Risky Business

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable. Links to everything that we discussed are below, including...

On this edition of Snake Oilers we hear from three companies, and for one of them, it’s actually their product launch! Assetnote is a cloud asset discovery and security scanning platform spun out of the bug bounty community. If you’re a CSO with any large public attack surface you’ll really want to hear about that one. This platform finds things you didn’t even know your company had online in cloud environments and then scans them for real, actual RCEs. The user interface is awesome,...

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: This week’s podcast is brought to you by AttackIQ. AttackIQ founder Stephan Chenette will be along in this week’s sponsor interview to talk to us about a few things – the MITRE attack matrix being one. He’ll also share with us his view that EDR is the most commonly misconfigured security technology he sees out there, and he has pretty good visibilty into things like that because AttackIQ,...

The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers, mean the developers of non-Windows-based malware have been pretty busy lately In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an...

We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right in to the sponsor interview with Zane Lackey of Signal Sciences. A bunch of you heard my long form, Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good...

We’ve got two vendors pitching their wares in this edition of Snake Oilers. First up we’re talking to Rapid7 about its vulnerability scanning and management software. They’ve made some changes and they’ve got a couple more coming. This is bread and butter infosec stuff. Then we’re going to hear from the team at ITProTV. They’re a video-based online training site, pitching themselves as like a Netflix but for online training. Instead of instructor-led training, they try to make stuff less...

In this podcast you’ll hear an interview I did with Bob Lord, the Chief Security Officer for the Democratic National Committee, the DNC. Bob has previously served as the CISOs for both Yahoo and Twitter, before spending some time in vendorland with Rapid7 as their CISO in residence. The state-sponsored attack against the DNC is without doubt the most politically consequential data theft event the planet has ever witnessed. It trumped both the Manning/Wikileaks disclosures and...

On this week’s show we’ll be running through the week’s security news, then diving right on in to a sponsor interview with Lauren Pearl of Trail of Bits. She’s joining us to talk about something Trail of Bits have been up to lately: adding features to open source software – and auditing open source software – on behalf of its customers. I do have a feature interview this week, but it’s a long one so I’ll be breaking that out in to a separate podcast. It’s a nice long chat with Bob Lord,...

In this breakout podcast we chat with Adam Boileau about the talks that caught his attention in Las Vegas a couple of weeks ago. The Black Hat PR team were kind enough to credential Adam for the con so he could go and see a few talks with his Risky Business hat on. I was at Black Hat but spent most of my time running around like a headless chicken. These days Vegas week for me is mostly about locking in the next year’s sponsorships, as well as catching up with friends I hardly ever see....

Adam and I have just returned from Black Hat and DEF CON in Las Vegas, so in this week’s show we’re going to have a look at the infosec news we missed over last couple of weeks. We did plan to recap Black Hat in this podcast, but we’ve wound up a bit short on space so I’m busting that out into a separate podcast that I’ll publish on Monday. So this podcast will just be a discussion around news plus a sponsor interview. The news we’re covering: Bugcrowd CTO Casey Ellis joins us in this...

On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector aren’t doing. He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community. This week’s show is brought to you by Duo Security! And Duo’s...

What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences. Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences. They give you visibility in to attacks against your applications, and even auto-blocking a bunch of them without that turning...

We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest. We talk about: This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to...

There’s no weekly show this week, I’m on a beach somewhere tropical right now and I prepared this one so we’d have something to run while I’m away. The Soap Box is one of our wholly sponsored podcasts here at Risky Biz HQ – vendors pay to come on to talk about what’s on their mind. And this week we’ve got Cylance’s very own Chris Sestito joining us. He heads threat research for Cylance, the AV company. Cylance is a relatively new company – they’ve been around about six years now – and...

Snake Oilers is a wholly sponsored podcast series we a few times a year here at Risky Biz HQ. The idea is we get a bunch of vendors together and they pitch their tech in a straightforward way. Less “stops advanced cyber threats” and more “here’s what our stuff does and how it works”. You’re hearing this instead of a weekly show because I am currently on a beach somewhere tropical. We’ve got two vendors in this edition of ‘Oilers: next-gen SIEM platform company Exabeam and email filtering...

On this week’s show we’re chatting with a PR pro who specialises in information security. Melanie Ensign currently works at Uber, but she also served as a security PR for Facebook and before that, AT&T. She drops in this week to talk about how you can work with the PR professionals in your organisation to help tell your security story to the wider world. She also has some great tips for infosec professionals who might be a bit nervous about dealing with journalists. In this week’s sponsor...

No feature interview in this week’s show, we go long on news instead. Adam Boileau joins the podcast to talk through the week’s infosec news, including: This week’s show is brought to you by Thinkst Canary. Thinkst’s very own Marco Slaviero joins us in this week’s sponsor segment to talk about how some vendors are derping out when it comes to creating needlessly complicated “deception platforms”. Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your...

First up in this edition of Snake Oilers we speak with Rapid7. Listeners of the regular show would have heard me talk about their UserInsight software for years. That’s because I knew people who used it and they swore by it. UserInsight was user and entity behaviour analytics (UEBA) software that was massively ahead of its time. It was very good at spotting weird things happening on your network when it comes to dumped or compromised creds popping up in weird places. Well, InsightIDR is...

On this week’s show we’re chatting with Alex Tilley. He’s with Secureworks in Australia these days, but before that he spent a big chunk of his career with the Australian Federal Police. He did a presentation a few weeks back at the AusCERT conference all about what fraud crews are up to these days. He’ll be joining us to walk through how much damage West African crime groups are doing with compromised office 365 accounts. We also talk a bit about trends in money muling, because that game...

You might have noticed North Korea’s been in the news over the last couple of days. Well, we’re sticking with the theme – we’ve got a great feature interview for you this week with Andrea Berger. She’s a senior research associate at the US-based James Martin Centre for Nonproliferation Studies and the co-host of the Arms Control Wonk podcast. This week she speaks with Risky Business contributor Hilary Louise about a report the centre did into North Korea’s IT industry. Yep, they have one,...