Risky Business #497 -- Silvio's greatest hits

It's the computers, stupid...
02 May 2018 » Risky Business

This week’s Risky Business is kind of going back to its roots a bit. As much as we love talking about policy and the intersection of cyber security with global affairs, sometimes it pays to remember that computer security is actually about computers.

With that in mind this week we’ve got two fantastic interviews for you. We’ll be chatting with Dr. Silvio Cesare in this week’s feature interview. Silvio’s dusted off his bug hunting hat and he’s taken to Twitch-streaming his auditing sessions. Dave Aitel described watching Silvio’s Twitch stream as like seeing a Titan ransack a small Greek village. Five months, 100 bugs, 50 of them in kernel stuff.

He’s doing this for a couple of reasons – he wants to show people how it’s done, and he wants people to realise there are still lots of bugs out there to be found. We’ll chat to him about that in this week’s feature.

This week’s sponsor interview is with another old school hacker, Stephen Ridley. Stephen is the founder of Senrio, which is technically an IoT security play, but the thing is the tech he’s developed has turned out to be useful for all sorts of other stuff too.

Senrio is another one of those hacker-led startups in the spirit of Duo Security or Thinkst Canary. Stephen is a really well respected guy and this week he’s joining us to talk about a bunch of stuff. A lot of it is related to the unexpected uses for Senrio’s monitoring platform. He built a classifier for network-connected devices as a part of Senrio’s IoT security platform, and it turns out it’s actually running rings around a bunch of Enterprise Asset Management tools. People are actually using his IoT security monitoring solution to do asset management and figure out install gaps for their EDR solutions.

Totally not what he intended people to use it for, but hey, a win’s a win. So Stephen joins us this week to talk about that, also to talk about recent developments in the IoT space and really a bunch more stuff.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes

Amazon Web Services starts blocking domain-fronting, following Google’s lead - The Verge
Iran blocks Telegram, pushes replacement with “Death to America” emoji | Ars Technica
Chinese Authorities Accidentally Admit to Accessing Deleted WeChat Messages
As two Koreas shake hands, Hidden Cobra hackers wage espionage campaign | Ars Technica
North Korea's Elites Are Ditching Facebook for Chinese Social Networks
After data “clash” report, WhatsApp founder says he’s leaving Facebook | Ars Technica
Can This System of Unlocking Phones Crack the Crypto War?
Ray Ozzie’s plan for unlocking encrypted phones gets a chilly reception | Ars Technica
Matthew Green on Twitter: "This article on WhatsApp suggests that WhatsApp might be weakening its encryption, but doesn’t give any details. That’s pretty worrying. https://t.co/2LfWeqMMPt https://t.co/3n8GDxVLcT"
Tens of Thousands of Malicious Apps Using Facebook APIs | Threatpost | The first stop for security news
Intel Committee blasts FBI for not notifying Russian hacking victims - Cyberscoop
Startup Offers $3 Million to Anyone Who Can Hack the iPhone - Motherboard
This Russian Company Sells Zero-Day Exploits for Hospital Software - Motherboard
Google and Microsoft ask Georgia governor to veto 'hack back' bill
Joy Reid Blames Hackers, Just Like Everyone Else | WIRED
Security Trade-Offs in the New EU Privacy Law — Krebs on Security
A One-Minute Attack Let Hackers Spoof Hotel Master Keys | WIRED
Volkswagen and Audi Cars Vulnerable to Remote Hacking
Charlie Miller on Twitter: "Cool new research out on car hacking: https://t.co/sZ2v0GpwWy. Hang on or mute as I'll give my thoughts on it."
Lojack Becomes a Double-Agent
Europol shuts down one of the largest DDoS marketplaces in the world - CyberScoop
Police Have Seized Revenge Porn Site Anon-IB - Motherboard
Chinese Police Arrest 15 People Who Hid Malware Inside PUBG Cheat Apps
GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs
Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates
Long Prison Sentence for Man Who Hacked Jail Computer System to Bust Out Friend
State threat-sharing center warns of multiple PHP vulnerabilities - CyberScoop
Escalating Privileges with CylancePROTECT — Atredis Partners
Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch
silviocesare - Twitch
Senrio