Risky Business #384 -- Mark Dowd talks AirDrop pwnage, XCode iOS scandal

PLUS ContextIS consultant David Klein drops some comedy bugs in cloud services...
24 Sep 2015 » Risky Business

We've got a great show for you this week. Mark Dowd drops by to talk about the recent spate of Trojaned iOS apps that made it into Apple's China App Store. We also talk to him about his awesome AirDrop bug. How did it work?

This week's sponsor segment is actually a real cracker. Context IS consultant David Klein tells us how he owned an entire cloud platform by enumerating some shitty 90s-style bugs in some third party libraries they were using. It's comedy gold. This cloud platform that uses security at a selling point. It's bad.

Really embarrassing.

It's great work and the sort of research you expect to see out of a company like Context IS, who are, of course, this week's sponsor.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

OPM breach included five times more stolen fingerprints | Ars Technica
http://arstechnica.com/security/2015/09/opm-breach-included-five-times-m...

Inside Target Corp., Days After 2013 Breach - Krebs on Security
http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-br...

XcodeGhost apps haunting iOS App Store more numerous than first reported | Ars Technica
http://arstechnica.com/security/2015/09/xcodeghost-apps-haunting-ios-app...

Spy Agency Contractor Puts Out a $1M Bounty for an iPhone Hack | WIRED
http://www.wired.com/2015/09/spy-agency-contractor-puts-1m-bounty-iphone...

Google's own researchers challenge key Android security talking point | Ars Technica
http://arstechnica.com/security/2015/09/googles-own-researchers-challeng...

Symantec employees fired for issuing rogue HTTPS certificate for Google | Ars Technica
http://arstechnica.com/security/2015/09/symantec-employees-fired-for-iss...

In blunder threatening Windows users, D-Link publishes code-signing key | Ars Technica
http://arstechnica.com/security/2015/09/in-blunder-threatening-windows-u...

Active malware campaign uses thousands of WordPress sites to infect visitors | Ars Technica
http://arstechnica.com/security/2015/09/active-malware-campaign-uses-tho...

Serious Imgur bug exploited to execute worm-like attack on 8chan users | Ars Technica
http://arstechnica.com/security/2015/09/serious-imgur-bug-exploited-to-e...

Trojan targets online poker sites, peeks at players' cards | Ars Technica
http://arstechnica.com/security/2015/09/trojan-targets-online-poker-site...

Seven years of malware linked to Russian state-backed cyber espionage | Ars Technica
http://arstechnica.com/security/2015/09/seven-years-of-malware-linked-to...

Security wares like Kaspersky AV can make you more vulnerable to attacks | Ars Technica
http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av...

China tells US tech companies to sign PRISM-like cyber-loyalty pact | Ars Technica
http://arstechnica.com/tech-policy/2015/09/china-tells-us-tech-companies...

India's daft draft anti-encryption law torn up after world+dog points out its stupidity \u2022 The Register
http://www.theregister.co.uk/2015/09/22/india_encryption_withdrawl/

Malvertisers slam Forbes, Realtor with world's worst exploit kits \u2022 The Register
http://www.theregister.co.uk/2015/09/23/malvertising_forbes/

Hackers Launch Balloon Probe Into the Stratosphere to Spy on Drones | WIRED
http://www.wired.com/2015/09/balloon-spy-probe-deep-sweep/

IT security spending to hit $75.4bn in 2015 despite currency issues, says Gartner \u2022 The Register
http://www.theregister.co.uk/2015/09/23/it_spending_forecast_gartner/

SONY HACK WAS WAR says FBI, and 'we're still struggling to hire talent' \u2022 The Register
http://www.theregister.co.uk/2015/09/18/sony_hack_was_war_says_fbi_still...

Control Flow Guard Mitigation Bypass | Threatpost | The first stop for security news
https://threatpost.com/bypass-developed-for-microsoft-memory-protection-...

Hack Brief: Mobile Manager's Security Hole Would Let Hackers Wipe Phones | WIRED
http://www.wired.com/2015/09/hack-brief-popular-mobile-phone-manager-ope...

Crash Google Chrome with one tiny URL: We cram a probe in this bug \u2022 The Register
http://www.theregister.co.uk/2015/09/20/chrome_url_crash/

Adobe Patches 23 Vulnerabilities in Flash Player | Threatpost | The first stop for security news
https://threatpost.com/adobe-patches-23-critical-vulnerabilities-in-flas...

Bugzilla Privilege Escalation Security Patch | Threatpost | The first stop for security news
https://threatpost.com/details-surface-on-patched-bugzilla-privilege-esc...

Context Information Security
http://www.contextis.com/

HopeStreet Recordings | The heart and soul of Brunswick since 2009
http://www.hopestreetrecordings.com/

SUBSCRIBE NOW:
Risky Business main podcast feed:
Listen on Apple Podcasts Listen on Overcast Listen on Pocket Casts Listen on Spotify Subscribe with RSS
Our extra podcasts feed:
Listen on Apple Podcasts Listen on Overcast Listen on Pocket Casts Listen on Spotify Subscribe with RSS
Subscribe to our newsletters: