Risky Business #444 -- $350m! Wiped! Off! Yahoo! Over! Breach!

PLUS: Peter Gutmann on Chrome's derpo UI change and MOAR...
22 Feb 2017 » Risky Business

On this week’s show we’re chatting with Peter Gutmann about a couple of things that have combined to form a legit problem: the abuse of the Let's Encrypt domain-validated certificate authority, combined with recent UI changes in Chrome, is a phisher's wet dream. We chat with Peter about that. The tl;dr is the browser makers need to get off their asses and do something about it, pronto.

This week’s show is sponsored by Exabeam. They just took $30m in funding from a VC and Cisco and they’re looking at doing some really interesting stuff in the SIEM world with, you guessed it, machine learning! In this week’s sponsor interview we’re chatting with Exabeam co-founder Sylvain Gil about a few things – the conversation does veer a bit into their products but it actually stays interesting, mostly because he discusses things like Exabeam’s roadmap in terms of problems they’re trying to solve. So even if you have no desire to buy a new SIEM, you’ll still probably find that one interesting from an academic point of view.

Adam Boileau, as always, stops in to discuss the week’s news, and Jake Davis is back with a… reinterpretation(?!) of the Hacker Manifesto.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, Jake or Adam on Twitter if that’s your thing.

Show notes

Hacks all the time. Engineers recently found Yahoo systems remained compromised | Ars Technica
Verizon and Yahoo amend terms of definitive agreement
Yahoo reveals more breachiness to users victimized by forged cookies [Updated] | Ars Technica
JavaScript Attack Breaks ASLR on 22 CPU Architectures
Kim Dotcom and co-accused eligible for extradition to US, says High Court - National - NZ Herald News
Who Ran Leakedsource.com? — Krebs on Security
How to Bury a Major Breach Notification — Krebs on Security
Hackers who took control of PC microphones siphon >600 GB from 70 targets | Ars Technica
Trump’s apparent security faux-pas-palooza triggers call for House investigation | Ars Technica
Trump Cybersecurity Head Tom Bossert Could Be a Voice of Reason | WIRED
Car Apps Are Vulnerable To Hacks That Could Unlock Millions of Vehicles | WIRED
A Glimpse Into How Much Google Knows About Russian Government Hackers - Motherboard
Convicted TalkTalk Blackmailer Warns Young Hackers About Falling Into Crime - Motherboard
CEO of Company Behind Tor Browser Exploit: 'I Wanted to Help Take a Person Down' - Motherboard
The Best Defense: Threats to journalists' safety demand fresh approach - Committee to Protect Journalists
SMTP STS Coming Soon to Gmail, Other Webmail Providers | Threatpost | The first stop for security news
Google Discloses Unpatched Microsoft Vulnerability | Threatpost | The first stop for security news
Aleksey Palazhchenko on Twitter: "TIL: There are bots on Github that create pull requests to projects using CI replacing all code with bitcoin-mining code."
The CA's Role in Fighting Phishing and Malware - Let's Encrypt - Free SSL/TLS Certificates
Patrick Gray on Twitter: "@KimDotcom Get some perspective dickhead."
Certified Malice – text/plain
Security Intelligence | Exabeam