Risky Business #376 -- Sniper rifles, bank safes and Android all pwned

Are 950m devices really at risk? Joshua Drake talks Stagefright bugs...
30 Jul 2015 » Risky Business

This week we're checking in with Josh Drake of Zimperium. With exploitation of Stagefright via Josh's sweet, sweet exploit, you'd think the mother of all worms is coming. Well, probably not. Later versions of Android are tricky to exploit, and the diversity of hardware in earlier versions means coming up with one exploit to rule them all isn't really feasible. We'll drill down into that with Josh in a little while.

This week's show is brought to you by Tenable Network Security. Tenable's very own Jack Daniel will be along in this week's sponsor interview to add a bit of context to recent car hacking news. Jack was a mechanic in a previous life. I myself worked for Bosch as an engineer designing automotive electronics in the 90s. So we put our old man pants on and talk about how we arrived in a world where 1.4 million Chrysler owners are patching their vehicles against security flaws using a mailed-out USB stick.

Adam Boileau, as usual, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Hackers Can Disable a Sniper Rifle-Or Change Its Target | WIRED
http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-t...

Brinks' Super-Secure Smart Safes: Not So Secure | WIRED
http://www.wired.com/2015/07/brinks-super-secure-smart-safes-not-secure/

Researchers Hack Air-Gapped Computer With Simple Cell Phone | WIRED
http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple...

US Census Bureau IT systems hacked, data leaked by Anonymous • The Register
http://www.theregister.co.uk/2015/07/23/us_census_bureau_hacked/

NSA: We'll move your metadata into /dev/null when you stop suing us • The Register
http://www.theregister.co.uk/2015/07/27/nsa_phone_metadata_latest/

White House Says No Thanks to Snowden Pardon Petition | Threatpost | The first stop for security news
https://threatpost.com/white-house-says-no-thanks-to-snowden-pardon-peti...

New Chrome Extension Helps Combat Keyboard Biometrics | Threatpost | The first stop for security news
https://threatpost.com/new-chrome-extension-helps-combat-keyboard-biomet...

Researchers claim they've developed a better, faster Tor | Ars Technica
http://arstechnica.com/information-technology/2015/07/researchers-claim-...

A public marketplace for hackers-what could possibly go wrong? | Ars Technica
http://arstechnica.com/security/2015/07/a-public-marketplace-for-hackers...

Pakistan bans BlackBerry messaging, e-mail for "security reasons" | Ars Technica
http://arstechnica.com/security/2015/07/pakistan-bans-blackberry-messagi...

What amateurs can learn from security pros about staying safe online | Ars Technica
http://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-sec...

Yahoo Touts Success of Bug Bounty Program | Threatpost | The first stop for security news
https://threatpost.com/yahoo-touts-success-of-bug-bounty-program/114019

Malvertising campaign hits 10 MEELLION users in 10 days • The Register
http://www.theregister.co.uk/2015/07/29/malvertising_affects_10_million/

Click-Fraud Malware Spreading via JavaScript Attachments | Threatpost | The first stop for security news
https://threatpost.com/click-fraud-malware-spreading-via-javascript-atta...

Group that hacked Anthem shared weaponized 0-days with rival attackers | Ars Technica
http://arstechnica.com/security/2015/07/group-that-hacked-anthem-shared-...

Apple Patches Remote 'Invoice Vulnerability' in iTunes, App Store | Threatpost | The first stop for security news
https://threatpost.com/apple-patches-remote-invoice-vulnerability-in-itu...

Xen reports new guest-host escape, this time through CD-ROMs • The Register
http://www.theregister.co.uk/2015/07/28/xen_reports_new_guesthost_escape...

PHP File Manager Riddled With Vulnerabilities, Including Backdoor | Threatpost | The first stop for security news
https://threatpost.com/php-file-manager-riddled-with-vulnerabilities-inc...

New vulnerability can put Android phones into permanent vegetative state | Ars Technica
http://arstechnica.com/security/2015/07/new-vulnerability-can-put-androi...

WordPress Patches Critical XSS Vulnerability in All Builds | Threatpost | The first stop for security news
https://threatpost.com/wordpress-patches-critical-xss-vulnerability-in-a...

Valve patches security hole that enabled takeover of Steam accounts | Ars Technica
http://arstechnica.com/gaming/2015/07/valve-patches-security-hole-that-e...

Critical Remotely Exploitable Bug Haunts BIND | Threatpost | The first stop for security news
https://threatpost.com/critical-remotely-exploitable-bug-haunts-bind/114008

950 million Android phones can be hijacked by malicious text messages | Ars Technica
http://arstechnica.com/security/2015/07/950-million-android-phones-can-b...

La Policía by labjacd | Free Listening on SoundCloud
https://soundcloud.com/labjacd/la-policia