Risky Business #396 -- Chris Wysopal on scanning for backdoors

PLUS Martijn Grooten, Haroon Meer and Adam Boileau!
28 Jan 2016 » Risky Business

On this week's show we've got two feature interviews!

We're talking to Chris Wysopal from Veracode about using static analysis techniques to find backdoors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough.

We also check in with Martijn Grooten, editor of Virus Bulletin. We have a quick chat with him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. Ormandy has been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact.

This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. We personally think this stuff is great... just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools.

Adam Boileau, as always, drops in for a chat about the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Israel's electric authority hit by "severe" hack attack [Updated] | Ars Technica
http://arstechnica.com/security/2016/01/israels-electric-grid-hit-by-sev...

Israeli Electric Authority Attacked, Potential Ransomware | Threatpost | The first stop for security news
https://threatpost.com/israeli-electric-authority-hit-by-severe-cyber-at...

SANS Industrial Control Systems Security Blog | Context for the Claim of a Cyber Attack on the Israeli Electric Grid | SANS Institute
https://ics.sans.org/blog/2016/01/27/context-for-the-claim-of-a-cyber-at...

Wendy's Probes Reports of Credit Card Breach - Krebs on Security
https://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card...

Moment of truth: Feds must say if they used backdoored Juniper firewalls | Ars Technica
http://arstechnica.com/tech-policy/2016/01/moment-of-truth-feds-must-say...

Secret SSH backdoor in Fortinet hardware found in more products | Ars Technica
http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-...

Media devices sold to feds have hidden backdoor with sniffing functions | Ars Technica
http://arstechnica.com/security/2016/01/media-devices-sold-to-feds-have-...

Lenovo SHAREit App Hard-Coded Password | Threatpost | The first stop for security news
https://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-...

Yet another bill seeks to weaken encryption-by-default on smartphones | Ars Technica
http://arstechnica.com/tech-policy/2016/01/yet-another-bill-seeks-to-wea...

Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt | Ars Technica
http://arstechnica.com/tech-policy/2016/01/bill-aims-to-thwart-strong-cr...

How Amazon customer service was the weak link that spilled my data | Ars Technica
http://arstechnica.com/security/2016/01/how-amazon-customer-service-was-...

"Internet of Things" security is hilariously broken and getting worse | Ars Technica
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-th...

NYC Launches Investigation Into Hackable Baby Monitors | WIRED
http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/

HD Moore Leaves Rapid7 for Venture Capital Opportunity | Threatpost | The first stop for security news
https://threatpost.com/hd-moore-to-build-new-venture-capital-firm/115969/

Zcash, an Untraceable Bitcoin Alternative, Launches in Alpha | WIRED
http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-la...

Government Investigation of Alleged Bitcoin Creator Craig Wright Intensifies - CoinDesk
http://www.coindesk.com/australia-government-bitcoin-creator-craig-wrigh...

Firm Sues Cyber Insurer Over $480K Loss - Krebs on Security
http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/

Scarlet Mimic Behind Espionage Campaign Against Tibetan, Uyghur Activists | Threatpost | The first stop for security news
https://threatpost.com/scarlet-mimic-group-behind-four-year-campaign-aga...

Bot Fraud to Cost Advertisers $7 Billion in 2016 | Threatpost | The first stop for security news
https://threatpost.com/bot-fraud-to-cost-advertisers-7-billion-in-2016/1...

Skype Now Hides Your Internet Address - Krebs on Security
http://krebsonsecurity.com/2016/01/skype-now-hides-your-internet-address/

Cisco MiniUPnP Stack Smashing Protection Attack | Threatpost | The first stop for security news
https://threatpost.com/miniupnp-vulnerability-clears-way-for-stack-smash...

January 2016 Apple Security Patches iOS, OS X, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/11...

OpenSSL to Patch Two Vulnerabilities This Week | Threatpost | The first stop for security news
https://threatpost.com/openssl-to-patch-two-vulnerabilities-this-week/11...

Magento Update Addresses XSS, CSRF Vulnerabilities | Threatpost | The first stop for security news
https://threatpost.com/magento-update-addresses-xss-csrf-vulnerabilities...

Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme | WIRED
http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-c...

iOS cookie theft bug allowed hackers to impersonate users | Ars Technica
http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hac...

Oracle Pushes Java Fix: Patch It or Pitch It - Krebs on Security
http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pi...

Canary - know when it matters
https://canary.tools/

canarytokens.net
http://canarytokens.org/generate