Risky Business #401 -- Deserialisation attacks are kind of a big deal

YSoSerial makes deserialisation attacks serious...
03 Mar 2016 » Risky Business

On this week's show we get into a serious technical discussion about deserialisation attacks with one of Adam Boileau's colleagues, Brendan Jamieson, about the biggest issue in infosec that no one is talking about -- deserialisation vulnerabilities and their exploitation.

This attack class is a serious problem in enterprise environments thanks to the release of the YSoSerial tool about a year ago. Pen-testers who are across this bug class are finding issues everywhere they look, and hardly anyone is talking about it. But we do, this week.

Also this week we'll chat with Chris Gatford, the big Kahuna over at this week's sponsor HackLabs. I was talking to Chris recently and he mentioned that cryptolocker ransomware really isn't just affecting consumers anymore.

There was the recent news about a hospital in California that got hosed by ransomware, but I always thought that was the exception to the rule and that consumers were the most likely group to be affected by this stuff. Nope, wrong. Ransomware is getting inside corporate networks and causing all sorts of drama. Chris joins us soon to talk about that. Big thanks to HackLabs for its sponsorship of this week's show!

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Apple and FBI Take Their iPhone Hacking Fight to Congress | WIRED
http://www.wired.com/2016/03/apple-and-fbi-iphone-hacking-fight-congress...

Judge Says Apple Doesn't Have to Unlock iPhone in Case Similar to San Bernardino | WIRED
http://www.wired.com/2016/02/judge-says-apple-doesnt-have-to-unlock-ipho...

How the Feds Could Get Into iPhones Without Apple's Help | WIRED
http://www.wired.com/2016/03/feds-might-get-iphones-without-apples-help/

Apple vs. the FBI: Catch up on the iPhone encryption hearing
http://www.engadget.com/2016/03/02/apple-fbi-encryption-congress-hearing/

John McAfee better prepare to eat a shoe because he doesn't know how iPhones work | Ars Technica
http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-ea...

US to renegotiate rules on exporting "intrusion software" | Ars Technica
http://arstechnica.com/tech-policy/2016/03/us-to-renegotiate-rules-on-ex...

Hackers did indeed cause Ukrainian power outage, US report concludes | Ars Technica
http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukraini...

Brazil detains Facebook VP after he failed to give up user data
http://www.engadget.com/2016/03/01/brazil-detains-facebook-vp-after-he-f...

Brazil court orders release of arrested Facebook exec
http://www.engadget.com/2016/03/02/brazil-orders-release-of-facebook-exec/

FBI's Tor Hack Shows the Risk of Subpoenas to Security Researchers | WIRED
http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security...

Judge Confirms CMU Paid to Break Tor | Threatpost | The first stop for security news
https://threatpost.com/judge-confirms-dod-funded-research-to-decloak-tor...

Pentagon Launches the Feds' First 'Bug Bounty' for Hackers | WIRED
http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hac...

More than 11 million HTTPS websites imperiled by new decryption attack | Ars Technica
http://arstechnica.com/security/2016/03/more-than-13-million-https-websi...

Hacker Says He Can Hijack a $35K Police Drone a Mile Away | WIRED
http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mil...

Pirates hacked a shipping firm to find boats to raid
http://www.engadget.com/2016/03/01/pirates-hack-shipping-company/

Windows Defender Advanced Threat Protection uses cloud power to figure out you've been pwned | Ars Technica
http://arstechnica.com/information-technology/2016/03/windows-defender-a...

Payroll data leaked for current, former Snapchat employees | Ars Technica
http://arstechnica.com/security/2016/02/payroll-data-leaked-for-current-...

Thieves Nab IRS PINs to Hijack Tax Refunds - Krebs on Security
http://krebsonsecurity.com/2016/03/thieves-nab-irs-pins-to-hijack-tax-re...

Why The Java Deserialization Bug Is A Big Deal
http://www.darkreading.com/informationweek-home/why-the-java-deserializa...

GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
https://github.com/frohoff/ysoserial

Penetration Testing & Web Application Security - HackLabs
http://www.hacklabs.com/