Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business Podcast

February 18, 2016

Risky Business #399 -- Apple vs the Government of the United States

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we chat with Dan Guido from Trail of Bits about the stoush between Apple and the US department of justice.

In this week's sponsor interview we speak with Cris Thomas, a.k.a. Space Rogue. Cris works for Tenable Network Security, this week's sponsor, and he joins us in this week's podcast to talk about NIST's cyber security framework.

Adam Boileau joins the show to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Customer Letter - Apple
http://www.apple.com/customer-letter/

SB-Shooter-Order-Compelling-Apple-Asst-iPhone
https://www.documentcloud.org/documents/2714001-SB-Shooter-Order-Compell...

New report contends mandatory crypto backdoors would be futile | Ars Technica
http://arstechnica.com/tech-policy/2016/02/new-report-contends-mandatory...

Apple can comply with the FBI court order - Trail of Bits Blog
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Magnitude of glibc Vulnerability Coming to Light | Threatpost | The first stop for security news
https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/...

glibc Linux remote code execution vulnerability | Threatpost | The first stop for security news
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machi...

Extremely severe bug leaves dizzying number of software and devices vulnerable | Ars Technica
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizz...

#6886 (uClibc segfault in getaddrinfo() when receiving long IPv6 DNS responses (probably stack corruption)) - OpenWrt
https://dev.openwrt.org/ticket/6886

U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict - The New York Times
http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-pl...

Password cracking attacks on Bitcoin wallets net $103,000 | Ars Technica
http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bit...

Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning | Ars Technica
http://arstechnica.com/apple/2016/02/warning-bug-in-adobe-creative-cloud...

Opsec fail: Baltimore teen car thieves paired phones with Jeep UConnect | Ars Technica
http://arstechnica.com/security/2016/02/opsec-fail-baltimore-teen-car-th...

Patients diverted to other hospitals after ransomware locks down key software | Ars Technica
http://arstechnica.com/security/2016/02/la-hospital-latest-victim-of-tar...

LA hospital coughs up $17,000 to free PCs held to ransom by hackers \u2022 The Register
http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/?mt=1455761...

Honeypots Help Illustrate Scores of Vulnerabilities in Medical Devices | Threatpost | The first stop for security news
https://threatpost.com/honeypots-illustrate-scores-of-vulnerabilities-in...

'Ricochet', the Messenger That Beats Metadata, Passes Security Audit | Motherboard
http://motherboard.vice.com/read/ricochet-encrypted-messenger-tackles-me...

ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
http://eprint.iacr.org/2016/129.pdf

Apple can comply with the FBI court order - Trail of Bits Blog
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-cou...

Risky Business #399 -- Apple vs the Government of the United States
0:00 / 50:47

Risky Business Podcast

February 11, 2016

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible.

We're sticking with the economics theme in this week's feature interview. We'll be chatting with Jonahan Cran, VP of operations for BugCrowd about their recently released Defensive Vulnerability Pricing Model. They've also released their Vulnerability Rating Taxonomy. Both of these documents are really, really interesting, so stay tuned for this week's sponsor interview to hear all about them!

Adam Boileau joins us, as always, to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Execute My Packet | Exodus Intelligence
https://blog.exodusintel.com/2016/01/26/firewall-hacking/

Obama wants you to join CyberCorps Reserve to help feds get their act together | Ars Technica
http://arstechnica.com/tech-policy/2016/02/obama-wants-you-join-the-cybe...

Moscow raids could signal end of global Dyre bank trojan menace \u2022 The Register
http://www.theregister.co.uk/2016/02/10/moscow_raids_could_signal_end_of...

Dridex malware exploit distributes antivirus installer-hack suspected | Ars Technica
http://arstechnica.com/security/2016/02/dridex-malware-exploit-distribut...

Java "RAT-as-a-Service" backdoor openly sold through website to scammers | Ars Technica
http://arstechnica.com/security/2016/02/java-rat-as-a-service-backdoor-o...

Clever bank hack allowed crooks to make unlimited ATM withdrawals | Ars Technica
http://arstechnica.com/security/2016/02/clever-bank-hack-allowed-crooks-...

Skimmers Hijack ATM Network Cables - Krebs on Security
http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/

Relive your worst MS-DOS file-deletion memories at the Malware Museum | Ars Technica
http://arstechnica.com/security/2016/02/relive-your-worst-ms-dos-file-de...

Parents urged to boycott VTech toys after hack - BBC News
http://www.bbc.com/news/technology-35532644

Flash flushed as Google orders almost all ads to adopt HTML5 \u2022 The Register
http://www.theregister.co.uk/2016/02/10/google_orders_advertisers_to_ado...

How to Hack the Power Grid Through Home Air Conditioners | WIRED
http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air...

Julian Assange's 3.5-Year Detainment in Embassy Ruled Unlawful | WIRED
http://www.wired.com/2016/02/julian-assanges-3-5-year-detainment-in-emba...

Gmail to warn you if your friends aren't using secure e-mail | Ars Technica
http://arstechnica.com/information-technology/2016/02/gmail-to-warn-you-...

Chrome picks up bonus security features on Windows 10 | Ars Technica
http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bo...

UC Berkeley profs lambast new "black box" network monitoring hardware | Ars Technica
http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybers...

Zero Day Initiative announces Pwn2Own 2016 - Hewlett Packard Enterprise Community
http://community.hpe.com/t5/Security-Research/Zero-Day-Initiative-announ...

th\xe1i: Exploiting the Diffie-Hellman bug in socat
https://vnhacker.blogspot.co.nz/2016/02/exploiting-diffie-hellman-bug-in...

Gordon-Loeb Model for Cybersecurity Investments - YouTube
https://www.youtube.com/watch?v=cd8dT0FuqQ4

Bugcrowd's Vulnerability Rating Taxonomy
https://pages.bugcrowd.com/vulnerability-rating-taxonomy

Bugcrowd's Defensive Vulnerability Pricing Model
https://pages.bugcrowd.com/whats-a-bug-worth-2015-survey

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!
0:00 / 51:14

Risky Business Podcast

February 05, 2016

Risky Business #397 -- Guest HD Moore joins the show!

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

******Here's a link to the Risky Business listener survey. Please take some time to fill it in! It'll really help the show!********

On this week's show we're checking in with HD Moore. He's left Rapid7 after six years and he'll be along to fill us in on his future plans in this week's feature interview. He'll also be reassuring all you Metasploit users out there that he'll be staying involved. He'll talk about a couple of absolutely awful bugs and he'll also weigh in on NorseGate: The implosion of the world's most cybery cyber advanced threat intelligence derpa derpa firm.

This week's show is brought to you by an Australian security consultancy, HackLabs. It's probably worth noting for our American friends that the Australian exchange rate has shifted pretty substantially over the last six months or so... so Australia might be a pretty good place for you to send some app review work!

In this week's sponsor interview HackLabs founder and head honcho Chris Gatford joins us to discuss strategies for administering unmaintained and hideously vulnerable enterprise apps.

Microsoft has end-of-lifed a stack of old IE versions, Oracle is killing the Java browser plugin... this will leave a lot of legacy apps marooned. So what can you do?

Adam Boileau joins us, as always, to discuss the week's security news. He also discusses Java deserialisation attacks that are shaping up as a major attack vector for 2016.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

------------

Oracle deprecates the Java browser plugin, prepares for its demise | Ars Technica
http://arstechnica.com/information-technology/2016/01/oracle-deprecates-...

Good Riddance to Oracle's Java Plugin - Krebs on Security
http://krebsonsecurity.com/2016/02/good-riddance-to-oracles-java-plugin/

Sources: Security Firm Norse Corp. Imploding - Krebs on Security
http://krebsonsecurity.com/2016/01/sources-security-firm-norse-corp-impl...

NSA Hacker Chief Explains How to Keep Him Out of Your System | WIRED
http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-o...

National Security Agency plans major reorganization - The Washington Post
https://www.washingtonpost.com/world/national-security/national-security...

A technical reading of the "HIMR Data Mining Research Problem Book" | Conspicuous Chatter
https://conspicuouschatter.wordpress.com/2016/02/03/a-technical-reading-...

Default settings in Apache may decloak Tor hidden services | Ars Technica
http://arstechnica.com/security/2016/02/default-settings-in-apache-may-d...

Crypto flaw was so glaring it may be intentional eavesdropping backdoor | Ars Technica
http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-ma...

UN rules in favour of Julian Assange
http://www.theage.com.au/world/un-rules-in-favour-of-assange-20160204-gm...

Corrupt Silk Road Investigator Re-Arrested for Allegedly Trying to Flee the US | WIRED
http://www.wired.com/2016/02/corrupt-silk-road-investigator-re-arrested-...

Former Energy Department employee admits trying to spear phish coworkers | Ars Technica
http://arstechnica.com/tech-policy/2016/02/former-energy-department-empl...

FTC: Tax Fraud Behind 47% Spike in ID Theft - Krebs on Security
http://krebsonsecurity.com/2016/01/ftc-tax-fraud-behind-47-spike-in-id-t...

HSBC online banking suffers major outage, blames DDoS attack | Ars Technica
http://arstechnica.com/security/2016/01/hsbc-online-banking-suffers-majo...

eBay has no plans to fix "severe" bug that allows malware distribution [Updated] | Ars Technica
http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-...

PayPal Java Serialization Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/

Government Promises Comment Period on Next Wassenaar Draft | Threatpost | The first stop for security news
https://threatpost.com/government-promises-comment-period-on-next-wassen...

VirusTotal Firmware Malware Implant Scanning | Threatpost | The first stop for security news
https://threatpost.com/virustotal-supports-firmware-scanning/116072/

Mysterious spike in WordPress hacks silently delivers ransomware to visitors | Ars Technica
http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-ha...

High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic | Ars Technica
http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-all...

Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android | InfoWorld
http://www.infoworld.com/article/3028079/security/google-fixes-multiple-...

Google engineer finds holes in three 'secure' browsers
http://www.engadget.com/2016/02/04/tavis-ormandy-chromium-bug-hunter/

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/

Risky Business #397 -- Guest HD Moore joins the show!
0:00 / 52:30

Risky Business Podcast

January 28, 2016

Risky Business #396 -- Chris Wysopal on scanning for backdoors

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we've got two feature interviews!

We're talking to Chris Wysopal from Veracode about using static analysis techniques to find back doors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough.

We also check in with Martijn Grooten, editor of Virus Bulletin. We're having a quick chat to him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. He's been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact.

This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. Personally think this stuff is great.. just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools.

Adam Boileau, as always, drops in for a chat about the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Israel's electric authority hit by "severe" hack attack [Updated] | Ars Technica
http://arstechnica.com/security/2016/01/israels-electric-grid-hit-by-sev...

Israeli Electric Authority Attacked, Potential Ransomware | Threatpost | The first stop for security news
https://threatpost.com/israeli-electric-authority-hit-by-severe-cyber-at...

SANS Industrial Control Systems Security Blog | Context for the Claim of a Cyber Attack on the Israeli Electric Grid | SANS Institute
https://ics.sans.org/blog/2016/01/27/context-for-the-claim-of-a-cyber-at...

Wendy's Probes Reports of Credit Card Breach - Krebs on Security
https://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card...

Moment of truth: Feds must say if they used backdoored Juniper firewalls | Ars Technica
http://arstechnica.com/tech-policy/2016/01/moment-of-truth-feds-must-say...

Secret SSH backdoor in Fortinet hardware found in more products | Ars Technica
http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-...

Media devices sold to feds have hidden backdoor with sniffing functions | Ars Technica
http://arstechnica.com/security/2016/01/media-devices-sold-to-feds-have-...

Lenovo SHAREit App Hard-Coded Password | Threatpost | The first stop for security news
https://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-...

Yet another bill seeks to weaken encryption-by-default on smartphones | Ars Technica
http://arstechnica.com/tech-policy/2016/01/yet-another-bill-seeks-to-wea...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

How Amazon customer service was the weak link that spilled my data | Ars Technica
http://arstechnica.com/security/2016/01/how-amazon-customer-service-was-...

"Internet of Things" security is hilariously broken and getting worse | Ars Technica
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-th...

NYC Launches Investigation Into Hackable Baby Monitors | WIRED
http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/

HD Moore Leaves Rapid7 for Venture Capital Opportunity | Threatpost | The first stop for security news
https://threatpost.com/hd-moore-to-build-new-venture-capital-firm/115969/

Zcash, an Untraceable Bitcoin Alternative, Launches in Alpha | WIRED
http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-la...

Government Investigation of Alleged Bitcoin Creator Craig Wright Intensifies - CoinDesk
http://www.coindesk.com/australia-government-bitcoin-creator-craig-wrigh...

Firm Sues Cyber Insurer Over $480K Loss - Krebs on Security
http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/

Scarlet Mimic Behind Espionage Campaign Against Tibetan, Uyghur Activists | Threatpost | The first stop for security news
https://threatpost.com/scarlet-mimic-group-behind-four-year-campaign-aga...

Bot Fraud to Cost Advertisers $7 Billion in 2016 | Threatpost | The first stop for security news
https://threatpost.com/bot-fraud-to-cost-advertisers-7-billion-in-2016/1...

Skype Now Hides Your Internet Address - Krebs on Security
http://krebsonsecurity.com/2016/01/skype-now-hides-your-internet-address/

Cisco MiniUPnP Stack Smashing Protection Attack | Threatpost | The first stop for security news
https://threatpost.com/miniupnp-vulnerability-clears-way-for-stack-smash...

January 2016 Apple Security Patches iOS, OS X, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/11...

OpenSSL to Patch Two Vulnerabilities This Week | Threatpost | The first stop for security news
https://threatpost.com/openssl-to-patch-two-vulnerabilities-this-week/11...

Magento Update Addresses XSS, CSRF Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/magento-update-addresses-xss-csrf-vulnerabilities...

Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme | WIRED
http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-c...

iOS cookie theft bug allowed hackers to impersonate users | Ars Technica
http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hac...

Oracle Pushes Java Fix: Patch It or Pitch It - Krebs on Security
http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pi...

Canary - know when it matters
https://canary.tools/

canarytokens.net
http://canarytokens.org/generate

Risky Business #396 -- Chris Wysopal on scanning for backdoors
0:00 / 54:07

Risky Business Podcast

January 21, 2016

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things.

  • We'll be talking about moves by both browser developers and some CAs to deprecate SHA1 signed certificates. He says we need to support SHA-1 for now and he explains why soon.
  • We're also chatting with him about the Juniper fiasco.
  • We also get his thoughts on NSA surveillance now he's responsible for the security of user information at the world's biggest social media platform.

In this week's sponsor interview we chat with Tenable network security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's going on outside your network, that doesn't mean you should treat these services as a big blindspot. That's this week's feature interview, with big thanks to Tenable Network Security, this week's sponsor!

Adam Boileau is back this week to discuss the news headlines we missed while we were on break.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica
http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-fir...

New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED
http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raise...

Researchers confirm backdoor password in Juniper firewall code | Ars Technica
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-pas...

Juniper drops NSA-developed code following new backdoor revelations | Ars Technica
http://arstechnica.com/security/2016/01/juniper-drops-nsa-developed-code...

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears | Ars Technica
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-passwo...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

Phone crypto scheme "facilitates undetectable mass surveillance" | Ars Technica
http://arstechnica.com/tech-policy/2016/01/phone-crypto-scheme-facilitat...

The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED
http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan...

Everything We Know About Ukraine's Power Plant Hack | WIRED
http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-pla...

Analysis confirms coordinated hack attack caused Ukrainian power outage | Ars Technica
http://arstechnica.com/security/2016/01/analysis-confirms-coordinated-ha...

Royal Melbourne Hospital attacked by damaging computer virus
http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-d...

Internet Explorer End of Support
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

Judge Rules Kim Dotcom Can Be Extradited to US to Face Charges | WIRED
http://www.wired.com/2015/12/kim-dotcom-extradition-ruling/

In Silk Road Appeal, Ross Ulbricht's Defense Focuses on Corrupt Feds | WIRED
http://www.wired.com/2016/01/ross-ulbrichts-defense-focuses-on-corrupt-f...

Security firm sued for filing "woefully inadequate" forensics report | Ars Technica
http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-wo...

US Intelligence director's personal e-mail, phone hacked | Ars Technica
http://arstechnica.com/security/2016/01/us-intelligence-directors-person...

Researchers uncover JavaScript-based ransomware-as-service | Ars Technica
http://arstechnica.com/security/2016/01/researchers-uncover-javascript-b...

Microsoft may have your encryption key; here's how to take it back | Ars Technica
http://arstechnica.com/information-technology/2015/12/microsoft-may-have...

Common payment processing protocols found to be full of flaws | Ars Technica
http://arstechnica.com/security/2015/12/common-payment-processing-protoc...

Critical Yahoo Mail Flaw Patched, $10K Bounty Paid | Threatpost | The first stop for security news
https://threatpost.com/critical-yahoo-mail-flaw-patched-10k-bounty-paid/...

GM embraces white-hat hackers with public vulnerability disclosure program | Ars Technica
http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-publ...

Google slams AVG for exposing Chrome user data with "security" plugin | Ars Technica
http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-ch...

Google security researcher excoriates TrendMicro for critical AV defects | Ars Technica
http://arstechnica.com/security/2016/01/google-security-researcher-excor...

Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC | Ars Technica
http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torped...

Cisco Patches Hardcoded Password, DoS Vulnerabilities in Software | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-hardcoded-password-dos-vulnerabilit...

Microsoft Silverlight Zero Day Vulnerability Patched | Threatpost | The first stop for security news
https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/...

Bug that can leak crypto keys just fixed in widely used OpenSSH | Ars Technica
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-ju...

Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-milli...

January 2016 Oracle Critical Patch Update 248 Patches | Threatpost | The first stop for security news
https://threatpost.com/oracle-releases-record-number-of-security-patches...

Oracle settles with FTC over Java's "deceptive" security patching | Ars Technica
http://arstechnica.com/information-technology/2015/12/oracle-settles-wit...

With funds stolen in hack, cryptocurrency company mulls bankruptcy | Reuters
http://www.reuters.com/article/bankruptcy-cryptsy-idUSL2N1530M9

Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early | Ars Technica
http://arstechnica.com/information-technology/2015/12/google-considers-f...

Firefox ban on SHA-1 certs causing some security issues, Mozilla warns | Ars Technica
http://arstechnica.com/security/2016/01/firefoxs-ban-of-sha-1-certs-caus...

Risky Business #395 -- Alex Stamos on Juniper-gate, SHA-1 and NSA surveillance
0:00 / 73:05

Risky Business Podcast

December 16, 2015

Risky Business #394 -- Matthew Green talks "crypto bans"

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with Johns Hopkins University cryptographer Matthew Green about rumblings emanating out of DC with regard to "stopping encryption", whatever the hell that means.

In this week's sponsor interview we're chatting with Oliver Fay from Context about a paper they did in conjunction with UK's CERT about exploit kits. How much do they cost? Are there any that stick out as being particularly good? Or bad, depending on your point of view...

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Man arrested in toymaker hack that exposed data for millions of kids | Ars Technica
http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-sa...

The Bizarre Saga of Craig Wright, the Latest "Inventor of Bitcoin" - The New Yorker
http://www.newyorker.com/business/currency/bizarre-saga-craig-wright-lat...

Julian Assange Will Finally Get His Day in Court-In the Ecuadorean Embassy | WIRED
http://www.wired.com/2015/12/julian-assange-will-finally-get-his-day-in-...

J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime - Forbes
http://www.forbes.com/sites/stevemorgan/2015/12/13/j-p-morgan-boa-citi-a...

Tor Hires a New Leader to Help It Combat the War on Privacy | WIRED
http://www.wired.com/2015/12/tor-hires-a-new-leader-to-help-it-combat-th...

Beware of state-sponsored hackers, Twitter warns dozens of users | Ars Technica
http://arstechnica.com/tech-policy/2015/12/beware-of-state-sponsored-hac...

13 Million MacKeeper Users Exposed - Krebs on Security
http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/

SHA1 sunset will block millions from encrypted net, Facebook warns | Ars Technica
http://arstechnica.com/security/2015/12/sha1-sunset-will-block-millions-...

Cisco starts spewing vuln info everywhere, in a good way \u2022 The Register
http://www.theregister.co.uk/2015/12/15/borg_security_boffins_open_tweak...

#BadWinmail Demo - YouTube
https://www.youtube.com/watch?v=ngWVbcLDPm8

Critical 0-day Remote Command Execution Vulnerability in Joomla - Sucuri Blog
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-i...

Protecting Windows Networks - Kerberos Attacks | DFIR blog
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-att...

Project Zero: FireEye Exploitation: Project Zero's Vulnerability of the Beast
http://googleprojectzero.blogspot.com.au/2015/12/fireeye-exploitation-pr...

Back to 28: Grub2 Authentication Bypass 0-Day
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

FBI on Encryption: 'It's A Business Model Question' | Threatpost | The first stop for security news
https://threatpost.com/fbi-on-encryption-its-a-business-model-question/1...

Fact-checking the debate on encryption | Ars Technica
http://arstechnica.com/security/2015/12/fact-checking-the-debate-on-encr...

New Paper Released: Demystifying the Exploit Kit
http://www.contextis.com/news/new-paper-released-demystifying-exploit-kit/

Tower Of Power - Both Sorry Over Nothin' - YouTube
https://www.youtube.com/watch?v=1Dkh173BAMw

Tower Of Power 1973 - YouTube
https://www.youtube.com/watch?v=JXQ2kMx2xok

Risky Business #394 -- Matthew Green talks "crypto bans"
0:00 / 57:55

Risky Business Podcast

December 10, 2015

Risky Business #393 -- So who's Satoshi this week?

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show -- in addition to covering the latest claims about the true identity of Satoshi Nakamoto -- we're taking a look at a recent deal between a very large bank in Australia and Sydney's University of New South Wales.

UNSW has had a lot of success over the last few years in actually training people to think offensively. They seem to have cracked a formula where others have tried and failed. Now, they've got $1.6m to play with courtesy of the Commonwealth Bank. This could be a model for colleges and universities everywhere. Whether you're a CSO having trouble recruiting good staff or you work in academia, you really want to hear this week's feature interviews with Brendan Hopper and CBA CSO Ben Heyes.

This week's show is brought to you by Bromium.

Bromium makes awesome micro-virtualisation software that really does neutralise the threat of memory corruption exploits in desktop environments. A speed bump for them has been their software requires Intel's virtualisation instruction extensions to work. Well, they've been around long enough now for Bromium to be getting some serious traction at the top end of town. They've also brought out version 3 of their software. with Bromium's Chief Security Architect Rahul Kashyap joins us in this week's sponsor interview to update us on what they've been up to for the last year or so.

The Grugq is in the news chair this week. Adam is busy running Kiwicon in Wellington.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Grugq on Twitter if that's your thing.

Show notes

Bitcoin's Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius | WIRED
http://www.wired.com/2015/12/bitcoins-creator-satoshi-nakamoto-is-probab...

This Australian Says He and His Dead Friend Invented Bitcoin
http://gizmodo.com/this-australian-says-he-and-his-dead-friend-invented-...

Reported bitcoin 'founder' Craig Wright's home raided by Australian police | Technology | The Guardian
http://www.theguardian.com/technology/2015/dec/09/bitcoin-founder-craig-...

Alleged Bitcoin Creator Craig Wright Likely Outed Himself | Fusion
http://fusion.net/story/243056/alleged-bitcoin-creator-craig-wright/

Satoshi's PGP Keys Are Probably Backdated and Point to a Hoax | Motherboard
http://motherboard.vice.com/read/satoshis-pgp-keys-are-probably-backdate...

Variety Jones, Alleged Silk Road Mentor, Arrested in Thailand | WIRED
http://www.wired.com/2015/12/variety-jones-alleged-silk-road-mentor-arre...

Let's Encrypt Initiative Enters Public Beta | Threatpost | The first stop for security news
https://threatpost.com/lets-encrypt-initiative-enters-public-beta/115568/

Trump says "closing that Internet" is a good way to fight terrorism | Ars Technica
http://arstechnica.com/tech-policy/2015/12/trump-wants-bill-gates-to-hel...

France looking at banning Tor, blocking public Wi-Fi | Ars Technica
http://arstechnica.com/tech-policy/2015/12/france-looking-at-banning-tor...

Attack floods Internet root servers with 5 million queries a second | Ars Technica
http://arstechnica.com/security/2015/12/attack-flooded-internet-root-ser...

root-servers.org/news/events-of-20151130.txt
http://root-servers.org/news/events-of-20151130.txt

Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom | WIRED
http://www.wired.com/2015/12/hacker-leaks-customer-data-after-a-united-a...

Anonymous Leaks Paris Climate Summit Officials' Private Data | WIRED
http://www.wired.com/2015/12/anonymous-leaks-paris-climate-summit-offici...

At first cyber meeting, China claims OPM hack is "criminal case" [Updated] | Ars Technica
http://arstechnica.com/tech-policy/2015/12/at-first-cyber-meeting-china-...

Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record \xab Threat Research | FireEye Inc
https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-r...

Experts Say Bitcoin Extortionist Copycats on the Rise | Threatpost | The first stop for security news
https://threatpost.com/bitcoin-extortionist-copycats-on-the-rise-experts...

Microsoft, Law Enforcement Collaborate in Dorkbot Takedown | Threatpost | The first stop for security news
https://threatpost.com/microsoft-law-enforcement-collaborate-in-dorkbot-...

Mozilla Will Stop Developing And Selling Firefox OS Smartphones | TechCrunch
http://techcrunch.com/2015/12/08/mozilla-will-stop-developing-and-sellin...

December Patch Tuesday avalanche of patches includes leaked Xbox certificate | Ars Technica
http://arstechnica.com/security/2015/12/december-patch-tuesday-avalanche...

Adobe, Microsoft Each Plug 70+ Security Holes - Krebs on Security
http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security...

Apple Patches 50+ Vulnerabilities in iOS, OS X, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-50-vulnerabilities-across-ios-os-x-...

Cisco Warning of CSRF, XSS Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-...

Dropbox - Backgrounder_UNSW and CBA Security Engineering.docx
https://www.dropbox.com/s/aqnbfxbcqhujxj1/Backgrounder_UNSW%20and%20CBA%...

Dropbox - Transcript_CyberSecurity_Heyes_Buckland_Dec2015_final.docx
https://www.dropbox.com/s/zod75xl50g1uuhz/Transcript_CyberSecurity_Heyes...

UNSW, Commonwealth Bank to offer cyber Security courses | Cyber security jobs
http://www.news.com.au/finance/business/other-industries/commonwealth-ba...

sec.edu - Security Engineering - Applied Cyber Security on openlearning.com
https://www.openlearning.com/courses/sec

Free ride: students crack ticket algorithm
http://www.smh.com.au/digital-life/consumer-security/free-ride-students-...

Wil Anderson | Chelsea Lately | Comedy Works
https://www.comedyworks.com/comedians/666

Risky Business #393 -- So who's Satoshi this week?
0:00 / 64:59

Risky Business Podcast

December 03, 2015

Risky Business #392 -- A look at Silverpush with Kevin Finisterre

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with Kevin Finisterre about Silverpush -- the creepy ultrasonic audio-beaconing technology used by advertising companies that was in the press a couple of weeks ago. Kevin was all over it and he joins me to discuss the growing overlap between the techniques used by marketers and blackhats.

This week's show is brought to you by Bugcrowd, big thanks to them. In this week's sponsor interview Bugcrowd CEO Casey Ellis joins us to discuss more on bug economics -- how do you price bugs? How do you determine bounty pools? It's not as simple as saying, well, XXE's are worth $500 each and XSS $200. The dynamics here are actually a little more complex than that.

Adam Boileau, as always, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hacker Obtained Children's Headshots and Chatlogs From Toymaker VTech | Motherboard
http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and...

When children are breached-inside the massive VTech hack | Ars Technica
http://arstechnica.com/security/2015/11/when-children-are-breached-insid...

Adobe sounds death knell for Flash - Software - iTnews
http://www.itnews.com.au/news/adobe-sounds-death-knell-for-flash-412522

China blamed for 'massive' cyber attack on Bureau of Meteorology supercomputer - ABC News (Australian Broadcasting Corporation)
http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-b...

CNN investigates: How Corporate America keeps huge hacks secret - Nov. 30, 2015
http://money.cnn.com/2015/11/30/technology/secret-deals-hacked-companies...

DHS Giving Firms Free Penetration Tests - Krebs on Security
http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/

DHS to Silicon Valley: Tell us how to secure this "Internet of Things" | Ars Technica
http://arstechnica.com/information-technology/2015/12/dhs-to-silicon-val...

Hey Reader's Digest: Your site has been attacking visitors for days | Ars Technica
http://arstechnica.com/security/2015/11/hey-readers-digest-your-site-has...

China APT Gang Targets Hong Kong Media via Dropbox | Threatpost | The first stop for security news
https://threatpost.com/china-apt-gang-targets-hong-kong-media-via-dropbo...

BlackBerry to bug out of Pakistan by end of year \u2022 The Register
http://www.theregister.co.uk/2015/12/01/blackberry_to_quit_pakistan/

Kazakhtelecom
http://telecom.kz/en/news/view/18729

Advantech EKI Vulnerable to Shellshock, Heartbleed | Threatpost | The first stop for security news
https://threatpost.com/advantech-ics-gear-still-vulnerable-to-shellshock...

Google Plans to End Chrome for 32-bit Linux, Releases Chrome 47 | Threatpost | The first stop for security news
https://threatpost.com/google-ends-chrome-support-on-32-bit-linux-releas...

Microsoft Revoves Trust for eDellroot Certficates | Threatpost | The first stop for security news
https://threatpost.com/microsoft-removes-trust-for-edellroot-certificate...

Lord Echo - Thinking of you - YouTube
https://www.youtube.com/watch?v=9djfSSTL-qQ

Meet The 'Ultrasonic' Tracking Company Privacy Activists Are Terrified Of - Forbes
http://www.forbes.com/sites/thomasbrewster/2015/11/16/silverpush-ultraso...

Risky Business #392 -- A look at Silverpush with Kevin Finisterre
0:00 / 60:19

Risky Business Podcast

November 26, 2015

Risky Business #391 -- Dell fails hard

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn.

If you haven't heard what they actually did you'll hardly even believe it. That's this week's feature interview.

This week's sponsor guest is Tenable's very own Brian "Jericho" Martin. He's a guy who knows a thing or two about vulnerabilities and the software supply chain. We dodged a bullet with those libpng vulnerabilities of a few weeks ago not really being exploitable. But what if they were? How do you prepare your organisation for some serious bugs dropping in libraries when you're not even sure if you're using that code?

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Clinton Says the US Needs Silicon Valley's Help to Defeat ISIS | WIRED
http://www.wired.com/2015/11/clinton-says-us-needs-silicon-valleys-help-...

Security Manual Reveals the OPSEC Advice ISIS Gives Recruits | WIRED
http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terror...

The Secret ISIS Cyber Guide Was Actually Just An Arabic Guide For Activists - BuzzFeed News
http://www.buzzfeed.com/sheerafrenkel/the-secret-isis-cyber-guide-was-ac...

Bangladesh mulls blocking WhatsApp and Viber to prevent terror activities
http://www.ibtimes.co.in/bangladesh-mulls-blocking-whatsapp-viber-preven...

Iranian military spear-phish of State Department employees detected first by Facebook | Ars Technica
http://arstechnica.com/security/2015/11/iranian-military-spear-phish-of-...

Breach at IT Automation Firm LANDESK - Krebs on Security
http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/

54 Starwood Hotels Hit By Point of Sale Malware | Threatpost | The first stop for security news
https://threatpost.com/starwood-hotel-chain-hit-by-point-of-sale-malware...

Hilton Acknowledges Credit Card Breach - Krebs on Security
http://krebsonsecurity.com/2015/11/hilton-acknowledges-credit-card-breach/

A $10 Tool Can Guess (And Steal) Your Next Credit Card Number | WIRED
http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-st...

Certifications Tracking System Outage and Data Exposure - The Cisco Learning Network
https://learningnetwork.cisco.com/blogs/community_cafe/2015/11/21/certif...

FBI Warns Public Officials of Doxing Threat | Threatpost | The first stop for security news
https://threatpost.com/fbi-warns-public-officials-of-doxing-threat/115429/

The Doctor on a Quest to Save Our Medical Devices From Hackers | WIRED
http://www.wired.com/2015/11/the-doctor-on-a-quest-to-save-our-medical-d...

TrueCrypt is safer than previously reported, detailed analysis concludes | Ars Technica
http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previous...

GlassRAT Remote Access Trojan | Threatpost | The first stop for security news
https://threatpost.com/stealthy-glassrat-spies-on-commercial-targets/115...

VirusTotal Mac OS X App Sandbox Support | Threatpost | The first stop for security news
https://threatpost.com/virustotal-adds-sandbox-execution-for-os-x-apps/1...

Amazon resets account passwords feared compromised - report \u2022 The Register
http://www.theregister.co.uk/2015/11/25/amazon_password_reset/

United Airlines Slow to Patch Mobile App Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/united-airlines-slow-to-patch-mobile-app-vulnerab...

Lenovo Patches Vulnerabilities in System Update Service | Threatpost | The first stop for security news
https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-s...

600,000 Arris Modems Plagued by 'Backdoor in a Backdoor' | Threatpost | The first stop for security news
https://threatpost.com/backdoor-in-a-backdoor-identified-in-600000-arris...

VMware Patches Pesky XXE Bug in Flex BlazeDS | Threatpost | The first stop for security news
https://threatpost.com/vmware-patches-pesky-xxe-bug-in-flex-blazeds/115443/

Sony employees on the hack, one year later.
http://www.slate.com/articles/technology/users/2015/11/sony_employees_on...

Dell apologizes for HTTPS certificate fiasco, provides removal tool | Ars Technica
http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certif...

Joe Nord personal blog: New Dell computer comes with a eDellRoot trusted root certificate
http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroo...

Dude, You Got Dell'd: Publishing Your Privates - Blog - Duo Security
https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-pri...

bluejuice - The Reductionist - YouTube
https://www.youtube.com/watch?v=v0N7DDDKsqw

Risky Business #391 -- Dell fails hard
0:00 / 44:30

Risky Business Podcast

November 20, 2015

Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's feature interview we're checking in with FireEye's Jonathan Wrolstad. He's a threat intelligence guy at FireEye and they've just published a really interesting report about what a threat group is doing in terms of target recon. They're using marketing company tricks to recon all sorts of high value targets. It's very interesting stuff, and it's likely tied to the Russian state.

This week's show is brought to you by Senetas Security, makers of terrific layer 2 encryption gear. Senetas CTO Julian Fay stops by in this week's sponsor interview to chat about Network Function Virtualisation. It's a new twist on a concept that's been around for a while. It's getting a second wind thanks to some work being done at Etsy, of all places.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Paris Terror Attacks Stoke Encryption Debate - Krebs on Security
http://krebsonsecurity.com/2015/11/paris-terror-attacks-stoke-encryption...

ISIS using encrypted apps for communications; former intel officials blame Snowden [Updated] | Ars Technica
http://arstechnica.com/information-technology/2015/11/isis-encrypted-com...

After Paris Attacks, Here's What the CIA Director Gets Wrong About Encryption | WIRED
http://www.wired.com/2015/11/paris-attacks-cia-director-john-brennan-wha...

There's no evidence ISIS used PS4 to plan Paris attacks | Ars Technica
http://arstechnica.com/gaming/2015/11/despite-what-the-papers-say-theres...

ISIS: CloudFlare CEO slams Anonymous' claims that he's protecting terrorists' websites
http://www.news.com.au/technology/online/hacking/a-silicon-valley-startu...

Telegram encrypted messaging service cracks down on ISIS broadcasts | Ars Technica
http://arstechnica.com/information-technology/2015/11/telegram-encrypted...

ISIS operates a crypto help desk - report \u2022 The Register
http://www.theregister.co.uk/2015/11/18/isis_help_desk/

Is Anonymous' war on ISIS doing more harm than good? | The Verge
http://www.theverge.com/2015/11/19/9761682/anonymous-isis-vigilante-camp...

Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor | Threatpost | The first stop for security news
https://threatpost.com/carnegie-mellon-says-it-was-subpoenaed-and-not-pa...

Carnegie Mellon Denies FBI Paid for Tor-Breaking Research | WIRED
http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-bre...

Libpng PNG Reference Library Patches Memory Corruption Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/patched-libpng-vulnerabilities-have-limited-scope...

Here's a Spy Firm's Price List for Secret Hacker Techniques | WIRED
http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hac...

Android adware can install itself even when users explicitly reject it | Ars Technica
http://arstechnica.com/security/2015/11/android-adware-can-install-itsel...

Google to Warn Recipients of Unencrypted Gmail Messages | Threatpost | The first stop for security news
https://threatpost.com/google-to-warn-recipients-of-unencrypted-gmail-me...

Microsoft Blocks Unsigned DLLs in Edge with Update | Threatpost | The first stop for security news
https://threatpost.com/microsoft-cracks-down-on-toolbars-unsigned-dlls-w...

JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services - Krebs on Security
http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-...

BitLocker popper uses Windows authentication to attack itself \u2022 The Register
http://www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/

Adobe Issues HotFix For ColdFusion | Threatpost | The first stop for security news
https://threatpost.com/adobe-pushes-hotfix-for-coldfusion/115389/

Wad of Stuff: CVE-2015-6357: FirePWNER Exploit for Cisco FireSIGHT Management Center SSL Validation Vulnerability
http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploi...

Issue 539 - google-security-research - Kaspersky Antivirus Certificate handling path traversal - Google Security Research - Google Project Hosting
https://code.google.com/p/google-security-research/issues/detail?id=539&...

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

Eagles of Death Metal - I Want You So Hard - YouTube
https://www.youtube.com/watch?v=MZrctLnsF4M

Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks
0:00 / 51:54