Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #376 -- Sniper rifles, bank safes and Android all pwned

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week we're checking in with Josh Drake of Zimperium. With exploitation of Stagefright via Josh's sweet, sweet exploit you'd think the mother of all worms is coming. Well, probably not. Later versions of Android are tricky to exploit, and the diversity of hardware in earlier versions means coming up with one exploit to rule them all isn't really feasible. We'll drill down into that with Josh in a little while.

This week's show is brought to you by Tenable Network Security. Tenable's very own Jack Daniel will be along in this week's sponsor interview to add a bit of context to recent car hacking news. Jack was a mechanic in a previous life. I myself worked for Bosch as an engineer designing automotive electronics in the 90s. So we put our old man pants on and talk about how we arrived in a world where 1.4 million Chrysler owners are patching their vehicles against security flaws using a mailed out USB stick.

Adam Boileau, as usual, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hackers Can Disable a Sniper Rifle-Or Change Its Target | WIRED
http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-t...

Brinks' Super-Secure Smart Safes: Not So Secure | WIRED
http://www.wired.com/2015/07/brinks-super-secure-smart-safes-not-secure/

Researchers Hack Air-Gapped Computer With Simple Cell Phone | WIRED
http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple...

US Census Bureau IT systems hacked, data leaked by Anonymous • The Register
http://www.theregister.co.uk/2015/07/23/us_census_bureau_hacked/

NSA: We'll move your metadata into /dev/null when you stop suing us • The Register
http://www.theregister.co.uk/2015/07/27/nsa_phone_metadata_latest/

White House Says No Thanks to Snowden Pardon Petition | Threatpost | The first stop for security news
https://threatpost.com/white-house-says-no-thanks-to-snowden-pardon-peti...

New Chrome Extension Helps Combat Keyboard Biometrics | Threatpost | The first stop for security news
https://threatpost.com/new-chrome-extension-helps-combat-keyboard-biomet...

Researchers claim they've developed a better, faster Tor | Ars Technica
http://arstechnica.com/information-technology/2015/07/researchers-claim-...

A public marketplace for hackers-what could possibly go wrong? | Ars Technica
http://arstechnica.com/security/2015/07/a-public-marketplace-for-hackers...

Pakistan bans BlackBerry messaging, e-mail for "security reasons" | Ars Technica
http://arstechnica.com/security/2015/07/pakistan-bans-blackberry-messagi...

What amateurs can learn from security pros about staying safe online | Ars Technica
http://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-sec...

Yahoo Touts Success of Bug Bounty Program | Threatpost | The first stop for security news
https://threatpost.com/yahoo-touts-success-of-bug-bounty-program/114019

Malvertising campaign hits 10 MEELLION users in 10 days • The Register
http://www.theregister.co.uk/2015/07/29/malvertising_affects_10_million/

Click-Fraud Malware Spreading via JavaScript Attachments | Threatpost | The first stop for security news
https://threatpost.com/click-fraud-malware-spreading-via-javascript-atta...

Group that hacked Anthem shared weaponized 0-days with rival attackers | Ars Technica
http://arstechnica.com/security/2015/07/group-that-hacked-anthem-shared-...

Apple Patches Remote 'Invoice Vulnerability' in iTunes, App Store | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-remote-invoice-vulnerability-in-itu...

Xen reports new guest-host escape, this time through CD-ROMs • The Register
http://www.theregister.co.uk/2015/07/28/xen_reports_new_guesthost_escape...

PHP File Manager Riddled With Vulnerabilities, Including Backdoor | Threatpost | The first stop for security news
https://threatpost.com/php-file-manager-riddled-with-vulnerabilities-inc...

New vulnerability can put Android phones into permanent vegetative state | Ars Technica
http://arstechnica.com/security/2015/07/new-vulnerability-can-put-androi...

WordPress Patches Critical XSS Vulnerability in All Builds | Threatpost | The first stop for security news
https://threatpost.com/wordpress-patches-critical-xss-vulnerability-in-a...

Valve patches security hole that enabled takeover of Steam accounts | Ars Technica
http://arstechnica.com/gaming/2015/07/valve-patches-security-hole-that-e...

Critical Remotely Exploitable Bug Haunts BIND | Threatpost | The first stop for security news
https://threatpost.com/critical-remotely-exploitable-bug-haunts-bind/114008

950 million Android phones can be hijacked by malicious text messages | Ars Technica
http://arstechnica.com/security/2015/07/950-million-android-phones-can-b...

La Policía by labjacd | Free Listening on SoundCloud
https://soundcloud.com/labjacd/la-policia

Risky Business #375 -- Ashley Madison, Jeep hacks drive news agenda

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're chatting with Dave Jorm, our resident North Korea watcher. Some of you might remember Dave, he was on the show a couple of years ago talking about his OSINT satellite data analysis of North Korea and more recently he popped by to talk about software defined networking security.

Well, some recent analysis of North Korea's official Red Star OS has found it has a nasty habit -- it watermarks media files that users open with a unique ID. This will of course help the North Korean regime to track down the smugglers of digital media, whether that's activist material or South Korean soaps, which are most definitely verboten in the hermit kingdom.

This week's show is brought to you by Intralinks -- these guys do secure document exchange and storage. Intralinks' very own Todd Partridge drops by to talk about how their customers are actually customising these types of document services.

Adam Boileau, as usual, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Online Cheating Site AshleyMadison Hacked - Krebs on Security
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-ha...

Hackers Remotely Kill a Jeep on the Highway-With Me in It | WIRED
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Patch Your Chrysler Now Against a Wireless Hacking Attack | WIRED
http://www.wired.com/2015/07/patch-chrysler-vehicle-now-wireless-hacking...

Senate Bill Seeks Standards For Cars' Defenses From Hackers | WIRED
http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-h...

Google Calls Proposed U.S. Wassenaar Rules 'Not Feasible' | Threatpost | The first stop for security news
https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-fea...

Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-...

SSD Advisory - Trend Micro Threat Intelligence Manager Multiple Vulnerabilities Remote Code Execution | SecuriTeam Blogs
https://blogs.securiteam.com/index.php/archives/2502

Hacking Team apparently violated EU rules in sale of spyware to Russian agency | Ars Technica
http://arstechnica.com/tech-policy/2015/07/hacking-teams-surveillance-so...

Hacking Team Says It Always Sold 'Strictly Within the Law' | Threatpost | The first stop for security news
https://threatpost.com/hacking-team-claims-it-always-sold-strictly-withi...

Netragard Shutters Controversial Exploit Acquisition Program | Threatpost | The first stop for security news
https://threatpost.com/netragard-shutters-controversial-exploit-acquisit...

Researcher angry after finding his code in Hacking Team malware | Ars Technica
http://arstechnica.com/security/2015/07/researcher-takes-umbrage-after-f...

Obama administration decides not to blame China publicly for OPM hack | Ars Technica
http://arstechnica.com/tech-policy/2015/07/obama-administration-decides-...

Four men reportedly arrested in connection to JPMorgan Chase hack | Ars Technica
http://arstechnica.com/tech-policy/2015/07/4-men-reportedly-arrested-in-...

UK man accused of hacking spree on US government is arrested (again) | Ars Technica
http://arstechnica.com/security/2015/07/uk-man-accused-of-hacking-spree-...

Experian Hit With Class Action Over ID Theft Service - Krebs on Security
http://krebsonsecurity.com/2015/07/experian-hit-with-class-action-over-i...

Hacking Team's evil Android app had code to bypass Google Play screening | Ars Technica
http://arstechnica.com/security/2015/07/hackingteams-evil-android-app-ha...

Dozens of phone apps with 300M downloads vulnerable to password cracking | Ars Technica
http://arstechnica.com/security/2015/07/dozens-of-phone-apps-with-300m-d...

New Campaign Targeting Japanese with Hacking Team Zero Day | Threatpost | The first stop for security news
https://threatpost.com/new-campaign-targeting-japanese-with-hackingteam-...

Free Tool Looks for HackingTeam Malware | Threatpost | The first stop for security news
https://threatpost.com/free-tool-looks-for-hackingteam-malware/113850

OpenDNS BGP Stream Twitter Feed | Threatpost | The first stop for security news
https://threatpost.com/bgp-security-alerts-coming-to-twitter/113843

Bug in widely used OpenSSH opens servers to password cracking | Ars Technica
http://arstechnica.com/security/2015/07/bug-in-widely-used-openssh-opens...

Google Patches 43 Bugs in Chrome | Threatpost | The first stop for security news
https://threatpost.com/google-patches-43-bugs-in-chrome/113892

Bug in latest version of OS X gives attackers unfettered root privileges | Ars Technica
http://arstechnica.com/security/2015/07/bug-in-latest-version-of-os-x-gi...

Microsoft Issues Critical, Out-of-Band Patch for All Versions of Windows | Threatpost | The first stop for security news
https://threatpost.com/microsoft-issues-critical-out-of-band-patch-for-a...

RedStar OS Watermarking - Insinuator
http://www.insinuator.net/2015/07/redstar-os-watermarking/

Secure Collaboration + Content Management | Intralinks
https://www.intralinks.com/

Risky Business #374 -- Anti-Flash sentiment sweeps the globe

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we'll be checking in with Richard Forno on the fallout from the OPM breach. Richard has been kicking around in DC infosec circles for a long time now and he lets us know what the mood is like inside the beltway.

In this week's sponsor interview we chat with Chris Gatford of HackLabs! HackLabs is an Australia-based pentesting and consulting firm and we're speaking to Chris about the changing nature of security consultancies.

Adam Boileau, as usual, joins the show to discuss the week's news, which has been dominated by calls for the axing of the Flash plugin and the continued fallout from the Hacking Team breach.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Flash. Must. Die. | WIRED
http://www.wired.com/2015/07/adobe-flash-player-die/

Microsoft nixes A-V updates for XP, exposes 180 MEEELLION luddites • The Register
http://www.theregister.co.uk/2015/07/15/xp_antimalware_support_axed/

Ubuntu PC maker System76 abandons Flash, says it's too dangerous | Ars Technica
http://arstechnica.com/information-technology/2015/07/ubuntu-pc-maker-sy...

Firefox blacklists Flash player due to unpatched 0-day vulnerabilities | Ars Technica
http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-...

Adobe: We REALLY are taking Flash security seriously - honest • The Register
http://www.theregister.co.uk/2015/07/14/adobe_response_to_security_holes/

Once again, Adobe releases emergency Flash patch for Hacking Team 0-days | Ars Technica
http://arstechnica.com/security/2015/07/once-again-adobe-releases-emerge...

Hacking Team's Flash 0-day: Potent enough to infect actual Chrome user | Ars Technica
http://arstechnica.com/security/2015/07/hacking-teams-flash-0day-potent-...

Hacking Team Used Spammer Tricks to Resurrect Spy Network - Krebs on Security
http://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to-r...

Hacking Team spyware rootkit: Even a new HARD DRIVE wouldn't get rid of it • The Register
http://www.theregister.co.uk/2015/07/14/hacking_team_stealth_rootkit/

How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team | Ars Technica
http://arstechnica.com/security/2015/07/how-a-russian-hacker-made-45000-...

Hacking Team's snoopware 'spied on anti-communist activists in Vietnam' • The Register
http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/

Hacking Team touts new spyware suite, calls leaks now "obsolete" | Ars Technica
http://arstechnica.com/security/2015/07/hacking-team-remains-defiant-tou...

Critical OpenSSL bug allows attackers to impersonate any trusted server | Ars Technica
http://arstechnica.com/security/2015/07/critical-openssl-bug-allows-atta...

Dozens Nabbed in Takedown of Cybercrime Forum Darkode | WIRED
http://www.wired.com/2015/07/dozens-nabbed-takedown-cybercrime-forum-dar...

As Predicted, OPM Director Resigns in Wake of Epic Hack | WIRED
http://www.wired.com/2015/07/predicted-opm-director-katherine-archuleta-...

New Bill Would Grant Lifetime Credit Monitoring to OPM Victims | Threatpost | The first stop for security news
https://threatpost.com/new-bill-would-grant-lifetime-credit-monitoring-t...

A $200 privacy device has been killed, and no one knows why | Ars Technica
http://arstechnica.com/security/2015/07/a-200-privacy-device-has-been-ki...

ProxyGambit - anonymize net over GSM or PTP link
http://samy.pl/proxygambit/

Sixty-five THOUSAND Range Rovers recalled over DOOR software glitch • The Register
http://www.theregister.co.uk/2015/07/14/range_rover_recall/

Hackers sell 79,267 Cloudminr accounts for ONE Bitcoin • The Register
http://www.theregister.co.uk/2015/07/14/cloudminr_hack_80000_bitcoin_min...

DEA agent slugged a MEELLION dollars for Silk Road snipe • The Register
http://www.theregister.co.uk/2015/07/13/silkroad_dea_agent_outofpocket_b...

Papa don't breach: Wannabe singer jailed for hacking Madonna • The Register
http://www.theregister.co.uk/2015/07/10/madonna_hacker_sentencing/

Wow, another NSA leak: Network security code appears on GitHub • The Register
http://www.theregister.co.uk/2015/07/09/nsa_network_security_code_leaks_...

New RC4 Attack Dramatically Reduces Plaintext Recovery Time | Threatpost | The first stop for security news
https://threatpost.com/new-rc4-attack-dramatically-reduces-plaintext-rec...

Oracle Patches Java Zero Day | Threatpost | The first stop for security news
https://threatpost.com/oracle-patches-java-zero-day/113792

New PHP Releases Fix BACRONYM MySQL Flaw | Threatpost | The first stop for security news
https://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740

Firefox 39 Out With Patches for Four Critical Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/firefox-39-out-with-patches-for-four-critical-vul...

MS kills critical IE 11 bug after exploit was shopped to Hacking Team | Ars Technica
http://arstechnica.com/security/2015/07/ms-kills-critical-ie-11-bug-afte...

Microsoft Security Bulletin MS15-058 - Important
https://technet.microsoft.com/en-us/library/security/MS15-058

Microsoft Security Bulletin MS15-068 - Critical
https://technet.microsoft.com/en-us/library/security/ms15-068.aspx

Microsoft Security Bulletin MS15-067 - Critical
https://technet.microsoft.com/en-us/library/security/ms15-067.aspx

Job search | Employment and jobs | Queensland Government
https://smartjobs.qld.gov.au/jobtools/jncustomsearch.viewFullSingle?in_o...

[ - infowarrior.org - ]
http://infowarrior.org/about.html

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/

Screaming Headless Torsos (Live in New York -- Knitting Factory 1996) - YouTube
https://www.youtube.com/watch?v=FAKhafsFslE

Screaming Headless Torsos - 2 Bruce Wayne featuring Jimmy Valentine - YouTube
https://www.youtube.com/watch?v=Pzdd2mUiDF0

Risky Business #373 -- Hacking Team gets owned. Quite a lot.

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Obviously the Hacking Team breach is the big story of the week and we'll be jumping right into that.

It's a jam-packed podcast this week -- we check in with Dave Aitel of Immunity to talk about the impending Wassenaar Arrangement disaster about to hit America. We're also joined by Claudio Guarnieri.

Claudio has spent years tracking Hacking Team's malware to the darkest regions of the planet. For a long time he's been claiming Hacking Team were up to no good, now we know he was right. We get him on to the show for a well-earned gloat.

This week's show is brought to you by Xipiter! Do you want to learn how to exploit and reverse engineer IoT, mobile and embedded devices? Xipiter is teaching their SexViaHex and ARM Exploitation classes in September in the Hague. Both their Blackhat classes have sold out four years in a row, and they are indeed sold out this year. Go to SexViaHex.com to book your spot.

Adam Boileau, as usual, joins us to discuss the week's security news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hacking Team Breach Shows a Global Spying Firm Run Amok | WIRED
http://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-fir...

Despite Hacking Team's poor opsec, CEO came from early days of PGP | Ars Technica
http://arstechnica.com/security/2015/07/despite-hacking-teams-poor-opsec...

Hacking Team responds to data breach, issues public threats and denials | CSO Online
http://www.csoonline.com/article/2944333/data-breach/hacking-team-respon...

Days after Hacking Team breach, nobody fired, no customers lost | Ars Technica
http://arstechnica.com/security/2015/07/days-after-hacking-team-breach-n...

Hacking Team Flash Zero Day Weaponized in Exploit Kits | Threatpost | The first stop for security news
https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit...

Hacking Team Couldn't Hack Your iPhone | Threatpost | The first stop for security news
https://threatpost.com/hacking-team-couldnt-hack-your-iphone/113636

Dutch MEP whacks Hacking Team over embargo-busting • The Register
http://www.theregister.co.uk/2015/07/08/dutch_mep_whacks_hacking_team_ov...

Latest News
http://www.hackingteam.it/index.php/about-us

Student claims Wassenaar Arrangement prevents him from publishing dissertation | Ars Technica
http://arstechnica.com/security/2015/07/student-claims-wassenaar-agreeme...

Berlin pours bucket of flat beer on Patriot missile hack report • The Register
http://www.theregister.co.uk/2015/07/08/german_hackers_hijack_missiles/

Meet the hackers who break into Microsoft and Apple to steal insider info | Ars Technica
http://arstechnica.com/security/2015/07/meet-the-hackers-who-break-into-...

Finnish Decision is Win for Internet Trolls - Krebs on Security
http://krebsonsecurity.com/2015/07/finnish-decision-is-win-for-internet-...

Ford's 400,000-car recall could be the tip of an auto security iceberg • The Register
http://www.theregister.co.uk/2015/07/08/ford_car_software_recall_analysis/

Kali Linux 2.0 to launch at DEFCON 23 • The Register
http://www.theregister.co.uk/2015/07/08/kali_20/

Heart of Darkness: Mass of clone scam sites appear • The Register
http://www.theregister.co.uk/2015/07/07/dark_web_cloned_site_scam_resurg...

SyncStop / USB Condom - Charge Your Mobile Phone Safely
http://syncstop.com/

Software Exploitation via Hardware exploitation training (LITE) - SexViaHex
http://www.sexviahex.com/

Xipiter - Home
http://www.xipiter.com/

Colin Hay - Beautiful World - YouTube
https://www.youtube.com/watch?v=xe3RqgnXaT4

Risky Business #372 -- Airbus pilot talks plane hacking

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's feature interview is a bit left of field. With all the talk about plane hacking flying around over the last couple of months (zing) I thought it might be an idea to talk to an actual airliner pilot. So this week we're joined by an Australian Airbus pilot. He works for an Asian airline but he was in Australia recently and I caught up with him to ask him for his thoughts on the topic.

As you'll hear, there's a bit more to an Airbus than it just being a flying computer. It's more like a flying computer warehouse with multiple redundant systems. Our anonymous pilot says stopping a hacker on a plane might be as simple as just killing power to the cabin with the flick of a switch -- BUT, he says there are no procedures or training around troubleshooting for malicious attackers and in such a heavily process-oriented environment that could cause problems.

This week's show is brought to you by our friends at Tenable Network Security, big thanks to them! Tenable's very own Marcus Ranum will be along in this week's sponsor interview to talk about detection concepts. He pulls on his grumpy pants and doles out some stone-cold old school advice for people out there building networks. That's a fun one.

Adam Boileau, as usual, joins us to discuss the week's security news.

Links to everything can be found in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #371 -- Special guest Richard Bejtlich

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we chat with Richard Bejtlich. He serves as the chief security strategist at FireEye. He's a nonresident fellow with the Brookings Institute and he joins me this week to talk about the OPM breach, honeypots, China and Edward Snowden.

This week's show is sponsored by Palo Alto Networks. This week's sponsor interview is with Ryan Olson of Palo's Threat Intelligence Unit 42 -- yes, that is a Hitchhiker's Guide reference. He'll be joining us to discuss an APT campaign they uncovered in Asia -- it's called Lotus Blossom and it's yet another example of likely state-sponsored APT activity targeting the region. Depressingly, it uses CVEs that start with 2012. Ugh.

Adam Boileau, as usual, joins us to discuss the week's security news.

Links to everything can be found in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #370 -- Samsung screws the pooch in extravagant fashion

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we chat with Dan Guido of Trail of Bits about DARPA's Cyber Grand Challenge. There was a competition round last week and he tells us all about it.

Participants have to stand up simple network services on a LAN and keep them up. They also have to write attack code that targets other people's services. When another participant attacks you, you have to defend against the attack and even patch your service so it's immune from the attacks it's being faced with... all of this is automated. You write your software before the event, drop it on the LAN and off you go. Dan tells us where the competition is at.

This week's show is brought to you by Tenable Network Security. Tenable CEO Ron Gula joins the show to talk about the OPM breach. He's encouraging Risky Business listeners to get in touch with their empathy in this instance -- sometimes politics stop organisations from being able to do the right thing when it comes to security. It's a great chat, so stick around for it.

Adam Boileau, as usual, joins us to discuss the week's security news.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

New exploit turns Samsung Galaxy phones into remote bugging devices | Ars Technica
http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy...

Questions over Samsung's handling of security flaw in millions of smartphones
http://www.smh.com.au/digital-life/consumer-security/questions-over-sams...

Hack Brief: Password Manager LastPass Got Breached Hard | WIRED
http://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-br...

Catching Up on the OPM Breach - Krebs on Security
http://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/

Encryption "would not have helped" at OPM, says DHS official | Ars Technica
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped...

Report: Hack of government employee records discovered by product demo | Ars Technica
http://arstechnica.com/security/2015/06/report-hack-of-government-employ...

Attackers Stole Certificate From Foxconn to Hack Kaspersky With Duqu 2.0 | WIRED
http://www.wired.com/2015/06/foxconn-hack-kaspersky-duqu-2/

China and Russia Almost Definitely Have the Snowden Docs | WIRED
http://www.wired.com/2015/06/course-china-russia-snowden-documents/

Serious OS X and iOS flaws let hackers steal keychain, 1Password contents | Ars Technica
http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-h...

Blackhats exploiting MacKeeper hole to foist dangerous trojan • The Register
http://www.theregister.co.uk/2015/06/16/blackhats_exploiting_mackeeper_h...

US anti-fraud law makes deleting browser history a crime punishable by 20yrs in jail - RT USA
http://rt.com/usa/266389-browsing-history-obstruction-justice/

Hack Brief: The Cardinals May Have Hacked the Astros | WIRED
http://www.wired.com/2015/06/hack-brief-cardinals-astros/

Magazine publisher loses $1.5M in cyberfraud | New York Post
http://nypost.com/2015/06/16/magazine-publisher-swindled-out-of-1-5-mill...

Data-stealing component of 'Stegoloader' hides in PNG images - SC Magazine
http://www.scmagazine.com/stegoloader-malware-uses-png-files-to-hide-dat...

AdBlock aims to send filthy malverts on one-way LSD trip • The Register
http://www.theregister.co.uk/2015/06/17/adblock_revamps_for_enterprise_l...

Vapourware no more: Let's Encrypt announces first cert dates • The Register
http://www.theregister.co.uk/2015/06/17/vapourware_no_more_lets_encrypt_...

Google extends vulnerability bounties to Android; offers up to $30,000 | Ars Technica
http://arstechnica.com/security/2015/06/google-extends-vulnerability-bou...

Wikipedia goes all-HTTPS, starting immediately | Ars Technica
http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-startin...

Cisco Patches IPv6 Vulnerability in Carrier Routers | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-ipv6-vulnerability-in-carrier-grade...

ProjectVault/orp · GitHub
https://github.com/projectvault/orp

devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf
http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_secur...

DROP LEGS | triple j Unearthed
https://www.triplejunearthed.com/artist/drop-legs

Risky Business #369 -- Kaspersky pwned by Duqu, bye bye 215 and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we speak with Laura Bell about scanning people for vulnerabilities. Who in your organisation do you most need to worry about protecting? Well, it's not who you think. She'll be along soon to discuss that.

This week's show is brought to you by Rapid7.

Rapid7's SVP of Products and Engineering Lee Weiner will be along in this week's sponsor interview to talk about how to get security and IT departments both thinking about risk-based approaches to patching. Hey, sure, you've got 8,000 boxes that can all be Heartbleeded, but do you need to worry about all of them right now? Or just the accessible ones with all the customer data on them?

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Kaspersky Finds New Nation-State Attack-In Its Own Network | WIRED
http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-net...

The Senate Finally Passes NSA Surveillance Reform | WIRED
http://www.wired.com/2015/06/senate-finally-passes-bit-nsa-reform/

Senate Shoots Down All Bad Amendments to the NSA Reform Bill | WIRED
http://www.wired.com/2015/06/senate-shoots-bad-amendments-nsa-reform-bill/

Federal agency hit by Chinese hackers, around 4 million employees affected | Ars Technica
http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-ha...

Why the "biggest government hack ever" got past the feds | Ars Technica
http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-...

New Snowden documents reveal secret memos expanding spying | Ars Technica
http://arstechnica.com/tech-policy/2015/06/new-snowden-documents-reveal-...

All U.S. United Flights Grounded Over Mysterious Problem | WIRED
http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/

Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed - sources | Reuters
http://www.reuters.com/article/2015/05/29/us-usa-northkorea-stuxnet-idUS...

TV5 Monde attack 'by Russia-based hackers' - BBC News
http://www.bbc.com/news/world-europe-33072034

Nonlinear warfare - A new system of political control 2014 Adam Curtis - YouTube
https://www.youtube.com/watch?v=tyop0d30UqQ

Vladislav Surkov - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Vladislav_Surkov

California senate wants warrants to be required for phone searches
http://www.engadget.com/2015/06/04/california-warrant-phone-search-bill/

Intercepted WhatsApp messages led to Belgian terror arrests [Updated] | Ars Technica
http://arstechnica.com/tech-policy/2015/06/intercepted-whatsapp-messages...

Sen. McCain: How to Get Silicon Valley to Help the Pentagon | WIRED
http://www.wired.com/2015/06/sen-mccain-get-silicon-valley-help-pentagon/

Feds Want to ID Web Trolls Who 'Threatened' Silk Road Judge | WIRED
http://www.wired.com/2015/06/feds-want-id-web-trolls-threatened-silk-roa...

This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED
http://www.wired.com/2015/06/hacked-kids-toy-opens-garage-doors-seconds/

'MEDJACK' tactic allows cyber criminals to enter healthcare networks undetected - SC Magazine
http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/

Bitcoin blackmail gang start hurling DDoSes at Scandinavia • The Register
http://www.theregister.co.uk/2015/06/09/ddos_blackmail_gang_scandinavian...

iiNet investigates alleged theft of customer database - Security - News - iTnews.com.au
http://www.itnews.com.au/News/404959,iinet-investigates-alleged-theft-of...

Crypto flaws in Blockchain Android app sent bitcoins to the wrong address | Ars Technica
http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-andro...

Beware of the text message that crashes iPhones | Ars Technica
http://arstechnica.com/security/2015/05/beware-of-the-text-message-that-...

US Army website defaced by Syrian Electronic Army [Updated] | Ars Technica
http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syria...

Assume your GitHub account is hacked, users with weak crypto keys told | Ars Technica
http://arstechnica.com/security/2015/06/assume-your-github-account-is-ha...

June 2015 Adobe Flash Player Security Update | Threatpost | The first stop for security news
https://threatpost.com/adobe-patches-13-vulnerabilities-in-flash-player/...

June 2015 Microsoft Patch Tuesday Security Bulletins | Threatpost | The first stop for security news
https://threatpost.com/critical-ie-update-one-of-eight-microsoft-securit...

FAQs
http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200

SafeStack - Agile Application Security
http://safestack.io/

IT Security & Analytics, Pen Testing, Compliance - Rapid7
http://www.rapid7.com/

The Isley Brothers - Fight The Power (Part 1 & 2) (1975) - YouTube
https://www.youtube.com/watch?v=wO2ebiuV3hU

Risky Business #369 -- Kaspersky pwned by Duqu, bye bye 215 and more

Risky Business #368 -- AusCERT edition: Brian Krebs, Eva Galperin and more!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of the show is a special edition recorded at AusCERT's 2015 conference on the Gold Coast, brought to you by Datacom TSS.

In it, we speak with:

* Brian Krebs, who talks about the weird symbiotic relationship he has with the criminal underworld
* Eva Galperin of the EFF, who talks Wassenaar
* David Litchfield, who discusses his new database security tool
* Datacom TSS practice manager Lou Robertson on outcomes-based security service contracts

I hope you enjoy it!


Risky Business #367 -- Tor Project lead Roger Dingledine

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is a bit different. I've prepared it while in South Africa. I've been here for two weeks now, one week of holidays and another week at the ITWeb Security Summit in Johannesburg.

While here I got a chance to meet and interview Roger Dingledine, the Tor Project leader, about the future of hidden services, the Anonabox controversy, and the possibility of major browser manufacturers integrating Tor into their private browsing modes. That's this week's feature.

This week's news guest is Haroon Meer of Thinkst.

Thinkst is actually this week's sponsor as well. But as Haroon is a super smart guy who also happens to be funny and eloquent, I invited him to do this week's news segment with me from the conference centre in Midrand.

For the sponsor segment Haroon filled us in on his latest invention, Canary.

It's a honeypot you put on your LAN that can detect all sorts of lateral movement. It's an awesome idea and you'll get the skinny in this week's sponsor interview!

Show notes

Proposed U.S. Wassenaar Rules on Intrusion Software | Threatpost | The first stop for security news
https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-expo...

Researchers Wary of Wassenaar Arrangement Proposed Rules | Threatpost | The first stop for security news
https://threatpost.com/security-researchers-wary-of-proposed-wassenaar-r...

US aims to limit zero-day sales to Five Eyes - Security - News - iTnews.com.au
http://www.itnews.com.au/News/404272,us-aims-to-limit-zero-day-sales-to-...

New Logjam Attack on Diffie-Hellman Threatens Security of Browsers, VPNs | Threatpost | The first stop for security news
https://threatpost.com/new-logjam-attack-on-diffie-hellman-threatens-sec...

HTTPS-crippling attack threatens tens of thousands of Web and mail servers | Ars Technica
http://arstechnica.com/security/2015/05/https-crippling-attack-threatens...

Feds Say That Banned Researcher Commandeered a Plane | WIRED
http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

Alleged plane hacker said he pierced Boeing jet's firewall in 2012 | Ars Technica
http://arstechnica.com/security/2015/05/alleged-plane-hacker-said-he-pie...

Is It Possible for Passengers to Hack Commercial Aircraft? | WIRED
http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft/

Silk Road Prosecutors Ask Judge to 'Send a Message' In Ulbricht Sentencing | WIRED
http://www.wired.com/2015/05/silk-road-prosecutors-ask-judge-send-messag...

Silk Road from the inside: Moderator SSBD tells his story | All Things VICE
http://allthingsvice.com/2015/05/27/silk-road-from-the-inside-moderator-...

Database of 4 million Adult Friend Finder users leaked for all to see | Ars Technica
http://arstechnica.com/security/2015/05/database-of-4-million-adult-frie...

Five Eyes spies sought to subvert Google, Samsung app stores - Security - News - iTnews.com.au
http://www.itnews.com.au/News/404297,five-eyes-spies-sought-to-subvert-g...

IRS system mined for over 100,000 taxpayer records by fraudsters [Updated] | Ars Technica
http://arstechnica.com/security/2015/05/report-irs-admits-its-been-hacke...

Researcher who exploits bug in Starbucks gift cards gets rebuke, not love | Ars Technica
http://arstechnica.com/security/2015/05/researcher-who-exploits-bug-in-s...

'90s-style security flaw puts "millions" of routers at risk | Ars Technica
http://arstechnica.com/security/2015/05/90s-style-security-flaw-puts-mil...

The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica
http://arstechnica.com/security/2015/05/the-moose-is-loose-linux-based-w...

Flawed Android factory reset leaves crypto and login keys ripe for picking | Ars Technica
http://arstechnica.com/security/2015/05/flawed-android-factory-reset-lea...

SQL Attack Results in Breach of Telstra Telecom Pacnet | Threatpost | The first stop for security news
https://threatpost.com/sql-attack-results-in-breach-of-telstra-owned-tel...

"The media is always lying" hacked WaPo website says | Ars Technica
http://arstechnica.com/security/2015/05/the-media-is-always-lying-hacked...

Penn State severs engineering network after "incredibly serious" intrusion | Ars Technica
http://arstechnica.com/security/2015/05/penn-state-severs-engineering-ne...

Researcher turns tables, discloses unpatched bugs in Google cloud platform | Ars Technica
http://arstechnica.com/security/2015/05/researcher-turns-tables-disclose...

Google Fixes Sandbox Escape in Chrome | Threatpost | The first stop for security news
https://threatpost.com/google-fixes-sandbox-escape-in-chrome/112899

Apple Releases Patches For a Watch | Threatpost | The first stop for security news
https://threatpost.com/apple-releases-patches-for-a-watch/112920

Risky Business #83 -- The Military Digital Complex | Risky Business
http://risky.biz/netcasts/risky-business/risky-business-83-military-digi...

Why changes to Wassenaar make oppression and surveillance easier, not harder
http://addxorrol.blogspot.com/2015/05/why-changes-to-wassenaar-make.html

Canary box aims to lure hackers into honeypots before they make headlines | Ars Technica
http://arstechnica.com/security/2015/05/canary-box-aims-to-lure-hackers-...

Canary - know when it matters
https://canary.tools/
