On this week’s show we chat with James Kettle of PortSwigger Web Security about some adventures he had with reverse proxies and malformed host headers. Using some simple tricks, James was able to do some craaaazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that.
In this week’s sponsor interview we’re tackling the new European General Data Protection Regulation. With the new regime due to kick in on May 25 next year, there’s a lot of angst out there, and for good reason. The penalties for mishandling info are up to 4% of global turnover, which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere.
Senetas is this week’s sponsor. They make layer 2 encryption gear, as well as SureDrop, a GDPR- and enterprise-friendly Dropbox-style service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that.
As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below.
- In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking - The New York Times
- Blowing the Whistle on Bad Attribution — Krebs on Security
- Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back - Motherboard
- Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors | WIRED
- IRS Now Has a Tool to Unmask Bitcoin Tax Cheats
- Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices
- Cryptocurrency Miner Infects Windows PCs via EternalBlue and WMI
- Ad Trackers on E-Commerce Sites Can Unmask Bitcoin Transactions
- It's Not Exactly Open Season on the iOS Secure Enclave | Threatpost
- Secret chips in replacement parts can completely hijack your phone’s security | Ars Technica
- Google Releases Android 8.0 Oreo
- Android Spyware Linked to Chinese SDK Forces Google to Boot 500 Apps | Threatpost
- Chrome Adds Warning for When Extensions Take Over Your Internet Connection
- Couple Accused of Using Lowes Website Flaw to Steal Expensive Goods
- Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack | Threatpost
- #23270 (Allow Tor relays to be configured to block selected hidden services, including racist hate sites) – Tor Bug Tracker & Wiki
- Fighting Neo-Nazis and the Future of Free Expression | Electronic Frontier Foundation
- PortSwigger Web Security Blog: Cracking the Lens: Targeting HTTP's Hidden Attack-Surface