Risky Business #441 -- Gone in 60 seconds: Attacking ephemeral resources

PLUS: How resistant is machine learning to evil input?
01 Feb 2017 » Risky Business

On this week’s show we’ll be chatting with information security’s enfant terrible Nathaniel Wakelam about some recon tricks he’s been using in bug bounty programs. He uses some nice tricks to rapidly identify ephemeral resources that often result in some spectacular hacks, like, say, being able to download all of REDACTED’s source code. That one was cool because it was a temporary resource that got popped – that’s something you have to watch these days.

This week’s show is brought to you by Cylance! Cylance makes machine-learning-based AV software that by all reports works really well. Cylance CTO and co-founder Ryan Permeh is this week’s feature guest and we’re talking about something that we touched on last week – gaming machine learning. Does Cylance worry that a determined attacker will be able to gradually feed bad data into Cylance’s training set and game the whole system? Well, no, they’re not worried about it, but it’s definitely something they pay attention to. That’s really interesting stuff and it’s coming up after this week’s feature interview.

Adam Boileau, as always, pops in for this week’s news.

Links to everything are in this week’s show notes.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Show notes

Reports: Arrested Russian intel officer allegedly spied for U.S.
A Shakeup in Russia’s Top Cybercrime Unit — Krebs on Security
Russians Charged With Treason Worked in Office Linked to Election Hacking - The New York Times
Kaspersky Lab’s top investigator reportedly arrested in treason probe | Ars Technica
Kevin Rothrock on Twitter: "Bombshell scoop by Rosbalt: @b0ltai2’s leader was allegedly arrested last October, and he’s the one who ratted out the two FSB agents."
Arrested FSB officers accused of collaborating with the CIA — Meduza
FBI agents head to Prague to question Russian hacker Nikulin — ČT24 — Česká televize
https://apps.washingtonpost.com/g/documents/world/read-the-trump-administrations-draft-of-the-executive-order-on-cybersecurity/2306/
President Trump is still using his “old, unsecured Android phone” | Ars Technica
Alleged perpetrator of the ‘hack’ of data on 5,500 ‘mossos’ arrested | Cataluña | EL PAÍS
Notorious Hacker Phineas Fisher: I'm Alive and Well | Motherboard
Site that sold access to 3.1 billion passwords vanishes after reported raid | Ars Technica
Hotel ransomed by hackers as guests locked out of rooms - The Local
DC police surveillance cameras were infected with ransomware before inauguration | Ars Technica
Now there’s a better way to prevent Facebook account takeovers | Ars Technica
Forgotten passwords are bane of the Internet. Facebook wants to fix that | Ars Technica
Majority of Android VPNs can’t be trusted to make users more secure | Ars Technica
It might be time to stop using antivirus | Ars Technica
Dridex Returns With Windows UAC Bypass Method | Threatpost | The first stop for security news
Forget Recounts. Next Election, Encrypt the Vote Instead | WIRED
Cryptocurrency Monero Is Skyrocketing Thanks to Darknet Druglords | WIRED
Telemarketing Firm Leaks 400,000 Recorded Calls | Threatpost | The first stop for security news
Google to Operate its Own Root CA | Threatpost | The first stop for security news
Google Is Battling a Russian Spammer Over the Use of the Letter 'G' | Motherboard