Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/

Risky Business #588 -- Catastrophic bugs to plague ICS for years


On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Facebook commissioned custom 0day to de-cloak child sex predator
  • IP stack bugs to plague IoT, ICS for years
  • Sandworm was doxxed by the NSA and hardly anyone noticed
  • Congress demands answers on 2015 Juniper NetScreen back door investigation
  • Amazon, Microsoft join moratorium on sale of facial recognition to police
  • Much, much more

This week’s show is brought to you by Signal Sciences. And instead of having one of their staff on the show, they nominated one of their customers to appear instead. So in this week’s sponsored segment we’re going to hear from Keith Hoodlet. Keith is currently the Senior Manager of Application Experience at Thermo Fisher Scientific, a $137 billion company. He built their appsec program and he’ll be along later on to talk through all of that. It’s a rapid-fire interview about how he was able to get started and make a dent quickly. Keith used to co-host the Application Security Weekly podcast and he’s worked for Bugcrowd and Veracode. He’s a cool guy, it’s a great interview, make sure you stick around for that one.

You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here.

You can subscribe to our new YouTube channel here.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

  • Facebook Helped the FBI Hack a Child Predator - VICE
  • gov.uscourts.insd.77308.131.0.pdf
  • Ripple20 vulnerabilities will haunt the IoT landscape for years to come | ZDNet
  • Exclusive: Sandworm's Exim hacks reveal wider Russian activity - Risky Business
  • Driving Discord through Disinformation and Disruption – Stranded on Pylos
  • Wyden seeks details on spies' data protection after scathing CIA audit on Vault 7 leaks
  • wyden-cybersecurity-lapses-letter-to-dni.pdf
  • Congress asks Juniper for the results of its 2015 NSA backdoor investigation | ZDNet
  • Wyden House Juniper Letter
  • Juniper 'fesses up to TWO attacks from 'unauthorised code' • The Register
  • Amazon Won’t Let Police Use Its Facial-Recognition Tech for One Year | WIRED
  • Microsoft Won’t Sell Facial Recognition To American Cops After Protests
  • (5) Richard Grenell on Twitter: "They should now be barred from federal government contracts - there should be consequences for not selling technology to police departments. @realDonaldTrump" / Twitter
  • Research shows human rights activists in India were targeted with spyware
  • Italian company exposed as a front for malware operations | ZDNet
  • US intelligence bill takes aim at commercial spyware makers | TechCrunch
  • Text - S.3905 - 116th Congress (2019-2020): Intelligence Authorization Act for Fiscal Year 2021 | Congress.gov | Library of Congress
  • Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More | WIRED
  • South African bank to replace 12m cards after employees stole master key | ZDNet
  • Intel will soon bake anti-malware defenses directly into its CPUs | Ars Technica
  • Arm CPUs impacted by rare side-channel attack | ZDNet
  • Twitter bans 32k accounts pushing Chinese, Russian, and Turkish propaganda | ZDNet
  • COVID-19 Tracking Apps ‘A Privacy Trash Fire’ As Norway Nixes Its Own
  • Zoom Promises To Do Better After Banning Tiananmen Square Protests—Then Builds Tech To Help China’s Censorship
  • Chinese users saw Zoom as a window through the 'Great Firewall' - Reuters
  • Coder-Turned-Kingpin Paul Le Roux Gets His Comeuppance | WIRED
  • Stalkerware detection rates are improving across antivirus products | ZDNet
  • Lamphone attack lets threat actors recover conversations from your light bulb | ZDNet
  • Hackers breached A1 Telekom, Austria's largest ISP | ZDNet
  • Google email domains spoofed by SMTP exploit in G Suite | The Daily Swig
  • Former eBay Employees Sent Cockroaches, Bloody Pig Mask to Mass. Couple In Harassment Campaign: US Attorney – NBC Boston


June 17, 2020