Risky Business Podcast

January 28, 2016

Risky Business #396 -- Chris Wysopal on scanning for backdoors

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we've got two feature interviews!

We're talking to Chris Wysopal from Veracode about using static analysis techniques to find back doors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough.

We also check in with Martijn Grooten, editor of Virus Bulletin. We're having a quick chat to him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. He's been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact.

This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. Personally think this stuff is great.. just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools.

Adam Boileau, as always, drops in for a chat about the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Israel's electric authority hit by "severe" hack attack [Updated] | Ars Technica
http://arstechnica.com/security/2016/01/israels-electric-grid-hit-by-sev...

Israeli Electric Authority Attacked, Potential Ransomware | Threatpost | The first stop for security news
https://threatpost.com/israeli-electric-authority-hit-by-severe-cyber-at...

SANS Industrial Control Systems Security Blog | Context for the Claim of a Cyber Attack on the Israeli Electric Grid | SANS Institute
https://ics.sans.org/blog/2016/01/27/context-for-the-claim-of-a-cyber-at...

Wendy's Probes Reports of Credit Card Breach - Krebs on Security
https://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card...

Moment of truth: Feds must say if they used backdoored Juniper firewalls | Ars Technica
http://arstechnica.com/tech-policy/2016/01/moment-of-truth-feds-must-say...

Secret SSH backdoor in Fortinet hardware found in more products | Ars Technica
http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-...

Media devices sold to feds have hidden backdoor with sniffing functions | Ars Technica
http://arstechnica.com/security/2016/01/media-devices-sold-to-feds-have-...

Lenovo SHAREit App Hard-Coded Password | Threatpost | The first stop for security news
https://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-...

Yet another bill seeks to weaken encryption-by-default on smartphones | Ars Technica
http://arstechnica.com/tech-policy/2016/01/yet-another-bill-seeks-to-wea...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

How Amazon customer service was the weak link that spilled my data | Ars Technica
http://arstechnica.com/security/2016/01/how-amazon-customer-service-was-...

"Internet of Things" security is hilariously broken and getting worse | Ars Technica
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-th...

NYC Launches Investigation Into Hackable Baby Monitors | WIRED
http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/

HD Moore Leaves Rapid7 for Venture Capital Opportunity | Threatpost | The first stop for security news
https://threatpost.com/hd-moore-to-build-new-venture-capital-firm/115969/

Zcash, an Untraceable Bitcoin Alternative, Launches in Alpha | WIRED
http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-la...

Government Investigation of Alleged Bitcoin Creator Craig Wright Intensifies - CoinDesk
http://www.coindesk.com/australia-government-bitcoin-creator-craig-wrigh...

Firm Sues Cyber Insurer Over $480K Loss - Krebs on Security
http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/

Scarlet Mimic Behind Espionage Campaign Against Tibetan, Uyghur Activists | Threatpost | The first stop for security news
https://threatpost.com/scarlet-mimic-group-behind-four-year-campaign-aga...

Bot Fraud to Cost Advertisers $7 Billion in 2016 | Threatpost | The first stop for security news
https://threatpost.com/bot-fraud-to-cost-advertisers-7-billion-in-2016/1...

Skype Now Hides Your Internet Address - Krebs on Security
http://krebsonsecurity.com/2016/01/skype-now-hides-your-internet-address/

Cisco MiniUPnP Stack Smashing Protection Attack | Threatpost | The first stop for security news
https://threatpost.com/miniupnp-vulnerability-clears-way-for-stack-smash...

January 2016 Apple Security Patches iOS, OS X, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/11...

OpenSSL to Patch Two Vulnerabilities This Week | Threatpost | The first stop for security news
https://threatpost.com/openssl-to-patch-two-vulnerabilities-this-week/11...

Magento Update Addresses XSS, CSRF Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/magento-update-addresses-xss-csrf-vulnerabilities...

Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme | WIRED
http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-c...

iOS cookie theft bug allowed hackers to impersonate users | Ars Technica
http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hac...

Oracle Pushes Java Fix: Patch It or Pitch It - Krebs on Security
http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pi...

Canary - know when it matters
https://canary.tools/

canarytokens.net
http://canarytokens.org/generate

Risky Business #396 -- Chris Wysopal on scanning for backdoors

0:00 / 0:00

Risky Business Podcast

January 21, 2016

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things.

We'll be talking about moves by both browser developers and some CAs to deprecate SHA1 signed certificates. He says we need to support SHA-1 for now and he explains why soon.
We're also chatting with him about the Juniper fiasco.
We also get his thoughts on NSA surveillance now he's responsible for the security of user information at the world's biggest social media platform.

In this week's sponsor interview we chat with Tenable network security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's going on outside your network, that doesn't mean you should treat these services as a big blindspot. That's this week's feature interview, with big thanks to Tenable Network Security, this week's sponsor!

Adam Boileau is back this week to discuss the news headlines we missed while we were on break.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica
http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-fir...

New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED
http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raise...

Researchers confirm backdoor password in Juniper firewall code | Ars Technica
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-pas...

Juniper drops NSA-developed code following new backdoor revelations | Ars Technica
http://arstechnica.com/security/2016/01/juniper-drops-nsa-developed-code...

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears | Ars Technica
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-passwo...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

Phone crypto scheme "facilitates undetectable mass surveillance" | Ars Technica
http://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitat...

The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED
http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan...

Everything We Know About Ukraine's Power Plant Hack | WIRED
http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-pla...

Analysis confirms coordinated hack attack caused Ukrainian power outage | Ars Technica
http://arstechnica.com/security/2016/01/analysis-confirms-coordinated-ha...

Royal Melbourne Hospital attacked by damaging computer virus
http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-d...

Internet Explorer End of Support
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

Judge Rules Kim Dotcom Can Be Extradited to US to Face Charges | WIRED
http://www.wired.com/2015/12/kim-dotcom-extradition-ruling/

In Silk Road Appeal, Ross Ulbricht's Defense Focuses on Corrupt Feds | WIRED
http://www.wired.com/2016/01/ross-ulbrichts-defense-focuses-on-corrupt-f...

Security firm sued for filing "woefully inadequate" forensics report | Ars Technica
http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-wo...

US Intelligence director's personal e-mail, phone hacked | Ars Technica
http://arstechnica.com/security/2016/01/us-intelligence-directors-person...

Researchers uncover JavaScript-based ransomware-as-service | Ars Technica
http://arstechnica.com/security/2016/01/researchers-uncover-javascript-b...

Microsoft may have your encryption key; here's how to take it back | Ars Technica
http://arstechnica.com/information-technology/2015/12/microsoft-may-have...

Common payment processing protocols found to be full of flaws | Ars Technica
http://arstechnica.com/security/2015/12/common-payment-processing-protoc...

Critical Yahoo Mail Flaw Patched, $10K Bounty Paid | Threatpost | The first stop for security news
https://threatpost.com/critical-yahoo-mail-flaw-patched-10k-bounty-paid/...

GM embraces white-hat hackers with public vulnerability disclosure program | Ars Technica
http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-publ...

Google slams AVG for exposing Chrome user data with "security" plugin | Ars Technica
http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-ch...

Google security researcher excoriates TrendMicro for critical AV defects | Ars Technica
http://arstechnica.com/security/2016/01/google-security-researcher-excor...

Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC | Ars Technica
http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torped...

Cisco Patches Hardcoded Password, DoS Vulnerabilities in Software | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-hardcoded-password-dos-vulnerabilit...

Microsoft Silverlight Zero Day Vulnerability Patched | Threatpost | The first stop for security news
https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/...

Bug that can leak crypto keys just fixed in widely used OpenSSH | Ars Technica
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-ju...

Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-milli...

January 2016 Oracle Critical Patch Update 248 Patches | Threatpost | The first stop for security news
https://threatpost.com/oracle-releases-record-number-of-security-patches...

Oracle settles with FTC over Java's "deceptive" security patching | Ars Technica
http://arstechnica.com/information-technology/2015/12/oracle-settles-wit...

With funds stolen in hack, cryptocurrency company mulls bankruptcy | Reuters
http://www.reuters.com/article/bankruptcy-cryptsy-idUSL2N1530M9

Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early | Ars Technica
http://arstechnica.com/information-technology/2015/12/google-considers-f...

Firefox ban on SHA-1 certs causing some security issues, Mozilla warns | Ars Technica
http://arstechnica.com/security/2016/01/firefoxs-ban-of-sha-1-certs-caus...

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance

0:00 / 0:00

Risky Business Podcast

December 16, 2015

Risky Business #394 -- Matthew Green talks "crypto bans"

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with Johns Hopkins University cryptographer Matthew Green about rumblings emanating out of DC with regard to "stopping encryption", whatever the hell that means.

In this week's sponsor interview we're chatting with Oliver Fay from Context about a paper they did in conjunction with UK's CERT about exploit kits. How much do they cost? Are there any that stick out as being particularly good? Or bad, depending on your point of view...

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Man arrested in toymaker hack that exposed data for millions of kids | Ars Technica
http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-sa...

The Bizarre Saga of Craig Wright, the Latest "Inventor of Bitcoin" - The New Yorker
http://www.newyorker.com/business/currency/bizarre-saga-craig-wright-lat...

Julian Assange Will Finally Get His Day in Court-In the Ecuadorean Embassy | WIRED
http://www.wired.com/2015/12/julian-assange-will-finally-get-his-day-in-...

J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime - Forbes
http://www.forbes.com/sites/stevemorgan/2015/12/13/j-p-morgan-boa-citi-a...

Tor Hires a New Leader to Help It Combat the War on Privacy | WIRED
http://www.wired.com/2015/12/tor-hires-a-new-leader-to-help-it-combat-th...

Beware of state-sponsored hackers, Twitter warns dozens of users | Ars Technica
http://arstechnica.com/tech-policy/2015/12/beware-of-state-sponsored-hac...

13 Million MacKeeper Users Exposed - Krebs on Security
http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/

SHA1 sunset will block millions from encrypted net, Facebook warns | Ars Technica
http://arstechnica.com/security/2015/12/sha1-sunset-will-block-millions-...

Cisco starts spewing vuln info everywhere, in a good way \u2022 The Register
http://www.theregister.co.uk/2015/12/15/borg_security_boffins_open_tweak...

#BadWinmail Demo - YouTube
https://www.youtube.com/watch?v=ngWVbcLDPm8

Critical 0-day Remote Command Execution Vulnerability in Joomla - Sucuri Blog
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-i...

Protecting Windows Networks - Kerberos Attacks | DFIR blog
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-att...

Project Zero: FireEye Exploitation: Project Zero's Vulnerability of the Beast
http://googleprojectzero.blogspot.com.au/2015/12/fireeye-exploitation-pr...

Back to 28: Grub2 Authentication Bypass 0-Day
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

FBI on Encryption: 'It's A Business Model Question' | Threatpost | The first stop for security news
https://threatpost.com/fbi-on-encryption-its-a-business-model-question/1...

Fact-checking the debate on encryption | Ars Technica
http://arstechnica.com/security/2015/12/fact-checking-the-debate-on-encr...

New Paper Released: Demystifying the Exploit Kit
http://www.contextis.com/news/new-paper-released-demystifying-exploit-kit/

Tower Of Power - Both Sorry Over Nothin' - YouTube
https://www.youtube.com/watch?v=1Dkh173BAMw

Tower Of Power 1973 - YouTube
https://www.youtube.com/watch?v=JXQ2kMx2xok

Risky Business #394 -- Matthew Green talks "crypto bans"

0:00 / 0:00

Risky Business Podcast

December 10, 2015

Risky Business #393 -- So who's Satoshi this week?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show -- in addition to covering the latest claims about the true identity of Satoshi Nakamoto -- we're taking a look at a recent deal between a very large bank in Australia and Sydney's University of New South Wales.

UNSW has had a lot of success over the last few years in actually training people to think offensively. They seem to have cracked a formula where others have tried and failed. Now, they've got $1.6m to play with courtesy of the Commonwealth Bank. This could be a model for colleges and universities everywhere. Whether you're a CSO having trouble recruiting good staff or you work in academia, you really want to hear this week's feature interviews with Brendan Hopper and CBA CSO Ben Heyes.

This week's show is brought to you by Bromium.

Bromium makes awesome micro-virtualisation software that really does neutralise the threat of memory corruption exploits in desktop environments. A speed bump for them has been their software requires Intel's virtualisation instruction extensions to work. Well, they've been around long enough now for Bromium to be getting some serious traction at the top end of town. They've also brought out version 3 of their software. with Bromium's Chief Security Architect Rahul Kashyap joins us in this week's sponsor interview to update us on what they've been up to for the last year or so.

The Grugq is in the news chair this week. Adam is busy running Kiwicon in Wellington.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Grugq on Twitter if that's your thing.

Show notes

Bitcoin's Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius | WIRED
http://www.wired.com/2015/12/bitcoins-creator-satoshi-nakamoto-is-probab...

This Australian Says He and His Dead Friend Invented Bitcoin
http://gizmodo.com/this-australian-says-he-and-his-dead-friend-invented-...

Reported bitcoin 'founder' Craig Wright's home raided by Australian police | Technology | The Guardian
http://www.theguardian.com/technology/2015/dec/09/bitcoin-founder-craig-...

Alleged Bitcoin Creator Craig Wright Likely Outed Himself | Fusion
http://fusion.net/story/243056/alleged-bitcoin-creator-craig-wright/

Satoshi's PGP Keys Are Probably Backdated and Point to a Hoax | Motherboard
http://motherboard.vice.com/read/satoshis-pgp-keys-are-probably-backdate...

Variety Jones, Alleged Silk Road Mentor, Arrested in Thailand | WIRED
http://www.wired.com/2015/12/variety-jones-alleged-silk-road-mentor-arre...

Let's Encrypt Initiative Enters Public Beta | Threatpost | The first stop for security news
https://threatpost.com/lets-encrypt-initiative-enters-public-beta/115568/

Trump says "closing that Internet" is a good way to fight terrorism | Ars Technica
http://arstechnica.com/tech-policy/2015/12/trump-wants-bill-gates-to-hel...

France looking at banning Tor, blocking public Wi-Fi | Ars Technica
http://arstechnica.com/tech-policy/2015/12/france-looking-at-banning-tor...

Attack floods Internet root servers with 5 million queries a second | Ars Technica
http://arstechnica.com/security/2015/12/attack-flooded-internet-root-ser...

root-servers.org/news/events-of-20151130.txt
http://root-servers.org/news/events-of-20151130.txt

Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom | WIRED
http://www.wired.com/2015/12/hacker-leaks-customer-data-after-a-united-a...

Anonymous Leaks Paris Climate Summit Officials' Private Data | WIRED
http://www.wired.com/2015/12/anonymous-leaks-paris-climate-summit-offici...

At first cyber meeting, China claims OPM hack is "criminal case" [Updated] | Ars Technica
http://arstechnica.com/tech-policy/2015/12/at-first-cyber-meeting-china-...

Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record \xab Threat Research | FireEye Inc
https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-r...

Experts Say Bitcoin Extortionist Copycats on the Rise | Threatpost | The first stop for security news
https://threatpost.com/bitcoin-extortionist-copycats-on-the-rise-experts...

Microsoft, Law Enforcement Collaborate in Dorkbot Takedown | Threatpost | The first stop for security news
https://threatpost.com/microsoft-law-enforcement-collaborate-in-dorkbot-...

Mozilla Will Stop Developing And Selling Firefox OS Smartphones | TechCrunch
http://techcrunch.com/2015/12/08/mozilla-will-stop-developing-and-sellin...

December Patch Tuesday avalanche of patches includes leaked Xbox certificate | Ars Technica
http://arstechnica.com/security/2015/12/december-patch-tuesday-avalanche...

Adobe, Microsoft Each Plug 70+ Security Holes - Krebs on Security
http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security...

Apple Patches 50+ Vulnerabilities in iOS, OS X, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-50-vulnerabilities-across-ios-os-x-...

Cisco Warning of CSRF, XSS Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-...

Dropbox - Backgrounder_UNSW and CBA Security Engineering.docx
https://www.dropbox.com/s/aqnbfxbcqhujxj1/Backgrounder_UNSW%20and%20CBA%...

Dropbox - Transcript_CyberSecurity_Heyes_Buckland_Dec2015_final.docx
https://www.dropbox.com/s/zod75xl50g1uuhz/Transcript_CyberSecurity_Heyes...

UNSW, Commonwealth Bank to offer cyber Security courses | Cyber security jobs
http://www.news.com.au/finance/business/other-industries/commonwealth-ba...

sec.edu - Security Engineering - Applied Cyber Security on openlearning.com
https://www.openlearning.com/courses/sec

Free ride: students crack ticket algorithm
http://www.smh.com.au/digital-life/consumer-security/free-ride-students-...

Wil Anderson | Chelsea Lately | Comedy Works
https://www.comedyworks.com/comedians/666

Risky Business #393 -- So who's Satoshi this week?

0:00 / 0:00

Risky Business Podcast

December 03, 2015

Risky Business #392 -- A look at Silverpush with Kevin Finisterre

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with Kevin Finisterre about Silverpush -- the creepy ultrasonic audio-beaconing technology used by advertising companies that was in the press a couple of weeks ago. Kevin was all over it and he joins me to discuss the growing overlap between the techniques used by marketers and blackhats.

This week's show is brought to you by Bugcrowd, big thanks to them. In this week's sponsor interview Bugcrowd CEO Casey Ellis joins us to discuss more on bug economics -- how do you price bugs? How do you determine bounty pools? It's not as simple as saying, well, XXE's are worth $500 each and XSS $200. The dynamics here are actually a little more complex than that.

Adam Boileau, as always, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hacker Obtained Children's Headshots and Chatlogs From Toymaker VTech | Motherboard
http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and...

When children are breached-inside the massive VTech hack | Ars Technica
http://arstechnica.com/security/2015/11/when-children-are-breached-insid...

Adobe sounds death knell for Flash - Software - iTnews
http://www.itnews.com.au/news/adobe-sounds-death-knell-for-flash-412522

China blamed for 'massive' cyber attack on Bureau of Meteorology supercomputer - ABC News (Australian Broadcasting Corporation)
http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-b...

CNN investigates: How Corporate America keeps huge hacks secret - Nov. 30, 2015
http://money.cnn.com/2015/11/30/technology/secret-deals-hacked-companies...

DHS Giving Firms Free Penetration Tests - Krebs on Security
http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/

DHS to Silicon Valley: Tell us how to secure this "Internet of Things" | Ars Technica
http://arstechnica.com/information-technology/2015/12/dhs-to-silicon-val...

Hey Reader's Digest: Your site has been attacking visitors for days | Ars Technica
http://arstechnica.com/security/2015/11/hey-readers-digest-your-site-has...

China APT Gang Targets Hong Kong Media via Dropbox | Threatpost | The first stop for security news
https://threatpost.com/china-apt-gang-targets-hong-kong-media-via-dropbo...

BlackBerry to bug out of Pakistan by end of year \u2022 The Register
http://www.theregister.co.uk/2015/12/01/blackberry_to_quit_pakistan/

Kazakhtelecom
http://telecom.kz/en/news/view/18729

Advantech EKI Vulnerable to Shellshock, Heartbleed | Threatpost | The first stop for security news
https://threatpost.com/advantech-ics-gear-still-vulnerable-to-shellshock...

Google Plans to End Chrome for 32-bit Linux, Releases Chrome 47 | Threatpost | The first stop for security news
https://threatpost.com/google-ends-chrome-support-on-32-bit-linux-releas...

Microsoft Revoves Trust for eDellroot Certficates | Threatpost | The first stop for security news
https://threatpost.com/microsoft-removes-trust-for-edellroot-certificate...

Lord Echo - Thinking of you - YouTube
https://www.youtube.com/watch?v=9djfSSTL-qQ

Meet The 'Ultrasonic' Tracking Company Privacy Activists Are Terrified Of - Forbes
http://www.forbes.com/sites/thomasbrewster/2015/11/16/silverpush-ultraso...

Risky Business #392 -- A look at Silverpush with Kevin Finisterre

0:00 / 0:00

Risky Business Podcast

November 26, 2015

Risky Business #391 -- Dell fails hard

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn.

If you haven't heard what they actually did you'll hardly even believe it. That's this week's feature interview.

This week's sponsor guest is Tenable's very own Brian "Jericho" Martin. He's a guy who knows a thing or two about vulnerabilities and the software supply chain. We dodged a bullet with those libpng vulnerabilities of a few weeks ago not really being exploitable. But what if they were? How do you prepare your organisation for some serious bugs dropping in libraries when you're not even sure if you're using that code?

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Clinton Says the US Needs Silicon Valley's Help to Defeat ISIS | WIRED
http://www.wired.com/2015/11/clinton-says-us-needs-silicon-valleys-help-...

Security Manual Reveals the OPSEC Advice ISIS Gives Recruits | WIRED
http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terror...

The Secret ISIS Cyber Guide Was Actually Just An Arabic Guide For Activists - BuzzFeed News
http://www.buzzfeed.com/sheerafrenkel/the-secret-isis-cyber-guide-was-ac...

Bangladesh mulls blocking WhatsApp and Viber to prevent terror activities
http://www.ibtimes.co.in/bangladesh-mulls-blocking-whatsapp-viber-preven...

Iranian military spear-phish of State Department employees detected first by Facebook | Ars Technica
http://arstechnica.com/security/2015/11/iranian-military-spear-phish-of-...

Breach at IT Automation Firm LANDESK - Krebs on Security
http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/

54 Starwood Hotels Hit By Point of Sale Malware | Threatpost | The first stop for security news
https://threatpost.com/starwood-hotel-chain-hit-by-point-of-sale-malware...

Hilton Acknowledges Credit Card Breach - Krebs on Security
http://krebsonsecurity.com/2015/11/hilton-acknowledges-credit-card-breach/

A $10 Tool Can Guess (And Steal) Your Next Credit Card Number | WIRED
http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-st...

Certifications Tracking System Outage and Data Exposure - The Cisco Learning Network
https://learningnetwork.cisco.com/blogs/community_cafe/2015/11/21/certif...

FBI Warns Public Officials of Doxing Threat | Threatpost | The first stop for security news
https://threatpost.com/fbi-warns-public-officials-of-doxing-threat/115429/

The Doctor on a Quest to Save Our Medical Devices From Hackers | WIRED
http://www.wired.com/2015/11/the-doctor-on-a-quest-to-save-our-medical-d...

TrueCrypt is safer than previously reported, detailed analysis concludes | Ars Technica
http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previous...

GlassRAT Remote Access Trojan | Threatpost | The first stop for security news
https://threatpost.com/stealthy-glassrat-spies-on-commercial-targets/115...

VirusTotal Mac OS X App Sandbox Support | Threatpost | The first stop for security news
https://threatpost.com/virustotal-adds-sandbox-execution-for-os-x-apps/1...

Amazon resets account passwords feared compromised - report \u2022 The Register
http://www.theregister.co.uk/2015/11/25/amazon_password_reset/

United Airlines Slow to Patch Mobile App Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/united-airlines-slow-to-patch-mobile-app-vulnerab...

Lenovo Patches Vulnerabilities in System Update Service | Threatpost | The first stop for security news
https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-s...

600,000 Arris Modems Plagued by 'Backdoor in a Backdoor' | Threatpost | The first stop for security news
https://threatpost.com/backdoor-in-a-backdoor-identified-in-600000-arris...

VMware Patches Pesky XXE Bug in Flex BlazeDS | Threatpost | The first stop for security news
https://threatpost.com/vmware-patches-pesky-xxe-bug-in-flex-blazeds/115443/

Sony employees on the hack, one year later.
http://www.slate.com/articles/technology/users/2015/11/sony_employees_on...

Dell apologizes for HTTPS certificate fiasco, provides removal tool | Ars Technica
http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certif...

Joe Nord personal blog: New Dell computer comes with a eDellRoot trusted root certificate
http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroo...

Dude, You Got Dell'd: Publishing Your Privates - Blog - Duo Security
https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-pri...

bluejuice - The Reductionist - YouTube
https://www.youtube.com/watch?v=v0N7DDDKsqw

Risky Business #391 -- Dell fails hard

0:00 / 0:00

Risky Business Podcast

November 20, 2015

Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're checking in with FireEye's Jonathan Wrolstad. He's a threat intelligence guy at FireEye and they've just published a really interesting report about what a threat group is doing in terms of target recon. They're using marketing company tricks to recon all sorts of high value targets. It's very interesting stuff, and it's likely tied to the Russian state.

This week's show is brought to you by Senetas Security, makers of terrific layer 2 encryption gear. Senetas CTO Julian Fay stops by in this week's sponsor interview to chat about Network Function Virtualisation. It's a new twist on a concept that's been around for a while. It's getting a second wind thanks to some work being done at Etsy, of all places.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Paris Terror Attacks Stoke Encryption Debate - Krebs on Security
http://krebsonsecurity.com/2015/11/paris-terror-attacks-stoke-encryption...

ISIS using encrypted apps for communications; former intel officials blame Snowden [Updated] | Ars Technica
http://arstechnica.com/information-technology/2015/11/isis-encrypted-com...

After Paris Attacks, Here's What the CIA Director Gets Wrong About Encryption | WIRED
http://www.wired.com/2015/11/paris-attacks-cia-director-john-brennan-wha...

There's no evidence ISIS used PS4 to plan Paris attacks | Ars Technica
http://arstechnica.com/gaming/2015/11/despite-what-the-papers-say-theres...

ISIS: CloudFlare CEO slams Anonymous' claims that he's protecting terrorists' websites
http://www.news.com.au/technology/online/hacking/a-silicon-valley-startu...

Telegram encrypted messaging service cracks down on ISIS broadcasts | Ars Technica
http://arstechnica.com/information-technology/2015/11/telegram-encrypted...

ISIS operates a crypto help desk - report \u2022 The Register
http://www.theregister.co.uk/2015/11/18/isis_help_desk/

Is Anonymous' war on ISIS doing more harm than good? | The Verge
http://www.theverge.com/2015/11/19/9761682/anonymous-isis-vigilante-camp...

Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor | Threatpost | The first stop for security news
https://threatpost.com/carnegie-mellon-says-it-was-subpoenaed-and-not-pa...

Carnegie Mellon Denies FBI Paid for Tor-Breaking Research | WIRED
http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-bre...

Libpng PNG Reference Library Patches Memory Corruption Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/patched-libpng-vulnerabilities-have-limited-scope...

Here's a Spy Firm's Price List for Secret Hacker Techniques | WIRED
http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hac...

Android adware can install itself even when users explicitly reject it | Ars Technica
http://arstechnica.com/security/2015/11/android-adware-can-install-itsel...

Google to Warn Recipients of Unencrypted Gmail Messages | Threatpost | The first stop for security news
https://threatpost.com/google-to-warn-recipients-of-unencrypted-gmail-me...

Microsoft Blocks Unsigned DLLs in Edge with Update | Threatpost | The first stop for security news
https://threatpost.com/microsoft-cracks-down-on-toolbars-unsigned-dlls-w...

JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services - Krebs on Security
http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-...

BitLocker popper uses Windows authentication to attack itself \u2022 The Register
http://www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/

Adobe Issues HotFix For ColdFusion | Threatpost | The first stop for security news
https://threatpost.com/adobe-pushes-hotfix-for-coldfusion/115389/

Wad of Stuff: CVE-2015-6357: FirePWNER Exploit for Cisco FireSIGHT Management Center SSL Validation Vulnerability
http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploi...

Issue 539 - google-security-research - Kaspersky Antivirus Certificate handling path traversal - Google Security Research - Google Project Hosting
https://code.google.com/p/google-security-research/issues/detail?id=539&...

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

Eagles of Death Metal - I Want You So Hard - YouTube
https://www.youtube.com/watch?v=MZrctLnsF4M

Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks

0:00 / 0:00

Risky Business Podcast

November 12, 2015

Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with computer crime lawyer extraordinaire Tor Ekeland! He's worked on a number of high profile CFAA cases. Most recently he's been defending former Reuters and LA Times journalist Matthew Keys on some pretty hefty CFAA charges. He's also the guy who got Andrew Aurenheimer out of jail so he could go and live a free life as a Nazi troll. (Is that really a win?) He also defended Lauri Love... basically if you're a hacker who's fallen foul of the CFAA, this is the guy you want on your team.

He joins us this week to talk about the CFAA, terrorism charges against hackers, and the American cultural influences over crime and punishment in the USA. It's a cracker interview, that one.

This week's show is brought to you by Telstra! Best known as Australia's incumbent telco, Telstra also offers enterprise services. There's a link to their services page in this week's show notes.

In this week's sponsor interview we're chatting with Rachael Falk. She leads the Cyber Influence team in Telstra Security Operations. And she'll be joining us with what I'm calling boardroom ammo. Five questions you can suggest to your CEO or board to get them thinking about good security practices.

Links to everything are in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!

0:00 / 0:00

Risky Business Podcast

November 05, 2015

Risky Business #388 -- Cyber shrinkery, IoT shenanigans and guest Troy Hunt

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's feature interview is with Troy Hunt of HaveIBeenPwned.com. And he's noticing something pretty weird. It's common for people to deface websites for bragging rights, and yeah, it's not new that data dumps are the new bragging fodder. But it seems like these days attackers are seeing Troy's site as the definitive place to get cred. Now they'll steal a bunch of data and Troy is their first stop.

Life is strange on the internets. That's this week's feature interview.

This week's show is brought to you by ContextIS, a security consultancy and research house with offices in England, Germany and Australia. In this week's sponsor interview we chat with Alex Farrant, a senior security researcher with Context in Cheltenham about the risks of IoT to enterprise networks.

Don't worry, this isn't some non-specific, high level chat saying "IoT is bad," we're talking about real examples where they've managed to chain together a couple of bugs for serious effect. We also talk about how enterprises aren't shy about making key company resources accessible over WiFi these days. Yes, the same WiFi network that your vulnerable electric kettle and lightbulbs are on. Happy days.

Adam Boileau, as always, stops in to discuss the week's news, including the delightful Freudian analysis of computer hackers by "cyber psychologist" Mary Aiken.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | WIRED
http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios...

UK Government Works on Restricting Encryption, Urges Staff to Use It | Motherboard
http://motherboard.vice.com/read/uk-government-works-on-restricting-stro...

Internet firms to be banned from offering unbreakable encryption under new laws - Telegraph
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Inte...

UK surveillance powers explained - BBC News
http://www.bbc.com/news/uk-34713435

The Lesson of CISA's Success, or How to Fight a Zombie
https://theintercept.com/2015/11/03/lesson-of-cisa-success-or-how-to-fig...

ALBAWABA NEWS: Egypt's military arrests 150 terrorists through "Telegram"
http://www.albawabaeg.com/66794

Teenager arrested in Norwich over TalkTalk cyber-attack bailed | Business | The Guardian
http://www.theguardian.com/business/2015/nov/04/teenager-arrested-in-nor...

vBulletin password hack fuels fears of serious Internet-wide 0-day attacks | Ars Technica
http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fe...

Tor Just Launched the Easiest App Yet for Anonymous, Encrypted IM | WIRED
http://www.wired.com/2015/10/tor-just-launched-the-easiest-app-yet-for-a...

Zerocoin Startup Revives the Dream of Truly Anonymous Money | WIRED
http://www.wired.com/2015/11/zerocoin-startup-revives-the-dream-of-truly...

Signal, the Snowden-Approved Crypto App, Comes to Android | WIRED
http://www.wired.com/2015/11/signals-snowden-approved-phone-crypto-app-c...

Don't count on STARTTLS to automatically encrypt your sensitive e-mails | Ars Technica
http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automa...

Still fuming over HTTPS mishap, Google makes Symantec an offer it can't refuse | Ars Technica
http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-g...

How Carders Can Use eBay as a Virtual ATM - Krebs on Security
http://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual...

Shuanet Adware Roots Android Devices | Threatpost | The first stop for security news
http://threatpost.com/shuanet-adware-rooting-android-devices-via-trojani...

Chinese Mobile Ad Library Backdoored to Spy on iOS Devices | Threatpost | The first stop for security news
http://threatpost.com/chinese-mobile-ad-library-backdoored-to-spy-on-ios...

Samsung Galaxy S6 Edge Security Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/google-project-zero-turns-over-11-bugs-in-galaxy-s...

Data-Stealing Android App Impersonates Word Doc | Threatpost | The first stop for security news
http://threatpost.com/malicious-android-app-impersonates-microsoft-word-...

XcodeGhost Malware Supports iOS9 | Threatpost | The first stop for security news
http://threatpost.com/updated-xcodeghost-adds-ios9-support/115244/

November 2015 Android Security Bulletin | Threatpost | The first stop for security news
http://threatpost.com/monthly-android-security-update-patches-more-stage...

Tinba Variant Spotted Targeting Russian, Japanese Banks | Threatpost | The first stop for security news
http://threatpost.com/new-tinba-variant-spotted-targeting-russian-japane...

PageFair Hack Serves Up Fake Flash Update to 500 Sites | Threatpost | The first stop for security news
http://threatpost.com/pagefair-hack-serves-up-fake-flash-update-to-500-s...

Xen patches 7-year-old bug that shattered hypervisor security | Ars Technica
http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-...

Latest EMET Bypass Targets WoW64 Windows Subsystem | Threatpost | The first stop for security news
http://threatpost.com/latest-emet-bypass-targets-wow64-windows-subsystem...

FireEye growth slows as China attacks reportedly abate, stock plunges - MarketWatch
http://www.marketwatch.com/story/fireeye-growth-slows-as-china-attacks-r...

Hackers gonna hack, but why? Maybe Freud has the answer | Technology | The Guardian
http://www.theguardian.com/technology/2015/nov/03/hackers-gonna-hack-but...

Troy Hunt: Breaches, traders, plain text passwords, ethical disclosure and 000webhost
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

Music | PLTS
https://pltsmusic.bandcamp.com/

Also, you should absolutely check out Context's Blog. It's really quite good.
http://www.contextis.com/resources/blog/1/

Risky Business #388 -- Cyber shrinkery, IoT shenanigans and guest Troy Hunt

0:00 / 0:00

Risky Business Podcast

October 29, 2015

Risky Business #387 -- Hack people to death!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're chatting with Chris Rock from Kustodian. Chris did a great presentation at Ruxcon last week about how easy it is to hack people to death!

He's found out just how easy it is to register births and deaths in the united states and Australia via online systems. He says it's a problem that could result in a virtual baby harvest for fraudsters who plan ahead. It's really fun stuff, that's this week's feature.

In this week's sponsor interview we're speaking with Deema Freij, general counsel at Intralinks. This is an interview the CSOs shouldn't miss... we're talking to her about privacy stuff -- about what the invalidation of Safe Harbour provisions really means, what we can expect from the new EU general data protection regulations when they land, and what sort of management challenges that's going to throw up at the boardroom level.

Adam Boileau, as always, stops in to discuss the week's news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

WikiLeaks Is Publishing the CIA Director's Hacked Emails | WIRED
http://www.wired.com/2015/10/wikileaks-publishing-cia-director-john-bren...

Hacker releases new purported personal data for top CIA, DHS officials [Updated] | Ars Technica
http://arstechnica.com/tech-policy/2015/10/hacker-releases-new-purported...

A Second Snowden Has Leaked a Mother Lode of Drone Docs | WIRED
http://www.wired.com/2015/10/a-second-snowden-leaks-a-mother-lode-of-dro...

Who Is Ardit Ferizi? Malaysia Arrests Kosovo National For Hacking US Security Data For ISIS
http://www.ibtimes.com/who-ardit-ferizi-malaysia-arrests-kosovo-national...

Matthew Keys' Hacking Conviction May Not Survive an Appeal | WIRED
http://www.wired.com/2015/10/matthew-keys-journalist-conviction-cfaa-abu...

TalkTalk Hackers Demanded \xa380K in Bitcoin - Krebs on Security
http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitc...

TalkTalk Hackers Demand Ransom of CEO Dido Harding | Threatpost | The first stop for security news
https://threatpost.com/talktalk-hackers-demand-ransom-from-ceo/115156/

China Is Still Hacking US Companies After Promising It Would Stop, Report Says | Motherboard
http://motherboard.vice.com/read/china-is-still-hacking-us-companies-aft...

Arrest of Chinese Hackers Not a First for U.S. - Krebs on Security
http://krebsonsecurity.com/2015/10/arrest-of-chinese-hackers-not-a-first...

How is NSA breaking so much crypto?
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking...

Fewer IPsec VPN Connections at Risk to Weak Diffie-Hellman | Threatpost | The first stop for security news
https://threatpost.com/fewer-ipsec-vpn-connections-at-risk-from-weak-dif...

CISA Passes Senate Without Addressing Privacy Concerns | Threatpost | The first stop for security news
https://threatpost.com/cisa-passes-senate-without-addressing-privacy-con...

A DEA Agent Who Helped Take Down Silk Road Is Going to Prison for Unbelievable Corruption | Mother Jones
http://www.motherjones.com/mixed-media/2015/10/silk-road-investigator-se...

X-Ray Scans Expose an Ingenious Chip-and-Pin Card Hack | WIRED
http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pi...

EFF: We found 100+ license plate readers wide open on the Internet | Ars Technica
http://arstechnica.com/tech-policy/2015/10/lprs-exposed-how-public-safet...

Automakers just lost the battle to stop you from hacking your car | The Verge
http://www.theverge.com/2015/10/27/9622150/dmca-exemption-accessing-car-...

New attacks on Network Time Protocol can defeat HTTPS and create chaos | Ars Technica
http://arstechnica.com/security/2015/10/new-attacks-on-network-time-prot...

Unpatched browser weaknesses can be exploited to track millions of Web users | Ars Technica
http://arstechnica.com/security/2015/10/unpatched-browser-weaknesses-can...

This 11-year-old is selling cryptographically secure passwords for $2 each | Ars Technica
http://arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryp...

Microsoft .NET Core, ASP.NET Beta Bug Bounty | Threatpost | The first stop for security news
https://threatpost.com/microsoft-opens-net-core-asp-net-bug-bounties/115...

IBM Runs World's Worst Spam-Hosting ISP? - Krebs on Security
http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

Let's Encrypt Free HTTPS Secures Cross-Signatures To Be A CA | Threatpost | The first stop for security news
https://threatpost.com/lets-encrypt-hits-another-free-https-milestone/11...

Insecure Internet-Connected Kettles Help Researchers Crack WiFi Networks Across London - Softpedia
http://news.softpedia.com/news/insecure-internet-connected-kettles-help-...

13 million plaintext passwords belonging to webhost users leaked online | Ars Technica
http://arstechnica.com/security/2015/10/13-million-plaintext-passwords-b...

Western Digital self-encrypting hard drives riddled with security flaws | Ars Technica
http://arstechnica.com/security/2015/10/western-digital-self-encrypting-...

Joomla bug puts millions of websites at risk of remote takeover hacks | Ars Technica
http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-webs...

New zero-day exploit hits fully patched Adobe Flash [Updated] | Ars Technica
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-...

October 2015 Oracle Critical Patch Update | Threatpost | The first stop for security news
https://threatpost.com/oracle-quarterly-security-update-patches-154-vuln...

'10-second' theoretical hack could jog Fitbits into malware-spreading mode \u2022 The Register
http://www.theregister.co.uk/2015/10/21/fitbit_hack/

DEF CON 23 - Chris Rock - I Will Kill You - YouTube
https://www.youtube.com/watch?v=9FdHq3WfJgs

bluejuice - Vitriol - YouTube
https://www.youtube.com/watch?v=ldBhDmvWFXE

Risky Business #387 -- Hack people to death!

0:00 / 0:00