Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance

We're back!
21 Jan 2016 » Risky Business

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things.

  • We'll be talking about moves by both browser developers and some CAs to deprecate SHA-1 signed certificates. He argues we need to keep supporting SHA-1 for now, and explains why.
  • We're also chatting with him about the Juniper fiasco.
  • We also get his thoughts on NSA surveillance now that he's responsible for the security of user information at the world's biggest social media platform.

In this week's sponsor interview we chat with Tenable Network Security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's happening outside your network doesn't mean you should treat these services as a big blind spot. That's this week's sponsor interview, with big thanks to Tenable Network Security, this week's sponsor!

Adam Boileau is back this week to discuss the news headlines we missed while we were on break.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica
http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-fir...

New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED
http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raise...

Researchers confirm backdoor password in Juniper firewall code | Ars Technica
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-pas...

Juniper drops NSA-developed code following new backdoor revelations | Ars Technica
http://arstechnica.com/security/2016/01/juniper-drops-nsa-developed-code...

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears | Ars Technica
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-passwo...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

Phone crypto scheme "facilitates undetectable mass surveillance" | Ars Technica
http://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitat...

The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED
http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan...

Everything We Know About Ukraine's Power Plant Hack | WIRED
http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-pla...

Analysis confirms coordinated hack attack caused Ukrainian power outage | Ars Technica
http://arstechnica.com/security/2016/01/analysis-confirms-coordinated-ha...

Royal Melbourne Hospital attacked by damaging computer virus
http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-d...

Internet Explorer End of Support
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

Judge Rules Kim Dotcom Can Be Extradited to US to Face Charges | WIRED
http://www.wired.com/2015/12/kim-dotcom-extradition-ruling/

In Silk Road Appeal, Ross Ulbricht's Defense Focuses on Corrupt Feds | WIRED
http://www.wired.com/2016/01/ross-ulbrichts-defense-focuses-on-corrupt-f...

Security firm sued for filing "woefully inadequate" forensics report | Ars Technica
http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-wo...

US Intelligence director's personal e-mail, phone hacked | Ars Technica
http://arstechnica.com/security/2016/01/us-intelligence-directors-person...

Researchers uncover JavaScript-based ransomware-as-service | Ars Technica
http://arstechnica.com/security/2016/01/researchers-uncover-javascript-b...

Microsoft may have your encryption key; here's how to take it back | Ars Technica
http://arstechnica.com/information-technology/2015/12/microsoft-may-have...

Common payment processing protocols found to be full of flaws | Ars Technica
http://arstechnica.com/security/2015/12/common-payment-processing-protoc...

Critical Yahoo Mail Flaw Patched, $10K Bounty Paid | Threatpost
https://threatpost.com/critical-yahoo-mail-flaw-patched-10k-bounty-paid/...

GM embraces white-hat hackers with public vulnerability disclosure program | Ars Technica
http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-publ...

Google slams AVG for exposing Chrome user data with "security" plugin | Ars Technica
http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-ch...

Google security researcher excoriates TrendMicro for critical AV defects | Ars Technica
http://arstechnica.com/security/2016/01/google-security-researcher-excor...

Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC | Ars Technica
http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torped...

Cisco Patches Hardcoded Password, DoS Vulnerabilities in Software | Threatpost
https://threatpost.com/cisco-patches-hardcoded-password-dos-vulnerabilit...

Microsoft Silverlight Zero Day Vulnerability Patched | Threatpost
https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/...

Bug that can leak crypto keys just fixed in widely used OpenSSH | Ars Technica
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-ju...

Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-milli...

January 2016 Oracle Critical Patch Update 248 Patches | Threatpost
https://threatpost.com/oracle-releases-record-number-of-security-patches...

Oracle settles with FTC over Java's "deceptive" security patching | Ars Technica
http://arstechnica.com/information-technology/2015/12/oracle-settles-wit...

With funds stolen in hack, cryptocurrency company mulls bankruptcy | Reuters
http://www.reuters.com/article/bankruptcy-cryptsy-idUSL2N1530M9

Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early | Ars Technica
http://arstechnica.com/information-technology/2015/12/google-considers-f...

Firefox ban on SHA-1 certs causing some security issues, Mozilla warns | Ars Technica
http://arstechnica.com/security/2016/01/firefoxs-ban-of-sha-1-certs-caus...