Risky Business #496 -- The China supply chain problem

WARNING: May contain traces of cyber...
25 Apr 2018 » Risky Business

On this week’s show we hear from Jennifer Bisceglie, the CEO of Interos Solutions, a company that recently prepared a report on supply chain security for the US government’s US-China Economic and Security Review Commission. Risky Business contributor Brian Donohue caught up with Jennifer to talk about the report and really get an idea of what supply chain risks look like from a macro level. The long and the short of it is the supply chain is already very, very opaque, so governments and the private sector will have to work pretty hard to mitigate the risks involved here.

This week’s show is brought to you by Netsparker, the web application security scanning toolmaker. Netsparker was founded nine years ago by this week’s sponsor guest, Ferruh Mavituna. He was a pentester who created Netsparker to help him with his own work. But just recently they raised a bundle of cash: US$40m. We’ll catch up with him and find out if a webapp scanning company with $40m is like the mule with the spinning wheel. It certainly seems like Ferruh has some ambitious plans. We haven’t seen this sort of money being raised by comparable companies so it’s definitely interesting stuff.

In this week’s news we cover off:

  • Mysterious BGP route hijacking for lame Ether theft (??)
  • Google disabling domain fronting
  • Canadian teen charged with downloading documents from a website
  • City of Atlanta spending $2.6m to recover from its ransomware event
  • RSA’s conference app fail
  • White House chaos over Rob Joyce replacement (MAGA!!! MAGAAAAAA!!!!!)
  • Much more

The show notes/links are below, and you can follow Adam, Brian or Patrick on Twitter if that’s your thing.

Show notes

Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency | Ars Technica
Google disables domain-fronting, removing ability to bypass state-level firewalls - Neowin
Teen charged in Nova Scotia government breach says he had 'no malicious intent' | CBC News
Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare | WIRED
Seamus Hughes on Twitter: "A beautiful circle: Company gets ransomwared. Hires IT company to fix it. Unlocks system in record time. FBI figures out the IT company just paid the bitcoin ransom.… https://t.co/7Vrd04GeSA"
Nation-state hackers attempted to use Equifax vulnerability against DoD, NSA official says
Richard Bejtlich on Twitter: "A million times, this. The "basic cyber hygiene" thesis drives me crazy. It's the epitome of static, time-ignorant thinking. "Hygiene" may work against mindless one-shot malware, or one-trick pony script kiddies. It has no place in serious conversations about targeted intrusions.… https://t.co/EtyiHKM0sF"
DNC Lawsuit Against Russia Reveals New Details About 2016 Hack | WIRED
(tech)Darko||Dan on Twitter: "Apparently @RSAConference isn't giving out maps to Expo attendees anymore - they require you to install their app which wants access to everything short of installing a rootkit on your phone. Are you kidding me @RSAsecurity?… https://t.co/QCQeAhzbv5"
RSA conference app leaks user data
SEC fines Yahoo remnant Altaba $35 million for failing to disclose breach
These Ex-Spies Are Harvesting Facebook Photos For A Massive Facial Recognition Database
The Cat-and-Mouse Game Between Apple and the Manufacturer of an iPhone Unlocking Tool - Motherboard
Someone Is Trying to Extort iPhone Crackers GrayShift With Leaked Code - Motherboard
The NSA now officially has a new chief
Trump sends cyberwar strategy to Congress
A cybersecurity power struggle is brewing at the National Security Council
Microsoft-led industry group pledges to not assist government cyberattacks - Cyberscoop
Kaspersky Lab banned from advertising on Twitter
U.S. government weighing sanctions against Kaspersky Lab
Sentencing delayed for FSB's email-popping hacker pawn
Introducing Microsoft Azure Sphere: Secure and power the intelligent edge | Blog | Microsoft Azure
“Drupalgeddon2” touches off arms race to mass-exploit powerful Web servers | Ars Technica
‘Orangeworm’ hacking campaign hits X-ray and MRI machines
Icelandic bitcoin heist suspect arrested in Amsterdam after leaving prison | Ars Technica
A bunch of Red Pills: VMware Escapes | Keen Security Lab Blog
Spoofing Cell Networks with a USB to VGA Adapter | Hackaday
Google Translate
Avast reveals more information detailing how hackers compromised CCleaner | V3
New hacks siphon private cryptocurrency keys from airgapped wallets | Ars Technica
[TITLE] - AARP Research Report