Risky Business #467 -- HPKP as an attack vector

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hijack your domain at the registrar, they can cause all sorts of havoc. First, they redirect visitors to a box they control, then obtain a free, automated domain-validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control.

You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.
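As an added example (not code from the show or from Scott Helme's work), here is a small Python check a site owner could run against their own site's response headers: it parses a Public-Key-Pins header, computes the RFC 7469 pin for the keys they actually hold, and flags any pin that is not theirs along with how long browsers that saw the header will stay pinned. The SPKI byte strings and the header values are constructed placeholders, not real DER or real pins.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List

@dataclass
class PinPolicy:
    pins: List[str] = field(default_factory=list)  # pin-sha256 values as sent
    max_age: int = 0  # seconds a browser that saw the header keeps enforcing the pins
    include_subdomains: bool = False

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin (RFC 7469): base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value into its directives."""
    policy = PinPolicy()
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            policy.pins.append(raw)
        elif name == "max-age":
            policy.max_age = int(raw)
        elif name == "includesubdomains":
            policy.include_subdomains = True
    return policy

def audit_pins(policy: PinPolicy, own_spkis: List[bytes]) -> List[str]:
    """Findings a site owner would alert on: pins that match none of our keys."""
    ours = {spki_pin(k) for k in own_spkis}
    rogue = [p for p in policy.pins if p not in ours]
    findings = [f"pin for a key we do not control: {p}" for p in rogue]
    if rogue and policy.max_age:
        days = policy.max_age // 86400
        findings.append(f"visitors who saw this header are pinned to it for {days} days")
    return findings

# Constructed placeholders standing in for the DER SubjectPublicKeyInfo of keys we hold.
OWN_SPKIS = [b"placeholder-spki-current-key", b"placeholder-spki-backup-key"]
CLEAN_HEADER = "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in OWN_SPKIS) + "; max-age=5184000"
# Constructed header of the kind a hijacked site would serve: pins we never set, 60-day max-age.
ROGUE_HEADER = ('pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; '
                'pin-sha256="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; '
                'max-age=5184000; includeSubDomains')
```

Run `audit_pins(parse_pkp_header(header), OWN_SPKIS)` on whatever your own site is serving; an empty list is the only acceptable result.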

This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”.

Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below.

Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.


Show notes

465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says - Motherboard

Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges - Motherboard

Bitcoin: Hacking Coinbase, Cryptocurrency’s ‘Goldman Sachs' | Fortune.com

List Of High Profile Cryptocurrency Hacks So Far (August 24th 2017)

Narrowing the Scope - DreamHost.blog

Troy Hunt: Inside the Massive 711 Million Record Onliner Spambot Dump

Leak of >1,700 valid passwords could make the IoT mess much worse | Ars Technica

The Companies That Will Track Any Phone on the Planet

This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves

Bit Paymer Ransomware Hits Scottish Hospitals

Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA

China to Impose Real Name Policy for Online Comments

Google Error Causes Widespread Internet Outage in Japan

bgp-bogus-tls.pdf

Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability

Zerodium Offers $500K for Secure Messaging App Zero Days | Threatpost

Firmware Update Bricks Samsung Smart TVs in the UK

Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet — Krebs on Security

Inside an Epic Hotel Room Hacking Spree | WIRED

Google Reminding Admins HTTP Pages Will Be Marked 'Not Secure' in October | Threatpost

Fraudulent Donations Lead to Disbanding of Hutchins Legal Defense Fund | Threatpost

Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root | Threatpost

ROPEMAKER Exploit Allows for Changing of Email Post-Delivery | Threatpost

U.S. spies think the FBI is botching the Kaspersky investigation

Hackers snag a $1 laptop by exploiting flaw in point-of-sale systems | ZDNet

I'm giving up on HPKP