On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require a man-in-the-middle position to exploit the failure. Ummm. What?
It all got sorted out eventually, and by sorted out I mean silently patched with no note to customers. So if you have a script running somewhere that’s invoking this tool, it’s probably not checking for valid certificates, so that’s fun.
In this week’s sponsor interview we’ll be talking with industry legend Jon Oberheide, co-founder of Duo Security, about a couple of things. We’ll be looking at the features platform vendors like Microsoft and Google are now baking into their operating systems that allow companies like Duo to query the health of endpoints. We also have a general conversation about how it is actually the platform vendors who will solve the biggest problems, not so much the security industry. That’s this week’s sponsor interview, with big thanks to Duo Security.
The Grugq is this week’s news guest. Links to everything discussed are below, and you can also follow Patrick or The Grugq on Twitter if that’s your thing.
Show notes
- CCleaner malware outbreak is much worse than it first appeared | Ars Technica
- The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms | WIRED
- SEC Chairman reveals financial reporting system was hacked | Ars Technica
- SEC reveals it was hacked, information may have been used for illegal stock trades - The Washington Post
- Deloitte hit by cyber-attack revealing clients’ secret emails | Business | The Guardian
- Deloitte: 'Very Few Clients' Impacted by Cyber Attack | Threatpost
- Massive Equifax hack reportedly started 4 months before it was detected | Ars Technica
- Facebook revamps political-ad rules after discovering Russian ad buys | Ars Technica
- Obama tried to give Zuckerberg a wake-up call over fake news on Facebook
- Twitter Will Meet With Senate Intelligence Committee on Russia | WIRED
- Hundreds of Islamic State Supporters Could Be Giving Away Their Location on Instagram
- Use of personal devices widespread in Trump’s West Wing – POLITICO
- China disrupts WhatsApp ahead of Communist Party meeting - BBC News
- U.S. to Collect Social Media Data of Immigrants | Fortune.com
- Suspected Iranian Hackers Targeted U.S. Aerospace Sector
- Cloudflare Now Provides Unmetered DDoS Mitigation Without Extra Costs
- In a first, Android apps abuse serious “Dirty Cow” bug to backdoor phones | Ars Technica
- Proof-of-Concept Exploit Code Published for Remote iPhone 7 WiFi Hack
- Password-theft 0-day imperils users of High Sierra and earlier macOS versions | Ars Technica
- Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse | Threatpost
- Cassie Sainsbury’s Whole Defence Case Hinges On A Forgotten Phone Password
- CAGE's Muhammad Rabbani to appeal against court ruling | UK News | Al Jazeera
- Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface
- Canadian Man Gets 9 Months Detention for Serial Swattings, Bomb Threats — Krebs on Security
- Hackers create memorial for a cockroach named Trevor | CSO Online
- The Trusted Access Company: Duo Security