Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business Podcast

September 22, 2016

Risky Business #428 -- Cross-platform Tor Browser pwnership with Ryan Duff

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week’s show we’ll be chatting with security researcher Ryan Duff about the rabbit hole that is the Tor Browser Bundle certificate pinning bug. The bug itself is interesting, but the questions it raises about how suitable Tor is for genuinely critical use are, you know, substantial. That’s a really, really interesting chat with Ryan Duff, coming up after the news.

This week’s show is brought to you by Hewlett Packard Enterprise Fortify! Of course HPE Fortify makes both static and dynamic analysis tools to help their customers weed out bugs in their software… but what are the relative strengths of static versus dynamic? Where should you use these tools? As this week’s sponsor guest Michael Farnum explains, the trend these days is to not only use both, but move them both as far to the left as possible in the development cycle. That’s this week’s sponsor interview, coming up a bit later.

Mark Piper is this week’s news guest.

Oh, and do add Patrick on Twitter if that’s your thing.

Risky Business #428 -- Cross-platform Tor Browser pwnership with Ryan Duff
0:00 / 53:20

Risky Business Podcast

September 15, 2016

Risky Business #427 -- Cahill law partner Brad Bondi on MedSec suit

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

We have a great feature interview this week. Risky Business contributor Brian Donohue spoke with Cahill law firm partner Brad Bondi about the suit St Jude Medical has brought against MedSec and Muddy Waters over the short-sell of the medical device manufacturer’s shares. That is an illuminating chat that certainly gave me an understanding of where this all could be heading, both in terms of the upcoming trial and how likely it is we’ll see similar stuff in the future. This week’s show is brought to you by Cylance! These guys basically offer an AV solution that works differently. But you know what? I’ve asked a dozen people what they actually do, and no one has really been able to tell me. So, I talk to Cylance founder and CEO Stuart McClure about the fall out from the House Oversight report into the OPM breach – a report that went in to some detail on Cylance’s role in determining the extent of the breach – but I also talk to him more generally about what it is that Cylance actually does.

Adam Boileau is back in the news chair this week to talk about the week’s information security headlines.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Risky Business #427 -- Cahill law partner Brad Bondi on MedSec suit
0:00 / 64:23

Risky Business Podcast

September 08, 2016

Risky Business #426 -- House Oversight Committee drops OPM breach report PLUS St Jude sues MedSec

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

In this week’s feature interview we chat with Stephen Ridley about all things IoT. Stephen is a researcher turned entrepreneur and he’ll be along to talk about the platform consolidation we’re going to see when it comes to “things”. Once that settles, he argues, we’ll get a better idea of the security risks we should really, actually be worried about. In this week’s sponsor interview we’re chatting with Simon Galbally at Senetas.

Senetas, of course, makes high assurance network encryptors and Simon joins us this week to talk about where certification schemes might be headed. Did you know there are no sunset clauses on many of the certification schemes out there? So yeah, you can be using a FIPS certified box that’s riddled with known bugs and yep, it’s still certified. Certifications could start moving towards more continuous models.

Insomnia Security’s Mark Piper is this week’s news guest.

Oh, and do add Patrick on Twitter if that’s your thing.

Risky Business #426 -- House Oversight Committee drops OPM breach report PLUS St Jude sues MedSec
0:00 / 52:55

Risky Business Podcast

September 01, 2016

Risky Business #425 -- MedSec CEO Justine Bone on the Muddy Waters short

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we've landed what looks to be a fairly exclusive interview -- at least as far as the tech press is concerned. Justine Bone will be joining us to explain why the company she works with, MedSec, decided to use vulnerability information on implantable medical devices to drive a short-selling scheme in partnership with Muddy Waters.

This week's show is sponsored by Tenable Network Security. We're doing something a bit different in this week's sponsor interview -- we're chatting with one of Tenable's customers, City of San Diego CISO Gary Hayslip.

They've just invested heavily in Nessus, among other things. Gary drops by to explain what he's been doing since he took the CISO position a few years ago. If you're a CISO it's actually a pretty interesting interview. That team has to deal with everything from embedded devices in cop cars to control systems to its very own POS network. Hey, citizens have to pay for government services somehow, right?

Trail of Bits head honcho Dan Guido is this week's news guest.

Oh, and do add Patrick and Dan on Twitter if that's your thing.

Risky Business #425 -- MedSec CEO Justine Bone on the Muddy Waters short
0:00 / 57:54

Risky Business Podcast

August 25, 2016

Risky Business #424 -- Jess Frazelle on Docker. So hot right now.

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we chat with Jessie Frazelle. Jessie is a former Docker maintainer who now works at Google on all things "containery". So we talk to her about what's up with containers, basically, and where the security pitfalls are. Like it or not, containers are likely going to be used in your environment, so getting to know them is a must. That's this week's feature.

This week's show is brought to you by HP Enterprise Security's Fortify! These guys and gals are a new sponsor, and I'm sure most of you know them. They make both static analysis and dynamic analysis code security tools, and this week we're joined by HPE Fortify's James "Jimmy" Rabon to talk about how this whole newfangled devops/agile thing has changed things for them.

The Grugq also joins the show to talk about the week's security news. He's filling in for Adam Boileau who's frantically getting Kiwicon 10 organised.

Oh, and do add Patrick and The Grugq on Twitter if that's your thing.

Show notes

Completely Wrong - Medium
https://medium.com/@thegrugq/completely-wrong-a300246ad316#.h7zsu81sg

CyberSecPolitics: Why EQGRP Leak is Russia
http://cybersecpolitics.blogspot.com.au/2016/08/why-eqgrp-leak-is-russia...

Shadow Broker Breakdown - Medium
https://medium.com/@thegrugq/shadow-broker-breakdown-b05099eb2f4a#.eqou5...

The NSA Leak Is Real, Snowden Documents Confirm
https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents...

NSA-linked Cisco exploit poses bigger threat than previously thought | Ars Technica
http://arstechnica.com/security/2016/08/nsa-linked-cisco-exploit-poses-b...

Juniper Acknowledges Equation Group Targeted ScreenOS | Threatpost | The first stop for security news
https://threatpost.com/juniper-acknowledges-equation-group-exploits-targ...

Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump | Motherboard
http://motherboard.vice.com/read/former-nsa-staffers-rogue-insider-shado...

The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days | WIRED
https://www.wired.com/2016/08/shadow-brokers-mess-happens-nsa-hoards-zer...

Researcher Grabs VPN Password With Tool From NSA Dump | Motherboard
http://motherboard.vice.com/read/researcher-grabs-cisco-vpn-password-wit...

Commentary: Evidence points to another Snowden at the NSA | Reuters
http://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P

The NSA Data Leakers Might Be Faking Their Awful English To Deceive Us | Motherboard
http://motherboard.vice.com/read/the-shadow-brokers-nsa-leakers-linguist...

Someone Rickrolled the Bitcoin Auction for NSA Exploits | Motherboard
http://motherboard.vice.com/read/someone-rickrolled-the-bitcoin-auction-...

Californian gets 50 months in prison for Chinese 'technology spy' work \u2022 The Register
http://www.theregister.co.uk/2016/08/23/50_months_for_chinese_tech_spy_w...

Lawyer: Dark Web Child Porn Site Ran Better When It Was Taken Over by the FBI | Motherboard
http://motherboard.vice.com/read/lawyer-dark-web-child-porn-site-ran-bet...

A 'Tor General Strike' Wants to Shut Down the Tor Network for a Day | Motherboard
http://motherboard.vice.com/read/a-tor-general-strike-wants-to-shut-down...

EFF Blasts Microsoft Over Windows 10 Rollout | Threatpost | The first stop for security news
https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-ro...

Australia Post says use blockchain for voting. Expert: you're kidding \u2022 The Register
http://www.theregister.co.uk/2016/08/22/australia_postblockchain_for_vot...

SSA: Ixnay on txt msg reqmnt 4 e-acct, sry - Krebs on Security
http://krebsonsecurity.com/2016/08/ssa-ixnay-on-txt-msg-reqmnt-4-e-acct-...

Epic Games Forums Hacked, 800,000 User Accounts Exposed | Threatpost | The first stop for security news
https://threatpost.com/epic-games-forums-hacked-sql-injection-vulnerabil...

Malware Infected All Eddie Bauer Stores in U.S., Canada - Krebs on Security
http://krebsonsecurity.com/2016/08/malware-infected-all-eddie-bauer-stor...

Massive Email Bombs Target .Gov Addresses - Krebs on Security
http://krebsonsecurity.com/2016/08/massive-email-bombs-target-gov-addres...

New Brazilian Banking Trojan Uses Windows PowerShell Utility | Threatpost | The first stop for security news
https://threatpost.com/new-brazilian-banking-trojan-uses-windows-powersh...

Browser Address Bar Spoofing Vulnerability Disclosed | Threatpost | The first stop for security news
https://threatpost.com/browser-address-bar-spoofing-vulnerability-disclo...

Software-defined networking is dangerously sniffable \u2022 The Register
http://www.theregister.co.uk/2016/08/23/sdns_normal_behaviour_is_sniffab...

How to Dramatically Improve Corporate IT Security Without Spending Millions - Praetorian.pdf
https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Im...

Risky Business #424 -- Jess Frazelle on Docker. So hot right now.
0:00 / 55:55

Risky Business Podcast

August 18, 2016

Risky Business #423 -- ShadowBrokers PLUS how2pwn Apple's Secure Enclave

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

This week's feature interview is incredible. We're speaking with David Wang from Azimuth Security. He, his colleague Tarjei Mandt and Mat Solnik of OffCell Research delivered an absolutely blockbuster talk at Black Hat. I didn't see the talk at the time but I got a chance to review the slides and oh-my-god I can't believe this one got so little attention.

While everyone was running around talking about hackable lightbulbs, jeeps and trucks, these three guys basically dropped a how2pwn guide for Apple's Secure Enclave Processor. So, you know, you can basically take their slide deck, add a couple of little tweaks and you're unlocking an iPhone 6s and messing around with a thing you're really not supposed to be messing around with. It's really, really good reversing work and you need to hear this interview.

This week's show is brought to you by Bugcrowd, outsourced bug bounty programs. Bugcrowd founder and CEO Casey Ellis is along this week to talk about Apple's newly launched bounty program. Even though other software companies already have bounty programs, the large rewards involved in this one make it a big deal. We'll get his thoughts on that.

Adam Boileau joins us in this week's news segment to discuss the NSA's shiny toys being all over teh torrentz, as well as other assorted infosec news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

What We Know About the Exploits Dumped in NSA-Linked Hack | Motherboard
http://motherboard.vice.com/read/what-we-know-about-the-exploits-dumped-...

The Equation Giveaway - Securelist
https://securelist.com/blog/incidents/75812/the-equation-giveaway/

\u200bWhy Github Removed Links to Alleged NSA Data | Motherboard
http://motherboard.vice.com/read/why-github-removed-links-to-alleged-nsa...

Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump | Motherboard
http://motherboard.vice.com/read/former-nsa-staffers-rogue-insider-shado...

The Current Highest Bid for Alleged NSA Data is 999,998.371 Bitcoin Short | Motherboard
http://motherboard.vice.com/read/the-shadow-brokers-auction-nsa-data-bit...

Hack of NSA-Linked Group Signals a Cyber Cold War | Motherboard
http://motherboard.vice.com/read/hack-nsa-linked-equation-group-cyber-co...

Why Did Guccifer 2.0 Evolve from Sloppy Hacktivist to Professional Leaker? | Motherboard
http://motherboard.vice.com/read/guccifer-20-evolution-sloppy-hacktivist...

Patrick Gray on Twitter: "Well this basically confirms it's Russia, right? Trolololol-lolol-lolol-lalalalaaaaa!!! https://t.co/YZ4etnZgO3"
https://twitter.com/riskybusiness/status/765347661587238916

Snowden speculates leak of NSA spying tools is tied to Russian DNC hack | Ars Technica
http://arstechnica.com/tech-policy/2016/08/snowden-speculates-leak-of-ns...

Shadow Brokers NSA exploits: doubts about Edward Snowden's tweets | The Cold War Daily
https://coldwardaily.com/2016/08/17/shadow-brokers-nsa-exploits-doubts-a...

Guccifer 2.0 doxes hundreds of House Democrats with massive document dump | Ars Technica
http://arstechnica.com/tech-policy/2016/08/guccifer-2-0-doxes-hundreds-o...

Democratic, GOP leaders got a secret briefing on DNC hack last year | Ars Technica
http://arstechnica.com/tech-policy/2016/08/democrat-gop-leaders-got-a-se...

Court Rules to Extradite Suspected Silk Road Admin From Ireland to the US | Motherboard
http://motherboard.vice.com/read/court-rules-to-extradite-suspected-silk...

\u200bAustralian Authorities Hacked Computers in the US | Motherboard
http://motherboard.vice.com/read/australian-authorities-hacked-computers...

How Researchers Exposed Iranian Cyberattacks Against Hundreds of Activists | Motherboard
http://motherboard.vice.com/read/iran-cyberattacks-against-activists

Wave of Spoofed Encryption Keys Shows Weakness in PGP Implementation | Motherboard
http://motherboard.vice.com/read/wave-of-spoofed-encryption-keys-shows-w...

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks | Ars Technica
http://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-and...

Almost every Volkswagen sold since 1995 can be unlocked with an Arduino | Ars Technica
http://arstechnica.com/cars/2016/08/hackers-use-arduino-to-unlock-100-mi...

Security Fuckup Megathread - v12.1.4 - i need tp-link for my security hole - The Something Awful Forums
https://forums.somethingawful.com/showthread.php?threadid=3771497&pagenu...

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open | Ars Technica
http://arstechnica.com/security/2016/08/microsoft-secure-boot-firmware-s...

Adobe Patches Experience Manager; No Flash Update | Threatpost | The first stop for security news
https://threatpost.com/a-month-without-adobe-flash-player-patches/119770/

Cisco confirms NSA-linked zeroday targeted its firewalls for years | Ars Technica
http://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroda...

Cisco Patches ASA Zero Day Exposed by ShadowBrokers | Threatpost | The first stop for security news
https://threatpost.com/cisco-patches-asa-zero-day-exposed-by-shadowbroke...

us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-T...

Risky Business #423 -- ShadowBrokers PLUS how2pwn Apple's Secure Enclave
0:00 / 59:24

Risky Business Podcast

August 11, 2016

Risky Business #422 -- #CensusFail, news with Adam and MOAR

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we talk about the week's security news with Adam Boileau and I spill on what my sources have told me about #censusfail.

This week's show is brought to you by Canary.tools. Canary is a fantastic bit of kit -- it's essentially an easily configurable, compact honeypot you can just drop on your network like a dropbox to detect attacks. No begging the data centre people for rack space, just drop it and go. We'll be talking to Canary.tools head honcho Haroon Meer this week about the disconnect between what some startups are pitching to venture capitalists versus what users actually need.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Census Australia 2016 fail: ABS says website was hacked
http://www.news.com.au/technology/census-fail-abs-spent-nearly-500000-on...

Patrick Gray on Twitter: "Analysis from trusted source of trusted source. Someone's getting fired. I'm a fucking journo and I'm not this dumb: https://t.co/gyQajFDQcQ"
https://twitter.com/riskybusiness/status/763189895292555264

'Angry, bitterly disappointed': Malcolm Turnbull lashes ABS for census failures
http://www.theage.com.au/federal-politics/political-news/angry-bitterly-...

Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs | Ars Technica
http://arstechnica.com/apple/2016/08/starting-this-fall-apple-will-pay-u...

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme | Motherboard
http://motherboard.vice.com/read/zero-day-hunters-will-pay-over-twice-as...

Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks | Ars Technica
http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other...

Researchers crack open unusually advanced malware that hid for 5 years | Ars Technica
http://arstechnica.com/security/2016/08/researchers-crack-open-unusually...

Data Breach At Oracle's MICROS Point-of-Sale Division - Krebs on Security
http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-o...

Apple, Intel, Google Employee Accounts Exposed in Data Breach of Developer Forum | Motherboard
http://motherboard.vice.com/read/apple-intel-google-employee-accounts-ex...

Copperhead OS: The startup that wants to solve Android's woeful security | Ars Technica
http://arstechnica.com/security/2016/08/copperhead-os-fix-android-security/

Major Qualcomm chip security flaws expose 900M Android users | Ars Technica
http://arstechnica.com/security/2016/08/qualcomm-chip-flaws-expose-900-m...

Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels | Motherboard
http://motherboard.vice.com/read/hackers-could-break-into-your-monitor-t...

Hackers Make the First-Ever Ransomware for Smart Thermostats | Motherboard
http://motherboard.vice.com/read/internet-of-things-ransomware-smart-the...

Afraid of the Dark? Too Bad, Your Smart Bulbs Can Be Hacked | Motherboard
http://motherboard.vice.com/read/hackers-could-take-control-of-your-smar...

Good news-the robocalling scourge may not be unstoppable after all | Ars Technica
http://arstechnica.com/security/2016/08/good-news-the-robocalling-scourg...

IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks | Ars Technica
http://arstechnica.com/security/2016/08/ipv6-router-bug-juniper-cisco-dd...

PLC Blaster Worm Targets Industrial Control PLCs | Threatpost | The first stop for security news
https://threatpost.com/plc-blaster-worm-targets-industrial-control-syste...

Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320)
https://rol.im/securegoldenkeyboot/

Flip Feng Shui - VUSec
https://www.vusec.net/projects/flip-feng-shui/

FreeBSD \xb7 GitHub
https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

Risky Business #422 -- #CensusFail, news with Adam and MOAR
0:00 / 57:24

Risky Business Podcast

August 06, 2016

Risky Business #421 -- Las Vegas edition with Dan Guido, Andy Greenberg and Zane Lackey

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we speak with Signal Sciences' co-founder Zane Lackey about hackers building defensive tools and software companies. Dan Guido and Andy Greenberg talk about car hacking and the week's security news, and Wade Woolwine of Rapid7 is in the sponsor slot talking about EDR/IDR software.

Show notes

Hackers Fool Tesla S's Autopilot to Hide and Spoof Obstacles | WIRED
https://www.wired.com/2016/08/hackers-fool-tesla-ss-autopilot-hide-spoof...

The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse | WIRED
https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-ac...

Hackers Hijack a Big Rig Truck's Accelerator and Brakes | WIRED
https://www.wired.com/2016/08/researchers-hack-big-rig-truck-hijack-acce...

LastPass Patches Ormandy Remote Compromise Flaw | Threatpost | The first stop for security news
https://threatpost.com/lastpass-patches-ormandy-remote-compromise-flaw/1...

Researchers Bypass Chip and Pin Protections at Black Hat | Threatpost | The first stop for security news
https://threatpost.com/researchers-bypass-chip-and-pin-protections-at-bl...

Oracle EBusiness Suite 'Massive' Attack Surface Assessed | Threatpost | The first stop for security news
https://threatpost.com/oracle-ebusiness-suite-massive-attack-surface-ass...

Yahoo Investigates 200 Million Alleged Accounts For Sale On Dark Web | Threatpost | The first stop for security news
https://threatpost.com/yahoo-investigates-200-million-alleged-accounts-f...

Report claims more than half of UK firms have been hit by ransomware | Ars Technica
http://arstechnica.com/security/2016/08/more-than-half-of-uk-firms-have-...

DNC staffers: FBI didn't tell us for months about possible Russian hack | Ars Technica
http://arstechnica.com/security/2016/08/dnc-staffers-fbi-didnt-tell-us-f...

New attack steals SSNs, e-mail addresses, and more from HTTPS pages | Ars Technica
http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-ad...

Bitcoin value falls off cliff after $77M stolen in Hong Kong exchange hack | Ars Technica
http://arstechnica.com/security/2016/08/bitcoin-value-falls-off-cliff-af...

Social Security Administration Now Requires Two-Factor Authentication - Krebs on Security
http://krebsonsecurity.com/2016/08/social-security-administration-now-re...

The Administrator of the Dark Web's Infamous Hacking Market Has Vanished | Motherboard
http://motherboard.vice.com/read/the-administrator-of-the-dark-webs-infa...

Privacy Activists Launch Database to Track Global Sales of Surveillance Tech | Motherboard
http://motherboard.vice.com/read/privacy-activists-launch-database-to-tr...

How Drones Could Help Hackers Shut Down Power Plants | Motherboard
http://motherboard.vice.com/read/how-drones-could-help-hackers-shut-down...

Home
https://signalsciences.com/

rapid7 edr - Google Search
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF...

Risky Business #421 -- Las Vegas edition with Dan Guido, Andy Greenberg and Zane Lackey
0:00 / 49:08

Risky Business Podcast

July 29, 2016

Risky Business #420 -- What we don't know about Watergate 2.0

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're taking a look at the DNC leaks, but don't worry, we won't be getting bogged down in the same old angles. Instead, we're going to chat to Lorenzo Franceschi-Bicchierai from VICE motherboard about his experience in interviewing the Guccifer 2 persona.

Then we'll hear from Kevin Poulsen about what these latest developments mean for Wikileaks. It's a topic you're probably sick of hearing about this week, but stick with us, we've got some new angles, and they're relevant.

This week's sponsor interview is an absolute, certified, 24-carat cracker. Bromium is this week's sponsor and its CTO and co-founder, Simon Crosby, pops along to talk about his experience in dealing with the wrath of Tavis Ormandy. Tavis actually managed to dig a custom build of Bromium's software out of VirusTotal and find a really cool bug in it. But there's actually a fair bit more to that story and Simon fills us in.

Adam Boileau, as usual, joins us to discuss the week's security news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

WikiLeaks Dumps 'Erdogan Emails' After Turkey's Failed Coup | WIRED
https://www.wired.com/2016/07/wikileaks-dumps-erdogan-emails-turkeys-fai...

WikiLeaks Put Women in Turkey in Danger, for No Reason
http://www.huffingtonpost.com/zeynep-tufekci/wikileaks-erdogan-emails_b_...

Notorious Hacker 'Phineas Fisher' Says He Hacked The Turkish Government | Motherboard
http://motherboard.vice.com/read/phineas-fisher-turkish-government-hack

ZeroBin
https://zerobin.net/?28625085e55bf0fb#QFl/7wV7jpgLG6aXm3YLzDtFklBTWZtJ3G...

bellingcat - "We've shot four people. Everything's fine." The Turkish Coup through the Eyes of its Plotters - bellingcat
https://www.bellingcat.com/news/mena/2016/07/24/the-turkey-coup-through-...

Snowden Designs a Device to Warn if Your iPhone's Radios Are Snitching | WIRED
https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-...

Edward Snowden on Twitter: "The aversion to sharing #NSA evidence is fear of revealing "sources and methods" of intel collection, but #XKEYSCORE is now publicly known."
https://twitter.com/Snowden/status/757577614873755648

Robert M. Lee on Twitter: "Since my colleagues are afraid to comment - @Snowden this is ridiculous. Also weren't you in T group. Just stop. https://t.co/6Gv5hK7qMi"
https://twitter.com/RobertMLee/status/757715572461219841

Keys to Chimera crypto ransomware allegedly leaked by rival crime gang | Ars Technica
http://arstechnica.com/security/2016/07/keys-to-chimera-crypto-ransomwar...

SentinelOne Offers $1 Million Guarantee To Stop Ransomware
http://www.darkreading.com/vulnerabilities---threats/sentinelone-offers-$1-million-guarantee-to-stop-ransomware/d/d-id/1326363

EFF Files Lawsuit Challenging DMCA's Restrictions Security Researchers | Threatpost | The first stop for security news
https://threatpost.com/eff-files-lawsuit-challenging-dmcas-restrictions-...

Malicious computers caught snooping on Tor-anonymized Dark Web sites | Ars Technica
http://arstechnica.com/security/2016/07/malicious-computers-caught-snoop...

Upcoming Tor Design Battles Hidden Services Snooping | Threatpost | The first stop for security news
https://threatpost.com/upcoming-tor-design-battles-hidden-services-snoop...

NIST Recommends SMS Two-Factor Authentication Deprecation | Threatpost | The first stop for security news
https://threatpost.com/nist-recommends-sms-two-factor-authentication-dep...

How I made LastPass give me all your passwords
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-yo...

Yahoo Ordered to Explain Data Gathering Procedures in Deleted Email Case | Threatpost | The first stop for security news
https://threatpost.com/yahoo-ordered-to-explain-data-gathering-procedure...

Verizon to End Yahoo Survival Fight With $4.8 Billion Deal - Bloomberg
http://www.bloomberg.com/news/articles/2016-07-24/verizon-said-to-announ...

New attack bypasses HTTPS protection on Macs, Windows, and Linux | Ars Technica
http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-c...

Pornhub Hack Earns Researchers $22,000 | Threatpost | The first stop for security news
https://threatpost.com/pornhub-hack-earns-researchers-22000/119450/

Firefox to Block Flash in August, Disable in 2017 | Threatpost | The first stop for security news
https://threatpost.com/firefox-to-block-flash-in-august-disable-in-2017/...

Alan on Twitter: "spend $150 on a fancy pet feeder that doesn't feed your cat when their servers are offline what a great design https://t.co/ZXMiGuWNFE"
https://twitter.com/alanzeino/status/758209842477604864

15 Vulnerabilities in SAP HANA Outlined | Threatpost | The first stop for security news
https://threatpost.com/15-vulnerabilities-in-sap-hana-outlined/119406/

Wikileaks Dismantling of DNC Is Clear Attack by Putin on Clinton | Observer
http://observer.com/2016/07/wikileaks-dismantling-of-dnc-is-clear-attack...

Why Does DNC Hacker 'Guccifer 2.0' Talk Like This? | Motherboard
https://motherboard.vice.com/read/why-does-dnc-hacker-guccifer-20-talk-l...

A Hat Tip to a White Hat | A Collection of Bromides on Infrastructure
https://blogs.bromium.com/2016/06/21/a-hat-tip-to-a-white-hat/

Risky Business #420 -- What we don't know about Watergate 2.0
0:00 / 58:25

Risky Business Podcast

July 22, 2016

Risky Business #419 -- Brian Krebs on future of bank cybercrime

Presented by

Patrick Gray
Patrick Gray

CEO and Publisher

Adam Boileau
Adam Boileau

Technology Editor

On this week's show we're catching up with Brian Krebs of Krebs On Security. He'll be talking to us about recent trends in cybercrime, and he's got a warning for security teams in the banking sector. He says things are going to get pretty sticky, and he's usually right on this stuff.

This week's show is brought to you by Bugcrowd, big thanks to them. And in the sponsor slot we're speaking with HD Moore, who recently joined the company's advisory board. I know HD well and I can tell you he was initially quite sceptical of bounties. So he joins us to talk about why he changed his mind and how he plans on helping Bugcrowd do stuff better.

Adam Boileau, as usual, joins us to discuss the week's security news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

WikiLeaks Dumps 'Erdogan Emails' After Turkey's Failed Coup | WIRED
https://www.wired.com/2016/07/wikileaks-dumps-erdogan-emails-turkeys-fai...

Turkey Blocks WikiLeaks After Dump of Government Emails | Motherboard
http://motherboard.vice.com/read/turkey-erdogan-blocks-wikileaks-after-d...

Ethereum Inventor: We Got 'Very Lucky' In Gamble to Save $56M From Hacker | Motherboard
http://motherboard.vice.com/read/ethereum-56m-hacker-the-dao-vitalik-but...

Clever Tool Shields Your Car From Hacks by Watching Its Internal Clocks | WIRED
https://www.wired.com/2016/07/clever-tool-shields-car-hacks-watching-int...

Big Privacy Ruling Says Feds Can't Grab Data Abroad With a Warrant | WIRED
https://www.wired.com/2016/07/big-privacy-ruling-says-feds-cant-grab-dat...

Baseball exec gets 46 months in prison after guessing rival team's password | Ars Technica
http://arstechnica.com/tech-policy/2016/07/baseball-exec-gets-46-months-...

FDIC was hacked by China, and CIO covered it up | Ars Technica
http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio...

Hacker 'Phineas Fisher' Speaks on Camera for the First Time-Through a Puppet | Motherboard
http://motherboard.vice.com/read/hacker-phineas-fisher-hacking-team-puppet

Hacker Claims to Have Sold Leaked Terrorism Watchlist 'World-Check' For $20,000 | Motherboard
http://motherboard.vice.com/read/hacker-leaked-terrorism-watchlist-world...

Two Million Passwords Breached in Ubuntu Hack | Threatpost | The first stop for security news
https://threatpost.com/two-million-passwords-breached-in-ubuntu-hack/119...

'Prominent' Admin of Top ISIS Forum Hacked | Motherboard
http://motherboard.vice.com/read/prominent-admin-of-top-isis-jihadi-foru...

Activists Release Nearly 100 Years of TIME Magazine Issues For Free | Motherboard
http://motherboard.vice.com/read/activists-release-nearly-100-years-of-t...

httpoxy
https://httpoxy.org/

Software flaw puts mobile phones and networks at risk of complete takeover | Ars Technica
http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones...

Google Chrome Malware Leads to Sketchy Facebook Likes | Threatpost | The first stop for security news
https://threatpost.com/google-chrome-malware-leads-to-sketchy-facebook-l...

Oracle Fixes 276 Vulnerabilites in July Critical Patch Update | Threatpost | The first stop for security news
https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-ju...

Apple Fixes Vulnerabilities Across OS X, iOS, Safari | Threatpost | The first stop for security news
https://threatpost.com/apple-fixes-vulnerabilities-across-os-x-ios-safar...

Cisco Talos - Talos 2016 0171
http://www.talosintelligence.com/reports/TALOS-2016-0171/

Crypto flaw made it easy for attackers to snoop on Juniper customers | Ars Technica
http://arstechnica.com/security/2016/07/crypto-flaw-made-it-easy-for-att...

Meet The Cyber Mercenaries Selling Spyware To Governments | Motherboard
http://motherboard.vice.com/read/meet-the-cyber-mercenaries-selling-spyw...

Carbanak Gang Tied to Russian Security Firm? - Krebs on Security
http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-securit...

Risky Business #419 -- Brian Krebs on future of bank cybercrime
0:00 / 54:48