Risky Business

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to hack own your domain registrar, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control.

You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.

This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”.

Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below.

Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

Show notes 465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says - Motherboard Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges - Motherboard Bitcoin: Hacking Coinbase, Cryptocurrency’s ‘Goldman Sachs' | Fortune.com List Of High Profile Cryptocurrency Hacks So Far (August 24th 2017) Narrowing the Scope - DreamHost.blog Troy Hunt: Inside the Massive 711 Million Record Onliner Spambot Dump Leak of >1,700 valid passwords could make the IoT mess much worse | Ars Technica The Companies That Will Track Any Phone on the Planet This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves Bit Paymer Ransomware Hits Scottish Hospitals Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA China to Impose Real Name Policy for Online Comments Google Error Causes Widespread Internet Outage in Japan bgp-bogus-tls.pdf Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability Zerodium Offers $500K for Secure Messaging App Zero Days | Threatpost | The first stop for security news Firmware Update Bricks Samsung Smart TVs in the UK Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet — Krebs on Security Inside an Epic Hotel Room Hacking Spree | WIRED Google Reminding Admins HTTP Pages Will Be Marked 'Not Secure' in October | Threatpost | The first stop for security news Fraudulent Donations Lead to Disbanding of Hutchins Legal Defense Fund | Threatpost | The first stop for security news Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root | Threatpost | The first stop for security news ROPEMAKER Exploit Allows for Changing of Email Post-Delivery | Threatpost | The first stop for security news U.S. spies think the FBI is botching the Kaspersky investigation Hackers snag a $1 laptop by exploiting flaw in point-of-sale systems | ZDNet I'm giving up on HPKP