Risky Business Podcast

October 16, 2014

Risky Business #341 -- Beware of the poodle

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's show we're chatting with Matt Solnik of Accuvant Labs about his stellar presentation at Breakpoint last week. In this interview he describes how he can leverage crappy carrier management client software into full remote compromise attacks against most smartphones, including fully patched iOS8 and Android. It's savage stuff and if you work in telcoland you'd be nuts to miss it.

This week's show is brought to you by tenable network security. Tenable's very own Marcus Ranum will be along in this week's sponsor interview to chime in on desktop virtualisation trends, as well as cloud, remote desktop, the browser as a terminal and enterprise computing in general. The mainframe is dead. Long live the mainframe. It's a great chat.

Show notes

There Is a New Security Vulnerability Named POODLE, and It Is Not Cute | WIRED
http://www.wired.com/2014/10/poodle-explained/

Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack | Threatpost | The first stop for security news
http://threatpost.com/browser-vendors-move-to-disable-sslv3-in-wake-of-p...

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker | WIRED
http://www.wired.com/2014/10/bahraini-activists-go-after-spyware-source/

NSA May Have Undercover Operatives in Foreign Companies | WIRED
http://www.wired.com/2014/10/nsa-may-undercover-operatives-foreign-compa...

Russian 'Sandworm' Hack Has Been Spying on Foreign Governments for Years | WIRED
http://www.wired.com/2014/10/russian-sandworm-hack-isight/

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED
http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online/

Judge Rejects Defense That FBI Illegally Hacked Silk Road-On a Technicality | WIRED
http://www.wired.com/2014/10/silk-road-judge-technicality/

Snapchat Can't Stop the Parasite Apps That Screw Its Users | WIRED
http://www.wired.com/2014/10/snapchat-parasite-apps/

Developer of hacked Snapchat web app says "Snappening" claims are hoax [Updated] | Ars Technica
http://arstechnica.com/security/2014/10/developer-of-hacked-snapchat-web...

Dropbox Denies Hack, Says 'Your Stuff is Safe' | Threatpost | The first stop for security news
http://threatpost.com/dropbox-denies-hack-says-your-stuff-is-safe/108824

Malware Based Credit Card Breach at Kmart - Krebs on Security
http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-k...

Signed Malware = Expensive "Oops" for HP - Krebs on Security
http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/

Who's Watching Your WebEx? - Krebs on Security
http://krebsonsecurity.com/2014/10/whos-watching-your-webex/

Doubling up on Ads Code Bounties
https://www.facebook.com/notes/protect-the-graph/doubling-up-on-ads-code...

Heistmeisters crack cost of safecrackers with $150 widget \u2022 The Register
http://www.theregister.co.uk/2014/10/13/heistmeisters_crack_cost_of_safe...

Shellshock Exploits Spreading Mayhem Botnet Malware | Threatpost | The first stop for security news
http://threatpost.com/shellshock-exploits-spreading-mayhem-botnet-malwar...

October 2014 Oracle Java Security Patches | Threatpost | The first stop for security news
http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracl...

Fixes for IE, Flash Player in October Patch Tuesday Release | Threatpost | The first stop for security news
http://threatpost.com/fixes-for-ie-flash-player-in-october-patch-tuesday...

Firms Detail Zero Days Targeting Windows Kernel | Threatpost | The first stop for security news
http://threatpost.com/two-patched-zero-days-targeting-windows-kernel/108860

Drupal Fixes Highly Critical SQL Injection Flaw | Threatpost | The first stop for security news
http://threatpost.com/drupal-fixes-highly-critical-sql-injection-flaw/10...

SAP Patches Seven Vulnerabilities in Three Products | Threatpost | The first stop for security news
http://threatpost.com/sap-patches-seven-vulnerabilities-in-three-product...

BlackBerry 10 Open to Bug That Allows Malicious App Installation | Threatpost | The first stop for security news
http://threatpost.com/blackberry-10-devices-open-to-bug-that-allows-mali...

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
http://googleonlinesecurity.blogspot.co.nz/2014/10/this-poodle-bites-exp...

Speakers \xbb Breakpoint 2014
https://ruxconbreakpoint.com/speakers/#Mathew Solnik

Tower Of Power - Soul Vaccination - YouTube
https://www.youtube.com/watch?v=46hd6DZS0ww

Risky Business #341 -- Beware of the poodle

0:00 / 69:01

Risky Business Podcast

October 09, 2014

Risky Business #340 -- BPX droppin' iOS8 remote jailbreaks like it "ain't no thang"

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show was recorded on site at the Ruxcon Breakpoint conference in Melbourne. There have been a handful of absolute jaw-droppers among the presentations here, including a demo showcasing remote code exec against *most* mobile devices, including fully patched iOS8.

This week's show is brought to you by Context information security and we've got a great chat coming up with Mark Graham, Context's head of threat intelligence. He spends most of his days hip deep in data Context has gathered on APT groups, and he's seen some interesting trends. Bad guys are apparently using vendor analysis/blog posts to improve their "product", the Russians are getting in on the action and there's a renewed effort in keeping APT campaigns stealthy.

Show notes

Shellshock-like Vulnerability May Affect Windows | Threatpost | The first stop for security news
http://threatpost.com/shellshock-like-weakness-may-affect-windows/108696

White hat claims Yahoo and WinZip hacked by "shellshock" exploiters | Ars Technica
http://arstechnica.com/security/2014/10/white-hat-claims-yahoo-and-winzi...

Yahoo says attack wasn't Shellshock - CNET
http://www.cnet.com/news/yahoo-late-to-fix-shellshock-threat/

That Unpatchable USB Malware Now Has a Patch ... Sort Of | WIRED
http://www.wired.com/2014/10/unpatchable-usb-malware-now-patchsort/

Twitter Sues the Government for Violating Its First Amendment Rights | WIRED
http://www.wired.com/2014/10/twitter-sues-government/

Feds 'Hacked' Silk Road Without a Warrant? Perfectly Legal, Prosecutors Argue | WIRED
http://www.wired.com/2014/10/feds-silk-road-hack-legal/

Finding a Video Poker Bug Made These Guys Rich-Then Vegas Made Them Pay | WIRED
http://www.wired.com/2014/10/cheating-video-poker/

AT&T Hit By Insider Breach | Threatpost | The first stop for security news
http://threatpost.com/att-hit-by-insider-breach/108705

Huge Data Leak at Largest U.S. Bond Insurer - Krebs on Security
http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-in...

Arbor: DDoS Attacks Getting Bigger as Reflection Increases | Threatpost | The first stop for security news
http://threatpost.com/arbor-ddos-attacks-getting-bigger-as-reflection-in...

Create app-specific passwords for iCloud - CNET
http://www.cnet.com/how-to/how-to-create-app-specific-passwords-for-icloud/

Bugzilla Zero-Day Exposes Zero-Day Bugs - Krebs on Security
http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/

Tyupkin ATM Malware Discovered by Kaspersky Lab | Threatpost | The first stop for security news
http://threatpost.com/tyupkin-malware-infects-atms-in-eastern-europe/108734

Reddit-powered botnet infected thousands of Macs worldwide | Ars Technica
http://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-t...

FDA: Medical device cybersecurity necessary, but optional | Ars Technica
http://arstechnica.com/security/2014/10/fda-medical-device-cybersecurity...

Adobe's e-book reader sends your reading logs back to Adobe-in plain text [Updated] | Ars Technica
http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-...

October 2014, Melbourne
http://www.contextis.com/events/oasis/october-2014-melbourne/

Alice Russell - Twin Peaks - YouTube
https://www.youtube.com/watch?v=vySmFB_vUeg

Risky Business #340 -- BPX droppin' iOS8 remote jailbreaks like it "ain't no thang"

0:00 / 60:14

Risky Business Podcast

October 03, 2014

Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with Neel Mehta, a security researcher with Google. Neel is best known for finding the Heartbleed bug, and he joins us this week to talk about Heartbleed, ShellShock, the security of SSL stacks and where he expects vuln research to go in the future.

Funnily enough this is Neel's first interview about Heartbleed, so I guess we can call this a scoop!

This week's show is brought to you by Bromium, makers of fine, fine exploit mitigation software. Personally I'm a real fan of Bromium's stuff. They're relatively new, but if you have a Java problem in your enterprise, as in, you have to have Java in your enterprise, Bromium has a solution for you -- they make micro-vm software that mitigates memory corruption bugs and it's actually quite good.

Bromium's chief security architect Rahul Kashyap joins us this week to talk about some malvertising research he presented at the virus bulletin conference recently, and he also previews the results of Bromium's code audit. That's right, a security software company actually had their software audited! Bowl me over. The audit report will be available next week, but we get the inside scoop on that before it's out.

Show notes

JPMorgan hack exposed data of 83 million, among biggest breaches in history
http://www.theage.com.au/business/world-business/jpmorgan-hack-exposed-d...

Xen Bug Could cause Crashes, Expose Cloud Data | Threatpost | The first stop for security news
http://threatpost.com/serious-hypervisor-bug-fix-causes-unexpected-cloud...

Musings on the recent Xen Security Advisories | Bromium Labs
http://labs.bromium.com/2014/10/01/musings-on-the-recent-xen-security-ad...

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 | Ars Technica
http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-i...

OpenVPN vulnerable to Shellshock Bash vulnerability | Threatpost | The first stop for security news
http://threatpost.com/openvpn-vulnerable-to-shellshock-bash-vulnerabilit...

Fiora\u202e\u2604anreteA on Twitter: "RT "cmd.exe #shellshock" @dakami: "this is why we can't have nice strings" http://t.co/9LPTbtVazr"
https://twitter.com/FioraAeterna/status/517791046835920897

Silk Road Lawyers Poke Holes in FBI's Story - Krebs on Security
http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-holes-in-fbis-...

The Unpatchable Malware That Infects USBs Is Now on the Loose | WIRED
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan
https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-tr...

If the information from https://www.lacoon.com/lacoon-discovers-xsser-mrat-first - Pastebin.com
http://pastebin.com/Zkhpn8bG

Holder urges tech companies to leave device backdoors open for police - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/30/holder-urge...

Cops Are Handing Out Spyware to Parents-With Zero Oversight | WIRED
http://www.wired.com/2014/10/cops-giving-parents-spyware/

The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED
http://www.wired.com/2014/10/stealthgenie-indictment/

CloudFlare Rolls Out Free SSL | Threatpost | The first stop for security news
http://threatpost.com/cloudflare-rolls-out-free-ssl/108593

FBI to Open Up Malware Investigator Portal to External Researchers | Threatpost | The first stop for security news
http://threatpost.com/fbi-to-open-up-malware-investigator-portal-to-exte...

Chrome bug hunters, Google's giving you a raise - CNET
http://www.cnet.com/news/chrome-bug-hunters-googles-giving-you-a-raise/

WPScan Vulnerability Database WordPress Security Resource | Threatpost | The first stop for security news
http://threatpost.com/wpscan-vulnerability-database-a-new-wordpress-secu...

Second Same-Origin Policy Bypass Flaw Haunts Android Browser | Threatpost | The first stop for security news
http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-andro...

Advertising firms struggle to kill malvertisements | Ars Technica
http://arstechnica.com/security/2014/09/advertising-firms-struggle-to-ki...

www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf
http://www.bromium.com/sites/default/files/bromium-report-optimized-mal-...

The Basics
https://www.facebook.com/thebasics

Leftovers | The Basics
http://thebasics.bandcamp.com/album/leftovers-2

Risky Business #339 -- Neel Mehta on Heartbleed, Shellshock

0:00 / 59:35

Risky Business Podcast

September 26, 2014

Risky Business #338 -- BASHPOCALYPSE 2014

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In addition to covering the end of the world, this week's Risky Business features Don Bailey of Lab Mouse Security on his excellent IoT blog post, written largely in response to a Daily Dave post by Dave Aitel on so-called "junk hacking".

This week's show is brought to you by Context Information Security, big thanks to them! And in this week's sponsor interview we chat with Context's director of research Michael Jordon about his adventures in getting old computer games to work on printer screens. It's actually pretty cool.

Show notes

Shell Shock: Bash bug labelled largest ever to hit the internet
http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-l...

Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks | WIRED
http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create...

The Internet Braces for the Crazy Shellshock Worm | WIRED
http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/

Patching Bash Vulnerability a Challenge for ICS, SCADA | Threatpost | The first stop for security news
http://threatpost.com/patching-bash-vulnerability-a-challenge-for-ics-sc...

Bash Botnet Exploit Found, Bash Patches Incomplete | Threatpost | The first stop for security news
http://threatpost.com/bash-exploit-reported-first-round-of-patches-incom...

Mozilla Patches RSA Signature Forgery in NSS, Firefox | Threatpost | The first stop for security news
http://threatpost.com/mozilla-patches-rsa-signature-forgery-in-firefox-t...

Xen security bug, you say? Amazon readies GLORIOUS GLOBAL CLOUD REBOOT \u2022 The Register
http://www.theregister.co.uk/2014/09/25/amazon_readies_global_glory_reboot/

Amazon forced to reboot EC2 to patch Xen bug - Storage - News - iTnews.com.au
http://www.itnews.com.au/News/396180,amazon-forced-to-reboot-ec2-to-patc...

Terror laws clear Senate, enabling entire Australian web to be monitored and whistleblowers to be jailed
http://www.smh.com.au/digital-life/consumer-security/terror-laws-clear-s...

Senate rejects attempt to limit ASIO's access to devices - Security - Telco/ISP - News - iTnews.com.au
http://www.itnews.com.au/News/396179,senate-rejects-attempt-to-limit-asi...

Charney on Trustworthy Computing: 'I Was the Architect of These Changes' | Threatpost | The first stop for security news
http://threatpost.com/charney-on-trustworthy-computing-i-was-the-archite...

Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits | WIRED
http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/

Home Depot's former security architect had history of techno-sabotage | Ars Technica
http://arstechnica.com/security/2014/09/home-depots-former-security-arch...

Home Depot ignored security warnings for years, employees say | Ars Technica
http://arstechnica.com/security/2014/09/home-depot-ignored-security-warn...

MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code | WIRED
http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-deman...

PayPal takes second cautious step towards Bitcoin - Finance - Security - News - iTnews.com.au
http://www.itnews.com.au/News/392418,paypal-takes-second-cautious-step-t...

Why the Heyday of Credit Card Fraud Is Almost Over | WIRED
http://www.wired.com/2014/09/emv/

Small Signs of Progress on DNSSEC | Threatpost | The first stop for security news
http://threatpost.com/small-signs-of-progress-on-dnssec/108536

Microsoft Online Services Bug Bounty Program Launches | Threatpost | The first stop for security news
http://threatpost.com/microsoft-starts-online-services-bug-bounty/108486

Blackphone Bug Bounty Program Launches on Bugcrowd | Threatpost | The first stop for security news
http://threatpost.com/blackphone-gets-bug-bounty-program-off-ground/108468

Productivity Trumping Security as BYOD Grows | Threatpost | The first stop for security news
http://threatpost.com/productivity-gains-trumping-security-as-byod-grows...

Researcher Discloses Wi-Fi Thermostat Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/researcher-discloses-wi-fi-thermostat-vulnerabilit...

Kali NetHunter turns Android device into hacker Swiss Army knife | Ars Technica
http://arstechnica.com/information-technology/2014/09/kali-nethunter-tur...

The Mouse Trap: No Thing Left Behind
http://blog.securitymouse.com/2014/09/no-thing-left-behind.html

[Dailydave] Junk Hacking Must Stop!
https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746....

Hacking Canon Pixma Printers - Doomed Encryption
http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doo...

Dawn LP/CD | HopeStreet Recordings
http://www.hopestreetrecordings.com/releases/dawn/

Risky Business #338 -- BASHPOCALYPSE 2014

0:00 / 63:05

Risky Business Podcast

September 19, 2014

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's show we chat with The Grugq about the latest invisible.im announcement and we'll also meet the creator of the Ricochet anonymous messenger software, John Brooks.

In this week's sponsor interview we chat with Senetas CTO Julian Fay about an interesting paper on defeating traffic analysis attacks against encrypted cloud storage, and also a "sign of the times" Kickstarter... a group has managed to get a weird little crypto device funded... basically a hardware crypto module. You plug your phone in on one end and your headset in on the other. They've raised over $40k, but who's going to use this?

Show notes

WikiLeaks - SpyFiles 4
https://wikileaks.org/spyfiles4/customers.html

New Zealand secretly built spying program, report says - CNET
http://www.cnet.com/news/new-zealand-secretly-built-spying-program-repor...

Moment of Truth gifts Team Key a late bounce in polls - National - NZ Herald News
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11327321

'Speargun' program is fantasy, says cable operator \u2022 The Register
http://www.theregister.co.uk/2014/09/16/speargun_program_is_fantasy_says...

Student Freya Newman pleads guilty to hacking Frances Abbott design scholarship files | The Australian
http://www.theaustralian.com.au/news/nation/student-freya-newman-pleads-...

Tim Cook explains Apple's privacy policies in open letter - CNET
http://www.cnet.com/news/tim-cook-explains-apples-privacy-policies-in-op...

Apple takes 'very different view' on customer privacy, Cook says - CNET
http://www.cnet.com/news/apple-takes-very-different-view-on-customer-pri...

Apple - Privacy
http://www.apple.com/privacy/

Apple transparency reports allude to Patriot Act demands - CNET
http://www.cnet.com/news/apple-transparency-reports-allude-to-patriot-ac...

Apple Extends Two-Factor Authentication to iCloud | Threatpost | The first stop for security news
http://threatpost.com/apple-extends-two-factor-authentication-to-icloud/...

Three Things Apple Can Do to Fix iCloud's Awful Security | WIRED
http://www.wired.com/2014/09/three-things-apple-can-fix-iclouds-awful-se...

Despite Apple's Privacy Pledge, Cops Can Still Pull Data Off a Locked iPhone | WIRED
http://www.wired.com/2014/09/apple-iphone-security/

Newest Androids will join iPhones in offering default encryption, blocking police - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-andr...

Microsoft closing standalone Trustworthy Computing group, folding into other units - GeekWire
http://www.geekwire.com/2014/microsoft-closing-standalone-trustworthy-co...

Home Depot Data Breach Put 56 Million Cards at Risk | Threatpost | The first stop for security news
http://threatpost.com/56-million-payment-cards-at-risk-in-home-depot-dat...

POS Service Confirms Goodwill Breach Lasted 18 Months | Threatpost | The first stop for security news
http://threatpost.com/pos-service-confirms-goodwill-breach-lasted-18-mon...

Heartbleed to blame for Community Health Systems breach | CSO Online
http://www.csoonline.com/article/2466726/data-protection/heartbleed-to-b...

Announcing Keyless SSL\u2122: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys
http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cl...

SNMP DDoS Attack Spoofs Google DNS Server | Threatpost | The first stop for security news
http://threatpost.com/snmp-based-ddos-attack-spoofs-google-public-dns-se...

OWASP Releases Latest App Sec Testing Guide | Threatpost | The first stop for security news
http://threatpost.com/owasp-releases-latest-app-sec-guide/108396

\u200bInternet's security bug tracker faces its 'Y2K' moment - CNET
http://www.cnet.com/news/internets-security-bug-tracker-faces-its-y2k-mo...

Big Batch of Bugs Fixed in Various Versions of IDA | Threatpost | The first stop for security news
http://threatpost.com/big-batch-of-bugs-fixed-in-various-versions-of-ida...

iOS 8 also comes with bucket of security fixes - CNET
http://www.cnet.com/news/ios-8-also-comes-with-bucket-of-security-fixes/

Android Browser flaw a "privacy disaster" for half of Android users | Ars Technica
http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-d...

September 2014 Adobe Reader Acrobat Patches | Threatpost | The first stop for security news
http://threatpost.com/adobe-gets-delayed-reader-update-out-the-door/108310

My Social SherpaPranking My Roommate With Eerily Targeted Facebook Ads
http://mysocialsherpa.com/the-ultimate-retaliation-pranking-my-roommate-...

WikiLeaks posts 'weaponized malware' for all to download | ZDNet
http://www.zdnet.com/astonishingly-irresponsible-wikileaks-posts-weaponi...

Kiwicon CFP
https://kiwicon.org/cfp2014.txt

JackPair: secure your voice phone calls against wiretapping by Jeffrey Chang & the AWIT team - Kickstarter
https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-p...

MS and University Devs Make The Melbourne Shuffle \u2022 Cloudwards.net
http://www.cloudwards.net/news/ms-and-university-devs-make-the-melbourne...

Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying | WIRED
http://www.wired.com/2014/09/new-encrypted-chat-program-thwarts-nsa-elim...

Why I started invisible.im | Risky Business
http://risky.biz/news_and_opinion/patrick-gray/2014-09-18/why-i-started-...

Risky Business #337 -- The Grugq and John Brooks on invisible.im and Ricochet

0:00 / 58:12

Risky Business Podcast

September 12, 2014

Risky Business 336 -- Too many cons

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we've got a great interview with Haroon Meer of Thinkst. Thinkst has a paid service that analysis the output of security conferences and puts together reports. Now, some of you might wonder why such a service would be needed, so let's put things in perspective: there were 2,700 conference presentations in the second quarter of this year at 116 events over 140 conference days. Yikes!

Haroon will be along in a bit to talk about the conference content boom, and he's also made their latest report free for Risky Business listeners! As I say, it's part of Thinkst's paid subscription service, so you'd be nuts not to grab it.

This week's show is brought to you by Tenable Network Security, thanks to the guys and gals over there. In this week's sponsor interview we're chatting with Paul Asadoorian, Tenable's product marketing manager for Nessus.

Paul is also well known as the host of the security weekly podcast! It's an infosec podcast with a massive audience that you've no doubt heard of.

We're chatting with Paul about embedded devices. He co-wrote a book on hacking the WRT54g home wireless gateway some years ago and he's gearing up to teach a SANS course on embedded device assessments. So yeah, Paul's going to stop by and discuss the state of all things embedded.

Show notes

Dread Pirate Sunk By Leaky CAPTCHA - Krebs on Security
http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/

FBI's Story of Finding Silk Road's Server Sounds a Lot Like Hacking | WIRED
http://www.wired.com/2014/09/fbi-silk-road-hacking-question/

Should we be worried? Showing on login page : SilkRoad
http://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_be_worried_sh...

Troll or thief? User claims Bitcoin founder Satoshi Nakamoto dox sabotage \u2022 The Register
http://www.theregister.co.uk/2014/09/10/troll_or_thief_user_claims_satos...

PayPal goes crypto-currency with Bitcoin \u2022 The Register
http://www.theregister.co.uk/2014/09/11/paypal_goes_cryptocurrency_with_...

Feds Threatened to Fine Yahoo $250K Daily for Not Complying With PRISM | WIRED
http://www.wired.com/2014/09/feds-yahoo-fine-prism/

Five Million Email Passwords, Addresses Leak Russian Forum | Threatpost | The first stop for security news
http://threatpost.com/five-million-email-passwords-addresses-appear-on-r...

Home Depot Data Breach Confirmed | Threatpost | The first stop for security news
http://threatpost.com/home-depot-confirms-breach-transactions-from-april...

BlackPOS malware confirmed in Home Depot US hack - Security - News - iTnews.com.au
http://www.itnews.com.au/News/391880,blackpos-malware-confirmed-in-home-...

Apple Plans to Extend 2FA to iCloud | Threatpost | The first stop for security news
http://threatpost.com/apple-plans-to-extend-2fa-to-icloud/108106

After hacking, Apple to send out more security alerts to users | Ars Technica
http://arstechnica.com/security/2014/09/after-hacking-apple-to-send-out-...

Barclays brings finger-vein biometrics to Internet banking | Ars Technica
http://arstechnica.com/security/2014/09/barclays-brings-finger-vein-biom...

Researchers find data leaks in Instagram, Grindr, OoVoo and more - CNET
http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr...

Salesforce Warns Customers of Dyreza Banker Trojan Attacks | Threatpost | The first stop for security news
http://threatpost.com/salesforce-warns-customers-of-dyreza-banker-trojan...

Traffic Networks Firm Patches Sensor Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/traffic-networks-company-patches-sensor-vulnerabil...

Microsoft to patch ASP.NET mess even if you don't \u2022 The Register
http://www.theregister.co.uk/2014/09/11/microsoft_kills_dangerous_aspnet...

Cisco Patches Denial-of-Services Vulnerability in IMC | Threatpost | The first stop for security news
http://threatpost.com/us-cert-warns-of-vulnerability-in-cisco-baseboard-...

September 2014 Microsoft Patch Tuesday security bulletins | Threatpost | The first stop for security news
http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175

Critical Fixes for Adobe, Microsoft Software - Krebs on Security
http://krebsonsecurity.com/2014/09/critical-fixes-for-adobe-microsoft-so...

Apache Warns of Tomcat Remote Code Execution Vulnerability | Threatpost | The first stop for security news
http://threatpost.com/apache-warns-of-tomcat-remote-code-execution-vulne...

Infamous "podcast patent" heads to trial | Ars Technica
http://arstechnica.com/tech-policy/2014/09/jim-logan-says-he-invented-po...

thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf
http://thinkst.com/ts/free/ThinkstScapes-2014-Q2-v1.0.pdf

Embedded Device Security Assessments For The Rest Of Us
http://www.sans.org/course/embedded-device-security-assessments

Risky Business 336 -- Too many cons

0:00 / 70:10

Risky Business Podcast

September 05, 2014

Risky Business #335 -- Whaledump hacker could change NZ government

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

I'm back from a two week holiday in beautiful Indonesia, so we'll be spending most of this show catching up on what I missed while I was away! So there's plenty of news to talk about with Adam Boileau, and also a chat about some very interesting politicking going on in New Zealand.

A hacker going by the name of Whaledump has been dropping leaked emails and documents all over the place that are causing all sorts of headaches for the government. If that wasn't enough, Kim Dot Com has jumped into the fray... apparently he has a big reveal coming on September 15th that could change the course of the NZ election campaign. Is this the future of democracy?

This week's show is brought to you by BugCrowd, big thanks to them.

We'll be chatting with BugCrowd head honcho Casey Ellis all about the skills shortage in infosec, particularly in testing. People interested in a career in infosec are using platforms like BugCrowd as a proving ground, but will that pipeline be enough to satiate the demand for talent out there?

Risky Business #335 -- Whaledump hacker could change NZ government

0:00 / 66:55

Risky Business Podcast

August 14, 2014

Risky Business #334 -- Brian Snow reflects on 34 years at NSA, Snowden

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're having an extended chat with 34-year NSA veteran Brian Snow. During his career he rose to director level -- he acted as technical director of three divisions within the agency -- before he retired in 2006.

Brian joins us to talk about the Snowden disclosures and how the NSA's culture changed post 9/11.

Brian also had some great comments on quantum crypto concerns that I've broken out into a separate podcast - I've put that one in the RB2 feed along with a recording of a panel I hosted at the Splendour in the Grass music festival a few weeks ago. You can find them in the RB2 feed.

This week's show is brought to you by Tenable Network Security, thanks to them, and in this week's sponsor interview we're chatting with Tenable CEO Ron Gula about continuous monitoring.

Adam Boileau joins us for this week's news, as does special guest Andrew Colley.

Show notes

Why surveillance companies hate the iPhone - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/11/why-surveil...

Edward Snowden: The Untold Story | Threat Level | WIRED
http://www.wired.com/2014/08/edward-snowden/#ch-1

Snowden: I Left the NSA Clues, But They Couldn't Find Them | Threat Level | WIRED
http://www.wired.com/2014/08/snowden-breadcrumbs/

Blackphone DEF CON Vulnerabilities Difficult to Exploit | Threatpost | The first stop for security news
http://threatpost.com/fog-lifts-on-rooted-blackphone-merry-go-round/107711

Techno-Archaeologists Used an Abandoned McDonald's to Hijack a Satellite | Motherboard
http://motherboard.vice.com/read/techno-archaeologists-used-an-abandoned...

Anonymous Posts St. Louis Police Dispatch Tapes From Day of Ferguson Shooting | Mother Jones
http://www.motherjones.com/politics/2014/08/anonymous-releases-st-louis-...

Dan Tentler (Viss) on Twitter
https://twitter.com/viss

Obama picks former Googler to head federal tech overhaul - CNET
http://www.cnet.com/news/obama-picks-former-googler-to-head-federal-tech...

Millions of PCs Affected by Mysterious Computrace Backdoor | Threatpost | The first stop for security news
http://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-...

Study: Uyghur Remain in Crosshairs of Targeted Attacks | Threatpost | The first stop for security news
http://threatpost.com/study-confirms-uyghur-remain-in-crosshairs-of-targ...

The Dole Bludger's Revenge | newmatilda.com
https://newmatilda.com/2014/08/12/dole-bludgers-revenge

Disqus Patches CSRF, Other Flaws in Plugin | Threatpost | The first stop for security news
http://threatpost.com/disqus-patches-csrf-other-flaws-in-plugin/107738

Authentication Bypass Bug Fixed in BlackBerry Z10 | Threatpost | The first stop for security news
http://threatpost.com/authentication-bypass-bug-fixed-in-blackberry-z10/...

IE to Block Older ActiveX Controls, Starting with Java | Threatpost | The first stop for security news
http://threatpost.com/ie-to-block-older-activex-controls-starting-with-j...

Adobe, Microsoft Push Critical Security Fixes - Krebs on Security
http://krebsonsecurity.com/2014/08/adobe-microsoft-push-critical-securit...

Book alleges dirty National Party politics; Greens, Slater to lay complaints - National - NZ Herald News
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11308458

Q&A: Malcolm Turnbull on data retention - Networking - Security - Software - Telco/ISP - News - iTnews.com.au
http://www.itnews.com.au/News/390859,qa-malcolm-turnbull-on-data-retenti...

PILOTS EP | PILOTS
http://pilotsmusicau.bandcamp.com/releases

Risky Business #334 -- Brian Snow reflects on 34 years at NSA, Snowden

0:00 / 67:58

Risky Business Podcast

August 08, 2014

Risky Business #333 -- Yahoo CISO Alex Stamos joins the show

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

We've got an absolute cracker of a show for you this week. I've let it run longer than usual because we've just got some great news and interviews this week.

Our feature interview is with Alex Stamos, Yahoo's CISO. We hear from him on what his job looks like -- Yahoo has a billion users and its business and technology is incredibly diverse. So what has Alex been up to since he took the helm earlier this year? Tune in to find out!

In this week's sponsor interview we chat with Rahul Kashyap, Bromium's Chief Security Architect. Bromium has taken a look at endpoint exploitation trends and it might surprise you to know that in 2014 there have been more public exploits for IE than for Java!

Show notes

Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published | netzpolitik.org
https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-do...

Phineas Fisher (GammaGroupPR) on Twitter
https://twitter.com/gammagrouppr

Leaked Files: German Spy Company Helped Bahrain Hack Arab Spring Protesters - The Intercept
https://firstlook.org/theintercept/2014/08/07/leaked-files-german-spy-co...

Russian Hackers Amass Over a Billion Internet Passwords - NYTimes.com
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-...

Files containing 360 million credentials, 1.25 billion email addresses, located on Deep Web - SC Magazine
http://www.scmagazine.com/files-containing-360-million-credentials-125-b...

Q&A on the Reported Theft of 1.2B Email Accounts - Krebs on Security
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-emai...

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them | Threat Level | WIRED
http://www.wired.com/2014/08/cia-0day-bounty/

Security expert calls home routers a clear and present danger | Ars Technica
http://arstechnica.com/security/2014/08/security-expert-calls-home-route...

Visit the Wrong Website, and the FBI Could End Up in Your Computer | Threat Level | WIRED
http://www.wired.com/2014/08/operation_torpedo/

Feds' Silk Road Investigation Broke Privacy Laws, Defendant Tells Court | Threat Level | WIRED
http://www.wired.com/2014/08/feds-silk-road-investigation-violated-priva...

Snowden's Russia asylum extended three more years - CNET
http://www.cnet.com/au/news/snowdens-russia-asylum-extended-three-more-y...

Schneier on Security: The US Intelligence Community has a Third Leaker
https://www.schneier.com/blog/archives/2014/08/the_us_intellig.html

Terrorists embracing new Android crypto in wake of Snowden revelations | Ars Technica
http://arstechnica.com/tech-policy/2014/08/terrorists-embracing-new-andr...

Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins | Threat Level | WIRED
http://www.wired.com/2014/08/isp-bitcoin-theft/

How Hackable Is Your Car? Consult This Handy Chart | Autopia | WIRED
http://www.wired.com/2014/08/car-hacking-chart/

Watch This Wireless Hack Pop a Car's Locks in Minutes | Threat Level | WIRED
http://www.wired.com/2014/08/wireless-car-hack/

Can a plane be hacked via in-flight Wi-Fi? Researcher says it's so - CNET
http://www.cnet.com/au/news/can-a-plane-be-hacked-via-inflight-wi-fi-res...

Yes, Hackers Could Build an iPhone Botnet-Thanks to Windows | Threat Level | WIRED
http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnettha...

New Site Recovers Files Locked by Cryptolocker Ransomware - Krebs on Security
http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cry...

In major shift, Google boosts search rankings of HTTPS-protected sites | Ars Technica
http://arstechnica.com/security/2014/08/in-major-shift-google-boosts-sea...

Thousands of Mozilla developers' e-mail addresses, password hashes exposed | Ars Technica
http://arstechnica.com/security/2014/08/thousands-of-mozilla-developers-...

Oracle Database Redaction 'Trivial to Bypass' | Threatpost | The first stop for security news
http://threatpost.com/oracle-database-redaction-trivial-to-bypass/107631

Critical code execution bug in Samba gives attackers superuser powers | Ars Technica
http://arstechnica.com/security/2014/08/critical-code-execution-bug-in-s...

Microsoft security sandbox for IE: Still broken after all these years | Ars Technica
http://arstechnica.com/security/2014/08/microsoft-security-sandbox-for-i...

Help Australia's PM and attorney-general to define metadata \u2022 The Register
http://www.theregister.co.uk/2014/08/06/help_australias_pm_and_attorneyg...

Conservative Party Web Security
http://www.joshbrodie.co.nz/2014/08/08/conservative-party-web-security.html

Yahoo to begin offering PGP encryption support in Yahoo Mail service | Ars Technica
http://arstechnica.com/security/2014/08/yahoo-to-begin-offering-pgp-encr...

www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf
http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report...

Dilo by HopeStreet Recordings on SoundCloud - Hear the world's sounds
https://soundcloud.com/hopestreet-recordings/dilo?in=hopestreet-recordin...

Risky Business #333 -- Yahoo CISO Alex Stamos joins the show

0:00 / 78:10

Risky Business Podcast

August 01, 2014

Risky Business #332 -- Evading IDS with Multipath TCP

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're chat with Catherine Pearce of Neohapsis about some research she'll be presenting at BlackHat next week with her colleague Patrick Thomas. They're doing a talk all about Multipath TCP, and yes, it's exactly what it sounds like and yes, it's great for doing stuff like IDS evasion and confusing firewalls.

In this week's sponsor interview we speak with Senetas CTO Julian Fay about the so-called BADA55 paper. Senetas is about to ship elliptic curve algos with its gear -- is it reconsidering now we know that elliptic curves can be subverted? No way! Tune in to find out why.

Show notes

WikiLeaks publishes court suppression order over what Julian Assange calls 'unprecedented' case of censorship | News.com.au
http://www.news.com.au/technology/online/wikileaks-publishes-court-suppr...

Tor security advisory: "relay early" traffic confirmation attack | The Tor Blog
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traff...

Tor hidden services attacks deanonymize users | Threatpost | The first stop for security news
http://threatpost.com/tor-sniffs-out-attacks-trying-to-deanonymize-hidde...

Russia publicly joins war on Tor privacy with $111,000 bounty | Ars Technica
http://arstechnica.com/security/2014/07/russia-publicly-joins-war-on-tor...

Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED
http://www.wired.com/2014/07/usb-security/

Dark Reading Radio: Data Loss Prevention (DLP) Fail
http://www.darkreading.com/perimeter/dark-reading-radio-data-loss-prevention-(dlp)-fail/a/d-id/1297650?

Your iPhone Can Finally Make Free, Encrypted Calls | Threat Level | WIRED
http://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the...

arxiv.org/pdf/1407.4923v1.pdf
http://arxiv.org/pdf/1407.4923v1.pdf

Instasheep: Coder builds tool to hijack Instagram accounts over Wi-Fi | Ars Technica
http://arstechnica.com/security/2014/07/instasheep-coder-builds-tool-to-...

seL4 Secure Microkernel Made Open Source | Threatpost | The first stop for security news
http://threatpost.com/secure-microkernel-sel4-code-goes-open-source/107506

Hackers Plundered Israeli Defense Firms that Built 'Iron Dome' Missile Defense System - Krebs on Security
http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-fir...

CIA admits to spying on Senate committee - CNET
http://www.cnet.com/au/news/cia-admits-to-spying-on-senate-computers/

China rebuffs Canada for 'irresponsible' hacking claims - CNET
http://www.cnet.com/au/news/china-rebuffs-canada-for-irresponsible-hacki...

Service Drains Competitors' Online Ad Budget - Krebs on Security
http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-...

The App I Used to Break Into My Neighbor's Home | Threat Level | WIRED
http://www.wired.com/2014/07/keyme-let-me-break-in/

Microsoft Releases EMET 5.0 Exploit Mitigation Tool | Threatpost | The first stop for security news
http://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mit...

Crouching Yeti APT Campaign Stretches Back Four Years | Threatpost | The first stop for security news
http://threatpost.com/crouching-yeti-apt-campaign-stretches-back-four-ye...

New Backoff PoS Malware Identified in Several Attacks | Threatpost | The first stop for security news
http://threatpost.com/new-backoff-pos-malware-identified-in-several-atta...

Neohapsis Labs | Multipath TCP - BlackHat Briefings Teaser
http://labs.neohapsis.com/2014/07/29/multipath-tcp-blackhat-briefings-te...

We Never Change | Every Day Carry
http://everydaycarry.bandcamp.com/track/we-never-change

Risky Business #332 -- Evading IDS with Multipath TCP

0:00 / 53:12