Risky Business

By Patrick Gray


Category: Tech News


 Oct 10, 2018


Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

Snake Oilers 8 part 2: Forticode's Cipherise, device features from Exabeam and SentinelOne on "active EDR"

Snake Oilers is the podcast where we get a bunch of vendors together to pitch their stuff – they all pay to participate, just so you know – and today we’re going to hear three pitches from tech companies: one from Forticode, one from Exabeam and one from SentinelOne.

That’s right, we talk to vendors to get their best pitches so you don’t have to!

Forticode joins us to pitch its Cipherise platform – applied PKI wrapped into a slick mobile platform that helps large organisations authenticate their users, and helps their users authenticate them.

Exabeam will be talking about how they’re doing more device analytics in their SIEM platform and SentinelOne will be talking about how they differentiate themselves in the highly competitive EDR space.

Links to all of these companies are below.

Dec 10, 2018
Risky Business #523 -- So many breaches

This week’s show features Patrick Gray and Adam Boileau discussing the week’s security news, including:

  • The Marriott, Quora, Dell and Sky Brazil data breaches
  • Khashoggi associate to sue NSO Group
  • Australia’s AA Bill set to pass
  • NZ gives Huawei the boot
  • AutoCAD malware targets key verticals
  • Republicans’ 2018 campaign hacked
  • Czech government blames Russia for intrusions into key systems
  • Horror-show bug in Kubernetes

This week’s show is brought to you by Duo Security, big thanks to Duo for that! In this week’s sponsor interview we’ll be chatting with Duo Security’s very own Dave Lewis about some Beyond Corp stuff. Beyond Corp is the enterprise computing model of the future and Dave will be along after this week’s news to talk about some of its finer points.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Marriott: Data on 500 Million Guests Stolen in 4-Year Breach — Krebs on Security
Marriott sued hours after announcing data breach | ZDNet
Quora Announces Data Breach of 100 Million Users - Motherboard
Dell announces security breach | ZDNet
Sky Brasil exposes data of 32 million subscribers | ZDNet
Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says - The New York Times
Police, spies gain powers to access encrypted messages after political deal struck
GCHQ’s not-so-smart idea to spy on encrypted messaging apps is branded ‘absolute madness’ | TechCrunch
Principles for a More Informed Exceptional Access Debate - Lawfare
Defence department exposed by Chinese hackers
'Watering hole' attacks: How China's hackers went after think tanks and universities
Huawei banned from New Zealand's 5G mobile network over security concerns - ABC News (Australian Broadcasting Corporation)
UK and Germany grow wary of Huawei as US turns up pressure | Financial Times
New industrial espionage campaign leverages AutoCAD-based malware | ZDNet
House Republican campaign arm hacked during 2018 election
Czech Republic blames Russia for multiple government network hacks | ZDNet
Magecart Group Ups Ante: Now Goes After Admin Credentials | Threatpost | The first stop for security news
FBI dismantles gigantic ad fraud scheme operating across over one million IPs | ZDNet
After Microsoft complaints, Indian police arrest tech support scammers at 26 call centers | ZDNet
"WeChat Payment" ransomware makers are locked in transmission, harm and epidemic ultimate decryption
Kubernetes' first major security hole discovered | ZDNet
Researchers discover SplitSpectre, a new Spectre-like CPU attack | ZDNet
Hackers are opening SMB ports on routers so they can infect PCs with NSA malware | ZDNet
Microsoft warns about two apps that installed root certificates then leaked the private keys | ZDNet
Project Zero: Adventures in Video Conferencing Part 1: The Wild World of WebRTC
Cyber attack victims face disputes with insurers | Financial Times
unprivileged users with UID > INT_MAX can successfully execute any systemctl command (#74) · Issues · polkit / polkit · GitLab
Dec 05, 2018
Snake Oilers 8 part 1: Rapid7's InsightAppSec, WhiteSource and Virus Total Enterprise

This is the first part of our final Snake Oilers edition for 2018.

Snake Oilers, for people who don’t know it, is the podcast where vendors pay to come on to the show to promote their wares. This series actually turned out to be way more popular than we expected. People quite like listening to security companies actually explaining what they do in clear terms.

We have six vendors participating in this last round of Snake Oilers for the year – we’ve split the podcast into two podcasts containing three vendor pitches each, and in this part you’ll be hearing pitches from Rapid7, WhiteSource and Chronicle.

  • Dan Kuykendall of Rapid7 talks InsightAppSec, its DAST solution.
  • David Habusha of WhiteSource talks software composition analysis
  • Brandon Levene of Chronicle on VirusTotal Enterprise

Part two is up next week!

Dec 03, 2018
Risky Business #522 -- Alex Stamos co-hosts the show, reflects on Snowden disclosures

We’ve got a slightly different edition of the show this week – Alex Stamos is filling in for Adam Boileau in the news slot.

Most of you know him as Facebook’s recently departed chief security officer. Alex also served as the CSO at Yahoo for a time, but his security career stretches back a long way. He co-founded iSEC Partners back in 2004, and before that he did some time with @Stake.

The @Stake mafia is everywhere.

These days Alex is an adjunct professor at Stanford University. He joined me to talk about the week’s security news, as well as to have a chat about the Edward Snowden disclosures, five years on.

This week’s show is brought to you by Thinkst Canary, big thanks to them for that. And instead of one of their staff being on the show this week in the sponsor chair, they asked me to interview this week’s sponsor guest, their customer, Mike Ruth, a security engineer with Cruise Automation.

Mike did a presentation at a conference called QCon recently all about automating the deployment of canary tokens at scale using some nifty CI/CD tricks. He’ll be joining us after the news to tell us all about that.

Items discussed in this week’s news:

  • NSO Group busted for selling to Saudi Arabia
  • NSO malware targets Mexican journalists
  • Edward Snowden claims NSO connection in Khashoggi case
  • Australia’s AA Bill latest
  • npm supply-chain attack targets Bitcoiners
  • Guardian reports Manafort met Assange, denials, lawsuits flying already
  • UK parliament seizes Facebook documents
  • Uber fined over 2016 breach coverup
  • UK cops decline to charge bug reporter
  • USPS finally fixes data exposure after Krebs intervention
  • Rowhammer attack bypasses ECC protections
  • Bloomberg is investigating its own reporting on Supermicro
  • Magecart is everywhere
  • Google, Mozilla plan browser access to file systems

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Show notes

Israeli hacking firm NSO Group offered Saudis cellphone spy tools - report | The Times of Israel
Edward Snowden: Israeli spyware was used to track and eventually kill Jamal Khashoggi | Business Insider
A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked. - The New York Times
Home Affairs attempts to allay concerns about Australian exporters for encryption-busting Bill | ZDNet
Widely used open source software contained bitcoin-stealing backdoor | Ars Technica
I don't know what to say. · Issue #116 · dominictarr/event-stream · GitHub
Manafort held secret talks with Assange in Ecuadorian embassy, sources say | US news | The Guardian
UK parliament seizes cache of internal Facebook documents to further privacy probe | TechCrunch
Uber fined $1.17 million by U.K., Dutch authorities for 2016 breach
UK cops won't go after researcher who reported security issue to York city officials | ZDNet
USPS Site Exposed Data on 60 Million Users — Krebs on Security
Potentially disastrous Rowhammer bitflips can bypass ECC protections | Ars Technica
Bloomberg is still reporting on challenged story regarding China hardware hack - The Washington Post
Magecart group hilariously sabotages competitor | ZDNet
Amazon admits it exposed customer email addresses, but refuses to give details | TechCrunch
Google, Mozilla working on letting web apps edit files despite warning it could be 'abused in terrible ways' - TechRepublic
Germany proposes router security guidelines | ZDNet
Half of all Phishing Sites Now Have the Padlock — Krebs on Security
The Snowden Legacy, part one: What’s changed, really? | Ars Technica
QConSF18 - Canaries - Google Drive
Canary — know when it matters
Nov 28, 2018
Risky Biz Soap Box: MITRE ATT&CK Matrix, misconfigured security controls, attack sim and more!

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This Soap Box edition is brought to you by AttackIQ.

AttackIQ is a five-year-old company that makes an attack simulation platform. The idea is you agitate a network with suspicious traffic and activities, then measure what the response looks like on the other side. As you’ll hear, Stephan argues this is a better way to test your controls than trying to do it after an incident has been and gone.

Mostly people are using it to verify the effectiveness of their security controls. They already have endpoint security software, IDS, various monitoring bits and pieces, but quite often this stuff just isn’t tuned right. So, you throw some attack traffic and behaviour at your systems and see what bubbles up.

One piece of work that has been absolutely vital to AttackIQ’s success is the MITRE ATT&CK Matrix. Like AttackIQ, the ATT&CK Matrix has been around for five years.

Stephan Chenette is AttackIQ’s CTO and he joined me to talk all about how they’re trying to use the ATT&CK Matrix to drive their whole outlook, and, conversely, how they’re spending time talking to MITRE about where the whole thing is going.

Nov 25, 2018
Risky Business #521 -- Bears everywhere

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Cozy Bear is back, Fancy Bear has new tooling
  • Russian government wants DNC lawsuit thrown out
  • Cyber Command submitting samples to VirusTotal
  • Google BGP shenanigans
  • Australian/China Telecom BGP shenanigans
  • All the recent Facebook drama
  • More speculative execution bugs
  • Julian Assange likely to be charged
  • Vault7 leaker facing new charges
  • Phineas Fisher investigation abandoned
  • Bitcoin/Tether link probed by DoJ, btc in free-fall

This week’s show is brought to you by Proofpoint.

Sherrod DeGrippo, Proofpoint’s director of threat research and detection is this week’s sponsor guest. Surprisingly, she tells us that ransomware via email is a dead duck.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz | Ars Technica
Russia's Fancy Bear and Cozy Bear Hackers May Have New Phishing Tricks | WIRED
Russia wants DNC hack lawsuit thrown out, citing international conventions | ZDNet
Russian Trolls Sue Facebook, Their Old Propaganda Machine
Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack | Ars Technica
US Cyber Command starts uploading foreign APT malware to VirusTotal | ZDNet
Google goes down after major BGP mishap routes traffic through China | Ars Technica
How China diverts, then spies on Australia's internet traffic
Rob Joyce on Twitter: "I hope this latest fiasco of traffic rerouting through China is the wakeup call for all of us to get serious about addressing the massive and unacceptable vulnerability inherent in today’s BGP routing architecture. https://t.co/dSTVIOltsF"
Everything you need to know about Facebook’s latest crisis - Recode
Facebook has been accused of peddling anti-Semitic conspiracy theories - Vox
Yes, Facebook made mistakes in 2016. But we weren’t the only ones. - The Washington Post
Researchers discover seven new Meltdown and Spectre attacks | ZDNet
The US Department of Justice is reportedly preparing to indict WikiLeaks founder Julian Assange | Business Insider
Julian Assange has been charged, prosecutors reveal inadvertently in court filing
Accused 'Vault 7' leaker to face new charges
Hacking Team Hacker Phineas Fisher Has Gotten Away With It - Motherboard
Bitcoin Price Manipulated by Tether? Justice Department Probing - Bloomberg
A Browser Extension Apparently Stole The Private Facebook Messages Of At Least 81,000 Accounts | Gizmodo Australia
The Hack Millions of People Are Installing Themselves - Motherboard
Facebook patches another bug that could have allowed mass-harvesting of user data | ZDNet
Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency | ZDNet
AWS rolls out new security feature to prevent accidental S3 data leaks | ZDNet
Most ATMs can be hacked in under 20 minutes | ZDNet
Deserialization issues also affect Ruby, not just Java, PHP, and .NET | ZDNet
Adobe ColdFusion servers under attack from APT group | ZDNet
VirtualBox zero-day published by disgruntled researcher | ZDNet
Office 365, Azure users are locked out after a global multi-factor authentication outage | TechCrunch
Cisco says a flaw in its Adaptive Security Appliance allows remote attacks
He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided. - The New York Times
Nov 21, 2018
Risky Business #520 -- Tanya Janca talks security in the curriculum

We’ve got a great podcast for you this week. Tanya Janca will be talking about some volunteer work she’s been doing with a Canadian government panel on getting security content into children’s school curriculums.

In this week’s sponsor interview we’ll be talking with Ferruh Mavituna of Netsparker.

They launched Netsparker Cloud a while ago, so now they have some decent telemetry. I wanted to ask Ferruh what he’s found surprising now that he’s sitting on a mountain of scan results. The types of bugs being turned up aren’t really a surprise, but the extent to which old software is a problem was actually pretty surprising to him. He knew it was bad, he says, but he didn’t know it was this bad.

Adam Boileau, as usual, joins the show this week to talk about all the week’s security news:

  • More Chinese MSS officers indicted by the US DoJ
  • ASD chief speaks publicly on 5G Huawei ban
  • China playing funny buggers with BGP
  • Russia is still messing with the US during the midterms
  • Facebook boots more Iranian influence pages
  • New privacy features in Signal
  • Plus much, much more!

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years | OPA | Department of Justice
U.S. charges Chinese intelligence officers for jet engine data hack
Huawei's ban to 5G network 'supported by technical advice', spy agency chief says - ABC News (Australian Broadcasting Corporation)
Canadian security boss ain't afraid of no Huawei, sees no reason for ban • The Register
US bans exports to Chinese DRAM maker citing national security risk | ZDNet
China has been 'hijacking the vital internet backbone of western countries' | ZDNet
Russia Is Meddling In The Midterms. The White House Just Isn't Talking About It.
The Crisis of Election Security - The New York Times
DHS: Election officials inundated, confused by free cyber-security offerings | ZDNet
Facebook removes more Iran-linked accounts, this time targeting the US & UK | ZDNet
We posed as 100 senators to run ads on Facebook. Facebook approved all of them. – VICE News
NYT: Chinese and Russian spies routinely eavesdrop on Trump’s iPhone calls | Ars Technica
North Korea blamed for two cryptocurrency scams, five trading platform hacks | ZDNet
New Signal privacy feature removes sender ID from metadata | Ars Technica
Windows Defender becomes first antivirus to run inside a sandbox | ZDNet
Pakistani bank denies losing $6 million in country's 'biggest cyber attack' | ZDNet
Many CMS plugins are disabling TLS certificate validation... and that's very bad | ZDNet
Twelve malicious Python libraries found and removed from PyPI | ZDNet
How ‘Mr. Hashtag’ Helped Saudi Arabia Spy on Dissidents - Motherboard
Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See - Motherboard
Apple's T2 Security Chip Makes It Harder to Tap MacBook Mics | WIRED
Microsoft Windows zero-day disclosed on Twitter, again | ZDNet
Digital DASH – ICTC - Focus on Information Technology (FIT)
Oct 31, 2018
Risky Biz Soap Box: Duo's Olabode Anise recaps his Black Hat talk on Twitter bots

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate. They sometimes want to talk about their products, other times they want to talk about general ecosystem stuff, other times they want to talk about research they’ve done.

And that’s what’s happening today! Olabode Anise is a data scientist at Duo Security. He and his colleague Jordan Wright put together a talk for Black Hat this year all about Twitter bots. It was called Don’t @ me, hunting Twitter bots at scale.

As you’ll hear, finding bots on Twitter at scale isn’t that hard, but doing so with 100% confidence isn’t as easy as you’d think.

You can check out a blog post from Olabode in the show notes below.

Oct 26, 2018
Risky Business #519 -- '90s IRC war between US and Russia intensifies

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • CYBERCOM doxing Russian operators. No, really.
  • Arrest over Russian midterm info-op
  • Bloomberg dumpster fire is now a tyre fire
  • Equifax insider sentenced for insider trading
  • Twitter releases bot dataset
  • Saudi insider responsible for 2015 Twitter breach
  • Trisis/Triton now linked to Russia
  • Kaspersky doxes NSA op
  • Risky Business cited by Senate Estimates, AA Bill faces possible delay
  • Much, much more!

This week’s show is sponsored by Cylance, and this week’s sponsor interview is with Josh Lemos.

That’s an interesting chat – Cylance has succeeded in applying machine learning to classifying binaries, but what next? Where does it make sense to apply machine learning next, from their point of view? As you’ll hear, a binary classifier is one thing, but applying ML to something like endpoint detection and response or network traffic is actually a lot more complicated.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections - The New York Times
Russian woman charged with attempted meddling in upcoming U.S. midterms
Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story
Amazon exec joins Apple in calling for a retraction of Bloomberg’s explosive microchip spying report | Business Insider
Coats: ODNI has seen 'no evidence' of supply chain hack detailed in Bloomberg story
Super Micro trashes Bloomberg chip hack story in recent customer letter | ZDNet
Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet
Twitter publishes dump of accounts tied to Russian, Iranian influence campaigns | Ars Technica
A Twitter employee groomed by the Saudi government prompted 2015 state-sponsored hacking warning | TechCrunch
FireEye links Russian research lab to Triton ICS malware attacks | ZDNet
Kaspersky says it detected infections with DarkPulsar, alleged NSA malware | ZDNet
Patrick ☠️SMBv1☠️ Gray on Twitter: "Risky Biz gets a shout out in senate estimates... 2018 is weird. https://t.co/Y25bukriKU… "
Magecart group leverages zero-days in 20 Magento extensions | ZDNet
WordPress team working on "wiping older versions from existence on the internet" | ZDNet
Trade.io loses $7.5Mil worth of cryptocurrency in mysterious cold wallet hack | ZDNet
Hackers steal data of 75,000 users after Healthcare.gov FFE breach | ZDNet
Lawfare editor on persistent DDoS attack: 'We wish they'd knock it off'
Vendors confirm products affected by libssh bug as PoC code pops up on GitHub | ZDNet
Advertisers can track users across the Internet via TLS Session Resumption | ZDNet
Open source web hosting software compromised with DDoS malware | ZDNet
Legal and Constitutional Affairs Legislation Committee_2018_10_22_6688.pdf
I forgot to talk about this in the show... this week's sponsor guest recommends people interested in machine learning check out the papers and slide decks here:
CylanceOPTICS | Products | Cylance
Oct 24, 2018
Risky Business #518 -- "Russian Cambridge Analytica" booted off Facebook after token hack

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • More info on the Facebook token hack
  • Facebook boots “Russian Cambridge Analytica” off platform
  • Chinese MSS officer extradited to USA after being lured to Belgium
  • NotPetya linked to Sandworm crew
  • Czech intelligence services kill Hezbollah APT
  • Pentagon travel records pwnt
  • No, Khashoggi’s Apple Watch didn’t record his death
  • Apple takes aim at Australia’s AA Bill
  • US voter records for sale in hack forums
  • PHP 5 support ends soon, netpocalypse to commence shortly afterward
  • The world’s most hilarious libssh bug

This week’s show is sponsored by Senrio.

Senrio is best known for doing IoT identification, classification, visualisation and anomaly detection, but they’ve now applied the same approach to general IT. Stephen will be along later in the show to talk about what they’ve been able to engineer here. I’ve actually been working with them on this (in a limited capacity) for a few months and it’s very interesting stuff.

So yeah, he’s talking about a feature release, then he’ll be releasing some open source tooling that mines your network metadata and spots interactive shells in your environment, which is handy, and then he’s going to preview some free training he’s doing with some other very well respected security people in New York soon.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Facebook Says 14 Million People Got Their Location Data and Private Search History Stolen - Motherboard
Facebook disables accounts for Russian firm claiming to sell scraped user data - CNET
In a first, a Chinese spy is extradited to the U.S. after stealing technology secrets, Justice Dept. says - The Washington Post
Researchers link tools used in NotPetya and Ukraine grid hacks
Czech intelligence service shuts down Hezbollah hacking operation | ZDNet
Breach of Pentagon travel records exposes defense personnel PII
Why missing Saudi journalist’s Apple Watch is an interesting, but unlikely, lead | TechCrunch
Apple rebukes Australia’s “dangerously ambiguous” anti-encryption bill | TechCrunch
US voter records from 19 states sold on hacking forum | ZDNet
Ransomware hits computer networks of North Carolina water utility
Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks | ZDNet
A mysterious grey-hat is patching people's outdated MikroTik routers | ZDNet
Sony working on a fix for bug that's crashing PlayStation 4 consoles | ZDNet
Microsoft JET vulnerability still open to attacks, despite recent patch | ZDNet
Proof-of-concept code published for Microsoft Edge remote code execution bug | ZDNet
WhatsApp fixes bug that let hackers take over app when answering a video call | ZDNet
Kanye's Password, a WhatsApp Bug, and More Security News This Week | WIRED
The ‘Donald Daters’ Trump Dating App Exposed Its Users’ Data - Motherboard
libssh 0.8.4 and 0.7.6 security and bugfix release – libssh
Senrio Quick Product Demo on Vimeo
Oct 17, 2018
Risky Business #517 -- Bloomberg's dumpster fire lights up infosec

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Bloomberg’s shaky, disputed report on hardware back doors
  • A look back on other false reports about imaginary incidents published by Bloomberg
  • GRU operations doxed by GCHQ
  • DOJ charges Russian intelligence officers
  • APT crews targeting MSPs
  • Google+ API exposure the final straw
  • Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Turkish Pipeline Explosion Probably No Cyber Attack - Digital - Süddeutsche.de
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
Codebook - October 10, 2018 - Axios
Patrick Gray on Twitter: "Just got this from Bloomberg PR.… "
Apple Bloomberg Congressional Letter
Patrick Gray on Twitter: "Holy shit… "
Report: Apple designing its own servers to avoid snooping | Ars Technica
Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg
HHM22137A2 TDK | Mouser Australia
Reckless campaign of cyber attacks by Russian military intelligence service exposed - NCSC Site
Justice Department charges 7 Russian intelligence officers
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations | OPA | Department of Justice
Gordon Corera on Twitter: "Breaking - Dutch intelligence (with help of British) disrupted a Russian GRU cyber operation targeting OPCW on April 13th. Four Russian intelligence officers escorted out of country."
Advanced Persistent Threat Activity Exploiting Managed Service Providers | US-CERT
Google shuts down Google+ after API bug exposed details for over 500,000 users | ZDNet
Google Plus Will Be Shut Down After User Information Was Exposed - The New York Times
Google forcibly enables G Suite alerts for government-backed attacks | ZDNet
SandboxEscaper on Twitter: "Why did gmail just throw a notification that government attackers are trying to get into my account. Not even kidding -.-"
Google sets new rules for third-party apps to access Gmail data | ZDNet
It's 2018, and network middleware still can't handle TLS without breaking encryption | ZDNet
CEO Pleads Guilty to Selling Encrypted Phones to Organized Crime - Motherboard
Project Zero: 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT | ZDNet
U.S. GAO - Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
Senetas, a leading provider of encryption technology
Oct 10, 2018
Risky Business Feature: Named source in "The Big Hack" has doubts about the story

In this podcast hardware security expert Joe Fitzpatrick, a named source in Bloomberg’s “Big Hack” piece, explains why he felt uncomfortable reading the story when it was published.

He also provided Risky.Biz with emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.

Oct 09, 2018
Risky Biz Soap Box: What's up with the ZDI these days?

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This soap box edition is brought to you by Trend Micro.

And in this edition we’re speaking with Dustin Childs, who works for the Zero Day Initiative. ZDI is the entity responsible for the Pwn2Own competition. But not just that – they’ve been buying bugs since before it was cool. Everything from enterprise software to Linux bugs... whatever. You find it, they’ll buy it.

Trend Micro actually owns the ZDI, and there’s a story right there in how that came to pass… but you know what? Trend seems to really be behind the ZDI program.

As you’ll hear, the original idea behind ZDI when it was a TippingPoint thing was so they could write IDS signatures for vulnerabilities that ZDI unearthed. We know today that spinning up sigs for bugs you’re paying for isn’t really a winning strategy for picking up 0day attempts against your computers, so, the question becomes, what do you do with a program like ZDI when you’re Trend Micro?

As it turns out, you do two things with it – there’s the marketing side, but there’s also the constant stream of exploit submissions that come in handy when you’re making endpoint security software.

We’ll also be hearing from Eric Skinner in this podcast – he’s Trend’s VP of Solution Marketing. Trend is pushing a major release of its endpoint security software and he’s along to spruik that a bit, as well as chiming in on some of the ZDI stuff.

Oct 08, 2018
[CORRECTED] Risky Business feature: A podcast on Bloomberg's absolutely wild Supermicro story

In this podcast I interview Stephen Ridley about Bloomberg’s blockbuster – but so far uncorroborated – story about possible hardware supply chain subversion by the Chinese government.

I also lay out some facts I’ve learned since the story broke.

[CORRECTED] I’ve added a correction to this podcast because the only source I could turn up who would corroborate the Bloomberg piece has retracted their claims.

This is a source who has provided me with good information in the past; I’ve known them for about 15 years and they’re very well plugged in. They showed me photos they said were from a teardown of a Supermicro motherboard. These photos showed an unlabelled integrated circuit the source said was likely a hardware back door.

Further, the source said there were other problems with the Supermicro gear, including vulnerable firmware and security functions that just didn’t work properly.

Now the source says the photos were from different equipment, not their teardown of the Supermicro gear, and that they did not find hardware back doors on the Supermicro equipment.

So basically that source’s credibility with me is pretty shot right now, and the best I can do is retract my repetition of the source’s claim that they had verified backdoors in the Supermicro equipment.

Oct 05, 2018
Risky Business #516 -- The Facebook breach, e2e VOIP court verdict, Uber's record fine and more

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Facebook breach impacts 50m accounts
  • US courts deny authorities’ attempted FB messenger wiretap
  • Uber fined $148m for nondisclosure of 2016 breach
  • Fancy Bear-linked UEFI malware appears in wild
  • UK Conservative party conference app leaks like sieve
  • Twitter bans distribution of “hacked material”
  • VPNFilter botnet gets more capabilities
  • Duo arrested over $14m cryptocurrency SIM-swap heist
  • MOAR

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

50 million Facebook accounts breached by access-token-harvesting attack | Ars Technica
Facebook says it detected security breach after traffic spike | ZDNet
Facebook sued hours after announcing security breach | ZDNet
Facebook finds ‘no evidence’ hackers accessed connected apps | TechCrunch
Exclusive: In test case, U.S. fails to force Facebook to wiretap Messenger calls - sources | Reuters
Uber to pay $148 million to states for 2016 data breach - CyberScoop
First UEFI malware discovered in wild is laptop security software hijacked by Russians | Ars Technica
Report: Zoho's domain regularly exploited to move keylogger data
UK Conservative Party conference app leaks MPs' personal details | ZDNet
Twitter bans distribution of hacked materials ahead of US midterm elections | ZDNet
Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: VPNFilter III: More Tools for the Swiss Army Knife of Malware
Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks | ZDNet
2 men arrested in Oklahoma, suspected in $14 million cryptocurrency theft, hacking of California company | KFOR.com
Hackers Are Holding High Profile Instagram Accounts Hostage - Motherboard
Feds Force Suspect To Unlock An Apple iPhone X With Their Face
U.S. looks to restart talks on global cyber norms
Canadian restaurant chain suffers country-wide outage after malware outbreak | ZDNet
Port of San Diego suffers cyber-attack, second port in a week after Barcelona | ZDNet
Some Apple laptops shipped with Intel chips in "manufacturing mode" | ZDNet
Google to no longer allow Chrome extensions that use obfuscated code | ZDNet
Phishing campaign targets developers of Chrome extensions | ZDNet
US sentences to prison its first ATM jackpotter | ZDNet
FBI solves mystery surrounding 15-year-old Fruitfly Mac malware | ZDNet
Hackers Can Stealthily Avoid Traps Set to Defend Amazon's Cloud | WIRED
Alphabet launches VirusTotal Enterprise | ZDNet
Researchers find vulnerability in Apple's MDM DEP process | ZDNet
HD Moore on Twitter: "Estimate how old a device is based on it's MAC address with mac-ages.csv: https://t.co/GaMSvWDdAP (a huge thanks to @jedimercer for https://t.co/UaVcqxc1m4)… https://t.co/Vnm85fnM5s"
Adobe Releases Security Updates for Acrobat that Fix 86 Vulnerabilities
Security Update for Foxit PDF Reader Fixes 118 Vulnerabilities
(PDF) Weaponizing the haters: The Last Jedi and the strategic politicization of pop culture through social media manipulation.
Gigamon Insight | Gigamon
Oct 03, 2018
Risky Business #515 -- NSA staffer at centre of Kaspersky scandal jailed

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Former NSA staffer gets 66 months over incident at heart of Kaspersky scandal
  • Zoho has a very bad week
  • Telco lobby group raises some legit concerns over Australia’s “anti-encryption” legislation
  • Twitter API leaks DMs
  • Equifax fined by UK
  • Yubikey 5 enables passwordless Windows logins
  • Privacy International has an aneurysm
  • NSS Labs launches antitrust suit against security software makers
  • MOAR

This week’s show is brought to you by Rapid7.

Jen Andre is this week’s sponsor guest. She was the founder of Komand, which was a security automation and orchestration company but has been part of Rapid7 since about midway through last year. I spoke to Jen a bit about how she came to start Komand and where the security automation and orchestration discipline is at right now.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Ex-NSA employee gets 5.5 years in prison for taking home classified info | ZDNet
Domain registrar oversteps taking down Zoho domain, impacts over 30Mil users | ZDNet
Peter Dutton to push through new security legislation as fears of "severely damaging" spyware murmur
Twitter API bug leaked private data to other accounts
Equifax fined maximum penalty under 1998 UK data protection law
The Series 5 YubiKey Will Help Kill the Password | WIRED
Press release: UK intelligence agency admits unlawfully spying on Privacy International | Privacy International
UK spooks fess up to snooping on Privacy International's private data
GCHQ's mass surveillance violates citizens' right to privacy, ECHR rules
NSS Labs files antitrust suit against multiple cybersecurity vendors
Hacking for ca$h | The Strategist
Operator of 'VirusTotal for criminals' gets 14-year prison sentence
Tencent engineer attending cybersecurity event fined for hotel WiFi hacking
Snyk gets $22 million for platform that tracks security flaws in open source projects
They Got 'Everything': Inside a Demo of NSO Group's Powerful iPhone Malware - Motherboard
Content Moderator Sues Facebook, Says Job Gave Her PTSD - Motherboard
Microsoft Rolls Out Confidential Computing for Azure
Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation
This Windows file may be secretly hoarding your passwords and emails | ZDNet
Security researcher claims macOS Mojave privacy bug on launch day | TechCrunch
0Day Windows JET Database Vulnerability disclosed by Zero Day Initiative
Over 80 Cisco Products Affected by FragmentSmack DoS Bug
Cisco patches 'critical' credential bug in video surveillance software
Security Orchestration and Automation with InsightConnect | Rapid7
Security Orchestration and Automation for Security Operations | Rapid7
Sep 26, 2018
Risky Biz Soap Box: Yubico launches Yubikey 5, ushers in passwordless Windows logins

Soap Box is the wholly sponsored podcast series we do where vendors pay to participate.

Our guest in this edition is Jerrod Chong, the SVP of product at Yubico, the makers of Yubikeys. We were originally going to publish this Soap Box with Yubico a few weeks ago, but we delayed it for a very good reason.

This podcast is going out at the same time as a press release from Yubico – they’re releasing the Yubikey 5, and it’s a very significant update.

Regular listeners would have heard me talk about seeing Yubico’s booth at Black Hat – it was like a mosh pit, and I think there are two reasons for that. Firstly, they were giving away keys, (haha) but secondly, they were demonstrating FIDO2 Windows logins over NFC.

With the launch of the Yubikey 5, Yubico has actually delivered passwordless logins for Windows networks. You can do tap only via NFC, tap and PIN via NFC, or you can roll old school with USB.

So, Jerrod Chong joined me for this conversation. We talk about the Yubikey 5, and more broadly about the future of authentication and authentication devices.

Sep 24, 2018
Risky Business feature: iOS exploits just got a lot more expensive

We’re going to be talking to two people in this podcast and the topic is, for the most part, the introduction of pointer authentication on the latest Apple iPhones. This is a development that flew under the radar of most of the infosec media and it’s significant because it is going to basically wipe out ROP exploits as we know them. There’s no such thing as a perfect mitigation, but Apple has leveraged some recent ARM features to really lock down their devices.

In addition to the pointer authentication stuff, they’ve also made some changes that will affect the ability of companies like Cellebrite to unlock phones. Again, this won’t kill unlocks completely, but in one release Apple really has made life a lot harder for people in the offence game.

This will eventually have some consequences for the crypto debate. These devices are just getting more and more secure through some really cool engineering.

So we’ll be talking to Chris Wade about this; he’s the brain behind Corellium, an iOS emulator. His clients include everyone from exploit developers to the publishers of very popular iOS applications. If you want to back-test an app change on 15 different versions of iOS, Corellium is the way to do that… or if you want to, you know, test your latest 0day, it’s good for that, too.

Then we’re going to hear from Dr. Silvio Cesare of Infosect here in Oz. He’s going to talk about whether we might see similar mitigations on Intel and weigh in on Apple’s changes.

Sep 21, 2018
Risky Business #514 -- New NSO Group report released and another State Department email breach. Drink!

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Citizen Lab drops NSO Group report
  • “Weaponised Stuxnet” claims are idiotic
  • Another State Department email breach! Drink!
  • Dutch foil planned attack against Swiss Novichok lab
  • Mirai botnet authors working for FBI
  • US telcos want to be consumer auth brokers
  • US fails to extradite “Mr Bitcoin”
  • Much, much more

This week’s show is brought to you by Remediant. They make a just-in-time access solution for privileged account management (PAM), and we’re doing something a little different in this week’s sponsor interview.

Paul Lanzi of Remediant will be along, but so will Harry Perper of MITRE Corporation. Harry’s pay-cheques say MITRE, but he’s been working on a NIST project. The National Cybersecurity Center of Excellence (NCCoE) at NIST has been working on a project to provide guidance on the secure usage and management of privileged accounts. The so-called 1800-18 document is a practical guide and reference architecture for privileged account management, and we’ll talk to both Harry and Paul about that after the news.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Cyber Sleuths Find Traces of Infamous iPhone and Android Spyware ‘Pegasus’ in 45 Countries - Motherboard
HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries - The Citizen Lab
iOS Security Guide iOS 12 September 2018
US military given more authority to launch preventative cyberattacks - CNNPolitics
People Are Recklessly Speculating That the Massachusetts Gas Explosions Were a Stuxnet-Related Hack - Motherboard
State Department email breach exposed employees' personal information - POLITICO
Novichok poisoning: Russians expelled from Switzerland
The Mirai Botnet Architects Are Now Fighting Crime With the FBI | WIRED
U.S. Mobile Giants Want to be Your Online Identity — Krebs on Security
Senior Google Scientist Resigns Over “Forfeiture of Our Values” in China
Google Plans to Launch Censored Search Engine in China, Leaked Documents Reveal
Google's prototype Chinese search engine links searches to phone numbers | Technology | The Guardian
Vijay Boyapati on Twitter: "When I worked at Google, as an engineer on Google News, I was asked to write code to censor news articles in China (circa 2006). I refused and they took me off the project and put someone else on it. Doesn't surprise me Google is back at it. "Don't be Evil" is a Google myth.… https://t.co/1geUCURHay"
US loses extradition battle with Russia for Bitcoin kingpin | ZDNet
US lawmakers introduce bill to fight cybersecurity workforce shortage | ZDNet
Ransomware attack blacks out screens at Bristol Airport | ZDNet
Security flaw can leak Intel ME encryption keys | ZDNet
Nasty piece of CSS code crashes and restarts iPhones | ZDNet
New cold boot attack affects 'nearly all modern computers' | ZDNet
Uproar after Adobe winds down Magento rewards-based bug bounty program | ZDNet
Jason Woosley on Twitter: "The demise of #BugBounty at @Magento has been greatly exaggerated. Yesterday we announced the transition of this program to the @Adobe @HackerOne system. We failed to mention that we will continue to pay out for this incredibly valuable work. Hack on!"
Proofpoint: One month out from deadline, half of agency domains are DMARC compliant
Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites | TechCrunch
Facebook pilots new political campaign security tools — just 50 days before Election Day | TechCrunch
Facebook Broadens Its Bug Bounty to Include Third-Party Apps | WIRED
Google remotely changed the settings on a bunch of phones running Android 9 Pie - The Verge
Zero day in popular video surveillance technology goes public, unpatched
Privileged Account Management | NCCoE
Sep 19, 2018
Risky Business #513 -- The DPRK indictment, BA gets owned, Webauthn issues and more [CORRECTED]
This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • The DPRK indictment and subsequent fall out
  • British Airways gets owned
  • Webauthn hits some roadblocks
  • The latest action from Washington DC
  • Trend Micro has a bad time
  • Tesla pays out for key-fob clone attack
  • Tor browser 0day hits Twitter
  • Much, much more

We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.
The original release of this podcast included discussion of some rumours that turned out to amount to nothing. We had mentioned three data points:

  • The CISO of American Airlines, Dan Glass, departing a few weeks ago
  • Someone I know had their AA/Citi credit card re-issued, despite saying they only ever used that card to buy AA fares
  • A rumour an FBI computer crime investigator is on site at American Airlines

Well, it turns out Dan Glass is a listener, and he got in touch with us after the podcast ran to clear this up. He says the reason he left is actually because AA was offering some very attractive redundancy packages. Following AA’s merger with US Airways the combined group eventually found itself in the position of having too many executives. As many listeners will know, being a CISO is a pretty hardcore job so Dan jumped at the chance to bounce out and have some time off.

As for the FBI being on-site, Dan says that’s not unusual. They’re one of the largest airlines in the world so they’re frequently liaising with LE. As for my pal’s card getting re-issued… who knows?

The point is it looks like these rumours and data points don’t actually add up to much. This is why I rarely run rumour in the podcast and at least try to do some verification. In this case I just didn’t have time, but still, I should have just held it over until I’d had a chance to make some basic enquiries. It was sloppy. Sorry.

In particular I’d like to apologise to the fraud teams who may have been asked to follow this up, the PR teams who’ve no doubt been fielding questions about this, and also to Dan Glass. Although, it must be said, Dan and I had a very nice chat and he didn’t seem upset. Thanks for being a chiller, Dan!

Again, I’m sorry. I’ll do better in the future.
Show notes

U.S. charges North Korean hacker over Sony, WannaCry incidents
US indicts North Korean agent for WannaCry, Sony attacks [Updated] | Ars Technica
Analysts expect Lazarus Group to evolve, clean up opsec
Don't Punish A North Korean Hacker Just For Following Orders
The North Korean Hacker Charges: Line-Drawing as a Necessary but not Sufficient Part of Deterrence - Lawfare
British Airways breach caused by the same group that hit Ticketmaster | ZDNet
Card-Skimming Malware Campaign Hits Dozens of Sites Daily
Worries arise about security of new WebAuthn protocol | ZDNet
A call for principle-based international agreements to govern law enforcement access to data - Microsoft on the Issues
Exclusive: Trump to target foreign meddling in U.S. elections with sanctions order - sources | Reuters
House passes deterrence bill that would call out nation-state hackers
First IoT security bill reaches governor's desk in California | ZDNet
DHS supply chain and CDM bills pass the House
Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’ | TechCrunch
Alex Stamos: Pretty clear GRU's goal was to weaken a future Clinton presidency | ZDNet
'We simply haven't done enough': Facebook and Twitter execs testify on foreign influence campaigns
Trend Micro blames data collection issue on code library re-use
Apple Removes Top Security App For Stealing Data and Sending it to China
Tesla offers 'goodwill' to security researchers hacking its cars
Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob | WIRED
U.S. extradites Russian accused in hack of JPMorgan Chase
Standard to protect against BGP hijack attacks gets first official draft | ZDNet
Exploit Affecting Tor Browser Burned In A Tweet
Exploit vendor drops Tor Browser zero-day on Twitter | ZDNet
Tor launches official anonymous Android browser
US government releases post-mortem report on Equifax hack | ZDNet
GAO-18-559, DATA PROTECTION: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach
Thinkst Canary on Twitter: "This week we totally announced an un-feature. We are removing SNMP as an available service on Canaries. (Turns out its signal to noise ratio is terribad, and everyone we’ve ever caught through SNMP also tripped over other services too)… https://t.co/kiNx6GZPtj"
Sep 12, 2018