Risky Business

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

• Bloomberg’s shaky, disputed report on hardware back doors
• A look back on other false reports about imaginary incidents published by Bloomberg
• GRU operations doxed by GCHQ
• DOJ charges Russian intelligence officers
• APT crews targeting MSPs
• Google+ API exposure the final straw
• Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes (9+)Turkish Pipeline Explosion Probably No Cyber ​​Attack - Digital - Süddeutsche.de The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg Codebook - October 10, 2018 - Axios Patrick Gray on Twitter: "Just got this from Bloomberg PR.… " Apple Bloomberg Congressional Letter Patrick Gray on Twitter: "Holy shit… " Report: Apple designing its own servers to avoid snooping | Ars Technica Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg HHM22137A2 TDK | Mouser Australia Reckless campaign of cyber attacks by Russian military intelligence service exposed - NCSC Site Justice Department charges 7 Russian intelligence officers U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations | OPA | Department of Justice Gordon Corera on Twitter: "Breaking - Dutch intelligence (with help of British) disrupted a Russian GRU cyber operation targeting OPCW on April 13th. Four Russian intelligence officers escorted out of country." Advanced Persistent Threat Activity Exploiting Managed Service Providers | US-CERT Google shuts down Google+ after API bug exposed details for over 500,000 users | ZDNet Google Plus Will Be Shut Down After User Information Was Exposed - The New York Times Google forcibly enables G Suite alerts for government-backed attacks | ZDNet SandboxEscaper on Twitter: "Why did gmail just throw a notification that government attackers are trying to get into my account. Not even kidding -.-" Google sets new rules for third-party apps to access Gmail data | ZDNet It's 2018, and network middleware still can't handle TLS without breaking encryption | ZDNet CEO Pleads Guilty to Selling Encrypted Phones to Organized Crime - Motherboard Project Zero: 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT | ZDNet U.S. GAO - Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities Senetas, a leading provider of encryption technology