Risky Business #447 -- Struts bug owns everyone, RAND 0day report and more

PLUS Dr. Vanessa Teague on computerised voting security...
15 Mar 2017 » Risky Business

On this week’s show Patrick and Adam have a look at the surprisingly great report about 0day prepared by RAND Corporation, as well as the other security news of the week. How ‘bout dat Struts bug, eh?

Dr. Vanessa Teague of the University of Melbourne also joins the show to talk about the latest developments around computerised voting. Vanessa is an expert on e-voting and she’s been in the space for a long time – she’ll be joining us this week to talk about how European authorities have been responding to the risks posed to their elections by outside parties, and we take a look at some voting security ideas for America.

This week’s show is brought to you by Netsparker. Netsparker is a black-box web application testing tool that aims to speed up webapp tests through automation. Netsparker’s creator Ferruh Mavituna is this week’s sponsor guest. He’s joining us to basically talk about what you can actually automate in webapp testing, but also about what you can’t automate. That’s a really interesting chat, one that the pentesters will love I’m sure.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Show notes

Critical vulnerability under “massive” attack imperils high-impact sites [Updated] | Ars Technica
In-the-wild exploits ramp up against high-impact sites using Apache Struts | Ars Technica
Zero Day Exploits Rarely Discovered By More Than One Group, Study Finds - Motherboard
Wikileaks' Cache of Alleged CIA Files Includes Unredacted Names - Motherboard
WikiLeaks: We’ll Work With Software Makers on Zero-Days — Krebs on Security
Apple Says Many of the CIA's Alleged iPhone Hacks Have Already Been Patched - Motherboard
After NSA hacking exposé, CIA staffers asked where Equation Group went wrong | Ars Technica
FBI Director Tells Companies Not to 'Hack Back' Against Hackers - Motherboard
Dutch Cops Say They've Decrypted PGP Messages On Seized Server - Motherboard
Dear Confide: “We would never” isn’t the same as “we can’t” | Ars Technica
Court Says Hacking Victim Can’t Sue a Foreign Government For Hacking Him on US Soil - Motherboard
The NSA's 'Twitter For Spies' Has Over 60,000 Users - Motherboard
Yahoo to give Marissa Mayer $23 million parting gift after sale to Verizon | Ars Technica
38 Android Devices Infected with Malware Preinstalled in Supply Chain | Threatpost | The first stop for security news
Dahua, Hikvision IoT Devices Under Siege — Krebs on Security
Hackers with Credit Card Scrapers Continue to Target Magento | Threatpost | The first stop for security news
Getting Physical With USB Type-C
Patch Tuesday Returns; Microsoft Quiet on Postponement | Threatpost | The first stop for security news
RAND_RR1751.pdf
iVote West Australia: Who voted for you? | Pursuit by The University of Melbourne