Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/







Risky Business #551 -- Post Vegas edition, more news than we can handle


Adam Boileau is along this week to discuss the week’s security news. We cover:

  • Follow ups on CapitalOne
  • Amazon EBS snapshots exposed
  • North Korea bags $2bn in cybercrime spree
  • Attempted Coinbase breach postmortem
  • Apple’s new research phones for bug hunters
  • APT41 busted moonlighting
  • Cloudflare finally ditches 8chan
  • Leaked Boeing 787 code shredded, full of bugs
  • Qualcomm bugs pave path through to Android kernel
  • Microsoft gets Tavis’d
  • More RDP/RDS bugs
  • Much, much more

This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts account actions, not just by traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses and that led to a conversation about Linux EDR generally. It’s interesting stuff.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

  • What We Can Learn from the Capital One Hack — Krebs on Security
  • GitHub sued for aiding hacking in Capital One breach | ZDNet
  • Hundreds of exposed Amazon cloud backups found leaking sensitive data | TechCrunch
  • Monzo admits to storing payment card PINs in internal logs | ZDNet
  • One Million Bank Phone Calls Found in Exposed Server - VICE
  • SEC Investigating Data Leak at First American Financial Corp. — Krebs on Security
  • North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report - Reuters
  • An attempted heist at Coinbase was scary good, even though it failed - MIT Technology Review
  • Responding to Firefox 0-days in the wild - The Coinbase Blog
  • Three ads generate 5.5 times more revenue than a web-based cryptojacking script | ZDNet
  • Apple Hands Hackers Secret iPhones In A Bid To Boost Security, Sources Say
  • Apple expands bug bounty to macOS, raises bug rewards | ZDNet
  • Meet APT41, the Chinese hackers moonlighting for personal gain
  • Cloudflare Says It Won’t Ban 8chan, a Hotbed for Terrorist Manifestos - VICE
  • Cloudflare Is Protecting a Site Linked to a Neo-Nazi Terror Group - VICE
  • A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts | WIRED
  • Feds plan to use SecureDrop as a vulnerability reporting portal
  • US military purchased $32.8m worth of electronics with known security risks | ZDNet
  • MICROCHIPS Act wants to secure US govt supply chain against Chinese sabotage | ZDNet
  • Cisco to pay $8.6 million fine for selling government hackable video surveillance technology - The Washington Post
  • Exclusive: Kaspersky Software Lingers On Sensitive Government Systems 2 Years After U.S. Ban
  • New advanced malware, possibly nation sponsored, is targeting US utilities | Ars Technica
  • Yet another hacking group is targeting oil and gas companies, Dragos says
  • NSA's reverse-engineering malware tool, Ghidra, to get new features to save time, boost accuracy
  • A Multimillionaire Surveillance Dealer Steps Out Of The Shadows . . . And His $9 Million WhatsApp Hacking Van
  • Microsoft To Disable VBScript by Default on August 13th
  • These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer - VICE
  • This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station' | WIRED
  • Clever attack uses SQLite databases to hack other apps, malware servers | ZDNet
  • Researchers find security flaws in 40 kernel drivers from 20 vendors | ZDNet
  • Hackers Can Break Into an iPhone Just by Sending a Text | WIRED
  • Microsoft Invites Researchers to Hack Their Azure Security Lab
  • Hackers Take on Darpa's $10 Million Voting Machine | WIRED
  • 13-Year-Old Encryption Bugs Still Haunt Apps and IoT | WIRED
  • Avaya VoIP Phones Harbored 10-year Old Vulnerability
  • Microsoft: Russian state hackers are using IoT devices to breach enterprise networks | ZDNet
  • Black Hat Talk About ‘Time AI’ Causes Uproar, Is Deleted By Conference - VICE
  • Development stops on PowerShell Empire framework after project reaches its goal | ZDNet
  • How AT&T Insiders Were Bribed to 'Unlock' Millions of Phones | WIRED
  • QualPwn vulnerabilities in Qualcomm chips let hackers compromise Android devices | ZDNet
  • Security bugs in popular Cisco switch brand allow hackers to take over devices | ZDNet
  • WordPress team working on daring plan to forcibly update old websites | ZDNet
  • Vulnerability in Microsoft CTF protocol goes back to Windows XP | ZDNet
  • How offense and defense came together to plug a hole in a popular Microsoft program
  • Ancient technique tears a hole through modern web stacks at Black Hat 2019 | The Daily Swig
  • He tried to prank the DMV. Then his vanity license plate backfired big time.

Reading list starts here:

  • How a BlackBerry password cracked one of Australia’s biggest drug hauls
  • Who Owns Your Wireless Service? Crooks Do. — Krebs on Security
  • DARPA Is Building a $10 Million, Open Source, Secure Voting System - VICE
  • Now you can use Android phones, rather than passwords, to log in to Google* | Ars Technica
  • Database from StockX Hack Sold Online, Check If You're Included
  • Silent Windows update patched side channel that leaked data from Intel CPUs | Ars Technica
  • Extortion and alleged ISIS threats: A Saudi embassy learned the hard way about email security - CyberScoop
  • A phishing campaign with nation-state hallmarks is targeting Chinese government agencies - CyberScoop
  • Guardian Firewall iOS App Automatically Blocks the Trackers on Your Phone | WIRED
  • A cyber-espionage group has been stealing files from the Venezuelan military | ZDNet
  • Voter records for 80% of Chile's population left exposed online | ZDNet
  • A Remote-Start App Exposed Thousands of Cars to Hackers | WIRED
  • FTC: Too many people signed up for Equifax cash, so they'll be getting less than $125 | ZDNet
  • Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials - VICE
  • Windows malware strain records users on adult sites | ZDNet
  • State Farm says hackers confirmed valid usernames and passwords in credentials stuffing attack | ZDNet
  • iNSYNQ Ransom Attack Began With Phishing Email — Krebs on Security
  • Android Apps With Over 100M Installs Contain a Clicker Trojan
  • New HTTP/2 Flaws Expose Unpatched Web Servers to DoS Attacks
  • StockX was hacked, exposing millions of customers’ data | TechCrunch
  • CafePress Data Breach Exposes Personal Info of 23 Million Users










August 14, 2019