Risky Business
By Risky.Biz
About this podcast
Risky Business primary podcast.

Episodes (Total: 75 / Page: 1)
Aug. 16, 2017
On this week’s show we chat with Charlie Miller all about the security of autonomous vehicles. As you’ll hear, he says autonomous vehicle security all comes down to some security fundamentals that are, in fact, being taken seriously by carmakers. We’ve got an absolutely fantastic sponsor interview for you this week. This week’s show is brought to you by Senrio. They make an IoT network monitoring solution that’s actually really good. Stephen Ridley is the founder and head honcho at Senrio. He’s a very well known researcher and he joins us this week to talk about a few things. First up he recaps the gSOAP library bugs he found. They were a big deal in July, but as you’ll hear, people kinda missed the point. The affected gSOAP library is absolutely everywhere, including in, ahem, browsers. So yeaaaaah. There’s that. Then we move on to the more sponsor-y part of the sponsor interview, talking about Senrio’s experience running the IoT hacking village at DEFCON. It was a great time for them, throwing their product at the most hostile IoT network the world has ever seen. To round out the Stephen Ridley omnibus experience we’ll also hear about a few training courses he’s offering on Android hacking and software exploitation via hardware exploitation. Adam Boileau joins the show to talk about the week’s security news; links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.
Aug. 9, 2017
On this week’s show we’ll be chatting with Kelly Shortridge, formerly a detection manager at BAE, all about her Black Hat talk. It’s all about why most of what you hear about applying game theory to detection strategies is total bullshit. This week’s show is brought to you by Signal Sciences! Signal Sciences makes a killer product focussed on web application and web server security. It’s really popular with the devops crowd, which is interesting, because most security products in devops focus on the dev, whereas Signal Sciences focusses more on the ops component. This week we speak to Signal Sciences co-founder Zane Lackey about this burgeoning market for security tooling geared towards non-security people. It’s actually a really interesting conversation. Non-security groups at large organisations are having to become security self-sufficient and it really is a game changer. More on that with Zane Lackey in this week’s sponsor interview. Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!
Aug. 3, 2017
This week’s feature interview is with Facebook CSO and Black Hat 2017 keynote speaker Alex Stamos. We’ll be digging a little deeper on some of the points he hit on in his talk in Las Vegas this year. I’ve linked through to a video of his keynote in this week’s show notes (below), and I’d really recommend you watch it. It was just very, very good. This week’s show is brought to you by Thinkst Canary. They’re best known for their little Canary honeypots: you put them on your network and they’ll alert you to all sorts of lateral movement. Thinkst’s founder and chief brain Haroon Meer will be along later on to talk about cloud security. He’ll be echoing some of the points made in our interview a few weeks back with Daniel Grzelak from Atlassian, as well as looking at how you can start to put together a somewhat coherent strategy for detecting when your cloud services get popped. Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!
July 19, 2017
In this week’s feature interview I speak with the Australian Prime Minister’s cyber security advisor Alastair MacGibbon about what it is that the Australian government is pushing for in terms of industry cooperation around surveillance. There’s been a lot of hype on this one. “Al Mac” joins the show to work through some of it, and honestly, Australia’s push at the moment is the sort of thing I think you can expect to see more of around the world, so this is an interview of global relevance. Some of that conversation hinges on a blog post I wrote on the weekend. If you want to, you can read that here. This week’s show is brought to you by Remediant! Remediant makes a product that’s designed to make lateral movement through a network much harder. Essentially it’s a way to restrict all privileged accounts on your infrastructure until you actually need them. So instead of being able to just log in to your production environment, you can actually set it up so you can enable the privilege you need for a set period of time. It’s a different approach to privilege management than things like password vaults, so if you work in an authentication group you’re going to want to hear what they have to say. Remediant CEO Tim Keeler is this week’s sponsor guest. Adam Boileau is this week’s news guest. We talk about all the continuing NotPetya drama at Maersk and FedEx/TNT, the AlphaBay latest and more. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!
July 18, 2017
This month’s Soap Box podcast is brought to you by AttackIQ, a company that makes attack simulation software. This is a wholly sponsored podcast that won’t bore you to tears. There are countless CISOs who listen to this podcast who’ve shovelled an awful lot of money at their organisation’s security controls. Whether that’s endpoint/AV or fancy network kit that’s supposed to detect exfil, the sad truth is most organisations have no way to know if their expensive kit is actually doing what it’s supposed to. Until, of course, they get breached. Then there is much wailing and gnashing of teeth. So the idea behind attack simulation is pretty simple. You load a lightweight agent onto your corporate systems, and the agent then runs scriptable attack scenarios that simulate attacker behaviour. These attack scripts might get some endpoints to start nmapping internal systems. They might start changing some registry keys or stimulate a bunch of disk activity that looks like an encryption/ransomware process. They might start sending off a bunch of dummy data via a DNS exfil technique. Did your endpoint solution catch the funny registry stuff? Did your network controls catch the simulated exfil? Now imagine you have 1,000 pre-coded attack simulations with all sorts of different combinations and permutations of attacker behaviours. How many of them do you actually need to run through before you can spot the weak points in your defences? Attack simulation is a great way to test and validate your security controls, and you can do it continuously. AttackIQ’s cofounder and CEO Stephan Chenette joined me to talk about attack simulation and what it’s good for.
July 12, 2017
On this week’s show we chat with Atlassian’s head of security, Daniel Grzelak, all about some AWS security tools he’s come up with. He also previews a new tool for generating AWS access key honeytokens at scale, which is really neat. This week’s show is brought to you by Veracode! Veracode’s director of developer engagement, Peter Chestna, will be along in this week’s sponsor interview to have a yarn about some common misunderstandings between security people and developers. We look at misunderstandings both ways. Adam Boileau is this week’s news guest. We talk about all the latest dark markets drama, plus the Great Nuclear Hax Freakout of 2017. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!
July 5, 2017
Adam Boileau has some out of town business to handle this week so he can’t join us in the news segment. But that’s ok, because industry legend Haroon Meer has very kindly agreed to fill in for him! We chat to Haroon shortly about all the latest NotPetya developments, we’ll also talk about the drama Kaspersky is experiencing right now, as well as dissecting the latest battle reports from the cryptowar! All the news is covered. This week’s show is brought to you by ICEBRG! ICEBRG’s co-founder, Will Peteroy, joins the show this week to chat a bit about what they’re up to. Will has an interesting background. He was the technical director of a government agency Red Team. That meant red team exercises against agencies, but he was also responsible for doing assessments on security products. He also put in a bunch of time at Microsoft where he was the endpoint for product security for Windows and Internet Explorer, which meant he was the recipient of oh-so-much-0day for around a year and a half. So yeah, Will knows what he’s doing, and he’s made a thing, and you’re going to hear about that thing after this week’s news. See links to show notes below, and follow Patrick or Haroon on Twitter if that’s your thing!
July 3, 2017
In this edition of the Risky Business Soap Box podcast we chat with the founder and CEO of Bugcrowd, Casey Ellis, about the establishment of the bug bounty market and how things have shaped up. We also look at where it’s going. The days of bounty programs being operated solely by large technology firms are long gone. Casey predicted that shift years ago. The question becomes, where will bounty programs be in three years from now? Well, Casey doesn’t shy away from making some bold predictions. He thinks most enterprises will have vulnerability reporting mechanisms within two years, and a substantial proportion of those will offer rewards to bug hunters via companies like Bugcrowd. He also sees bounty programs increasingly serving the specialist market. You can find Casey on Twitter here.
June 28, 2017
This week we’ll be chatting with Andy Greenberg from Wired about his cover story for that magazine. He travelled to Ukraine back in March to research his story on Russian attacks against the Ukrainian power network. He joins us this week to share the insights he gleaned during his travels. This week’s show is brought to you by SensePost. SensePost are based in South Africa and England, but they are very well known for offering training courses at Black Hat. This year will be the 17th year they’ve run training courses there… as can be expected, their brand new devops security course has gone absolutely gangbusters in terms of registrations this year, but they’re also offering a bunch of other courses. They’ll be joining us to chat about trends in training in this week’s sponsor interview. Adam Boileau, as always, drops by for the week’s news segment. You can add Patrick or Adam on Twitter if that’s your thing. Show notes are below…
June 7, 2017
On this week’s show we’re covering off all the big news of the week: the arrest of Reality Winner, the apparent hacks that have ratcheted up the political crisis in Qatar and the renewed calls for Internet companies to be more government-friendly. In this week’s feature interview we catch up with Samy Kamkar to get his take on what the lowering cost of hardware-based hacking could mean for our increasingly automated world. And in this week’s sponsor interview we chat with Duo Security’s Pepijn Bruienne about some recent attacks against the Mac OS software supply chain. Big thanks to Duo Security for sponsoring this week’s show. Duo makes all manner of kick-ass two factor authentication solutions; you can check them out at Duo.com. You can add Patrick or Adam on Twitter if that’s your thing. Show notes are below… Patrick is taking a vacation. Risky Business will return on June 28.
May 31, 2017
On this week’s show we’re taking a detour: this week’s feature interview has absolutely nothing to do with infosec. But it is related to the Internet. Sort of. If you squint a little. This week’s feature guest is John Safran. He’s been gracing television screens here in Australia for nearly 20 years, but John is also a rather brilliant author. I’ve just finished reading John’s new book, Depends What You Mean by Extremist: Going Rogue with Australian Deplorables. Honestly, it’s fascinating enough for me to just squeeze it into this show. Basically John wrote a book about the year and a half he spent hanging out with all sorts of extremists: left-wing Marxists, anarchists, right-wing anti-Islam types and even Islamic State supporters, some of whom are now up on terror-related charges. I speak to John about the Internet’s influence on extremism, as well as extremism in general. I highly, highly recommend this book. It’s a fascinating look at the contemporary political landscape through the eyes of extremist movements of all flavours, and it’s not a tough read. It’s actually quite funny and it’s really the most on-point thing I’ve read in a long, long time. This week’s show is brought to you by Bugcrowd, big thanks to them! And in this week’s sponsor interview we’ll chat with Casey Ellis, Bugcrowd’s founder and CEO. Now that outsourced bug bounties have gone mainstream, we know more about what they’re for and how people find them useful. So we speak to Casey about how a lot of orgs are basically just throwing the lower value testing out to bounties to free up their infosec teams to do higher value work. We talk about that and a couple of other points. Adam Boileau, as always, drops in to discuss the week’s security news! You can add Patrick or Adam on Twitter if that’s your thing. Show notes are below…
May 24, 2017
On this week’s show Adam pops in to discuss the week’s news. (Links below.) After the news segment Adam and Patrick both chat about topics near and dear to their hearts: shoddy infosec marketing and shoddy MSP security. This week’s show is brought to you by WordFence, a company that makes a WordPress security plugin. It’s not so much an enterprise security tool, but it turns out that when you run two million WordPress plugins you wind up collecting some pretty valuable threat intel and IOCs. WordFence’s Mark Maunder joins the show this week to talk about WordPress security and malware distribution! You can add Patrick or Adam on Twitter if that’s your thing. Show notes are below…
May 17, 2017
On this week’s show, of course, we are taking a deep dive on WannaCry. Most of the coverage of this debacle has actually been pretty bad, and there’s been nothing that I’ve seen that even approaches being comprehensive, so we’re going to try to fix that in this edition of the show. This week’s show is sponsored by Cylance, which, it must be said, didn’t “ambulance chase” this interview; they booked this sponsor slot in January this year. Cylance CEO Stuart McClure joins the show this week to talk about ambulance chasing, why it is that we still don’t have a decent technical analysis of WannaCry, and he generally gives us an industry view on this thing. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick or Adam on Twitter if that’s your thing.
May 10, 2017
We’ve got a real bread-and-butter show for you this week. Adam is along in this week’s news segment to talk about the latest on the Intel AMT bugs, Tavis Ormandy’s horror-show Windows Defender bug, the Macron email dump and more. In this week’s feature interview we speak with Adobe security engineer and OAuth 2 in Action co-author Antonio Sanso about what companies like Google might be able to do to make their OAuth implementations a little safer for users… Which, you know, might be something worth considering given an OAuth-based phishing attack was able to compromise something like a million Google accounts the other week. This week’s show is brought to you by Thinkst Canary! Canary is of course the wonderful little hardware honeypot device Thinkst makes that you can plug into your network that’ll let you know when you have attackers on your LAN. Thinkst’s head of development, Marco Slaviero, joins the show this week to talk about the CIA’s leaked watermarking solution Scribbles, as well as to talk a little about Thinkst’s so-called “bird guide”. It’s a document (linked below) with a bunch of advice for those of you considering using honeypots. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick or Adam on Twitter if that’s your thing.
May 8, 2017
This Soap Box edition is all about desktop microvirtualisation! Bromium has been around for about six years now, and they make an endpoint security package that is really, really different to other solutions in the market. The whole thing hinges on what they call Microvisors, which amount to hardware-enabled isolation on your desktop. Bromium’s software is basically a way to virtualise user tasks. Whether that’s working on a Word document or browsing an exploit-riddled lyrics website with Java and Flash enabled, the idea is that if an exploit gets dropped on you it gets trapped in a micro-VM. Personally, I’m a big fan of Bromium’s stuff. One of the things that kind of hindered the adoption of this tech in its early days is that it relies on CPU features that were basically new six years ago, so not everyone could run it. There was also a bit of a UX hit. But there’s good news! Hardware refresh cycles have taken their course, and now running Bromium’s software is viable in almost all enterprises. Where this goes from being interesting to downright compelling is if you’re an enterprise forced to run vulnerable software. I’m thinking specifically of old browsers running things like Java. In many organisations, running out-of-date crapware is a business requirement. Well, running Bromium on those endpoints will basically solve that problem. Sure, nothing is magic, but by the time you’ve finished listening to this conversation with Bromium co-founder and President Ian Pratt, I think you’ll definitely want to take a look at the tech. You should take a look at the tech, because it’s borderline impossible to solve that problem any other way. I hope you enjoy it!
May 4, 2017
On this week’s show we’re looking at an issue that kicked up last week when creepware scumbags Flexispy announced they were moving their bug bounty program to HackerOne. VICE journalist Joseph Cox asked HackerOne CEO Marten Mickos if he’d be happy to host their program, and his answer is as follows: “Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society.” A lot of people, myself included, didn’t react so well to that line of thinking. HackerOne CTO Alex Rice suggested he come on the show to talk about the company’s stance. As you’ll hear, Alex is pushing a much softer line than his CEO, but still says this is complicated. Stay tuned for that, at times, excruciating interview. This week’s sponsor interview is with Signal Sciences CSO and co-founder Zane Lackey. Zane was the head of security at Etsy, but he moved on to found Signal Sciences, a company that is making webapp security software that by all reports is pretty damn good. He joins us in the sponsor slot this week to talk about devops, WAFs and a whole bunch of other fun stuff. Adam Boileau, as usual, drops by to discuss the week’s news. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick or Adam on Twitter if that’s your thing.
April 26, 2017
Risky Business #452 – Are Wikileaks charges a threat to press freedom? Brookings fellow and former NSA attorney Susan Hennessey joins the show… Over the last week or so there’s been mounting speculation that the US government is getting serious about preparing charges against Wikileaks founder Julian Assange. The question is, could these charges threaten press freedom? Joining us to discuss that this week is Lawfare’s managing editor Susan Hennessey. This week’s show is brought to you by Senetas. Senetas makes layer two encryption equipment, but today they’re joining us to talk about some work they’re doing with ADVA Optical Networks in marrying their tech with some SDN stuff done at the telco level. Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick or Adam on Twitter if that’s your thing.
April 21, 2017
This is the first ever Snake Oilers podcast from Risky.biz. It’s a wholly sponsored podcast in which vendors pop in and take 10 minutes each to pitch the audience on their stuff. The idea behind this whole thing is so that infosec buyers can actually hear a bunch of ten minute pitches without having to go to lunch with a salesperson with giant shiny teeth who doesn’t really understand what they’re selling. These are product pitches from people who actually get the technology. And you know what? Even if you’re not a technology buyer, you’ll probably still find a lot of this interesting – it’s good to know how vendors are slicing and dicing some of the challenges we all face in security. In this edition: Exabeam says it can save you buttloads of cash compared to other SIEM solutions like Splunk or ArcSight. Senetas urges you not to use babby’s first encryptor cards and opt for its 100Gbps full line rate layer 2 encryptor instead. Kolide pitches its osquery-based EDR solution. If it’s good enough for Facebook, it’s good enough for you! Senrio pitches its impressive IoT network sensor and developer tools. Links below!
April 21, 2017
NOTE: We had to re-post this. Originally we linked to the wrong mp3 (soapbox1 instead of snakeoilers1). It was rectified within about five minutes, but caches gonna cache, so we’ve reposted it. Sorry if you downloaded it twice! This is the first ever Snake Oilers podcast from Risky.biz; the full description is in the entry above. Links below!
April 19, 2017
On this week’s show we talk about the latest Shadow Brokers shenanigans with Adam, as well as all the other major security news of the last couple of weeks. After that we’ll be chatting with Adam’s colleague at Insomnia Security, Pipes, about the interesting aspects to the dump – what did it teach us about how NSA rolls? Well, quite a lot, as it turns out. And yeah, the 0day bugs aren’t the interesting bit. This week’s show is sponsored by Tenable Network Security. This week Tenable’s VP of federal, Darron Makrokannis, will be along to talk about how to speed up federal government adoption of new tech – what’s the best way for that to happen? That’s this week’s sponsor interview! Links to items discussed in this week’s show have moved – they’re now included in this post, below. Oh, and do add Patrick or Adam on Twitter if that’s your thing.