Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/

Risky Business #531 -- Australia's political parties targeted, the Witt indictment and more


Adam Boileau is along this week to discuss the week’s security news, which also features comment from Dmitri Alperovitch, Klon Kitchen and The Grugq. We cover:

  • Former USAF counterintelligence official indicted over spearphishing, leaking secrets
  • Australia’s major political parties targeted by APT crew that totally isn’t Chinese. (It’s Chinese)
  • More on the Iran DNS hijacks
  • Venezuelans phished by their own government
  • China’s mass surveillance of Uyghur Muslims laid bare in data leak
  • Millions of Swedes have their healthcare help-line calls exposed
  • Bank of Valletta dodges a bullet, catches fraudulent transfers
  • VK gets Samy’d
  • Calls for GDPR-like law in USA
  • Marcus “Malwaretech” Hutchins has a bad week

This week’s sponsor interview is with Jason Haddix of Bugcrowd. He’ll be along to talk a little more about what Bugcrowd calls next-generation pentests. They claim one of their tests is sufficient for compliance purposes under PCI, ISO or NIST and they’ve had a third-party auditor prove that for them. They also say the service has really taken off despite being launched only a couple of months ago.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

  • Air Force Defector to Iran Severely Damaged U.S. Intelligence Efforts, Ex-Officials Say - The New York Times
  • Spy Betrayed U.S. to Work for Iran, Charges Say - The New York Times
  • Game of Thrones hacker worked with US defector to hack Air Force employees for Iran | ZDNet
  • Scott Morrison details cyber attack on Australia's major political parties
  • How China and Russia are readying themselves for a US cyber war
  • Chinese traders freeze Australian coal orders amid 40-day customs delays: sources | Reuters
  • A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
  • Albania expels Iranian diplomats on national security grounds | Reuters
  • Venezuela’s Government Appears To Be Trying to Hack Activists With Phishing Pages - Motherboard
  • China's mass surveillance of Uyghur Muslims in Xinjiang province revealed in data security flaw - ABC News (Australian Broadcasting Corporation)
  • Millions of calls to Swedish healthcare hotline left unprotected online - The Local
  • Hackers tried to steal €13 million from Malta's Bank of Valletta | ZDNet
  • State of the Hack S2E01: #NoEasyBreach REVISITED « State of the Hack S2E01: #NoEasyBreach REVISITED | FireEye Inc
  • Russian hackers 8 times faster than Chinese, Iranians, North Koreans, says report
  • White hats spread VKontakte worm after social network doesn't pay bug bounty | ZDNet
  • You Don't Get To Learn How The FBI Tried To Crack Facebook Messenger Encryption, Judge Rules | Gizmodo Australia
  • GAO gives Congress go-ahead for a GDPR-like privacy legislation | ZDNet
  • NSO Group founders buy back their spyware company
  • MalwareTech loses bid to suppress damning statements made after days of partying | Ars Technica
  • Researchers hide malware in Intel SGX enclaves | ZDNet
  • Google Play Store app rejections up 55% from last year, app suspensions up 66% | ZDNet
  • Behold, the Facebook phishing scam that could dupe even vigilant users | Ars Technica
  • (20) Facebook Popup Phishing Page (Social Login) - YouTube
  • Google backtracks on Chrome modifications that would have crippled ad blockers | ZDNet
  • Scammers Are Filing Fake Trademarks to Steal High-Value Instagram Accounts - Motherboard
  • Google working on new Chrome security feature to 'obliterate DOM XSS' | ZDNet
  • Microsoft patches 0-day vulnerabilities in IE and Exchange | Ars Technica
  • Apple is forcing 2FA on iOS and macOS developers
  • Apple being sued because two-factor authentication on an iPhone or Mac takes too much time
  • Forced Two Factor Auth Will Cause Issues | Apple Developer Forums
  • Aspen Tech Policy Hub - A Silicon Valley-Style Think Tank
  • Next Gen Pen Testing


February 20, 2019