Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business Podcast

September 19, 2014

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's show we chat with The Grugq about the latest invisible.im announcement and we'll also meet the creator of the Ricochet anonymous messenger software, John Brooks.

In this week's sponsor interview we chat with Senetas CTO Julian Fay about an interesting paper on defeating traffic analysis attacks against encrypted cloud storage, and also a "sign of the times" Kickstarter... a group has managed to get a weird little crypto device funded... basically a hardware crypto module. You plug your phone in on one end and your headset in on the other. They've raised over $40k, but who's going to use this?

Show notes

WikiLeaks - SpyFiles 4
https://wikileaks.org/spyfiles4/customers.html

New Zealand secretly built spying program, report says - CNET
http://www.cnet.com/news/new-zealand-secretly-built-spying-program-repor...

Moment of Truth gifts Team Key a late bounce in polls - National - NZ Herald News
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11327321

'Speargun' program is fantasy, says cable operator \u2022 The Register
http://www.theregister.co.uk/2014/09/16/speargun_program_is_fantasy_says...

Student Freya Newman pleads guilty to hacking Frances Abbott design scholarship files | The Australian
http://www.theaustralian.com.au/news/nation/student-freya-newman-pleads-...

Tim Cook explains Apple's privacy policies in open letter - CNET
http://www.cnet.com/news/tim-cook-explains-apples-privacy-policies-in-op...

Apple takes 'very different view' on customer privacy, Cook says - CNET
http://www.cnet.com/news/apple-takes-very-different-view-on-customer-pri...

Apple - Privacy
http://www.apple.com/privacy/

Apple transparency reports allude to Patriot Act demands - CNET
http://www.cnet.com/news/apple-transparency-reports-allude-to-patriot-ac...

Apple Extends Two-Factor Authentication to iCloud | Threatpost | The first stop for security news
http://threatpost.com/apple-extends-two-factor-authentication-to-icloud/...

Three Things Apple Can Do to Fix iCloud's Awful Security | WIRED
http://www.wired.com/2014/09/three-things-apple-can-fix-iclouds-awful-se...

Despite Apple's Privacy Pledge, Cops Can Still Pull Data Off a Locked iPhone | WIRED
http://www.wired.com/2014/09/apple-iphone-security/

Newest Androids will join iPhones in offering default encryption, blocking police - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-andr...

Microsoft closing standalone Trustworthy Computing group, folding into other units - GeekWire
http://www.geekwire.com/2014/microsoft-closing-standalone-trustworthy-co...

Home Depot Data Breach Put 56 Million Cards at Risk | Threatpost | The first stop for security news
http://threatpost.com/56-million-payment-cards-at-risk-in-home-depot-dat...

POS Service Confirms Goodwill Breach Lasted 18 Months | Threatpost | The first stop for security news
http://threatpost.com/pos-service-confirms-goodwill-breach-lasted-18-mon...

Heartbleed to blame for Community Health Systems breach | CSO Online
http://www.csoonline.com/article/2466726/data-protection/heartbleed-to-b...

Announcing Keyless SSL\u2122: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys
http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cl...

SNMP DDoS Attack Spoofs Google DNS Server | Threatpost | The first stop for security news
http://threatpost.com/snmp-based-ddos-attack-spoofs-google-public-dns-se...

OWASP Releases Latest App Sec Testing Guide | Threatpost | The first stop for security news
http://threatpost.com/owasp-releases-latest-app-sec-guide/108396

\u200bInternet's security bug tracker faces its 'Y2K' moment - CNET
http://www.cnet.com/news/internets-security-bug-tracker-faces-its-y2k-mo...

Big Batch of Bugs Fixed in Various Versions of IDA | Threatpost | The first stop for security news
http://threatpost.com/big-batch-of-bugs-fixed-in-various-versions-of-ida...

iOS 8 also comes with bucket of security fixes - CNET
http://www.cnet.com/news/ios-8-also-comes-with-bucket-of-security-fixes/

Android Browser flaw a "privacy disaster" for half of Android users | Ars Technica
http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-d...

September 2014 Adobe Reader Acrobat Patches | Threatpost | The first stop for security news
http://threatpost.com/adobe-gets-delayed-reader-update-out-the-door/108310

My Social SherpaPranking My Roommate With Eerily Targeted Facebook Ads
http://mysocialsherpa.com/the-ultimate-retaliation-pranking-my-roommate-...

WikiLeaks posts 'weaponized malware' for all to download | ZDNet
http://www.zdnet.com/astonishingly-irresponsible-wikileaks-posts-weaponi...

Kiwicon CFP
https://kiwicon.org/cfp2014.txt

JackPair: secure your voice phone calls against wiretapping by Jeffrey Chang & the AWIT team - Kickstarter
https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-p...

MS and University Devs Make The Melbourne Shuffle \u2022 Cloudwards.net
http://www.cloudwards.net/news/ms-and-university-devs-make-the-melbourne...

Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying | WIRED
http://www.wired.com/2014/09/new-encrypted-chat-program-thwarts-nsa-elim...

Why I started invisible.im | Risky Business
http://risky.biz/news_and_opinion/patrick-gray/2014-09-18/why-i-started-...

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet
0:00 / 0:00

Risky Business Podcast

September 12, 2014

Risky Business 336 -- Too many cons

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we've got a great interview with Haroon Meer of Thinkst. Thinkst has a paid service that analysis the output of security conferences and puts together reports. Now, some of you might wonder why such a service would be needed, so let's put things in perspective: there were 2,700 conference presentations in the second quarter of this year at 116 events over 140 conference days. Yikes!

Haroon will be along in a bit to talk about the conference content boom, and he's also made their latest report free for Risky Business listeners! As I say, it's part of Thinkst's paid subscription service, so you'd be nuts not to grab it.

This week's show is brought to you by Tenable Network Security, thanks to the guys and gals over there. In this week's sponsor interview we're chatting with Paul Asadoorian, Tenable's product marketing manager for Nessus.

Paul is also well known as the host of the security weekly podcast! It's an infosec podcast with a massive audience that you've no doubt heard of.

We're chatting with Paul about embedded devices. He co-wrote a book on hacking the WRT54g home wireless gateway some years ago and he's gearing up to teach a SANS course on embedded device assessments. So yeah, Paul's going to stop by and discuss the state of all things embedded.

Show notes

Dread Pirate Sunk By Leaky CAPTCHA - Krebs on Security
http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/

FBI's Story of Finding Silk Road's Server Sounds a Lot Like Hacking | WIRED
http://www.wired.com/2014/09/fbi-silk-road-hacking-question/

Should we be worried? Showing on login page : SilkRoad
http://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_be_worried_sh...

Troll or thief? User claims Bitcoin founder Satoshi Nakamoto dox sabotage \u2022 The Register
http://www.theregister.co.uk/2014/09/10/troll_or_thief_user_claims_satos...

PayPal goes crypto-currency with Bitcoin \u2022 The Register
http://www.theregister.co.uk/2014/09/11/paypal_goes_cryptocurrency_with_...

Feds Threatened to Fine Yahoo $250K Daily for Not Complying With PRISM | WIRED
http://www.wired.com/2014/09/feds-yahoo-fine-prism/

Five Million Email Passwords, Addresses Leak Russian Forum | Threatpost | The first stop for security news
http://threatpost.com/five-million-email-passwords-addresses-appear-on-r...

Home Depot Data Breach Confirmed | Threatpost | The first stop for security news
http://threatpost.com/home-depot-confirms-breach-transactions-from-april...

BlackPOS malware confirmed in Home Depot US hack - Security - News - iTnews.com.au
http://www.itnews.com.au/News/391880,blackpos-malware-confirmed-in-home-...

Apple Plans to Extend 2FA to iCloud | Threatpost | The first stop for security news
http://threatpost.com/apple-plans-to-extend-2fa-to-icloud/108106

After hacking, Apple to send out more security alerts to users | Ars Technica
http://arstechnica.com/security/2014/09/after-hacking-apple-to-send-out-...

Barclays brings finger-vein biometrics to Internet banking | Ars Technica
http://arstechnica.com/security/2014/09/barclays-brings-finger-vein-biom...

Researchers find data leaks in Instagram, Grindr, OoVoo and more - CNET
http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr...

Salesforce Warns Customers of Dyreza Banker Trojan Attacks | Threatpost | The first stop for security news
http://threatpost.com/salesforce-warns-customers-of-dyreza-banker-trojan...

Traffic Networks Firm Patches Sensor Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/traffic-networks-company-patches-sensor-vulnerabil...

Microsoft to patch ASP.NET mess even if you don't \u2022 The Register
http://www.theregister.co.uk/2014/09/11/microsoft_kills_dangerous_aspnet...

Cisco Patches Denial-of-Services Vulnerability in IMC | Threatpost | The first stop for security news
http://threatpost.com/us-cert-warns-of-vulnerability-in-cisco-baseboard-...

September 2014 Microsoft Patch Tuesday security bulletins | Threatpost | The first stop for security news
http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175

Critical Fixes for Adobe, Microsoft Software - Krebs on Security
http://krebsonsecurity.com/2014/09/critical-fixes-for-adobe-microsoft-so...

Apache Warns of Tomcat Remote Code Execution Vulnerability | Threatpost | The first stop for security news
http://threatpost.com/apache-warns-of-tomcat-remote-code-execution-vulne...

Infamous "podcast patent" heads to trial | Ars Technica
http://arstechnica.com/tech-policy/2014/09/jim-logan-says-he-invented-po...

thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf
http://thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf

Embedded Device Security Assessments For The Rest Of Us
http://www.sans.org/course/embedded-device-security-assessments

Risky Business 336 -- Too many cons
0:00 / 0:00

Risky Business Podcast

September 05, 2014

Risky Business #335 -- Whaledump hacker could change NZ government

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

I'm back from a two week holiday in beautiful Indonesia, so we'll be spending most of this show catching up on what I missed while I was away! So there's plenty of news to talk about with Adam Boileau, and also a chat about some very interesting politicking going on in New Zealand.

A hacker going by the name of Whaledump has been dropping leaked emails and documents all over the place that are causing all sorts of headaches for the government. If that wasn't enough, Kim Dot Com has jumped into the fray... apparently he has a big reveal coming on September 15th that could change the course of the NZ election campaign. Is this the future of democracy?

This week's show is brought to you by BugCrowd, big thanks to them.

We'll be chatting with BugCrowd head honcho Casey Ellis all about the skills shortage in infosec, particularly in testing. People interested in a career in infosec are using platforms like BugCrowd as a proving ground, but will that pipeline be enough to satiate the demand for talent out there?

Risky Business #335 -- Whaledump hacker could change NZ government
0:00 / 0:00

Risky Business Podcast

August 14, 2014

Risky Business #334 -- Brian Snow reflects on 34 years at NSA, Snowden

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're having an extended chat with 34-year NSA veteran Brian Snow. During his career he rose to director level -- he acted as technical director of three divisions within the agency -- before he retired in 2006.

Brian joins us to talk about the Snowden disclosures and how the NSA's culture changed post 9/11.

Brian also had some great comments on quantum crypto concerns that I've broken out into a separate podcast - I've put that one in the RB2 feed along with a recording of a panel I hosted at the Splendour in the Grass music festival a few weeks ago. You can find them in the RB2 feed.

This week's show is brought to you by Tenable Network Security, thanks to them, and in this week's sponsor interview we're chatting with Tenable CEO Ron Gula about continuous monitoring.

Adam Boileau joins us for this week's news, as does special guest Andrew Colley.

Show notes

Why surveillance companies hate the iPhone - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/11/why-surveil...

Edward Snowden: The Untold Story | Threat Level | WIRED
http://www.wired.com/2014/08/edward-snowden/#ch-1

Snowden: I Left the NSA Clues, But They Couldn't Find Them | Threat Level | WIRED
http://www.wired.com/2014/08/snowden-breadcrumbs/

Blackphone DEF CON Vulnerabilities Difficult to Exploit | Threatpost | The first stop for security news
http://threatpost.com/fog-lifts-on-rooted-blackphone-merry-go-round/107711

Techno-Archaeologists Used an Abandoned McDonald's to Hijack a Satellite | Motherboard
http://motherboard.vice.com/read/techno-archaeologists-used-an-abandoned...

Anonymous Posts St. Louis Police Dispatch Tapes From Day of Ferguson Shooting | Mother Jones
http://www.motherjones.com/politics/2014/08/anonymous-releases-st-louis-...

Dan Tentler (Viss) on Twitter
https://twitter.com/viss

Obama picks former Googler to head federal tech overhaul - CNET
http://www.cnet.com/news/obama-picks-former-googler-to-head-federal-tech...

Millions of PCs Affected by Mysterious Computrace Backdoor | Threatpost | The first stop for security news
http://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-...

Study: Uyghur Remain in Crosshairs of Targeted Attacks | Threatpost | The first stop for security news
http://threatpost.com/study-confirms-uyghur-remain-in-crosshairs-of-targ...

The Dole Bludger's Revenge | newmatilda.com
https://newmatilda.com/2014/08/12/dole-bludgers-revenge

Disqus Patches CSRF, Other Flaws in Plugin | Threatpost | The first stop for security news
http://threatpost.com/disqus-patches-csrf-other-flaws-in-plugin/107738

Authentication Bypass Bug Fixed in BlackBerry Z10 | Threatpost | The first stop for security news
http://threatpost.com/authentication-bypass-bug-fixed-in-blackberry-z10/...

IE to Block Older ActiveX Controls, Starting with Java | Threatpost | The first stop for security news
http://threatpost.com/ie-to-block-older-activex-controls-starting-with-j...

Adobe, Microsoft Push Critical Security Fixes - Krebs on Security
http://krebsonsecurity.com/2014/08/adobe-microsoft-push-critical-securit...

Book alleges dirty National Party politics; Greens, Slater to lay complaints - National - NZ Herald News
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11308458

Q&A: Malcolm Turnbull on data retention - Networking - Security - Software - Telco/ISP - News - iTnews.com.au
http://www.itnews.com.au/News/390859,qa-malcolm-turnbull-on-data-retenti...

PILOTS EP | PILOTS
http://pilotsmusicau.bandcamp.com/releases

Risky Business #334 -- Brian Snow reflects on 34 years at NSA, Snowden
0:00 / 0:00

Risky Business Podcast

August 08, 2014

Risky Business #333 -- Yahoo CISO Alex Stamos joins the show

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

We've got an absolute cracker of a show for you this week. I've let it run longer than usual because we've just got some great news and interviews this week.

Our feature interview is with Alex Stamos, Yahoo's CISO. We hear from him on what his job looks like -- Yahoo has a billion users and its business and technology is incredibly diverse. So what has Alex been up to since he took the helm earlier this year? Tune in to find out!

In this week's sponsor interview we chat with Rahul Kashyap, Bromium's Chief Security Architect. Bromium has taken a look at endpoint exploitation trends and it might surprise you to know that in 2014 there have been more public exploits for IE than for Java!

Show notes

Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published | netzpolitik.org
https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-do...

Phineas Fisher (GammaGroupPR) on Twitter
https://twitter.com/gammagrouppr

Leaked Files: German Spy Company Helped Bahrain Hack Arab Spring Protesters - The Intercept
https://firstlook.org/theintercept/2014/08/07/leaked-files-german-spy-co...

Russian Hackers Amass Over a Billion Internet Passwords - NYTimes.com
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-...

Files containing 360 million credentials, 1.25 billion email addresses, located on Deep Web - SC Magazine
http://www.scmagazine.com/files-containing-360-million-credentials-125-b...

Q&A on the Reported Theft of 1.2B Email Accounts - Krebs on Security
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-emai...

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them | Threat Level | WIRED
http://www.wired.com/2014/08/cia-0day-bounty/

Security expert calls home routers a clear and present danger | Ars Technica
http://arstechnica.com/security/2014/08/security-expert-calls-home-route...

Visit the Wrong Website, and the FBI Could End Up in Your Computer | Threat Level | WIRED
http://www.wired.com/2014/08/operation_torpedo/

Feds' Silk Road Investigation Broke Privacy Laws, Defendant Tells Court | Threat Level | WIRED
http://www.wired.com/2014/08/feds-silk-road-investigation-violated-priva...

Snowden's Russia asylum extended three more years - CNET
http://www.cnet.com/au/news/snowdens-russia-asylum-extended-three-more-y...

Schneier on Security: The US Intelligence Community has a Third Leaker
https://www.schneier.com/blog/archives/2014/08/the_us_intellig.html

Terrorists embracing new Android crypto in wake of Snowden revelations | Ars Technica
http://arstechnica.com/tech-policy/2014/08/terrorists-embracing-new-andr...

Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins | Threat Level | WIRED
http://www.wired.com/2014/08/isp-bitcoin-theft/

How Hackable Is Your Car? Consult This Handy Chart | Autopia | WIRED
http://www.wired.com/2014/08/car-hacking-chart/

Watch This Wireless Hack Pop a Car's Locks in Minutes | Threat Level | WIRED
http://www.wired.com/2014/08/wireless-car-hack/

Can a plane be hacked via in-flight Wi-Fi? Researcher says it's so - CNET
http://www.cnet.com/au/news/can-a-plane-be-hacked-via-inflight-wi-fi-res...

Yes, Hackers Could Build an iPhone Botnet-Thanks to Windows | Threat Level | WIRED
http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnettha...

New Site Recovers Files Locked by Cryptolocker Ransomware - Krebs on Security
http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cry...

In major shift, Google boosts search rankings of HTTPS-protected sites | Ars Technica
http://arstechnica.com/security/2014/08/in-major-shift-google-boosts-sea...

Thousands of Mozilla developers' e-mail addresses, password hashes exposed | Ars Technica
http://arstechnica.com/security/2014/08/thousands-of-mozilla-developers-...

Oracle Database Redaction 'Trivial to Bypass' | Threatpost | The first stop for security news
http://threatpost.com/oracle-database-redaction-trivial-to-bypass/107631

Critical code execution bug in Samba gives attackers superuser powers | Ars Technica
http://arstechnica.com/security/2014/08/critical-code-execution-bug-in-s...

Microsoft security sandbox for IE: Still broken after all these years | Ars Technica
http://arstechnica.com/security/2014/08/microsoft-security-sandbox-for-i...

Help Australia's PM and attorney-general to define metadata \u2022 The Register
http://www.theregister.co.uk/2014/08/06/help_australias_pm_and_attorneyg...

Conservative Party Web Security
http://www.joshbrodie.co.nz/2014/08/08/conservative-party-web-security.html

Yahoo to begin offering PGP encryption support in Yahoo Mail service | Ars Technica
http://arstechnica.com/security/2014/08/yahoo-to-begin-offering-pgp-encr...

www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf
http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report...

Dilo by HopeStreet Recordings on SoundCloud - Hear the world's sounds
https://soundcloud.com/hopestreet-recordings/dilo?in=hopestreet-recordin...

Risky Business #333 -- Yahoo CISO Alex Stamos joins the show
0:00 / 0:00

Risky Business Podcast

August 01, 2014

Risky Business #332 -- Evading IDS with Multipath TCP

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week's feature interview we're chat with Catherine Pearce of Neohapsis about some research she'll be presenting at BlackHat next week with her colleague Patrick Thomas. They're doing a talk all about Multipath TCP, and yes, it's exactly what it sounds like and yes, it's great for doing stuff like IDS evasion and confusing firewalls.

In this week's sponsor interview we speak with Senetas CTO Julian Fay about the so-called BADA55 paper. Senetas is about to ship elliptic curve algos with its gear -- is it reconsidering now we know that elliptic curves can be subverted? No way! Tune in to find out why.

Show notes

WikiLeaks publishes court suppression order over what Julian Assange calls 'unprecedented' case of censorship | News.com.au
http://www.news.com.au/technology/online/wikileaks-publishes-court-suppr...

Tor security advisory: "relay early" traffic confirmation attack | The Tor Blog
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traff...

Tor hidden services attacks deanonymize users | Threatpost | The first stop for security news
http://threatpost.com/tor-sniffs-out-attacks-trying-to-deanonymize-hidde...

Russia publicly joins war on Tor privacy with $111,000 bounty | Ars Technica
http://arstechnica.com/security/2014/07/russia-publicly-joins-war-on-tor...

Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED
http://www.wired.com/2014/07/usb-security/

Dark Reading Radio: Data Loss Prevention (DLP) Fail
http://www.darkreading.com/perimeter/dark-reading-radio-data-loss-prevention-(dlp)-fail/a/d-id/1297650?

Your iPhone Can Finally Make Free, Encrypted Calls | Threat Level | WIRED
http://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the...

arxiv.org/pdf/1407.4923v1.pdf
http://arxiv.org/pdf/1407.4923v1.pdf

Instasheep: Coder builds tool to hijack Instagram accounts over Wi-Fi | Ars Technica
http://arstechnica.com/security/2014/07/instasheep-coder-builds-tool-to-...

seL4 Secure Microkernel Made Open Source | Threatpost | The first stop for security news
http://threatpost.com/secure-microkernel-sel4-code-goes-open-source/107506

Hackers Plundered Israeli Defense Firms that Built 'Iron Dome' Missile Defense System - Krebs on Security
http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-fir...

CIA admits to spying on Senate committee - CNET
http://www.cnet.com/au/news/cia-admits-to-spying-on-senate-computers/

China rebuffs Canada for 'irresponsible' hacking claims - CNET
http://www.cnet.com/au/news/china-rebuffs-canada-for-irresponsible-hacki...

Service Drains Competitors' Online Ad Budget - Krebs on Security
http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-...

The App I Used to Break Into My Neighbor's Home | Threat Level | WIRED
http://www.wired.com/2014/07/keyme-let-me-break-in/

Microsoft Releases EMET 5.0 Exploit Mitigation Tool | Threatpost | The first stop for security news
http://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mit...

Crouching Yeti APT Campaign Stretches Back Four Years | Threatpost | The first stop for security news
http://threatpost.com/crouching-yeti-apt-campaign-stretches-back-four-ye...

New Backoff PoS Malware Identified in Several Attacks | Threatpost | The first stop for security news
http://threatpost.com/new-backoff-pos-malware-identified-in-several-atta...

Neohapsis Labs | Multipath TCP - BlackHat Briefings Teaser
http://labs.neohapsis.com/2014/07/29/multipath-tcp-blackhat-briefings-te...

We Never Change | Every Day Carry
http://everydaycarry.bandcamp.com/track/we-never-change

Risky Business #332 -- Evading IDS with Multipath TCP
0:00 / 0:00

Risky Business Podcast

July 25, 2014

Risky Business #331 -- The Tails bug that wasn't, the Tor talk that isn't

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

Earlier this week Twitter was abuzz with talk of a serious bug in the Tails live OS, a bootable on-a-DVD or USB device OS used by pro-democracy activists. And by pro democracy activists I mean, you know, potheads buying a few ounces on Silk Road, but whatever...

Well according to the Twitters there was a Tails bug that was going to be a big deal... right? Riiight? Well, maybe not.

The Grugq joins the show to discuss that, and the pulling of a scheduled BlackHat talk on Tor.

This week's show is brought to you by Microsoft. Alas my interview with the scheduled MS spokesperson fell through so there's no sponsor interview this week. I'd ask you to check out Microsoft Interflow anyway though, particularly if you're in IR.

Adam drops in for the week's news segment, you can find links to everything discussed here.

Risky Business #331 -- The Tails bug that wasn't, the Tor talk that isn't
0:00 / 0:00

Risky Business Podcast

July 18, 2014

Risky Business #330 -- Setting the infosec agenda

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're chatting with infosec journalist turned PR strategist Elinor Mills. For eight years Elinor wrote about security for CNet News.com, before joining Bateman group as a content and media strategist in 2012.

We're chatting with Elinor about how the infosec media agenda is set. Do massive advertising, marketing and PR budgets give disproportionate media influence to companies that don't deserve it? Drum roll please... yup. Yes. Yes they do. But we'll chat to Elinor about that after the news.

In this week's sponsor interview we're chatting with Holly Stewart, Microsoft's senior program manager in its malware protection centre. We're talking about coordinated malware eradication.

Microsoft has launched a new program designed to attack the malware ecosystem at all levels. That means working with the ad distribution networks, online payment companies, ISPs... choke off the distribution, choke off the cash. It's a much more comprehensive approach than we've seen before and Holly will tell us how you might get involved.

Show notes

GCHQ's "Chinese menu" of tools spreads disinformation across Internet | Ars Technica
http://arstechnica.com/security/2014/07/ghcqs-chinese-menu-of-tools-spre...

JTRIG Tools and Techniques
https://www.documentcloud.org/documents/1217406-jtrigall.html

Journalists will face jail over spy leaks under new security laws | World news | theguardian.com
http://www.theguardian.com/world/2014/jul/16/journalists-face-jail-leaks...

NSA spies just LOVE swapping your sexts, says Snowden: 'It's a fringe benefit' \u2022 The Register
http://www.theregister.co.uk/2014/07/17/snowden_says_analysts_swapping_s...

Outside Panel Finds Over-Reliance on NSA Advice Led to Dual EC Problems | Threatpost | The first stop for security news
http://threatpost.com/outside-panel-finds-over-reliance-on-nsa-advice-le...

Swedish Court to Julian Assange: You're Not Going Anywhere | Threat Level | WIRED
http://www.wired.com/2014/07/swedish-court-to-julian-assange-youre-not-g...

Supposed 'leader' of LulzSec pleads guilty to hacking, hubris \u2022 The Register
http://www.theregister.co.uk/2014/07/17/lulzsec_leaderthatwasnt_pleads_g...

Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers | Threat Level | WIRED
http://www.wired.com/2014/07/google-project-zero/

Yahoo Full Application Source Code Disclosure Vulnerability | Security Down!
http://www.sec-down.com/wordpress/?p=440

Chinese hackers take command of Tesla Model S - CNET
http://www.cnet.com/au/news/chinese-hackers-take-command-of-tesla-model-s/

Malware hidden in Chinese inventory scanners targeted logistics, shipping firms | PCWorld
http://www.pcworld.com/article/2453100/malware-hidden-in-chinese-invento...

China calls Apple's iPhone a national security threat - CNET
http://www.cnet.com/au/news/china-calls-apples-iphone-a-national-securit...

Chinese businessman charged with hacking Boeing, Lockheed Martin | Ars Technica
http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-w...

FBI: We found US MILITARY AIRCRAFT INTEL during raid on alleged Chinese hacker \u2022 The Register
http://www.theregister.co.uk/2014/07/14/us_military_aircraft_intel_captu...

How elite hackers (almost) stole the NASDAQ | Ars Technica
http://arstechnica.com/security/2014/07/how-elite-hackers-almost-stole-t...

Bitcoin pool GHash.io commits to 40% hashrate limit after its 51% breach | Ars Technica
http://arstechnica.com/business/2014/07/bitcoin-pool-ghash-io-commits-to...

"Severe" password manager attacks steal digital keys and data en masse | Ars Technica
http://arstechnica.com/security/2014/07/severe-password-manager-attacks-...

Mathematics makes strong case that "snoopy2" can be just fine as a password | Ars Technica
http://arstechnica.com/security/2014/07/mathematics-makes-strong-case-th...

DDoS attacks intensified in first half of 2014 - CNET
http://www.cnet.com/au/news/ddos-attacks-intensified-in-first-half-of-2014/

Beware Keyloggers at Hotel Business Centers - Krebs on Security
http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-c...

Here's How Easy It Could Be for Hackers to Control Your Hotel Room | Threat Level | WIRED
http://www.wired.com/2014/07/hacking-hotel-room-controls/

SSL Black List Aims to Publicize Certificates Associated With Malware | Threatpost | The first stop for security news
http://threatpost.com/ssl-black-list-aims-to-publicize-certificates-asso...

CNET attacked by Russian hacker group - CNET
http://www.cnet.com/au/news/cnet-attacked-by-russian-hacker-group/

Microsoft: No-IP takedown cleansed 4.7m PCs - Security - News - iTnews.com.au
http://www.itnews.com.au/News/389598,microsoft-no-ip-takedown-cleansed-4...

Exploit emerges for LZO algo hole \u2022 The Register
http://www.theregister.co.uk/2014/07/11/firefox_lzo_rce/

LibreSSL PRNG Vulnerability Patched | Threatpost | The first stop for security news
http://threatpost.com/overblown-libressl-prng-vulnerability-patched/107245

Cisco Patches Wireless Residential Gateway Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/cisco-patches-wireless-residential-gateway-vulnera...

Apple blocks older, risky Flash plug-ins, forcing you to upgrade - CNET
http://www.cnet.com/au/news/apple-blocks-older-risky-flash-plug-ins-forc...

Five Vulnerabilities Fixed in Apache Web Server | Threatpost | The first stop for security news
http://threatpost.com/five-vulnerabilities-fixed-in-apache-web-server/10...

Active Directory flaw allows credentials theft - Security - News - iTnews.com.au
http://www.itnews.com.au/News/389747,active-directory-flaw-allows-creden...

Chrome for Android Update Patches URL Spoofing Bug | Threatpost | The first stop for security news
http://threatpost.com/chrome-for-android-update-fixes-critical-url-spoof...

Rickroll Innocent Televisions With This Google Chromecast Hack | Threat Level | WIRED
http://www.wired.com/2014/07/rickroll-innocent-televisions-with-this-goo...

Win/lose Whirlywirld original.m4v - YouTube
https://www.youtube.com/watch?v=8elKjPxMp98&feature=kp

Risky Business #330 -- Setting the infosec agenda
0:00 / 0:00

Risky Business Podcast

July 11, 2014

Risky Business #329 -- BitCoins ARE money, Snowden seeks Russia stay

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

There is no feature interview in this week's show. If you tuned in last week you would have heard HD Moore and I talking about a project called Invisible.im. Well, we launched a FAQ and the Internet liked it... the Internet *really* liked it... so I've spent much of the week working on invisible.im. There's some really cool stuff happening there that I can't really talk about yet, but I can say the project has picked up a lot of interest.

There's some very cool stuff happening and I'll be able to talk more about it soon.

So, in this week's show we're going to have a chat about the week's infosec news with Adam Boileau, then we'll have a really interesting talk with Chris Gatford, head honcho with this week's sponsor Hacklabs. We're chatting with Chris all about the case of the public transport Victoria website receiving a "free pentest" from a 16-year-old kid. He reported a bug, didn't hear anything back after a couple of days, then went to the press. The whole thing blew up and he wound up in a bunch of hot water with the police.

Anyway, the whole episode came to a conclusion this week. The kid had to sign a statement acknowledging that he'd committed a crime, but beyond that there was no further sanction.

"Unsolicited pentests" are a murky, murky area. Chris joins us to chat about this case and how we might move towards some sort of consensus on how things should actually happen in these situations.

Show notes

Judge Shoots Down 'Bitcoin Isn't Money' Argument in Silk Road Case | Threat Level | WIRED
http://www.wired.com/2014/07/silkroad-bitcoin-isnt-money/

Snowden asks for extension on Russian asylum - CNET
http://www.cnet.com/au/news/snowden-asks-for-extension-on-russian-asylum/

US arrests Russian politician's son over hacking theft - Security - News - iTnews.com.au
http://www.itnews.com.au/News/389424,us-arrests-russian-politicians-son-...

In NSA-intercepted data, those not targeted far outnumber the foreigners who are - The Washington Post
http://www.washingtonpost.com/world/national-security/in-nsa-intercepted...

Latest Snowden Leaks: FBI Targeted Muslim-American Lawyers | Threat Level | WIRED
http://www.wired.com/2014/07/snowden-leaks/

Researcher: I Was Suspended For Finding Flaws In FireEye Security Kit
http://www.forbes.com/sites/thomasbrewster/2014/07/09/researcher-i-was-s...

Google confronts more site certificate problems - CNET
http://www.cnet.com/au/news/google-confronts-more-site-certificate-probl...

Google blocks leaked Goldman Sachs email - Security - Software - News - iTnews.com.au
http://www.itnews.com.au/News/389105,google-blocks-leaked-goldman-sachs-...

Microsoft Settles With No-IP Over Malware Takedown | Threatpost | The first stop for security news
http://threatpost.com/microsoft-settles-with-no-ip-over-malware-takedown...

Chinese Hackers Pursue Key Data on U.S. Workers - NYTimes.com
http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?hp&action=click&pgtype=Homepage&version=LedeSum&module=first-column-region\xaeion=top-news&WT.nav=top-news&_r=2

China cyberspies hit US national security think tanks - CNET
http://www.cnet.com/au/news/china-cyberspies-hit-us-national-security-th...

Android factory reset doesn't delete all data - CNET
http://www.cnet.com/au/news/android-factory-reset-doesnt-delete-all-data/

How Google Map Hackers Can Destroy a Business at Will | Business | WIRED
http://www.wired.com/2014/07/hacking-google-maps/

Aussies dodge US mobile device flight bans - Security - News - iTnews.com.au
http://www.itnews.com.au/News/389388,aussies-dodge-us-mobile-device-flig...

Minister defends NZ's slow migration off XP - Security - Software - News - iTnews.com.au
http://www.itnews.com.au/News/389391,minister-defends-nzs-slow-migration...

Oracle ends Java support for Windows XP - Security - Software - News - iTnews.com.au
http://www.itnews.com.au/News/389378,oracle-ends-java-support-for-window...

Brute-Forcing Botnet Sniffs Out Lax POS Systems | Threatpost | The first stop for security news
http://threatpost.com/brute-forcing-botnet-sniffs-out-lax-pos-systems/10...

DHS Releases Hundreds of Documents on Wrong Project Aurora | Threatpost | The first stop for security news
http://threatpost.com/dhs-releases-hundreds-of-documents-on-wrong-aurora...

Android Exploited to Make, End Phone Calls; Send USSD Codes | Threatpost | The first stop for security news
http://threatpost.com/android-exploited-to-make-and-end-phone-calls-send...

Yahoo Fixes Trio of Bugs in Mail, Messenger, Flickr | Threatpost | The first stop for security news
http://threatpost.com/yahoo-fixes-trio-of-bugs-in-mail-messenger-flickr/...

July 2014 Adobe Flash Player patch | Threatpost | The first stop for security news
http://threatpost.com/adobe-patches-flash-vulnerability-exploited-by-ros...

Microsoft July 2014 Patch Tuesday fixes 29 IE Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/microsoft-july-patch-tuesday-updates-patch-29-ie-v...

The Ex-Google Hacker Taking on the World's Spy Agencies | Threat Level | WIRED
http://www.wired.com/2014/07/morgan-marquis-boire-first-look-media/

Just Another Security Blog: PTV; The police, and the aftermath.
http://blog.internot.info/2014/07/ptv-police-and-aftermath.html

Little band scene - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Little_band_scene

Dogs in Space - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Dogs_in_Space

Risky Business #329 -- BitCoins ARE money, Snowden seeks Russia stay
0:00 / 0:00

Risky Business Podcast

July 04, 2014

Risky Business #328 -- HD Moore talks massive scanning and invisible.im

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

This week's show is brought to you by Rapid7, big, big thanks to them.

This week's sponsor interview is with Rapid7's Chief Research Officer HD Moore. But you know what? One interview with HD just isn't enough, is it? So he's also joining us in the feature segment to discuss a project I'm putting together called Invisible.im.

It's an instant messenger system that I designed... it feels very, very weird saying that because I suffer from acute imposter syndrome, but yeah, I designed an IM system for journalists and other privacy conscious people and HD actually made it work! He has created a prototype, and much to everyone's surprise it actually works... we're on to something, so he'll be along after the news to talk about
invisible.im!

Then we're going to chat with HD some more in this week's sponsor interview. The research team at Rapid7's has been doing some really interesting work on massive internet scanning. That sort of thing has become pretty trendy in the last couple of years, but the Rapid7 team have really pushed this stuff towards the
cutting edge. They've also discovered some hilarious vulnerabilities out there in the process. Rapid7's Mark Schloesser will be at BlackHat to talk about their latest research, but HD joins the show today to preview it.

Adam Boileau, as always, joins us for a check of the week's news headlines.

Risky Business #328 -- HD Moore talks massive scanning and invisible.im
0:00 / 0:00