Podcasts

News, analysis and commentary

Risky Business #341 -- Beware of the poodle

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's show we're chatting with Matt Solnik of Accuvant Labs about his stellar presentation at Breakpoint last week. In this interview he describes how he can leverage crappy carrier management client software into full remote compromise attacks against most smartphones, including fully patched iOS8 and Android. It's savage stuff and if you work in telcoland you'd be nuts to miss it.

This week's show is brought to you by tenable network security. Tenable's very own Marcus Ranum will be along in this week's sponsor interview to chime in on desktop virtualisation trends, as well as cloud, remote desktop, the browser as a terminal and enterprise computing in general. The mainframe is dead. Long live the mainframe. It's a great chat.

Show notes

There Is a New Security Vulnerability Named POODLE, and It Is Not Cute | WIRED
http://www.wired.com/2014/10/poodle-explained/

Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack | Threatpost | The first stop for security news
http://threatpost.com/browser-vendors-move-to-disable-sslv3-in-wake-of-p...

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker | WIRED
http://www.wired.com/2014/10/bahraini-activists-go-after-spyware-source/

NSA May Have Undercover Operatives in Foreign Companies | WIRED
http://www.wired.com/2014/10/nsa-may-undercover-operatives-foreign-compa...

Russian 'Sandworm' Hack Has Been Spying on Foreign Governments for Years | WIRED
http://www.wired.com/2014/10/russian-sandworm-hack-isight/

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED
http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online/

Judge Rejects Defense That FBI Illegally Hacked Silk Road-On a Technicality | WIRED
http://www.wired.com/2014/10/silk-road-judge-technicality/

Snapchat Can't Stop the Parasite Apps That Screw Its Users | WIRED
http://www.wired.com/2014/10/snapchat-parasite-apps/

Developer of hacked Snapchat web app says "Snappening" claims are hoax [Updated] | Ars Technica
http://arstechnica.com/security/2014/10/developer-of-hacked-snapchat-web...

Dropbox Denies Hack, Says 'Your Stuff is Safe' | Threatpost | The first stop for security news
http://threatpost.com/dropbox-denies-hack-says-your-stuff-is-safe/108824

Malware Based Credit Card Breach at Kmart - Krebs on Security
http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-k...

Signed Malware = Expensive "Oops" for HP - Krebs on Security
http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/

Who's Watching Your WebEx? - Krebs on Security
http://krebsonsecurity.com/2014/10/whos-watching-your-webex/

Doubling up on Ads Code Bounties
https://www.facebook.com/notes/protect-the-graph/doubling-up-on-ads-code...

Heistmeisters crack cost of safecrackers with $150 widget \u2022 The Register
http://www.theregister.co.uk/2014/10/13/heistmeisters_crack_cost_of_safe...

Shellshock Exploits Spreading Mayhem Botnet Malware | Threatpost | The first stop for security news
http://threatpost.com/shellshock-exploits-spreading-mayhem-botnet-malwar...

October 2014 Oracle Java Security Patches | Threatpost | The first stop for security news
http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracl...

Fixes for IE, Flash Player in October Patch Tuesday Release | Threatpost | The first stop for security news
http://threatpost.com/fixes-for-ie-flash-player-in-october-patch-tuesday...

Firms Detail Zero Days Targeting Windows Kernel | Threatpost | The first stop for security news
http://threatpost.com/two-patched-zero-days-targeting-windows-kernel/108860

Drupal Fixes Highly Critical SQL Injection Flaw | Threatpost | The first stop for security news
http://threatpost.com/drupal-fixes-highly-critical-sql-injection-flaw/10...

SAP Patches Seven Vulnerabilities in Three Products | Threatpost | The first stop for security news
http://threatpost.com/sap-patches-seven-vulnerabilities-in-three-product...

BlackBerry 10 Open to Bug That Allows Malicious App Installation | Threatpost | The first stop for security news
http://threatpost.com/blackberry-10-devices-open-to-bug-that-allows-mali...

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
http://googleonlinesecurity.blogspot.co.nz/2014/10/this-poodle-bites-exp...

Speakers \xbb Breakpoint 2014
https://ruxconbreakpoint.com/speakers/#Mathew Solnik

Tower Of Power - Soul Vaccination - YouTube
https://www.youtube.com/watch?v=46hd6DZS0ww

Risky Business #341 -- Beware of the poodle
0:00 / 69:01

Risky Business #340 -- BPX droppin' iOS8 remote jailbreaks like it "ain't no thang"

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

This week's show was recorded on site at the Ruxcon Breakpoint conference in Melbourne. There have been a handful of absolute jaw-droppers among the presentations here, including a demo showcasing remote code exec against *most* mobile devices, including fully patched iOS8.

This week's show is brought to you by Context information security and we've got a great chat coming up with Mark Graham, Context's head of threat intelligence. He spends most of his days hip deep in data Context has gathered on APT groups, and he's seen some interesting trends. Bad guys are apparently using vendor analysis/blog posts to improve their "product", the Russians are getting in on the action and there's a renewed effort in keeping APT campaigns stealthy.

Show notes

Shellshock-like Vulnerability May Affect Windows | Threatpost | The first stop for security news
http://threatpost.com/shellshock-like-weakness-may-affect-windows/108696

White hat claims Yahoo and WinZip hacked by "shellshock" exploiters | Ars Technica
http://arstechnica.com/security/2014/10/white-hat-claims-yahoo-and-winzi...

Yahoo says attack wasn't Shellshock - CNET
http://www.cnet.com/news/yahoo-late-to-fix-shellshock-threat/

That Unpatchable USB Malware Now Has a Patch ... Sort Of | WIRED
http://www.wired.com/2014/10/unpatchable-usb-malware-now-patchsort/

Twitter Sues the Government for Violating Its First Amendment Rights | WIRED
http://www.wired.com/2014/10/twitter-sues-government/

Feds 'Hacked' Silk Road Without a Warrant? Perfectly Legal, Prosecutors Argue | WIRED
http://www.wired.com/2014/10/feds-silk-road-hack-legal/

Finding a Video Poker Bug Made These Guys Rich-Then Vegas Made Them Pay | WIRED
http://www.wired.com/2014/10/cheating-video-poker/

AT&T Hit By Insider Breach | Threatpost | The first stop for security news
http://threatpost.com/att-hit-by-insider-breach/108705

Huge Data Leak at Largest U.S. Bond Insurer - Krebs on Security
http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-in...

Arbor: DDoS Attacks Getting Bigger as Reflection Increases | Threatpost | The first stop for security news
http://threatpost.com/arbor-ddos-attacks-getting-bigger-as-reflection-in...

Create app-specific passwords for iCloud - CNET
http://www.cnet.com/how-to/how-to-create-app-specific-passwords-for-icloud/

Bugzilla Zero-Day Exposes Zero-Day Bugs - Krebs on Security
http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/

Tyupkin ATM Malware Discovered by Kaspersky Lab | Threatpost | The first stop for security news
http://threatpost.com/tyupkin-malware-infects-atms-in-eastern-europe/108734

Reddit-powered botnet infected thousands of Macs worldwide | Ars Technica
http://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-t...

FDA: Medical device cybersecurity necessary, but optional | Ars Technica
http://arstechnica.com/security/2014/10/fda-medical-device-cybersecurity...

Adobe's e-book reader sends your reading logs back to Adobe-in plain text [Updated] | Ars Technica
http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-...

October 2014, Melbourne
http://www.contextis.com/events/oasis/october-2014-melbourne/

Alice Russell - Twin Peaks - YouTube
https://www.youtube.com/watch?v=vySmFB_vUeg

Risky Business #340 -- BPX droppin' iOS8 remote jailbreaks like it "ain't no thang"
0:00 / 60:14

Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with Neel Mehta, a security researcher with Google. Neel is best known for finding the Heartbleed bug, and he joins us this week to talk about Heartbleed, ShellShock, the security of SSL stacks and where he expects vuln research to go in the future.

Funnily enough this is Neel's first interview about Heartbleed, so I guess we can call this a scoop!

This week's show is brought to you by Bromium, makers of fine, fine exploit mitigation software. Personally I'm a real fan of Bromium's stuff. They're relatively new, but if you have a Java problem in your enterprise, as in, you have to have Java in your enterprise, Bromium has a solution for you -- they make micro-vm software that mitigates memory corruption bugs and it's actually quite good.

Bromium's chief security architect Rahul Kashyap joins us this week to talk about some malvertising research he presented at the virus bulletin conference recently, and he also previews the results of Bromium's code audit. That's right, a security software company actually had their software audited! Bowl me over. The audit report will be available next week, but we get the inside scoop on that before it's out.

Show notes

JPMorgan hack exposed data of 83 million, among biggest breaches in history
http://www.theage.com.au/business/world-business/jpmorgan-hack-exposed-d...

Xen Bug Could cause Crashes, Expose Cloud Data | Threatpost | The first stop for security news
http://threatpost.com/serious-hypervisor-bug-fix-causes-unexpected-cloud...

Musings on the recent Xen Security Advisories | Bromium Labs
http://labs.bromium.com/2014/10/01/musings-on-the-recent-xen-security-ad...

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 | Ars Technica
http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-i...

OpenVPN vulnerable to Shellshock Bash vulnerability | Threatpost | The first stop for security news
http://threatpost.com/openvpn-vulnerable-to-shellshock-bash-vulnerabilit...

Fiora\u202e\u2604anreteA on Twitter: "RT "cmd.exe #shellshock" @dakami: "this is why we can't have nice strings" http://t.co/9LPTbtVazr"
https://twitter.com/FioraAeterna/status/517791046835920897

Silk Road Lawyers Poke Holes in FBI's Story - Krebs on Security
http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-holes-in-fbis-...

The Unpatchable Malware That Infects USBs Is Now on the Loose | WIRED
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan
https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-tr...

If the information from https://www.lacoon.com/lacoon-discovers-xsser-mrat-first - Pastebin.com
http://pastebin.com/Zkhpn8bG

Holder urges tech companies to leave device backdoors open for police - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/30/holder-urge...

Cops Are Handing Out Spyware to Parents-With Zero Oversight | WIRED
http://www.wired.com/2014/10/cops-giving-parents-spyware/

The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED
http://www.wired.com/2014/10/stealthgenie-indictment/

CloudFlare Rolls Out Free SSL | Threatpost | The first stop for security news
http://threatpost.com/cloudflare-rolls-out-free-ssl/108593

FBI to Open Up Malware Investigator Portal to External Researchers | Threatpost | The first stop for security news
http://threatpost.com/fbi-to-open-up-malware-investigator-portal-to-exte...

Chrome bug hunters, Google's giving you a raise - CNET
http://www.cnet.com/news/chrome-bug-hunters-googles-giving-you-a-raise/

WPScan Vulnerability Database WordPress Security Resource | Threatpost | The first stop for security news
http://threatpost.com/wpscan-vulnerability-database-a-new-wordpress-secu...

Second Same-Origin Policy Bypass Flaw Haunts Android Browser | Threatpost | The first stop for security news
http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-andro...

Advertising firms struggle to kill malvertisements | Ars Technica
http://arstechnica.com/security/2014/09/advertising-firms-struggle-to-ki...

www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf
http://www.bromium.com/sites/default/files/bromium-report-optimized-mal-...

The Basics
https://www.facebook.com/thebasics

Leftovers | The Basics
http://thebasics.bandcamp.com/album/leftovers-2

Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock
0:00 / 59:35

Risky Business #338 -- BASHPOCALYPSE 2014

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In addition to covering the end of the world, this week's Risky Business features Don Bailey of Lab Mouse Security on his excellent IoT blog post, written largely in response to a Daily Dave post by Dave Aitel on so-called "junk hacking".

This week's show is brought to you by Context Information Security, big thanks to them! And in this week's sponsor interview we chat with Context's director of research Michael Jordon about his adventures in getting old computer games to work on printer screens. It's actually pretty cool.

Show notes

Shell Shock: Bash bug labelled largest ever to hit the internet
http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-l...

Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks | WIRED
http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create...

The Internet Braces for the Crazy Shellshock Worm | WIRED
http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/

Patching Bash Vulnerability a Challenge for ICS, SCADA | Threatpost | The first stop for security news
http://threatpost.com/patching-bash-vulnerability-a-challenge-for-ics-sc...

Bash Botnet Exploit Found, Bash Patches Incomplete | Threatpost | The first stop for security news
http://threatpost.com/bash-exploit-reported-first-round-of-patches-incom...

Mozilla Patches RSA Signature Forgery in NSS, Firefox | Threatpost | The first stop for security news
http://threatpost.com/mozilla-patches-rsa-signature-forgery-in-firefox-t...

Xen security bug, you say? Amazon readies GLORIOUS GLOBAL CLOUD REBOOT \u2022 The Register
http://www.theregister.co.uk/2014/09/25/amazon_readies_global_glory_reboot/

Amazon forced to reboot EC2 to patch Xen bug - Storage - News - iTnews.com.au
http://www.itnews.com.au/News/396180,amazon-forced-to-reboot-ec2-to-patc...

Terror laws clear Senate, enabling entire Australian web to be monitored and whistleblowers to be jailed
http://www.smh.com.au/digital-life/consumer-security/terror-laws-clear-s...

Senate rejects attempt to limit ASIO's access to devices - Security - Telco/ISP - News - iTnews.com.au
http://www.itnews.com.au/News/396179,senate-rejects-attempt-to-limit-asi...

Charney on Trustworthy Computing: 'I Was the Architect of These Changes' | Threatpost | The first stop for security news
http://threatpost.com/charney-on-trustworthy-computing-i-was-the-archite...

Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits | WIRED
http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/

Home Depot's former security architect had history of techno-sabotage | Ars Technica
http://arstechnica.com/security/2014/09/home-depots-former-security-arch...

Home Depot ignored security warnings for years, employees say | Ars Technica
http://arstechnica.com/security/2014/09/home-depot-ignored-security-warn...

MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code | WIRED
http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-deman...

PayPal takes second cautious step towards Bitcoin - Finance - Security - News - iTnews.com.au
http://www.itnews.com.au/News/392418,paypal-takes-second-cautious-step-t...

Why the Heyday of Credit Card Fraud Is Almost Over | WIRED
http://www.wired.com/2014/09/emv/

Small Signs of Progress on DNSSEC | Threatpost | The first stop for security news
http://threatpost.com/small-signs-of-progress-on-dnssec/108536

Microsoft Online Services Bug Bounty Program Launches | Threatpost | The first stop for security news
http://threatpost.com/microsoft-starts-online-services-bug-bounty/108486

Blackphone Bug Bounty Program Launches on Bugcrowd | Threatpost | The first stop for security news
http://threatpost.com/blackphone-gets-bug-bounty-program-off-ground/108468

Productivity Trumping Security as BYOD Grows | Threatpost | The first stop for security news
http://threatpost.com/productivity-gains-trumping-security-as-byod-grows...

Researcher Discloses Wi-Fi Thermostat Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/researcher-discloses-wi-fi-thermostat-vulnerabilit...

Kali NetHunter turns Android device into hacker Swiss Army knife | Ars Technica
http://arstechnica.com/information-technology/2014/09/kali-nethunter-tur...

The Mouse Trap: No Thing Left Behind
http://blog.securitymouse.com/2014/09/no-thing-left-behind.html

[Dailydave] Junk Hacking Must Stop!
https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746....

Hacking Canon Pixma Printers - Doomed Encryption
http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doo...

Dawn LP/CD | HopeStreet Recordings
http://www.hopestreetrecordings.com/releases/dawn/

Risky Business #338 -- BASHPOCALYPSE 2014
0:00 / 63:05

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's show we chat with The Grugq about the latest invisible.im announcement and we'll also meet the creator of the Ricochet anonymous messenger software, John Brooks.

In this week's sponsor interview we chat with Senetas CTO Julian Fay about an interesting paper on defeating traffic analysis attacks against encrypted cloud storage, and also a "sign of the times" Kickstarter... a group has managed to get a weird little crypto device funded... basically a hardware crypto module. You plug your phone in on one end and your headset in on the other. They've raised over $40k, but who's going to use this?

Show notes

WikiLeaks - SpyFiles 4
https://wikileaks.org/spyfiles4/customers.html

New Zealand secretly built spying program, report says - CNET
http://www.cnet.com/news/new-zealand-secretly-built-spying-program-repor...

Moment of Truth gifts Team Key a late bounce in polls - National - NZ Herald News
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11327321

'Speargun' program is fantasy, says cable operator \u2022 The Register
http://www.theregister.co.uk/2014/09/16/speargun_program_is_fantasy_says...

Student Freya Newman pleads guilty to hacking Frances Abbott design scholarship files | The Australian
http://www.theaustralian.com.au/news/nation/student-freya-newman-pleads-...

Tim Cook explains Apple's privacy policies in open letter - CNET
http://www.cnet.com/news/tim-cook-explains-apples-privacy-policies-in-op...

Apple takes 'very different view' on customer privacy, Cook says - CNET
http://www.cnet.com/news/apple-takes-very-different-view-on-customer-pri...

Apple - Privacy
http://www.apple.com/privacy/

Apple transparency reports allude to Patriot Act demands - CNET
http://www.cnet.com/news/apple-transparency-reports-allude-to-patriot-ac...

Apple Extends Two-Factor Authentication to iCloud | Threatpost | The first stop for security news
http://threatpost.com/apple-extends-two-factor-authentication-to-icloud/...

Three Things Apple Can Do to Fix iCloud's Awful Security | WIRED
http://www.wired.com/2014/09/three-things-apple-can-fix-iclouds-awful-se...

Despite Apple's Privacy Pledge, Cops Can Still Pull Data Off a Locked iPhone | WIRED
http://www.wired.com/2014/09/apple-iphone-security/

Newest Androids will join iPhones in offering default encryption, blocking police - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-andr...

Microsoft closing standalone Trustworthy Computing group, folding into other units - GeekWire
http://www.geekwire.com/2014/microsoft-closing-standalone-trustworthy-co...

Home Depot Data Breach Put 56 Million Cards at Risk | Threatpost | The first stop for security news
http://threatpost.com/56-million-payment-cards-at-risk-in-home-depot-dat...

POS Service Confirms Goodwill Breach Lasted 18 Months | Threatpost | The first stop for security news
http://threatpost.com/pos-service-confirms-goodwill-breach-lasted-18-mon...

Heartbleed to blame for Community Health Systems breach | CSO Online
http://www.csoonline.com/article/2466726/data-protection/heartbleed-to-b...

Announcing Keyless SSL\u2122: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys
http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cl...

SNMP DDoS Attack Spoofs Google DNS Server | Threatpost | The first stop for security news
http://threatpost.com/snmp-based-ddos-attack-spoofs-google-public-dns-se...

OWASP Releases Latest App Sec Testing Guide | Threatpost | The first stop for security news
http://threatpost.com/owasp-releases-latest-app-sec-guide/108396

\u200bInternet's security bug tracker faces its 'Y2K' moment - CNET
http://www.cnet.com/news/internets-security-bug-tracker-faces-its-y2k-mo...

Big Batch of Bugs Fixed in Various Versions of IDA | Threatpost | The first stop for security news
http://threatpost.com/big-batch-of-bugs-fixed-in-various-versions-of-ida...

iOS 8 also comes with bucket of security fixes - CNET
http://www.cnet.com/news/ios-8-also-comes-with-bucket-of-security-fixes/

Android Browser flaw a "privacy disaster" for half of Android users | Ars Technica
http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-d...

September 2014 Adobe Reader Acrobat Patches | Threatpost | The first stop for security news
http://threatpost.com/adobe-gets-delayed-reader-update-out-the-door/108310

My Social SherpaPranking My Roommate With Eerily Targeted Facebook Ads
http://mysocialsherpa.com/the-ultimate-retaliation-pranking-my-roommate-...

WikiLeaks posts 'weaponized malware' for all to download | ZDNet
http://www.zdnet.com/astonishingly-irresponsible-wikileaks-posts-weaponi...

Kiwicon CFP
https://kiwicon.org/cfp2014.txt

JackPair: secure your voice phone calls against wiretapping by Jeffrey Chang & the AWIT team - Kickstarter
https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-p...

MS and University Devs Make The Melbourne Shuffle \u2022 Cloudwards.net
http://www.cloudwards.net/news/ms-and-university-devs-make-the-melbourne...

Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying | WIRED
http://www.wired.com/2014/09/new-encrypted-chat-program-thwarts-nsa-elim...

Why I started invisible.im | Risky Business
http://risky.biz/news_and_opinion/patrick-gray/2014-09-18/why-i-started-...

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet
0:00 / 58:12

Why I started invisible.im

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Before we get started, Ricochet *isn't* ready for mass consumption. It's a really great starting point, but it's currently unaudited and we're making some big changes to it in the next couple of months that will render it incompatible with current versions. If you're still curious, you can download the binaries anyway and have a play with it.

The biggest change is a reimplementation of the comms protocol Ricochet uses to enable chats. The current protocol is a custom binary thing that John Brooks knocked together and a group decision was made to move to something based on a serialisation library like protobuf. John is working on that now under the guidance of HD Moore and The Grugq.

The new protocol will basically be more resistant to attacks. We want Ricochet to be a secure tool, and we must stress that currently it is unaudited. We're planning a code-scan and an informal audit by the invisible.im team, but that hasn't been done yet. So, you know, use a VM if you're the paranoid type.

We're also adding a file transfer capability. John's working full time on both of these features, which should ship around mid November.

After that release we'll look at tightening up the code and shaking out security bugs. The upshot is, from around February next year you'll be able to download a reasonably secure, anonymous chat utility you can use to transfer files.

You can read the Wired story for the background on Ricochet and how the invisible.im team wound up joining forces with John Brooks. But I wanted to spell out the base motivations behind the invisible.im project here in this post.

I've been an information security journalist since around 2001, when I started submitting occasional infosec stories to The Age newspaper in Melbourne. I went full time with journalism in 2002, worked in the ZDNet newsroom (with a fantastic team -- James Pearce, Andrew Colley and Iain Ferguson) in 2003 before going full-time freelance.

I wrote for the Fairfax papers, ZDNet, Wired, Australian Men's Style and a bunch of others, before launching the Risky Business podcast in 2007. It's been my main gig ever since.

During my time in media I've seen some pretty incredible stuff. I've witnessed the rapid decline of newspapers over the last 10 years as they've succumbed to ad dollars going online. And I've also observed the effect readily accessible metadata has had on journalism.

Governments used to respect the media. Not because they admired the role of the media as the fourth estate, but because they knew the media could hurt them. With the fragmentation of the media landscape, that power has been substantially diluted. It's now much more common for authorities to investigate trivial (but inconvenient) leaks -- both from the corporate and government sector -- and the Wikileaks/Manning fiasco of 2010 only served to accelerate the trend.

Every time a source picks up a telephone to call a journalist, there's a record of it. Every time they email, IM, Skype or SMS a journalist, there's a record of it. Authorities can access these metadata records without court issued warrants, and they frequently do. A polite request on a letterhead is all they need.

They won't be able to access the content of those communications without a warrant, but if I publish a story about a leak from the Attorney General's Department and authorities can see that I spoke to someone from AG the day prior, my source is still burned.

Make no mistake: There are serious news and public interest stories that are going unreported because of this.

I founded invisible.im because it solves a need that I've identified in my work -- I need sources to feel confident that they can contact me with public interest information and not be identified by a metadata trail.

Because Ricochet is serverless, there's simply no third party to request metadata from.

This project will, of course, also be of great benefit to non-journalists. People in oppressive regimes can use Ricochet to shield themselves from passive state surveillance. We think there's a lot of promise there, and we'd like to translate the software into languages like Farsi so ordinary people can conduct their risky conversations a little bit more safely.

A lot of people will spend a lot of time asking whether invisible.im is an "NSA-proof" tool. We can't create an "NSA-proof" tool, and we're not claiming Ricochet is, despite the headline on the Wired piece that suggests otherwise.

What we can do is make sure it requires difficult, time consuming, and targeted effort to identify Ricochet users' associations and intercept their chats. We'll also make retrospective identification of leakers by lesser agencies (state police, for example) more or less impossible. (Well, if they're identified it's not because they used Ricochet.)

And while Ricochet may not be "NSA-proof", it certainly makes mass surveillance of its users very, very difficult. Remember that story about the GCHQ grabbing everyone's IM contact lists off the wire as they flew past? Yeah, good luck doing that with Ricochet.

But what about the "tear-rists", I hear you ask?

Well, we're yet to see evidence that mass surveillance has been responsible for any significant wins in the counter terrorism arena. And running Ricochet on your box isn't going to stop the NSA owning you sideways with 0day if you're a legitimate target. Once you're owned you're owned. If you're running Ricochet, the NSA (or equivalent agency) can still map out your IM contacts. But the nice thing is you have to be a target before they own you and do this to you. Until they access your machine, the only person who has your Ricochet contact list is you. Not your IM provider, not your telco. Just you.

I hope this post does something to help people understand why I decided to get involved and bring together some of the smartest people I know to tackle this problem. Invisible.im is seeking to solve a real world problem -- too much metadata is accessible to too many corporate entities and government agencies.

Simple, really.

You can flame Patrick Gray on Twitter.

Risky Business 336 -- Too many cons

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we've got a great interview with Haroon Meer of Thinkst. Thinkst has a paid service that analysis the output of security conferences and puts together reports. Now, some of you might wonder why such a service would be needed, so let's put things in perspective: there were 2,700 conference presentations in the second quarter of this year at 116 events over 140 conference days. Yikes!

Haroon will be along in a bit to talk about the conference content boom, and he's also made their latest report free for Risky Business listeners! As I say, it's part of Thinkst's paid subscription service, so you'd be nuts not to grab it.

This week's show is brought to you by Tenable Network Security, thanks to the guys and gals over there. In this week's sponsor interview we're chatting with Paul Asadoorian, Tenable's product marketing manager for Nessus.

Paul is also well known as the host of the security weekly podcast! It's an infosec podcast with a massive audience that you've no doubt heard of.

We're chatting with Paul about embedded devices. He co-wrote a book on hacking the WRT54g home wireless gateway some years ago and he's gearing up to teach a SANS course on embedded device assessments. So yeah, Paul's going to stop by and discuss the state of all things embedded.

Show notes

Dread Pirate Sunk By Leaky CAPTCHA - Krebs on Security
http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/

FBI's Story of Finding Silk Road's Server Sounds a Lot Like Hacking | WIRED
http://www.wired.com/2014/09/fbi-silk-road-hacking-question/

Should we be worried? Showing on login page : SilkRoad
http://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_be_worried_sh...

Troll or thief? User claims Bitcoin founder Satoshi Nakamoto dox sabotage \u2022 The Register
http://www.theregister.co.uk/2014/09/10/troll_or_thief_user_claims_satos...

PayPal goes crypto-currency with Bitcoin \u2022 The Register
http://www.theregister.co.uk/2014/09/11/paypal_goes_cryptocurrency_with_...

Feds Threatened to Fine Yahoo $250K Daily for Not Complying With PRISM | WIRED
http://www.wired.com/2014/09/feds-yahoo-fine-prism/

Five Million Email Passwords, Addresses Leak Russian Forum | Threatpost | The first stop for security news
http://threatpost.com/five-million-email-passwords-addresses-appear-on-r...

Home Depot Data Breach Confirmed | Threatpost | The first stop for security news
http://threatpost.com/home-depot-confirms-breach-transactions-from-april...

BlackPOS malware confirmed in Home Depot US hack - Security - News - iTnews.com.au
http://www.itnews.com.au/News/391880,blackpos-malware-confirmed-in-home-...

Apple Plans to Extend 2FA to iCloud | Threatpost | The first stop for security news
http://threatpost.com/apple-plans-to-extend-2fa-to-icloud/108106

After hacking, Apple to send out more security alerts to users | Ars Technica
http://arstechnica.com/security/2014/09/after-hacking-apple-to-send-out-...

Barclays brings finger-vein biometrics to Internet banking | Ars Technica
http://arstechnica.com/security/2014/09/barclays-brings-finger-vein-biom...

Researchers find data leaks in Instagram, Grindr, OoVoo and more - CNET
http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr...

Salesforce Warns Customers of Dyreza Banker Trojan Attacks | Threatpost | The first stop for security news
http://threatpost.com/salesforce-warns-customers-of-dyreza-banker-trojan...

Traffic Networks Firm Patches Sensor Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/traffic-networks-company-patches-sensor-vulnerabil...

Microsoft to patch ASP.NET mess even if you don't \u2022 The Register
http://www.theregister.co.uk/2014/09/11/microsoft_kills_dangerous_aspnet...

Cisco Patches Denial-of-Services Vulnerability in IMC | Threatpost | The first stop for security news
http://threatpost.com/us-cert-warns-of-vulnerability-in-cisco-baseboard-...

September 2014 Microsoft Patch Tuesday security bulletins | Threatpost | The first stop for security news
http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175

Critical Fixes for Adobe, Microsoft Software - Krebs on Security
http://krebsonsecurity.com/2014/09/critical-fixes-for-adobe-microsoft-so...

Apache Warns of Tomcat Remote Code Execution Vulnerability | Threatpost | The first stop for security news
http://threatpost.com/apache-warns-of-tomcat-remote-code-execution-vulne...

Infamous "podcast patent" heads to trial | Ars Technica
http://arstechnica.com/tech-policy/2014/09/jim-logan-says-he-invented-po...

thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf
http://thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf

Embedded Device Security Assessments For The Rest Of Us
http://www.sans.org/course/embedded-device-security-assessments

Risky Business 336 -- Too many cons
0:00 / 70:10

Risky Business #335 -- Whaledump hacker could change NZ government

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

I'm back from a two week holiday in beautiful Indonesia, so we'll be spending most of this show catching up on what I missed while I was away! So there's plenty of news to talk about with Adam Boileau, and also a chat about some very interesting politicking going on in New Zealand.

A hacker going by the name of Whaledump has been dropping leaked emails and documents all over the place that are causing all sorts of headaches for the government. If that wasn't enough, Kim Dot Com has jumped into the fray... apparently he has a big reveal coming on September 15th that could change the course of the NZ election campaign. Is this the future of democracy?

This week's show is brought to you by BugCrowd, big thanks to them.

We'll be chatting with BugCrowd head honcho Casey Ellis all about the skills shortage in infosec, particularly in testing. People interested in a career in infosec are using platforms like BugCrowd as a proving ground, but will that pipeline be enough to satiate the demand for talent out there?

Risky Business #335 -- Whaledump hacker could change NZ government
0:00 / 66:55

RB2: Risky Business EXTRA: Brian Snow on quantum crypto

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Here is the portion of my interview with Brian Snow that I didn't have room for in the main show. Snow is concerned that quantum computing breakthroughs are closer than we think and could invalidate much of the technology we depend on to secure data.

RB2: Risky Business EXTRA: Brian Snow on quantum crypto
0:00 / 11:59

RB2: Risky Business EXTRA: Panel recording, Splendour in the Grass

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

This is a recording of a panel I hosted at the Splendour in the Grass music festival forum. It features NSA whistleblower Thomas Drake, WA Greens Senator Scott Ludlam, Underground author Suelette Dreyfus and Edward Snowden's attorney Jesselyn Radack.

RB2: Risky Business EXTRA: Panel recording, Splendour in the Grass
0:00 / 47:55