Risky Business Podcast

April 14, 2016

Risky Business #407 -- Guests HD Moore, Dan Kaminsky, Grugq and Space Rogue

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we chat with HD Moore about the woeful state of security at Panamanian law firms. Mossack Fonseca isn't the only one that truly, truly sucks at security.

We also check in with Dan Kaminsky to get his reaction to the BadLock bug. Tenable Network Security's Cris "Space Rogue" Thomas joins us to talk about what we could expect this year when it comes to security startups. He's expecting quite a few of them to fold.

The Grugq joins the show this week to discuss the week's security news. He's filling in for Adam Boileau who's travelling in Australia.

Oh, and do add Patrick and Grugq on Twitter if that's your thing.

Show notes

Badlock Windows, Samba Man-in-the-Middle Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype...

Hyping vulnerabilities is no longer helping application security awareness | TechCrunch
http://techcrunch.com/2016/04/11/hyping-vulnerabilities-is-no-longer-hel...

That 'Badlock' Bug Is More Hype Than Hurt | WIRED
http://www.wired.com/2016/04/badlock-bug-hype-hurt/

Yes, Badlock bug was shamelessly hyped, but the threat is real | Ars Technica
http://arstechnica.com/security/2016/04/yes-badlock-bug-was-shamelessly-...

How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History | WIRED
http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-...

The Panama papers: Australia leads OECD response as crime links emerge | afr.com
http://www.afr.com/news/policy/tax/the-panama-papers-oecd-emergency-meet...

The Senate's Draft Encryption Bill Is 'Ludicrous, Dangerous, Technically Illiterate' | WIRED
http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-night...

Adobe patches Flash bug that's being exploited to install ransomware | Ars Technica
http://arstechnica.com/security/2016/04/adobe-flash-update-ransomware-wi...

OK, panic-newly evolved ransomware is bad news for everyone | Ars Technica
http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomwar...

Meet The Cryptoworm, The Future of Ransomware | Threatpost | The first stop for security news
https://threatpost.com/meet-the-cryptoworm-the-future-of-ransomware/117330/

Crypto ransomware targets called by name in spear-phishing blast | Ars Technica
http://arstechnica.com/security/2016/04/crypto-ransomware-targets-called...

Locky Ransomware Variant Changes C2, Spread Via Nuclear Exploit Kit | Threatpost | The first stop for security news
https://threatpost.com/locky-variant-changes-c2-communication-found-in-n...

Experts crack nasty ransomware that took crypto-extortion to new heights | Ars Technica
http://arstechnica.com/security/2016/04/experts-crack-nasty-ransomware-t...

Google Online Security Blog: Improvements to Safe Browsing Alerts for Network Administrators
https://security.googleblog.com/2016/04/improvements-to-safe-browsing-al...

Apple Bug Exposed Chat History With a Single Click
https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-...

FBI: $2.3 Billion Lost to CEO Email Scams - Krebs on Security
http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/

"This is the IRS regarding your tax filings" says trio of overseas robocallers | Ars Technica
http://arstechnica.com/information-technology/2016/04/three-overseas-fra...

Hack Brief: Turkey Breach Spills Info on More Than Half Its Citizens | WIRED
http://www.wired.com/2016/04/hack-brief-turkey-breach-spills-info-half-c...

Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice | WIRED
http://www.wired.com/2016/04/bug-bounty-guru-katie-moussouris-will-help-...

Researchers help shut down spam botnet that enslaved 4,000 Linux machines | Ars Technica
http://arstechnica.com/security/2016/04/researchers-help-shut-down-spam-...

Neutered random number generator let man rig million dollar lotteries | Ars Technica
http://arstechnica.com/security/2016/04/neutered-random-number-generator...

Nation-wide radio station hack airs hours of vulgar "furry sex" ramblings | Ars Technica
http://arstechnica.com/security/2016/04/nation-wide-radio-station-hack-a...

BREACH Revived to Steal Private Messages from Gmail, Facebook | Threatpost | The first stop for security news
https://threatpost.com/breach-attacks-revived-to-steal-private-messages-...

WhatsApp is now most widely used end-to-end crypto tool on the planet | Ars Technica
http://arstechnica.com/tech-policy/2016/04/whatsapp-is-now-most-widely-u...

Steam hacker says more vulnerabilities will be found, but not by him | Ars Technica
http://arstechnica.com/gaming/2016/04/steam-hacker-says-more-vulnerabili...

Sources: Trump Hotels Breached Again - Krebs on Security
http://krebsonsecurity.com/2016/04/sources-trump-hotels-breached-again/

New Threat Can Auto-Brick Apple Devices - Krebs on Security
http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/

centos7 - Recovering from a rm -rf / - Server Fault
https://serverfault.com/questions/769357/recovering-from-a-rm-rf

The 'Darth Vader' of Cyberwar Sold Services to Canada | VICE News
https://news.vice.com/article/the-darth-vader-of-cyberwar-sold-services-...

Risky Business #407 -- Guests HD Moore, Dan Kaminsky, Grugq and Space Rogue

0:00 / 0:00

Risky Business Podcast

March 31, 2016

Risky Business #406 -- Making a killing from bug bounty programs

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with Nathaniel Wakelam, a professional bug bounty participant who, distressingly, at age 20, earns shitloads more money than I do! We'll talk to him about how he got into bug bounties, and how he manages to take down a massive paycheck in such a competitive space.

In this week's sponsor interview we're chatting with Senetas Security's Simon Galbally about the mess that is Australia's data breach notification legislation. This week's episode is sponsored by Senetas, an Australian company that designs and manufactures quite excellent layer 2 encryption gear.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

The FBI Drops Its Case Against Apple After Finding a Way Into That iPhone | WIRED
http://www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/

iOS forensics expert's theory: FBI will hack shooter's phone by mirroring storage | Ars Technica
http://arstechnica.com/security/2016/03/ios-forensics-experts-theory-fbi...

63 Times the Feds Asked Apple and Google to Help Unlock Phones | Motherboard
http://motherboard.vice.com/en_au/read/63-times-the-feds-used-the-all-wr...

The Government Has Used the All Writs Act on Android Phones At Least 9 Times | Motherboard
http://motherboard.vice.com/en_au/read/google-has-helped-the-feds-access...

Dark Web's Got a Bad Rep: 7 in 10 People Want It Shut Down, Study Shows | WIRED
http://www.wired.com/2016/03/study-finds-7-10-people-want-dark-web-shut/

CloudFlare: 94 percent of the Tor traffic we see is "per se malicious" | Ars Technica
http://arstechnica.com/tech-policy/2016/03/new-data-suggests-94-percent-...

FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos \u2022 The Register
http://www.theregister.co.uk/2016/03/29/fbi_tor/

Pro-Tip: If You're a Suspected Dark Web Drug Dealer, Don't Trademark Your #Brand | Motherboard
http://motherboard.vice.com/en_au/read/suspected-dark-web-vendor-charged...

New ransomware installs in boot record, encrypts hard disk [Updated] | Ars Technica
http://arstechnica.com/security/2016/03/new-ransomware-installs-in-boot-...

Why Hospitals Are the Perfect Targets for Ransomware | WIRED
http://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-ta...

Crooks Steal, Sell Verizon Enterprise Customer Data - Krebs on Security
http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-...

Big-Name Law Firms Fall Victim To Hackers | Threatpost | The First Stop For Security News
https://threatpost.com/big-name-law-firms-fall-victim-to-hackers/117096/

Gumtree serves world's worst exploit kit to scores of Aussies \u2022 The Register
http://www.theregister.co.uk/2016/03/29/gumtree_aus_serving_angler/

Certified Ethical Hacker website caught spreading crypto ransomware | Ars Technica
http://arstechnica.com/security/2016/03/certified-ethical-hacker-website...

Mal Men men hit LiveJournal with Angler exploit kit \u2022 The Register
http://www.theregister.co.uk/2016/03/30/angler_malvertising_livejournal/

Stealthy malware targeting air-gapped PCs leaves no trace of infection | Ars Technica
http://arstechnica.com/security/2016/03/stealthy-malware-targeting-air-g...

Hype Around the Mysterious 'Badlock' Bug Raises Criticism | WIRED
http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-c...

Cops: Lottery terminal hack allowed suspects to print more winning tickets | Ars Technica
http://arstechnica.com/security/2016/03/cops-lottery-terminal-hack-allow...

Phishing Victims Muddle Tax Fraud Fight - Krebs on Security
http://krebsonsecurity.com/2016/03/phishing-victims-muddle-tax-fraud-fight/

Microsoft Deploys Macro-Blocker In Office To Curb Malware | Threatpost | The First Stop For Security News
https://threatpost.com/microsoft-deploys-macro-blocking-feature-in-offic...

1,400+ Vulnerabilities Identified In Medical Supply System | Threatpost | The First Stop For Security News
https://threatpost.com/1400-vulnerabilities-to-remain-unpatched-in-medic...

Apple Intel HD3000 Graphics Kernel Driver Patch | Threatpost | The First Stop For Security News
https://threatpost.com/patched-apple-bug-paved-way-to-root-compromises/1...

Emergency Java Patch Re-Issued For 2013 Vulnerability | Threatpost | The First Stop For Security News
https://threatpost.com/emergency-java-patch-re-issued-for-2013-vulnerabi...

Racist troll says he sent white supremacist flyers to public printers at colleges | Ars Technica
http://arstechnica.com/information-technology/2016/03/public-printers-at...

Let Me Get That Door for You: Remote Root Vulnerability in HID Door Controllers -
http://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-do...

Senetas
http://www.senetas.com/

Risky Business #406 -- Making a killing from bug bounty programs

0:00 / 0:00

Risky Business Podcast

March 24, 2016

Risky Business #405 -- Doxing Africa's W2 scammers, FBiOS and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with myNetWatchman's Donald McCarthy about some research he's done into these crews shaking down US companies for W2 forms. He and his colleagues have identified at least 40 crews involved in this stuff. We'll get the skinny on that in this week's feature interview.

We're also chatting with Haroon Meer this week in the sponsor interview. Haroon is the head honcho over at Thinkst Applied Research and we'll be talking to him some more about the fantastic honeypot product they've released: Canary.Tools.

With thousands of them now sold, we'll be asking Haroon why he's been able to make honeypots a commercial success and a security win after something like 16 years of them going nowhere despite industry people saying they're the next big thing.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

iOS forensics expert's theory: FBI will hack shooter's phone by mirroring storage | Ars Technica
http://arstechnica.com/security/2016/03/ios-forensics-experts-theory-fbi...

Judge: Order to Compel Apple Has Been 'Unenforceable' All Along | Motherboard
http://motherboard.vice.com/en_au/read/judge-order-to-compel-apple-has-b...

Attention Turns To FBI's 'Outside Party' | Threatpost | The First Stop For Security News
https://threatpost.com/attention-turns-to-fbis-outside-party/116931/

Hack Brief: Update iOS Now to Fix a Serious iMessage Crypto Flaw | WIRED
http://www.wired.com/2016/03/hack-brief-update-ios-fix-serious-imessage-...

'Apple Should Replace the Entirety of iMessage', Warn Encryption Researchers | Motherboard
http://motherboard.vice.com/en_au/read/apple-should-replace-imessage-enc...

Hack Brief: No Need to Freak Out Over That Chinese iPhone Malware | WIRED
http://www.wired.com/2016/03/hack-brief-no-need-freak-chinese-iphone-mal...

Android rooting bug opens Nexus phones to "permanent device compromise" | Ars Technica
http://arstechnica.com/security/2016/03/rooting-bug-in-android-opens-nex...

Stagefright Variant 'Metaphor' Puts Millions Of Samsung, LG And HTC Phones At Risk | Threatpost | The First Stop For Security News
https://threatpost.com/stagefright-variant-metaphor-puts-millions-of-sam...

A Government Error Just Revealed Snowden Was the Target in the Lavabit Case | WIRED
http://www.wired.com/2016/03/government-error-just-revealed-snowden-targ...

Emails show NSA rejected Hillary Clinton's request for secure smartphone - CBS News
http://www.cbsnews.com/news/emails-show-nsa-rejected-hillary-clinton-req...

The FBI Warns That Car Hacking Is a Real Risk | WIRED
http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/

Uber Will Pay $10,000 'Bug Bounties' to Friendly Hackers | WIRED
http://www.wired.com/2016/03/uber-bug-bounties/

Paris terrorists used burner phones, not encryption, to evade detection | Ars Technica
http://arstechnica.com/tech-policy/2016/03/paris-terrorist-attacks-burne...

Once thought safe, DDR4 memory shown to be vulnerable to "Rowhammer" | Ars Technica
http://arstechnica.com/security/2016/03/once-thought-safe-ddr4-memory-sh...

Judge Won't Consider EFF's Arguments in FBI Mass Hacking Case | Motherboard
http://motherboard.vice.com/en_au/read/judge-in-fbi-mass-hacking-case-wo...

CanSecWest 2016 Attack Attribution False Flags | Threatpost | The First Stop For Security News
https://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/1...

BinDiff Now Free, To Delight Of Security Researchers | Threatpost | The First Stop For Security News
https://threatpost.com/bindiff-now-free-to-delight-of-security-researche...

Home Depot Agrees $19.5 Million To Settle 2014 Breach | Threatpost | The First Stop For Security News
https://threatpost.com/home-depot-agrees-to-19-5-million-settlement-to-e...

Pwn2Own Day Two: Safari, Microsoft Edge Go Down Winner Announced | Threatpost | The First Stop For Security News
https://threatpost.com/pwn2own-day-two-safari-microsoft-edge-go-down-win...

Hospital Declares 'Internal State of Emergency' After Ransomware Infection - Krebs on Security
http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-e...

How Pirates And Hackers Worked Together To Steal Millions Of Dollars In Diamonds - BuzzFeed News
http://www.buzzfeed.com/josephbernstein/how-pirates-and-hackers-worked-t...

How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript \u2022 The Register
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos?mt=1458722195866

Company behind the Badlock disclosure says pre-patch hype is good for business | CSO Online
http://www.csoonline.com/article/3047221/techology-business/company-behi...

Special Meetup with Thomas Dullien aka Halvar Flake - Null Singapore - YouTube
https://www.youtube.com/watch?v=fkDD2ea7SD8

HITBSecConf2016 - Amsterdam
http://conference.hitb.org/hitbsecconf2016ams/

Canary - know when it matters
https://canary.tools/

Risky Business #405 -- Doxing Africa's W2 scammers, FBiOS and more

0:00 / 0:00

Risky Business Podcast

March 17, 2016

Risky Business #403 -- Inside Islamic State's doc leak

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with David Wells. He's ex GCHQ and ASD but these days he's a counterterrorism boffin with the Lowy Institute. He's joining us to discuss the IS document leak. Depending on which story you read its either the death of the organisation or it won't do anything at all to disrupt it. We get David's thoughts on what this leak will actually for the so-called Caliphate.

In this week's sponsor interview we're doing something a bit different.. following on from last week's interview with Re/Code's Arik Hesseldahl we're chatting with Tenable's CFO, Steve Vintz.

And you know what? It's really interesting getting his perspectives on what's happening in the BUSINESS of security -- the type of analysis a guy like Steve does is different from how security people do it, and he's got some really interesting perspectives on what 2016 could bring. Long story short? Expect consolidation among smaller vendors as CSOs look to trim the number of vendors in their supply chain.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple's Brief Hits the FBI With a Withering Fact Check | WIRED
http://www.wired.com/2016/03/apple-fact-checks-the-feds-in-latest-brief/

Government Calls Apple's iPhone Arguments in San Bernardino Case a 'Diversion' | WIRED
http://www.wired.com/2016/03/government-calls-apples-iphone-arguments-sa...

Apple Lambasts the FBI for Not Asking the NSA to Help Hack San Bernardino iPhone | WIRED
http://www.wired.com/2016/03/apple-lambasts-fbi-not-asking-nsa-help-hack...

Former cyber czar says NSA could crack the San Bernadino shooter's phone | Ars Technica
http://arstechnica.com/tech-policy/2016/03/former-cyber-czar-says-nsa-co...

In the FBI's Crypto War, Apps May Be the Next Target | WIRED
http://www.wired.com/2016/03/fbi-crypto-war-apps/

John Oliver explains why iPhone encryption debate is no joking matter | Ars Technica
http://arstechnica.com/tech-policy/2016/03/john-oliver-explains-why-ipho...

AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device - Palo Alto Networks BlogPalo Alto Networks Blog
http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios...

Spelling mistake prevented hackers taking $1bn in bank heist | Business | The Guardian
http://www.theguardian.com/business/2016/mar/10/spelling-mistake-prevent...

Thousands of Trucks, Buses, and Ambulances May Be Open to Hackers | WIRED
http://www.wired.com/2016/03/thousands-trucks-buses-ambulances-may-open-...

To bypass code-signing checks, malware gang steals lots of certificates | Ars Technica
http://arstechnica.com/security/2016/03/to-bypass-code-signing-checks-ma...

Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated] | Ars Technica
http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-ma...

Hackers Target Anti-DDoS Firm Staminus - Krebs on Security
http://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/

Dam you! Justice Dept. to indict Iranians for probing flood control network | Ars Technica
http://arstechnica.com/security/2016/03/dam-you-justice-dept-to-indict-i...

Steam Stealer Malware "Booming Business" For Attackers Targeting Gaming Service | Threatpost | The First Stop For Security News
https://threatpost.com/steam-stealer-malware-booming-business-for-attack...

Thieves Phish Moneytree Employee Tax Data - Krebs on Security
http://krebsonsecurity.com/2016/03/thieves-phish-moneytree-employee-tax-...

Botched Java patch leaves millions vulnerable to 30-month-old attack | Ars Technica
http://arstechnica.com/security/2016/03/botched-java-patch-leaves-millio...

Adobe issues emergency patch for actively exploited code-execution bug | Ars Technica
http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for...

Hack Brief: ISIS Data Breach Identifies 22,000 Members | WIRED
http://www.wired.com/2016/03/hack-brief-isis-data-breach-identifies-2200...

The Jihadist List Hyped as the 'Biggest ISIS Intelligence Haul Ever' Is a Bizarre, Inaccurate Mess
http://gizmodo.com/the-jihadist-list-hyped-as-the-biggest-isis-intellige...

Lowy Institute for International Policy | Interpret.Inform.Influence.
http://www.lowyinstitute.org/

Risky Business #403 -- Inside Islamic State's doc leak

0:00 / 0:00

Risky Business Podcast

March 10, 2016

Risky Business #402 -- Why are infosec companies tanking on the NASDAQ?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with re/code's senior editor and "enterprise dude" Arik Hesseldahl about the business of infosec. Information security related stocks and shares are tanking on indexes all over the world... why? How can this be happening in a $75bn sector that is tipped to grow into a $175bn sector in the next four years?

Arik will join us with the skinny on that. But don't panic, tanking infosec share prices might be a good thing for the discipline. We'll find out why a bit later on.

In this week's sponsor interview we chat with BugCrowd CEO Casey Ellis.

This week Casey joins us to discuss the Pentagon's decision to open up a bounty program.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hottest Topics To Come Out Of RSA Conference
http://www.darkreading.com/threat-intelligence/hottest-topics-to-come-ou...

Top iPhone Hackers Ask Court to Protect Apple From the FBI | WIRED
http://www.wired.com/2016/03/top-iphone-hackers-ask-court-protect-apple-...

Amazon Backtracks On Encryption Removal | Threatpost | The first stop for security news
https://threatpost.com/amazon-backtracks-on-encryption-removal-mum-on-wh...

Edward Snowden on Twitter: "The global technological consensus is against the FBI. Why? Here's one example: https://t.co/t2JHOLK8iU #FBIvsApple https://t.co/mH1ZXOOQ1E"
https://twitter.com/Snowden/status/707299113449230336

Seagate Phish Exposes All Employee W-2's - Krebs on Security
http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/

IRS Suspends Insecure 'Get IP PIN' Feature - Krebs on Security
http://krebsonsecurity.com/2016/03/irs-suspends-insecure-get-ip-pin-feat...

Cancer Clinic Warns 2.2 Million Of Records Breach | Threatpost | The first stop for security news
https://threatpost.com/cancer-clinic-warns-2-2-million-patients-of-recor...

Facebook Password Reset Bug Gave Hacker Access To Any Account | Threatpost | The first stop for security news
https://threatpost.com/facebook-password-reset-bug-gave-hackers-access-t...

Hacker who exposed Bush family e-mails, photos will be extradited to US | Ars Technica
http://arstechnica.com/security/2016/03/hacker-who-exposed-bush-family-e...

China is building a big data platform for "precrime" | Ars Technica
http://arstechnica.com/information-technology/2016/03/china-is-building-...

First Mac-targeting ransomware hits Transmission users, researchers say | Ars Technica
http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-h...

Malware hijacks big four Australian banks apps, steals two-factor SMS codes
http://www.theage.com.au/technology/consumer-security/malware-hijacks-bi...

Google Fixes Critical Mediaserver Bug, Again | Threatpost | The first stop for security news
https://threatpost.com/google-fixes-critical-android-mediaserver-bugs-ag...

John McAfee tells Ars he's fighting a lonely battle, but he's not lying | Ars Technica
http://arstechnica.com/information-technology/2016/03/john-mcafee-tells-...

Issue 758 - google-security-research - Linux netfilter IPT_SO_SET_REPLACE memory corruption - Google Security Research - Google Project Hosting
https://code.google.com/p/google-security-research/issues/detail?id=758

Cybersecurity\u200b \u200bMarket Reaches $75 Billion In 2015\u200b;\u200b \u200bExpected To Reach $170 Billion By 2020 - Forbes
http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8...

Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED
http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac...

Home - bugcrowd.com | Bugcrowd | Crowdsourced Cybersecurity. Fully managed bug bounty programs.
https://bugcrowd.com/

Risky Business #402 -- Why are infosec companies tanking on the NASDAQ?

0:00 / 0:00

Risky Business Podcast

March 03, 2016

Risky Business #401 -- Deserialisation attacks are kind of a big deal

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we get into a serious technical discussion about deserialisation attacks with with one of Adam Boileau's colleagues, Brendan Jamieson about the biggest issue in infosec that no one is talking about -- deserialisation vulnerabilities and their exploitation.

This attack class is a serious problem in enterprise environments thanks to the release of the YSoSerial tool about a year ago. Pen-testers who are across this bug class are finding issues everywhere they look, and hardly anyone is talking about it. But we do, this week.

Also this week we'll chat with Chris Gatford, the big Kahuna over at this week's sponsor HackLabs. I was talking to Chris recently and he mentioned that cryptolocker ransomware really isn't just affecting consumers anymore.

There was the recent news about a hospital in California that got hosed by ransomware, but I always thought that was the exception to the rule and that consumers were the most likely group to be affected by this stuff. Nope, wrong. Ransomware is getting inside corporate networks and causing all sorts of drama, Chris joins us soon to talk about that. Big thanks to HackLabs for its sponsorship of this week's show!

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple and FBI Take Their iPhone Hacking Fight to Congress | WIRED
http://www.wired.com/2016/03/apple-and-fbi-iphone-hacking-fight-congress...

Judge Says Apple Doesn't Have to Unlock iPhone in Case Similar to San Bernardino | WIRED
http://www.wired.com/2016/02/judge-says-apple-doesnt-have-to-unlock-ipho...

How the Feds Could Get Into iPhones Without Apple's Help | WIRED
http://www.wired.com/2016/03/feds-might-get-iphones-without-apples-help/

Apple vs. the FBI: Catch up on the iPhone encryption hearing
http://www.engadget.com/2016/03/02/apple-fbi-encryption-congress-hearing/

John McAfee better prepare to eat a shoe because he doesn't know how iPhones work | Ars Technica
http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-ea...

US to renegotiate rules on exporting "intrusion software" | Ars Technica
http://arstechnica.com/tech-policy/2016/03/us-to-renegotiate-rules-on-ex...

Hackers did indeed cause Ukrainian power outage, US report concludes | Ars Technica
http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukraini...

Brazil detains Facebook VP after he failed to give up user data
http://www.engadget.com/2016/03/01/brazil-detains-facebook-vp-after-he-f...

Brazil court orders release of arrested Facebook exec
http://www.engadget.com/2016/03/02/brazil-orders-release-of-facebook-exec/

FBI's Tor Hack Shows the Risk of Subpoenas to Security Researchers | WIRED
http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security...

Judge Confirms CMU Paid to Break Tor | Threatpost | The first stop for security news
https://threatpost.com/judge-confirms-dod-funded-research-to-decloak-tor...

Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED
http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac...

More than 11 million HTTPS websites imperiled by new decryption attack | Ars Technica
http://arstechnica.com/security/2016/03/more-than-13-million-https-websi...

Hacker Says He Can Hijack a $35K Police Drone a Mile Away | WIRED
http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mil...

Pirates hacked a shipping firm to find boats to raid
http://www.engadget.com/2016/03/01/pirates-hack-shipping-company/

Windows Defender Advanced Threat Protection uses cloud power to figure out you've been pwned | Ars Technica
http://arstechnica.com/information-technology/2016/03/windows-defender-a...

Payroll data leaked for current, former Snapchat employees | Ars Technica
http://arstechnica.com/security/2016/02/payroll-data-leaked-for-current-...

Thieves Nab IRS PINs to Hijack Tax Refunds - Krebs on Security
http://krebsonsecurity.com/2016/03/thieves-nab-irs-pins-to-hijack-tax-re...

Why The Java Deserialization Bug Is A Big Deal
http://www.darkreading.com/informationweek-home/why-the-java-deserializa...

GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
https://github.com/frohoff/ysoserial

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/

Risky Business #401 -- Deserialisation attacks are kind of a big deal

0:00 / 0:00

Risky Business Podcast

February 25, 2016

Risky Business #400 -- FBiOS with Adam PLUS guest Daniel Hodson

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's podcast we'll hear from Daniel Hodson of Elttam Security here in Australia. Daniel and his business partner Matt Jones have been looking into the security of messaging software that has recommended by the EFF. Does a bunch of ticks from the EFF actually say much about app security? Well, not really, as it turns out.

In this week's sponsor interview we hear from Senetas co-founder and CTO Julian Fay. Senetas, of course, make layer 2 encryption equipment. They'll be releasing a 100Gbps full line rate encryption box soon, they make awesome kit. But this week Julian joins us to weigh in, briefly, on the Apple vs FBI mess, as well as to have a discussion about some interesting use cases he's seen for layer two stuff lately.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple Is Said to Be Trying to Make It Harder to Hack iPhones - The New York Times
http://www.nytimes.com/2016/02/25/technology/apple-is-said-to-be-working...

Apple-FBI Fight Asks: Is Code Protected as Free Speech? - Bloomberg Business
http://www.bloomberg.com/news/articles/2016-02-24/apple-fbi-fight-asks-i...

Apple: Congress, not courts, must decide
http://bigstory.ap.org/article/8c7f8004bac3466dbb7ba27f13c1cc08/apple-co...

Apple Attorney Reveals Dozen Other iPhone Requests from FBI | Threatpost | The first stop for security news
https://threatpost.com/apple-attorney-reveals-dozen-other-iphone-request...

Delicate Hardware Hacks Could Unlock Shooter's iPhone | Threatpost | The first stop for security news
https://threatpost.com/delicate-hardware-hacks-could-unlock-shooters-iph...

Apple Says the Government Bungled Its Chance to Get That iPhone's Data | WIRED
http://www.wired.com/2016/02/apple-says-the-government-bungled-its-chanc...

Encryption isn't at stake, the FBI knows Apple already has the desired key | Ars Technica
http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-kn...

How the FBI could use acid and lasers to access data stored on seized iPhone | Ars Technica
http://arstechnica.com/security/2016/02/how-the-fbi-could-use-acid-and-l...

Linux Mint hit by malware infection on its website, forum after hack attack | Ars Technica
http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infect...

Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica
http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industr...

Troy Hunt: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Man admits he stole nude celebrity pics from Apple and Gmail accounts | Ars Technica
http://arstechnica.com/tech-policy/2016/02/man-admits-he-stole-nude-cele...

More insecure security software: Comodo's on-by-default VNC app | Ars Technica
http://arstechnica.com/security/2016/02/more-insecure-security-software-...

Tor: 'Mystery' spike in hidden addresses - BBC News
http://www.bbc.com/news/technology-35614335

IRS Email Tax Scams Up 400 Percent | Threatpost | The first stop for security news
https://threatpost.com/irs-warns-tax-related-phishing-malware-surging/11...

Phishers Spoof CEO, Request W2 Forms - Krebs on Security
http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/

Google Wants to Save News Sites From Cyberattacks-For Free | WIRED
http://www.wired.com/2016/02/google-wants-save-news-sites-cyberattacks-f...

Joomla Joins WordPress As TeslaCrypt Ransomware Target | Threatpost | The first stop for security news
https://threatpost.com/joomla-sites-join-wordpress-as-teslacrypt-ransomw...

The Sony Hackers Were Causing Mayhem Years Before They Hit the Company | WIRED
http://www.wired.com/2016/02/sony-hackers-causing-mayhem-years-hit-company/

Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC | WIRED
http://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-ha...

Bosses Harness Big Data to Predict Which Workers Might Get Sick - NASDAQ.com
http://www.nasdaq.com/article/bosses-harness-big-data-to-predict-which-w...

Rogue Chinese iOS App Removed from App Store | Threatpost | The first stop for security news
https://threatpost.com/rogue-ios-app-gets-boot-after-slipping-into-app-s...

Angler Exploit Kit Attacks Silverlight Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-...

We Could Not Look the Survivors in the Eye if We Did Not Follow this Lead - Lawfare
https://www.lawfareblog.com/we-could-not-look-survivors-eye-if-we-did-no...

A review of the EFF secure messaging scorecard... - elttam
https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scor...

Senetas
http://www.senetas.com/

Risky Business #400 -- FBiOS with Adam PLUS guest Daniel Hodson

0:00 / 0:00

Risky Business Podcast

February 18, 2016

Risky Business #399 -- Apple vs the Government of the United States

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we chat with Dan Guido from Trail of Bits about the stoush between Apple and the US department of justice.

In this week's sponsor interview we speak with Cris Thomas, a.k.a. Space Rogue. Cris works for Tenable Network Security, this week's sponsor, and he joins us in this week's podcast to talk about NIST's cyber security framework.

Adam Boileau joins the show to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Customer Letter - Apple
http://www.apple.com/customer-letter/

SB-Shooter-Order-Compelling-Apple-Asst-iPhone
https://www.documentcloud.org/documents/2714001-SB-Shooter-Order-Compell...

New report contends mandatory crypto backdoors would be futile | Ars Technica
http://arstechnica.com/tech-policy/2016/02/new-report-contends-mandatory...

Apple can comply with the FBI court order - Trail of Bits Blog
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Magnitude of glibc Vulnerability Coming to Light | Threatpost | The first stop for security news
https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/...

glibc Linux remote code execution vulnerability | Threatpost | The first stop for security news
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machi...

Extremely severe bug leaves dizzying number of software and devices vulnerable | Ars Technica
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizz...

#6886 (uClibc segfault in getaddrinfo() when receiving long IPv6 DNS responses (probably stack corruption)) - OpenWrt
https://dev.openwrt.org/ticket/6886

U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict - The New York Times
http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-pl...

Password cracking attacks on Bitcoin wallets net $103,000 | Ars Technica
http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bit...

Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning | Ars Technica
http://arstechnica.com/apple/2016/02/warning-bug-in-adobe-creative-cloud...

Opsec fail: Baltimore teen car thieves paired phones with Jeep UConnect | Ars Technica
http://arstechnica.com/security/2016/02/opsec-fail-baltimore-teen-car-th...

Patients diverted to other hospitals after ransomware locks down key software | Ars Technica
http://arstechnica.com/security/2016/02/la-hospital-latest-victim-of-tar...

LA hospital coughs up $17,000 to free PCs held to ransom by hackers \u2022 The Register
http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/?mt=1455761...

Honeypots Help Illustrate Scores of Vulnerabilities in Medical Devices | Threatpost | The first stop for security news
https://threatpost.com/honeypots-illustrate-scores-of-vulnerabilities-in...

'Ricochet', the Messenger That Beats Metadata, Passes Security Audit | Motherboard
http://motherboard.vice.com/read/ricochet-encrypted-messenger-tackles-me...

ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
http://eprint.iacr.org/2016/129.pdf

Apple can comply with the FBI court order - Trail of Bits Blog
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Risky Business #399 -- Apple vs the Government of the United States

0:00 / 0:00

Risky Business Podcast

February 11, 2016

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible.

We're sticking with the economics theme in this week's feature interview. We'll be chatting with Jonahan Cran, VP of operations for BugCrowd about their recently released Defensive Vulnerability Pricing Model. They've also released their Vulnerability Rating Taxonomy. Both of these documents are really, really interesting, so stay tuned for this week's sponsor interview to hear all about them!

Adam Boileau joins us, as always, to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Execute My Packet | Exodus Intelligence
https://blog.exodusintel.com/2016/01/26/firewall-hacking/

Obama wants you to join CyberCorps Reserve to help feds get their act together | Ars Technica
http://arstechnica.com/tech-policy/2016/02/obama-wants-you-join-the-cybe...

Moscow raids could signal end of global Dyre bank trojan menace \u2022 The Register
http://www.theregister.co.uk/2016/02/10/moscow_raids_could_signal_end_of...

Dridex malware exploit distributes antivirus installer-hack suspected | Ars Technica
http://arstechnica.com/security/2016/02/dridex-malware-exploit-distribut...

Java "RAT-as-a-Service" backdoor openly sold through website to scammers | Ars Technica
http://arstechnica.com/security/2016/02/java-rat-as-a-service-backdoor-o...

Clever bank hack allowed crooks to make unlimited ATM withdrawals | Ars Technica
http://arstechnica.com/security/2016/02/clever-bank-hack-allowed-crooks-...

Skimmers Hijack ATM Network Cables - Krebs on Security
http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/

Relive your worst MS-DOS file-deletion memories at the Malware Museum | Ars Technica
http://arstechnica.com/security/2016/02/relive-your-worst-ms-dos-file-de...

Parents urged to boycott VTech toys after hack - BBC News
http://www.bbc.com/news/technology-35532644

Flash flushed as Google orders almost all ads to adopt HTML5 \u2022 The Register
http://www.theregister.co.uk/2016/02/10/google_orders_advertisers_to_ado...

How to Hack the Power Grid Through Home Air Conditioners | WIRED
http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air...

Julian Assange's 3.5-Year Detainment in Embassy Ruled Unlawful | WIRED
http://www.wired.com/2016/02/julian-assanges-3-5-year-detainment-in-emba...

Gmail to warn you if your friends aren't using secure e-mail | Ars Technica
http://arstechnica.com/information-technology/2016/02/gmail-to-warn-you-...

Chrome picks up bonus security features on Windows 10 | Ars Technica
http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bo...

UC Berkeley profs lambast new "black box" network monitoring hardware | Ars Technica
http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybers...

Zero Day Initiative announces Pwn2Own 2016 - Hewlett Packard Enterprise Community
http://community.hpe.com/t5/Security-Research/Zero-Day-Initiative-announ...

th\xe1i: Exploiting the Diffie-Hellman bug in socat
https://vnhacker.blogspot.co.nz/2016/02/exploiting-diffie-hellman-bug-in...

Gordon-Loeb Model for Cybersecurity Investments - YouTube
https://www.youtube.com/watch?v=cd8dT0FuqQ4

Bugcrowd's Vulnerability Rating Taxonomy
https://pages.bugcrowd.com/vulnerability-rating-taxonomy

Bugcrowd's Defensive Vulnerability Pricing Model
https://pages.bugcrowd.com/whats-a-bug-worth-2015-survey

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!

0:00 / 0:00

Risky Business Podcast

February 05, 2016

Risky Business #397 -- Guest HD Moore joins the show!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

******Here's a link to the Risky Business listener survey. Please take some time to fill it in! It'll really help the show!********

On this week's show we're checking in with HD Moore. He's left Rapid7 after six years and he'll be along to fill us in on his future plans in this week's feature interview. He'll also be reassuring all you Metasploit users out there that he'll be staying involved. He'll talk about a couple of absolutely awful bugs and he'll also weigh in on NorseGate: The implosion of the world's most cybery cyber advanced threat intelligence derpa derpa firm.

This week's show is brought to you by an Australian security consultancy, HackLabs. It's probably worth noting for our American friends that the Australian exchange rate has shifted pretty substantially over the last six months or so... so Australia might be a pretty good place for you to send some app review work!

In this week's sponsor interview HackLabs founder and head honcho Chris Gatford joins us to discuss strategies for administering unmaintained and hideously vulnerable enterprise apps.

Microsoft has end-of-lifed a stack of old IE versions, Oracle is killing the Java browser plugin... this will leave a lot of legacy apps marooned. So what can you do?

Adam Boileau joins us, as always, to discuss the week's security news. He also discusses Java deserialisation attacks that are shaping up as a major attack vector for 2016.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

------------

Oracle deprecates the Java browser plugin, prepares for its demise | Ars Technica
http://arstechnica.com/information-technology/2016/01/oracle-deprecates-...

Good Riddance to Oracle's Java Plugin - Krebs on Security
http://krebsonsecurity.com/2016/02/good-riddance-to-oracles-java-plugin/

Sources: Security Firm Norse Corp. Imploding - Krebs on Security
http://krebsonsecurity.com/2016/01/sources-security-firm-norse-corp-impl...

NSA Hacker Chief Explains How to Keep Him Out of Your System | WIRED
http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-o...

National Security Agency plans major reorganization - The Washington Post
https://www.washingtonpost.com/world/national-security/national-security...

A technical reading of the "HIMR Data Mining Research Problem Book" | Conspicuous Chatter
https://conspicuouschatter.wordpress.com/2016/02/03/a-technical-reading-...

Default settings in Apache may decloak Tor hidden services | Ars Technica
http://arstechnica.com/security/2016/02/default-settings-in-apache-may-d...

Crypto flaw was so glaring it may be intentional eavesdropping backdoor | Ars Technica
http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-ma...

UN rules in favour of Julian Assange
http://www.theage.com.au/world/un-rules-in-favour-of-assange-20160204-gm...

Corrupt Silk Road Investigator Re-Arrested for Allegedly Trying to Flee the US | WIRED
http://www.wired.com/2016/02/corrupt-silk-road-investigator-re-arrested-...

Former Energy Department employee admits trying to spear phish coworkers | Ars Technica
http://arstechnica.com/tech-policy/2016/02/former-energy-department-empl...

FTC: Tax Fraud Behind 47% Spike in ID Theft - Krebs on Security
http://krebsonsecurity.com/2016/01/ftc-tax-fraud-behind-47-spike-in-id-t...

HSBC online banking suffers major outage, blames DDoS attack | Ars Technica
http://arstechnica.com/security/2016/01/hsbc-online-banking-suffers-majo...

eBay has no plans to fix "severe" bug that allows malware distribution [Updated] | Ars Technica
http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-...

PayPal Java Serialization Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/

Government Promises Comment Period on Next Wassenaar Draft | Threatpost | The first stop for security news
https://threatpost.com/government-promises-comment-period-on-next-wassen...

VirusTotal Firmware Malware Implant Scanning | Threatpost | The first stop for security news
https://threatpost.com/virustotal-supports-firmware-scanning/116072/

Mysterious spike in WordPress hacks silently delivers ransomware to visitors | Ars Technica
http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-ha...

High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic | Ars Technica
http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-all...

Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android | InfoWorld
http://www.infoworld.com/article/3028079/security/google-fixes-multiple-...

Google engineer finds holes in three 'secure' browsers
http://www.engadget.com/2016/02/04/tavis-ormandy-chromium-bug-hunter/

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/

Risky Business #397 -- Guest HD Moore joins the show!

0:00 / 0:00