Risky Business #453 -- The Intel bugs: How freaked out should you be?

PLUS Claudio Guarnieri and Alex Rice talk Flexispy and bug bounties...
04 May 2017 » Risky Business

On this week’s show we’re looking at an issue that kicked up last week when creepware scumbags Flexispy announced they were moving their bug bounty program to HackerOne. VICE journalist Joseph Cox asked HackerOne CEO Marten Mickos if he’d be happy to host their program, and his answer is as follows:

“Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society.”

A lot of people, myself included, didn’t react so well to that line of thinking. HackerOne CTO Alex Rice suggested he come on the show to talk about the company’s stance. As you’ll hear, Alex is pushing a much softer line than his CEO, but still says this is complicated. Stay tuned for that, at times, excruciating interview.

This week’s sponsor interview is with Signal Sciences CSO and co-founder Zane Lackey. Zane was the head of security at Etsy, but he moved on to found Signal Sciences, a company that is making webapp security software that by all reports is pretty damn good.

He joins us in the sponsor slot this week to talk about Devops, WAFs and a whole bunch of other fun stuff.

Adam Boileau, as usual, drops by to discuss the week’s news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Show notes

Intel Patches Nine-Year-Old Critical CPU Vulnerability | Threatpost | The first stop for security news
Intel patches remote hijacking vulnerability that lurked in chips for 7 years | Ars Technica
Hacker leaks Orange is the New Black new season after ransom demands ignored | Ars Technica
Meet the Hackers Holding Netflix to Ransom - Motherboard
All your Googles are belong to us: Look out for the Google Docs phishing worm | Ars Technica
Facebook enters war against “information operations,” acknowledges election hijinx | Ars Technica
Russian-controlled telecom hijacks financial services’ Internet traffic | Ars Technica
Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol | Ars Technica
WikiLeaks Reveals CIA Tool 'Scribbles' For Document Tracking | Threatpost | The first stop for security news
Blind Trust in Email Could Cost You Your Home — Krebs on Security
Google and Facebook scammed out of $100M in elaborate phishing attack
New COOP Attack Method Highlights Weaknesses In Microsoft's CFG Defenses | Threatpost | The first stop for security news
Watch Hackers Sabotage an Industrial Robot Arm | WIRED
Proposed NIST Password Guidelines Soften Length, Complexity Focus | Threatpost | The first stop for security news
A vigilante is putting a huge amount of work into infecting IoT devices | Ars Technica
An Obscure App Flaw Creates Backdoors In Millions of Smartphones | WIRED
Apple Revokes Certificate Used By OSX/Dok Malware | Threatpost | The first stop for security news
IBM: Destroy USBs Infected with Malware Dropper | Threatpost | The first stop for security news
Google Patches Six Critical Mediaserver Bugs in Android | Threatpost | The first stop for security news
Picture this: Senate staffers’ ID cards have photo of smart chip, no security | Ars Technica
nomx: The world's most secure communications protocol
Wanna Know If Someone Planted Spyware on Your Computer? - Motherboard
Winston Smith on Twitter: "@x0rz @cryptoishard Sorry that was me lol"
FlexiSPY on Twitter: "In the interest of transparency, we're moving the bounty program to @Hacker0x01 ..."
Modern Application Security from Signal Sciences