Risky Business

By Risky.biz
About this podcast
Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.
Latest episodes
Jan. 10, 2018
On this week’s show Matt “pwnallthethings” Tait joins the show to walk us through the so-called Meltdown and Spectre bugs. Most of the coverage of the flaws has either been massively hyped or detail-free, and Matt pops by to untangle the whole mess. He does a great job of it, too. This week’s show is brought to you by Cylance. CTO Rahul Kashyap will be along in the sponsor chair to talk about why so many AV packages were causing Windows boxes to BSOD when Microsoft pushed its Meltdown patch. Adam Boileau is back in the news hotseat, and boy oh boy do we have a lot to cover. Show notes are below, and you can follow Adam or Patrick on Twitter if that’s your thing.
Show notes
Intel CEO sold all the stock he could after Intel learned of security bug | Ars Technica
Bad docs and blue screens make Microsoft suspend Spectre patch for AMD machines | Ars Technica
MacOS LPE Exploit Gives Attackers Root Access | Threatpost | The first stop for security news
Project Zero: aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript
NSA contractor pleads guilty to charge of hoarding troves of classified docs - Cyberscoop
The Wassenaar Arrangement's latest language is making security researchers very happy
White House Bans Staff From Using Personal Mobile Phones at Work - Bloomberg
New Rules Announced for Border Inspection of Electronic Devices | Threatpost | The first stop for security news
Facebook Is Disrupting North Korean Hacking Operations - Motherboard
Game-changing attack on critical infrastructure site causes outage | Ars Technica
I’m harvesting credit card numbers and passwords from your site. Here’s how.
Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller - Bitcoin News
Electrum Wallet Keys Could Be Snatched by Malicious Websites - Inside Bitcoins - News, Price, Events | Inside Bitcoins – News, Price, Events
Mailgun Security Incident and Important Customer Information
Reddit admits its email provider was hacked to steal Bitcoin Cash tips
Oracle app server hack let one attacker mine $226,000 worth of cryptocoins | Ars Technica
Jailed Russian says he can prove hack of DNC on Kremlin's orders
Hackers take control of security firm’s domain, steal secret data | Ars Technica
How Kaspersky’s Software Fell Under Suspicion of Spying on America - WSJ
“Political pressure” reportedly kills Huawei/AT&T smartphone deal | Ars Technica
Snowden’s App Probably Can’t Protect You From Targeted State Surveillance - Motherboard
Twitter Promoted a Tweet That Steals Your Credit-Card Details
Ukrainian hackers turn on own government to make it care about cybersecurity - Euromaidan Press
What Happens If Russia Attacks Undersea Internet Cables | WIRED
Cyxtera Technologies to acquire offensive cyber firm Immunity
Full Disclosure: CVE-2017-15944: Palo Alto Networks firewalls remote root code execution
Ruben Berenguel, PhD on Twitter: "We’ve seen CPU usage go from ~20% to ~40% (and now critical machines with redundancy upscale under loads that before didnt made them blink). Costs this month in AWS will go up 10%, I predict (very least, haven’t checked EMR effect yet, if similar, 20-30%) #spectre #meltdown #fb"
A collection of links to PDFs of papers on Micro-Architectural Attacks (sorted by date) by Paul Harvey - kernel, vulnerabilities, meltdown | Peerlyst
Joanna Rutkowska on Twitter: "@tehjh @anders_fogh Something much simpler than what you did :) See below. This is part of the work Rafał Wojtczuk and I did back in 2010. It's no longer under… https://t.co/HFkUelrPBn"
CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility
Cylance | Meltdown and Spectre Vulnerabilities
Dec. 13, 2017
This is the last show for the year; Risky Business will return on January 10th 2018. In this week’s feature Stephen Moore joins us. He was formerly the Staff Vice President of Cyber Security Analytics at Anthem, the healthcare company that was spectacularly owned by a Chinese APT crew in 2015. Instead of us all just saying “lol they got owned, they’re idiots,” I thought it would be a good idea to actually talk to someone who was there. As you’ll hear, Anthem’s team knew they were being targeted by an APT crew and did its best to fend off the attackers, but sadly they lost anyway. It’s sobering listening. This week’s sponsor interview is also just great. We’ll check in with Casey Ellis of Bugcrowd. He’ll be along to talk about this whole Uber mess. A lot of the reporting around the so-called Uber data breach seemed to fixate a bit on the fact that the attacker was paid via the HackerOne bug bounty platform. The coverage has conflated extortion with bug bounty programs, much to Casey’s dismay. He’ll be along later to share his views on what the Uber snafu means, as well as to share his thoughts on DJI’s disastrous bug bounty program. Adam Boileau, as usual, stops by to discuss the week’s security news, and also to wrap up the 2017 season. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
1.4 Billion Clear Text Credentials Discovered in a Single Database
APT 34 Is an Iran-Linked Hacking Group That Probes Critical Infrastructure | WIRED
This country's hacking efforts have become too big to ignore
Popular Destinations rerouted to Russia | BGPmon
Italian Prosecutor Makes Request to Close Hacking Team Investigation - Motherboard
Jailed Russian hacker: I hacked Democrats 'under the command' of Russian intelligence agents | Business Insider
Australia Seeks New Gag Laws That Could See Journalists And Whistleblowers Jailed for 20 Years
Mark Di Stefano 🤙🏻 on Twitter: "Twitter says it's removing 3.2 million accounts every single week. A staggering number."
Phishers Are Upping Their Game. So Should You. — Krebs on Security
It's easy to fake Extended Validation certificates, research shows - Cyberscoop
On the value of EV - Google Groups
Nope, this isn’t the HTTPS-validated Stripe website you think it is | Ars Technica
Hackers hit key ATM network in crime spree that clears $10 million | Ars Technica
Want to Launder Bitcoins? How Crooks Are Hacking iTunes and Getting Paid by Apple
Google Releases Tool To Help iPhone Hackers - Motherboard
Android Flaw Allows Attackers to Poison Signed Apps with Malicious Code | Threatpost | The first stop for security news
Tim Watts MP on Twitter: "Hey @riskybusiness - can the Australian political figure single tweet hacker be this week's skateboarding dog?"
Ambassador Joe Hockey's account 'likes' tweet calling Malcolm Turnbull a 'cranky prick'
Mike Arpaia on Twitter: "@dinodaizovi @riskybusiness Even if you're blocking and doing the analysis on the host, that takes cycles for you to make your decision. Nothing is "real time", it's all… https://t.co/qRMSpiY3KN"
Airlock Digital - News
Dec. 11, 2017
Today’s Soap Box is brought to you by Bromium. Bromium makes a security suite that wraps key applications in microvisors. It’s a way to get app-specific, hardware-based virtualisation. Historically Bromium has wrapped things like browsers and the office suite into these microvisors. Bromium has also found a lot of success in selling to organisations that have to run out-of-date browsers and Java. Wrapping an old browser in Bromium actually does make it safe to use. Well, now they’ve gone a step further. They’ve launched secure app extensions, which is where they custom-wrap your application, or an application you use, into a microvisor. So if you’re using some awful, old, insecure enterprise app and it’s keeping you awake at night, this might be a solution for you if you can’t rip and replace. Have a listen!
Show notes
[pdf] Securing Legacy Applications with Bromium Application Isolation and Control
Dec. 6, 2017
On this week’s show we’ll be having a look at the latest OWASP top 10. As many of you would know, the new list is out. A couple of items have been dropped and a couple of items have been introduced. But we’re really using this new top 10 as an excuse to have a broader chat about the top 10 and the OWASP mission more generally. As you’ll hear, everyone seems to agree the list is a good thing, but maybe OWASP needs to sharpen its communication strategy a little to make itself more accessible to the developers it’s trying to help. We’ll hear from OWASP Bristol chapter leader and Veracode consultant Katy Anton on that, as well as Safestack head honcho Laura Bell and penetration tester and founder of Matchme consulting Pam O’Shea. This week’s show is brought to you by a first time sponsor, VMRAY. They make malware analysis software that’s very popular with CERTs, but I suspect a lot of listeners out there in IR will also be interested in what they’re doing. The core offering is a cloud malware analyser that isn’t public, so if you don’t want to fire off a sample to VirusTotal and let the bad guys know you’re on to them, VMRAY is a better option. VMRAY didn’t actually get one of its staff into this week’s sponsor slot, it chose one of its users instead – Koen Van Impe. He pops along to talk through what he uses VMRAY for and to give us a bit of an overview of what it does. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
Uber security executives leave company amid lawsuit and breach investigation
Proposed law would jail execs who fail to report data breaches – Naked Security
U.K. cyber agency tells government to handle Russian anti-virus software with caution
Former N.S.A. Employee Pleads Guilty to Taking Classified Information - The New York Times
Ex-NSA Hackers Worry China And Russia Will Try to Arrest Them - Motherboard
The US Should Modernize Election Systems to Prevent Hacking | WIRED
Russia Wants to Launch Backup DNS System by August 1, 2018
How DJI fumbled its bug bounty program and created a PR nightmare
DHS: Drone Maker "Likely" Helping China Spy on US
The EU Will Foot the Bill for VLC Player's Public Bug Bounty Program
Privacy regulator warns MPs over shared passwords - BBC News
SEC Halts a Silly Initial Coin Offering - Bloomberg
‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs | WIRED
Andromeda botnet mastermind arrested in Belarus, identified by his ICQ number
Hacked Password Service Leakbase Goes Dark — Krebs on Security
Dell, Other Vendors Start Shipping Laptops With Intel ME Firmware Disabled
Satori Botnet Has Sudden Awakening With Over 280,000 Active Bots
Cisco Patches Critical Playback Bugs in WebEx Players | Threatpost | The first stop for security news
Flaw Found In Dirty COW Patch | Threatpost | The first stop for security news
GitHub will soon warn developers of insecure dependencies, adds news feed, team chat and more
Man Hacks Jail Computer Network to Get Friend Released Early
Malware Detection & Malware Sandbox Analysis | VMRay
Securing Ethereum at Empire Hacking | Trail of Bits Blog
Careers at Fitbit
Dec. 4, 2017
We’ll be hearing from three vendors in this edition of Oilers. Dino Dai Zovi will be along first up to talk about his startup, Capsule8, which looks very promising indeed. After we’ve heard from Dino we’ll be chatting with Chris McNab. He used to run incident response for iSec Partners and later NCC Group, but these days he runs AlphaSOC, a company he founded. They’re a very simple play – they do DNS and IP analytics. They offer that as a Splunk application or via an API, and you would be amazed how much bad stuff you can kick off your network with something as simple as DNS and IP analytics. Tor exfil, whole families of malware, BitTorrent, all sorts of stuff. Chris will be along soon to talk about that. Then we’re rounding it out with a conversation with Sylvain Gil, the co-founder of Exabeam. Exabeam started off in analytics and UEBA, but they’ve taken a bunch of money and they’re spending it on building out their SIEM, which is already pretty popular in certain circles because they don’t license it based on volume. Sylvain pops along later on to talk about how that’s changing SIEM use cases for a bunch of people. For example, they can pump their EDR logs into their SIEM without wearing a seven figure SIEM consumption bill. He also walks through how they’ve used open source technologies like Hadoop in their products. It’s an all around chat that one, not so much a pitch, but yeah, I found it really interesting and I hope you will too. Links to all three profiled vendors are below!
Show notes
Capsule8
AlphaSOC
GitHub - alphasoc/nfr: A utility to score DNS traffic via the AlphaSOC API and identify security threats
Security Intelligence | SIEM & UEBA | Exabeam
Nov. 29, 2017
On this week’s show we’re speaking with Susan Hennessey, a Fellow in National Security in Governance Studies at the Brookings Institution and managing editor of Lawfare. We’re talking to her about cross-border law enforcement in the Internet age. We hear a lot of people in the infosec community expressing some discomfort with the FBI’s use of Network Investigative Techniques designed to de-cloak Tor users. Susan pops by to explain why the FBI and other law enforcement bodies aren’t worried about the international ramifications of dropping a de-cloaking technique on the whole planet. We also cover off a few of the other issues around how data can be turned over to various governments. It’s a fascinating chat and it’s coming up after the news. This week’s show is brought to you by Tenable Security. In this week’s sponsor slot we’ll be hearing from Ray Komar, Tenable’s VP of technical alliances. We’re talking to Ray about a partnership Tenable has formed with Siemens. They’re trying to tackle the issue of tracking vulnerabilities in industrial control system equipment, but as you’ll hear, people aren’t actually buying it so much for the vulnerability tracking side, they’re buying it for the visibility side. It turns out dropping a passive scanner on your ICS network is a good way to know what’s actually ON your ICS network. As always, Adam Boileau pops in to discuss the security news. We cover:
The Uber hack
Apple’s comedy “root” bug
Krebs on possible Shadowbrokers link
Charges against more Chinese APT operators and Iranian HBO attacker
More “hack back” legislation action
Intel ME bug details
Golden SAML
MOAR
Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
Uber Hid 57-Million User Data Breach For Over a Year | WIRED
Lawmakers demand answers from Uber after massive data breach - Cyberscoop
Apple MacOS High Sierra Security Flaw Lets Anyone Get Root Access, No Password Required | WIRED
Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools? — Krebs on Security
DOJ reveals indictment against Chinese cyber spies that stole U.S. business secrets
China hides homegrown hacks from its vulnerability disclosure process
Feds Indict Iranian for HBO Hack—But Extradition Isn't Likely | WIRED
Guilty plea for Canadian charged in 2014 Yahoo hacking case
Rep. Graves: 'Active defense' bill will launch a new industry
Intel Management Engine Flaws Leave Millions of PCs Exposed | WIRED
mjg59 | Potential impact of the Intel ME vulnerability
Researcher discovers classified Army intel app, data on open public AWS bucket | Ars Technica
How Bots Broke the FCC's Public Comment System During the Net Neutrality Debate | WIRED
Newly Published Exploit Code Used to Spread Mirai Variant | Threatpost | The first stop for security news
Fund Targets Victims Scammed Via Western Union — Krebs on Security
No Patch Available for RCE Bug Affecting Half of the Internet's Email Servers
Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps - CyberArk
Could Terrorists Hack an Airplane? The Government Just Did.
Symantec Encryption Desktop Local Privilege Escalation – Exploiting an Arbitrary Hard Disk Read/Write Vulnerability Over NTFS – Nettitude Labs
Patrick Gray on Twitter: "So the password Wikiloons sent Jnr wasn’t a CMS password, it was just used to get to a content preview. A dozen outlets had the password, so… https://t.co/sYpaR2DgxT"
Nov. 15, 2017
On this week’s show we check in with Mara Tam. She’ll be telling us why the idea of a so-called “Digital Geneva Convention” is silly. Then, after that, Rich Smith of Duo Security will be in the sponsor chair. You may have heard about some recent research Duo Labs did into Apple EFI patches basically not working/sticking. Rich walks us through that research, why Duo did it, how they did it, and what it can tell us. It might be Mac research but the real worry, as you’ll hear, is around Wintel firmware. Adam Boileau pops by for this week’s news discussion. We’ll be covering:
Facebook’s plan to combat “non-consensual intimate imagery”
Wikileaks Vault8 leaks
Assange sending a “guessed” password to Donald Trump Jnr
NYTimes reports on the Shadowbears
Cracking FaceID with a rubber mask
MOAR
Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
Facebook Workers, Not an Algorithm, Will Look at Volunteered Nude Photos First to Stop Revenge Porn
The Facts: Non-Consensual Intimate Image Pilot | Facebook Newsroom
If Facebook Actually Wants to Be Transparent, It Should Talk to Journalists - Motherboard
WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools - Motherboard
Donald Trump Jr. and WikiLeaks Talking Privately on Twitter Makes Perfect Sense | WIRED
WikiLeaks on Twitter: "New WikiLeaks publication reveals CIA wrote code to impersonate Kaspersky Labs anti-virus company https://t.co/EvE8GdyAmM https://t.co/geigDgIDsk"
Donald Trump Jr. on Twitter: "Here is the entire chain of messages with @wikileaks (with my whopping 3 responses) which one of the congressional committees has chosen to… https://t.co/4C0d2vBOkq"
Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core - The New York Times
Hackers say they broke Apple’s Face ID. Here’s why we’re not convinced | Ars Technica
Hackers Say Plastic Surgeon to the Stars Hacked Back at Them
Uber drivers in Lagos, Nigeria use fake Lockito app to boost fares — Quartz
CEO who presided over Mt. Gox’s collapse could end up with massive profits | Ars Technica
Google Begins Removing Play Store Apps Misusing Android Accessibility Services | Hackbusters
OnePlus inadvertently left a backdoor on its phones
Muslim activists hack Isis mailing list hours after terrorists claimed it was unhackable | The Independent
This AI Bot That Messes With Email Scammers As Long As Possible Is Brilliant - Digg
The FBI Blindly Hacked Computers in Russia, China, and Iran
Huddle's 'highly secure' work tool exposed KPMG and BBC files - BBC News
Microsoft Provides Guidance on Mitigating DDE Attacks | Threatpost | The first stop for security news
How AV can open you to attacks that otherwise wouldn’t be possible | Ars Technica
Cryptojacking craze that drains your CPU now done by 2,500 sites | Ars Technica
Crooks sending fake Apple emails in order to unlock stolen iPhones
Hacker Wannabes Fooled by Backdoored IP Scanner
Cyber Security | Global Cyber Security Services Provider
About the security content of iOS 11 - Apple Support
Microsoft's Smith adds 'cyber Red Cross' to his 'digital Geneva Convention' call
thinkst Thoughts...: A Geneva convention, for Software
thinkst Thoughts...: On anti-patterns for ICT security and international law
The need for a Digital Geneva Convention - Microsoft on the Issues
The Apple of Your EFI: Mac Firmware Security Research | Duo Security
Nov. 8, 2017
There’s no feature interview in this week’s edition, just a slightly longer news session with Adam Boileau, then it’s straight into this week’s sponsor interview. Adam and I will be speaking about:
Charges against Russian officials involved in the DNC hack
Confirmation of Russian involvement in Ukraine artillery targeting app
Attribution claims in Bad Rabbit campaign
“Hack Back” bill is picking up steam
1 million installations of counterfeit WhatsApp clone
A properly awful Tor browser bug
The cryptocurrency comedies/tragedies of the week
MOAR
Marco Slaviero is this week’s sponsor guest. He’ll be along with a radical marketing approach: He’ll be telling us what Canaries can’t do! But you know what? It’s a useful thought exercise. He’ll also update us on the latest stuff they’re doing in the cloud. They’ve got some new VMWare virtual canaries too. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
US could charge six Russian officials over DNC email hacking
Russia hackers had targets worldwide, beyond US election - The Washington Post
Tracing Fancy Bear’s paw prints – Raphael – Medium
The GRU-Ukraine Artillery Hack That May Never Have Happened
How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts - Motherboard
Ukraine blames infamous Russian hackers for 'BadRabbit' ransomware attack
Chinese hackers starting to return focus to U.S. corporations
'Hack back' bill gains 7 new co-sponsors
Ex-NSA Director Says Companies Should Never Hack Back Because They Could Start Wars - Motherboard
How Level 3's Tiny Error Shut Off the Internet for Parts of the US | WIRED
More Than 1 Million People Downloaded a Fake WhatsApp Android App - Motherboard
Beating the iPhone X Face ID Is Hard. We Know, Because We Tried | WIRED
Flaw crippling millions of crypto keys is worse than first disclosed | Ars Technica
Critical Tor flaw leaks users’ real IP address—update now | Ars Technica
Stuxnet-style code signing is more widespread than anyone thought | Ars Technica
SEC warns that celebrity cryptocurrency endorsements may be illegal | Ars Technica
Dan Guido on Twitter: "Parity likely did not think of their wallet as a classic contract. Their code is in a library, and they delegatecall to execute it directly."
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week - Motherboard
More than two years after historic breach, OPM continues to struggle with cybersecurity
Texas Shooter's Phone Encrypted | Threatpost | The first stop for security news
Chain of 11 Bugs Takes Down Galaxy S8 at Mobile Pwn2Own | Threatpost | The first stop for security news
Patrick Gray on Twitter: "Oh my fucking god. https://t.co/oyyXcDQ5ie"
Nov. 6, 2017
In this edition of Snake Oilers we’re taking a look at two Australian companies and their solutions: Kasada and Haventec. Kasada’s product is a simple one – it’s bot prevention using proof of work and a couple of other things – and Haventec’s solution is a bit more out there. They’ve got a couple of products. One uses device fingerprinting plus a secret for authentication, but they’ve actually come up with something else that’ll be really interesting to people in the payment card processing space. Basically they’ve come up with a way to split credit card info into a few pieces so it can be stored in a distributed way: part of the info with the user, part with the merchant and part with the processor. It’s a better approach than tokenisation, and will drastically reduce the liability and costs that come with storing huge amounts of card data on the processor side. Oh, and they’ve solved the chargeback problem on that one too. Links to the companies profiled can be found below. I hope you enjoy the show!
Show notes
Kasada | Security Redefined
Haventec | Revolutionising cyber security
Home - Australian Cyber Security Growth Network
Nov. 1, 2017
On this week’s show we’re chatting with Zeynep Tufekci about how machine learning accelerates the dissemination of crazy s–t, basically. Zeynep’s September TED talk titled “We’re building a dystopia just to make people click on ads” is a must watch and has been doing the rounds on infosec Twitter over the last couple of weeks. She joins us this week to talk through what we might be able to do about the tendency of online platforms to send people down pretty warped rabbit holes. That’s a fascinating chat. This week’s show is brought to you by Senetas. Senetas is a Melbourne-based company that develops and manufactures layer 2 encryption gear. They also operate the SureDrop secure file sharing platform and are working on a bunch of cloud crypto tech as well. Julian Fay is CTO over at Senetas and he’s along this week to talk us through the bugs Matthew Green and his colleagues found in a bunch of FIPS-certified gear from Fortinet. It’s a really, really illuminating chat. I love it when Julian’s in the sponsor chair because I always learn a lot. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
Infrastructure for the ‘Bad Rabbit’ Ransomware Appears to Have Shut Down - Motherboard
Global ransomware attacks tiptoed around Russian anti-virus products
NotPetya ransomware cost Merck more than $310 million
British security minister says North Korea was behind WannaCry hack on NHS | The Independent
Worker who snuck NSA malware home had his PC backdoored, Kaspersky says | Ars Technica
Proud to keep on protecting – no matter the false allegations in the U.S. media. | Nota Bene: Eugene Kaspersky's Official Blog
Equifax Was Warned - Motherboard
China Tests the Limits of Its US Hacking Truce | WIRED
Google: Chrome is backing away from public key pinning, and here's why | ZDNet
YubiHSM 2 is here: Providing root of trust for servers and computing devices | Yubico
Francisco Partners Acquires Comodo's SSL Security Business
Google's reCaptcha Cracked Again | Threatpost | The first stop for security news
Unexplained cyberattacks sow chaos among dark web markets
The Fight Over Jordan Hamlett’s ‘Hack’ of Trump’s Tax Returns
Facebook, Google, Twitter tell Congress their platforms spread Russian-backed propaganda | Ars Technica
LSE Business Review – Blockchain and bitcoin: In search of a critique
A Guide to Attacking Domain Trusts – harmj0y
Fooling Neural Networks in the Physical World with 3D Adversarial Objects · labsix
Training
Zeynep Tufekci: We're building a dystopia just to make people click on ads | TED Talk | TED.com
Attack of the week: DUHK – A Few Thoughts on Cryptographic Engineering
Senetas - a leading provider of high-assurance encryption