Risky Business #365 -- Defence in derpth

PLUS: No more patch Tuesday?
07 May 2015 » Risky Business

This week's show is brought to you by Bugcrowd -- crowdsourced security testing. Bugcrowd founder and CEO Casey Ellis will join us in this week's sponsor interview to tell us about the latest trends in bounties and crowdsourced security.

He's got some useful info. It turns out bounty participants are getting better at OSINT collection as part of their testing: credentials and other secrets sitting in GitHub and other repos where they shouldn't be are giving these guys easy wins. We'll also talk about the latest trends in who's running bounty programs. It's not just companies testing web and mobile apps these days; they're doing a bunch more work on IoT and installable software. It's a solid trend.

There's no feature interview in this week's show because, well, it was a pretty slow week. I was expecting last week's US House hearing into possible US responses to encryption technology to give me heaps of feature material for this week's show, but it was actually a bit of a fizzer, which is pretty awesome, actually.

Adam Boileau, as usual, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Windows Update for Business Uproots Patch Tuesday | Threatpost | The first stop for security news

A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent…

Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday • The Register

With Lock Research, Another Battle Brews in the War Over Security Holes | WIRED

Vulnerability-Riddled Drug Pumps Open to Takeover | Threatpost | The first stop for security news

Interpol alerted as teenage hacker from Perth flees to Europe | The Australian

Programmer Convicted in Bizarre Goldman Sachs Case-Again | WIRED

WikiLeaks Finally Brings Back Its Submission System for Your Secrets | WIRED

How Selerity reported Twitter's earnings-before Twitter did | Ars Technica

'Just follow the damn Constitution!' FBI, DoJ skewered over demands for crypto backdoors • The Register

Congress, Crypto and Craziness | Threatpost | The first stop for security news

Zuck'ed up: Facebook opens up free internet in India - but bans HTTPS • The Register

Foiling Pump Skimmers With GPS - Krebs on Security

PayIvy Sells Your Online Accounts Via PayPal - Krebs on Security

Google Research Reveals Profitable, Pervasive Ad Injector Ecosystem | Threatpost | The first stop for security news

Microsoft LAPS Tool Addresses Local Admin Password Problem | Threatpost | The first stop for security news

Netflix Releases FIDO Incident Response Tool | Threatpost | The first stop for security news

Google Updates Password Alert Extension, But Some Bypasses Still Work | Threatpost | The first stop for security news

Super secretive malware wipes hard drive to prevent analysis | Ars Technica

Dyre Banking Trojan Avoids Sandbox Detection | Threatpost | The first stop for security news

The BACKRONYM MySQL Vulnerability - Blog - Duo Security

Behold: the drop-dead simple exploit that nukes Google's Password Alert | Ars Technica

Actively exploited WordPress bug puts millions of sites at risk | Ars Technica

Spam-blasting malware infects thousands of Linux and FreeBSD servers | Ars Technica

Lenovo System Update Vulnerabilities Patched | Threatpost | The first stop for security news

Sally Beauty Card Breach, Part Deux? - Krebs on Security

02 - Mammal - Think - YouTube