Risky Business

On this week’s show we’re chatting with Daniel Gruss an infosec researcher doing a postdoc in the Secure Systems group at the Graz University of Technology in Austria.

Daniel was one of the authors of a recent paper on a new Rowhammer technique. This one’s pretty clever, basically because it evades all known detection techniques by executing in an Intel SGX enclave.

In this week’s feature interview we chat with Dan Guido from Trail of Bits. He’s along this week to talk about his experience in helping to build secure software and security tools for his clients.

Of course the big news this week are the so-called “KRACK” attacks against WPA2. Adam’s done his homework on that and joins the news segment to tell you all how bad it is. We also look at the RNG bugs making life hard for smart card vendors and all the other news of the week!

Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security Falling through the KRACKs – A Few Thoughts on Cryptographic Engineering Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible | Threatpost | The first stop for security news Millions of high-security crypto keys crippled by newly discovered flaw | Ars Technica 'Hacking back' legislation is back in Congress The World Once Laughed at North Korean Cyberpower. No More. - The New York Times North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist Beaumont Porg, Esq. on Twitter: "Ukraine Intelligence Agency warning of planned large scale disk wiping attack using supply chain: https://t.co/Scm6kcgXSI https://t.co/EebTrrLwzu" October Price Adjustment — Steemit Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet Cyberespionage Group Steps Up Campaigns Against Japanese Firms | Threatpost | The first stop for security news Middle Eastern hacking group is using FinFisher malware to conduct international espionage Exclusive: Microsoft responded quietly after detecting secret database hack in 2013 Equifax website borked again, this time to redirect to fake Flash update | Ars Technica Google’s strongest security, for those who need it most Russia Fines Telegram $14,000 for Not Giving FSB an Encryption Backdoor Web-connected household devices to face mandatory rating over spying fears Want to see something crazy? Open this link on your phone with WiFi turned off. Sexual assault allegations levied against high profile security researcher and activist - The Verge Leveraging the Analog Domain for Security (LADS) Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 KRACK Attacks: Bypassing WPA2 against Android and Linux - YouTube [1710.00551] Another Flip in the Wall of Rowhammer Defenses