Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/


Risky Business #553 -- Imperva's cloud WAF gets owned hard


On this week’s show Adam Boileau and Patrick Gray discuss the week’s security news, including:

  • Fortinet and Pulse Secure VPNs are being exploited in the wild
  • Imperva’s cloud WAF gets colossally owned
  • US authorities fear ransomware attacks against election systems
  • Apple fixes re-introduced jailbreak bug
  • Telegram design choice puts HK protestors at risk
  • Researcher drops two 0days in Valve’s Steam client after bounty spat
  • Much, much more
This week’s sponsor guest is Ryan Kalember, EVP of cybersecurity strategy at Proofpoint. Ryan is stopping by this week to touch on a couple of topics. He’ll tell us why Proofpoint didn’t attribute a recent malware campaign targeting US utilities to APT10, despite that campaign using some pretty APT10-like tradecraft. He’ll also talk a bit about why thread hijacking is a giant pain in the ass: attackers take over a mailbox, then just jump right in and reply to existing mail threads. Detecting that is hard, of course, because it’s internal mail sent from a legitimate account. It’s a great little mixed-bag interview. Enjoy!

Show notes

  • Hackers mount attacks on Webmin servers, Pulse Secure, and Fortinet VPNs | ZDNet
  • Hackers are actively trying to steal passwords from two widely used VPNs | Ars Technica
  • Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs
  • The year-long rash of supply chain attacks against open source is getting worse | Ars Technica
  • Cybersecurity Firm Imperva Discloses Breach — Krebs on Security
  • Exclusive: U.S. officials fear ransomware attack against 2020 election - Reuters
  • While one Texas county shook off ransomware, small cities took full punch | Ars Technica
  • Apple patches iPhone jailbreaking bug | ZDNet
  • Alleged 'Snake Oil' Crypto Firm Sues Over Boos at Black Hat | WIRED
  • Hong Kong protesters warn of Telegram feature that can disclose their identities | ZDNet
  • Researcher publishes second Steam zero day after getting banned on Valve's bug bounty program | ZDNet
  • Valve patches recent Steam zero-days, calls turning away researcher 'a mistake' | ZDNet
  • Capital One hacker denied release, will remain in jail | ZDNet
  • Ex-Google and Uber engineer Anthony Levandowski charged with trade secret theft - The Verge
  • Hacker Claims He Can ‘Turn Off 25,000 Cars’ At The Push Of A Button
  • Hackers Could Steal a Tesla Model S by Cloning Its Key Fob—Again | WIRED
  • Microsoft will let some Windows 7 customers get free security updates for an extra year | TechCrunch
  • UK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks | ZDNet
  • Inside the Black Market for Bots That Buy Designer Clothes Before They Sell Out - VICE
  • Employees connect nuclear plant to the internet so they can mine cryptocurrency | ZDNet
  • How an NSA researcher plans to allow everyone to guard against firmware attacks
  • NSA-approved cybersecurity law and policy course now available online
  • Protocol used by 630,000 devices can be abused for devastating DDoS attacks | ZDNet
  • Blockbuster indictment against 80 fraud suspects details a complex global scam operation
  • VMware announces plans to acquire Carbon Black for $2.1 billion
  • Firefox and Chrome Fight Back Against Kazakhstan's Spying | WIRED
  • Google Play app with 100 million downloads executed secret payloads | Ars Technica
  • Moscow's blockchain voting system cracked a month before election | ZDNet
  • Microsoft: Using multi-factor authentication blocks 99.9% of account hacks | ZDNet
  • Why is DJI getting the Huawei treatment from the U.S.? - CyberScoop
  • Intel, IBM, Google, Microsoft & others join new security-focused industry group | ZDNet
  • Chinese spies have their sights on cancer research
  • Nasa said to be investigating first allegation of a crime in space - BBC News
  • LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards | Proofpoint AU
  • We are bringing together the world's security expertise
  • Careers at Remediant | Remediant
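The thread-hijacking problem from the sponsor segment, where a reply from a compromised mailbox looks like ordinary internal mail, is the kind of thing you end up hunting with heuristics rather than signatures. The following is an added example (mine, not Proofpoint's or the show's) of a small detector that groups parsed messages into threads and flags a reply that looks unlike the same sender's earlier messages in that thread: a Reply-To header pointing outside the organisation, a mail client the sender has not used before in the thread, or the first link to a previously unseen external domain. The message dicts, the `seq` ordering field, the `INTERNAL_DOMAIN` value and the sample thread are all constructed assumptions for the demo.

```python
"""Heuristic detection of hijacked mail threads (added example, not from the show).

Assumptions (not from the page): each message is a dict with the parsed
From, Reply-To, Message-ID, In-Reply-To and User-Agent/X-Mailer headers,
plus the list of link domains found in its body; INTERNAL_DOMAIN is the
tenant's own mail domain.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's mail domain


def domain_of(addr):
    """Return the lower-cased domain of an address such as 'Alice <a@x.com>'."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def group_threads(messages):
    """Group messages by thread root by following In-Reply-To back to the
    first message we have seen; messages are walked in arrival order."""
    root_of = {}
    threads = defaultdict(list)
    for m in sorted(messages, key=lambda m: m["seq"]):
        parent = m.get("in_reply_to")
        root = root_of.get(parent, m["message_id"]) if parent else m["message_id"]
        root_of[m["message_id"]] = root
        threads[root].append(m)
    return threads


def find_hijack_candidates(messages):
    """Return [(message_id, [reasons])] for replies that break with the
    sender's earlier behaviour in the same thread."""
    findings = []
    for msgs in group_threads(messages).values():
        seen_mailers = defaultdict(set)  # sender -> mail clients used so far
        seen_domains = set()             # link domains seen so far in thread
        for m in msgs:
            sender = m["from"].lower()
            reasons = []

            # A Reply-To that redirects answers outside the organisation.
            reply_to = m.get("reply_to")
            if reply_to and domain_of(reply_to) != domain_of(sender):
                reasons.append("reply-to points to %s" % domain_of(reply_to))

            # Same sender, different client than earlier in the thread
            # (e.g. webmail after a run of desktop Outlook).
            mailer = m.get("mailer")
            if seen_mailers[sender] and mailer not in seen_mailers[sender]:
                reasons.append("new mail client %r for %s" % (mailer, sender))

            # First appearance of an external link domain in the thread.
            new_ext = {d for d in m.get("link_domains", ())
                       if not d.endswith(INTERNAL_DOMAIN) and d not in seen_domains}
            if new_ext and m is not msgs[0]:
                reasons.append("first external link(s) in thread: %s"
                               % ", ".join(sorted(new_ext)))

            if reasons:
                findings.append((m["message_id"], reasons))
            seen_mailers[sender].add(mailer)
            seen_domains.update(m.get("link_domains", ()))
    return findings


# Constructed sample thread: three benign internal messages, then a reply
# from Alice's mailbox that switches client, adds an external Reply-To and
# drops a link to a domain the thread has never seen.
SAMPLE_THREAD = [
    {"seq": 1, "message_id": "<1@example.com>", "from": "alice@example.com",
     "mailer": "Outlook 16", "link_domains": ["sharepoint.example.com"]},
    {"seq": 2, "message_id": "<2@example.com>", "in_reply_to": "<1@example.com>",
     "from": "bob@example.com", "mailer": "Outlook 16", "link_domains": []},
    {"seq": 3, "message_id": "<3@example.com>", "in_reply_to": "<2@example.com>",
     "from": "alice@example.com", "mailer": "Outlook 16", "link_domains": []},
    {"seq": 4, "message_id": "<4@example.com>", "in_reply_to": "<3@example.com>",
     "from": "alice@example.com", "mailer": "Roundcube Webmail",
     "reply_to": "alice.example@mail-relay.invalid",
     "link_domains": ["docs-share.invalid"]},
]

if __name__ == "__main__":
    for msg_id, why in find_hijack_candidates(SAMPLE_THREAD):
        print(msg_id, "->", "; ".join(why))
```

None of these signals is proof on its own (people do switch to webmail on the road), so in practice they feed a score or a triage queue rather than a block action; the point is that the baseline has to come from the thread and sender history, because the sending account itself is genuine.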

