On this week's show we're taking a look at the backstory to the ImageMagick bug. There's a fair bit more to that one than has been reported so far and we'll chat with Ryan Huber about that.
This week's show is sponsored by BugCrowd, so in this week's sponsor interview we're joined by Casey Ellis, BugCrowd's CEO. We're also joined by Katie Moussouris, former chief policy officer from HackerOne. She's now a freelance bug bounty consultant working across the whole industry and she's got some interesting stuff to say about where all this bounty madness is headed.
We have a chat about what she's up to, why she launched a consulting business, and I get Casey and Katie's thoughts on what the next five years could look like in bug bounty land.
Adam Boileau, as always, stops by to discuss the week's news headlines.
Oh, and do add Patrick and Adam on Twitter if that's your thing.
Show notes
UPDATE: When these notes were first posted the link to the php bugs discussed wasn't in them. Here it is:
https://github.com/dyntopia/exploits
--
$1B Bangladesh heist: Officials say SWIFT technicians left bank vulnerable | Ars Technica
http://arstechnica.com/security/2016/05/1b-bangladesh-heist-officials-sa...
You Don't See This Often: Simultaneous FBI, DHS, and DoD Cyber Espionage Alerts | Motherboard
http://motherboard.vice.com/read/rare-simultaneous-fbi-dhs-and-dod-cyber...
Yahoo Releases Second Wave Unsealed FISA Documents | Threatpost | The first stop for security news
https://threatpost.com/yahoo-releases-second-wave-of-unsealed-fisc-docum...
Twitter Denies Intelligence Community Fire Hose Access Via Dataminr | Threatpost | The first stop for security news
https://threatpost.com/twitter-turns-off-fire-hose-for-intelligence-comm...
How a security pro's ill-advised hack of a Florida elections site backfired | Ars Technica
http://arstechnica.com/security/2016/05/how-a-security-pros-ill-advised-...
PwnedList Shutdown Unrelated to Parameter Tampering Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/pwnedlist-shutdown-unrelated-to-recent-vulnerabil...
Another Day, Another Hack: Passwords and Sexual Desires for Dating Site 'Fling' | Motherboard
http://motherboard.vice.com/read/another-day-another-hack-passwords-and-...
Another Day, Another Hack: Is Your Fisting Site Updating Its Forum Software? | Motherboard
http://motherboard.vice.com/read/rosebuttboard-ip-board
No more get-out-of-jail-free card for CryptXXX ransomware victims | Ars Technica
http://arstechnica.com/security/2016/05/no-more-get-out-of-jail-free-car...
Someone Replaced Notorious 'Locky' Ransomware With a Dud File | Motherboard
http://motherboard.vice.com/read/someone-replaced-notorious-locky-ransom...
Microsoft and Adobe warn of separate zero-day vulnerabilities under attack | Ars Technica
http://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attac...
New Windows 10 build kills controversial password-sharing Wi-Fi Sense | ExtremeTech
http://www.extremetech.com/computing/228259-new-windows-10-build-kills-c...
New Security Flaw Found in Lenovo Solution Center Software | Threatpost | The first stop for security news
https://threatpost.com/new-security-flaw-found-in-lenovo-solution-center...
Tavis Ormandy on Twitter: "Many remote stack overflows in Symantec Endpoint. No big deal, because /GS is the default since 2005, right? Hahaha. https://t.co/ac40M0Ki90"
https://twitter.com/taviso/status/730249521247068162
Critical Qualcomm security bug leaves many phones open to attack | Ars Technica
http://arstechnica.com/security/2016/05/5-year-old-android-vulnerability...
Chinese ARM vendor left developer backdoor in kernel for Android, "Pi" devices | Ars Technica
http://arstechnica.com/security/2016/05/chinese-arm-vendor-left-develope...
Viking Horde Malware Co-Ops Android Devices for Ad Fraud | Threatpost | The first stop for security news
https://threatpost.com/viking-horde-malware-co-ops-android-devices-for-a...
SS7 Attack Circumvents WhatsApp and Telegram Encryption
http://news.softpedia.com/news/ss7-attack-leaves-whatsapp-and-telegram-e...
Feds probe mobile phone industry over the sad state of security updates | Ars Technica
http://arstechnica.com/security/2016/05/feds-probe-mobile-industrys-secu...
Security researcher Stefan Esser releases iPhone & iPad jailbreak detection tool in iOS App Store | 9to5Mac
http://9to5mac.com/2016/05/10/security-research-stefan-esser-releases-ip...
Microsoft Security Intelligence Report: Top Takeaways | Threatpost | The first stop for security news
https://threatpost.com/old-exploits-die-hard-says-microsoft-report/117918/
Attackers Targeting Critical SAP Flaw Since 2013 | Threatpost | The first stop for security news
https://threatpost.com/attackers-targeting-critical-sap-flaw-since-2013/...
Facebook Capture The Flag Platform Open Source | Threatpost | The first stop for security news
https://threatpost.com/facebook-makes-its-ctf-platform-freely-available/...
Snowden's Surveillance Leaks Made People Less Likely to Read About Surveillance | Motherboard
http://motherboard.vice.com/read/snowdens-surveillance-leaks-made-people...
lcamtuf's blog: Clearing up some misconceptions around the "ImageTragick" bug
https://lcamtuf.blogspot.com.br/2016/05/clearing-up-some-misconceptions-...
.:: Phrack Magazine ::.
http://www.phrack.org/issues/69/1.html
Untitled
https://threatbutt.com/press/Threatbutt-DZIR-2016.pdf