Risky Business #494 -- Cisco customers have a bad week, plus a deep dive on WebAuthn

PLUS all the week's security news!
10 Apr 2018 » Risky Business

Regular listeners would know Risky Business is just running the news and sponsor segments at the moment so there’s no feature interview in this week’s show. But that’s fine because we’ve got plenty to get through in the news segment with Adam Boileau.

Then we’ve got a killer sponsor interview for you this week with Nick Steele and James Barclay of Duo Security.

They’re here to talk about WebAuthn. It’s the new authentication spec currently going through the W3C process. Both Nick and James will be along later to talk about what the spec is designed to do, how it works and what its chances of becoming mainstream are, and spoiler alert, those chances are pretty good.

They’ve also provided me with some links for people out there who want to play around with Webauthn, they are below.

Links to all the news items are also below, and you can follow Patrick or Adam on Twitter if that floats your boat.

Show notes

Nation-state hackers hit Cisco switches - Cyberscoop
"Don’t Mess With Our Elections": Vigilante Hackers Strike Russia, Iran - Motherboard
With trade war looming, Chinese cyberattacks may follow - CyberScoop
Police could access US cloud data under planned crime-fighting deal
DHS defends media-monitoring database, calls critics “conspiracy theorists” | Ars Technica
Alex Ionescu on Twitter: "I generally wasn't opposed to the idea of Chrome making sure that people's documents/downloads weren't full of latent ransomware. But pegging my CPU as you run... f*cking... ESET... on my entire drive? I'm glad I switched to Edge on my desktop PC, I guess it's time for the laptop https://t.co/PHNn7gT583"
After Crackdown, Neo-Nazis Are Hosting Propaganda on Censor-Proof Networks - Motherboard
Chinese Government Forces Residents To Install Surveillance App With Awful Security - Motherboard
A Long-Awaited IoT Crisis Is Here, and Many Devices Aren't Ready | WIRED
DARPA is looking to avoid another version of Meltdown or Spectre - CyberScoop
This Tool Can Help Identify Leakers Who Copy and Paste Secret Info - Motherboard
T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security - Motherboard
Beware of Bing Chrome Download Ads Pushing Adware/PUP Installers
Three Execs Get Prison Time for Pirating Oracle Firmware Patches
Russia Readies Telegram Ban After App Refused to Hand Over Encryption Keys to FSB
VirusTotal Launches Droidy, Its New Android Sandbox Technology
Researchers Hijack Over 2,000 Subdomains From Legitimate Sites in CloudFront Experiment
Tavis Ormandy on Twitter: "This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption 😨 https://t.co/gsx9ZMk1Hz"
Australia's Offensive Cyber Capability | Australian Strategic Policy Institute | ASPI
Josh Marshall on Twitter: "oh look "security expert" Rudy Giuliani shows you how to do a special "dark web scan", courtesy of Experian. https://t.co/8DIlUY56Lu"
GitHub - duo-labs/webauthn: A Demonstration of the WebAuthn Specification
GitHub - duo-labs/py_webauthn: A WebAuthn Python module.
ImperialViolet - Security Keys
Web Authentication: An API for accessing Public Key Credentials Level 1
Using Hardware Token-based 2FA with the WebAuthn API – Mozilla Hacks – the Web developer blog
Trying Out Web Authentication (WebAuthn)
Web Authentication: What It Is and What It Means for Passwords | Duo Security