Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock

PLUS news with Adam, and Rahul Kashyap on malvertising...
03 Oct 2014 » Risky Business

On this week's show we're chatting with Neel Mehta, a security researcher with Google. Neel is best known for finding the Heartbleed bug, and he joins us this week to talk about Heartbleed, ShellShock, the security of SSL stacks and where he expects vuln research to go in the future.

Funnily enough this is Neel's first interview about Heartbleed, so I guess we can call this a scoop!

This week's show is brought to you by Bromium, makers of fine, fine exploit mitigation software. Personally I'm a real fan of Bromium's stuff. They're relatively new, but if you have a Java problem in your enterprise, as in, you have to have Java in your enterprise, Bromium has a solution for you -- they make micro-vm software that mitigates memory corruption bugs and it's actually quite good.

Bromium's chief security architect Rahul Kashyap joins us this week to talk about some malvertising research he presented at the Virus Bulletin conference recently, and he also previews the results of Bromium's code audit. That's right, a security software company actually had their software audited! Bowl me over. The audit report will be available next week, but we get the inside scoop on that before it's out.

Show notes

JPMorgan hack exposed data of 83 million, among biggest breaches in history

Xen Bug Could cause Crashes, Expose Cloud Data | Threatpost | The first stop for security news

Musings on the recent Xen Security Advisories | Bromium Labs

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 | Ars Technica

OpenVPN vulnerable to Shellshock Bash vulnerability | Threatpost | The first stop for security news

Fiora Aeterna on Twitter: "RT "cmd.exe #shellshock" @dakami: "this is why we can't have nice strings" http://t.co/9LPTbtVazr"

Silk Road Lawyers Poke Holes in FBI's Story - Krebs on Security

The Unpatchable Malware That Infects USBs Is Now on the Loose | WIRED

Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan

If the information from https://www.lacoon.com/lacoon-discovers-xsser-mrat-first - Pastebin.com

Holder urges tech companies to leave device backdoors open for police - The Washington Post

Cops Are Handing Out Spyware to Parents - With Zero Oversight | WIRED

The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED

CloudFlare Rolls Out Free SSL | Threatpost | The first stop for security news

FBI to Open Up Malware Investigator Portal to External Researchers | Threatpost | The first stop for security news

Chrome bug hunters, Google's giving you a raise - CNET

WPScan Vulnerability Database WordPress Security Resource | Threatpost | The first stop for security news

Second Same-Origin Policy Bypass Flaw Haunts Android Browser | Threatpost | The first stop for security news

Advertising firms struggle to kill malvertisements | Ars Technica
