Risky Business

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Two Exabeam engineers sick with Coronavirus following RSA attendance
• Hung jury in Joshua Schulte Vault7 trial
• Qihoo 360 tries to “pull an APT1” but it was just weird and awkward instead
• Corellium releases Android for iPhone hardware toolkit
• Much, much more.

This week’s sponsor interview is with Scott Kuffer of Nucleus Security. They have built a web application that pulls together feeds from all your vulnscanners and vulnerability-related software (Snyk, Burp, whatever), normalises it then lets you slice it, dice it, and send it through to the most relevant project owner/dev team. It’s insanely popular stuff, and Scott pops along this week to talk about vulnerability management and what his last year has looked like as Nucleus’s business has boomed.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes Two People Who Attended Cyber Event Contract Coronavirus The EARN IT Act Is a Sneak Attack on Encryption | WIRED Vault 7 court case ends in mistrial on most serious charges Energy Organizations Continue to be Compromised Globally | Dragos Chinese security firm says CIA hacked Chinese targets for the past 11 years | ZDNet Exclusive: This Hack Turns Apple’s iPhone Into An Android Apple Just Demanded Santander And A $50 Billion US Intelligence Contractor Reveal How They Use iPhone Hacking Tech NSO Group works to explain no-show in court for WhatsApp suit, plots defense Facebook sues Namecheap to unmask hackers who registered malicious domains | ZDNet Clearview AI Reports Breach of Customer List - VICE Clearview AI, Facial Recognition Company That Works With Law Enforcement, Says Entire Client List Was Stolen Apple has blocked Clearview AI’s iPhone app for violating its rules | TechCrunch London Police Just Turned On Facial Recognition In One Of The World’s Busiest Shopping Districts This Small Company Is Turning Utah Into a Surveillance Panopticon - VICE Surveillance Firm Banjo Used a Secret Company and Fake Apps to Scrape Social Media - VICE Defense contractor CPI knocked offline by ransomware attack | TechCrunch Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach | TechCrunch Ryuk ransomware hits Fortune 500 company EMCOR | ZDNet One of Roman Abramovich's companies got hit by ransomware | ZDNet Legal services giant Epiq Global offline after ransomware attack | TechCrunch Big health care analytics firm infected with ransomware Croatia's largest petrol station chain impacted by cyber-attack | ZDNet US Railroad Contractor Reports Data Breach After Ransomware Attack DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw Zyxel 0day Affects its Firewall Products, Too — Krebs on Security The strange, unexplained journey of ToTok in Google Play fuels user suspicions | Ars Technica Message to our ToTok community Indictment names Group-IB executive in scheme to sell hacked data Chrome 80 update cripples top cybercrime marketplace | ZDNet Brave to generate random browser fingerprints to preserve user privacy | ZDNet Firefox to enable DNS-over-HTTPS by default to US users | TechCrunch Let’s Encrypt deploys new domain validation technology to mitigate BGP hijacking risks | The Daily Swig Microsoft Exchange Server admins urged to treat crypto key flaw as ‘critical’ | The Daily Swig Details about new SMB wormable bug leak in Microsoft Patch Tuesday snafu | ZDNet Zoho zero-day published on Twitter | ZDNet (12) Thijs Alkemade on Twitter: "Last week, I was thinking back about this discussion from @riskybusiness. I decided to have a look at how it works. While doing that, I found a vulnerability that could have been used to gain unauthorized access to an iCloud account. https://t.co/szfFBNWZmy" / Twitter 5 years of Intel CPUs and chipsets have a concerning flaw that’s unfixable | Ars Technica Positive Technologies - learn and secure : Intel x86 Root of Trust: loss of trust AMD processors from 2011 to 2019 vulnerable to two new attacks | ZDNet Intel CPUs vulnerable to new LVI attacks | ZDNet A Flaw in Billions of Wi-Fi Chips Let Attackers Decrypt Data | WIRED Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys | WIRED GadgetProbe: New tool simplifies the exploitation of Java deserialization vulnerabilities | The Daily Swig FBI Warned Of Fraudster’s Paradise: Up To 130,000 Hacked Asus Routers On Sale For A Few Dollars Porn, gore, and gambling habits aired in Virgin Media breach | Ars Technica Hackers Were Inside Citrix for Five Months — Krebs on Security The Case for Limiting Your Browser Extensions — Krebs on Security Hackers are targeting other hackers by infecting their tools with malware | TechCrunch Who's Hacking the Hackers: No Honor Among Thieves Google could have fixed 2FA code-stealing flaw in Authenticator app years ago | ZDNet New action to disrupt world’s largest online criminal network - Microsoft on the Issues This Chinese Whale Lost $45 Million in Bitcoin and BCH Overnight: How it Happened