Episodes

  • Snake Oilers #3: Bot prevention and distributed "crypto magic" credit card storage

    · Risky Business

    In this edition of Snake Oilers we’re taking a look at two Australian companies and their solutions: Kasada and Haventec. Kasada’s product is a simple one – it’s bot prevention using proof of work and a couple of other things, and Haventec’s solution is a bit more out there. They’ve got a couple of products. One uses device fingerprinting plus a secret for authentication, but they’ve actually come up with something else that’ll be really interesting to people in the payment card processing space. Basically they’ve come up with a way to split credit card info into a few pieces so it can be stored in a distributed way. Part of the info with the user, part with the merchant and part with the processor. It’s a better approach than tokenisation, and will drastically reduce the liability and costs that come with storing huge amounts of card data on the processor side. Oh, and they’ve solved the chargeback problem on that one too. Links to the companies profiled can be found below. I hope you enjoy the show! Show notes Kasada | Security Redefined Haventec | Revolutionising cyber security Home - Australian Cyber Security Growth Network

  • Risky Business #476 -- Zeynep Tufekci on machine learning and disinformation

    · Risky Business

    On this week’s show we’re chatting with Zeynep Tufekci about how machine learning accelerates the dissemination of crazy s–t, basically. Zeynep’s September TED talk titled “We’re building a dystopia just to make people click on ads” is a must watch and has been doing the rounds on infosec Twitter over the last couple of weeks. She joins us this week to talk through what we might be able to do about the tendency of online platforms to send people down pretty warped rabbit holes. That’s a fascinating chat. This week’s show is brought to you by Senetas. Senetas is a Melbourne-based company that develops and manufactures layer 2 encryption gear. They also operate the SureDrop secure file sharing platform and are working on a bunch of cloud crypto tech as well. Julian Fay is CTO over at Senetas and he’s along this week to talk us through the bugs Matthew Green and his colleagues found in a bunch of FIPS-certified gear from Fortinet. It’s a really, really illuminating chat. I love it when Julian’s in the sponsor chair because I always learn a lot. Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes Infrastructure for the ‘Bad Rabbit’ Ransomware Appears to Have Shut Down - Motherboard Global ransomware attacks tiptoed around Russian anti-virus products NotPetya ransomware cost Merck more than $310 million British security minister says North Korea was behind WannaCry hack on NHS | The Independent Worker who snuck NSA malware home had his PC backdoored, Kaspersky says | Ars Technica Proud to keep on protecting – no matter the false allegations in the U.S. media. | Nota Bene: Eugene Kaspersky's Official Blog Equifax Was Warned - Motherboard China Tests the Limits of Its US Hacking Truce | WIRED Google: Chrome is backing away from public key pinning, and here's why | ZDNet YubiHSM 2 is here: Providing root of trust for servers and computing devices | Yubico Francisco Partners Acquires Comodo's SSL Security Business Google's reCaptcha Cracked Again | Threatpost | The first stop for security news Unexplained cyberattacks sow chaos among dark web markets The Fight Over Jordan Hamlett’s ‘Hack’ of Trump’s Tax Returns Facebook, Google, Twitter tell Congress their platforms spread Russian-backed propaganda | Ars Technica LSE Business Review – Blockchain and bitcoin: In search of a critique A Guide to Attacking Domain Trusts – harmj0y Fooling Neural Networks in the Physical World with 3D Adversarial Objects · labsix Training Zeynep Tufekci: We're building a dystopia just to make people click on ads | TED Talk | TED.com Attack of the week: DUHK – A Few Thoughts on Cryptographic Engineering Senetas - a leading provider of high-assurance encryption

  • Risky Business #475 -- Matt Tait: US gov needs to put up or shut up on Kaspersky claims

    · Risky Business

    On this week’s show we’re catching up with Matt Tait. Matt’s better known as @pwnallthethings on Twitter. He’s joining us this week to talk about the claims various sources have made against Kaspersky. I say sources because up to this point the only thing we’ve seen is various officials saying people shouldn’t use it. There’s been no official statement from the government or the intelligence community that actually says “don’t use it”. And the situation is getting ridiculous. It’s as clear as mud right now, basically, so Matt will be along later to argue the US government really just needs to back the claims in an official way if they’re to be taken seriously. This week’s show is brought to you by Cylance. This week we’re chatting to Chris Coulter, a seasoned IR professional who’s recently moved from the services arm of Cylance to the product side. We’ll be talking to Chris about IR and where EDR software is going. That one is really worth listening to. It’s easy to look at Cylance today and just see another antivirus company. People have forgotten that they basically shook up the biggest market in infosec and I think they have a solid chance of doing the same thing with a few of their upcoming releases in the EDR and UBA space. So yeah, check out that sponsor interview with Chris Coulter, coming up towards the back of the show! Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes 'BadRabbit' ransomware spreading across Ukraine, Russia Reaper: Calm Before the IoT Security Storm? — Krebs on Security Cisco's Talos Intelligence Group Blog: “Cyber Conflict” Decoy Document Used In Real Cyber Conflict How Russian Firm Might Have Siphoned Tools From the NSA Senator questions DHS's handling of Kaspersky software ban in federal agencies Your ID number may be public - SA data leak is worse than you think - htxt.africa Revealed: the real source of SA's massive data breach - TechCentral Whois Maintainer Accidentally Makes Password Hashes Available For Download | Threatpost | The first stop for security news Beaumont Porg, Esq. on Twitter: "Remember the Word DDE issue found by @sensepost? Copy the DDE from Word into Outlook, then email it to somebody.. No attachment -> calc. https://t.co/jw03p5hTZV" DUHK Attack Exposes Gaps in FIPS Certification | Threatpost | The first stop for security news New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging High-severity vulnerability found in SecureDrop system China's vulnerability disclosure system twice as fast as U.S. version The Dark Web’s Most Notorious Thief, Phishkingz, Gets Doxxed Hackers Steal Photos From Plastic Surgeon to the Stars, Claim Trove Includes Royals DHS Alert on Dragonfly APT Contains IOCs, Rules Likely to Trigger False Positives | Threatpost | The first stop for security news The hacker known as "Alex" — Operation Luigi: How I hacked my friend without her noticing

  • Risky Business #474 -- Inside new, "invisible" Rowhammer attacks

    · Risky Business

    On this week’s show we’re chatting with Daniel Gruss, an infosec researcher doing a postdoc in the Secure Systems group at the Graz University of Technology in Austria. Daniel was one of the authors of a recent paper on a new Rowhammer technique. This one’s pretty clever, basically because it evades all known detection techniques by executing in an Intel SGX enclave. In this week’s feature interview we chat with Dan Guido from Trail of Bits. He’s along this week to talk about his experience in helping to build secure software and security tools for his clients. Of course the big news this week is the so-called “KRACK” attacks against WPA2. Adam’s done his homework on that and joins the news segment to tell you all how bad it is. We also look at the RNG bugs making life hard for smart card vendors and all the other news of the week! Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security Falling through the KRACKs – A Few Thoughts on Cryptographic Engineering Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible | Threatpost | The first stop for security news Millions of high-security crypto keys crippled by newly discovered flaw | Ars Technica 'Hacking back' legislation is back in Congress The World Once Laughed at North Korean Cyberpower. No More. - The New York Times North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist Beaumont Porg, Esq. on Twitter: "Ukraine Intelligence Agency warning of planned large scale disk wiping attack using supply chain: https://t.co/Scm6kcgXSI https://t.co/EebTrrLwzu" October Price Adjustment — Steemit Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet Cyberespionage Group Steps Up Campaigns Against Japanese Firms | Threatpost | The first stop for security news Middle Eastern hacking group is using FinFisher malware to conduct international espionage Exclusive: Microsoft responded quietly after detecting secret database hack in 2013 Equifax website borked again, this time to redirect to fake Flash update | Ars Technica Google’s strongest security, for those who need it most Russia Fines Telegram $14,000 for Not Giving FSB an Encryption Backdoor Web-connected household devices to face mandatory rating over spying fears Want to see something crazy? Open this link on your phone with WiFi turned off. Sexual assault allegations levied against high profile security researcher and activist - The Verge Leveraging the Analog Domain for Security (LADS) Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 KRACK Attacks: Bypassing WPA2 against Android and Linux - YouTube [1710.00551] Another Flip in the Wall of Rowhammer Defenses

  • Risky Business #473 -- Kaspersky is officially toast

    · Risky Business

    On this week’s show we’re taking a deep dive into the latest news about Kaspersky and its alleged ties to Russian security services. The New York Times has just published an absolutely blockbuster piece that claims Israeli intelligence infiltrated Kaspersky’s network in 2014 and uncovered slam dunk evidence the company was operating espionage campaigns on behalf of the Russian government. We’ll jump into that in a minute, then in this week’s feature I’ll chat with Dave Aitel of Immunity Inc and get his feelings on the Kaspersky controversy. Casey Ellis is this week’s sponsor guest. He’s joining us this week to talk about how people running their own bug bounties can avoid false negatives. A couple of weeks back we ran a feature here on the show about a guy who had a pretty hard time reporting a legitimate security bug to Microsoft. Casey will be along with some ideas on how companies might do better when managing a lot of inbound bug reports, many of which are bogus. How do you sort the wheat from the chaff? Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes How Israel Caught Russian Hackers Scouring the World for U.S. Secrets - The New York Times Ex-NSA Hackers Are Not Surprised by Bombshell Kaspersky Report - Motherboard Office Depot, Best Buy Pull Kaspersky Products From Shelves Kaspersky and the Third Major Breach of NSA’s Hacking Tools – emptywheel Russia reportedly stole NSA secrets with help of Kaspersky—what we know now | Ars Technica Thread Reader Australian police posed as child abusers for a dark web sting North Korea hacked South's secret joint US war plans – reports | World news | The Guardian Hacking North Korea Won't Stop Its Nuclear Program | WIRED Report: Facebook removed references to Russia from fake-news report | Ars Technica Facebook’s security chief warns fake news is more dangerous and complex than people think | The Independent SEC hack came as internal security team begged for funding | Ars Technica Meet Danny, the Guy Authorities Say Is Selling Encrypted Phones to Organized Crime Cellebrite: Hacking into iPhones is harder than ever In-progress email threads were hacked to spearphish private companies, report says Disqus confirms 2012 database breach impacting 17.5 million users Report: John Kelly's personal phone was compromised for months Market Research Firm Forrester Says Hackers Stole Sensitive Reports Over 37,000 Chrome Users Installed a Fake AdBlock Plus Extension New NIST and DHS Standards Get Ready to Tackle BGP Hijacks Russia Says It Will Ban Cryptocurrency Exchanges ‘Dark Overlord’ Hackers Text Death Threats to Students, Then Dump Voicemails From Victims If macOS High Sierra shows your password instead of the password hint for an encrypted APFS volume - Apple Support Porn Site Becomes Hub for KovCoreG Group Malvertising Campaigns | Threatpost | The first stop for security news T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number - Motherboard Critical Windows DNS vulnerability gives hackers the 'keys to the kingdom' Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign Of Cyber Attacks Against U.S. Financial Sector On Behalf Of Islamic Revolutionary Guard Corps-Sponsored Entities | USAO-SDNY | Department of Justice SensePost | Macro-less code exec in msword The confrontation that fueled the fallout between Kaspersky and the U.S. government - Cyberscoop Understanding the Equifax Data Breach | Anna Slomovic| Managing Personal Data Equation Group: The Crown Creator of Cyber-Espionage | Kaspersky Lab [1710.00551] Another Flip in the Wall of Rowhammer Defenses CyberTalks 2017

  • Risky Business #472 -- Iran DDoSed banks in 2012, US DoSed DPRK

    · Risky Business

    There is no feature interview in this week’s show – it was a long weekend here in Australia plus a few things came up. But we’ve got a great show for you anyway. We’ll be discussing the week’s news headlines with Adam Boileau who’s back on deck after a short break, and then we’ll get straight into this week’s sponsor interview with Lee Weiner of Rapid7. He’s the Chief Product Officer there and he’s joining us this week to explain why so many vendors are suddenly so obsessed with automation and orchestration. It’s a trend that actually makes a bunch of sense for a bunch of reasons, but the key is 100% going to be in the execution. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes Clapper: U.S. shelved 'hack backs' due to counterattack fears Trump signed presidential directive ordering actions to pressure North Korea - The Washington Post As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia | Ars Technica 6 Fresh Horrors From Equifax CEO Richard Smith's Congressional Hearing | WIRED Joseph Cox on Twitter: "Former Equifax CEO says company scans failed to identify system that was vuln to Struts bug https://t.co/SMWTVgiOsz https://t.co/SnYLamAqlG" The Equifax Hack Has the Hallmarks of State-Sponsored Pros - Bloomberg Certification Revocation List – GeoTrust Facebook says 10 million U.S. users saw Russia-linked ads Russian Facebook ads featured anti-immigrant messages, puppies, women with rifles | Ars Technica Google admits citing 4chan to spread fake Vegas shooter news | Ars Technica After the Las Vegas Mass Shooting, Watch Out For Hoaxes and Bad Info | WIRED SEC.gov | SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors White House wants to end Social Security numbers as a national ID | Ars Technica Every Yahoo account that existed—all 3 billion—was compromised in 2013 hack | Ars Technica Whole Foods Market Payment Card Investigation Notification - Whole Foods Market Newsroom ICANN Postpones Scheduled DNS Crypto Key Rollover | Threatpost | The first stop for security news Breaking DKIM - on Purpose and by Chance Some MacOS Users Aren't Getting the Firmware Security Patches They Think They Have - Motherboard Understanding the prevalence of web traffic interception Code-execution flaws threaten users of routers, Linux, and other OSes | Ars Technica Three WordPress Plugin Zero-Days Exploited in the Wild Net Neutrality Activists Targeted by Clever Pornhub-Themed Phishing Campaign Security Failure: EpiPen’s Database Of Everyone W... | ClickHole

  • Risky Biz Soap Box: Exploit kits are dead, at-scale social engineering the new black

    · Risky Business

    This isn’t the weekly show, this is a deep dive vendor podcast we do 10 times a year. All the vendors who appear in the Soap Box podcasts paid to be here, but you know what? Even though this is sponsored content, it’s really interesting. And this Soap Box edition is a double surprise, because we’re talking about one of the driest topics in infosec: email filtering. But this is actually a really engaging conversation. I was very surprised by how much I enjoyed talking to our guests in this special, Ryan Kalember and Christopher Iezzoni of Proofpoint. Proofpoint, among other things, is a huge player in email security and filtering. This conversation all hinges on a report Proofpoint published called “The Human Factor”. It made some really important observations. For example, the death of popular exploit kits like Angler has just pushed attackers into social engineering at scale as an attack vector. That can be straight up fraud, attached malware or macro stuff, and some of these campaigns involve really sophisticated mass personalisation. The days of exploit kits being used at scale might actually be over. I picked up The Human Factor report the day before we recorded this session and its findings are genuinely interesting. Proofpoint’s Ryan Kalember (SVP, Cybersecurity Strategy) and Christopher Iezzoni (Manager, Threat Research) joined me to discuss the report and also to talk about why email filtering is actually interesting again. You can find The Human Factor report here. Show notes The Human Factor 2017 | Proofpoint

  • Risky Business #471 -- Good Microsoft, bad Microsoft

    · Risky Business

    On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require man in the middle to exploit the failure. Ummm. What? It all got sorted out eventually, and by sorted out I mean silently patched with no note to customers. So if you have a script running somewhere that’s invoking this tool it’s probably not checking for valid certificates, so that’s fun. In this week’s show notes we’ll be talking with industry legend Jon Oberheide, co-founder of Duo Security, about a couple of things. We’ll be looking at the features platform vendors like Microsoft and Google are now baking into their operating systems that allow companies like Duo to be able to query the health of endpoints. We also have a general conversation about how it is actually the platform vendors who will solve the biggest problems, not so much the security industry. That’s this week’s sponsor interview, with big thanks to Duo Security. The Grugq is this week’s news guest. Links to everything discussed are below, and you can also follow Patrick or The Grugq on Twitter if that’s your thing. Show notes CCleaner malware outbreak is much worse than it first appeared | Ars Technica The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms | WIRED SEC Chairman reveals financial reporting system was hacked | Ars Technica SEC reveals it was hacked, information may have been used for illegal stock trades - The Washington Post Deloitte hit by cyber-attack revealing clients’ secret emails | Business | The Guardian Deloitte: 'Very Few Clients' Impacted by Cyber Attack | Threatpost | The first stop for security news Massive Equifax hack reportedly started 4 months before it was detected | Ars Technica Facebook revamps political-ad rules after discovering Russian ad buys | Ars Technica Obama tried to give Zuckerberg a wake-up call over fake news on Facebook Twitter Will Meet With Senate Intelligence Committee on Russia | WIRED Hundreds of Islamic State Supporters Could Be Giving Away Their Location on Instagram Use of personal devices widespread in Trump’s West Wing – POLITICO China disrupts WhatsApp ahead of Communist Party meeting - BBC News U.S. to Collect Social Media Data of Immigrants | Fortune.com Suspected Iranian Hackers Targeted U.S. Aerospace Sector Cloudflare Now Provides Unmetered DDoS Mitigation Without Extra Costs In a first, Android apps abuse serious “Dirty Cow” bug to backdoor phones | Ars Technica Proof-of-Concept Exploit Code Published for Remote iPhone 7 WiFi Hack Password-theft 0-day imperils users of High Sierra and earlier macOS versions | Ars Technica Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse | Threatpost | The first stop for security news Cassie Sainsbury’s Whole Defence Case Hinges On A Forgotten Phone Password CAGE's Muhammad Rabbani to appeal against court ruling | UK News | Al Jazeera Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface Canadian Man Gets 9 Months Detention for Serial Swattings, Bomb Threats — Krebs on Security Hackers create memorial for a cockroach named Trevor | CSO Online The Trusted Access Company: Duo Security

  • Risky Business #470 -- Project Zero's Natalie Silvanovich on reducing attack surface

    · Risky Business

    Ryan Duff fills in for Adam in this week’s news segment. Ryan used to work at US Cyber Command as a cyber operations tactician but these days he’s in the private sector. He shares his thoughts on the week’s happenings. This week’s feature guest is Google Project Zero’s Natalie Silvanovich. A little while back she fired off a few tweets saying companies are simply not doing enough to minimise the attack surface in their software. She was finding it so frustrating that she tweeted an offer – she said she was happy to turn up at any company that would have her and give a talk on how to minimise attack surface. She’s since done that talk about half a dozen times and she joins us today to give us the general idea of the advice she’s been providing. This week’s sponsor interview is with the man, the legend, Haroon Meer. Haroon is the founder of Thinkst Canary, simple hardware honeypots that work amazingly well. This week Haroon joins the show to talk about how we can avoid the next Equifax. He says a lot of it comes down to empowerment, which sounds like the sort of thing an annoying person with capped teeth would put in their slide deck, but when you hear Haroon explain what he actually means it actually makes sense. See links to show notes below, and follow Patrick or Ryan on Twitter if that’s your thing! Show notes Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk Avast Clarifies Details Surrounding CCleaner Malware Incident Kaspersky software banned from US government agencies | Ars Technica Kaspersky Lab co-founder accepts invitation to testify to U.S. Congress Equifax Suffered Earlier Breach in March | Threatpost | The first stop for security news Unwanted ads on Breitbart lead to massive click fraud revelations, Uber claims | Ars Technica Revenge Hacking Is Hitting the Big Time Dutch bank punishes teenager with charity work after he DDoS'd them The Man Behind Plugin Spam: Mason Soiza Russian Authorities Announce Takedown of RAMP Dark Web Marketplace Users Freak Out After Dark Web Market Goes Down And Funds Go Missing - Motherboard Startup That Sells Zero-Days to Governments Is Offering $1 Million For Tor Hacks - Motherboard The Loopix Anonymity System Wants to Be a More Secure Alternative to Tor Chrome Extension Embeds In-Browser Monero Miner That Drains Your CPU Azure Confidential Computing will keep data secret, even from Microsoft | Ars Technica Security.txt Standard Proposed, Similar to Robots.txt Senator Demands Answers From Telecom Giants on Phone Spying Malware Uses Security Cameras With Infrared Capabilities to Steal Data CynoSure Prime: 320 Million Hashes Exposed

  • Risky Biz Soap Box: Consolidation to hit infosec software industry

    · Risky Business

    Cylance, as many of you would know, is a so-called next generation AV company. They were early movers on machine learning tech, and they’ve been tremendously successful. They’re a tech unicorn – clocking up a valuation of over a billion dollars in a very short space of time. Cylance was founded in 2012, and there’s been a lot of movement in the endpoint security space since. There are now a whole swag of next generation endpoint security companies gobbling up the market share of the incumbent AV companies. A lot of them started off in the EDR space and are now doing anti-virus as well. It feels like we’ve reached a consensus point. Endpoint security software should do both EDR and AV. So, Cylance is building out its EDR products. So we’ll be speaking with Cylance’s chief product officer, Rahul Kashyap, about convergence. Not just in terms of what they’re doing, but more broadly. Rahul has been in the security game for a long time. He worked on developing network-based IDS products with Nsecure back in the early 2000s, before taking a job at McAfee. He served as McAfee’s head of vulnerability research for four years before joining Bromium as its chief security architect. Rahul has been on Risky Business before and he’s a guy who very much knows what’s up.

  • Risky Business #469 -- More like EquiHAX. AMIRITE??

    · Risky Business

    On this week’s show, of course, we’ll be using the news segment to take a look at the dumpster fire that is the Equifax breach. We’ve got suspicious short trades, executive share sales and an absolutely shambolic response. This one’s got the lot; something for everyone. We’ll also take a look at these latest Bluetooth bugs and of course we’ll recap the rest of the week’s security news. In this week’s feature interview we’re chatting with Emily Crose. After cutting her teeth at CIA, NSA and US Cyber Command, these days Emily works in the private sector, and her hobby at the moment is using machine learning-based image processing to identify problematic social media images. Some social media companies say it’s too hard to identify, for example, ze Nazis. Emily says nope. I would say this week’s show is brought to you by Tenable Network Security, but now I’m just going to say Tenable because these days that’s what they’re calling themselves. And it makes sense. Vulnerability management isn’t really just about what’s on your network anymore. With that in mind, they’ve really changed the messaging of the company. They’re not calling it continuous monitoring anymore, they’re calling it cyber exposure measurement. Corey Bodzin, VP of product operations at Tenable joins the show to walk us through the rationale behind the new messaging. Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing! Show notes The Equifax Breach: What You Should Know — Krebs on Security Equifax Breach Response Turns Dumpster Fire — Krebs on Security Apache Foundation Refutes Involvement in Equifax Breach | Threatpost | The first stop for security news Suspect trading in Equifax options before breach might have generated millions in profit Dustin Volz on Twitter: "NEWS: Senate Finance Committee leaders Hatch and Wyden ask @Equifax CEO for info on hack, including what stock-selling execs knew and when https://t.co/Dhvyj8MALS" Equifax Stung With Multibillion-Dollar Class-Action Lawsuit After Massive Data Breach Chatbot lets you sue Equifax for up to $25,000 without a lawyer - The Verge Exploit goes public for severe bug affecting high-impact sites | Ars Technica Apache Struts Vulnerabilities May Affect Many of Cisco's Products Facebook May Have More Russian Troll Farms to Worry About | WIRED FBI investigates Russian news agency Sputnik Billions of devices imperiled by new clickless Bluetooth attack | Ars Technica Windows 0-day is exploited to install creepy Finspy malware (again) | Ars Technica Microsoft September Patch Tuesday Fixes 82 Security Issues, Including a Zero-Day Hacking Collective Finds Flaw That Allows Tampering With Election Vote Counts A Simple Design Flaw Makes It Astoundingly Easy To Hack Siri And Alexa Popular D-Link Router Riddled with Vulnerabilities | Threatpost | The first stop for security news Over 1.65 Million Computers Infected With Cryptocurrency Miners in 2017 So Far Bitcoin Price Takes a Tumble Amid Rumors of China Banning Cryptocurrency Trading Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software TensorFlow Tenable™ - The Cyber Exposure Company

  • Risky Business #468 -- Marcus Hutchins gets "Krebsed," the ICO bubble and more

    · Risky Business

    On this week’s show we’re going to take a look at the ICO bubble. We’ll hear some excerpts from a chat I had with Coinjar CEO Asher Tan and then Adam and I are going to talk about what the hell is happening with all this crypto madness. We also take a look at the scuttling of the Kenyan election over hacking fears, the latest drama with Kaspersky being caught in the middle of geopolitical intrigue, the FSB’s unconventional BBQ in San Francisco and more. This week’s show is brought to you by Netsparker. Netsparker makes an automated webapp testing tool; you can kinda dial up the level of automation you want. They have a few nice tricks in their suite, too, like auto proof of concept exploitation of some bug classes so you can actually prove people need to fix stuff while you drink coffee. That’s nice. In this week’s sponsor interview we’re speaking with Ferruh Mavituna, the founder and CEO of Netsparker, about automated testing at scale. It’s a sponsor interview, but it’s also a pretty generic chat about how you tackle that problem. Basically he says when you’re doing this scanning at scale you really can start with the bad, dumb stuff, because if you’re in an enterprise of any sort of size at all your automated testing is going to spit out a horror-show list. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes Who Is Marcus Hutchins? — Krebs on Security Solaris update plan is real, but future looks cloudy by design • The Register Bye Bye Solaris, it seems. | Hackaday Kenya's Supreme Court declares presidential election result null Kenyan Elections and Alleged Hacking: A Look at the available evidence | CIPIT Blog The Russian Company That Is a Danger to Our Security - The New York Times Chinese Agency Linked to Cyber-Espionage Operations Will Review Source Code of Foreign Firms Russia's San Francisco consulate is mysteriously burning stuff before it is shut down — Quartz Man Who Refused to Decrypt Hard Drives Still in Prison After Two Years Four Million Time Warner Cable Records Left on Misconfigured AWS S3 | Threatpost | The first stop for security news Military Contractor's Vendor Leaks Resumes in Misconfigured AWS S3 | Threatpost | The first stop for security news Mastercard Internet Gateway Service: Hashing Design Flaw – Tinyhack.com Massive Wave of MongoDB Ransom Attacks Makes 26,000 New Victims Vulnerabilities Discovered in Mobile Bootloaders of Major Vendors Banking Trojan Now Targets Coinbase Users, Not Just Banking Portals Chinese Man Sentenced to Nine Months in Prison for Selling VPN Software Bitcoin falls as China bans initial coin offerings | Ars Technica ICO Bubble? Startups Are Raising Hundreds of Millions of Dollars Via Initial Coin Offerings | Inc.com Coinschedule - Cryptocurrency ICO Statistics SEC's ICO Ruling: What It Means for Investors and Blockchain | Fortune.com The Paris Coin Got it Right | txsrb Ethereum ICO: people invested thousands of dollars in "Useless Ethereum Token" (UET) — Quartz Digital assets in Ethereum blockchain Scaling-Up & Automating Web Application Security (Infosecurity Europe 2017 Tech Talk) - YouTube

  • Snake Oilers #2: Part 2: Authentication tech from Yubico and Remediant

    · Risky Business

    This podcast deals with authentication tech – in particular, if you manage a Windows network, you’ll want to listen to this to get an idea of some different approaches to solving some of your authentication challenges. This isn’t our weekly show, this is something we do four times a year – we get a bunch of vendors together and they explain their tech. Last week I published interviews with CrowdStrike, Replicated and AttackIQ, go check them out if you haven’t already, but I wanted to break out these two companies into their own podcast.

    In this edition we’re going to hear from two companies – Remediant and Yubico. Yubico, of course, makes YubiKeys, the hardware authentication device used by companies like Google and Facebook to lock down accounts. I own one, and it wasn’t a freebie, I paid for it. A lot of security people use these USB devices because they work really, really well. What I didn’t know, because I’m a dumbass, is there’s native support for YubiKeys in Windows. So if you want to add hardware-backed two factor authentication to your Windows accounts, this is one way to do it.

    But before we talk to Yubico, we’re going to hear from Remediant. Remediant is a start-up that also makes some interesting Windows auth tech. Now, a lot of Risky Business listeners operate in high security or compliance heavy environments. This will often mean using password vault technology for better privileged account management. Remediant has something they think is better. Basically they have created a tech that lets you enable and disable privileged accounts on, like, a time-lock basis. If you have to do some admin work on a box, you log in to your Remediant server, enable that account for a set period of time, then off you go. Easy. It’s a very light touch way of solving some pretty serious management headaches, and it’s very easy to audit, which will keep our friends in heavily regulated environments very happy.

    Show notes
      • Yubico -- U2F two factor auth hardware, natively supported by Windows
      • Remediant -- an alternative to password vaults

  • Risky Business #467 -- HPKP as an attack vector

    · Risky Business

    In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

    In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hack or own your domain registrar, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control. You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.

    This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”. Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below. Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

    Show notes
      • 465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says - Motherboard
      • Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges - Motherboard
      • Bitcoin: Hacking Coinbase, Cryptocurrency’s ‘Goldman Sachs' | Fortune.com
      • List Of High Profile Cryptocurrency Hacks So Far (August 24th 2017)
      • Narrowing the Scope - DreamHost.blog
      • Troy Hunt: Inside the Massive 711 Million Record Onliner Spambot Dump
      • Leak of >1,700 valid passwords could make the IoT mess much worse | Ars Technica
      • The Companies That Will Track Any Phone on the Planet
      • This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves
      • Bit Paymer Ransomware Hits Scottish Hospitals
      • Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA
      • China to Impose Real Name Policy for Online Comments
      • Google Error Causes Widespread Internet Outage in Japan
      • bgp-bogus-tls.pdf
      • Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability
      • Zerodium Offers $500K for Secure Messaging App Zero Days | Threatpost
      • Firmware Update Bricks Samsung Smart TVs in the UK
      • Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet — Krebs on Security
      • Inside an Epic Hotel Room Hacking Spree | WIRED
      • Google Reminding Admins HTTP Pages Will Be Marked 'Not Secure' in October | Threatpost
      • Fraudulent Donations Lead to Disbanding of Hutchins Legal Defense Fund | Threatpost
      • Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root | Threatpost
      • ROPEMAKER Exploit Allows for Changing of Email Post-Delivery | Threatpost
      • U.S. spies think the FBI is botching the Kaspersky investigation
      • Hackers snag a $1 laptop by exploiting flaw in point-of-sale systems | ZDNet
      • I'm giving up on HPKP
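    The registrar-takeover sequence Scott describes in this episode maps directly onto the pin-noting and pin-validation rules of RFC 7469, so here is an added Python example that models a browser's HPKP pin store and walks the attack through its phases. This is editorial example code, not code from the show, from Scott Helme or from any browser or project. The SPKIs in it are constructed stand-in byte strings rather than real keys: a pin-sha256 value is simply base64(SHA-256(DER SubjectPublicKeyInfo)), so the pinning logic behaves identically. The host name example.com, the timestamps and the 60-day max-age are assumptions chosen for the walkthrough.

```python
"""Added example: a minimal HPKP (RFC 7469) pin store and the "HPKP ransom"
scenario from the episode. Not from the show or any browser. SPKIs below are
constructed stand-in bytes, not real keys; a pin is base64(SHA-256(SPKI DER)).
"""
import base64
import hashlib
import re
from dataclasses import dataclass, field

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value (RFC 7469 s2.4): base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str):
    """Return (pins, max_age_seconds), or None when the header is unusable.

    max-age is REQUIRED (s2.1); a header with no pin-sha256 directives pins nothing.
    """
    pins = set(_PIN_RE.findall(value))
    m = _MAX_AGE_RE.search(value)
    if not pins or m is None:
        return None
    return pins, int(m.group(1))


@dataclass
class PinStore:
    """What a UA remembers: host -> (pin set, absolute expiry time)."""
    known: dict = field(default_factory=dict)

    def note_header(self, host: str, header: str, chain_spkis, now: int) -> bool:
        """Process a PKP header received on a *validated* TLS connection (s2.3)."""
        parsed = parse_pkp_header(header)
        if parsed is None:
            return False
        pins, max_age = parsed
        if max_age == 0:                      # s2.3.1: max-age=0 forgets the host
            self.known.pop(host, None)
            return False
        chain_pins = {spki_pin(s) for s in chain_spkis}
        # s2.5: the pin set must match the served chain AND carry a backup pin
        # that is NOT in the chain; otherwise a conforming UA must not note it.
        if not (pins & chain_pins) or not (pins - chain_pins):
            return False
        self.known[host] = (pins, now + max_age)
        return True

    def validate(self, host: str, chain_spkis, now: int) -> bool:
        """True if the connection may proceed (s2.6): no live pins, or chain matches."""
        entry = self.known.get(host)
        if entry is None:
            return True
        pins, expires = entry
        if now >= expires:
            del self.known[host]
            return True
        return any(spki_pin(s) in pins for s in chain_spkis)


def hpkp_ransom_scenario() -> dict:
    """Walk the attack: registrar takeover -> DV cert -> hostile pins -> owner locked out."""
    # Constructed stand-in SPKIs (arbitrary bytes, not real keys).
    owner_leaf, owner_ca = b"SPKI:owner-leaf", b"SPKI:public-ca"
    attacker_leaf, attacker_backup = b"SPKI:attacker-leaf", b"SPKI:attacker-backup"
    host, t0, day = "example.com", 1_500_000_000, 86400   # assumed values

    store = PinStore()
    # Phase 1: attacker controls DNS, obtains a DV cert for attacker_leaf and
    # serves a PKP header pinning their own key plus a backup, for 60 days.
    evil = (f'pin-sha256="{spki_pin(attacker_leaf)}"; '
            f'pin-sha256="{spki_pin(attacker_backup)}"; max-age={60 * day}')
    noted = store.note_header(host, evil, [attacker_leaf, owner_ca], t0)

    # A header without a backup pin is ignored by a conforming UA (s2.5).
    no_backup = f'pin-sha256="{spki_pin(attacker_leaf)}"; max-age={60 * day}'
    sloppy_noted = PinStore().note_header(host, no_backup, [attacker_leaf, owner_ca], t0)

    # Phase 2: the owner recovers the domain and serves a valid chain for their
    # own key. Poisoned UAs refuse the handshake, so they never see a fixing
    # header; an unpoisoned visitor is fine; the poisoned UA only recovers
    # once max-age has elapsed.
    owner_chain = [owner_leaf, owner_ca]
    return {
        "attacker_pins_noted": noted,
        "no_backup_header_noted": sloppy_noted,
        "owner_blocked": not store.validate(host, owner_chain, t0 + day),
        "fresh_visitor_ok": PinStore().validate(host, owner_chain, t0 + day),
        "recovers_after_max_age": store.validate(host, owner_chain, t0 + 61 * day),
    }


if __name__ == "__main__":
    for k, v in hpkp_ransom_scenario().items():
        print(f"{k}: {v}")
```

    The point the model makes concrete is the one-way nature of the trap: once a UA has noted the attacker's pins, it rejects the owner's perfectly valid chain before any HTTP header is exchanged, so the owner cannot serve max-age=0 to undo it. Recovery is only by expiry of the attacker-chosen max-age or by users manually clearing pin state, which is why the length of max-age is entirely the attacker's call.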

  • Snake Oilers #2: Part 1: Crowdstrike, AttackIQ and Replicated explain their tech

    · Risky Business

    This is part one of our latest Snake Oilers podcast, the sponsored podcast that doesn’t suck! I have to say, when I launched this podcast series I had no idea it would actually wind up being genuinely engaging and interesting. All three interviews in this podcast are top notch and I think anyone working in infosec would do well to listen. The original idea behind these Snake Oilers podcasts was vendors would come on to the show and aggressively pitch their products. But you know what? What they mostly want to do is actually explain what their technology does so people out there in listener land actually know what they do.

    I’ve broken this special into two parts. In this part we’ll hear from CrowdStrike, Replicated and AttackIQ. On Monday next week I’ll be posting part two with Remediant and Yubico, the makers of YubiKeys. Those two companies both make authentication technology, which is why I split them out onto their own.

    In this part:
      • CrowdStrike tell us why they think their EDR and AV solution is the best. A lot of you probably didn’t even know CrowdStrike does AV now… they’ve got a pretty compelling endpoint detection and response plus AV pitch.
      • AttackIQ will pitch its software as a way to augment red teaming exercises and help you think of security as a continuous feedback loop.
      • Replicated talks through its tech. They take SaaS software and turn it into on-prem or private cloud software.

    Show notes
      • CrowdStrike -- Endpoint Detection and Response (EDR) and Antivirus (AV) software
      • Replicated -- Turns SaaS/cloud software into on-prem/private cloud software
      • AttackIQ -- Attack simulation software

  • Risky Business #466 -- Breaking reverse proxies shouldn't be this easy

    · Risky Business

    On this week’s show we chat with James Kettle of PortSwigger Web Security about some adventures he had with reverse proxies and malformed Host headers. Using some simple tricks, James was able to do some craaaazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that.

    In this week’s sponsor interview we’re tackling the new European General Data Protection Regulation. With the new regime due to kick in on May 25 next year, there’s a lot of angst out there, and for good reason. The penalties for mishandling info are up to 4% of global turnover, which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere. Senetas is this week’s sponsor. They make layer 2 encryption gear, as well as SureDrop, a GDPR and enterprise friendly Dropbox-style service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that.

    As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

    Show notes
      • In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking - The New York Times
      • Blowing the Whistle on Bad Attribution — Krebs on Security
      • Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back - Motherboard
      • Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors | WIRED
      • IRS Now Has a Tool to Unmask Bitcoin Tax Cheats
      • Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices
      • Cryptocurrency Miner Infects Windows PCs via EternalBlue and WMI
      • Ad Trackers on E-Commerce Sites Can Unmask Bitcoin Transactions
      • It's Not Exactly Open Season on the iOS Secure Enclave | Threatpost
      • Secret chips in replacement parts can completely hijack your phone’s security | Ars Technica
      • Google Releases Android 8.0 Oreo
      • Android Spyware Linked to Chinese SDK Forces Google to Boot 500 Apps | Threatpost
      • Chrome Adds Warning for When Extensions Take Over Your Internet Connection
      • Couple Accused of Using Lowes Website Flaw to Steal Expensive Goods
      • Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack | Threatpost
      • #23270 (Allow Tor relays to be configured to block selected hidden services, including racist hate sites) – Tor Bug Tracker & Wiki
      • Fighting Neo-Nazis and the Future of Free Expression | Electronic Frontier Foundation
      • PortSwigger Web Security Blog: Cracking the Lens: Targeting HTTP's Hidden Attack-Surface

  • Risky Business #465 -- Charlie Miller on autonomous car security

    · Risky Business

    On this week’s show we chat with Charlie Miller all about the security of autonomous vehicles. As you’ll hear, he says autonomous vehicle security all comes down to some security fundamentals that are, in fact, being taken seriously by carmakers.

    We’ve got an absolutely fantastic sponsor interview for you this week. This week’s show is brought to you by Senrio. They make an IoT network monitoring solution that’s actually really good. Stephen Ridley is the founder and head honcho at Senrio. He’s a very well known researcher and he joins us this week to talk about a few things. First up he recaps the gSOAP library bugs the Senrio team found. They were a big deal in July, but as you’ll hear, people kinda missed the point. The affected gSOAP library is absolutely everywhere, including in, ahem, browsers. So yeaaaaah. There’s that. Then we move on to the more sponsor-y part of the sponsor interview, talking about Senrio’s experience running the IoT hacking village at DEF CON. It was a great time for them, throwing their product at the most hostile IoT network the world has ever seen. To round out the Stephen Ridley omnibus experience we’ll also hear about a few training courses he’s offering on Android hacking and software exploitation via hardware exploitation.

    Adam Boileau joins the show to talk about the week’s security news, links to everything are below. Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

    Show notes
      • The U.S. Is Trying to Seize 1.3 Million Visitor Logs, DreamHost Says - The Atlantic
      • We Fight for the Users - DreamHost.blog
      • After Shutdown, Daily Stormer Users Are Moving to a Dark Web Version of Site - Motherboard
      • Someone Appears to Be DDoSing the Dark Web Version of The Daily Stormer - Motherboard
      • Researcher Who Stopped WannaCry Pleads Not Guilty to Creating Banking Malware - Motherboard
      • Top Security Firm May Be Leaking 'Terabytes' Of Confidential Data From Fortune 100 Companies | Gizmodo Australia
      • Beware of Security by Press Release — Krebs on Security
      • The Shadow Brokers Have Made Almost $90,000 Selling Hacking Tools by Subscription, Researcher Says - Motherboard
      • HBO offered hackers $250,000 'bug bounty', leaked email claims | Technology | The Guardian
      • Russian Hackers Are Targeting Hotels Across Europe, Researchers Say - Motherboard
      • Attackers Backdoor NetSarang Software Update Mechanism | Threatpost
      • Seven More Chrome Extensions Compromised | Threatpost
      • Blizzard Entertainment Hit With Weekend DDoS Attack | Threatpost
      • Cyberattack leaves millions without mobile phone service in Venezuela — Technology — The Guardian Nigeria Newspaper
      • Smart Locks Bricked by Bad Update | Threatpost
      • IMSI Catcher Detection Apps Might Not Be All That Good, Research Suggests - Motherboard
      • Ukrainian Man Arrested, Charged in NotPetya Distribution | Threatpost
      • Juniper Issues Security Alert Tied to Routers and Switches | Threatpost
      • slides_bh_pdf
      • From random block corruption to privilege escalation: A filesystem attack vector for rowhammer-like attacks | USENIX
      • Legal Hacking Tools Can Be Useful for Journalists, Too - Motherboard
      • Experts in Lather Over ‘gSOAP’ Security Flaw — Krebs on Security
      • Devil's Ivy - Senrio
      • Senrio Training

  • Risky Business #464 -- Why your game theory theories are wrong

    · Risky Business

    On this week’s show we’ll be chatting with Kelly Shortridge, formerly a detection manager at BAE, all about her Black Hat talk. It’s all about why most of what you hear about applying game theory to detection strategies is total bullshit.

    This week’s show is brought to you by Signal Sciences! Signal Sciences makes a killer product focussed on web application and web server security. It’s really popular with the devops crowd, which is interesting, because most security products in devops focus on the dev, whereas Signal Sciences focusses more on the ops component. This week we speak to Signal Sciences co-founder Zane Lackey about this burgeoning market for security tooling geared towards non-security people. It’s actually a really interesting conversation. Non-security groups at large organisations are having to become security self sufficient and it really is a game changer. More on that with Zane Lackey in this week’s sponsor interview.

    Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

    Show notes
      • WannaCry Researcher Indicted for Allegedly Creating Banking Malware - Motherboard
      • Marcus Hutchins' Only Certainty is Uncertainty | Threatpost
      • download
      • Hackers Behind WannaCry Cashed Out Bitcoin While No One Was Watching - Motherboard
      • So, about this Googler’s manifesto. – Yonatan Zunger – Medium
      • Internal Messages Show Some Google Employees Supported James Damore’s Manifesto | WIRED
      • Election Officials Still Haven’t Got Clearance to View Russian Hacking Info - Motherboard
      • Attackers Use Typo-Squatting To Steal npm Credentials | Threatpost
      • After phishing attacks, Chrome extensions push adware to millions | Ars Technica
      • The FBI Booby-Trapped a Video to Catch a Suspected Tor Sextortionist - Motherboard
      • Cisco deletes Meraki customer data in config bungle - Networking - iTnews
      • Cisco Fixes DoS, Authentication Bypass Vulnerabilities, OSPF Bug | Threatpost
      • What happens when someone steals your domain? - MiVote
      • We Anonymously Controlled a Dildo Through the Tor Network - Motherboard
      • O'Reilly Security Conference, October 29 - November 1, 2017, New York, NY
      • A Next-Gen Web Protection Platform - WAF And RASP | Signal Sciences

  • Risky Business #463 -- Black Hat's 2017 keynote speaker Alex Stamos joins the show

    · Risky Business

    This week’s feature interview is with Facebook CSO and Black Hat 2017 keynote speaker Alex Stamos. We’ll be digging a little deeper on some of the points he hit on in his talk in Las Vegas this year. I’ve linked through to a video of his keynote in this week’s show notes (below), and I’d really recommend you watch it. It was just very, very good.

    This week’s show is brought to you by Thinkst Canary. They’re best known for their little Canary honeypots, you put them on your network and they’ll alert you to all sorts of lateral movement. Thinkst’s founder and chief brain Haroon Meer will be along later on to talk about cloud security. He’ll be echoing some of the points made in our interview a few weeks back with Daniel Grzelak from Atlassian, as well as looking at how you can start to put together a somewhat coherent strategy for detecting when your cloud services get popped.

    Adam Boileau is this week’s news guest. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

    Show notes
      • Flash & The Future of Interactive Content | Adobe
      • The Very Best Black Hat Hacks | WIRED
      • Hackers Show Proofs of Concept to Beat Hardware-Based 2FA - Motherboard
      • Same Chinese white hat group hacks into Tesla for second year - Xinhua | English.news.cn
      • At DEF CON, I Watched Hackers Take Voting Machines Apart - Motherboard
      • Salesforce vs. MEATPISTOL
      • Kevin Beaumont on Twitter: "After Merck say they are having manufacturing issues from Petya, CDC say Merck Hepatitis vaccine not being distributed. https://t.co/N3KwAx6K2l"
      • Europol Head Tells Us About its Dark Web Market Sting - Motherboard
      • Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address - Motherboard
      • The Dark Web Gun Trade May Be Bigger Than You Think - Motherboard
      • Darknet administrator arrested over Munich massacre gun
      • Legislation Proposed to Secure Connected IoT Devices | Threatpost
      • 'Criminal mastermind' of $4bn bitcoin laundering scheme arrested | Technology | The Guardian
      • Suspended Sentence for Mirai Botmaster Daniel Kaye — Krebs on Security
      • Microsoft expands bug bounty program to cover any Windows flaw | Ars Technica
      • Windows 10 will try to combat ransomware by locking up your data | Ars Technica
      • Hackers' Own Tools Are Full of Vulnerabilities - Motherboard
      • For 20 Years, This Man Has Survived Entirely by Hacking Online Games - Motherboard
      • Facebook Security Boss: Empathy, Inclusion Must Come to Security | Threatpost
      • Black Hat 2017 Keynote - Alex Stamos, Facebook... (Starts about 35 minutes in)
      • Canary — know when it matters

  • Risky Business #462 -- Does the Australian government want to break encryption?

    · Risky Business

    In this week’s feature interview I speak with the Australian Prime Minister’s cyber security advisor Alastair MacGibbon about what it is that the Australian government is pushing for in terms of industry cooperation around surveillance. There’s been a lot of hype on this one. “Al Mac” joins the show to work through some of it, and honestly, Australia’s push at the moment is the sort of thing I think you can expect to see more of around the world, so this is an interview of global relevance. Some of that conversation hinges on a blog post I wrote on the weekend. If you want to, you can read that here.

    This week’s show is brought to you by Remediant! Remediant makes a product that’s designed to make lateral movement through a network much harder. Essentially it’s a way to restrict all privileged accounts on your infrastructure until you actually need them. So instead of being able to just log in to your production environment, you can actually set it up so you can enable the privilege you need for a set period of time. It’s a different approach to privilege management than things like password vaults, so if you work in an authentication group you’re going to want to hear what they have to say. Remediant CEO Tim Keeler is this week’s sponsor guest.

    Adam Boileau is this week’s news guest. We talk about all the continuing NotPetya drama at Maersk and FedEx/TNT, the AlphaBay latest and more. See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

    Show notes
      • ‘Co-founder’ of AlphaBay dark web for drugs and weapons found dead in cell | The Independent
      • UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials - The Washington Post
      • Advisory Update
      • FedEx’s TNT Express still reeling from Petya cyberattack last month | Air Cargo World
      • FedEx Says Some Damage From NotPetya Ransomware May Be Permanent
      • Damages From a Well Executed Cyber Attack Could Reach $121.4 Billion
      • Experts in Lather Over ‘gSOAP’ Security Flaw — Krebs on Security
      • "Particle" Chrome Extension Sold to New Dev Who Immediately Turns It Into Adware
      • It’s Trivially Easy to Hack into Anybody’s Myspace Account - Motherboard
      • CoinDash Hacked During its ICO | Threatpost
      • Cisco Patches Another Critical Ormandy Bug in WebEx Extension | Threatpost
      • The Cyber Kill Chain is making us dumber
      • No encryption was harmed in the making of this intercept - Risky Business
      • Why Australia might be on the right encryption-cracking track
      • Remediant
