Risky Business #474 -- Inside new, "invisible" Rowhammer attacks

PLUS: How bad are these Wifi bugs, really?
18 Oct 2017 » Risky Business

On this week’s show we’re chatting with Daniel Gruss an infosec researcher doing a postdoc in the Secure Systems group at the Graz University of Technology in Austria.

Daniel was one of the authors of a recent paper on a new Rowhammer technique. This one’s pretty clever, basically because it evades all known detection techniques by executing in an Intel SGX enclave.

In this week’s feature interview we chat with Dan Guido from Trail of Bits. He’s along this week to talk about his experience in helping to build secure software and security tools for his clients.

Of course the big news this week are the so-called “KRACK” attacks against WPA2. Adam’s done his homework on that and joins the news segment to tell you all how bad it is. We also look at the RNG bugs making life hard for smart card vendors and all the other news of the week!

Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security
Falling through the KRACKs – A Few Thoughts on Cryptographic Engineering
Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible | Threatpost | The first stop for security news
Millions of high-security crypto keys crippled by newly discovered flaw | Ars Technica
'Hacking back' legislation is back in Congress
The World Once Laughed at North Korean Cyberpower. No More. - The New York Times
North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist
Beaumont Porg, Esq. on Twitter: "Ukraine Intelligence Agency warning of planned large scale disk wiping attack using supply chain: https://t.co/Scm6kcgXSI https://t.co/EebTrrLwzu"
October Price Adjustment — Steemit
Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet
Cyberespionage Group Steps Up Campaigns Against Japanese Firms | Threatpost | The first stop for security news
Middle Eastern hacking group is using FinFisher malware to conduct international espionage
Exclusive: Microsoft responded quietly after detecting secret database hack in 2013
Equifax website borked again, this time to redirect to fake Flash update | Ars Technica
Google’s strongest security, for those who need it most
Russia Fines Telegram $14,000 for Not Giving FSB an Encryption Backdoor
Web-connected household devices to face mandatory rating over spying fears
Want to see something crazy? Open this link on your phone with WiFi turned off.
Sexual assault allegations levied against high profile security researcher and activist - The Verge
Leveraging the Analog Domain for Security (LADS)
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
KRACK Attacks: Bypassing WPA2 against Android and Linux - YouTube
[1710.00551] Another Flip in the Wall of Rowhammer Defenses