Risky Business #471 -- Good Microsoft, bad Microsoft

A chat with a bug hunter about a lacklustre response from MSRC...
27 Sep 2017 » Risky Business

On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require a man-in-the-middle position to exploit the failure. Ummm. What?

It all got sorted out eventually, and by sorted out I mean silently patched with no note to customers. So if you have a script running somewhere that’s invoking this tool, it’s probably not checking for valid certificates. So that’s fun.

In this week’s show notes we’ll be talking with industry legend Jon Oberheide, co-founder of Duo Security, about a couple of things. We’ll be looking at the features platform vendors like Microsoft and Google are now baking into their operating systems that allow companies like Duo to query the health of endpoints. We also have a general conversation about how it is actually the platform vendors who will solve the biggest problems, not so much the security industry. That’s this week’s sponsor interview, with big thanks to Duo Security.

The Grugq is this week’s news guest. Links to everything discussed are below, and you can also follow Patrick or The Grugq on Twitter if that’s your thing.

Show notes

CCleaner malware outbreak is much worse than it first appeared | Ars Technica
The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms | WIRED
SEC Chairman reveals financial reporting system was hacked | Ars Technica
SEC reveals it was hacked, information may have been used for illegal stock trades - The Washington Post
Deloitte hit by cyber-attack revealing clients’ secret emails | Business | The Guardian
Deloitte: 'Very Few Clients' Impacted by Cyber Attack | Threatpost | The first stop for security news
Massive Equifax hack reportedly started 4 months before it was detected | Ars Technica
Facebook revamps political-ad rules after discovering Russian ad buys | Ars Technica
Obama tried to give Zuckerberg a wake-up call over fake news on Facebook
Twitter Will Meet With Senate Intelligence Committee on Russia | WIRED
Hundreds of Islamic State Supporters Could Be Giving Away Their Location on Instagram
Use of personal devices widespread in Trump’s West Wing – POLITICO
China disrupts WhatsApp ahead of Communist Party meeting - BBC News
U.S. to Collect Social Media Data of Immigrants | Fortune.com
Suspected Iranian Hackers Targeted U.S. Aerospace Sector
Cloudflare Now Provides Unmetered DDoS Mitigation Without Extra Costs
In a first, Android apps abuse serious “Dirty Cow” bug to backdoor phones | Ars Technica
Proof-of-Concept Exploit Code Published for Remote iPhone 7 WiFi Hack
Password-theft 0-day imperils users of High Sierra and earlier macOS versions | Ars Technica
Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse | Threatpost | The first stop for security news
Cassie Sainsbury’s Whole Defence Case Hinges On A Forgotten Phone Password
CAGE's Muhammad Rabbani to appeal against court ruling | UK News | Al Jazeera
Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface
Canadian Man Gets 9 Months Detention for Serial Swattings, Bomb Threats — Krebs on Security
Hackers create memorial for a cockroach named Trevor | CSO Online
The Trusted Access Company: Duo Security