Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock

PLUS news with Adam, and Rahul Kashyap on malvertising...
03 Oct 2014 » Risky Business

On this week's show we're chatting with Neel Mehta, a security researcher with Google. Neel is best known for finding the Heartbleed bug, and he joins us this week to talk about Heartbleed, ShellShock, the security of SSL stacks and where he expects vuln research to go in the future.

Funnily enough this is Neel's first interview about Heartbleed, so I guess we can call this a scoop!

This week's show is brought to you by Bromium, makers of fine, fine exploit mitigation software. Personally I'm a real fan of Bromium's stuff. They're relatively new, but if you have a Java problem in your enterprise, as in, you have to have Java in your enterprise, Bromium has a solution for you -- they make micro-vm software that mitigates memory corruption bugs and it's actually quite good.

Bromium's chief security architect Rahul Kashyap joins us this week to talk about some malvertising research he presented at the virus bulletin conference recently, and he also previews the results of Bromium's code audit. That's right, a security software company actually had their software audited! Bowl me over. The audit report will be available next week, but we get the inside scoop on that before it's out.

Show notes

JPMorgan hack exposed data of 83 million, among biggest breaches in history
http://www.theage.com.au/business/world-business/jpmorgan-hack-exposed-d...

Xen Bug Could cause Crashes, Expose Cloud Data | Threatpost | The first stop for security news
http://threatpost.com/serious-hypervisor-bug-fix-causes-unexpected-cloud...

Musings on the recent Xen Security Advisories | Bromium Labs
http://labs.bromium.com/2014/10/01/musings-on-the-recent-xen-security-ad...

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 | Ars Technica
http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-i...

OpenVPN vulnerable to Shellshock Bash vulnerability | Threatpost | The first stop for security news
http://threatpost.com/openvpn-vulnerable-to-shellshock-bash-vulnerabilit...

Fiora\u202e\u2604anreteA on Twitter: "RT "cmd.exe #shellshock" @dakami: "this is why we can't have nice strings" http://t.co/9LPTbtVazr"
https://twitter.com/FioraAeterna/status/517791046835920897

Silk Road Lawyers Poke Holes in FBI's Story - Krebs on Security
http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-holes-in-fbis-...

The Unpatchable Malware That Infects USBs Is Now on the Loose | WIRED
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan
https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-tr...

If the information from https://www.lacoon.com/lacoon-discovers-xsser-mrat-first - Pastebin.com
http://pastebin.com/Zkhpn8bG

Holder urges tech companies to leave device backdoors open for police - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/30/holder-urge...

Cops Are Handing Out Spyware to Parents-With Zero Oversight | WIRED
http://www.wired.com/2014/10/cops-giving-parents-spyware/

The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED
http://www.wired.com/2014/10/stealthgenie-indictment/

CloudFlare Rolls Out Free SSL | Threatpost | The first stop for security news
http://threatpost.com/cloudflare-rolls-out-free-ssl/108593

FBI to Open Up Malware Investigator Portal to External Researchers | Threatpost | The first stop for security news
http://threatpost.com/fbi-to-open-up-malware-investigator-portal-to-exte...

Chrome bug hunters, Google's giving you a raise - CNET
http://www.cnet.com/news/chrome-bug-hunters-googles-giving-you-a-raise/

WPScan Vulnerability Database WordPress Security Resource | Threatpost | The first stop for security news
http://threatpost.com/wpscan-vulnerability-database-a-new-wordpress-secu...

Second Same-Origin Policy Bypass Flaw Haunts Android Browser | Threatpost | The first stop for security news
http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-andro...

Advertising firms struggle to kill malvertisements | Ars Technica
http://arstechnica.com/security/2014/09/advertising-firms-struggle-to-ki...

www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf
http://www.bromium.com/sites/default/files/bromium-report-optimized-mal-...

The Basics
https://www.facebook.com/thebasics

Leftovers | The Basics
http://thebasics.bandcamp.com/album/leftovers-2

SUBSCRIBE NOW:
Risky Business main podcast feed:
Listen on Apple Podcasts Listen on Overcast Listen on Pocket Casts Listen on Spotify Subscribe with RSS
Our extra podcasts feed:
Listen on Apple Podcasts Listen on Overcast Listen on Pocket Casts Listen on Spotify Subscribe with RSS
Subscribe to our newsletters: