Risky Business #496 -- The China supply chain problem

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and get an idea of what supply chain risks look like at a macro level. The long and the short of it is that the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here.

This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff.

In this week’s news we cover off:

  • Mysterious BGP route hijacking for lame Ether theft (??)
  • Google disabling domain fronting
  • Canadian teen charged with downloading documents from a website
  • City of Atlanta spending $2.6m to recover from its ransomware event
  • RSA’s conference app fail
  • White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!)
  • Much more

The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.


Show notes

Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency | Ars Technica

Google disables domain-fronting, removing ability to bypass state-level firewalls - Neowin

Teen charged in Nova Scotia government breach says he had 'no malicious intent' | CBC News

Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare | WIRED

Seamus Hughes on Twitter: "A beautiful circle: Company gets ransomwared. Hires IT company to fix it. Unlocks system in record time. FBI figures out the IT company just paid the bitcoin ransom.… https://t.co/7Vrd04GeSA"

Nation-state hackers attempted to use Equifax vulnerability against DoD, NSA official says

Richard Bejtlich on Twitter: "A million times, this. The "basic cyber hygiene" thesis drives me crazy. It's the epitome of static, time-ignorant thinking. "Hygiene" may work against mindless one-shot malware, or one-trick pony script kiddies. It has no place in serious conversations about targeted intrusions.… https://t.co/EtyiHKM0sF"

DNC Lawsuit Against Russia Reveals New Details About 2016 Hack | WIRED

(tech)Darko||Dan on Twitter: "Apparently @RSAConference isn't giving out maps to Expo attendees anymore - they require you to install their app which wants access to everything short of installing a rootkit on your phone. Are you kidding me @RSAsecurity?… https://t.co/QCQeAhzbv5"

RSA conference app leaks user data

SEC fines Yahoo remnant Altaba $35 million for failing to disclose breach

These Ex-Spies Are Harvesting Facebook Photos For A Massive Facial Recognition Database

The Cat-and-Mouse Game Between Apple and the Manufacturer of an iPhone Unlocking Tool - Motherboard

Someone Is Trying to Extort iPhone Crackers GrayShift With Leaked Code - Motherboard

The NSA now officially has a new chief

Trump sends cyberwar strategy to Congress

A cybersecurity power struggle is brewing at the National Security Council

Microsoft-led industry group pledges to not assist government cyberattacks - Cyberscoop

Kaspersky Lab banned from advertising on Twitter

U.S. government weighing sanctions against Kaspersky Lab

Sentencing delayed for FSB's email-popping hacker pawn

Introducing Microsoft Azure Sphere: Secure and power the intelligent edge | Blog | Microsoft Azure

“Drupalgeddon2” touches off arms race to mass-exploit powerful Web servers | Ars Technica

‘Orangeworm’ hacking campaign hits X-ray and MRI machines

Icelandic bitcoin heist suspect arrested in Amsterdam after leaving prison | Ars Technica

A bunch of Red Pills: VMware Escapes | Keen Security Lab Blog

Spoofing Cell Networks with a USB to VGA Adapter | Hackaday

Google Translate

Avast reveals more information detailing how hackers compromised CCleaner | V3

New hacks siphon private cryptocurrency keys from airgapped wallets | Ars Technica

[TITLE] - AARP Research Report