Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #366 -- Software defined networking security

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

On this week's show we're chatting with Dave Jorm of IIX -- International Internet Exchange. We're previewing his upcoming AusCERT talk all about software defined networking security. It's fancy tech, but there are some interesting little quirks CSOs should definitely be across.

This week's show is sponsored by Senetas, big thanks to them. Senetas CTO Julian Fay is this week's sponsor guest. We talk about those horrible Open Smart Grid bugs and a few other things, that's coming up later.

Adam Boileau, as usual, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Venom VM bug called "perfect" for NSA, or for stealing bitcoins and passwords | Ars Technica
http://arstechnica.com/security/2015/05/venom-vm-bug-called-perfect-for-...

Extremely serious virtual machine bug threatens cloud providers everywhere | Ars Technica
http://arstechnica.com/security/2015/05/extremely-serious-virtual-machin...

Cybersecurity firm accused of staging data breaches to extort clients
http://www.engadget.com/2015/05/09/tiversa-whistleblower/

US Government Labeled Al Jazeera Journalist as Al Qaeda
https://firstlook.org/theintercept/2015/05/08/u-s-government-designated-...

Court Rules NSA Bulk Data Collection Was Never Authorized By Congress | WIRED
http://www.wired.com/2015/05/breaking-news-federal-court-rules-nsa-bulk-...

GPU-based rootkit and keylogger offer superior stealth and computing power | Ars Technica
http://arstechnica.com/security/2015/05/gpu-based-rootkit-and-keylogger-...

$7500 DDoS extortion hitting Aussie, Kiwi enterprises • The Register
http://www.theregister.co.uk/2015/05/08/ddos_hitting_oz_nz/

Microsoft Brings Perfect Forward Secrecy to Windows | Threatpost | The first stop for security news
https://threatpost.com/new-crypto-suites-bring-perfect-forward-secrecy-t...

Tor Cloud Shut Down Amid Lack of Support | Threatpost | The first stop for security news
https://threatpost.com/tor-cloud-shut-down-amid-lack-of-support/112725

MacKeeper Zero Day Patched | Threatpost | The first stop for security news
https://threatpost.com/mackeeper-patches-remote-code-execution-zero-day/...

Remotely Exploitable Vulnerabilities in SAP Compression Algorithms | Threatpost | The first stop for security news
https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compr...

Adobe, Microsoft Push Critical Security Fixes - Krebs on Security
http://krebsonsecurity.com/2015/05/adobe-microsoft-push-critical-securit...

Home Automation Protocol Z-Way Vulnerable to Remote Attacks | Threatpost | The first stop for security news
https://threatpost.com/home-automation-protocol-z-way-vulnerable-to-remo...

SDN and Security - David Jorm | ONOS
http://onosproject.org/2015/04/03/sdn-and-security-david-jorm/

CloudRouter® | Router Distribution for the Cloud
https://cloudrouter.org/

Meeting Snowden in Princeton | Light Blue Touchpaper
https://www.lightbluetouchpaper.org/2015/05/02/meeting-snowden-in-prince...

Open Smart Grid Protocol Homegrown Crypto Weaknesses | Threatpost | The first stop for security news
https://threatpost.com/weak-homegrown-crypto-dooms-open-smart-grid-proto...

Zuluboy - Mbombela (A Twist of Bayethe) - YouTube
https://www.youtube.com/watch?v=KFS4cSmzjYY

Risky Business #365 -- Defence in derpth

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

This week's show is brought to you by BugCrowd -- crowdsourced security testing. Bugcrowd founder and CEO Casey Ellis will join us in this week's sponsor interview to tell us about the latest trends in bounties and crowdsourced security.

He's got some useful info. It turns out bounty participants are getting better at doing OSINT collection to win when testing. So yeah, creds and stuff in GitHub and repos that shouldn't be there are giving these guys easy wins. We'll also talk about the latest trends in terms of who's running bounty programs -- it's not just companies testing web and mobile apps these days, they're doing a bunch more work on IoT and installable software. It's a solid trend.

There's no feature interview in this week's show because, well, it was a pretty slow week. I was expecting last week's US House hearing into possible US responses to encryption technology to give me heaps of feature material for this week's show, but it was actually a bit of a fizzer, which is pretty awesome, actually.

Adam Boileau, as usual, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Windows Update for Business Uproots Patch Tuesday | Threatpost | The first stop for security news
https://threatpost.com/patch-tuesday-facelift-end-of-an-era/112640

A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent…
https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-par...

Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday • The Register
http://www.theregister.co.uk/2015/05/04/microsoft_windows_10_updates/

With Lock Research, Another Battle Brews in the War Over Security Holes | WIRED
http://www.wired.com/2015/05/lock-research-another-battle-brews-war-secu...

Vulnerability-Riddled Drug Pumps Open to Takeover | Threatpost | The first stop for security news
https://threatpost.com/vulnerability-riddled-drug-pumps-open-to-takeover...

Interpol alerted as teenage hacker from Perth flees to Europe | The Australian
http://www.theaustralian.com.au/news/nation/interpol-alerted-as-teenage-...

Programmer Convicted in Bizarre Goldman Sachs Case-Again | WIRED
http://www.wired.com/2015/05/programmer-convicted-bizarre-goldman-sachs-...

WikiLeaks Finally Brings Back Its Submission System for Your Secrets | WIRED
http://www.wired.com/2015/05/wikileaks-finally-brings-back-submission-sy...

How Selerity reported Twitter's earnings-before Twitter did | Ars Technica
http://arstechnica.com/business/2015/05/how-selerity-reported-twitters-2...

'Just follow the damn Constitution!' FBI, DoJ skewered over demands for crypto backdoors • The Register
http://www.theregister.co.uk/2015/05/01/congress_gives_bipartisan_bolloc...

Congress, Crypto and Craziness | Threatpost | The first stop for security news
https://threatpost.com/congress-crypto-and-craziness/112508

Zuck'ed up: Facebook opens up free internet in India - but bans HTTPS • The Register
http://www.theregister.co.uk/2015/05/04/internet_org_facebook/

Foiling Pump Skimmers With GPS - Krebs on Security
http://krebsonsecurity.com/2015/05/foiling-pump-skimmers-with-gps/

PayIvy Sells Your Online Accounts Via PayPal - Krebs on Security
http://krebsonsecurity.com/2015/05/payivy-sells-your-online-accounts-via...

Google Research Reveals Profitable, Pervasive Ad Injector Ecosystem | Threatpost | The first stop for security news
https://threatpost.com/google-research-reveals-profitable-pervasive-ad-i...

Microsoft LAPS Tool Addresses Local Admin Password Problem | Threatpost | The first stop for security news
https://threatpost.com/microsoft-laps-tool-tackles-common-local-admin-pa...

Netflix Releases FIDO Incident Response Tool | Threatpost | The first stop for security news
https://threatpost.com/netflix-releases-fido-incident-response-tool/112618

Google Updates Password Alert Extension, But Some Bypasses Still Work | Threatpost | The first stop for security news
https://threatpost.com/google-updates-password-alert-extension-but-some-...

Super secretive malware wipes hard drive to prevent analysis | Ars Technica
http://arstechnica.com/security/2015/05/super-secretive-malware-wipes-ha...

Dyre Banking Trojan Avoids Sandbox Detection | Threatpost | The first stop for security news
https://threatpost.com/dyre-banking-trojan-jumps-out-of-sandbox/112533

The BACKRONYM MySQL Vulnerability - Blog - Duo Security
https://www.duosecurity.com/blog/backronym-mysql-vulnerability

Behold: the drop-dead simple exploit that nukes Google's Password Alert | Ars Technica
http://arstechnica.com/security/2015/04/behold-the-drop-dead-simply-expl...

Actively exploited WordPress bug puts millions of sites at risk | Ars Technica
http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug...

Spam-blasting malware infects thousands of Linux and FreeBSD servers | Ars Technica
http://arstechnica.com/security/2015/04/spam-blasting-malware-infects-th...

Lenovo System Update Vulnerabilities Patched | Threatpost | The first stop for security news
https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-s...

Sally Beauty Card Breach, Part Deux? - Krebs on Security
http://krebsonsecurity.com/2015/05/sally-beauty-card-breach-part-deux/

02 - Mammal - Think - YouTube
https://www.youtube.com/watch?v=mCQXqHr9CwE

Risky Business #364 -- The cuckoo's carton

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

In this week's feature interview we chat with John Strand, a SANS instructor and co-host of Security Weekly's webcasts. He runs Black Hills Information Security and he's a maintainer of the ADHD Linux distro -- it's essentially a curation of active defence tools that you can use to do some funky stuff. But in this case active defence doesn't mean popping shells on boxes in China, it's more about annoying the absolute shit out of your adversaries.

In this week's sponsor interview we're chatting with Chris Gatford, HackLabs' founder and head honcho, all about something that came up last week -- software defined radio security testing. Is there a market for that sort of thing like last week's guest Balint Seeber suggested?

Well, yes and no. That interview is coming up at the end of the show.

Adam Boileau, as usual, stops in to discuss the week's news headlines.

Links to everything are in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #363 -- Software defined radio gets interesting

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

This week's show was cut together from our nation's capital, Canberra!

I've been down here to attend the Australian Cyber Security Centre conference, which was actually pretty good. There were some great technical talks. One of them was by Balint Seeber on Software defined radio haxing, he's our feature guest in this week's show.

We'll talk to him about messing around with aircraft radar, ACARS, keyless entry and all sorts of stuff. He even managed to take control of a satellite 15 million kilometres from Earth from his laptop while he was in a DEFCON talk! (Don't try this at home. Or do. I don't know what advice to give on that one.)

This week's show is brought to you by Tenable Network Security, makers of fine, fine information security software like Nessus. If you aren't familiar with Tenable's stuff you really should be, they make some excellent kit. Head to Tenable.com to check that out.

In this week's sponsor interview we're chatting with Tenable's strategist Jack Daniel. He's over at the RSA conference and he'll be giving us a rundown on what it's like there. Over 500 exhibitors this year. Crazy.

Adam Boileau, as usual, is in the news chair this week.

Links to everything are in this week's show notes.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #362 -- Bob Rudis on the Verizon Data Breach Investigation report

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

In this week's show we're chatting with Bob Rudis of Verizon about that company's annual data breach investigation report. After what I thought was a bit of a lapse in relevance last year, the 2015 report has come back stronger than ever. There are some genuinely interesting findings.

This week's show is brought to you by Intralinks! In this week's sponsor interview Intralinks North America field CTO Darren Glenister will pop in to talk about data sovereignty in the age of cloud computing. Specifically, how do customer-managed key setups affect things? Is the location of the data important? Or is the location the data is controlled from a bigger deal?

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

April 2015 Microsoft Patch Tuesday Security Bulletins | Threatpost | The first stop for security news
https://threatpost.com/microsoft-patches-critical-http-sys-vulnerability...

Hackers Could Commandeer New Planes Through Passenger Wi-Fi | WIRED
http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/

An App That Hides Secret Messages in Starcraft-Style Games | WIRED
http://www.wired.com/2015/04/app-hides-secret-messages-starcraft-style-g...

Hacker Lexicon: What Are Chip and PIN Cards? | WIRED
http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/

How Popcorn Time's Piracy App Is Sneaking Onto iPhones | WIRED
http://www.wired.com/2015/04/popcorn-times-piracy-app-sneaking-onto-ipho...

Chrome starts pushing Java off the Web by disabling plugins | Ars Technica
http://arstechnica.com/information-technology/2015/04/chrome-starts-push...

Researchers try to hack the economics of zero-day bugs | Ars Technica
http://arstechnica.com/security/2015/04/researchers-try-to-hack-the-econ...

Prosecutors suspect man hacked lottery computers to score winning ticket | Ars Technica
http://arstechnica.com/tech-policy/2015/04/prosecutors-suspect-man-hacke...

Botnet that enslaved 770,000 PCs worldwide comes crashing down | Ars Technica
http://arstechnica.com/security/2015/04/botnet-that-enslaved-770000-pcs-...

Russia pulls alleged 'Svpeng' kingpin • The Register
http://www.theregister.co.uk/2015/04/14/russia_pulls_alleged_svpeng_king...

Verizon, NetFlix, KFC ad-men pay traffic cons $500k a month • The Register
http://www.theregister.co.uk/2015/04/15/verizon_netflix_kfc_admen_pay_tr...

POS Providers Feel Brunt of PoSeidon Malware - Krebs on Security
http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-...

Hacked French TV network admits "blunder" that exposed YouTube password | Ars Technica
http://arstechnica.com/security/2015/04/hacked-french-tv-network-admits-...

NSA dreams of smartphones with "split" crypto keys protecting user data | Ars Technica
http://arstechnica.com/tech-policy/2015/04/nsa-dreams-of-smartphones-wit...

Middle school student charged with cybercrime in Holiday | Tampa Bay Times
http://www.tampabay.com/news/publicsafety/crime/middle-school-student-ch...

Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica
http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-...

Don't Be Fodder for China's 'Great Cannon' - Krebs on Security
http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/

What the Ridiculous Fuck, D-Link?! - /dev/ttyS0
http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/

Apple splats Safari flaw affecting a BEELLION iThings • The Register
http://www.theregister.co.uk/2015/04/15/apple_splats_safari_flaw_affecti...

Critical Updates for Windows, Flash, Java - Krebs on Security
http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/

Latest version of OS X closes backdoor-like bug that gives attackers root | Ars Technica
http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-ba...

acars security - Google Search
https://www.google.com/search?q=acars&oq=acars&aqs=chrome..69i57j0l5.109...

Multi-faceted enterprise security | Intralinks
https://www.intralinks.com/platform-solutions/platform/security

Screaming Headless Torsos (Smile in a Wave) - YouTube
https://www.youtube.com/watch?v=fYgPU-WnmnA

Support Patrick Gray creating The Risky Business Podcast
https://www.patreon.com/riskybusiness

Risky Business #361 -- ISIS pwns French TV, Russians pwn White House

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

We've got a shorter than usual show for you this week. It's actually been a three day week here in Australia because we get Easter Friday and Easter Monday off. So there's no feature interview this week, sorry about that.

But nonetheless we've got a great podcast for you this week. We'll be checking the week's news headlines with Adam Boileau then moving right on into this week's sponsor interview.

This week's show is brought to you by Rapid7, makers of fine, fine information security software. And we're chatting with Rapid7's Wade Woolwine in this week's sponsor interview about how to get the most out of what you have. It can be as simple as rotating some of your smartest people through different areas of your businesses. Make your best pentester deal with the SIEM setup for a month and guess what? You're going to have a much better SIEM setup at the end of it!

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

French TV5Monde channel hit by pro-Islamic State hackers - Yahoo News
http://news.yahoo.com/french-tv5monde-hit-pro-islamic-state-hackers-2221...

French broadcaster TV5Monde hacked: Yahoo News | Reuters
http://www.reuters.com/article/2015/04/08/us-tv5monde-cybercrime-idUSKBN...

'ISIS hackers' overtake French TV station - RT News
http://rt.com/news/248073-islamic-state-hackers-french-tv/

How Russians hacked the White House - CNN.com
http://edition.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/in...

White House denies CNN report that Russian hackers penetrated sensitive computer systems - ABC News (Australian Broadcasting Corporation)
http://www.abc.net.au/news/2015-04-08/white-house-denies-russian-hacker-...

New lawsuit says DEA phone surveillance was illegal
http://www.usatoday.com/story/news/2015/04/08/eff-lawsuit-dea-telephone-...

On John Oliver, Edward Snowden Says Keep Taking Dick Pics | WIRED
http://www.wired.com/2015/04/john-oliver-edward-snowden-dick-pics/

Popular crypto app uses single-byte XOR and nowt else, hacker says • The Register
http://www.theregister.co.uk/2015/04/07/uberpopular_crypto_app_uses_xor_...

Anonabox Recalls 350 'Privacy' Routers for Security Flaws | WIRED
http://www.wired.com/2015/04/anonabox-recall/

Review: Anonabox or InvizBox, which Tor router better anonymizes online life? | Ars Technica
http://arstechnica.com/information-technology/2015/04/review-anonabox-or...

Vulnerability Forces Mozilla to Disable Opportunistic Encryption in Firefox | Threatpost | The first stop for security news
https://threatpost.com/vulnerability-forces-mozilla-to-disable-opportuni...

TrueCrypt alternatives VeraCrypt CipherShed Step Up | Threatpost | The first stop for security news
https://threatpost.com/post-cryptanalysis-truecrypt-alternatives-step-fo...

FBI Warns of Fake Govt Sites, ISIS Defacements - Krebs on Security
http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-def...

As many as 1 million sites imperiled by dangerous bug in WordPress plugin | Ars Technica
http://arstechnica.com/security/2015/04/as-many-as-1-million-sites-imper...

Change.org springs a leak, exposes private e-mail addresses [updated] | Ars Technica
http://arstechnica.com/security/2015/04/change-org-springs-a-leak-expose...

Linux Australia Breached by Hackers | Threatpost | The first stop for security news
https://threatpost.com/linux-australia-hit-with-server-breach/112025

In the time it takes you to watch The Hangover, AT&T will pay a $25m fine for privacy scandal • The Register
http://www.theregister.co.uk/2015/04/08/fcc_at_t_25_million_dollar_fine/

Schneier on Security: Australia Outlaws Warrant Canaries
https://www.schneier.com/blog/archives/2015/03/australia_outla.html

Most top corporates still Heartbleeding over the internet • The Register
http://www.theregister.co.uk/2015/04/08/still_bleeding_one_year_laterhea...

Police chief: "Paying the Bitcoin ransom was the last resort" | Ars Technica
http://arstechnica.com/tech-policy/2015/04/police-chief-paying-the-bitco...

Chrome extension collects browsing data, uses it for marketing | Ars Technica
http://arstechnica.com/security/2015/04/chrome-extension-collects-browsi...

Bugs in Tor network used in attacks against underground markets | Ars Technica
http://arstechnica.com/security/2015/04/bugs-in-tor-network-used-in-atta...

NTP Symmetric Key Authentication Security Vulnerabilities Patched | Threatpost | The first stop for security news
https://threatpost.com/two-ntp-key-authentication-vulnerabilities-patche...

Aw, snap! How huge HTML links can crash Chrome tabs in one click • The Register
http://www.theregister.co.uk/2015/04/07/chrome_awsnap_vuln/

Apple Releases Security Updates for OS X, iOS, Safari, and Apple TV | US-CERT
https://www.us-cert.gov/ncas/current-activity/2015/04/08/Apple-Releases-...

Strontium 90 (band) - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Strontium_90_%28band%29

Risky Business #360 -- The Great GitHub DDoS of 2015

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

In this week's show we chat with Arbor Networks' Roland Dobbins about the Great GitHub DDoS of 2015, Paul Asadoorian of Tenable Network Security about vulnerability management and, of course, Adam Boileau about the week's security news.

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

DEA Agent Charged With Acting as a Paid Mole for Silk Road | WIRED
http://www.wired.com/2015/03/dea-agent-charged-acting-paid-mole-silk-road/

Silk Road Boss' First Murder-for-Hire Was His Mentor's Idea | WIRED
http://www.wired.com/2015/04/silk-road-boss-first-murder-attempt-mentors...

Feds Demand Reddit Identify Users of a Dark-Web Drug Forum | WIRED
http://www.wired.com/2015/03/dhs-reddit-dark-web-drug-forum/

Massive denial-of-service attack on GitHub tied to Chinese government | Ars Technica
http://arstechnica.com/security/2015/03/massive-denial-of-service-attack...

DDoS Attack on GitHub Linked to Earlier One Against GreatFire.org | Threatpost | The first stop for security news
https://threatpost.com/ddos-attack-on-github-linked-to-earlier-one-again...

Google Online Security Blog: Maintaining digital certificate security
http://googleonlinesecurity.blogspot.co.nz/2015/03/maintaining-digital-c...

New Obama Order Allows Sanctions Against Foreign Hackers | WIRED
http://www.wired.com/2015/04/new-obama-order-allows-sanctions-foreign-ha...

E-mail autofill blunder leaks personal details of G20 world leaders | Ars Technica
http://arstechnica.com/tech-policy/2015/03/e-mail-autofill-blunder-leaks...

Volatile Cedar APT Group First Operating Out of Lebanon | Threatpost | The first stop for security news
https://threatpost.com/volatile-cedar-apt-group-first-operating-out-of-l...

Bitcoin's Blockchain Offers Safe Haven For Malware And Child Abuse, Warns Interpol - Forbes
http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain...

Energy companies around the world infected by newly discovered malware | Ars Technica
http://arstechnica.com/security/2015/03/energy-companies-around-the-worl...

Stolen Uber Customer Accounts Are for Sale on the Dark Web for $1 | Motherboard
http://motherboard.vice.com/read/stolen-uber-customer-accounts-are-for-s...

Noose around Internet's TLS system tightens with 2 new decryption attacks | Ars Technica
http://arstechnica.com/security/2015/03/noose-around-internets-tls-syste...

Google joins Apple, others in calling for spying controls, as Patriot Act vote nears - CNET
http://www.cnet.com/news/google-joins-apple-others-in-calling-for-spying...

NSA considered ending phone surveillance program -- report - CNET
http://www.cnet.com/news/nsa-considered-ending-phone-surveillance-progra...

Little Change in Online Behavior Following Snowden Revelations | Threatpost | The first stop for security news
https://threatpost.com/little-change-in-online-behavior-following-snowde...

Cross-dressing blokes storm NSA HQ: One shot dead, one hurt • The Register
http://www.theregister.co.uk/2015/03/30/nsa_hq_rammed/

New Firefox version says "might as well" to encrypting all Web traffic | Ars Technica
http://arstechnica.com/security/2015/04/new-firefox-version-says-might-a...

Verizon Allows Opt Out of UIDH Mobile Supercookie | Threatpost | The first stop for security news
https://threatpost.com/verizon-allows-opt-out-of-uidh-mobile-supercookie...

Multicast DNS Vulnerability Could Lead to DDOS Amplification | Threatpost | The first stop for security news
https://threatpost.com/multicast-dns-vulnerability-could-lead-to-ddos-am...

Google kills 200 ad-injecting Chrome extensions, says many are malware | Ars Technica
http://arstechnica.com/security/2015/04/google-kills-200-ad-injecting-ch...

'Revolution' Crimeware & EMV Replay Attacks - Krebs on Security
http://krebsonsecurity.com/2015/04/revolution-crimeware-emv-replay-attacks/

Sign Up at irs.gov Before Crooks Do It For You - Krebs on Security
http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-i...

Who Is the Antidetect Author? - Krebs on Security
http://krebsonsecurity.com/2015/03/who-is-the-antidetect-author/

Critical Vulnerabilities Affecting JSON Web Token Libraries | Threatpost | The first stop for security news
https://threatpost.com/critical-vulnerabilities-affect-json-web-token-li...

This one weird trick deletes any YouTube flick in just a few clicks • The Register
http://www.theregister.co.uk/2015/04/01/simple_trick_to_delete_any_youtu...

Trailer: Shades of Black - The Valhalla Lights story
https://www.youtube.com/watch?v=ZQdLyNNgYcA

Risky Business #359 -- Whisper? More like shout!

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

This week Risky Business takes you behind the scenes of a spat between the makers of the Whisper App and Stephen Ridley's company Xipiter.

Ridley's crew say they found some 24-carat-facepalm security problems with the app, subsequently publishing a blog post and video detailing the bugs. You'd think Whisper would patch the bugs and move on. But no, they decided to accuse Xipiter of making the whole thing up, even going so far as to accuse them of doctoring their proof of concept video!

Stephen Ridley will join the show to discuss all of that.

This week's show is brought to you by FireEye, makers of fine, fine security software and appliances. And this week's guest is Steve Miller. Steve is American, he came from the Mandiant side of FireEye's business, but he's moved to Sydney to head up security operations for FireEye in APJ! We'll be talking to him about some tales from the incident response trenches and how really good target profiling has become a standard part of the contemporary attacker's MO.

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

You can become a Risky Business patron here:
https://www.patreon.com/riskybusiness

News:

Islamic State doxes US soldiers, airmen, calls on supporters to kill them | Ars Technica
http://arstechnica.com/tech-policy/2015/03/islamic-state-doxes-us-soldie...

All four major browsers take a stomping at Pwn2Own hacking competition | Ars Technica
http://arstechnica.com/security/2015/03/all-four-major-browsers-take-a-s...

Google warns of unauthorized TLS certificates trusted by almost all OSes [Updated] | Ars Technica
http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls...

Windows 10 to make the Secure Boot alt-OS lock out a reality | Ars Technica
http://arstechnica.com/information-technology/2015/03/windows-10-to-make...

Google Adds Deceptive Software to Safe Browsing API | Threatpost | The first stop for security news
https://threatpost.com/google-adds-deceptive-software-to-safe-browsing-a...

MRIs show our brains shutting down when we see security prompts | Ars Technica
http://arstechnica.com/security/2015/03/mris-show-our-brains-shutting-do...

Stealing Data From Computers Using Heat | WIRED
http://www.wired.com/2015/03/stealing-data-computers-using-heat/

Hacking BIOS Chips Isn't Just the NSA's Domain Anymore | WIRED
http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine...

Tax Fraud Advice, Straight from the Scammers - Krebs on Security
http://krebsonsecurity.com/2015/03/tax-fraud-advice-straight-from-the-sc...

Malicious user hides trojan links in cloned Steam Greenlight pages | Ars Technica
http://arstechnica.com/gaming/2015/03/malicious-user-hides-trojan-links-...

Twitch resets user passwords following breach | Ars Technica
http://arstechnica.com/security/2015/03/twitch-resets-user-passwords-fol...

Hilton Honors Flaw Exposed All Accounts - Krebs on Security
http://krebsonsecurity.com/2015/03/hilton-honors-flaw-exposed-all-accounts/

Target to pay $10 million to victims of data breach - CNET
http://www.cnet.com/news/target-to-pay-10-million-to-victims-of-data-bre...

A $60 Gadget That Makes Car Hacking Far Easier | WIRED
http://www.wired.com/2015/03/60-gadget-thatll-make-car-hacking-easier-ever/

Dridex Campaign Evades Detection with AutoClose Function | Threatpost | The first stop for security news
https://threatpost.com/latest-dridex-campaign-evades-detection-with-auto...

Adobe CVE-2011-2461 Remains Exploitable Via Flex Four Years After Patch | Threatpost | The first stop for security news
https://threatpost.com/adobe-cve-2011-2461-remains-exploitable-four-year...

Cisco Small Business IP Phones Open to Remote Eavesdropping | Threatpost | The first stop for security news
https://threatpost.com/cisco-small-business-ip-phones-open-to-remote-eav...

Default Setting in Windows 7, 8.1 Could Allow Privilege Escalation | Threatpost | The first stop for security news
https://threatpost.com/default-setting-in-windows-7-8-1-could-allow-priv...

Instagram API Bug Could Allow Malware Downloads | Threatpost | The first stop for security news
https://threatpost.com/instagram-api-bug-could-allow-malicious-file-down...

OpenSSL Patches High Severity DOS Vulnerability | Threatpost | The first stop for security news
https://threatpost.com/openssl-mystery-patch-is-no-heartbleed/111708

Android hijacking bug may allow attackers to install password-stealers | Ars Technica
http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-...

Background on The Guardian vs Whisper:

Corrections and clarifications | News | The Guardian
http://www.theguardian.com/news/2015/mar/11/corrections-and-clarifications

The Whisper Campaign That Torched A Guardian Story - BuzzFeed News
http://www.buzzfeed.com/mathonan/the-whisper-campaign-that-torched-a-gua...

"a confederacy of 'privacy' dunces": what we found under the hood of an 'anonymous' chat app used by millions - Xipiter
http://www.xipiter.com/musings/a-confederacy-of-privacy-dunces-what-we-f...

Music!

Pendulum - ABC News Theme Remix Full Version + Download - YouTube
https://www.youtube.com/watch?v=8XbQsjRc7L0


Risky Business #358 -- HD Moore and Haroon Meer play "king for a day"

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we chat with Rapid7's HD Moore (feature) and Thinkst head honcho Haroon Meer (sponsor) about the big-picture shifts that could see enterprise security actually improve. They're both high-level interviews with two of the industry's sharpest.

Don't forget to check out this week's Risky Business video!

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Have you checked out this week's Risky Business YouTube video?
https://www.youtube.com/watch?v=TY0mBzP7qw8

German Police Just Made a Gigantic Dark-Web Drug Bust | WIRED
http://www.wired.com/2015/03/evolution-shiny-flakes-bust-heroin-cocaine-...

The Dark Web's Top Drug Market, Evolution, Just Vanished | WIRED
http://www.wired.com/2015/03/evolution-disappeared-bitcoin-scam-dark-web/

Hackers May Have Taken Medical Records From Insurer Premera | WIRED
http://www.wired.com/2015/03/hackers-may-taken-medical-records-insurer-p...

Bogus SSL certificate for Windows Live could allow man-in-the-middle hacks | Ars Technica
http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-window...

Man who obtained Windows Live cert said his warnings went unanswered | Ars Technica
http://arstechnica.com/security/2015/03/man-who-obtained-windows-live-ce...

Microsoft takes 4 years to recover privileged TLS certificate addresses | Ars Technica
http://arstechnica.com/security/2015/03/microsoft-takes-4-years-to-recov...

Obama Administration Seeks More Legal Power to Disrupt Botnets | Threatpost | The first stop for security news
https://threatpost.com/obama-administration-seeks-more-legal-power-to-di...

CISA Cybersecurity Bill Advances Despite Privacy Concerns | WIRED
http://www.wired.com/2015/03/cisa-cybersecurity-bill-advances-despite-pr...

Mobile Android, iOS Apps Still Vulnerable to FREAK Attacks | Threatpost | The first stop for security news
https://threatpost.com/mobile-android-ios-apps-still-vulnerable-to-freak...

Shared Keys Simplify, Cheapen FREAK Attacks | Threatpost | The first stop for security news
https://threatpost.com/shared-keys-simplify-cheapen-freak-attacks/111668

Yahoo Previews End To End Email Encryption | Threatpost | The first stop for security news
https://threatpost.com/yahoo-previews-end-to-end-email-encryption-extens...

Yahoo wants to let you forget your Yahoo password - CNET
http://www.cnet.com/news/yahoo-wants-to-let-you-forget-your-yahoo-password/

Guardian backtracks, says Whisper doesn't spy on its users after all | Ars Technica
http://arstechnica.com/security/2015/03/guardian-backtracks-says-whisper...

Strange snafu hijacks UK nuke maker's traffic, routes it through Ukraine | Ars Technica
http://arstechnica.com/security/2015/03/mysterious-snafu-hijacks-uk-nuke...

South Korea claims North hacked nuclear data | Ars Technica
http://arstechnica.com/security/2015/03/south-korea-claims-north-hacked-...

Hey Twitter, Killing Anonymity's a Dumb Way to Fight Trolls | WIRED
http://www.wired.com/2015/03/hey-twitter-killing-anonymitys-dumb-way-fig...

Facebook Messenger will now let you send money to friends | The Verge
http://www.theverge.com/2015/3/17/8235781/facebook-messanger-payments-se...

Microsoft's Windows Hello will make your face, finger or iris the new sign-in - CNET
http://www.cnet.com/news/microsoft-introduces-windows-hello-for-signing-...

Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase - NYTimes.com
http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closing-...

BlackBerry takes another shot at a tablet -- sort of - CNET
http://www.cnet.com/news/blackberry-takes-another-shot-at-a-tablet-sort-of/

State Department takes network offline for security scrub - CNET
http://www.cnet.com/news/state-department-takes-network-offline-for-secu...

Google Apps bug exposes some users' personal info - CNET
http://www.cnet.com/news/bug-in-google-apps-exposes-some-users-personal-...

Stealthy, Persistent DLL Hijacking Works Against OS X | Threatpost | The first stop for security news
https://threatpost.com/stealthy-persistent-dll-hijacking-works-against-o...

Google Fix for Android Memory Leakage Issue In The Works | Threatpost | The first stop for security news
https://threatpost.com/google-aware-of-memory-leakage-issue-in-android-5...

Samsung Patches Social Media Vulnerability in Millions of Devices | Threatpost | The first stop for security news
https://threatpost.com/after-delays-samsung-patches-social-media-vulnera...

MS Update 3033929 Causing Reboot Loop - Krebs on Security
http://krebsonsecurity.com/2015/03/ms-update-3033929-causing-reboot-loop/

OpenSSL Patch to Plug Severe Security Holes - Krebs on Security
http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security...

Apple Safari WebKit Vulnerabilities Patched | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-webkit-vulnerabilities-in-safari/11...

D-Link Patches Two Vulnerabilities in Router Firmware | Threatpost | The first stop for security news
https://threatpost.com/d-link-patches-two-remotely-exploitable-bugs-in-f...

Adobe Flash Update Plugs 11 Security Holes - Krebs on Security
http://krebsonsecurity.com/2015/03/adobe-flash-update-plugs-11-security-...

ThinkstScapes
http://thinkst.com/thinkstscapes.html

Phish5 - Five minutes from start to phish
https://phish5.com/

The Bamboos - I Got Burned feat Tim Rogers - YouTube
https://www.youtube.com/watch?v=ASS_naRGRZY


Risky Business #357 -- Mark Dowd talks Rowhammer

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're having a chat with Mark Dowd about the so-called Rowhammer exploit. And yeah, if you haven't heard about this one you're in for a treat. It's among the most badass research I've ever seen. You know, you can skin a cat with a knife, or you can do what the Google Project Zero team did and skin it with 300 synchronised lasers.

[NOTE: It's been pointed out that the post on the Project Zero blog is actually a guest post. The work was done by Googlers and published on the Project Zero blog, but these researchers aren't actually a part of the Project Zero team. Sorry for the confusion.]

In this week's sponsor episode we're chatting with Joseph Sokoly of Tenable Network Security about bugs like FREAK. The fact is, if you're operating a web property and you were running your SSL config correctly (that is, not offering RSA export-grade cipher suites at all), FREAK wouldn't be a risk to your users when they're using your service, whatever client-side bugs they happen to be carrying.

But a lot of organisations just don't bother running best-practice configs. Why not? They're too busy putting out fires in their vuln management programs to deal with the low-hangers. Joseph stops by soon to talk about that.
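The "run your SSL config correctly" point above is concrete enough to show in code. FREAK only works against a server that still offers RSA_EXPORT cipher suites (the ones whose handshake uses a 512-bit RSA key); kill those and the client bug has nothing to downgrade to. The following is an added example written for this page, not Tenable's or Risky Business' code: a simplified evaluator for OpenSSL-style cipher strings that expands a string the way `ciphers(1)` describes (`!`, `-`, `+` prefixes, `+` as AND inside a token, `@STRENGTH`) and reports which RSA_EXPORT suites survive. The suite table is a small hand-picked subset of a 2015-era OpenSSL build, the HIGH keyword is simplified, and the four configuration strings are constructed to show a weak setting beside a corrected one, including the trap where `-EXPORT` is silently undone by a later `ALL`.

```python
"""Simplified evaluator for OpenSSL-style cipher strings (constructed example).
The suite table is a small hand-picked subset of a 2015-era OpenSSL build and the
keyword semantics follow ciphers(1) only as far as needed to show which server
configurations still offer the RSA_EXPORT suites that FREAK depends on."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str     # OpenSSL suite name
    kx: str       # key exchange: RSA, DHE, ECDHE or ADH (anonymous DH)
    auth: str     # peer authentication: RSA or NONE
    cipher: str   # bulk cipher family: AES, 3DES, DES, RC4 or NULL
    bits: int     # symmetric key size in bits
    export: bool  # export-grade suite (handshake uses a 512-bit RSA key)

# Order stands in for OpenSSL's own preference order for ALL.
CATALOGUE = (
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA", "AES", 256, False),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA", "AES", 128, False),
    Suite("DHE-RSA-AES128-SHA", "DHE", "RSA", "AES", 128, False),
    Suite("AES128-SHA", "RSA", "RSA", "AES", 128, False),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", 168, False),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", 128, False),
    Suite("ADH-AES128-SHA", "ADH", "NONE", "AES", 128, False),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", 40, True),
    Suite("EXP-DES-CBC-SHA", "RSA", "RSA", "DES", 40, True),
    Suite("NULL-SHA", "RSA", "RSA", "NULL", 0, False),
)

# Keyword -> predicate; HIGH is simplified relative to ciphers(1).
KEYWORDS = {
    "ALL": lambda s: s.cipher != "NULL",
    "HIGH": lambda s: s.cipher in ("AES", "3DES") and not s.export,
    "EXPORT": lambda s: s.export,
    "eNULL": lambda s: s.cipher == "NULL",
    "aNULL": lambda s: s.auth == "NONE",
    "kRSA": lambda s: s.kx == "RSA",
    "ECDHE": lambda s: s.kx == "ECDHE",
    "AES": lambda s: s.cipher == "AES",
    "3DES": lambda s: s.cipher == "3DES",
    "RC4": lambda s: s.cipher == "RC4",
}

def _matches(token):
    """Suites selected by one token; '+' inside a token ANDs its parts."""
    parts = token.split("+")
    for p in parts:
        if p not in KEYWORDS and not any(s.name == p for s in CATALOGUE):
            raise ValueError(f"unknown keyword or suite: {p!r}")
    return [s for s in CATALOGUE
            if all(KEYWORDS[p](s) if p in KEYWORDS else s.name == p for p in parts)]

def evaluate(cipher_string):
    """Expand a cipher string into the ordered list of suite names it enables."""
    enabled = []    # current preference list
    killed = set()  # '!' removals are permanent; later tokens cannot re-add them
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            enabled.sort(key=lambda s: s.bits, reverse=True)  # stable sort
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = _matches(body)
        if op == "!":
            killed.update(hits)
            enabled = [s for s in enabled if s not in hits]
        elif op == "-":  # plain delete: a later ALL brings them straight back
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":  # move matching suites to the end of the list
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            enabled += [s for s in hits if s not in enabled and s not in killed]
    return [s.name for s in enabled]

def freak_exposed(cipher_string):
    """RSA_EXPORT suites a server with this cipher string would still offer."""
    offered = set(evaluate(cipher_string))
    return [s.name for s in CATALOGUE if s.export and s.kx == "RSA" and s.name in offered]

# Constructed configurations: the weak strings beside a corrected one.
CONFIGS = {
    "permissive": "ALL:!aNULL:!eNULL",          # export suites ride along with ALL
    "minus-trap": "-EXPORT:ALL:!aNULL:!eNULL",  # '-' on an empty list, then ALL re-adds
    "bang-fixed": "!EXPORT:ALL:!aNULL:!eNULL",  # '!' makes the removal stick
    "hardened": "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!3DES",
}

def audit(configs=CONFIGS):
    """Map each config name to the export suites it still leaves enabled."""
    return {name: freak_exposed(cs) for name, cs in configs.items()}

if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name:<11}", ", ".join(exposed) if exposed else "no export suites offered")
```

Run it and the first two strings report `EXP-RC4-MD5, EXP-DES-CBC-SHA` while the last two report nothing. The `minus-trap` case is the one worth remembering: `-` only deletes what is already in the list, so it does nothing in front of `ALL`, whereas `!` records a permanent removal. Against a real library, `openssl ciphers -v 'YOUR:STRING'` is the equivalent check, and it will show you exactly what the build you are actually running expands that string to.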

(Joseph is also one of the voices of the Southern Fried Security Podcast. Check it out here, because I'm guessing if you're reading this you like security podcasts!)

Show notes

Patched Windows PC remained vulnerable to Stuxnet USB exploits since 2010 | Ars Technica
http://arstechnica.com/security/2015/03/patched-windows-pc-remained-vuln...

Stuxnet leak probe stalls for fear of confirming US-Israel involvement | Ars Technica
http://arstechnica.com/tech-policy/2015/03/stuxnet-leak-probe-stalls-for...

UK man arrested on suspicion of US Department of Defense hacking | Ars Technica
http://arstechnica.com/tech-policy/2015/03/uk-man-arrested-on-suspicion-...

iSpy: The CIA Campaign to Steal Apple's Secrets
https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-ap...

Errata Security: No, the CIA isn't stealing Apple's secrets
http://blog.erratasec.com/2015/03/no-cia-isnt-stealing-apples-secrets.ht...

Australia to prosecute Heartbleed pentest in desperation to pin charges on Anonymous radio host | ZDNet
http://www.zdnet.com/article/australia-to-prosecute-heartbleed-pentest-i...

OpenSSL Security Audit Ready to Start | Threatpost | The first stop for security news
https://threatpost.com/openssl-security-audit-ready-to-start/111538

Anthem Refuses Audit Following Massive Breach | Threatpost | The first stop for security news
https://threatpost.com/anthem-refusing-oig-security-audit-following-brea...

Why Clinton's Private Email Server Was Such a Security Fail | WIRED
http://www.wired.com/2015/03/clintons-email-server-vulnerable/

Hillary Clinton Says Her Email Was Secure; She Can't Know | WIRED
http://www.wired.com/2015/03/hillary-clinton-says-email-secure-cant-know/

Feds Indict Three in 2011 Epsilon Hack - Krebs on Security
http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/

Stop Spying on Wikipedia Users - NYTimes.com
http://www.nytimes.com/2015/03/10/opinion/stop-spying-on-wikipedia-users...

Litecoin-mining code found in BitTorrent app, freeloaders hit the roof • The Register
http://www.theregister.co.uk/2015/03/07/utorrent_epic_scale_mining_softw...

Adobe Starts Vulnerability Disclosure Program on HackerOne | Threatpost | The first stop for security news
https://threatpost.com/adobe-starts-vulnerability-disclosure-program-on-...

Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2 | Threatpost | The first stop for security news
https://threatpost.com/apple-fixes-freak-bug-icloud-flaw-in-ios-8-2/111553

Yahoo Patches Critical Small Business, eCommerce Bugs | Threatpost | The first stop for security news
https://threatpost.com/yahoo-patches-critical-ecommerce-small-business-v...

Dropbox Patches Remotely Exploitable Vulnerability in SDK | Threatpost | The first stop for security news
https://threatpost.com/dropbox-patches-remotely-exploitable-vulnerabilit...

Facebook Users Open to Attack Via Several Security Bugs | Threatpost | The first stop for security news
https://threatpost.com/facebook-users-open-to-attack-via-several-securit...

Patch Tuesday patches FREAK, Universal XSS | Ars Technica
http://arstechnica.com/information-technology/2015/03/patch-tuesday-patc...

Microsoft Fixes Stuxnet Bug, Again - Krebs on Security
http://krebsonsecurity.com/2015/03/microsoft-fixes-stuxnet-bug-again/

You Am I - Soldiers - YouTube
https://www.youtube.com/watch?v=P1SV4v_qtBI

Rowhammer
http://www.rowhammer.com/
