Podcasts

News, analysis and commentary

Risky Business Podcast

November 12, 2015

Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with computer crime lawyer extraordinaire Tor Ekeland! He's worked on a number of high profile CFAA cases. Most recently he's been defending former Reuters and LA Times journalist Matthew Keys on some pretty hefty CFAA charges. He's also the guy who got Andrew Aurenheimer out of jail so he could go and live a free life as a Nazi troll. (Is that really a win?) He also defended Lauri Love... basically if you're a hacker who's fallen foul of the CFAA, this is the guy you want on your team.

He joins us this week to talk about the CFAA, terrorism charges against hackers, and the American cultural influences over crime and punishment in the USA. It's a cracker interview, that one.

This week's show is brought to you by Telstra! Best known as Australia's incumbent telco, Telstra also offers enterprise services. There's a link to their services page in this week's show notes.

In this week's sponsor interview we're chatting with Rachael Falk. She leads the Cyber Influence team in Telstra Security Operations. And she'll be joining us with what I'm calling boardroom ammo. Five questions you can suggest to your CEO or board to get them thinking about good security practices.

Links to everything are in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!
0:00 / 58:36

Risky Business Podcast

November 05, 2015

Risky Business #388 -- Cyber shrinkery, IoT shenanigans and guest Troy Hunt

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

This week's feature interview is with Troy Hunt of HaveIBeenPwned.com. And he's noticing something pretty weird. It's common for people to deface websites for bragging rights, and yeah, it's not new that data dumps are the new bragging fodder. But it seems like these days attackers are seeing Troy's site as the definitive place to get cred. Now they'll steal a bunch of data and Troy is their first stop.

Life is strange on the internets. That's this week's feature interview.

This week's show is brought to you by ContextIS, a security consultancy and research house with offices in England, Germany and Australia. In this week's sponsor interview we chat with Alex Farrant, a senior security researcher with Context in Cheltenham about the risks of IoT to enterprise networks.

Don't worry, this isn't some non-specific, high level chat saying "IoT is bad," we're talking about real examples where they've managed to chain together a couple of bugs for serious effect. We also talk about how enterprises aren't shy about making key company resources accessible over WiFi these days. Yes, the same WiFi network that your vulnerable electric kettle and lightbulbs are on. Happy days.

Adam Boileau, as always, stops in to discuss the week's news, including the delightful Freudian analysis of computer hackers by "cyber psychologist" Mary Aiken.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | WIRED
http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios...

UK Government Works on Restricting Encryption, Urges Staff to Use It | Motherboard
http://motherboard.vice.com/read/uk-government-works-on-restricting-stro...

Internet firms to be banned from offering unbreakable encryption under new laws - Telegraph
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Inte...

UK surveillance powers explained - BBC News
http://www.bbc.com/news/uk-34713435

The Lesson of CISA's Success, or How to Fight a Zombie
https://theintercept.com/2015/11/03/lesson-of-cisa-success-or-how-to-fig...

ALBAWABA NEWS: Egypt's military arrests 150 terrorists through "Telegram"
http://www.albawabaeg.com/66794

Teenager arrested in Norwich over TalkTalk cyber-attack bailed | Business | The Guardian
http://www.theguardian.com/business/2015/nov/04/teenager-arrested-in-nor...

vBulletin password hack fuels fears of serious Internet-wide 0-day attacks | Ars Technica
http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fe...

Tor Just Launched the Easiest App Yet for Anonymous, Encrypted IM | WIRED
http://www.wired.com/2015/10/tor-just-launched-the-easiest-app-yet-for-a...

Zerocoin Startup Revives the Dream of Truly Anonymous Money | WIRED
http://www.wired.com/2015/11/zerocoin-startup-revives-the-dream-of-truly...

Signal, the Snowden-Approved Crypto App, Comes to Android | WIRED
http://www.wired.com/2015/11/signals-snowden-approved-phone-crypto-app-c...

Don't count on STARTTLS to automatically encrypt your sensitive e-mails | Ars Technica
http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automa...

Still fuming over HTTPS mishap, Google makes Symantec an offer it can't refuse | Ars Technica
http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-g...

How Carders Can Use eBay as a Virtual ATM - Krebs on Security
http://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual...

Shuanet Adware Roots Android Devices | Threatpost | The first stop for security news
http://threatpost.com/shuanet-adware-rooting-android-devices-via-trojani...

Chinese Mobile Ad Library Backdoored to Spy on iOS Devices | Threatpost | The first stop for security news
http://threatpost.com/chinese-mobile-ad-library-backdoored-to-spy-on-ios...

Samsung Galaxy S6 Edge Security Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/google-project-zero-turns-over-11-bugs-in-galaxy-s...

Data-Stealing Android App Impersonates Word Doc | Threatpost | The first stop for security news
http://threatpost.com/malicious-android-app-impersonates-microsoft-word-...

XcodeGhost Malware Supports iOS9 | Threatpost | The first stop for security news
http://threatpost.com/updated-xcodeghost-adds-ios9-support/115244/

November 2015 Android Security Bulletin | Threatpost | The first stop for security news
http://threatpost.com/monthly-android-security-update-patches-more-stage...

Tinba Variant Spotted Targeting Russian, Japanese Banks | Threatpost | The first stop for security news
http://threatpost.com/new-tinba-variant-spotted-targeting-russian-japane...

PageFair Hack Serves Up Fake Flash Update to 500 Sites | Threatpost | The first stop for security news
http://threatpost.com/pagefair-hack-serves-up-fake-flash-update-to-500-s...

Xen patches 7-year-old bug that shattered hypervisor security | Ars Technica
http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-...

Latest EMET Bypass Targets WoW64 Windows Subsystem | Threatpost | The first stop for security news
http://threatpost.com/latest-emet-bypass-targets-wow64-windows-subsystem...

FireEye growth slows as China attacks reportedly abate, stock plunges - MarketWatch
http://www.marketwatch.com/story/fireeye-growth-slows-as-china-attacks-r...

Hackers gonna hack, but why? Maybe Freud has the answer | Technology | The Guardian
http://www.theguardian.com/technology/2015/nov/03/hackers-gonna-hack-but...

Troy Hunt: Breaches, traders, plain text passwords, ethical disclosure and 000webhost
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

Music | PLTS
https://pltsmusic.bandcamp.com/

Also, you should absolutely check out Context's Blog. It's really quite good.
http://www.contextis.com/resources/blog/1/

Risky Business #388 -- Cyber shrinkery, IoT shenanigans and guest Troy Hunt
0:00 / 58:18

Risky Business Podcast

October 29, 2015

Risky Business #387 -- Hack people to death!

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's feature interview we're chatting with Chris Rock from Kustodian. Chris did a great presentation at Ruxcon last week about how easy it is to hack people to death!

He's found out just how easy it is to register births and deaths in the united states and Australia via online systems. He says it's a problem that could result in a virtual baby harvest for fraudsters who plan ahead. It's really fun stuff, that's this week's feature.

In this week's sponsor interview we're speaking with Deema Freij, general counsel at Intralinks. This is an interview the CSOs shouldn't miss... we're talking to her about privacy stuff -- about what the invalidation of Safe Harbour provisions really means, what we can expect from the new EU general data protection regulations when they land, and what sort of management challenges that's going to throw up at the boardroom level.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

WikiLeaks Is Publishing the CIA Director's Hacked Emails | WIRED
http://www.wired.com/2015/10/wikileaks-publishing-cia-director-john-bren...

Hacker releases new purported personal data for top CIA, DHS officials [Updated] | Ars Technica
http://arstechnica.com/tech-policy/2015/10/hacker-releases-new-purported...

A Second Snowden Has Leaked a Mother Lode of Drone Docs | WIRED
http://www.wired.com/2015/10/a-second-snowden-leaks-a-mother-lode-of-dro...

Who Is Ardit Ferizi? Malaysia Arrests Kosovo National For Hacking US Security Data For ISIS
http://www.ibtimes.com/who-ardit-ferizi-malaysia-arrests-kosovo-national...

Matthew Keys' Hacking Conviction May Not Survive an Appeal | WIRED
http://www.wired.com/2015/10/matthew-keys-journalist-conviction-cfaa-abu...

TalkTalk Hackers Demanded \xa380K in Bitcoin - Krebs on Security
http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitc...

TalkTalk Hackers Demand Ransom of CEO Dido Harding | Threatpost | The first stop for security news
https://threatpost.com/talktalk-hackers-demand-ransom-from-ceo/115156/

China Is Still Hacking US Companies After Promising It Would Stop, Report Says | Motherboard
http://motherboard.vice.com/read/china-is-still-hacking-us-companies-aft...

Arrest of Chinese Hackers Not a First for U.S. - Krebs on Security
http://krebsonsecurity.com/2015/10/arrest-of-chinese-hackers-not-a-first...

How is NSA breaking so much crypto?
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking...

Fewer IPsec VPN Connections at Risk to Weak Diffie-Hellman | Threatpost | The first stop for security news
https://threatpost.com/fewer-ipsec-vpn-connections-at-risk-from-weak-dif...

CISA Passes Senate Without Addressing Privacy Concerns | Threatpost | The first stop for security news
https://threatpost.com/cisa-passes-senate-without-addressing-privacy-con...

A DEA Agent Who Helped Take Down Silk Road Is Going to Prison for Unbelievable Corruption | Mother Jones
http://www.motherjones.com/mixed-media/2015/10/silk-road-investigator-se...

X-Ray Scans Expose an Ingenious Chip-and-Pin Card Hack | WIRED
http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pi...

EFF: We found 100+ license plate readers wide open on the Internet | Ars Technica
http://arstechnica.com/tech-policy/2015/10/lprs-exposed-how-public-safet...

Automakers just lost the battle to stop you from hacking your car | The Verge
http://www.theverge.com/2015/10/27/9622150/dmca-exemption-accessing-car-...

New attacks on Network Time Protocol can defeat HTTPS and create chaos | Ars Technica
http://arstechnica.com/security/2015/10/new-attacks-on-network-time-prot...

Unpatched browser weaknesses can be exploited to track millions of Web users | Ars Technica
http://arstechnica.com/security/2015/10/unpatched-browser-weaknesses-can...

This 11-year-old is selling cryptographically secure passwords for $2 each | Ars Technica
http://arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryp...

Microsoft .NET Core, ASP.NET Beta Bug Bounty | Threatpost | The first stop for security news
https://threatpost.com/microsoft-opens-net-core-asp-net-bug-bounties/115...

IBM Runs World's Worst Spam-Hosting ISP? - Krebs on Security
http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

Let's Encrypt Free HTTPS Secures Cross-Signatures To Be A CA | Threatpost | The first stop for security news
https://threatpost.com/lets-encrypt-hits-another-free-https-milestone/11...

Insecure Internet-Connected Kettles Help Researchers Crack WiFi Networks Across London - Softpedia
http://news.softpedia.com/news/insecure-internet-connected-kettles-help-...

13 million plaintext passwords belonging to webhost users leaked online | Ars Technica
http://arstechnica.com/security/2015/10/13-million-plaintext-passwords-b...

Western Digital self-encrypting hard drives riddled with security flaws | Ars Technica
http://arstechnica.com/security/2015/10/western-digital-self-encrypting-...

Joomla bug puts millions of websites at risk of remote takeover hacks | Ars Technica
http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-webs...

New zero-day exploit hits fully patched Adobe Flash [Updated] | Ars Technica
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-...

October 2015 Oracle Critical Patch Update | Threatpost | The first stop for security news
https://threatpost.com/oracle-quarterly-security-update-patches-154-vuln...

'10-second' theoretical hack could jog Fitbits into malware-spreading mode \u2022 The Register
http://www.theregister.co.uk/2015/10/21/fitbit_hack/

DEF CON 23 - Chris Rock - I Will Kill You - YouTube
https://www.youtube.com/watch?v=9FdHq3WfJgs

bluejuice - Vitriol - YouTube
https://www.youtube.com/watch?v=ldBhDmvWFXE

Risky Business #387 -- Hack people to death!
0:00 / 65:05

Risky Business Podcast

October 09, 2015

Risky Business #386 -- Katie Moussouris on the (groan) disclosure debate

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're checking in with Katie Moussouris of HackerOne. She's an ex Microsoftie who's spent something like a decade working on vulnerability disclosure policies. She even helped get a vuln disclosure ISO standard ratified!

And she'll be joining us this week to discuss disclosure politics, I guess you'd call it... for those of us who've been around infosec for a while, most of us would rather stick our face in a blender than talk about it, but Katie will be along to point out why people should fight their "disclosure debate fatigue" and get involved.

This week's show is brought to you by Telstra! Telstra is Australia's incumbent telco but also offers a bunch of enterprise services and has invested in some mobile security plays. They took a stake in Zimperium, which is where Risky Business pal Joshua Drake works. They also have a stake in Telesign.

In this week's sponsor interview we're joined by Telstra's Rocky Scopelliti. He's Telstra's finance brain and he'll be along to discuss a report he prepared on the fusion of financial services, mobility and identity. Telstra has collected a lot of *extremely* interesting data and Rocky will be along to fill us in on what it all means. That's this week's sponsor interview, with big thanks to new sponsor Telstra!

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hack Brief: Hackers Steal 15M T-Mobile Customers' Data From Experian | WIRED
http://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-custo...

Scottrade Breach Hits 4.6 Million Customers - Krebs on Security
http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-cus...

Trump Hotel Collection Confirms Card Breach - Krebs on Security
http://krebsonsecurity.com/2015/10/trump-hotel-collection-confirms-card-...

Patreon was warned of serious website flaw 5 days before it was hacked | Ars Technica
http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-we...

Gigabytes of user data from hack of Patreon donations site dumped online | Ars Technica
http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack...

Exclusive: Uber checks connections between hacker and Lyft | Reuters
http://www.reuters.com/article/2015/10/08/us-uber-tech-lyft-hacking-excl...

Amazon Web Services Inspector Application Security Scanner | Threatpost | The first stop for security news
https://threatpost.com/amazon-inspector-addresses-compliance-and-securit...

Canceled HITB GSEC Singapore Presentation | Threatpost | The first stop for security news
https://threatpost.com/canceled-talk-re-ignites-controversy-over-legitim...

Verizon's zombie cookie gets new life | Ars Technica
http://arstechnica.com/security/2015/10/verizons-zombie-cookie-gets-new-...

Questions raised over Malcolm Turnbull's use of private email server
http://www.theage.com.au/technology/technology-news/questions-raised-ove...

Backdoor infecting Cisco VPNs steals customers' network passwords | Ars Technica
http://arstechnica.com/security/2015/10/backdoor-infecting-cisco-vpns-st...

Cisco shuts down million-dollar ransomware operation | Ars Technica
http://arstechnica.com/security/2015/10/cisco-shuts-down-30-million-rans...

SHA1 algorithm securing e-commerce and software could break by year's end | Ars Technica
http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-i...

Report finds many nuclear power plant systems "insecure by design" | Ars Technica
http://arstechnica.com/security/2015/10/report-finds-many-nuclear-power-...

Microsoft sites expose visitors' profile info in plain text | Ars Technica
http://arstechnica.com/security/2015/10/microsoft-sites-expose-visitors-...

Android adware wields potent root exploits to gain permanent foothold | Ars Technica
http://arstechnica.com/security/2015/10/android-adware-wields-potent-roo...

iPhone Malware Is Hitting China. Let's Not Be Next | WIRED
http://www.wired.com/2015/10/iphone-malware-hitting-china-lets-not-next/

Journalist Convicted of Helping Anonymous Hack Tribune Co. | WIRED
http://www.wired.com/2015/10/matthew-keys-reuters-journalist-convicted-o...

Netgear Router Vulnerabilities Public Exploits | Threatpost | The first stop for security news
https://threatpost.com/disclosed-netgear-router-vulnerability-under-atta...

WikiLeaks Wants to Pay $50K for Video of the Kunduz Hospital Bombing | WIRED
http://www.wired.com/2015/10/wikileaks-wants-pay-50k-video-kunduz-bombing/

Hacking Wireless Printers With Phones on Drones | WIRED
http://www.wired.com/2015/10/drones-robot-vacuums-can-spy-office-printer/

October 2015 Adobe Acrobat Adobe Acrobat Patches | Threatpost | The first stop for security news
https://threatpost.com/adobe-to-patch-reader-and-acrobat-next-week/114966/

When Security Experts Gather to Talk Consensus, Chaos Ensues | WIRED
http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chao...

Mobile Identity
http://www.telstraglobal.com/mobile-identity

L-FRESH The LION
http://l-fresh.com/

Risky Business #386 -- Katie Moussouris on the (groan) disclosure debate
0:00 / 66:44

Risky Business Podcast

October 02, 2015

Risky Business #385 -- Richard Bejtlich talks USA/China espionage agreement

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

******LANGUAGE WARNING: The f-bomb features, unbleeped, once in this week's show. Just a note for those of you with the kids in the car.

On this week's show we're chatting with FireEye's chief security strategist Richard Bejtlich about this new agreement between China and the USA. The two countries have apparently agreed that they won't hack each other with the aim of stealing IP anymore. Questions to Richard include: Are they kidding? And: How did they announce this with a straight face?

This week's show is brought to you by Tenable Network Security, big thanks to them. And we're joined by Tenable's very own Jeffrey Man in this week's sponsor interview.

He's an ex NSA cryptographer who now spends his days dealing with PCI stuff. He's over in Canada attending the PCI community meetings in Vancouver, and I spoke to him about what we learned from the leaked Target pentest report and how third party payment firms are changing scope for all sorts of merchants.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Banks: Card Breach at Hilton Hotel Properties - Krebs on Security
http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-pro...

\u200bKmart Australia calls in police over security breach - Computerworld
http://www.computerworld.com.au/article/585784/kmart-australia-calls-pol...

Patreon: Some user names, e-mail and mailing addresses stolen | Ars Technica
http://arstechnica.com/security/2015/10/patreon-some-user-names-e-mail-a...

A billion Android phones are vulnerable to new Stagefright bugs | Ars Technica
http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vul...

CIA officers pulled from China because of OPM breach | Ars Technica
http://arstechnica.com/tech-policy/2015/09/cia-officers-pulled-from-chin...

China PLA Unit 78020 Cyberespionage Naikon APT | Threatpost | The first stop for security news
https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/11...

From Radio to Porn, British Spies Track Web Users' Online Identities
https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-user...

Obama administration explored ways to bypass smartphone encryption - The Washington Post
https://www.washingtonpost.com/world/national-security/obama-administrat...

This New Campaign Wants To Help Surveillance Agents Quit NSA or GCHQ | WIRED
http://www.wired.com/2015/09/campaign-help-surveillance-agents-quit-nsa-...

Car Hack Technique Uses Dealerships to Spread Malware | WIRED
http://www.wired.com/2015/10/car-hacking-tool-turns-repair-shops-malware...

That Big Security Fix for Credit Cards Won't Stop Fraud | WIRED
http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/

Google's Three Tips for Sabotaging the Cybercrime Economy | WIRED
http://www.wired.com/2015/09/google-offers-3-lessons-crippling-online-cr...

ATM Skimmer Gang Firebombed Antivirus Firm - Krebs on Security
http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus...

Dyreza Dyre Trojan Phishing IT Supply Chain Credentials | Threatpost | The first stop for security news
https://threatpost.com/dyreza-trojan-targeting-it-supply-chain-credentia...

JavaScript-Based DDoS Peaks at 275,000 Requests Per Second | Threatpost | The first stop for security news
https://threatpost.com/javascript-ddos-attack-peaks-at-275000-requests-p...

Nerves rattled by highly suspicious Windows Update delivered worldwide [Updated] | Ars Technica
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspici...

Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper | Ars Technica
http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-complet...

Botnet preying on Linux computers delivers potent DDoS attacks | Ars Technica
http://arstechnica.com/security/2015/09/botnet-preying-on-linux-computer...

Storing secret crypto keys in the Amazon cloud? New attack can steal them | Ars Technica
http://arstechnica.com/security/2015/09/storing-secret-crypto-keys-in-th...

How hackers can access iPhone contacts and photos without a password | Ars Technica
http://arstechnica.com/security/2015/09/how-hackers-can-access-iphone-co...

TrueCrypt Security Vulnerabilities Patched in VeraCrypt | Threatpost | The first stop for security news
https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-...

SAP Fixes A Dozen Vulnerabilities in HANA | Threatpost | The first stop for security news
https://threatpost.com/sap-patches-12-sql-injection-xss-vulnerabilities-...

Mozilla Addresses 14-Year-Old Bug in Firefox 41 | Threatpost | The first stop for security news
https://threatpost.com/mozilla-fixes-14-year-old-bug-in-firefox-41/114818/

Cisco Fixes Denial of Service, Bypass Vulnerabilities in IOS | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-denial-of-service-bypass-vulnerabil...

Apple Patches 100+ Vulnerabilities in OS X, Safari, iOS | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-100-vulnerabilities-in-os-x-safari-...

US and China Reach Historic Agreement on Economic Espionage | WIRED
http://www.wired.com/2015/09/us-china-reach-historic-agreement-economic-...

Marshall & The Fro - Marshall Okell
http://marshallokell.com/albums/marshall-the-fro

Risky Business #385 -- Richard Bejtlich talks USA/China espionage agreement
0:00 / 63:28

Risky Business Podcast

September 24, 2015

Risky Business #384 -- Mark Dowd talks AirDrop pwnage, XCode iOS scandal

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

We've got a great show for you this week. Mark Dowd drops by to talk about the recent spate of Trojaned iOS apps that made it into Apple's China App Store. We also talk to him about his awesome AirDrop bug. How did it work?

This week's sponsor segment is actually a real cracker. Context IS consultant David Klein tells us how he owned an entire cloud platform by enumerating some shitty 90s-style bugs in some third party libraries they were using. It's comedy gold. This cloud platform that uses security at a selling point. It's bad.

Really embarrassing.

It's great work and the sort of research you expect to see out of a company like Context IS, who are, of course, this week's sponsor.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

OPM breach included five times more stolen fingerprints | Ars Technica
http://arstechnica.com/security/2015/09/opm-breach-included-five-times-m...

Inside Target Corp., Days After 2013 Breach - Krebs on Security
http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-br...

XcodeGhost apps haunting iOS App Store more numerous than first reported | Ars Technica
http://arstechnica.com/security/2015/09/xcodeghost-apps-haunting-ios-app...

Spy Agency Contractor Puts Out a $1M Bounty for an iPhone Hack | WIRED
http://www.wired.com/2015/09/spy-agency-contractor-puts-1m-bounty-iphone...

Google's own researchers challenge key Android security talking point | Ars Technica
http://arstechnica.com/security/2015/09/googles-own-researchers-challeng...

Symantec employees fired for issuing rogue HTTPS certificate for Google | Ars Technica
http://arstechnica.com/security/2015/09/symantec-employees-fired-for-iss...

In blunder threatening Windows users, D-Link publishes code-signing key | Ars Technica
http://arstechnica.com/security/2015/09/in-blunder-threatening-windows-u...

Active malware campaign uses thousands of WordPress sites to infect visitors | Ars Technica
http://arstechnica.com/security/2015/09/active-malware-campaign-uses-tho...

Serious Imgur bug exploited to execute worm-like attack on 8chan users | Ars Technica
http://arstechnica.com/security/2015/09/serious-imgur-bug-exploited-to-e...

Trojan targets online poker sites, peeks at players' cards | Ars Technica
http://arstechnica.com/security/2015/09/trojan-targets-online-poker-site...

Seven years of malware linked to Russian state-backed cyber espionage | Ars Technica
http://arstechnica.com/security/2015/09/seven-years-of-malware-linked-to...

Security wares like Kaspersky AV can make you more vulnerable to attacks | Ars Technica
http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av...

China tells US tech companies to sign PRISM-like cyber-loyalty pact | Ars Technica
http://arstechnica.com/tech-policy/2015/09/china-tells-us-tech-companies...

India's daft draft anti-encryption law torn up after world+dog points out its stupidity \u2022 The Register
http://www.theregister.co.uk/2015/09/22/india_encryption_withdrawl/

Malvertisers slam Forbes, Realtor with world's worst exploit kits \u2022 The Register
http://www.theregister.co.uk/2015/09/23/malvertising_forbes/

Hackers Launch Balloon Probe Into the Stratosphere to Spy on Drones | WIRED
http://www.wired.com/2015/09/balloon-spy-probe-deep-sweep/

IT security spending to hit $75.4bn in 2015 despite currency issues, says Gartner \u2022 The Register
http://www.theregister.co.uk/2015/09/23/it_spending_forecast_gartner/

SONY HACK WAS WAR says FBI, and 'we're still struggling to hire talent' \u2022 The Register
http://www.theregister.co.uk/2015/09/18/sony_hack_was_war_says_fbi_still...

Control Flow Guard Mitigation Bypass | Threatpost | The first stop for security news
https://threatpost.com/bypass-developed-for-microsoft-memory-protection-...

Hack Brief: Mobile Manager's Security Hole Would Let Hackers Wipe Phones | WIRED
http://www.wired.com/2015/09/hack-brief-popular-mobile-phone-manager-ope...

Crash Google Chrome with one tiny URL: We cram a probe in this bug \u2022 The Register
http://www.theregister.co.uk/2015/09/20/chrome_url_crash/

Adobe Patches 23 Vulnerabilities in Flash Player | Threatpost | The first stop for security news
https://threatpost.com/adobe-patches-23-critical-vulnerabilities-in-flas...

Bugzilla Privilege Escalation Security Patch | Threatpost | The first stop for security news
https://threatpost.com/details-surface-on-patched-bugzilla-privilege-esc...

Context Information Security
http://www.contextis.com/

HopeStreet Recordings | The heart and soul of Brunswick since 2009
http://www.hopestreetrecordings.com/

Risky Business #384 -- Mark Dowd talks AirDrop pwnage, XCode iOS scandal
0:00 / 53:40

Risky Business Podcast

September 17, 2015

Risky Business #383 -- Inside FireEye's research gag

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we take a look at what the hell it happening in Germany, where FireEye sought and obtained an ex parte injunction against a bunch of security researchers over a presentation they were about to do at 44Con. We speak with infosec lawyer Alex Urbelis -- he was at 44Con when all this came to light and he shares his insights.

This week's show is sponsored by Senetas. They're a publicly listed company based in Melbourne that makes hardware encryption gear. Terribly sexy, layer 2 stuff actually. This week the company's co-founder and CTO Julian Fay joins the show to talk about the NSA's recent push to get people using encryption algorithms that are resistant to quantum computing-based attacks.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

beist on Twitter: "Just another stagefright 0day by my coworker, chpie. this one is reasonably reliable, more than 50% against Nexus 5. http://t.co/V5qhKvOr6C"
https://twitter.com/beist/status/643579728687841280

Project Zero: Stagefrightened?
http://googleprojectzero.blogspot.com.au/2015/09/stagefrightened.html

Let's Encrypt Issues First Cert | Threatpost | The first stop for security news
https://threatpost.com/first-lets-encrypt-free-certificate-goes-live/114...

Japan charges Bitcoin exchange CEO with embezzlement - Yahoo News
http://news.yahoo.com/japan-charges-bitcoin-exchange-ceo-embezzlement-ji...

Atlanta's Bitpay got hacked for $1.8 million in bitcoin - Atlanta Business Chronicle
http://www.bizjournals.com/atlanta/news/2015/09/16/atlantas-bitpay-got-h...

Cryptome founder revokes PGP keys after weird 'compromise' \u2022 The Register
http://www.theregister.co.uk/2015/09/16/cryptome_revokes_pgp_keys_after_...

Scan of Internet for Compromised Cisco Routers Finds Fewer Than 100 | Threatpost | The first stop for security news
https://threatpost.com/scan-of-ipv4-space-for-implanted-cisco-routers-fi...

Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked | Ars Technica
http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-mill...

Ashley Madison passwords like "thisiswrong" tap cheaters' guilt and denial | Ars Technica
http://arstechnica.com/security/2015/09/ashley-madison-passwords-like-th...

DARPA Protecting Software From Reverse Engineering Through Obfuscation | Threatpost | The first stop for security news
https://threatpost.com/darpa-protecting-software-from-reverse-engineerin...

Installation of Tor Relays in Libraries Attracts DHS Attention | Threatpost | The first stop for security news
https://threatpost.com/installation-of-tor-relays-in-library-attracts-dh...

Researchers Outline Bugs in Yahoo, PayPal, Magento | Threatpost | The first stop for security news
https://threatpost.com/researchers-outline-vulnerabilities-in-yahoo-payp...

'To read this page, please turn off your ad blocker...' \u2022 The Register
http://www.theregister.co.uk/2015/09/15/to_read_this_page_please_turn_of...

CoreBot Adds New Capabilities, Transitions to Banking Trojan | Threatpost | The first stop for security news
https://threatpost.com/corebot-adds-new-capabilities-transitions-to-bank...

GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars | WIRED
http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-mill...

Hack Brief: Emergency-Number Hack Bypasses Android Lock Screens | WIRED
http://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily...

Shedload of security bugs squashed in iOS 9 - what the hell went wrong with iOS 8? \u2022 The Register
http://www.theregister.co.uk/2015/09/16/ios_9_security_updates/

AirDrop hole deposits stealth malware on all pre-iOS 9 Apple devices \u2022 The Register
http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/

Apple mitigates but doesn't fully fix critical iOS Airdrop vulnerability | Ars Technica
http://arstechnica.com/security/2015/09/apple-mitigates-but-doesnt-fully...

New Debian Releases Fix PHP, VirtualBox Bugs | Threatpost | The first stop for security news
https://threatpost.com/new-debian-releases-fix-php-virtualbox-bugs/114655/

WordPress Shortcodes Security Patch | Threatpost | The first stop for security news
https://threatpost.com/wordpress-patches-serious-shortcodes-core-engine-...

Bug Bounties, (Non) Lawsuits and Working with the Research Community \xab Executive Perspective | FireEye Inc
https://www.fireeye.com/blog/executive-perspective/2015/09/bug_bounties_...

Lattice-based cryptography - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Lattice-based_cryptography

Quantum-safe Security : Cloud Security Alliance
https://cloudsecurityalliance.org/group/quantum-safe-security/

NSA preps quantum-resistant algorithms to head off crypto-apocalypse | Ars Technica
http://arstechnica.com/security/2015/08/nsa-preps-quantum-resistant-algo...

Risky Business #383 -- Inside FireEye's research gag
0:00 / 57:38

Risky Business Podcast

September 10, 2015

Risky Business #382 -- Charlie Miller talks car hax, Uber

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're checking in with Charlie Miller. We chat car hacking and we also (kind of) find out what he's up to now he's working at Uber.

This week's show is brought to you by HackLabs, an Australian security consultancy. They're a key sponsor of Australia's Cyber Security Challenge, which is basically a CTF for Australian CS students. What makes this one a bit different is it's being run by the Prime Minister's Office, which is, yeah, unexpected. Chris joins us later to discuss the challenge, that's this week's sponsor interview.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Is John McAfee running for US president? 'My campaign manager told me not to comment' \u2022 The Register
http://www.theregister.co.uk/2015/09/08/mcafee2016/

Ex-Ashley Madison CTO Threatens Libel Suit - Krebs on Security
http://krebsonsecurity.com/2015/09/ex-ashley-madison-cto-threatens-libel...

Ashley Madison made dumb security mistakes, researcher says \u2022 The Register
http://www.theregister.co.uk/2015/09/08/ashley_madison_made_dumb_securit...

Extorting money from Ashley Madison customers is actually pretty easy | Ars Technica
http://arstechnica.com/business/2015/09/extorting-money-from-ashley-madi...

Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions | Ars Technica
http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-spons...

Lockpickers 3-D Print TSA Master Luggage Keys From Leaked Photos | WIRED
http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leak...

Russian Spy Gang Hijacks Satellite Links to Steal Data | WIRED
http://www.wired.com/2015/09/turla-russian-espionage-gang-hijacks-satell...

The Feds Need a Warrant to Spy With Stingrays From Now On | WIRED
http://www.wired.com/2015/09/feds-need-warrant-spy-stingrays-now/

The Untold Story of Silk Road, Part 2: The Fall | WIRED
http://www.wired.com/2015/05/silk-road-2/

US counter-intel czar to hack victims: "raise shields" against spearphishing | Ars Technica
http://arstechnica.com/security/2015/09/us-counterintelligence-czar-tell...

Director of national intelligence: Snowden forced "needed transparency" | Ars Technica
http://arstechnica.com/tech-policy/2015/09/director-of-national-intellig...

FTC, Experts Push Startups to Think About Security From the Beginning | Threatpost | The first stop for security news
https://threatpost.com/ftc-experts-push-startups-to-think-about-security...

Bitcoin cyberextortionists are blackmailing banks, corporations | Ars Technica
http://arstechnica.com/business/2015/09/uk-banks-corporations-are-being-...

MS researchers claim to crack encrypted database with old simple trick | Ars Technica
http://arstechnica.com/security/2015/09/ms-researchers-claim-to-crack-en...

Researchers respond to developer's accusation that they used crypto wrong | Ars Technica
http://arstechnica.com/information-technology/2015/09/researchers-respon...

Mozilla: data stolen from hacked bug database was used to attack Firefox | Ars Technica
http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-...

Serious bug causes "quite a few" HTTPS sites to reveal their private keys | Ars Technica
http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-h...

Many new top-level domains have become Internet's "bad neighborhoods" [Updated] | Ars Technica
http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-...

Lateline - 09/09/2015: Its been described by the Government as its latest security weapon, but is the National Facial Biometric Matching Capability open to misuse?
http://www.abc.net.au/lateline/content/2015/s4309519.htm

Gloves on as Googler deposits foul zero-day on Kaspersky lawn \u2022 The Register
http://www.theregister.co.uk/2015/09/08/kaspersky_0day/

Hacker drops zero-day, opens FireEye fire sale \u2022 The Register
http://www.theregister.co.uk/2015/09/08/fireeye_0day/

Attack code exploiting Android's critical Stagefright bugs is now public | Ars Technica
http://arstechnica.com/security/2015/09/attack-code-exploiting-androids-...

It's still 2015, and your Windows PC can still be pwned by a webpage \u2022 The Register
http://www.theregister.co.uk/2015/09/08/patch_tuesday_sept2015/

An Android Porn App Takes Your Photo and Holds It to Ransom
http://gizmodo.com/an-android-porn-app-takes-your-photo-and-holds-it-to-...

Greg! The Stop Sign!! by TISM - a metaphor for our collective mortality | Music | The Guardian
http://www.theguardian.com/music/2014/nov/25/greg-the-stop-sign-by-tism-...

TISM - Greg! The Stop Sign!!! - YouTube
https://www.youtube.com/watch?v=z4Sr63_EDBc

Risky Business #382 -- Charlie Miller talks car hax, Uber
0:00 / 56:23

Other Category

September 07, 2015

Serious Business #5 -- Kanye 2020, vaccination-free childcare and the EU refugee crisis

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Hey everyone and welcome to Serious Business number 5! This is the podcast I do about non infosec related topics. It's less of a professional information security digest and more of an excuse for me to blab with my cohost, comedian Dan Ilic, about serious stuff every few weeks.

WARNING: Contains a fair bit of discussion about Australian politics. You may be permanently scarred after listening.

On this edition of the show we're talking to Dan about a bunch of stuff. Kanye West has apparently announced he's running for president in 2020, we talk about that. We talk about Donald Trump because, wow... just wow...

Then we move on to the depressing stuff, the European refugee crisis. Are the handful of flashpoint images and stories actually going to get people motivated about fixing the wider problem? Or will they result in a few Kickstarters to directly help the affected individuals, absolving donors of their first world guilt? We have a bob each way on that one.

We talk about the vaccination free childcare centre springing up in my 'hood -- geez, what could go wrong there -- and finally we look at the way streaming services are reshaping the media landscape, in particular the types of shows that are being commissioned. Could NetFlix spell the end of high-quality tv news and current affairs?

Serious Business #5 -- Kanye 2020, vaccination-free childcare and the EU refugee crisis
0:00 / 34:54

Risky Business Podcast

September 03, 2015

Risky Business #381 -- Samy Kamkar on his outlaw days

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with hacker superstar and YouTube phenomenon Samy Kamkar. Samy is a security researcher of note -- his recent hardware hacks have been coming thick and fast. This week I spoke to him about his brush with the law following his unleashing of the Samy worm on MySpace a decade ago, some of his recent research and his plans for the future.

This week's show is brought to you by Tenable Network Security! Big thanks to Tenable for its support of the Risky Business podcast, we sure do appreciate it. So in this week's sponsor interview we're speaking with Tenable's very own Cris Thomas, a.k.a. Space Rogue. He was one of the early l0pht crew and this week we get his thoughts of the encroachment of security into pop culture and mainstream media. Between the Ashley Madison data breach's media impact and the fantastic USA Network television program Mr. Robot, is the security community finally getting the love its been craving all this time?

Adam Boileau, as always, joins the show for a look at the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

12 Must-Follow Feeds in the World of Security | WIRED
http://www.wired.com/2015/09/12-must-follow-feeds-world-security/

Prepare to be Thunderstruck: What if 'deuszu' ISN'T the Ashley Madison hacker? \u2022 The Register
http://www.theregister.co.uk/2015/09/01/prepare_to_be_thunderstruck_what...

What us worry? Ashley Madison says it added over 100K users last week | Ars Technica
http://arstechnica.com/security/2015/08/what-us-worry-ashley-madison-say...

Ecuador Considered Smuggling Julian Assange to Freedom in a Bag | WIRED
http://www.wired.com/2015/09/ecuador-considered-smuggling-julian-assange...

Uber Hires the Hackers Who Wirelessly Hijacked a Jeep | WIRED
http://www.wired.com/2015/08/uber-hires-hackers-wirelessly-hijacked-jeep/

Malware infecting jailbroken iPhones stole 225,000 Apple account logins | Ars Technica
http://arstechnica.com/security/2015/08/malware-infecting-jailbroken-iph...

China and Russia cross-referencing OPM data, other hacks to out US spies | Ars Technica
http://arstechnica.com/security/2015/08/china-and-russia-cross-referenci...

Lizard Squad launches DDoS against UK law enforcement agency | Ars Technica
http://arstechnica.com/security/2015/09/lizard-squad-launches-ddos-again...

Six Nabbed for Using LizardSquad Attack Tool - Krebs on Security
http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-atta...

Spooks, plod and security industry join to chase bank hacker \u2022 The Register
http://www.theregister.co.uk/2015/08/28/irate_security_posse_intel_spook...

BitTorrent patched against flaw that allowed crippling DoS attacks | Ars Technica
http://arstechnica.com/security/2015/08/bittorrent-patched-against-flaw-...

Former security intern admits developing super-stealthy Android spyware | Ars Technica
http://arstechnica.com/security/2015/08/former-security-intern-admits-de...

Android ransomware uses XMPP chat to call home, claims it's from NSA | Ars Technica
http://arstechnica.com/security/2015/09/android-ransomware-uses-xmpp-cha...

OPM (Mis)Spends $133M on Credit Monitoring - Krebs on Security
http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/

White House eyes sanctions for China over cyber-theft of trade secrets | Ars Technica
http://arstechnica.com/tech-policy/2015/08/white-house-eyes-sanctions-fo...

Lawyer: Turkey Arrested Journalists to Deter Foreign Media - ABC News
http://abcnews.go.com/International/wireStory/lawyer-turkey-arrested-jou...

Jihadist Fan Club CryptoCrap - Hacker OPSEC
http://grugq.github.io/blog/2014/08/09/jihadist-fan-crypto/

FBI: $1.2B Lost to Business Email Scams - Krebs on Security
http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/

How a bug in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours
https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-expos...

Associated Press sues FBI for impersonating its site to install spyware \u2022 The Register
http://www.theregister.co.uk/2015/08/28/associated_press_sues_fbi_for_im...

Netflix Sleepy Puppy Cross-Site Scripting Payload Framework | Threatpost | The first stop for security news
https://threatpost.com/netflix-sleepy-puppy-awakens-xss-vulnerabilities-...

xss-filters
https://www.npmjs.com/package/xss-filters

secure-handlebars
https://www.npmjs.com/package/secure-handlebars

Sneaky adware caught accessing users' Mac Keychain without permission | Ars Technica
http://arstechnica.com/security/2015/09/sneaky-adware-caught-accessing-u...

Attacks accessing Mac keychain without permission date back to 2011 | Ars Technica
http://arstechnica.com/security/2015/09/attacks-accessing-mac-keychain-w...

Google Chrome 45 Security Patches, Bug Bounty Awards | Threatpost | The first stop for security news
https://threatpost.com/google-patches-critical-vulnerabilities-in-chrome...

Cyber Security Challenge Australia
https://www.cyberchallenge.com.au/

Combo Breaker - motorized combo lock cracking device - YouTube
https://www.youtube.com/watch?v=YcpSvHpbHQ4

Home by waxheadmusic | Free Listening on SoundCloud
https://soundcloud.com/waxheadmusic/home

InControl Remote Mobile App | Land Rover USA
http://www.landroverusa.com/ownership/incontrol/index.html

Risky Business #381 -- Samy Kamkar on his outlaw days
0:00 / 77:38