Risky Business

On this week’s show Patrick and Adam discuss the week’s security news, including:

• WeChat joins TikTok in the naughty corner
• TLS 1.3 with ESNI will have a massive impact on censorship AND security
• Belarus goes dark after dodgy election
• Capital One fined $80m
• Much, much more

We’ll be hearing from Dan Guido of Trail of Bits in this week’s sponsor interview. They’ve developed a generic macOS EDR package that you, dear vendor, should absolutely license from them. Dan joins us to explain why.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes America's clean path is slippery - Risky Business Trump issues executive orders that will ban TikTok, WeChat in 45 days - CyberScoop China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI | ZDNet Cat and mouse: Privacy advocates fight back after China tightens surveillance controls | The Daily Swig DEF CON: New tool brings back 'domain fronting' as 'domain hiding' | ZDNet Belarus Has Shut Down the Internet Amid a Controversial Election | WIRED Ohio becomes first state to release vulnerability policy for election-related websites Top voting vendor ES&S publishes vulnerability disclosure policy Microsoft bug bounty payouts trebled to reach nearly $14 million in the last year | The Daily Swig US offers $10 million reward for hackers meddling in US elections | ZDNet Mozilla lays off 250 employees while it refocuses on commercial products | ZDNet US financial regulator fines Capital One $80 million over data breach FBI says an Iranian hacking group is attacking F5 networking devices | ZDNet Citrix releases fix for software bug that hackers ‘will move quickly to exploit’ Hacker leaks passwords for 900+ enterprise VPN servers | ZDNet Hacking group has hit Taiwan's prized semiconductor industry, Taiwanese firm says A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks | ZDNet FBI issues warning over Windows 7 end-of-life | ZDNet Anti-encryption laws yet to be used by Asio or AFP to compel tech firms' help, inquiry told | Australian security and counter-terrorism | The Guardian WordPress 5.5 rolls out with auto-updates for plugins, themes | The Daily Swig Snapdragon chip flaws put >1 billion Android phones at risk of data theft | Ars Technica Researchers found another way to hack Android cellphones via Bluetooth Insecure satellite Internet is threatening ship and plane safety | Ars Technica When TLS hacks you: Security friend becomes a foe | The Daily Swig Top hacks from Black Hat and DEF CON 2020 | The Daily Swig Security bugs let these car hackers remotely control a Mercedes-Benz | TechCrunch Black Hat 2020: New HTTP request smuggling variants levied against modern web servers | The Daily Swig Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack | The Daily Swig (12) Dan Guido on Twitter: "Last Thursday, I was locked out of my cloud MDM, my data was deleted, and MDM agents for every device @trailofbits were silently removed by the vendor, leaving the entire company unmanaged. There was no advance notice and no explanation. This is a warning: Never use Kandji. https://t.co/0zIPZKpCC8" / Twitter Sinter: New user-mode security enforcement for macOS | Trail of Bits Blog