Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/







Risky Business #549 -- FSB contractor breached, Equifax fined, NSO Group targets cloud


Adam Boileau is along this week to discuss the week’s security news. We cover:

  • FSB contractor gets itself a whole lotta owned
  • NSO Group pitches cloud access
  • Hal Martin gets 9 years
  • NSA to launch defensive division
  • Bulgarian breach data exposed
  • DataSpii scandal a 2019 privacy case study
  • Google boots DarkMatter certificates from Chrome and Android
  • Equifax fined $700m
  • Horror show bugs in enterprise VPN concentrators from Palo Alto, Fortinet
  • Microsoft demos ElectionGuard SDK (looks pretty cool)

This week’s sponsor interview is with Casey Ellis of Bugcrowd. We’ll talk about how organisations are increasingly doing bug bounties on technology they use, not just technology they develop. And then we’ll be talking about a new thing Bugcrowd is doing – Bugcrowd for marketplaces.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

  • Hackers breach FSB contractor, expose Tor deanonymization project and more | ZDNet
  • Report: NSO Group's Pegasus Spyware Can Break Into Cloud Services, Transmit User Data To Server | Gizmodo Australia
  • Contractor who stole 50TB of NSA data gets nine years in prison | ZDNet
  • Think FaceApp Is Scary? Wait Till You Hear About Facebook | WIRED
  • Europe’s Galileo Satellite Outage Serves as a Warning | WIRED
  • NSA to establish a defense-minded division named the Cybersecurity Directorate | ZDNet
  • US Govt Rolls Out New DNS Security Measures for .gov Domains
  • U.S. Cyber Command simulated a seaport cyberattack to test digital readiness
  • ‘We have to hit the problem the way it hits us’: How the FBI tracks a range of hacking threats
  • Barr Says Police Need Encryption Backdoors, Doesn’t Mention Hacking Tools They Use All the Time - VICE
  • Bulgaria's hacked database is now available on hacking forums | ZDNet
  • Bulgaria hacking suspect worked on government cybersecurity before tax agency breach
  • My browser, the spy: How extensions slurped up browsing histories from 4M users | Ars Technica
  • More on DataSpii: How extensions hide their data grabs—and how they’re discovered | Ars Technica
  • Google bans DarkMatter certificates from Chrome and Android | ZDNet
  • Chances of destructive BlueKeep exploit rise with new explainer posted online | Ars Technica
  • Teenage hackers are offered a second chance under European experiment
  • Vigilante Hacker ‘Phineas Fisher’ Denies Working for the Russian Government - VICE
  • $700 Million Equifax Fine Is Still Too Little, Too Late | WIRED
  • Flaws in widely used corporate VPNs put company secrets at risk | TechCrunch
  • Siemens contractor pleads guilty to planting logic bomb in company spreadsheets | ZDNet
  • Hackers Exploit Jira, Exim Linux Servers to "Keep the Internet Safe"
  • 10,000 Microsoft customers targeted by nation-state attacks in the last year
  • Mozilla Firefox Tor Mode Likely to Start as a Browser Addon
  • Firefox to Warn When Saved Logins are Found in Data Breaches
  • Microsoft demos ElectionGuard technology for securing electronic voting machines | ZDNet
  • Kazakhstan government is now intercepting all HTTPS traffic | ZDNet
  • Data Broker LocationSmart Will Fight Class Action Lawsuit Over Selling AT&T Data - VICE
  • Slack resets passwords for 1% of its users because of 2015 hack | ZDNet
  • BEC Scams Average $301 Million Per Month In Illegal Transfers
  • Malicious Python libraries targeting Linux servers removed from PyPI | ZDNet
  • Gigabyte and Lenovo servers impacted by common BMC firmware flaws | ZDNet
  • Cracked Tesla 3 Windshield Leads to $10,000 Bug Bounty
  • Inside Apple Factory Thefts: Secret Tunnels, Hidden Crawl Spaces — The Information










July 24, 2019