica
WannaCry Variants Pick Up Where Original Left Off | Threatpost
Microsoft Releases XP Patch for WannaCry Ransomware | Threatpost
New Jaff Ransomware Part Of Active Necurs Spam Blitz | Threatpost
NSA officials worried about the day its potent hacking tool would get loose. Then it did. - The Washington Post
The WannaCry Ransomware Hackers Made Some Major Mistakes | WIRED
What you need to know about the WannaCry Ransomware | Symantec Connect Community
OH LORDY! Comey Wanna Cry Edition — Steemit
Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry | Ars Technica
Trump confirms he shared intel with Russia’s foreign minister | Ars Technica
Trump Signs Cybersecurity Executive Order | Threatpost
WikiLeaks Reveals Two CIA Malware Frameworks | Threatpost
HP laptops covertly log user keystrokes, researchers warn | Ars Technica
Apple Patches Pwn2Own Vulnerabilities in Safari, macOS, iOS | Threatpost
Dutch Cops Bust Another PGP BlackBerry Company for Alleged Money Laundering - Motherboard
Protect Against WannaCry: Microsoft Issues Patch for Unsupported Windows (XP, Vista, 8,...)
Chelsea Manning Release: What to Know About Whistleblower | Time.com

Risky Business #454 -- Intel AMT latest, TavisO's horror-show Windows bug, Macron leaks and more!  

We’ve got a real bread-and-butter show for you this week. Adam is along in this week’s news segment to talk about the latest on the Intel AMT bugs, Tavis Ormandy’s horror-show Windows Defender bug, the Macron email dump and more.

In this week’s feature interview we speak with Adobe security engineer and OAuth 2 in Action co-author Antonio Sanso about what companies like Google might be able to do to make their OAuth implementations a little safer for users… Which, you know, might be something worth considering given an OAuth-based phishing attack was able to compromise something like a million Google accounts the other week.

This week’s show is brought to you by Thinkst Canary! Canary is of course the wonderful little hardware honeypot device Thinkst makes that you can plug into your network that’ll let you know when you have attackers on your LAN. Thinkst’s head of development, Marco Slaviero, joins the show this week to talk about the CIA’s leaked watermarking solution Scribbles, as well as to talk a little about Thinkst’s so-called “bird guide”. It’s a document (linked below) with a bunch of advice for those of you considering using honeypots.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
The hijacking flaw that lurked in Intel chips is worse than anyone thought | Ars Technica
mjg59 | Intel AMT on wireless networks
Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable | Ars Technica
Emergency Update Patches Zero Day in Microsoft Malware Protection Engine | Threatpost
Microsoft’s recent success in blocking in-the-wild attacks is eerily good | Ars Technica
Veritas - Security Response Advisories
Hacked Macron Emails Leak Online Ahead of French Presidential Runoff Election | WIRED
The NSA Confirms It: Russia Hacked French Election ‘Infrastructure’ | WIRED
Patrick Gray on Twitter: "I'm not convinced this is true. At all. Will discuss on this week's show! https://t.co/cvyRahSaxr"
Press releases - National Commission for the Control of the Campaign for the Presidential Election
Here's How Easy It Is to Get Trump Officials to Click on a Fake Link in Email
F.B.I. Director James Comey Is Fired by Trump - The New York Times
Google's OSS-Fuzz Finds 1,000 Open Source Bugs | Threatpost
Ultrasonic Beacons Are Tracking Your Every Movement | Threatpost
Dark Web Suspects Busted After Visiting Image Sharing Site Outside of Tor - Motherboard
Cisco kills leaked CIA 0-day that let attackers commandeer 318 switch models | Ars Technica
grugq is creating analysis on applied security, cyber, operational, and otherwise. | Patreon
Canarytokens
Thinkst Canary Bird Guide:

Risky Biz Soap Box: A microvirtualisation primer with Bromium co-founder Ian Pratt  

This Soap Box edition is all about desktop microvirtualisation! Bromium has been around for about six years now, and they make an endpoint security package that is really, really different to other solutions in the market. The whole thing hinges on what they call Microvisors, which amount to hardware-enabled isolation on your desktop.

Bromium’s software is basically a way to virtualise user tasks, whether that’s working on a Word document or browsing an exploit-riddled lyrics website with Java and Flash enabled. The idea is that if an exploit gets dropped on you, it gets trapped in a micro-VM.

Personally, I’m a big fan of Bromium’s stuff. One of the things that kind of hindered the adoption of this tech in its early days is that it relies on CPU features that were basically new six years ago, so not everyone could run it. There was also a bit of a UX hit. But there’s good news! Hardware refresh cycles have taken their course, and now running Bromium’s software is viable in almost all enterprises.

Where this goes from being interesting to downright compelling is if you’re an enterprise forced to run vulnerable software. I’m thinking specifically of old browsers running things like Java. In many organisations, running out-of-date crapware is a business requirement.

Well, running Bromium on those endpoints will basically solve that problem. Sure, nothing is magic, but by the time you’ve finished listening to this conversation with Bromium co-founder and President Ian Pratt, I think you’ll definitely want to take a look at the tech. You should take a look at the tech, because it’s borderline impossible to solve that problem any other way.

I hope you enjoy it!

Risky Business #453 -- The Intel bugs: How freaked out should you be?  

On this week’s show we’re looking at an issue that kicked up last week when creepware scumbags Flexispy announced they were moving their bug bounty program to HackerOne. VICE journalist Joseph Cox asked HackerOne CEO Marten Mickos if he’d be happy to host their program, and his answer is as follows:

“Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society.”

A lot of people, myself included, didn’t react so well to that line of thinking. HackerOne CTO Alex Rice suggested he come on the show to talk about the company’s stance. As you’ll hear, Alex is pushing a much softer line than his CEO, but still says this is complicated. Stay tuned for that, at times, excruciating interview.

This week’s sponsor interview is with Signal Sciences CSO and co-founder Zane Lackey. Zane was the head of security at Etsy, but he moved on to found Signal Sciences, a company that is making webapp security software that by all reports is pretty damn good.

He joins us in the sponsor slot this week to talk about Devops, WAFs and a whole bunch of other fun stuff.

Adam Boileau, as usual, drops by to discuss the week’s news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
Intel Patches Nine-Year-Old Critical CPU Vulnerability | Threatpost
Intel patches remote hijacking vulnerability that lurked in chips for 7 years | Ars Technica
Hacker leaks Orange is the New Black new season after ransom demands ignored | Ars Technica
Meet the Hackers Holding Netflix to Ransom - Motherboard
All your Googles are belong to us: Look out for the Google Docs phishing worm | Ars Technica
Facebook enters war against “information operations,” acknowledges election hijinx | Ars Technica
Russian-controlled telecom hijacks financial services’ Internet traffic | Ars Technica
Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol | Ars Technica
WikiLeaks Reveals CIA Tool 'Scribbles' For Document Tracking | Threatpost
Blind Trust in Email Could Cost You Your Home — Krebs on Security
Google and Facebook scammed out of $100M in elaborate phishing attack
New COOP Attack Method Highlights Weaknesses In Microsoft's CFG Defenses | Threatpost
Watch Hackers Sabotage an Industrial Robot Arm | WIRED
Proposed NIST Password Guidelines Soften Length, Complexity Focus | Threatpost
geer.tinho.net/geer.source.27iv17.txt
A vigilante is putting a huge amount of work into infecting IoT devices | Ars Technica
An Obscure App Flaw Creates Backdoors In Millions of Smartphones | WIRED
Apple Revokes Certificate Used By OSX/Dok Malware | Threatpost
IBM: Destroy USBs Infected with Malware Dropper | Threatpost
Google Patches Six Critical Mediaserver Bugs in Android | Threatpost
Picture this: Senate staffers’ ID cards have photo of smart chip, no security | Ars Technica
nomx: The world's most secure communications protocol
Wanna Know If Someone Planted Spyware on Your Computer? - Motherboard
Winston Smith on Twitter: "@x0rz @cryptoishard Sorry that was me lol"
FlexiSPY on Twitter: "In the interest of transparency, we're moving the bounty program to @Hacker0x01 ..."
Modern Application Security from Signal Sciences

Risky Business #452 -- Are Wikileaks charges a threat to press freedom?  

Risky Business #452 – Are Wikileaks charges a threat to press freedom? Brookings fellow and former NSA attorney Susan Hennessey joins the show…

Over the last week or so there’s been mounting speculation that the US government is getting serious about preparing charges against Wikileaks founder Julian Assange. The question is, could these charges threaten press freedom?

Joining us to discuss that this week is Lawfare’s managing editor Susan Hennessey.

This week’s show is brought to you by Senetas. Senetas makes layer two encryption equipment, but today they’re joining us to talk about some work they’re doing with ADVA Optical Networking, marrying their tech with some SDN work done at the telco level.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
- >10,000 Windows computers may be infected by advanced NSA backdoor | Ars Technica
- NSA backdoor detected on >55,000 Windows boxes can now be remotely removed | Ars Technica
- Windows bug used to spread Stuxnet remains world’s most exploited | Ars Technica
- Tanium CEO admits using real hospital data in sales demos [Updated] | Ars Technica
- AV provider Webroot melts down as update nukes hundreds of legit files | Ars Technica
- BrickerBot, the permanent denial-of-service botnet, is back with a vengeance | Ars Technica
- The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence — Krebs on Security
- UK Man Gets Two Years in Jail for Running ‘Titanium Stresser’ Attack-for-Hire Service — Krebs on Security
- Tracing Spam: Diet Pills from Beltway Bandits — Krebs on Security
- Researchers claim China trying to hack South Korea missile defense efforts | Ars Technica
- Russian Hackers ‘Fancy Bear’ Targeted French Presidential Candidate Macron - Motherboard
- Man sues Confide: I wouldn’t have spent $7/month if I’d known it was flawed | Ars Technica
- Radio Attack Lets Hackers Steal Cars With Just $20 Worth of Gear | WIRED
- Chrome, Firefox, and Opera users beware: This isn’t the apple.com you want | Ars Technica
- https://pastebin.com/raw/Y1yf8kq0
- A Week Later, Hacked Spyware Vendors Haven't Warned Their 130,000 Customers - Motherboard
- Stalkerware Company FlexiSpy Calls Catastrophic Hack ‘Just Some False News' - Motherboard
- Here's an IRS Contract With a Dark Web Intel Firm - Motherboard
- A London Police Officer Bought Malware That Can Intercept Calls, Steal Emails, And More - Motherboard
- 'I'm Going to Burn Them to the Ground': Hackers Explain Why They Hit the Stalkerware Market - Motherboard
- Zimperium Publishes Exploits for Patched Android Bugs | Threatpost
- No Fix for SquirrelMail Remote Code Execution Vulnerability | Threatpost
- ColdFusion Hotfix Resolves XSS, Java Deserialization Bugs | Threatpost
- The US Charging Julian Assange Could Put Press Freedom on Trial | WIRED
- ADVA Optical Networking Adds New Members to Its Ensemble Harmony Ecosystem
REPOSTED (SEE NOTE): Risky Biz Snake Oilers: Roll up roll up! We've got a fix for what ails ya!  

NOTE: We had to re-post this. Originally we linked to the wrong mp3 (soapbox1 instead of snakeoilers1). It was rectified within about five minutes, but caches gonna cache, so we’ve reposted it. Sorry if you downloaded it twice!

This is the first ever Snake Oilers podcast from Risky.biz. It’s a wholly sponsored podcast in which vendors pop in and take 10 minutes each to pitch the audience on their stuff. The idea behind this whole thing is that infosec buyers can actually hear a bunch of ten minute pitches without having to go to lunch with a salesperson with giant shiny teeth who doesn’t really understand what they’re selling.

These are product pitches from people who actually get the technology. And you know what? Even if you’re not a technology buyer, you’ll probably still find a lot of this interesting – it’s good to know how vendors are slicing and dicing some of the challenges we all face in security.

In this edition:

- Exabeam says it can save you buttloads of cash compared to other SIEM solutions like Splunk or ArcSight.
- Senetas urges you not to use babby’s first encryptor cards and opt for its 100gbps full line rate layer 2 encryptor instead.
- Kolide pitches its osquery-based EDR solution. If it’s good enough for Facebook, it’s good enough for you!
- Senrio pitches its impressive IoT network sensor and developer tools.

Links below!

Show notes
- Security Intelligence | SIEM & UEBA | Exabeam
- CN9000 Ultra-Fast 100Gbps Ethernet Encryptor | Senetas
- Kolide - Black Box Security. Unboxed.
- Senrio
- Sponsorship - Risky Business
Risky Business #451 -- Shadowbrokers nothingburger edition  

On this week’s show we talk about the latest Shadowbrokers shenanigans with Adam, as well as all the other major security news of the last couple of weeks.

After that we’ll be chatting with Adam’s colleague at Insomnia Security, Pipes, about the interesting aspects of the dump – what did it teach us about how NSA rolls? Well, quite a lot, as it turns out. And yeah, the 0day bugs aren’t the interesting bit.

This week’s show is sponsored by Tenable Network Security. This week Tenable’s VP of federal, Darron Makrokanis, will be along to talk about how to speed up federal government adoption of new tech – what’s the best way for that to happen? That’s this week’s sponsor interview!

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
- NSA-leaking Shadow Brokers just dumped its most damaging release yet | Ars Technica
- In slap at Trump, Shadow Brokers release NSA EquationGroup files | Ars Technica
- Shadow Brokers Leak Shows NSA Hacked Middle East Banking System and Had Major Windows Exploits | WIRED
- Alleged NSA Victim Denies Hackers Ever Broke In - Motherboard
- Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers | Ars Technica
- We Can Calm Down: Microsoft Already Patched Most of the Shadow Brokers Exploits - Motherboard
- The New Shadow Brokers Leak Connects the NSA to the Stuxnet Cyber Weapon Used on Iran - Motherboard
- Newly Leaked Hacking Tools Were Worth $2 Million on the Gray Market - Motherboard
- WikiLeaks just dropped the CIA’s secret how-to for infecting Windows | Ars Technica
- Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA | Ars Technica
- Researchers find China tried infiltrating companies lobbying Trump on trade | Ars Technica
- Brexit: foreign states may have interfered in vote, report says | Politics | The Guardian
- North Korea: Can the US take out its missiles before launch? - CNN.com
- Feds deliver fatal blow to botnet that menaced world for 7 years | Ars Technica
- Rash of in-the-wild attacks permanently destroys poorly secured IoT devices | Ars Technica
- New processors are now blocked from receiving updates on old Windows | Ars Technica
- Microsoft Word 0-day was actively exploited by strange bedfellows | Ars Technica
- Why Did Microsoft Wait Six Months To Patch a Critical Word Zero-Day? - Motherboard
- Microsoft Word 0-day used to push dangerous Dridex malware on millions | Ars Technica
- Critical Word 0-day is only 1 of 3 Microsoft bugs under attack | Ars Technica
- Office Zero Day Delivering FINSPY Spyware to Victims in Russia | Threatpost
- Microsoft Patches Word Zero-Day Spreading Dridex Malware | Threatpost
- Breaking Signal: A Six-Month Journey | Threatpost
- F8 2017: Facebook's Delegated Recovery Will Make It Easier to Get Back Into Locked Accounts | WIRED
- Charlie Miller on Why Self-Driving Cars Are So Hard to Secure From Hackers | WIRED
- Meet PINLogger, the drive-by exploit that steals smartphone PINs | Ars Technica
- Fake News at Work in Spam Kingpin’s Arrest? — Krebs on Security
Risky Business #450 -- From Mirai to mushroom clouds in five easy steps  

This week’s show is a fun one! We’ll be chatting with Josh Corman, the Atlantic Council’s Director of Cyber Statecraft. We’ll be speaking with him about an exercise he did recently with a whole bunch of students. Basically the whole thing was a simulation where students walked through various scenarios and had to respond. Unfortunately, Josh discovered that most students had a predisposition to escalating things unnecessarily. From Mirai to mushroom clouds, that’s this week’s feature interview.

This week’s sponsor interview is also an absolute corker. Rapid7 is this week’s sponsor. In addition to making enterprise security software and running a pentest practice, Rapid7 also spends a considerable amount of time and money on developing Metasploit.

Rapid7 research director Tod Beardsley and director of transportation security Craig Smith join the show this week to talk about some recent changes to Metasploit that I’m amazed haven’t made a bigger splash. You can now run Metasploit against a CAN bus and they’ve built an RF module as well. That is absolutely awesome stuff, coming up in this week’s sponsor interview, with special thanks to Rapid7!

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
- Wikileaks releases code that could unmask CIA hacking operations | Ars Technica
- Smart TV hack embeds attack code into broadcast signal—no access required | Ars Technica
- Project Zero: Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
- Here's How Not to Get Doxed Like FBI Director James Comey - Motherboard
- Reinhold Niebuhr on Twitter: "https://t.co/L5ehuMFGat https://t.co/x53gCG7Nvc"
- Verizon Rebuts Critics of Data-Collecting App | Threatpost
- An Update on Verizon's AppFlash: Pre-Installed Spyware Is Still Spyware | Electronic Frontier Foundation
- New Mirai Variant Roars into Action With 54 Hour DDoS Attacks | Threatpost
- Publicly Attacked Microsoft IIS Zero Day Unlikely to be Patched | Threatpost
- Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group | Threatpost
- Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear | WIRED
- Russian Hackers Have Used the Same Backdoor for Two Decades | WIRED
- Operation Cloud Hopper
- Pegasus for Android: the other side of the story emerges | Lookout Blog
- Someone is putting lots of work into hacking Github developers | Ars Technica
- FBI Arrests Hacker Who Hacked No One - The Daily Beast
- Hackers Hit Islamic State Site, Use It to Spread Malware - Motherboard
- UK Cops Arrest Man Potentially Linked to Apple Extortion - Motherboard
- Patrick Gray on Twitter: "Heh. I think you could call this "high confidence". https://t.co/zDCbiPmJXV"
- An Unprecedented Heist Hijacked a Brazilian Bank’s Entire Online Operation | WIRED
- Samsung's Android Replacement Is a Hacker's Dream - Motherboard
- Patrick Gray on Twitter: "This is interesting. Apparently RU bots hammer Trump's account with conspiracy-related material when they know he's likely to be using it. https://t.co/f38WB9uIsS"
- McAfee is once again an independent company - CSO
- Fake SEO Plugin Used In WordPress Malware Attacks | Threatpost
- Hackers Can Easily Hijack This Dildo Camera and Livestream the Inside of Your Vagina (Or Butt) - Motherboard
- Rebuttal to Pen Test Partners
- Exiting the Matrix: Introducing Metasploit's Ha...
Risky Biz Soap Box: Senrio tackles IoT problem for CISOs, developers  

Soap Box is back! This time we’re chatting with Stephen Ridley and Jamison Utter about the tech Stephen has launched: Senrio Insight and Senrio Trace!

This is a fully sponsored blabfest about IoT security. Specifically, we drill into two different problems Senrio is trying to solve. The first is how the hell you deal with monitoring IoT on your network, especially when you can’t do DPI because of HIPAA. If you’re a CISO from a hospital, you will be very interested in this part of the podcast.

Then we talk about IoT security approaches for developers. Not only has Senrio developed a boring old network sensor to remedy the dumb but profitable-to-solve problem, they’ve also created a developer toolkit for manufacturers of IoT devices who need to be able to monitor them in the field.

Stephen Ridley is a bona fide expert on IoT. So much so, he used to actually train NSA staff on hacking IoT devices. Personally I think when you’re training NSA on how to own stuff, that makes you a genuine expert.

Jamison Utter, Senrio’s VP of Field Operations, also joins us for this podcast. I hope you enjoy it!

To book a demo with Senrio, click here.

Risky Business #449 -- Machine Learning: Woot or woo?  

On this week’s show I’ll be playing part two of my interview with In-Q-Tel’s chief security officer Dan Geer. That’s all about machine learning in infosec. Is it actually going to turn into something? Or is it just another infosec thought bubble?

This week’s sponsor interview is with Dan Guido of Trail of Bits.

Trail of Bits is a New York-based security engineering and testing company that does very interesting work. They don’t just break apps, they actually work on securing them. With that in mind, Dan’s team has been looking at adding control flow integrity protections to various software projects. So we speak to him about the LLVM approach versus Microsoft’s Control Flow Guard, and which of those is achievable. We also speak to him about McSema, a tool they developed for lifting binaries into an intermediate representation.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
- Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] | Ars Technica
- Here’s the Data Republicans Just Allowed ISPs to Sell Without Your Consent - Motherboard
- Did China Just Help North Korea Steal $81M From The Fed?
- New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs | Ars Technica
- WikiLeaks Dark Matter Release Shows CIA Interdiction of iPhone Supply Chain | Threatpost
- Think Tank: Cyber Firm at Center of Russian Hacking Charges Misread Data
- Cyber Firm Rewrites Part of Disputed Russian Hacking Report
- Michael Koziarski on Twitter: "FedEx’s web tech is so old they’re offering you $5 to enable flash… https://t.co/HRAj1Qgrjq cc @riskybusiness"
- eBay Asks Users to Downgrade Security — Krebs on Security
- Doxed by Microsoft’s Docs.com: Users unwittingly shared sensitive docs publicly | Ars Technica
- Android Security Is Better But Still Has a Long Way to Go | WIRED
- Shielding MAC addresses from stalkers is hard and Android fails miserably at it | Ars Technica
- Ransomware scammers exploited Safari bug to extort porn-viewing iOS users | Ars Technica
- Potent LastPass exploit underscores the dark side of password managers | Ars Technica
- APT29 Used Domain Fronting, Tor to Execute Backdoor | Threatpost
- Experts Doubt Hacker’s Claim Of Millions Of Breached Apple Credentials | Threatpost
- Whoops: The DOJ May Have Confirmed Some of the Wikileaks CIA Dump - Motherboard
- Apple Just Banned the App That Tracks US Drone Strikes, Again - Motherboard
- A Hackable Dishwasher Is Connecting Hospitals to the Internet of Shit - Motherboard
- McSema: I’m liftin’ it | Trail of Bits Blog
- The Challenges of Deploying Security Mitigations | Trail of Bits Blog
Risky Business #448 -- Dan Geer on cloud providers: Too big to fail?  

We’ve got a great show for you this week. In-Q-Tel CSO Dan Geer will be along for a very interesting conversation about the major cloud providers. Are they too big to fail the same way some banks are? Does the efficiency of highly concentrated ownership of a large chunk of the world’s Internet service capacity make it less resilient? We talk about that and more in this week’s feature interview.

This week’s sponsor interview is also an absolute cracker. We’re speaking with Mike Hanley of Duo Security. Mike is the senior director of security at Duo, and he’s along this week to talk about Google’s BeyondCorp initiative.

BeyondCorp is Google’s vision for the next generation of enterprise environments and it has a lot to do with deperimeterisation. Mike is along this week to talk about that concept and how solid authentication is basically the first step in moving towards that vision. It’s really, really solid stuff, so do stick around for that one.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
- Comey Confirms a Trump-Russia FBI Investigation Began Last July | WIRED
- Laptop ban: UK, US ban electronics in carry-on luggage from Middle East airports amid terrorist bomb fears - ABC News (Australian Broadcasting Corporation)
- Patrick Gray on Twitter: "I've seen a couple of people float this theory and FWIW I think it's bullshit. https://t.co/8PeV3IxdVJ"
- WikiLeaks Won’t Tell Tech Companies How to Patch CIA Zero-Days Until Its Demands Are Met - Motherboard
- Patrick Gray on Twitter: "Staff holding clearances didn't stop Microsoft fixing Stuxnet 0days or the Flame md5 collision. More grandstanding bullshit from Assange.
Risky Business #447 -- Struts bug owns everyone, RAND 0day report and more  

On this week’s show Patrick and Adam have a look at the surprisingly great report about 0day prepared by RAND Corporation, as well as the other security news of the week. How ‘bout dat Struts bug, eh?

Dr. Vanessa Teague of the University of Melbourne also joins the show to talk about the latest developments around computerised voting. Vanessa is an expert on e-voting and she’s been in the space for a long time – she’ll be joining us this week to talk about how European authorities have been responding to the risks posed to their elections by outside parties, and we take a look at some voting security ideas for America.

This week’s show is brought to you by Netsparker. Netsparker is a black-box web application testing tool that aims to speed up webapp tests through automation. Netsparker’s creator Ferruh Mavituna is this week’s sponsor guest. He’s joining us to basically talk about what you can actually automate in webapp testing, but also about what you can’t automate. That’s a really interesting chat, one that the pentesters will love I’m sure.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes
- Critical vulnerability under “massive” attack imperils high-impact sites [Updated] | Ars Technica
- In-the-wild exploits ramp up against high-impact sites using Apache Struts | Ars Technica
- Zero Day Exploits Rarely Discovered By More Than One Group, Study Finds - Motherboard
- Wikileaks' Cache of Alleged CIA Files Includes Unredacted Names - Motherboard
- WikiLeaks: We’ll Work With Software Makers on Zero-Days — Krebs on Security
- Apple Says Many of the CIA's Alleged iPhone Hacks Have Already Been Patched - Motherboard
- After NSA hacking exposé, CIA staffers asked where Equation Group went wrong | Ars Technica
- FBI Director Tells Companies Not to 'Hack Back' Against Hackers - Motherboard
- Dutch Cops Say They've Decrypted PGP Messages On Seized Server - Motherboard
- Dear Confide: “We would never” isn’t the same as “we can’t” | Ars Technica