Risky Business #357 -- Mark Dowd talks Rowhammer

12 Mar 2015 » Risky Business

On this week's show we're having a chat with Mark Dowd about the so-called Rowhammer exploit. And yeah, if you haven't heard about this one you're in for a treat. It's among the most badass research I've ever seen. You know, you can skin a cat with a knife, or you can do what the Google Project Zero team did and skin it with 300 synchronised lasers.

[NOTE: It's been pointed out that the post on the Project Zero blog is actually a guest post. The work was done by Googlers and published on the Google Zero blog, but these researchers aren't actually a part of the Project Zero team. Sorry for the confusion.]

In this week's sponsor episode we're chatting with Joseph Sokoly of Tenable Network Security about bugs like Freak. The fact is, if you're operating a web property and you're running your SSL config correctly, Freak wouldn't be a risk to your users when they're using your service.

But a lot of organisations just don't bother running best-practice configs. Why not? They're too busy putting out fires in their vuln management programs to deal with the low-hangers. Joseph stops by soon to talk about that.

(Joseph is also one of the voices of the Southern Fried Security Podcast. Check it out here, because I'm guessing if you're reading this you like security podcasts!)

Show notes

Patched Windows PC remained vulnerable to Stuxnet USB exploits since 2010 | Ars Technica

Stuxnet leak probe stalls for fear of confirming US-Israel involvement | Ars Technica

UK man arrested on suspicion of US Department of Defense hacking | Ars Technica

iSpy: The CIA Campaign to Steal Apple's Secrets

Errata Security: No, the CIA isn't stealing Apple's secrets

Australia to prosecute Heartbleed pentest in desperation to pin charges on Anonymous radio host | ZDNet

OpenSSL Security Audit Ready to Start | Threatpost | The first stop for security news

Anthem Refuses Audit Following Massive Breach | Threatpost | The first stop for security news

Why Clinton's Private Email Server Was Such a Security Fail | WIRED

Hillary Clinton Says Her Email Was Secure; She Can't Know | WIRED

Feds Indict Three in 2011 Epsilon Hack - Krebs on Security

Stop Spying on Wikipedia Users - NYTimes.com

Litecoin-mining code found in BitTorrent app, freeloaders hit the roof • The Register

Adobe Starts Vulnerability Disclosure Program on HackerOne | Threatpost | The first stop for security news

Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2 | Threatpost | The first stop for security news

Yahoo Patches Critical Small Business, eCommerce Bugs | Threatpost | The first stop for security news

Dropbox Patches Remotely Exploitable Vulnerability in SDK | Threatpost | The first stop for security news

Facebook Users Open to Attack Via Several Security Bugs | Threatpost | The first stop for security news

Patch Tuesday patches FREAK, Universal XSS | Ars Technica

Microsoft Fixes Stuxnet Bug, Again - Krebs on Security

You Am I - Soldiers - YouTube