On this week's show we're having a chat with Mark Dowd about the so-called Rowhammer exploit. And yeah, if you haven't heard about this one you're in for a treat. It's among the most badass research I've ever seen. You know, you can skin a cat with a knife, or you can do what the Google Project Zero team did and skin it with 300 synchronised lasers.
[NOTE: It's been pointed out that the post on the Project Zero blog is actually a guest post. The work was done by Googlers and published on the Google Zero blog, but these researchers aren't actually a part of the Project Zero team. Sorry for the confusion.]
In this week's sponsor episode we're chatting with Joseph Sokoly of Tenable Network Security about bugs like Freak. The fact is, if you're operating a web property and you were running your SSL config correctly, Freak wouldn't be a risk to your users when they're using your service.
But a lot of organisations just don't bother running best-practice configs. Why not? They're too busy putting out fires in their vuln management programs to deal with the low-hangers. Joseph stops by soon to talk about that.
(Joseph is also one of the voices of the Southern Fried Security Podcast. Check it out here, because I'm guessing if you're reading this you like security podcasts!)
Show notes
Patched Windows PC remained vulnerable to Stuxnet USB exploits since 2010 | Ars Technica
http://arstechnica.com/security/2015/03/patched-windows-pc-remained-vuln...
Stuxnet leak probe stalls for fear of confirming US-Israel involvement | Ars Technica
http://arstechnica.com/tech-policy/2015/03/stuxnet-leak-probe-stalls-for...
UK man arrested on suspicion of US Department of Defense hacking | Ars Technica
http://arstechnica.com/tech-policy/2015/03/uk-man-arrested-on-suspicion-...
iSpy: The CIA Campaign to Steal Apple's Secrets
https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-ap...
Errata Security: No, the CIA isn't stealing Apple's secrets
http://blog.erratasec.com/2015/03/no-cia-isnt-stealing-apples-secrets.ht...
Australia to prosecute Heartbleed pentest in desperation to pin charges on Anonymous radio host | ZDNet
http://www.zdnet.com/article/australia-to-prosecute-heartbleed-pentest-i...
OpenSSL Security Audit Ready to Start | Threatpost | The first stop for security news
https://threatpost.com/openssl-security-audit-ready-to-start/111538
Anthem Refuses Audit Following Massive Breach | Threatpost | The first stop for security news
https://threatpost.com/anthem-refusing-oig-security-audit-following-brea...
Why Clinton's Private Email Server Was Such a Security Fail | WIRED
http://www.wired.com/2015/03/clintons-email-server-vulnerable/
Hillary Clinton Says Her Email Was Secure; She Can't Know | WIRED
http://www.wired.com/2015/03/hillary-clinton-says-email-secure-cant-know/
Feds Indict Three in 2011 Epsilon Hack - Krebs on Security
http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/
Stop Spying on Wikipedia Users - NYTimes.com
http://www.nytimes.com/2015/03/10/opinion/stop-spying-on-wikipedia-users...
Litecoin-mining code found in BitTorrent app, freeloaders hit the roof \u2022 The Register
http://www.theregister.co.uk/2015/03/07/utorrent_epic_scale_mining_softw...
Adobe Starts Vulnerability Disclosure Program on HackerOne | Threatpost | The first stop for security news
https://threatpost.com/adobe-starts-vulnerability-disclosure-program-on-...
Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2 | Threatpost | The first stop for security news
https://threatpost.com/apple-fixes-freak-bug-icloud-flaw-in-ios-8-2/111553
Yahoo Patches Critical Small Business, eCommerce Bugs | Threatpost | The first stop for security news
https://threatpost.com/yahoo-patches-critical-ecommerce-small-business-v...
Dropbox Patches Remotely Exploitable Vulnerability in SDK | Threatpost | The first stop for security news
https://threatpost.com/dropbox-patches-remotely-exploitable-vulnerabilit...
Facebook Users Open to Attack Via Several Security Bugs | Threatpost | The first stop for security news
https://threatpost.com/facebook-users-open-to-attack-via-several-securit...
Patch Tuesday patches FREAK, Universal XSS | Ars Technica
http://arstechnica.com/information-technology/2015/03/patch-tuesday-patc...
Microsoft Fixes Stuxnet Bug, Again - Krebs on Security
http://krebsonsecurity.com/2015/03/microsoft-fixes-stuxnet-bug-again/
You Am I - Soldiers - YouTube
https://www.youtube.com/watch?v=P1SV4v_qtBI
Rowhammer
http://www.rowhammer.com/