Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/







Risky Business #466 -- Breaking reverse proxies shouldn't be this easy


On this week’s show we chat with James Kettle of PortSwigger Web Security about some adventures he had with reverse proxies and malformed Host headers. Using some simple tricks, James was able to do some crazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that.

In this week’s sponsor interview we’re tackling the new European General Data Protection Regulation (GDPR). With the new regime due to kick in on May 25, 2018, there’s a lot of angst out there, and for good reason. The penalties for mishandling personal data run up to 4% of global annual turnover (or €20 million, whichever is higher), which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere.

Senetas is this week’s sponsor. They make Layer 2 encryption gear, as well as SureDrop, a GDPR-friendly, enterprise-grade Dropbox-style file-sharing service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that.

As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes:

In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking - The New York Times
Blowing the Whistle on Bad Attribution - Krebs on Security
Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back - Motherboard
Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors - WIRED
IRS Now Has a Tool to Unmask Bitcoin Tax Cheats
Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices
Cryptocurrency Miner Infects Windows PCs via EternalBlue and WMI
Ad Trackers on E-Commerce Sites Can Unmask Bitcoin Transactions
It's Not Exactly Open Season on the iOS Secure Enclave - Threatpost
Secret chips in replacement parts can completely hijack your phone’s security - Ars Technica
Google Releases Android 8.0 Oreo
Android Spyware Linked to Chinese SDK Forces Google to Boot 500 Apps - Threatpost
Chrome Adds Warning for When Extensions Take Over Your Internet Connection
Couple Accused of Using Lowes Website Flaw to Steal Expensive Goods
Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack - Threatpost
#23270 (Allow Tor relays to be configured to block selected hidden services, including racist hate sites) - Tor Bug Tracker & Wiki
Fighting Neo-Nazis and the Future of Free Expression - Electronic Frontier Foundation
Cracking the Lens: Targeting HTTP's Hidden Attack-Surface - PortSwigger Web Security Blog










Published August 23, 2017. Running time: 56m.