Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business Podcast

March 17, 2016

Risky Business #403 -- Inside Islamic State's doc leak

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with David Wells. He's ex GCHQ and ASD but these days he's a counterterrorism boffin with the Lowy Institute. He's joining us to discuss the IS document leak. Depending on which story you read its either the death of the organisation or it won't do anything at all to disrupt it. We get David's thoughts on what this leak will actually for the so-called Caliphate.

In this week's sponsor interview we're doing something a bit different.. following on from last week's interview with Re/Code's Arik Hesseldahl we're chatting with Tenable's CFO, Steve Vintz.

And you know what? It's really interesting getting his perspectives on what's happening in the BUSINESS of security -- the type of analysis a guy like Steve does is different from how security people do it, and he's got some really interesting perspectives on what 2016 could bring. Long story short? Expect consolidation among smaller vendors as CSOs look to trim the number of vendors in their supply chain.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple's Brief Hits the FBI With a Withering Fact Check | WIRED
http://www.wired.com/2016/03/apple-fact-checks-the-feds-in-latest-brief/

Government Calls Apple's iPhone Arguments in San Bernardino Case a 'Diversion' | WIRED
http://www.wired.com/2016/03/government-calls-apples-iphone-arguments-sa...

Apple Lambasts the FBI for Not Asking the NSA to Help Hack San Bernardino iPhone | WIRED
http://www.wired.com/2016/03/apple-lambasts-fbi-not-asking-nsa-help-hack...

Former cyber czar says NSA could crack the San Bernadino shooter's phone | Ars Technica
http://arstechnica.com/tech-policy/2016/03/former-cyber-czar-says-nsa-co...

In the FBI's Crypto War, Apps May Be the Next Target | WIRED
http://www.wired.com/2016/03/fbi-crypto-war-apps/

John Oliver explains why iPhone encryption debate is no joking matter | Ars Technica
http://arstechnica.com/tech-policy/2016/03/john-oliver-explains-why-ipho...

AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device - Palo Alto Networks BlogPalo Alto Networks Blog
http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios...

Spelling mistake prevented hackers taking $1bn in bank heist | Business | The Guardian
http://www.theguardian.com/business/2016/mar/10/spelling-mistake-prevent...

Thousands of Trucks, Buses, and Ambulances May Be Open to Hackers | WIRED
http://www.wired.com/2016/03/thousands-trucks-buses-ambulances-may-open-...

To bypass code-signing checks, malware gang steals lots of certificates | Ars Technica
http://arstechnica.com/security/2016/03/to-bypass-code-signing-checks-ma...

Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated] | Ars Technica
http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-ma...

Hackers Target Anti-DDoS Firm Staminus - Krebs on Security
http://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/

Dam you! Justice Dept. to indict Iranians for probing flood control network | Ars Technica
http://arstechnica.com/security/2016/03/dam-you-justice-dept-to-indict-i...

Steam Stealer Malware "Booming Business" For Attackers Targeting Gaming Service | Threatpost | The First Stop For Security News
https://threatpost.com/steam-stealer-malware-booming-business-for-attack...

Thieves Phish Moneytree Employee Tax Data - Krebs on Security
http://krebsonsecurity.com/2016/03/thieves-phish-moneytree-employee-tax-...

Botched Java patch leaves millions vulnerable to 30-month-old attack | Ars Technica
http://arstechnica.com/security/2016/03/botched-java-patch-leaves-millio...

Adobe issues emergency patch for actively exploited code-execution bug | Ars Technica
http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for...

Hack Brief: ISIS Data Breach Identifies 22,000 Members | WIRED
http://www.wired.com/2016/03/hack-brief-isis-data-breach-identifies-2200...

The Jihadist List Hyped as the 'Biggest ISIS Intelligence Haul Ever' Is a Bizarre, Inaccurate Mess
http://gizmodo.com/the-jihadist-list-hyped-as-the-biggest-isis-intellige...

Lowy Institute for International Policy | Interpret.Inform.Influence.
http://www.lowyinstitute.org/

Risky Business #403 -- Inside Islamic State's doc leak
0:00 / 52:41

Risky Business Podcast

March 10, 2016

Risky Business #402 -- Why are infosec companies tanking on the NASDAQ?

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with re/code's senior editor and "enterprise dude" Arik Hesseldahl about the business of infosec. Information security related stocks and shares are tanking on indexes all over the world... why? How can this be happening in a $75bn sector that is tipped to grow into a $175bn sector in the next four years?

Arik will join us with the skinny on that. But don't panic, tanking infosec share prices might be a good thing for the discipline. We'll find out why a bit later on.

In this week's sponsor interview we chat with BugCrowd CEO Casey Ellis.

This week Casey joins us to discuss the Pentagon's decision to open up a bounty program.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hottest Topics To Come Out Of RSA Conference
http://www.darkreading.com/threat-intelligence/hottest-topics-to-come-ou...

Top iPhone Hackers Ask Court to Protect Apple From the FBI | WIRED
http://www.wired.com/2016/03/top-iphone-hackers-ask-court-protect-apple-...

Amazon Backtracks On Encryption Removal | Threatpost | The first stop for security news
https://threatpost.com/amazon-backtracks-on-encryption-removal-mum-on-wh...

Edward Snowden on Twitter: "The global technological consensus is against the FBI. Why? Here's one example: https://t.co/t2JHOLK8iU #FBIvsApple https://t.co/mH1ZXOOQ1E"
https://twitter.com/Snowden/status/707299113449230336

Seagate Phish Exposes All Employee W-2's - Krebs on Security
http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/

IRS Suspends Insecure 'Get IP PIN' Feature - Krebs on Security
http://krebsonsecurity.com/2016/03/irs-suspends-insecure-get-ip-pin-feat...

Cancer Clinic Warns 2.2 Million Of Records Breach | Threatpost | The first stop for security news
https://threatpost.com/cancer-clinic-warns-2-2-million-patients-of-recor...

Facebook Password Reset Bug Gave Hacker Access To Any Account | Threatpost | The first stop for security news
https://threatpost.com/facebook-password-reset-bug-gave-hackers-access-t...

Hacker who exposed Bush family e-mails, photos will be extradited to US | Ars Technica
http://arstechnica.com/security/2016/03/hacker-who-exposed-bush-family-e...

China is building a big data platform for "precrime" | Ars Technica
http://arstechnica.com/information-technology/2016/03/china-is-building-...

First Mac-targeting ransomware hits Transmission users, researchers say | Ars Technica
http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-h...

Malware hijacks big four Australian banks apps, steals two-factor SMS codes
http://www.theage.com.au/technology/consumer-security/malware-hijacks-bi...

Google Fixes Critical Mediaserver Bug, Again | Threatpost | The first stop for security news
https://threatpost.com/google-fixes-critical-android-mediaserver-bugs-ag...

John McAfee tells Ars he's fighting a lonely battle, but he's not lying | Ars Technica
http://arstechnica.com/information-technology/2016/03/john-mcafee-tells-...

Issue 758 - google-security-research - Linux netfilter IPT_SO_SET_REPLACE memory corruption - Google Security Research - Google Project Hosting
https://code.google.com/p/google-security-research/issues/detail?id=758

Cybersecurity\u200b \u200bMarket Reaches $75 Billion In 2015\u200b;\u200b \u200bExpected To Reach $170 Billion By 2020 - Forbes
http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8...

Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED
http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac...

Home - bugcrowd.com | Bugcrowd | Crowdsourced Cybersecurity. Fully managed bug bounty programs.
https://bugcrowd.com/

Risky Business #402 -- Why are infosec companies tanking on the NASDAQ?
0:00 / 50:26

Risky Business Podcast

March 03, 2016

Risky Business #401 -- Deserialisation attacks are kind of a big deal

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we get into a serious technical discussion about deserialisation attacks with with one of Adam Boileau's colleagues, Brendan Jamieson about the biggest issue in infosec that no one is talking about -- deserialisation vulnerabilities and their exploitation.

This attack class is a serious problem in enterprise environments thanks to the release of the YSoSerial tool about a year ago. Pen-testers who are across this bug class are finding issues everywhere they look, and hardly anyone is talking about it. But we do, this week.

Also this week we'll chat with Chris Gatford, the big Kahuna over at this week's sponsor HackLabs. I was talking to Chris recently and he mentioned that cryptolocker ransomware really isn't just affecting consumers anymore.

There was the recent news about a hospital in California that got hosed by ransomware, but I always thought that was the exception to the rule and that consumers were the most likely group to be affected by this stuff. Nope, wrong. Ransomware is getting inside corporate networks and causing all sorts of drama, Chris joins us soon to talk about that. Big thanks to HackLabs for its sponsorship of this week's show!

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple and FBI Take Their iPhone Hacking Fight to Congress | WIRED
http://www.wired.com/2016/03/apple-and-fbi-iphone-hacking-fight-congress...

Judge Says Apple Doesn't Have to Unlock iPhone in Case Similar to San Bernardino | WIRED
http://www.wired.com/2016/02/judge-says-apple-doesnt-have-to-unlock-ipho...

How the Feds Could Get Into iPhones Without Apple's Help | WIRED
http://www.wired.com/2016/03/feds-might-get-iphones-without-apples-help/

Apple vs. the FBI: Catch up on the iPhone encryption hearing
http://www.engadget.com/2016/03/02/apple-fbi-encryption-congress-hearing/

John McAfee better prepare to eat a shoe because he doesn't know how iPhones work | Ars Technica
http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-ea...

US to renegotiate rules on exporting "intrusion software" | Ars Technica
http://arstechnica.com/tech-policy/2016/03/us-to-renegotiate-rules-on-ex...

Hackers did indeed cause Ukrainian power outage, US report concludes | Ars Technica
http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukraini...

Brazil detains Facebook VP after he failed to give up user data
http://www.engadget.com/2016/03/01/brazil-detains-facebook-vp-after-he-f...

Brazil court orders release of arrested Facebook exec
http://www.engadget.com/2016/03/02/brazil-orders-release-of-facebook-exec/

FBI's Tor Hack Shows the Risk of Subpoenas to Security Researchers | WIRED
http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security...

Judge Confirms CMU Paid to Break Tor | Threatpost | The first stop for security news
https://threatpost.com/judge-confirms-dod-funded-research-to-decloak-tor...

Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED
http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac...

More than 11 million HTTPS websites imperiled by new decryption attack | Ars Technica
http://arstechnica.com/security/2016/03/more-than-13-million-https-websi...

Hacker Says He Can Hijack a $35K Police Drone a Mile Away | WIRED
http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mil...

Pirates hacked a shipping firm to find boats to raid
http://www.engadget.com/2016/03/01/pirates-hack-shipping-company/

Windows Defender Advanced Threat Protection uses cloud power to figure out you've been pwned | Ars Technica
http://arstechnica.com/information-technology/2016/03/windows-defender-a...

Payroll data leaked for current, former Snapchat employees | Ars Technica
http://arstechnica.com/security/2016/02/payroll-data-leaked-for-current-...

Thieves Nab IRS PINs to Hijack Tax Refunds - Krebs on Security
http://krebsonsecurity.com/2016/03/thieves-nab-irs-pins-to-hijack-tax-re...

Why The Java Deserialization Bug Is A Big Deal
http://www.darkreading.com/informationweek-home/why-the-java-deserializa...

GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
https://github.com/frohoff/ysoserial

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/

Risky Business #401 -- Deserialisation attacks are kind of a big deal
0:00 / 49:51

Risky Business Podcast

February 25, 2016

Risky Business #400 -- FBiOS with Adam PLUS guest Daniel Hodson

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's podcast we'll hear from Daniel Hodson of Elttam Security here in Australia. Daniel and his business partner Matt Jones have been looking into the security of messaging software that has recommended by the EFF. Does a bunch of ticks from the EFF actually say much about app security? Well, not really, as it turns out.

In this week's sponsor interview we hear from Senetas co-founder and CTO Julian Fay. Senetas, of course, make layer 2 encryption equipment. They'll be releasing a 100Gbps full line rate encryption box soon, they make awesome kit. But this week Julian joins us to weigh in, briefly, on the Apple vs FBI mess, as well as to have a discussion about some interesting use cases he's seen for layer two stuff lately.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple Is Said to Be Trying to Make It Harder to Hack iPhones - The New York Times
http://www.nytimes.com/2016/02/25/technology/apple-is-said-to-be-working...

Apple-FBI Fight Asks: Is Code Protected as Free Speech? - Bloomberg Business
http://www.bloomberg.com/news/articles/2016-02-24/apple-fbi-fight-asks-i...

Apple: Congress, not courts, must decide
http://bigstory.ap.org/article/8c7f8004bac3466dbb7ba27f13c1cc08/apple-co...

Apple Attorney Reveals Dozen Other iPhone Requests from FBI | Threatpost | The first stop for security news
https://threatpost.com/apple-attorney-reveals-dozen-other-iphone-request...

Delicate Hardware Hacks Could Unlock Shooter's iPhone | Threatpost | The first stop for security news
https://threatpost.com/delicate-hardware-hacks-could-unlock-shooters-iph...

Apple Says the Government Bungled Its Chance to Get That iPhone's Data | WIRED
http://www.wired.com/2016/02/apple-says-the-government-bungled-its-chanc...

Encryption isn't at stake, the FBI knows Apple already has the desired key | Ars Technica
http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-kn...

How the FBI could use acid and lasers to access data stored on seized iPhone | Ars Technica
http://arstechnica.com/security/2016/02/how-the-fbi-could-use-acid-and-l...

Linux Mint hit by malware infection on its website, forum after hack attack | Ars Technica
http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infect...

Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica
http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industr...

Troy Hunt: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Man admits he stole nude celebrity pics from Apple and Gmail accounts | Ars Technica
http://arstechnica.com/tech-policy/2016/02/man-admits-he-stole-nude-cele...

More insecure security software: Comodo's on-by-default VNC app | Ars Technica
http://arstechnica.com/security/2016/02/more-insecure-security-software-...

Tor: 'Mystery' spike in hidden addresses - BBC News
http://www.bbc.com/news/technology-35614335

IRS Email Tax Scams Up 400 Percent | Threatpost | The first stop for security news
https://threatpost.com/irs-warns-tax-related-phishing-malware-surging/11...

Phishers Spoof CEO, Request W2 Forms - Krebs on Security
http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/

Google Wants to Save News Sites From Cyberattacks-For Free | WIRED
http://www.wired.com/2016/02/google-wants-save-news-sites-cyberattacks-f...

Joomla Joins WordPress As TeslaCrypt Ransomware Target | Threatpost | The first stop for security news
https://threatpost.com/joomla-sites-join-wordpress-as-teslacrypt-ransomw...

The Sony Hackers Were Causing Mayhem Years Before They Hit the Company | WIRED
http://www.wired.com/2016/02/sony-hackers-causing-mayhem-years-hit-company/

Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC | WIRED
http://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-ha...

Bosses Harness Big Data to Predict Which Workers Might Get Sick - NASDAQ.com
http://www.nasdaq.com/article/bosses-harness-big-data-to-predict-which-w...

Rogue Chinese iOS App Removed from App Store | Threatpost | The first stop for security news
https://threatpost.com/rogue-ios-app-gets-boot-after-slipping-into-app-s...

Angler Exploit Kit Attacks Silverlight Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-...

We Could Not Look the Survivors in the Eye if We Did Not Follow this Lead - Lawfare
https://www.lawfareblog.com/we-could-not-look-survivors-eye-if-we-did-no...

A review of the EFF secure messaging scorecard... - elttam
https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scor...

Senetas
http://www.senetas.com/

Risky Business #400 -- FBiOS with Adam PLUS guest Daniel Hodson
0:00 / 53:28

Risky Business Podcast

February 18, 2016

Risky Business #399 -- Apple vs the Government of the United States

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we chat with Dan Guido from Trail of Bits about the stoush between Apple and the US department of justice.

In this week's sponsor interview we speak with Cris Thomas, a.k.a. Space Rogue. Cris works for Tenable Network Security, this week's sponsor, and he joins us in this week's podcast to talk about NIST's cyber security framework.

Adam Boileau joins the show to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Customer Letter - Apple
http://www.apple.com/customer-letter/

SB-Shooter-Order-Compelling-Apple-Asst-iPhone
https://www.documentcloud.org/documents/2714001-SB-Shooter-Order-Compell...

New report contends mandatory crypto backdoors would be futile | Ars Technica
http://arstechnica.com/tech-policy/2016/02/new-report-contends-mandatory...

Apple can comply with the FBI court order - Trail of Bits Blog
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Magnitude of glibc Vulnerability Coming to Light | Threatpost | The first stop for security news
https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/...

glibc Linux remote code execution vulnerability | Threatpost | The first stop for security news
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machi...

Extremely severe bug leaves dizzying number of software and devices vulnerable | Ars Technica
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizz...

#6886 (uClibc segfault in getaddrinfo() when receiving long IPv6 DNS responses (probably stack corruption)) - OpenWrt
https://dev.openwrt.org/ticket/6886

U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict - The New York Times
http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-pl...

Password cracking attacks on Bitcoin wallets net $103,000 | Ars Technica
http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bit...

Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning | Ars Technica
http://arstechnica.com/apple/2016/02/warning-bug-in-adobe-creative-cloud...

Opsec fail: Baltimore teen car thieves paired phones with Jeep UConnect | Ars Technica
http://arstechnica.com/security/2016/02/opsec-fail-baltimore-teen-car-th...

Patients diverted to other hospitals after ransomware locks down key software | Ars Technica
http://arstechnica.com/security/2016/02/la-hospital-latest-victim-of-tar...

LA hospital coughs up $17,000 to free PCs held to ransom by hackers \u2022 The Register
http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/?mt=1455761...

Honeypots Help Illustrate Scores of Vulnerabilities in Medical Devices | Threatpost | The first stop for security news
https://threatpost.com/honeypots-illustrate-scores-of-vulnerabilities-in...

'Ricochet', the Messenger That Beats Metadata, Passes Security Audit | Motherboard
http://motherboard.vice.com/read/ricochet-encrypted-messenger-tackles-me...

ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
http://eprint.iacr.org/2016/129.pdf

Apple can comply with the FBI court order - Trail of Bits Blog
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Risky Business #399 -- Apple vs the Government of the United States
0:00 / 50:47

Risky Business Podcast

February 11, 2016

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible.

We're sticking with the economics theme in this week's feature interview. We'll be chatting with Jonahan Cran, VP of operations for BugCrowd about their recently released Defensive Vulnerability Pricing Model. They've also released their Vulnerability Rating Taxonomy. Both of these documents are really, really interesting, so stay tuned for this week's sponsor interview to hear all about them!

Adam Boileau joins us, as always, to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Execute My Packet | Exodus Intelligence
https://blog.exodusintel.com/2016/01/26/firewall-hacking/

Obama wants you to join CyberCorps Reserve to help feds get their act together | Ars Technica
http://arstechnica.com/tech-policy/2016/02/obama-wants-you-join-the-cybe...

Moscow raids could signal end of global Dyre bank trojan menace \u2022 The Register
http://www.theregister.co.uk/2016/02/10/moscow_raids_could_signal_end_of...

Dridex malware exploit distributes antivirus installer-hack suspected | Ars Technica
http://arstechnica.com/security/2016/02/dridex-malware-exploit-distribut...

Java "RAT-as-a-Service" backdoor openly sold through website to scammers | Ars Technica
http://arstechnica.com/security/2016/02/java-rat-as-a-service-backdoor-o...

Clever bank hack allowed crooks to make unlimited ATM withdrawals | Ars Technica
http://arstechnica.com/security/2016/02/clever-bank-hack-allowed-crooks-...

Skimmers Hijack ATM Network Cables - Krebs on Security
http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/

Relive your worst MS-DOS file-deletion memories at the Malware Museum | Ars Technica
http://arstechnica.com/security/2016/02/relive-your-worst-ms-dos-file-de...

Parents urged to boycott VTech toys after hack - BBC News
http://www.bbc.com/news/technology-35532644

Flash flushed as Google orders almost all ads to adopt HTML5 \u2022 The Register
http://www.theregister.co.uk/2016/02/10/google_orders_advertisers_to_ado...

How to Hack the Power Grid Through Home Air Conditioners | WIRED
http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air...

Julian Assange's 3.5-Year Detainment in Embassy Ruled Unlawful | WIRED
http://www.wired.com/2016/02/julian-assanges-3-5-year-detainment-in-emba...

Gmail to warn you if your friends aren't using secure e-mail | Ars Technica
http://arstechnica.com/information-technology/2016/02/gmail-to-warn-you-...

Chrome picks up bonus security features on Windows 10 | Ars Technica
http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bo...

UC Berkeley profs lambast new "black box" network monitoring hardware | Ars Technica
http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybers...

Zero Day Initiative announces Pwn2Own 2016 - Hewlett Packard Enterprise Community
http://community.hpe.com/t5/Security-Research/Zero-Day-Initiative-announ...

th\xe1i: Exploiting the Diffie-Hellman bug in socat
https://vnhacker.blogspot.co.nz/2016/02/exploiting-diffie-hellman-bug-in...

Gordon-Loeb Model for Cybersecurity Investments - YouTube
https://www.youtube.com/watch?v=cd8dT0FuqQ4

Bugcrowd's Vulnerability Rating Taxonomy
https://pages.bugcrowd.com/vulnerability-rating-taxonomy

Bugcrowd's Defensive Vulnerability Pricing Model
https://pages.bugcrowd.com/whats-a-bug-worth-2015-survey

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!
0:00 / 51:14

Risky Business Podcast

February 05, 2016

Risky Business #397 -- Guest HD Moore joins the show!

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

******Here's a link to the Risky Business listener survey. Please take some time to fill it in! It'll really help the show!********

On this week's show we're checking in with HD Moore. He's left Rapid7 after six years and he'll be along to fill us in on his future plans in this week's feature interview. He'll also be reassuring all you Metasploit users out there that he'll be staying involved. He'll talk about a couple of absolutely awful bugs and he'll also weigh in on NorseGate: The implosion of the world's most cybery cyber advanced threat intelligence derpa derpa firm.

This week's show is brought to you by an Australian security consultancy, HackLabs. It's probably worth noting for our American friends that the Australian exchange rate has shifted pretty substantially over the last six months or so... so Australia might be a pretty good place for you to send some app review work!

In this week's sponsor interview HackLabs founder and head honcho Chris Gatford joins us to discuss strategies for administering unmaintained and hideously vulnerable enterprise apps.

Microsoft has end-of-lifed a stack of old IE versions, Oracle is killing the Java browser plugin... this will leave a lot of legacy apps marooned. So what can you do?

Adam Boileau joins us, as always, to discuss the week's security news. He also discusses Java deserialisation attacks that are shaping up as a major attack vector for 2016.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

------------

Oracle deprecates the Java browser plugin, prepares for its demise | Ars Technica
http://arstechnica.com/information-technology/2016/01/oracle-deprecates-...

Good Riddance to Oracle's Java Plugin - Krebs on Security
http://krebsonsecurity.com/2016/02/good-riddance-to-oracles-java-plugin/

Sources: Security Firm Norse Corp. Imploding - Krebs on Security
http://krebsonsecurity.com/2016/01/sources-security-firm-norse-corp-impl...

NSA Hacker Chief Explains How to Keep Him Out of Your System | WIRED
http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-o...

National Security Agency plans major reorganization - The Washington Post
https://www.washingtonpost.com/world/national-security/national-security...

A technical reading of the "HIMR Data Mining Research Problem Book" | Conspicuous Chatter
https://conspicuouschatter.wordpress.com/2016/02/03/a-technical-reading-...

Default settings in Apache may decloak Tor hidden services | Ars Technica
http://arstechnica.com/security/2016/02/default-settings-in-apache-may-d...

Crypto flaw was so glaring it may be intentional eavesdropping backdoor | Ars Technica
http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-ma...

UN rules in favour of Julian Assange
http://www.theage.com.au/world/un-rules-in-favour-of-assange-20160204-gm...

Corrupt Silk Road Investigator Re-Arrested for Allegedly Trying to Flee the US | WIRED
http://www.wired.com/2016/02/corrupt-silk-road-investigator-re-arrested-...

Former Energy Department employee admits trying to spear phish coworkers | Ars Technica
http://arstechnica.com/tech-policy/2016/02/former-energy-department-empl...

FTC: Tax Fraud Behind 47% Spike in ID Theft - Krebs on Security
http://krebsonsecurity.com/2016/01/ftc-tax-fraud-behind-47-spike-in-id-t...

HSBC online banking suffers major outage, blames DDoS attack | Ars Technica
http://arstechnica.com/security/2016/01/hsbc-online-banking-suffers-majo...

eBay has no plans to fix "severe" bug that allows malware distribution [Updated] | Ars Technica
http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-...

PayPal Java Serialization Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/

Government Promises Comment Period on Next Wassenaar Draft | Threatpost | The first stop for security news
https://threatpost.com/government-promises-comment-period-on-next-wassen...

VirusTotal Firmware Malware Implant Scanning | Threatpost | The first stop for security news
https://threatpost.com/virustotal-supports-firmware-scanning/116072/

Mysterious spike in WordPress hacks silently delivers ransomware to visitors | Ars Technica
http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-ha...

High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic | Ars Technica
http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-all...

Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android | InfoWorld
http://www.infoworld.com/article/3028079/security/google-fixes-multiple-...

Google engineer finds holes in three 'secure' browsers
http://www.engadget.com/2016/02/04/tavis-ormandy-chromium-bug-hunter/

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/

Risky Business #397 -- Guest HD Moore joins the show!
0:00 / 52:30

Risky Business Podcast

January 28, 2016

Risky Business #396 -- Chris Wysopal on scanning for backdoors

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we've got two feature interviews!

We're talking to Chris Wysopal from Veracode about using static analysis techniques to find back doors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough.

We also check in with Martijn Grooten, editor of Virus Bulletin. We're having a quick chat to him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. He's been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact.

This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. Personally think this stuff is great.. just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools.

Adam Boileau, as always, drops in for a chat about the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Israel's electric authority hit by "severe" hack attack [Updated] | Ars Technica
http://arstechnica.com/security/2016/01/israels-electric-grid-hit-by-sev...

Israeli Electric Authority Attacked, Potential Ransomware | Threatpost | The first stop for security news
https://threatpost.com/israeli-electric-authority-hit-by-severe-cyber-at...

SANS Industrial Control Systems Security Blog | Context for the Claim of a Cyber Attack on the Israeli Electric Grid | SANS Institute
https://ics.sans.org/blog/2016/01/27/context-for-the-claim-of-a-cyber-at...

Wendy's Probes Reports of Credit Card Breach - Krebs on Security
https://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card...

Moment of truth: Feds must say if they used backdoored Juniper firewalls | Ars Technica
http://arstechnica.com/tech-policy/2016/01/moment-of-truth-feds-must-say...

Secret SSH backdoor in Fortinet hardware found in more products | Ars Technica
http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-...

Media devices sold to feds have hidden backdoor with sniffing functions | Ars Technica
http://arstechnica.com/security/2016/01/media-devices-sold-to-feds-have-...

Lenovo SHAREit App Hard-Coded Password | Threatpost | The first stop for security news
https://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-...

Yet another bill seeks to weaken encryption-by-default on smartphones | Ars Technica
http://arstechnica.com/tech-policy/2016/01/yet-another-bill-seeks-to-wea...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

How Amazon customer service was the weak link that spilled my data | Ars Technica
http://arstechnica.com/security/2016/01/how-amazon-customer-service-was-...

"Internet of Things" security is hilariously broken and getting worse | Ars Technica
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-th...

NYC Launches Investigation Into Hackable Baby Monitors | WIRED
http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/

HD Moore Leaves Rapid7 for Venture Capital Opportunity | Threatpost | The first stop for security news
https://threatpost.com/hd-moore-to-build-new-venture-capital-firm/115969/

Zcash, an Untraceable Bitcoin Alternative, Launches in Alpha | WIRED
http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-la...

Government Investigation of Alleged Bitcoin Creator Craig Wright Intensifies - CoinDesk
http://www.coindesk.com/australia-government-bitcoin-creator-craig-wrigh...

Firm Sues Cyber Insurer Over $480K Loss - Krebs on Security
http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/

Scarlet Mimic Behind Espionage Campaign Against Tibetan, Uyghur Activists | Threatpost | The first stop for security news
https://threatpost.com/scarlet-mimic-group-behind-four-year-campaign-aga...

Bot Fraud to Cost Advertisers $7 Billion in 2016 | Threatpost | The first stop for security news
https://threatpost.com/bot-fraud-to-cost-advertisers-7-billion-in-2016/1...

Skype Now Hides Your Internet Address - Krebs on Security
http://krebsonsecurity.com/2016/01/skype-now-hides-your-internet-address/

Cisco MiniUPnP Stack Smashing Protection Attack | Threatpost | The first stop for security news
https://threatpost.com/miniupnp-vulnerability-clears-way-for-stack-smash...

January 2016 Apple Security Patches iOS, OS X, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/11...

OpenSSL to Patch Two Vulnerabilities This Week | Threatpost | The first stop for security news
https://threatpost.com/openssl-to-patch-two-vulnerabilities-this-week/11...

Magento Update Addresses XSS, CSRF Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/magento-update-addresses-xss-csrf-vulnerabilities...

Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme | WIRED
http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-c...

iOS cookie theft bug allowed hackers to impersonate users | Ars Technica
http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hac...

Oracle Pushes Java Fix: Patch It or Pitch It - Krebs on Security
http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pi...

Canary - know when it matters
https://canary.tools/

canarytokens.net
http://canarytokens.org/generate

Risky Business #396 -- Chris Wysopal on scanning for backdoors
0:00 / 54:07

Risky Business Podcast

January 21, 2016

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things.

  • We'll be talking about moves by both browser developers and some CAs to deprecate SHA1 signed certificates. He says we need to support SHA-1 for now and he explains why soon.
  • We're also chatting with him about the Juniper fiasco.
  • We also get his thoughts on NSA surveillance now he's responsible for the security of user information at the world's biggest social media platform.

In this week's sponsor interview we chat with Tenable network security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's going on outside your network, that doesn't mean you should treat these services as a big blindspot. That's this week's feature interview, with big thanks to Tenable Network Security, this week's sponsor!

Adam Boileau is back this week to discuss the news headlines we missed while we were on break.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica
http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-fir...

New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED
http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raise...

Researchers confirm backdoor password in Juniper firewall code | Ars Technica
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-pas...

Juniper drops NSA-developed code following new backdoor revelations | Ars Technica
http://arstechnica.com/security/2016/01/juniper-drops-nsa-developed-code...

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears | Ars Technica
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-passwo...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

Phone crypto scheme "facilitates undetectable mass surveillance" | Ars Technica
http://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitat...

The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED
http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan...

Everything We Know About Ukraine's Power Plant Hack | WIRED
http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-pla...

Analysis confirms coordinated hack attack caused Ukrainian power outage | Ars Technica
http://arstechnica.com/security/2016/01/analysis-confirms-coordinated-ha...

Royal Melbourne Hospital attacked by damaging computer virus
http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-d...

Internet Explorer End of Support
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

Judge Rules Kim Dotcom Can Be Extradited to US to Face Charges | WIRED
http://www.wired.com/2015/12/kim-dotcom-extradition-ruling/

In Silk Road Appeal, Ross Ulbricht's Defense Focuses on Corrupt Feds | WIRED
http://www.wired.com/2016/01/ross-ulbrichts-defense-focuses-on-corrupt-f...

Security firm sued for filing "woefully inadequate" forensics report | Ars Technica
http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-wo...

US Intelligence director's personal e-mail, phone hacked | Ars Technica
http://arstechnica.com/security/2016/01/us-intelligence-directors-person...

Researchers uncover JavaScript-based ransomware-as-service | Ars Technica
http://arstechnica.com/security/2016/01/researchers-uncover-javascript-b...

Microsoft may have your encryption key; here's how to take it back | Ars Technica
http://arstechnica.com/information-technology/2015/12/microsoft-may-have...

Common payment processing protocols found to be full of flaws | Ars Technica
http://arstechnica.com/security/2015/12/common-payment-processing-protoc...

Critical Yahoo Mail Flaw Patched, $10K Bounty Paid | Threatpost | The first stop for security news
https://threatpost.com/critical-yahoo-mail-flaw-patched-10k-bounty-paid/...

GM embraces white-hat hackers with public vulnerability disclosure program | Ars Technica
http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-publ...

Google slams AVG for exposing Chrome user data with "security" plugin | Ars Technica
http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-ch...

Google security researcher excoriates TrendMicro for critical AV defects | Ars Technica
http://arstechnica.com/security/2016/01/google-security-researcher-excor...

Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC | Ars Technica
http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torped...

Cisco Patches Hardcoded Password, DoS Vulnerabilities in Software | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-hardcoded-password-dos-vulnerabilit...

Microsoft Silverlight Zero Day Vulnerability Patched | Threatpost | The first stop for security news
https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/...

Bug that can leak crypto keys just fixed in widely used OpenSSH | Ars Technica
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-ju...

Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-milli...

January 2016 Oracle Critical Patch Update 248 Patches | Threatpost | The first stop for security news
https://threatpost.com/oracle-releases-record-number-of-security-patches...

Oracle settles with FTC over Java's "deceptive" security patching | Ars Technica
http://arstechnica.com/information-technology/2015/12/oracle-settles-wit...

With funds stolen in hack, cryptocurrency company mulls bankruptcy | Reuters
http://www.reuters.com/article/bankruptcy-cryptsy-idUSL2N1530M9

Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early | Ars Technica
http://arstechnica.com/information-technology/2015/12/google-considers-f...

Firefox ban on SHA-1 certs causing some security issues, Mozilla warns | Ars Technica
http://arstechnica.com/security/2016/01/firefoxs-ban-of-sha-1-certs-caus...

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance
0:00 / 73:05

Risky Business Podcast

December 16, 2015

Risky Business #394 -- Matthew Green talks "crypto bans"

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with Johns Hopkins University cryptographer Matthew Green about rumblings emanating out of DC with regard to "stopping encryption", whatever the hell that means.

In this week's sponsor interview we're chatting with Oliver Fay from Context about a paper they did in conjunction with UK's CERT about exploit kits. How much do they cost? Are there any that stick out as being particularly good? Or bad, depending on your point of view...

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Man arrested in toymaker hack that exposed data for millions of kids | Ars Technica
http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-sa...

The Bizarre Saga of Craig Wright, the Latest "Inventor of Bitcoin" - The New Yorker
http://www.newyorker.com/business/currency/bizarre-saga-craig-wright-lat...

Julian Assange Will Finally Get His Day in Court-In the Ecuadorean Embassy | WIRED
http://www.wired.com/2015/12/julian-assange-will-finally-get-his-day-in-...

J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime - Forbes
http://www.forbes.com/sites/stevemorgan/2015/12/13/j-p-morgan-boa-citi-a...

Tor Hires a New Leader to Help It Combat the War on Privacy | WIRED
http://www.wired.com/2015/12/tor-hires-a-new-leader-to-help-it-combat-th...

Beware of state-sponsored hackers, Twitter warns dozens of users | Ars Technica
http://arstechnica.com/tech-policy/2015/12/beware-of-state-sponsored-hac...

13 Million MacKeeper Users Exposed - Krebs on Security
http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/

SHA1 sunset will block millions from encrypted net, Facebook warns | Ars Technica
http://arstechnica.com/security/2015/12/sha1-sunset-will-block-millions-...

Cisco starts spewing vuln info everywhere, in a good way \u2022 The Register
http://www.theregister.co.uk/2015/12/15/borg_security_boffins_open_tweak...

#BadWinmail Demo - YouTube
https://www.youtube.com/watch?v=ngWVbcLDPm8

Critical 0-day Remote Command Execution Vulnerability in Joomla - Sucuri Blog
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-i...

Protecting Windows Networks - Kerberos Attacks | DFIR blog
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-att...

Project Zero: FireEye Exploitation: Project Zero's Vulnerability of the Beast
http://googleprojectzero.blogspot.com.au/2015/12/fireeye-exploitation-pr...

Back to 28: Grub2 Authentication Bypass 0-Day
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

FBI on Encryption: 'It's A Business Model Question' | Threatpost | The first stop for security news
https://threatpost.com/fbi-on-encryption-its-a-business-model-question/1...

Fact-checking the debate on encryption | Ars Technica
http://arstechnica.com/security/2015/12/fact-checking-the-debate-on-encr...

New Paper Released: Demystifying the Exploit Kit
http://www.contextis.com/news/new-paper-released-demystifying-exploit-kit/

Tower Of Power - Both Sorry Over Nothin' - YouTube
https://www.youtube.com/watch?v=1Dkh173BAMw

Tower Of Power 1973 - YouTube
https://www.youtube.com/watch?v=JXQ2kMx2xok

Risky Business #394 -- Matthew Green talks "crypto bans"
0:00 / 57:55