Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/

Risky Business #500 -- Web asset discovery is getting useful


In this week’s feature interview we’ll be chatting with Shubham Shah and his friend Lord Tuskington about continuous asset discovery’s impact on testing methodologies. Shubs has worked as both a pentester and as a very successful bug bounty hunter. In fact he’s built an entire asset discovery platform that he and his buddies have been using to rip crazy amounts of cash out of bounty programs over the last few years and he’s turning that platform into a product. So I wanted to talk to him about that, but I also wanted to get a pentester’s perspective on how this type of continuous asset discovery tech could change the testing industry.

This week’s show is brought to you by Exabeam, a next generation SIEM company! And it’s amazing how nicely this week’s feature and sponsor interviews dovetail, actually, because Exabeam’s Steve Gailey will be along in this week’s sponsor interview to have a chat about how SIEM technology has changed much faster than SOC operations methodologies. Because basically everyone has structured their operations around three levels of response and the workflows are so ingrained, nobody seems to know what to do with a next generation SIEM.

Adam Boileau is also along, like always, to talk about the week’s security news.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes

- Alleged CIA Leaker Joshua Schulte Has Some of the Worst Opsec I’ve Ever Seen - Motherboard
- Accused CIA leaker Joshua Schulte accused of more leaks
- Alleged CIA Leaker Tweeted That Chelsea Manning ‘Should Be Executed’ - Motherboard
- Trump feels presidential smartphone security is “too inconvenient” | Ars Technica
- Trump, Chinese leaders moving forward on deal to save ZTE - The Washington Post
- House measure asks DHS to share info on potential ZTE cyberthreat
- Potential Trump deal to ease sanctions on China's ZTE riles Congress
- Revealed: Pentagon Push to Hack Nuke Missiles Before They Launch
- Banks Adopt Military-Style Tactics to Fight Cybercrime - The New York Times
- Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
- Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US - Motherboard
- LocationSmart bug allowed for leak of location data for nearly any U.S. phone - CyberScoop
- Who's Afraid of Kaspersky? - Motherboard
- New speculative-execution vulnerability strikes AMD, ARM, and Intel | Ars Technica
- After Arrest in Serbia, Netflix Hackers ‘The Dark Overlord’ Say They’re Still Going - Motherboard
- Cisco's Talos Intelligence Group Blog: TeleGrab - Grizzly Attacks on Secure Messaging
- North Korea-tied hackers used Google Play and Facebook to infect defectors | Ars Technica
- The Wayback Machine is Deleting Evidence of Malware Sold to Stalkers - Motherboard
- Latvian national convicted of running 'VirusTotal-for-criminals' malware scanner
- Alphabet's Jigsaw offers political campaigns free DDoS protection
- T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account — Krebs on Security
- Karin Kosina on Twitter: "So the guy behind the Carbanak malware that stole hundreds of millions of dollars? He was caught because he bought a car for 70k and didn't pay the bill. Can't make this sh** up :) #opsec #fail https://t.co/rRmFzywmVI"
- GPON Routers Attacked With New Zero-Day
- Cisco fixes critical ‘DNA’ software flaws
- Pakistan: Campaign of hacking, spyware and surveillance targets human rights defenders | Amnesty International
- AUSTRALIA'S DEADLIEST ANIMALS - SONG - YouTube


May 23, 2018 - 59m