Risky Business #467 -- HPKP as an attack vector

Scott Helme talks HPKP ransom, suicide...
31 Aug 2017 » Risky Business

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hack your domain registrar, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control.

You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.
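As an added illustration (not from the show or from Scott Helme's work), here is the kind of defender-side check an operator could run against their own site to catch the scenario above: it parses a served Public-Key-Pins header, derives RFC 7469 pins (base64 of the SHA-256 of the SubjectPublicKeyInfo DER) from SPKI bytes, and flags any pin not in the operator's own set together with the length of the lock-out window set by max-age. The header and SPKI bytes below are constructed for the example.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


@dataclass
class HpkpPolicy:
    pins: List[str]
    max_age: int
    include_subdomains: bool
    report_uri: Optional[str]


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str) -> HpkpPolicy:
    """Split a Public-Key-Pins header into its directives."""
    pins = PIN_RE.findall(header)
    max_age, include_subdomains, report_uri = 0, False, None
    for directive in header.split(";"):
        d = directive.strip()
        low = d.lower()
        if low.startswith("max-age="):
            max_age = int(low.split("=", 1)[1].strip('"'))
        elif low == "includesubdomains":
            include_subdomains = True
        elif low.startswith("report-uri="):
            report_uri = d.split("=", 1)[1].strip().strip('"')
    return HpkpPolicy(pins, max_age, include_subdomains, report_uri)


def audit_hpkp(header: str, trusted_pins: Set[str]) -> List[str]:
    """Findings for a monitoring job that fetches your own site's headers."""
    policy = parse_hpkp(header)
    findings = []
    unknown = [p for p in policy.pins if p not in trusted_pins]
    if unknown:
        findings.append("pins not in trusted set: %s" % unknown)
    if not any(p in trusted_pins for p in policy.pins):
        # Every pinned key is foreign: returning visitors stay locked out.
        findings.append("no trusted pin present: visitors locked out for %d days"
                        % (policy.max_age // 86400))
    if policy.include_subdomains:
        findings.append("includeSubDomains widens the lock-out to all subdomains")
    return findings


# Constructed sample: the operator's own key versus two pins set by someone else.
OWN_SPKI = b"constructed-spki-der-of-our-own-key"
OWN_PIN = spki_pin(OWN_SPKI)
FOREIGN_HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
                  % (spki_pin(b"constructed-attacker-key-1"), spki_pin(b"constructed-attacker-key-2")))
```

Running `audit_hpkp(FOREIGN_HEADER, {OWN_PIN})` reports two unknown pins, a 60-day lock-out with no trusted key, and the includeSubDomains widening; the same header with your own pin present yields only the pin-mismatch finding.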

This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”.

Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below.

Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

Show notes

465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says - Motherboard
Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges - Motherboard
Bitcoin: Hacking Coinbase, Cryptocurrency’s ‘Goldman Sachs' | Fortune.com
List Of High Profile Cryptocurrency Hacks So Far (August 24th 2017)
Narrowing the Scope - DreamHost.blog
Troy Hunt: Inside the Massive 711 Million Record Onliner Spambot Dump
Leak of >1,700 valid passwords could make the IoT mess much worse | Ars Technica
The Companies That Will Track Any Phone on the Planet
This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves
Bit Paymer Ransomware Hits Scottish Hospitals
Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA
China to Impose Real Name Policy for Online Comments
Google Error Causes Widespread Internet Outage in Japan
bgp-bogus-tls.pdf
Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability
Zerodium Offers $500K for Secure Messaging App Zero Days | Threatpost | The first stop for security news
Firmware Update Bricks Samsung Smart TVs in the UK
Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet — Krebs on Security
Inside an Epic Hotel Room Hacking Spree | WIRED
Google Reminding Admins HTTP Pages Will Be Marked 'Not Secure' in October | Threatpost | The first stop for security news
Fraudulent Donations Lead to Disbanding of Hutchins Legal Defense Fund | Threatpost | The first stop for security news
Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root | Threatpost | The first stop for security news
ROPEMAKER Exploit Allows for Changing of Email Post-Delivery | Threatpost | The first stop for security news
U.S. spies think the FBI is botching the Kaspersky investigation
Hackers snag a $1 laptop by exploiting flaw in point-of-sale systems | ZDNet
I'm giving up on HPKP