Podcasts

News, analysis and commentary

Risky Business #391 -- Dell fails hard

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn.

If you haven't heard what they actually did you'll hardly even believe it. That's this week's feature interview.

This week's sponsor guest is Tenable's very own Brian "Jericho" Martin. He's a guy who knows a thing or two about vulnerabilities and the software supply chain. We dodged a bullet with those libpng vulnerabilities of a few weeks ago not really being exploitable. But what if they were? How do you prepare your organisation for some serious bugs dropping in libraries when you're not even sure if you're using that code?

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Clinton Says the US Needs Silicon Valley's Help to Defeat ISIS | WIRED
http://www.wired.com/2015/11/clinton-says-us-needs-silicon-valleys-help-...

Security Manual Reveals the OPSEC Advice ISIS Gives Recruits | WIRED
http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terror...

The Secret ISIS Cyber Guide Was Actually Just An Arabic Guide For Activists - BuzzFeed News
http://www.buzzfeed.com/sheerafrenkel/the-secret-isis-cyber-guide-was-ac...

Bangladesh mulls blocking WhatsApp and Viber to prevent terror activities
http://www.ibtimes.co.in/bangladesh-mulls-blocking-whatsapp-viber-preven...

Iranian military spear-phish of State Department employees detected first by Facebook | Ars Technica
http://arstechnica.com/security/2015/11/iranian-military-spear-phish-of-...

Breach at IT Automation Firm LANDESK - Krebs on Security
http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/

54 Starwood Hotels Hit By Point of Sale Malware | Threatpost | The first stop for security news
https://threatpost.com/starwood-hotel-chain-hit-by-point-of-sale-malware...

Hilton Acknowledges Credit Card Breach - Krebs on Security
http://krebsonsecurity.com/2015/11/hilton-acknowledges-credit-card-breach/

A $10 Tool Can Guess (And Steal) Your Next Credit Card Number | WIRED
http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-st...

Certifications Tracking System Outage and Data Exposure - The Cisco Learning Network
https://learningnetwork.cisco.com/blogs/community_cafe/2015/11/21/certif...

FBI Warns Public Officials of Doxing Threat | Threatpost | The first stop for security news
https://threatpost.com/fbi-warns-public-officials-of-doxing-threat/115429/

The Doctor on a Quest to Save Our Medical Devices From Hackers | WIRED
http://www.wired.com/2015/11/the-doctor-on-a-quest-to-save-our-medical-d...

TrueCrypt is safer than previously reported, detailed analysis concludes | Ars Technica
http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previous...

GlassRAT Remote Access Trojan | Threatpost | The first stop for security news
https://threatpost.com/stealthy-glassrat-spies-on-commercial-targets/115...

VirusTotal Mac OS X App Sandbox Support | Threatpost | The first stop for security news
https://threatpost.com/virustotal-adds-sandbox-execution-for-os-x-apps/1...

Amazon resets account passwords feared compromised - report • The Register
http://www.theregister.co.uk/2015/11/25/amazon_password_reset/

United Airlines Slow to Patch Mobile App Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/united-airlines-slow-to-patch-mobile-app-vulnerab...

Lenovo Patches Vulnerabilities in System Update Service | Threatpost | The first stop for security news
https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-s...

600,000 Arris Modems Plagued by 'Backdoor in a Backdoor' | Threatpost | The first stop for security news
https://threatpost.com/backdoor-in-a-backdoor-identified-in-600000-arris...

VMware Patches Pesky XXE Bug in Flex BlazeDS | Threatpost | The first stop for security news
https://threatpost.com/vmware-patches-pesky-xxe-bug-in-flex-blazeds/115443/

Sony employees on the hack, one year later.
http://www.slate.com/articles/technology/users/2015/11/sony_employees_on...

Dell apologizes for HTTPS certificate fiasco, provides removal tool | Ars Technica
http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certif...

Joe Nord personal blog: New Dell computer comes with a eDellRoot trusted root certificate
http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroo...

Dude, You Got Dell'd: Publishing Your Privates - Blog - Duo Security
https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-pri...

bluejuice - The Reductionist - YouTube
https://www.youtube.com/watch?v=v0N7DDDKsqw


Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're checking in with FireEye's Jonathan Wrolstad. He's a threat intelligence guy at FireEye and they've just published a really interesting report about what a threat group is doing in terms of target recon. They're using marketing company tricks to recon all sorts of high value targets. It's very interesting stuff, and it's likely tied to the Russian state.

This week's show is brought to you by Senetas Security, makers of terrific layer 2 encryption gear. Senetas CTO Julian Fay stops by in this week's sponsor interview to chat about Network Function Virtualisation. It's a new twist on a concept that's been around for a while. It's getting a second wind thanks to some work being done at Etsy, of all places.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Paris Terror Attacks Stoke Encryption Debate - Krebs on Security
http://krebsonsecurity.com/2015/11/paris-terror-attacks-stoke-encryption...

ISIS using encrypted apps for communications; former intel officials blame Snowden [Updated] | Ars Technica
http://arstechnica.com/information-technology/2015/11/isis-encrypted-com...

After Paris Attacks, Here's What the CIA Director Gets Wrong About Encryption | WIRED
http://www.wired.com/2015/11/paris-attacks-cia-director-john-brennan-wha...

There's no evidence ISIS used PS4 to plan Paris attacks | Ars Technica
http://arstechnica.com/gaming/2015/11/despite-what-the-papers-say-theres...

ISIS: CloudFlare CEO slams Anonymous' claims that he's protecting terrorists' websites
http://www.news.com.au/technology/online/hacking/a-silicon-valley-startu...

Telegram encrypted messaging service cracks down on ISIS broadcasts | Ars Technica
http://arstechnica.com/information-technology/2015/11/telegram-encrypted...

ISIS operates a crypto help desk - report • The Register
http://www.theregister.co.uk/2015/11/18/isis_help_desk/

Is Anonymous' war on ISIS doing more harm than good? | The Verge
http://www.theverge.com/2015/11/19/9761682/anonymous-isis-vigilante-camp...

Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor | Threatpost | The first stop for security news
https://threatpost.com/carnegie-mellon-says-it-was-subpoenaed-and-not-pa...

Carnegie Mellon Denies FBI Paid for Tor-Breaking Research | WIRED
http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-bre...

Libpng PNG Reference Library Patches Memory Corruption Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/patched-libpng-vulnerabilities-have-limited-scope...

Here's a Spy Firm's Price List for Secret Hacker Techniques | WIRED
http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hac...

Android adware can install itself even when users explicitly reject it | Ars Technica
http://arstechnica.com/security/2015/11/android-adware-can-install-itsel...

Google to Warn Recipients of Unencrypted Gmail Messages | Threatpost | The first stop for security news
https://threatpost.com/google-to-warn-recipients-of-unencrypted-gmail-me...

Microsoft Blocks Unsigned DLLs in Edge with Update | Threatpost | The first stop for security news
https://threatpost.com/microsoft-cracks-down-on-toolbars-unsigned-dlls-w...

JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services - Krebs on Security
http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-...

BitLocker popper uses Windows authentication to attack itself • The Register
http://www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/

Adobe Issues HotFix For ColdFusion | Threatpost | The first stop for security news
https://threatpost.com/adobe-pushes-hotfix-for-coldfusion/115389/

Wad of Stuff: CVE-2015-6357: FirePWNER Exploit for Cisco FireSIGHT Management Center SSL Validation Vulnerability
http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploi...

Issue 539 - google-security-research - Kaspersky Antivirus Certificate handling path traversal - Google Security Research - Google Project Hosting
https://code.google.com/p/google-security-research/issues/detail?id=539&...

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

Eagles of Death Metal - I Want You So Hard - YouTube
https://www.youtube.com/watch?v=MZrctLnsF4M


Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with computer crime lawyer extraordinaire Tor Ekeland! He's worked on a number of high-profile CFAA cases. Most recently he's been defending former Reuters and LA Times journalist Matthew Keys on some pretty hefty CFAA charges. He's also the guy who got Andrew Auernheimer out of jail so he could go and live a free life as a Nazi troll. (Is that really a win?) He also defended Lauri Love... basically if you're a hacker who's fallen foul of the CFAA, this is the guy you want on your team.

He joins us this week to talk about the CFAA, terrorism charges against hackers, and the American cultural influences over crime and punishment in the USA. It's a cracker interview, that one.

This week's show is brought to you by Telstra! Best known as Australia's incumbent telco, Telstra also offers enterprise services. There's a link to their services page in this week's show notes.

In this week's sponsor interview we're chatting with Rachael Falk. She leads the Cyber Influence team in Telstra Security Operations. And she'll be joining us with what I'm calling boardroom ammo. Five questions you can suggest to your CEO or board to get them thinking about good security practices.

Links to everything are in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.


Risky Business #388 -- Cyber shrinkery, IoT shenanigans and guest Troy Hunt

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's feature interview is with Troy Hunt of HaveIBeenPwned.com. And he's noticing something pretty weird. It's common for people to deface websites for bragging rights, and yeah, it's not new that data dumps are the new bragging fodder. But it seems like these days attackers are seeing Troy's site as the definitive place to get cred. Now they'll steal a bunch of data and Troy is their first stop.

Life is strange on the internets. That's this week's feature interview.

This week's show is brought to you by ContextIS, a security consultancy and research house with offices in England, Germany and Australia. In this week's sponsor interview we chat with Alex Farrant, a senior security researcher with Context in Cheltenham about the risks of IoT to enterprise networks.

Don't worry, this isn't some non-specific, high level chat saying "IoT is bad," we're talking about real examples where they've managed to chain together a couple of bugs for serious effect. We also talk about how enterprises aren't shy about making key company resources accessible over WiFi these days. Yes, the same WiFi network that your vulnerable electric kettle and lightbulbs are on. Happy days.

Adam Boileau, as always, stops in to discuss the week's news, including the delightful Freudian analysis of computer hackers by "cyber psychologist" Mary Aiken.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | WIRED
http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios...

UK Government Works on Restricting Encryption, Urges Staff to Use It | Motherboard
http://motherboard.vice.com/read/uk-government-works-on-restricting-stro...

Internet firms to be banned from offering unbreakable encryption under new laws - Telegraph
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Inte...

UK surveillance powers explained - BBC News
http://www.bbc.com/news/uk-34713435

The Lesson of CISA's Success, or How to Fight a Zombie
https://theintercept.com/2015/11/03/lesson-of-cisa-success-or-how-to-fig...

ALBAWABA NEWS: Egypt's military arrests 150 terrorists through "Telegram"
http://www.albawabaeg.com/66794

Teenager arrested in Norwich over TalkTalk cyber-attack bailed | Business | The Guardian
http://www.theguardian.com/business/2015/nov/04/teenager-arrested-in-nor...

vBulletin password hack fuels fears of serious Internet-wide 0-day attacks | Ars Technica
http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fe...

Tor Just Launched the Easiest App Yet for Anonymous, Encrypted IM | WIRED
http://www.wired.com/2015/10/tor-just-launched-the-easiest-app-yet-for-a...

Zerocoin Startup Revives the Dream of Truly Anonymous Money | WIRED
http://www.wired.com/2015/11/zerocoin-startup-revives-the-dream-of-truly...

Signal, the Snowden-Approved Crypto App, Comes to Android | WIRED
http://www.wired.com/2015/11/signals-snowden-approved-phone-crypto-app-c...

Don't count on STARTTLS to automatically encrypt your sensitive e-mails | Ars Technica
http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automa...

Still fuming over HTTPS mishap, Google makes Symantec an offer it can't refuse | Ars Technica
http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-g...

How Carders Can Use eBay as a Virtual ATM - Krebs on Security
http://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual...

Shuanet Adware Roots Android Devices | Threatpost | The first stop for security news
http://threatpost.com/shuanet-adware-rooting-android-devices-via-trojani...

Chinese Mobile Ad Library Backdoored to Spy on iOS Devices | Threatpost | The first stop for security news
http://threatpost.com/chinese-mobile-ad-library-backdoored-to-spy-on-ios...

Samsung Galaxy S6 Edge Security Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/google-project-zero-turns-over-11-bugs-in-galaxy-s...

Data-Stealing Android App Impersonates Word Doc | Threatpost | The first stop for security news
http://threatpost.com/malicious-android-app-impersonates-microsoft-word-...

XcodeGhost Malware Supports iOS9 | Threatpost | The first stop for security news
http://threatpost.com/updated-xcodeghost-adds-ios9-support/115244/

November 2015 Android Security Bulletin | Threatpost | The first stop for security news
http://threatpost.com/monthly-android-security-update-patches-more-stage...

Tinba Variant Spotted Targeting Russian, Japanese Banks | Threatpost | The first stop for security news
http://threatpost.com/new-tinba-variant-spotted-targeting-russian-japane...

PageFair Hack Serves Up Fake Flash Update to 500 Sites | Threatpost | The first stop for security news
http://threatpost.com/pagefair-hack-serves-up-fake-flash-update-to-500-s...

Xen patches 7-year-old bug that shattered hypervisor security | Ars Technica
http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-...

Latest EMET Bypass Targets WoW64 Windows Subsystem | Threatpost | The first stop for security news
http://threatpost.com/latest-emet-bypass-targets-wow64-windows-subsystem...

FireEye growth slows as China attacks reportedly abate, stock plunges - MarketWatch
http://www.marketwatch.com/story/fireeye-growth-slows-as-china-attacks-r...

Hackers gonna hack, but why? Maybe Freud has the answer | Technology | The Guardian
http://www.theguardian.com/technology/2015/nov/03/hackers-gonna-hack-but...

Troy Hunt: Breaches, traders, plain text passwords, ethical disclosure and 000webhost
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

Music | PLTS
https://pltsmusic.bandcamp.com/

Also, you should absolutely check out Context's Blog. It's really quite good.
http://www.contextis.com/resources/blog/1/


Risky Business #387 -- Hack people to death!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're chatting with Chris Rock from Kustodian. Chris did a great presentation at Ruxcon last week about how easy it is to hack people to death!

He's found out just how easy it is to register births and deaths in the United States and Australia via online systems. He says it's a problem that could result in a virtual baby harvest for fraudsters who plan ahead. It's really fun stuff, that's this week's feature.

In this week's sponsor interview we're speaking with Deema Freij, general counsel at Intralinks. This is an interview the CSOs shouldn't miss... we're talking to her about privacy stuff -- about what the invalidation of Safe Harbour provisions really means, what we can expect from the new EU general data protection regulations when they land, and what sort of management challenges that's going to throw up at the boardroom level.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

WikiLeaks Is Publishing the CIA Director's Hacked Emails | WIRED
http://www.wired.com/2015/10/wikileaks-publishing-cia-director-john-bren...

Hacker releases new purported personal data for top CIA, DHS officials [Updated] | Ars Technica
http://arstechnica.com/tech-policy/2015/10/hacker-releases-new-purported...

A Second Snowden Has Leaked a Mother Lode of Drone Docs | WIRED
http://www.wired.com/2015/10/a-second-snowden-leaks-a-mother-lode-of-dro...

Who Is Ardit Ferizi? Malaysia Arrests Kosovo National For Hacking US Security Data For ISIS
http://www.ibtimes.com/who-ardit-ferizi-malaysia-arrests-kosovo-national...

Matthew Keys' Hacking Conviction May Not Survive an Appeal | WIRED
http://www.wired.com/2015/10/matthew-keys-journalist-conviction-cfaa-abu...

TalkTalk Hackers Demanded £80K in Bitcoin - Krebs on Security
http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitc...

TalkTalk Hackers Demand Ransom of CEO Dido Harding | Threatpost | The first stop for security news
https://threatpost.com/talktalk-hackers-demand-ransom-from-ceo/115156/

China Is Still Hacking US Companies After Promising It Would Stop, Report Says | Motherboard
http://motherboard.vice.com/read/china-is-still-hacking-us-companies-aft...

Arrest of Chinese Hackers Not a First for U.S. - Krebs on Security
http://krebsonsecurity.com/2015/10/arrest-of-chinese-hackers-not-a-first...

How is NSA breaking so much crypto?
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking...

Fewer IPsec VPN Connections at Risk to Weak Diffie-Hellman | Threatpost | The first stop for security news
https://threatpost.com/fewer-ipsec-vpn-connections-at-risk-from-weak-dif...

CISA Passes Senate Without Addressing Privacy Concerns | Threatpost | The first stop for security news
https://threatpost.com/cisa-passes-senate-without-addressing-privacy-con...

A DEA Agent Who Helped Take Down Silk Road Is Going to Prison for Unbelievable Corruption | Mother Jones
http://www.motherjones.com/mixed-media/2015/10/silk-road-investigator-se...

X-Ray Scans Expose an Ingenious Chip-and-Pin Card Hack | WIRED
http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pi...

EFF: We found 100+ license plate readers wide open on the Internet | Ars Technica
http://arstechnica.com/tech-policy/2015/10/lprs-exposed-how-public-safet...

Automakers just lost the battle to stop you from hacking your car | The Verge
http://www.theverge.com/2015/10/27/9622150/dmca-exemption-accessing-car-...

New attacks on Network Time Protocol can defeat HTTPS and create chaos | Ars Technica
http://arstechnica.com/security/2015/10/new-attacks-on-network-time-prot...

Unpatched browser weaknesses can be exploited to track millions of Web users | Ars Technica
http://arstechnica.com/security/2015/10/unpatched-browser-weaknesses-can...

This 11-year-old is selling cryptographically secure passwords for $2 each | Ars Technica
http://arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryp...

Microsoft .NET Core, ASP.NET Beta Bug Bounty | Threatpost | The first stop for security news
https://threatpost.com/microsoft-opens-net-core-asp-net-bug-bounties/115...

IBM Runs World's Worst Spam-Hosting ISP? - Krebs on Security
http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

Let's Encrypt Free HTTPS Secures Cross-Signatures To Be A CA | Threatpost | The first stop for security news
https://threatpost.com/lets-encrypt-hits-another-free-https-milestone/11...

Insecure Internet-Connected Kettles Help Researchers Crack WiFi Networks Across London - Softpedia
http://news.softpedia.com/news/insecure-internet-connected-kettles-help-...

13 million plaintext passwords belonging to webhost users leaked online | Ars Technica
http://arstechnica.com/security/2015/10/13-million-plaintext-passwords-b...

Western Digital self-encrypting hard drives riddled with security flaws | Ars Technica
http://arstechnica.com/security/2015/10/western-digital-self-encrypting-...

Joomla bug puts millions of websites at risk of remote takeover hacks | Ars Technica
http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-webs...

New zero-day exploit hits fully patched Adobe Flash [Updated] | Ars Technica
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-...

October 2015 Oracle Critical Patch Update | Threatpost | The first stop for security news
https://threatpost.com/oracle-quarterly-security-update-patches-154-vuln...

'10-second' theoretical hack could jog Fitbits into malware-spreading mode • The Register
http://www.theregister.co.uk/2015/10/21/fitbit_hack/

DEF CON 23 - Chris Rock - I Will Kill You - YouTube
https://www.youtube.com/watch?v=9FdHq3WfJgs

bluejuice - Vitriol - YouTube
https://www.youtube.com/watch?v=ldBhDmvWFXE


Risky Business #386 -- Katie Moussouris on the (groan) disclosure debate

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're checking in with Katie Moussouris of HackerOne. She's an ex Microsoftie who's spent something like a decade working on vulnerability disclosure policies. She even helped get a vuln disclosure ISO standard ratified!

And she'll be joining us this week to discuss disclosure politics, I guess you'd call it... for those of us who've been around infosec for a while, most of us would rather stick our face in a blender than talk about it, but Katie will be along to point out why people should fight their "disclosure debate fatigue" and get involved.

This week's show is brought to you by Telstra! Telstra is Australia's incumbent telco but also offers a bunch of enterprise services and has invested in some mobile security plays. They took a stake in Zimperium, which is where Risky Business pal Joshua Drake works. They also have a stake in Telesign.

In this week's sponsor interview we're joined by Telstra's Rocky Scopelliti. He's Telstra's finance brain and he'll be along to discuss a report he prepared on the fusion of financial services, mobility and identity. Telstra has collected a lot of *extremely* interesting data and Rocky will be along to fill us in on what it all means. That's this week's sponsor interview, with big thanks to new sponsor Telstra!

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hack Brief: Hackers Steal 15M T-Mobile Customers' Data From Experian | WIRED
http://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-custo...

Scottrade Breach Hits 4.6 Million Customers - Krebs on Security
http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-cus...

Trump Hotel Collection Confirms Card Breach - Krebs on Security
http://krebsonsecurity.com/2015/10/trump-hotel-collection-confirms-card-...

Patreon was warned of serious website flaw 5 days before it was hacked | Ars Technica
http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-we...

Gigabytes of user data from hack of Patreon donations site dumped online | Ars Technica
http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack...

Exclusive: Uber checks connections between hacker and Lyft | Reuters
http://www.reuters.com/article/2015/10/08/us-uber-tech-lyft-hacking-excl...

Amazon Web Services Inspector Application Security Scanner | Threatpost | The first stop for security news
https://threatpost.com/amazon-inspector-addresses-compliance-and-securit...

Canceled HITB GSEC Singapore Presentation | Threatpost | The first stop for security news
https://threatpost.com/canceled-talk-re-ignites-controversy-over-legitim...

Verizon's zombie cookie gets new life | Ars Technica
http://arstechnica.com/security/2015/10/verizons-zombie-cookie-gets-new-...

Questions raised over Malcolm Turnbull's use of private email server
http://www.theage.com.au/technology/technology-news/questions-raised-ove...

Backdoor infecting Cisco VPNs steals customers' network passwords | Ars Technica
http://arstechnica.com/security/2015/10/backdoor-infecting-cisco-vpns-st...

Cisco shuts down million-dollar ransomware operation | Ars Technica
http://arstechnica.com/security/2015/10/cisco-shuts-down-30-million-rans...

SHA1 algorithm securing e-commerce and software could break by year's end | Ars Technica
http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-i...

Report finds many nuclear power plant systems "insecure by design" | Ars Technica
http://arstechnica.com/security/2015/10/report-finds-many-nuclear-power-...

Microsoft sites expose visitors' profile info in plain text | Ars Technica
http://arstechnica.com/security/2015/10/microsoft-sites-expose-visitors-...

Android adware wields potent root exploits to gain permanent foothold | Ars Technica
http://arstechnica.com/security/2015/10/android-adware-wields-potent-roo...

iPhone Malware Is Hitting China. Let's Not Be Next | WIRED
http://www.wired.com/2015/10/iphone-malware-hitting-china-lets-not-next/

Journalist Convicted of Helping Anonymous Hack Tribune Co. | WIRED
http://www.wired.com/2015/10/matthew-keys-reuters-journalist-convicted-o...

Netgear Router Vulnerabilities Public Exploits | Threatpost | The first stop for security news
https://threatpost.com/disclosed-netgear-router-vulnerability-under-atta...

WikiLeaks Wants to Pay $50K for Video of the Kunduz Hospital Bombing | WIRED
http://www.wired.com/2015/10/wikileaks-wants-pay-50k-video-kunduz-bombing/

Hacking Wireless Printers With Phones on Drones | WIRED
http://www.wired.com/2015/10/drones-robot-vacuums-can-spy-office-printer/

October 2015 Adobe Acrobat Adobe Acrobat Patches | Threatpost | The first stop for security news
https://threatpost.com/adobe-to-patch-reader-and-acrobat-next-week/114966/

When Security Experts Gather to Talk Consensus, Chaos Ensues | WIRED
http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chao...

Mobile Identity
http://www.telstraglobal.com/mobile-identity

L-FRESH The LION
http://l-fresh.com/


Risky Business #385 -- Richard Bejtlich talks USA/China espionage agreement

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

******LANGUAGE WARNING: The f-bomb features, unbleeped, once in this week's show. Just a note for those of you with the kids in the car.

On this week's show we're chatting with FireEye's chief security strategist Richard Bejtlich about this new agreement between China and the USA. The two countries have apparently agreed that they won't hack each other with the aim of stealing IP anymore. Questions to Richard include: Are they kidding? And: How did they announce this with a straight face?

This week's show is brought to you by Tenable Network Security, big thanks to them. And we're joined by Tenable's very own Jeffrey Man in this week's sponsor interview.

He's an ex NSA cryptographer who now spends his days dealing with PCI stuff. He's over in Canada attending the PCI community meetings in Vancouver, and I spoke to him about what we learned from the leaked Target pentest report and how third party payment firms are changing scope for all sorts of merchants.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Banks: Card Breach at Hilton Hotel Properties - Krebs on Security
http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-pro...

Kmart Australia calls in police over security breach - Computerworld
http://www.computerworld.com.au/article/585784/kmart-australia-calls-pol...

Patreon: Some user names, e-mail and mailing addresses stolen | Ars Technica
http://arstechnica.com/security/2015/10/patreon-some-user-names-e-mail-a...

A billion Android phones are vulnerable to new Stagefright bugs | Ars Technica
http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vul...

CIA officers pulled from China because of OPM breach | Ars Technica
http://arstechnica.com/tech-policy/2015/09/cia-officers-pulled-from-chin...

China PLA Unit 78020 Cyberespionage Naikon APT | Threatpost | The first stop for security news
https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/11...

From Radio to Porn, British Spies Track Web Users' Online Identities
https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-user...

Obama administration explored ways to bypass smartphone encryption - The Washington Post
https://www.washingtonpost.com/world/national-security/obama-administrat...

This New Campaign Wants To Help Surveillance Agents Quit NSA or GCHQ | WIRED
http://www.wired.com/2015/09/campaign-help-surveillance-agents-quit-nsa-...

Car Hack Technique Uses Dealerships to Spread Malware | WIRED
http://www.wired.com/2015/10/car-hacking-tool-turns-repair-shops-malware...

That Big Security Fix for Credit Cards Won't Stop Fraud | WIRED
http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/

Google's Three Tips for Sabotaging the Cybercrime Economy | WIRED
http://www.wired.com/2015/09/google-offers-3-lessons-crippling-online-cr...

ATM Skimmer Gang Firebombed Antivirus Firm - Krebs on Security
http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus...

Dyreza Dyre Trojan Phishing IT Supply Chain Credentials | Threatpost | The first stop for security news
https://threatpost.com/dyreza-trojan-targeting-it-supply-chain-credentia...

JavaScript-Based DDoS Peaks at 275,000 Requests Per Second | Threatpost | The first stop for security news
https://threatpost.com/javascript-ddos-attack-peaks-at-275000-requests-p...

Nerves rattled by highly suspicious Windows Update delivered worldwide [Updated] | Ars Technica
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspici...

Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper | Ars Technica
http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-complet...

Botnet preying on Linux computers delivers potent DDoS attacks | Ars Technica
http://arstechnica.com/security/2015/09/botnet-preying-on-linux-computer...

Storing secret crypto keys in the Amazon cloud? New attack can steal them | Ars Technica
http://arstechnica.com/security/2015/09/storing-secret-crypto-keys-in-th...

How hackers can access iPhone contacts and photos without a password | Ars Technica
http://arstechnica.com/security/2015/09/how-hackers-can-access-iphone-co...

TrueCrypt Security Vulnerabilities Patched in VeraCrypt | Threatpost | The first stop for security news
https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-...

SAP Fixes A Dozen Vulnerabilities in HANA | Threatpost | The first stop for security news
https://threatpost.com/sap-patches-12-sql-injection-xss-vulnerabilities-...

Mozilla Addresses 14-Year-Old Bug in Firefox 41 | Threatpost | The first stop for security news
https://threatpost.com/mozilla-fixes-14-year-old-bug-in-firefox-41/114818/

Cisco Fixes Denial of Service, Bypass Vulnerabilities in IOS | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-denial-of-service-bypass-vulnerabil...

Apple Patches 100+ Vulnerabilities in OS X, Safari, iOS | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-100-vulnerabilities-in-os-x-safari-...

US and China Reach Historic Agreement on Economic Espionage | WIRED
http://www.wired.com/2015/09/us-china-reach-historic-agreement-economic-...

Marshall & The Fro - Marshall Okell
http://marshallokell.com/albums/marshall-the-fro

Risky Business #384 -- Mark Dowd talks AirDrop pwnage, XCode iOS scandal

We've got a great show for you this week. Mark Dowd drops by to talk about the recent spate of Trojaned iOS apps that made it into Apple's China App Store. We also talk to him about his awesome AirDrop bug. How did it work?

This week's sponsor segment is actually a real cracker. Context IS consultant David Klein tells us how he owned an entire cloud platform by enumerating some shitty 90s-style bugs in some third party libraries they were using. It's comedy gold. This is a cloud platform that uses security as a selling point. It's bad.

Really embarrassing.

It's great work and the sort of research you expect to see out of a company like Context IS, who are, of course, this week's sponsor.

Adam Boileau, as always, stops in to discuss the week's news.

Show notes

OPM breach included five times more stolen fingerprints | Ars Technica
http://arstechnica.com/security/2015/09/opm-breach-included-five-times-m...

Inside Target Corp., Days After 2013 Breach - Krebs on Security
http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-br...

XcodeGhost apps haunting iOS App Store more numerous than first reported | Ars Technica
http://arstechnica.com/security/2015/09/xcodeghost-apps-haunting-ios-app...

Spy Agency Contractor Puts Out a $1M Bounty for an iPhone Hack | WIRED
http://www.wired.com/2015/09/spy-agency-contractor-puts-1m-bounty-iphone...

Google's own researchers challenge key Android security talking point | Ars Technica
http://arstechnica.com/security/2015/09/googles-own-researchers-challeng...

Symantec employees fired for issuing rogue HTTPS certificate for Google | Ars Technica
http://arstechnica.com/security/2015/09/symantec-employees-fired-for-iss...

In blunder threatening Windows users, D-Link publishes code-signing key | Ars Technica
http://arstechnica.com/security/2015/09/in-blunder-threatening-windows-u...

Active malware campaign uses thousands of WordPress sites to infect visitors | Ars Technica
http://arstechnica.com/security/2015/09/active-malware-campaign-uses-tho...

Serious Imgur bug exploited to execute worm-like attack on 8chan users | Ars Technica
http://arstechnica.com/security/2015/09/serious-imgur-bug-exploited-to-e...

Trojan targets online poker sites, peeks at players' cards | Ars Technica
http://arstechnica.com/security/2015/09/trojan-targets-online-poker-site...

Seven years of malware linked to Russian state-backed cyber espionage | Ars Technica
http://arstechnica.com/security/2015/09/seven-years-of-malware-linked-to...

Security wares like Kaspersky AV can make you more vulnerable to attacks | Ars Technica
http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av...

China tells US tech companies to sign PRISM-like cyber-loyalty pact | Ars Technica
http://arstechnica.com/tech-policy/2015/09/china-tells-us-tech-companies...

India's daft draft anti-encryption law torn up after world+dog points out its stupidity • The Register
http://www.theregister.co.uk/2015/09/22/india_encryption_withdrawl/

Malvertisers slam Forbes, Realtor with world's worst exploit kits • The Register
http://www.theregister.co.uk/2015/09/23/malvertising_forbes/

Hackers Launch Balloon Probe Into the Stratosphere to Spy on Drones | WIRED
http://www.wired.com/2015/09/balloon-spy-probe-deep-sweep/

IT security spending to hit $75.4bn in 2015 despite currency issues, says Gartner • The Register
http://www.theregister.co.uk/2015/09/23/it_spending_forecast_gartner/

SONY HACK WAS WAR says FBI, and 'we're still struggling to hire talent' • The Register
http://www.theregister.co.uk/2015/09/18/sony_hack_was_war_says_fbi_still...

Control Flow Guard Mitigation Bypass | Threatpost | The first stop for security news
https://threatpost.com/bypass-developed-for-microsoft-memory-protection-...

Hack Brief: Mobile Manager's Security Hole Would Let Hackers Wipe Phones | WIRED
http://www.wired.com/2015/09/hack-brief-popular-mobile-phone-manager-ope...

Crash Google Chrome with one tiny URL: We cram a probe in this bug • The Register
http://www.theregister.co.uk/2015/09/20/chrome_url_crash/

Adobe Patches 23 Vulnerabilities in Flash Player | Threatpost | The first stop for security news
https://threatpost.com/adobe-patches-23-critical-vulnerabilities-in-flas...

Bugzilla Privilege Escalation Security Patch | Threatpost | The first stop for security news
https://threatpost.com/details-surface-on-patched-bugzilla-privilege-esc...

Context Information Security
http://www.contextis.com/

HopeStreet Recordings | The heart and soul of Brunswick since 2009
http://www.hopestreetrecordings.com/

Risky Business #383 -- Inside FireEye's research gag

On this week's show we take a look at what the hell is happening in Germany, where FireEye sought and obtained an ex parte injunction against a bunch of security researchers over a presentation they were about to do at 44Con. We speak with infosec lawyer Alex Urbelis -- he was at 44Con when all this came to light and he shares his insights.

This week's show is sponsored by Senetas. They're a publicly listed company based in Melbourne that makes hardware encryption gear. Terribly sexy, layer 2 stuff actually. This week the company's co-founder and CTO Julian Fay joins the show to talk about the NSA's recent push to get people using encryption algorithms that are resistant to quantum computing-based attacks.

Adam Boileau, as always, stops in to discuss the week's news.

Show notes

beist on Twitter: "Just another stagefright 0day by my coworker, chpie. this one is reasonably reliable, more than 50% against Nexus 5. http://t.co/V5qhKvOr6C"
https://twitter.com/beist/status/643579728687841280

Project Zero: Stagefrightened?
http://googleprojectzero.blogspot.com.au/2015/09/stagefrightened.html

Let's Encrypt Issues First Cert | Threatpost | The first stop for security news
https://threatpost.com/first-lets-encrypt-free-certificate-goes-live/114...

Japan charges Bitcoin exchange CEO with embezzlement - Yahoo News
http://news.yahoo.com/japan-charges-bitcoin-exchange-ceo-embezzlement-ji...

Atlanta's Bitpay got hacked for $1.8 million in bitcoin - Atlanta Business Chronicle
http://www.bizjournals.com/atlanta/news/2015/09/16/atlantas-bitpay-got-h...

Cryptome founder revokes PGP keys after weird 'compromise' • The Register
http://www.theregister.co.uk/2015/09/16/cryptome_revokes_pgp_keys_after_...

Scan of Internet for Compromised Cisco Routers Finds Fewer Than 100 | Threatpost | The first stop for security news
https://threatpost.com/scan-of-ipv4-space-for-implanted-cisco-routers-fi...

Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked | Ars Technica
http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-mill...

Ashley Madison passwords like "thisiswrong" tap cheaters' guilt and denial | Ars Technica
http://arstechnica.com/security/2015/09/ashley-madison-passwords-like-th...

DARPA Protecting Software From Reverse Engineering Through Obfuscation | Threatpost | The first stop for security news
https://threatpost.com/darpa-protecting-software-from-reverse-engineerin...

Installation of Tor Relays in Libraries Attracts DHS Attention | Threatpost | The first stop for security news
https://threatpost.com/installation-of-tor-relays-in-library-attracts-dh...

Researchers Outline Bugs in Yahoo, PayPal, Magento | Threatpost | The first stop for security news
https://threatpost.com/researchers-outline-vulnerabilities-in-yahoo-payp...

'To read this page, please turn off your ad blocker...' • The Register
http://www.theregister.co.uk/2015/09/15/to_read_this_page_please_turn_of...

CoreBot Adds New Capabilities, Transitions to Banking Trojan | Threatpost | The first stop for security news
https://threatpost.com/corebot-adds-new-capabilities-transitions-to-bank...

GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars | WIRED
http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-mill...

Hack Brief: Emergency-Number Hack Bypasses Android Lock Screens | WIRED
http://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily...

Shedload of security bugs squashed in iOS 9 - what the hell went wrong with iOS 8? • The Register
http://www.theregister.co.uk/2015/09/16/ios_9_security_updates/

AirDrop hole deposits stealth malware on all pre-iOS 9 Apple devices • The Register
http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/

Apple mitigates but doesn't fully fix critical iOS Airdrop vulnerability | Ars Technica
http://arstechnica.com/security/2015/09/apple-mitigates-but-doesnt-fully...

New Debian Releases Fix PHP, VirtualBox Bugs | Threatpost | The first stop for security news
https://threatpost.com/new-debian-releases-fix-php-virtualbox-bugs/114655/

WordPress Shortcodes Security Patch | Threatpost | The first stop for security news
https://threatpost.com/wordpress-patches-serious-shortcodes-core-engine-...

Bug Bounties, (Non) Lawsuits and Working with the Research Community « Executive Perspective | FireEye Inc
https://www.fireeye.com/blog/executive-perspective/2015/09/bug_bounties_...

Lattice-based cryptography - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Lattice-based_cryptography

Quantum-safe Security : Cloud Security Alliance
https://cloudsecurityalliance.org/group/quantum-safe-security/

NSA preps quantum-resistant algorithms to head off crypto-apocalypse | Ars Technica
http://arstechnica.com/security/2015/08/nsa-preps-quantum-resistant-algo...

Risky Business #382 -- Charlie Miller talks car hax, Uber

On this week's show we're checking in with Charlie Miller. We chat car hacking and we also (kind of) find out what he's up to now he's working at Uber.

This week's show is brought to you by HackLabs, an Australian security consultancy. They're a key sponsor of Australia's Cyber Security Challenge, which is basically a CTF for Australian CS students. What makes this one a bit different is it's being run by the Prime Minister's Office, which is, yeah, unexpected. Chris joins us later to discuss the challenge, that's this week's sponsor interview.

Adam Boileau, as always, stops in to discuss the week's news.

Show notes

Is John McAfee running for US president? 'My campaign manager told me not to comment' • The Register
http://www.theregister.co.uk/2015/09/08/mcafee2016/

Ex-Ashley Madison CTO Threatens Libel Suit - Krebs on Security
http://krebsonsecurity.com/2015/09/ex-ashley-madison-cto-threatens-libel...

Ashley Madison made dumb security mistakes, researcher says • The Register
http://www.theregister.co.uk/2015/09/08/ashley_madison_made_dumb_securit...

Extorting money from Ashley Madison customers is actually pretty easy | Ars Technica
http://arstechnica.com/business/2015/09/extorting-money-from-ashley-madi...

Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions | Ars Technica
http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-spons...

Lockpickers 3-D Print TSA Master Luggage Keys From Leaked Photos | WIRED
http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leak...

Russian Spy Gang Hijacks Satellite Links to Steal Data | WIRED
http://www.wired.com/2015/09/turla-russian-espionage-gang-hijacks-satell...

The Feds Need a Warrant to Spy With Stingrays From Now On | WIRED
http://www.wired.com/2015/09/feds-need-warrant-spy-stingrays-now/

The Untold Story of Silk Road, Part 2: The Fall | WIRED
http://www.wired.com/2015/05/silk-road-2/

US counter-intel czar to hack victims: "raise shields" against spearphishing | Ars Technica
http://arstechnica.com/security/2015/09/us-counterintelligence-czar-tell...

Director of national intelligence: Snowden forced "needed transparency" | Ars Technica
http://arstechnica.com/tech-policy/2015/09/director-of-national-intellig...

FTC, Experts Push Startups to Think About Security From the Beginning | Threatpost | The first stop for security news
https://threatpost.com/ftc-experts-push-startups-to-think-about-security...

Bitcoin cyberextortionists are blackmailing banks, corporations | Ars Technica
http://arstechnica.com/business/2015/09/uk-banks-corporations-are-being-...

MS researchers claim to crack encrypted database with old simple trick | Ars Technica
http://arstechnica.com/security/2015/09/ms-researchers-claim-to-crack-en...

Researchers respond to developer's accusation that they used crypto wrong | Ars Technica
http://arstechnica.com/information-technology/2015/09/researchers-respon...

Mozilla: data stolen from hacked bug database was used to attack Firefox | Ars Technica
http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-...

Serious bug causes "quite a few" HTTPS sites to reveal their private keys | Ars Technica
http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-h...

Many new top-level domains have become Internet's "bad neighborhoods" [Updated] | Ars Technica
http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-...

Lateline - 09/09/2015: Its been described by the Government as its latest security weapon, but is the National Facial Biometric Matching Capability open to misuse?
http://www.abc.net.au/lateline/content/2015/s4309519.htm

Gloves on as Googler deposits foul zero-day on Kaspersky lawn • The Register
http://www.theregister.co.uk/2015/09/08/kaspersky_0day/

Hacker drops zero-day, opens FireEye fire sale • The Register
http://www.theregister.co.uk/2015/09/08/fireeye_0day/

Attack code exploiting Android's critical Stagefright bugs is now public | Ars Technica
http://arstechnica.com/security/2015/09/attack-code-exploiting-androids-...

It's still 2015, and your Windows PC can still be pwned by a webpage • The Register
http://www.theregister.co.uk/2015/09/08/patch_tuesday_sept2015/

An Android Porn App Takes Your Photo and Holds It to Ransom
http://gizmodo.com/an-android-porn-app-takes-your-photo-and-holds-it-to-...

Greg! The Stop Sign!! by TISM - a metaphor for our collective mortality | Music | The Guardian
http://www.theguardian.com/music/2014/nov/25/greg-the-stop-sign-by-tism-...

TISM - Greg! The Stop Sign!!! - YouTube
https://www.youtube.com/watch?v=z4Sr63_EDBc
