Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/


Risky Business #511 -- Australia, Japan to ban Huawei, Struts drama, DNC lols and more


We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right into the sponsor interview with Zane Lackey of Signal Sciences.

A bunch of you heard my long-form Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good thinking and advice, that interview, so do stick around for it.

Adam Boileau will join the show to recap the week’s news:

  • Australia and Japan to ban Huawei from their 5G builds
  • Struts bug: Big deal or meh?
  • Voting machine maker ES&S rebuked by researchers AND US gov
  • The DNC phish that wasn’t
  • Recapping Andy Greenberg’s Maersk/NotPetya coverage
  • Instagram adds real 2FA
  • Windows privesc 0day on teh twittarz
  • T-Mobile pwned harder than it initially admitted
  • Log in to Windows with Google accounts
  • Some hilarious Lazarus group shenanigans
  • Much, much more

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

  • China intensifies criticism of Australia's Huawei 5G ban | afr.com
  • Japan plans to block Huawei, ZTE from public procurement: report
  • New critical vulnerability exposes Apache Struts instances to remote attacks
  • Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
  • Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776 - Palo Alto Networks Blog
  • The Cybersecurity 202: Lawmakers dismiss voting machine maker's claim that spies benefit from election hacking demos - The Washington Post
  • Rob Joyce on Twitter: "Ignorance of insecurity does not get you security. We need to examine voting machines, SCADA systems, IOT and other important items in our lives. The investigation of these devices by the hacker community is a service, not a threat."
  • How the U.S. Has Failed to Protect the 2018 Election—and Four Ways to Protect 2020 - Lawfare
  • Democrats find hackers targeting voter database
  • DNC says phishing incident was a false alarm
  • Facebook bans Myanmar general as U.N. calls for independent investigation into Rohingya crisis
  • Russian trolls targeted Australian voters on Twitter via #auspol and #MH17
  • Google removes dozens of YouTube channels linked to 'influence operation'
  • The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED
  • Scammers Threaten to Review Bomb a Travel Company Unless it Pays Ransom - Motherboard
  • Instagram Expands 2FA Support Following Recent Wave of Account Hacks
  • Exploit Published for Unpatched Flaw in Windows Task Scheduler
  • SandboxEscaper on Twitter: "Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit."
  • Travel blog of an evil transgirl
  • Travel blog of an evil transgirl: Disclosures
  • Hackers Stole Personal Data of 2 Million T-Mobile Customers - Motherboard
  • You May Soon Be Able to Log Into Windows 10 Using a Google Account
  • How a hacker network turned stolen press releases into $100 million - The Verge
  • Cobalt Dickens threat group looks to be similar to indicted hackers
  • Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware - Securelist
  • Eset-Turla-Outlook-Backdoor.pdf
  • Researchers find way to spy on remote screens—through the webcam mic | Ars Technica
  • Windows 95 Is Now Available as an App for Windows, macOS and Linux
  • The adventures of lab ED011—“Nobody would be able to duplicate what happened there” | Ars Technica
  • Training
  • Building a Modern Security Program [Book]
  • The Next-Gen Web Protection Platform - WAF And RASP | Signal Sciences


August 29, 2018