In this (wholly sponsored) edition of the Snake Oilers podcast, three vendors will drop by to pitch their sweet, sweet snake oil:

• Gravwell pitches its “structure on read” approach to SIEM
• Plextrac describes its red team/pentest reporting platform
• ITProTV’s Don Pezet talks about trends in online training

Show notes

Gravwell

PlexTrac - The Purple Teaming Platform

Learn technology and pass IT certifications with ITProTV

On this week’s show Patrick and Adam discuss the week’s security news, including:

• US DoJ unseals indictments against Sandworm operators
• Twitter backtracks on “hacked materials” policy
• No consensus on Trickbot c2 status
• NSA publishes “most exploited” listicle that’s actually interesting
• Much, much more

Cmd Security is this week’s sponsor. Its CEO Jake King and CTO Mike Sample join the show this week to talk though a new remote access tech release from Hashicorp called Boundary and what it might mean for Linux system observability in your environment.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit | WIRED

UK says Russia was preparing cyber-attacks against the Tokyo Olympics | ZDNet

Sandworm operators indicted - Risky Business

Microsoft says it took down 94% of TrickBot's command and control servers | ZDNet

NSA publishes list of top vulnerabilities currently targeted by Chinese hackers | ZDNet

800,000 SonicWall VPNs vulnerable to new remote code execution bug | ZDNet

VMSA-2020-0023

New York Post Published Hunter Biden Report Amid Newsroom Doubts - The New York Times

Twitter Says It Blocked NY Post Hunter Biden Article Because It Contains Hacked Data

The Media Just Passed a Test It Failed Four Years Ago | WIRED

Brevard voters threatened in emails purportedly from 'Proud Boys'

Google offers details on Chinese hacking group that targeted Biden campaign

Industry alert pins state, local government hacking on suspected Russian group

New York regulator faults Twitter for lax security measures prior to big account breach

German authorities raid FinFisher offices | ZDNet

Shannon Vavra on Twitter: "Details via @hsu_spencer & @kfahim https://t.co/QTRooHnw0I" / Twitter

Encrochat Hack That Brought Down Hundreds of Criminals Faces Legal Challenges

Hackney Council unable to pay housing benefit after cyber attack | Science & Tech News | Sky News

London's Hackney Borough Council hit by hack attack - BBC News

Hackney Council services to be disrupted ‘for some time’

Meet FIN11, a cybercrime outfit going after pharma companies while leaning on extortion

QAnon/8Chan Sites Briefly Knocked Offline — Krebs on Security

Alexander Vinnik heads to trial in France on ransomware, money laundering charges

Alleged KickassTorrents founder Artem Vaulin jumped bail in Poland

Thousands of infected IoT devices used in for-profit anonymity service | Ars Technica

Microsoft adds option to disable JScript in Internet Explorer | ZDNet

Zoom to roll out end-to-end encrypted (E2EE) calls | ZDNet

QRadar: Popular IBM security tool open to remote code execution attacks | The Daily Swig

Google releases Chrome security update to patch actively exploited zero-day | ZDNet

Security testing firm NSS Labs ceases operations, citing coronavirus | TechCrunch

Ryuk in 5 Hours – The DFIR Report

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Yep, it was Cyber Command
• Also Microsoft, Symantec, Lumen and others
• Norwegian parliament hack pinned on Russia
• We finally talk about “ethics in OST”
• More

Netflix senior security engineer Scott Behrens also joins the show this week. This week’s episode if brought to you by Signal Sciences – which is now a part of Fastly – and they suggested we talk to Scott for their sponsor slot this week. So, Scott joins the show to talk through how Netflix handles appsec.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Report: U.S. Cyber Command Behind Trickbot Tricks — Krebs on Security

Persistently Engaging TrickBot: USCYBERCOM Takes on a Notorious Botnet - Lawfare

(1) Ciaran Martin on Twitter: "Fascinating account from ⁦@BobbyChesney⁩ on new adaptation of persistent engagement: the hounds released against #ransomware. https://t.co/Dk5Spcjkmy" / Twitter

Trickbot and the Context of Cyber Warfare – Stranded on Pylos

TrickBot botnet survives takedown attempt, but Microsoft sets new legal precedent | ZDNet

The Man Who Speaks Softly—and Commands a Big Cyber Army | WIRED

FBI/DHS: Government election systems face threat from active Zerologon exploits | Ars Technica

DHS warns that Emotet malware is one of the most prevalent threats today | Ars Technica

Norway says Russian hackers carried out breach at parliament

Russian-speaking hackers target Russian organizations with industrial spying tools

Chinese hackers suspected in cyber-espionage operation against Russia, India

'Mercenary' hacker group runs rampant in Middle East, cybersecurity research shows | Reuters

Lined up in the sights of Vietnamese hackers

Five Eyes governments, India, and Japan make new call for encryption backdoors | ZDNet

Cyber Command and Microsoft pile in on TrickBot - Risky Business

Top reason to apply October, 2020’s Microsoft patches: Ping of Death Redux – Sophos News

German tech giant Software AG down after ransomware attack | ZDNet

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work — Krebs on Security

Malware gangs love open source offensive hacking tools | ZDNet

Researchers map threat actors’ use of open source offensive security tools | The Daily Swig

Researchers Found 55 Flaws in Apple's Corporate Network | WIRED

Swiss Post releases bug bounty safe harbor wording under Creative Commons license | The Daily Swig

In this (wholly sponsored) edition of the Snake Oilers podcast, three vendors will drop by to pitch their sweet, sweet snake oil:

• Vaughan Shanks pitches the Cydarm SOC incident management platform
• Adrian Kitto introduces Detexian, a platform that audits SaaS accounts
• Eric Skinner from Trend Micro talks about XDR

Show notes

Cydarm Technologies – Secure Case Management for Cyber Incident Response

Detexian | Simplifying SaaS Security

Detection & Response (XDR)

On this week’s show Patrick and Adam discuss the week’s security news, including:

• The UHS ransomware attack
• Someone is messing with TrickBot: Did the USA release the hounds?
• US Treasury issues final warning on sanctioned ransomware crews
• Azerbaijan and Armenia going at it
• Fancy Bear owns US government department

Nucleus Security co-founder Scott Kuffer joins the show in this week’s sponsor interview to talk about how they have discovered a LOT of enterprises are actually trying to develop in-house vulnerability management software and how that is not going well.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

A Ransomware Attack Has Struck a Major US Hospital Chain | WIRED

German investigators treating ransomware attack as negligent homicide, reports say

Attacks Aimed at Disrupting the Trickbot Botnet — Krebs on Security

Microsoft: Some ransomware attacks take less than 45 minutes | ZDNet

US Treasury says some ransomware payments may need its express approval | ZDNet

Front companies for Chinese and Iranian APTs doxxed - Risky Business

Chinese Antivirus Firm Was Part of APT41 ‘Supply Chain’ Attack — Krebs on Security

Alleged Iranian hackers balanced espionage with personal cybercrime, US indictment says - CyberScoop

US charges Iranian hackers for breaching US satellite companies | ZDNet

A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware | WIRED

Microsoft says Iranian hackers are exploiting the Zerologon vulnerability | ZDNet

Spies hacked Azerbaijan government officials as Nagorno-Karabakh conflict escalated

North Korea has tried to hack 11 officials of the UN Security Council | ZDNet

Federal Agency Compromised by Malicious Cyber Actor | CISA

Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency | WIRED

Microsoft removed 18 Azure AD apps used by Chinese state-sponsored hacker group | ZDNet

TikTok, WeChat survive in US app stores — one with a deal, the other with a judge's help

Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI | ZDNet

Kevin Rudd: «The Dollar is One of the Things China Fears»

Portland passes landmark private sector facial recognition technology ban | The Daily Swig

All four of the world's largest shipping companies have now been hit by cyber-attacks | ZDNet

UN maritime agency says it was hacked | ZDNet

Trump officials hint at update for US maritime cybersecurity

Encrochat Investigation Finds Corrupt Cops Leaking Information to Criminals

KuCoin cryptocurrency exchange hacked for $150 million | ZDNet

GitHub rolls out new Code Scanning security feature to all users | ZDNet

Facebook sues two Chrome extension makers for scraping user data | ZDNet

Senator asks DHS if foreign-controlled browser extensions threaten the US | Ars Technica

A security flaw in Grindr let anyone easily hijack user accounts | TechCrunch

Hackers claim they can now jailbreak Apple's T2 security chip | ZDNet

Critical stored XSS vulnerability in Instagram’s Spark AR Studio nets 14-year-old researcher $25,000 | The Daily Swig

Mozilla shuts down Firefox Send and Firefox Notes services | ZDNet

Member of 'The Dark Overlord' hacking group sentenced to five years in prison | ZDNet

LinkedIn hacker Nikulin sentenced to 7 years in prison after years of legal battles

John McAfee arrested in Spain, charged with tax evasion

This edition of the show is brought to you with the assistance the Hewlett Foundation, which awarded us a grant so we could do these policy-focussed podcasts.

Malcolm Bligh Turnbull served as a member of Parliament from 2004 until 2018, and as Prime Minister from September 2015 until August 2018. But he has been a public figure in Australia for decades. He’s an Oxford-educated lawyer who studied there under a Rhodes scholarship, he’s worked as a journalist, as the personal lawyer to Australian media baron Kerry Packer and was a leader of the ultimately unsuccessful campaign to make Australia a republic in the 1990s.

He can also list a number of achievements in the business world. In 1994 he invested half a million dollars into Australian ISP Ozemail, selling his stake to Worldcom in 1999 for $57m.

As you’ll hear, now he’s returned to private life Turnbull is investing in technology again. He joined the show to talk about cybersecurity in government, Huawei, the 2016 hack-and-leak operation against the DNC – which took place while he was PM – and more.

As regular listeners know, these Soap Box podcasts are wholly sponsored. That means everyone you hear in a Soap Box podcast, paid to be here. But that’s ok, because we manage to book very interesting guests into these things, like today’s guest, Sami Laine.

Officially he’s Okta’s director of technology strategy – but informally he describes his role as being more like a principal security architect.

He joins us to talk about identity as the new perimeter and the massive leap we’ve towards a zero trust future through 2020.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Russia, China, Iran having a red hot go at US political orgs
• Crowdstrike drops report, telcos having a bad time
• MSS owning US government with dumb bugs
• DoJ indicts Iranian script kiddie because reasons
• Proposed TikTok-Oracle deal barely makes sense
• The mother of all Microsoft auth bugs, wow
• Much, much more…

This week’s show is brought to you by Senetas. And we’ve got two sponsor guests for you this week: Senetas CTO Julian Fay will join us, as will Peter Farrely of AUCloud. Senetas uses AUCloud as a partner for its Suredrop file sharing and collaboration platform here in Oz, and Pete is joining us this week to talk through the new Cloud Assessment and Authorisation Framework published by the ACSC. If you work in Australian government IT and security, this one’s for you!

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Exclusive: Microsoft believes Russians that hacked Clinton targeted Biden campaign firm - sources | Reuters

GRU eyes US election - Risky Business

STRONTIUM: Detecting new patterns in credential harvesting - Microsoft Security

Chinese hacking groups are bullying telecoms as 2020 goes on, CrowdStrike says

Report2020OverWatchNowheretoHide.pdf

New CDRThief malware targets VoIP softswitches to steal call detail records | ZDNet

VOS3000 VOS5000 Softswitch by Linknat - A Word-leading VoIP Solutions Provider

Chinese intelligence-linked hackers are exploiting known flaws to target Washington, US says

(8) Eric Geller on Twitter: "DOJ to announce Chinese hacking charges (and arrests!) tomorrow. https://t.co/Wj7KSq9BNd" / Twitter

PAN-OS vulnerabilities add to a torrid year for enterprise software bugs

Public disclosure didn't stop suspected Chinese hackers from targeting the Vatican

Trump says Oracle ' very close' to TikTok deal

Huawei HarmonyOS: Operating system will be on smartphones in 2021

US charges two hackers for defacing US websites following Soleimani killing | ZDNet

FBI says credential stuffing attacks are behind some recent bank hacks | ZDNet

Magento online stores hacked in largest campaign to date | ZDNet

Multibillion-dollar Equinix is the latest data-center firm to face ransomware incident

[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

New BlindSide attack uses speculative execution to bypass ASLR | ZDNet

BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys | ZDNet

Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw | ZDNet

MITRE releases emulation plan for FIN6 hacking group, more to follow | ZDNet

Internal Facebook systems exposed via unpatched Apache library | The Daily Swig

Porn site users targeted with malicious ads redirecting to exploit kits, malware | ZDNet

Researcher kept a major Bitcoin bug secret for two years to prevent attacks | ZDNet

Vast majority of cyber-attacks on cloud servers aim to mine cryptocurrency | ZDNet

Slovak cryptocurrency exchange ETERBASE discloses $5.4 million hack | ZDNet

Chinese diplomat demands investigation after his Twitter account liked embarrassing posts

Whistleblower Says Facebook Ignored Global Political Manipulation

When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number

Anatomy of a Cloud Assessment and Authorisation | Cyber.gov.au

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Why integrity and availability are key to developing a COVID vaccine
• China closing the “cyber gap” with USA
• ASPI publishes research on TikTok, WeChat censorship
• Belarusian “news app” was tracking activists
• Julian Assange back in court to fight extradition
• Much, much more

This week’s show is brought to you by Proofpoint, and this week’s sponsor guest is Proofpoint’s senior director of threat research Sherrod DeGrippo. She’ll be telling us about the emergence of some new mid-tier ransomware crews that are targeting people who speak Russian, which is kind of unusual.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Ransomware takes down state-owned bank - Risky Business

How the government is keeping hackers from disrupting coronavirus vaccine research

Chinese cyber power is neck-and-neck with US, Harvard research finds

ASPI finds TikTok censoring LGBTQ+ issues, Uighur crackdown

Google removes Android app that was used to spy on Belarusian protesters | ZDNet

Julian Assange Lays Out His Case Against US Extradition | WIRED

Chilean bank shuts down all branches following ransomware attack | ZDNet

DDoS extortionists posing as cyberspies to run blackmail scam | The Daily Swig

European ISPs report mysterious wave of DDoS attacks | ZDNet

Service NSW confirms 186,000 customers’ data breached in cyber-attack | The Daily Swig

Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene | WIRED

Private Intel Firm Buys Location Data to Track People to their 'Doorstep'

White House publishes a cyber-security rulebook for space systems | ZDNet

Voatz urges Supreme Court to not protect ethical research from prosecution

NSA call records collection ruled illegal by US appeals court | TechCrunch

Facebook explains how it will notify third-parties about bugs in their products | ZDNet

CISA orders agencies to set up vulnerability disclosure programs

A single text is all it took to unleash code-execution worm in Cisco Jabber | Ars Technica

Former IT director gets jail time for selling government's Cisco gear on eBay | ZDNet

Warner Music discloses months-long web skimming incident | ZDNet

A SonicWall cloud bug exposed corporate networks to hackers | TechCrunch

This is a sponsored podcast.

Today we’re chatting with a very special guest, Haroon Meer.

Haroon is the founder of Thinkst Canary. Some call it a deception company, but he doesn’t, as you’ll hear. He says Canary is a detection company and the distinction is important.

In this interview we talk about where Canary came from and recap the last 20 years of Haroon’s security career. We go all the way back to his Sensepost days in 2001, right through to him working for actual royalty in Doha, with a brief detour through him creating an anonymous whistleblower platform for a major broadcaster. You may have heard of Haroon and not known why.

This podcast explains why.

On this week’s show Patrick and Alex discuss the week’s security news, including:

• NZ stock exchange felled by DDoS attack
• DNI cancels in-person election security briefings for Democats
• Russians didn’t hack Michigan voter data
• Sendgrid having a bad time of its own making
• US to doxes historical DPRK crypto laundering infrastructure, processes

This week’s sponsor interview is with VMRay co-founder and sandbox guru Carsten Willems.

Carsten is joining us to talk product this week – VMRay has brought out a stack of new integrations for its sandbox product, you can now connect it to a lot of your existing enterprise kit. He’ll pop in to tell us more.

Links to everything that we discussed are below and you can follow Patrickor Alex on Twitter if that’s your thing.

Show notes

The US exposes how the DPRK cashes out from cybercrime - Risky Business

DDoS extortionists target NZX, Moneygram, Braintree, and other financial services | ZDNet

Democrats furious after intelligence officials cancel in-person election security briefings

No, Michigan voter data wasn’t hacked by the Russians

A Tesla Employee Thwarted an Alleged Ransomware Plot | WIRED

US sues to recover cryptocurrency funds stolen by North Korean hackers | ZDNet

Sendgrid Under Siege from Hacked Accounts — Krebs on Security

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old - The New York Times

Iranian hackers impersonate journalists to set up WhatsApp calls and gain victims' trust | ZDNet

Iranian hackers are selling access to compromised companies on an underground forum | ZDNet

CenturyLink outage led to a 3.5% drop in global web traffic | ZDNet

Cloud company Fastly to purchase app security provider Signal Sciences for $775 million

Cisco says it will issue patch ‘as soon as possible’ for bugs hackers are trying to exploit

Announcing the Expansion of the Clean Network to Safeguard America’s Assets - United States Department of State

How WeChat Censored the Coronavirus Pandemic | WIRED

What China’s new export rules mean for TikTok’s US sale | Financial Times

TikTok's security boss makes his case. Carefully.

(13) Patrick Gray on Twitter: "Don’t. Run. Electron. Apps." / Twitter

(3) Moxie Marlinspike on Twitter: "Yes. One reason software development is so much more expensive than it used to be is that making one app now requires that you write/maintain three apps. Electron enables an organization to have a "native" desktop presence without having to build/maintain a *fourth* one. 1/4" / Twitter

(3) Justin Schuh 😷 on Twitter: "@ThomasClaburn @dinodaizovi @bascule @riskybusiness My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately. That's not reasonable, given it's one of the hardest tasks for security experts" / Twitter

(3) Samuel Attard on Twitter: "@frgx @mweissbacher @dinodaizovi @riskybusiness Legacy code is always a problem. But (a) slack is and has been investing resources in electron 👋 and (b) as of recently Slack has enabled the security features you mentioned. You can read more about that journey here https://t.co/Ju1mH9szF9" / Twitter

Confessions of an ID Theft Kingpin, Part I — Krebs on Security

Confessions of an ID Theft Kingpin, Part II — Krebs on Security

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Former Uber CSO Joe Sullivan charged with obstruction of justice
• Whitehouse to concede WeChat carveouts for US operations in China
• A bunch of news that sounds like it’s from 1997

This week’s sponsor interview is with Bugcrowd’s CTO Casey Ellis. He’s joining us to talk about some US election-related vulnerability disclosure programs that have kicked off in the USA. Voting machine maker ES&S has launched one as has the state of Ohio.

Links to everything that we discussed are below and you can follow Patrickor Adam on Twitter if that’s your thing.

Show notes

Former Uber CSO charged for 2016 hack cover-up | ZDNet

Trump Team Reassures Apple, Others on Using WeChat in China - Bloomberg

TikTok Sues U.S. Government Over Trump Ban - The New York Times

TikTok Complaint

(1) Bobby Chesney on Twitter: "Looking forward to seeing the details of the complaint. But that said, the most TikTok possibly can get here is a delay, and thus possibly a better deal when they are sold. Courts will *not* second-guess the ultimate *merits* determination under IEEPA or CFIUS, full stop. 1/4" / Twitter

Google fixes major Gmail bug seven hours after exploit details go public | ZDNet

Security researcher discloses Safari bug after Apple delays patch | ZDNet

CISA warns of BLINDINGCAN, a new strain of North Korean malware | ZDNet

Taiwan accuses Chinese hackers of aggressive attacks on government agencies

“DeathStalker” hackers are (likely) older and more prolific than we thought | Ars Technica

Hackers Leak Alleged Internal Files of Chinese Social Media Monitoring Firms

FBI, CISA Echo Warnings on ‘Vishing’ Threat — Krebs on Security

Voice Phishers Targeting Corporate VPNs — Krebs on Security

Feds warn election officials of potentially malicious ‘typosquatting’ websites

Cyber Command deploys abroad to fend off foreign hacking ahead of the 2020 election

Report claims a popular iOS SDK is stealing click revenue from other ad networks | ZDNet

Tens of suspects arrested for cashing-out Santander ATMs using software glitch | ZDNet

ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks | ZDNet

University of Utah pays $457,000 to ransomware gang | ZDNet

Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites | ZDNet

Weeks after malware disruption, New York hospital is getting back online

WannaRen ransomware author contacts security firm to share decryption key | ZDNet

Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme | ZDNet

Russian National Arrested for Conspiracy to Introduce Malware into a Nevada Company's Computer Network | OPA | Department of Justice

New P2P botnet infects SSH servers all over the world | Ars Technica

Browser fingerprinting ‘more prevalent on the web now than ever before’ – research | The Daily Swig

Bcrypt hashing library bug leaves Node.js applications open to brute-force attacks | The Daily Swig

Google Firebase messaging vulnerability allowed attackers to send push notifications to app users | The Daily Swig

US government built secret iPod with Apple’s help, former engineer says | Ars Technica

Former Uber CSO charged with obstruction of justice - Risky Business

On this week’s show Patrick, Adam and Sherrod DeGrippo discuss the week’s security news, including:

• NSA and FBI doxx GRU malware. Lol.
• Malicious Azure app snags SANS staffer
• Oracle to acquire TikTok?
• Trump weighs Snowden pardon
• Much, much more

This week’s show is brought to you by Airlock Digital. They make allowlist/safelist software that is actually manageable at scale! David Cottingham, an Airlock co-founder, joins the show this week to talk through a few product updates.

Links to everything that we discussed are below and you can follow Patrick, Sherrod or Adam on Twitter if that’s your thing.

Show notes

GRU uses Linux rootkits, everyone else is OAuth phishing - Risky Business

NSA, FBI expose Russian intelligence hacking tool: report - Reuters

For six months, security researchers have secretly distributed an Emotet vaccine across the world | ZDNet

SANS Institute, which drills cyber professionals in defense, suffers data breach

US Army report says many North Korean hackers operate from abroad | ZDNet

Oracle Said to be Weighing Bid for TikTok’s U.S. Business - Bloomberg

Final Senate Intel report details remarkable contact between Trump campaign, Russian spies

Trump Pardon of Edward Snowden Would Backfire - Bloomberg

Secret Service Bought Phone Location Data from Apps, Contract Confirms

The Attack That Broke Twitter Is Hitting Dozens of Companies | WIRED

The Secret SIMs Used By Criminals to Spoof Any Number

An advanced group specializing in corporate espionage is on a hacking spree

Cruise operator Carnival hit by ransomware

Brown-Forman Was Target of Apparent Ransomware Attack - Bloomberg

Blackbaud ransomware attack exposed donor data from two UK charities | The Daily Swig

Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack — Krebs on Security

Canadian government services forced offline after credential stuffing attacks | The Daily Swig

Ukraine arrests gang who ran 20 crypto-exchanges and laundered money for ransomware gangs | ZDNet

Signal adds message requests to stop spam and protect user privacy | ZDNet

Re­VoL­TE attack can decrypt 4G (LTE) calls to eavesdrop on conversations | ZDNet

Sources: Mozilla extends its Google search deal | ZDNet

Remote code execution vulnerability exposed in popular JavaScript serialization package | The Daily Swig

Some email clients are vulnerable to attacks via 'mailto' links | ZDNet

On this week’s show Patrick and Adam discuss the week’s security news, including:

• WeChat joins TikTok in the naughty corner
• TLS 1.3 with ESNI will have a massive impact on censorship AND security
• Belarus goes dark after dodgy election
• Capital One fined $80m
• Much, much more

We’ll be hearing from Dan Guido of Trail of Bits in this week’s sponsor interview. They’ve developed a generic macOS EDR package that you, dear vendor, should absolutely license from them. Dan joins us to explain why.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

America's clean path is slippery - Risky Business

Trump issues executive orders that will ban TikTok, WeChat in 45 days - CyberScoop

China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI | ZDNet

Cat and mouse: Privacy advocates fight back after China tightens surveillance controls | The Daily Swig

DEF CON: New tool brings back 'domain fronting' as 'domain hiding' | ZDNet

Belarus Has Shut Down the Internet Amid a Controversial Election | WIRED

Ohio becomes first state to release vulnerability policy for election-related websites

Top voting vendor ES&S publishes vulnerability disclosure policy

Microsoft bug bounty payouts trebled to reach nearly $14 million in the last year | The Daily Swig

US offers $10 million reward for hackers meddling in US elections | ZDNet

Mozilla lays off 250 employees while it refocuses on commercial products | ZDNet

US financial regulator fines Capital One $80 million over data breach

FBI says an Iranian hacking group is attacking F5 networking devices | ZDNet

Citrix releases fix for software bug that hackers ‘will move quickly to exploit’

Hacker leaks passwords for 900+ enterprise VPN servers | ZDNet

Hacking group has hit Taiwan's prized semiconductor industry, Taiwanese firm says

A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks | ZDNet

FBI issues warning over Windows 7 end-of-life | ZDNet

Anti-encryption laws yet to be used by Asio or AFP to compel tech firms' help, inquiry told | Australian security and counter-terrorism | The Guardian

WordPress 5.5 rolls out with auto-updates for plugins, themes | The Daily Swig

Snapdragon chip flaws put >1 billion Android phones at risk of data theft | Ars Technica

Researchers found another way to hack Android cellphones via Bluetooth

Insecure satellite Internet is threatening ship and plane safety | Ars Technica

When TLS hacks you: Security friend becomes a foe | The Daily Swig

Top hacks from Black Hat and DEF CON 2020 | The Daily Swig

Security bugs let these car hackers remotely control a Mercedes-Benz | TechCrunch

Black Hat 2020: New HTTP request smuggling variants levied against modern web servers | The Daily Swig

Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack | The Daily Swig

(12) Dan Guido on Twitter: "Last Thursday, I was locked out of my cloud MDM, my data was deleted, and MDM agents for every device @trailofbits were silently removed by the vendor, leaving the entire company unmanaged. There was no advance notice and no explanation. This is a warning: Never use Kandji. https://t.co/0zIPZKpCC8" / Twitter

Sinter: New user-mode security enforcement for macOS | Trail of Bits Blog

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Trump’s war on TikTok (featuring guest Alex Stamos)
• Twitter hackers caught. Pretty embarrassing stuff, really.
• NSO implants target Easter Bunny
• Garmin may need a good OFAC lawyer (featuring comment from Dmitri Alperovitch)
• Blackberry cracked after five years leads to multiple arrests in Australia
• Much, much more

Matt Cauthorn of ExtraHop Networks is this week’s news guest. He’ll join us to talk about how the pivot to work from home has changed incident response workflows. The tl;dr is the north-south traffic might look a bit different these days but the east-west shenanigans are still the same.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

TikTok review reduced to meaningless farce - Risky Business

China will not accept U.S. 'theft' of TikTok: China Daily - Reuters

Beware of find-my-phone, Wi-Fi, and Bluetooth, NSA tells mobile users | Ars Technica

Three Individuals Charged For Alleged Roles In Twitter Hack | USAO-NDCA | Department of Justice

How the Alleged Twitter Hackers Got Caught | WIRED

US files superseding indictment against former Twitter employees accused of spying for Saudi Arabia

Twitter prepares to pay up to $250 million for using security data for advertising

Exclusive: Papers leaked before UK election in suspected Russian operation were hacked from ex-trade minister - sources - Reuters

Religious, political leaders in Togo allegedly targeted with NSO Group spyware

'Payment sent' - travel giant CWT pays $4.5 million ransom to cyber criminals - Reuters

Garmin 'paid multi-million dollar ransom to criminals using Arete IR', say sources | Science & Tech News | Sky News

Ransomware gang publishes tens of GBs of internal data from LG and Xerox | ZDNet

Blackberry cracked five years after seizure sparks mass arrests for drug importation

For North Korea, phishing with fake job-recruitment emails never gets old

Suspected Chinese hackers targeting Vatican in advance of Beijing negotiations

CISA, DOD, FBI expose new versions of Chinese malware strain named Taidoor | ZDNet

Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH) | ZDNet

EU sanctions China, Russia, and North Korea for past hacks | ZDNet

Hackers Broke Into Real News Sites to Plant Fake Stories | WIRED

Here's how Army Cyber Command plans to take on information warfare

Exclusive: China-backed hackers 'targeted COVID-19 vaccine firm Moderna' - Reuters

Kaspersky: New hacker-for-hire mercenary group is targeting European law firms | ZDNet

BootHole fixes causing boot problems across multiple Linux distros | ZDNet

Theoretical technique to abuse EMV cards detected used in the real world | ZDNet

Is Your Chip Card Secure? Much Depends on Where You Bank — Krebs on Security

New tool detects shadow admin accounts in AWS and Azure environments | ZDNet

Cloud Native Security: Network Detection and Response | ExtraHop

Soap Box is the wholly sponsored podcast series we do here at Risky.Biz. That means everyone you hear on this podcast paid to be here. In this podcast you’re going to hear my latest interview with Jerrod Chong, Yubico’s Chief Solutions Officer.

Hardware security keys like Yubikeys have come a long way, even over the last couple of years. The biggest change is that the support for hardware keys is borderline ubiquitous now. FIDO2 support is in all the major browsers. You can even use Yubikeys with Google apps on an iPhone. The plumbing is here, it’s arrived.

But there are still some hurdles to overcome before the full potential of hardware security keys will be unlocked. One issue is that if you’re operating an at-scale service, you’re still stuck with the same old problems around account recovery. The process problems.

So in this interview I talk with Jerrod about how far things have come and where they might go next.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Two Chinese nationals charged with freelancing for MSS
• Russia, China hacking COVID-19 research
• The world dodged a bullet on the Windows DNS bug
• Twitter blue tick pwnapalooza
• Much, much more.

This week’s show is brought to you by Corelight. The company’s Chief Product Officer, Brian Dye, will be along for a chat a bit later on. We look at how adopting a zero trust model, sadly, doesn’t mean you can just ignore your network completely, as much as that would be nice.

You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here.

You can subscribe to our new YouTube channel here.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Chinese campaign a sad indictment of infosec - Risky Business

US accuses two Chinese hackers of global hacking campaign, targeting coronavirus vaccine research

Russia’s Latest Hacking Target: Covid-19 Vaccine Projects | WIRED

Secret Trump order gives CIA more powers to launch cyberattacks

Report: CIA received more offensive hacking powers in 2018 | ZDNet

Russia's GRU Hackers Hit US Government and Energy Targets | WIRED

Two more cyber-attacks hit Israel's water system | ZDNet

UK 'almost certain' that 2019 election was target of Russian disinformation operation

Russia spreading coronavirus disinfo aimed at West, say US officials

Twitter says hackers accessed DMs for 36 users in last week's hack | ZDNet

US seeks to drop charges against former Twitter employees accused of spying for Saudi Arabia - The Verge

Microsoft Warns of a 17-Year-Old ‘Wormable’ Bug | WIRED

Hackers actively exploit high-severity networking vulnerabilities | Ars Technica

US cyber officials urge patching of bug affecting up to 40K SAP customers

CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware | ZDNet

Garmin’s four-day service meltdown was caused by ransomware | Ars Technica

North Korean hackers are stepping up their ransomware game, Kaspersky finds

A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs | ZDNet

FBI warns US companies about backdoors in Chinese tax software | ZDNet

Malware stashed in China-mandated software is more extensive than thought | Ars Technica

Iranian Spies Accidentally Leaked Videos of Themselves Hacking | WIRED

Apple’s Hackable iPhones Are Finally Here | WIRED

Google's Project Zero team won't be applying for Apple's SRD program | ZDNet

NY Charges First American Financial for Massive Data Leak — Krebs on Security

Listen to This Deepfake Audio Impersonating a CEO in Brazen Fraud Attempt

The Rise of Synthetic Audio Deepfakes

GEDmatch confirms data breach after users’ DNA profile data made available to police | TechCrunch

Police Are Buying Access to Hacked Website Data

Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant

Breached Data Indexer ‘Data Viper’ Hacked — Krebs on Security

Crooks have acquired proprietary Diebold software to “jackpot” ATMs | Ars Technica

Microsoft's new KDP tech blocks malware by making parts of the Windows kernel read-only | ZDNet

Sony awards $10,000 bug bounty for PlayStation 4 kernel exploit | The Daily Swig

Security Operations Lead » InternetNZ

Normally these Soap Box podcasts – which are wholly sponsored – feature vendors trying to sell you stuff. But this time we’re doing something different: This podcast is an interview with two senior Facebook staffers:

• Pedro Canahuati, VP of Engineering
• Chris Bream, Security Engineering Director.

Why is facebook’s security engineering group sponsoring a Soap Box episode of Risky Biz? They figure lifting the veil a bit on how things are done over there will be good for them. They’re always hiring, right?

Enjoy!

(A reminder – there will be no weekly show this week or next. The weekly Risky Biz news podcast returns on July 29.)

On this week’s show Patrick and Adam discuss the week’s security news, including:

• The latest on the EncroChat hack-related arrests
• Details about the fresh F5 and Citrix bugs
• Natanz go boom
• Paying Wastedlocker ransoms violates Treasury sanctions
• North Korea embraces Magecart (lol)
• Much, much more…

This week’s show is brought to you by Cmd Security. They make a very useful Linux security agent. Essentially they add an additional layer of control to your Linux systems: you can restrict user actions, even for root.

Instead of having one of their own staff on to the show this week they’ve nominated a customer. HPE is a Cmd user, they actually heard about it on the podcast and wound up buying it. So HPE ITOC engineering lead Adam Cardillo and his colleague Curtis Simpson – the ITOC CISO – will both join us in this week’s sponsor interview to talk about how they’re using the software.

You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here.

You can subscribe to our new YouTube channel here.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

VICE - How Police Secretly Took Over a Global Phone Network for Organized Crime

Dutch police find 'torture chamber' with dentist chair after encrypted phones are cracked - ABC News

The network devices are revolting - Risky Business

Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment | WIRED

Hackers are trying to steal admin passwords from F5 BIG-IP devices | ZDNet

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC) – Fox-IT International blog

Iran blasts: What is behind mysterious fires at key sites? - BBC News

Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: WastedLocker Goes "Big-Game Hunting" in 2020

Senator warns of political pressure on U.S. probe into hackers of green groups - Reuters

North Korean hackers linked to web skimming (Magecart) attacks, report says | ZDNet

Connection discovered between Chinese hacker group APT15 and defense contractor | ZDNet

lookout-uyghur-malware-tr-us.pdf

Yahoo engineer gets no jail time after hacking 6,000 accounts to look for porn | ZDNet

Feds indict 'fxmsp' in connection with million-dollar hacking operation

US Secret Service reports an increase in hacked managed service providers (MSPs) | ZDNet

Google, Facebook and Twitter Suspend Review of Hong Kong Requests for User Data - WSJ

US tech giants halt Hong Kong police help | TechCrunch

Senate panel advances bill to combat child exploitation, but critics fear it could weaken encryption

(8) Michael Salter on Twitter: "Hard to find media coverage of the EARN IT act that recognises online child abuse as a major social problem that tech companies have an obligation to resolve. Too many journos are repeating industry and astroturfed talking points." / Twitter

(8) Jennifer Hansler on Twitter: ".@SecPompeo says the US is "certainly looking at" banning Chinese social media apps, including TikTok. "I don’t want to get out in front of the President, but it’s something we’re looking at,” he says" / Twitter

German authorities seize 'BlueLeaks' server that hosted data on US cops | ZDNet

Facebook reinstates NSO Group employee accounts amid ongoing lawsuit

Hole-y Guacamole: Flaws in Apache remote desktop tech exposed by new research | The Daily Swig

Microsoft touts free malware-busting virtual machine forensics service | The Daily Swig

Unscheduled fixes released for critical flaw in optional Windows codec | Ars Technica

(1) Wayne Jordan on Twitter: "MS possibly addressing our E5 Azure app (OAuth) granularity concerns with this preview? @riskybusiness https://t.co/MWbUmNipsO" / Twitter

Alexa OBrien › US v. Assange – Superseding Indictment No. 2 Breakdown – Updated

This edition of the Soap Box podcast is brought to you by Proofpoint.

Today’s guest is Proofpoint’s EVP of Cybersecurity Strategy, Ryan Kalember, and the topic is business email compromise, or BEC.

BEC is a big deal, generating billions of dollars in losses every year across basically all industry verticals and levels of government. Until recently, there haven’t been many technical controls that help to mitigate it.

Trying to get on top of this issue is very much in Ryan Kalember’s job description. BEC is a diabolical problem, and as a company with a specialty in email security, Proofpoint is really expected to help clients get on top of it. In this conversation you’ll hear us talk a bunch about the problem and Proofpoint’s approach to trying to minimise BEC.