Risky Business #510 -- Hacky hack hack

All the week's news with Adam Boileau plus Lauren Pearl in the sponsor chair...
22 Aug 2018 » Risky Business

On this week’s show we’ll be running through the week’s security news, then diving right on in to a sponsor interview with Lauren Pearl of Trail of Bits. She’s joining us to talk about something Trail of Bits have been up to lately: adding features to open source software – and auditing open source software – on behalf of its customers.

I do have a feature interview this week, but it’s a long one so I’ll be breaking that out into a separate podcast. It’s a nice long chat with Bob Lord, the CSO for the Democratic National Committee. You know, the guy who hid “the server”.

The news we’re covering this week:

  • Melbourne teenager hacky-hack hacks Apple
  • Facebook nukes Iranian and RU influence ops
  • Report: Sealed court order seeks Facebook Messenger E2E intercept
  • USG ditches PPD-20 equities process
  • A look at “Intrusion Truth” CN operator doxing ring
  • Microsoft kills RU phishing domains

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Melbourne teen hacked into Apple's secure computer network, court told
Apple reassures customers after Australian media reports hack by teen
Taking Down More Coordinated Inauthentic Behavior | Facebook Newsroom
Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East | FireEye Inc
Exclusive: U.S. government seeks Facebook help to wiretap Messenger - sources | Reuters
PPD-20 elimination opens arguments over how U.S. should conduct offensive hacking operations
Bobby Chesney on Twitter: "Glad the dual-hat seems likely to hang on for at least a while. With no brakes at NSC, & now change to PPD-20 reducing interagency vetting of offensive mil cyber ops, the deconfliction of T10 & T50 equities that happens organically w/the NSA/CYBERCOM dual-hat looms even larger.… https://t.co/XPvF7nbcLP"
China's National Cybersecurity Standards Considered a Risk for Foreign Firms
Meet 'Intrusion Truth,' the Mysterious Group Doxing Chinese Intel Hackers - Motherboard
Microsoft Just Took Down Six Phishing Domains The Russian Government Was Using To Target US Politics
Google Sued Over Misleading Location Tracking Setting
Gmail's Confidential Mode Lets You Send Self-Destructing Emails
Skype's End-to-End Encryption Goes Live
Hackers Made Half a Million Dollars Pretending They Watched You Watch Porn - Motherboard
Apple Cleans Chinese App Store of Thousands of Fake Apps
GoDaddy Revocation Disclosure - Google Groups
JavaScript Web Apps and Servers Vulnerable to ReDoS Attacks
GitHub - sola-da/ReDoS-vulnerabilities: A list of ReDoS vulnerabilities in npm modules found by the Software Lab at TU Darmstadt. For each vulnerability, there is a proof-of-concept exploit, showing how the slowdown may occur. The resources in this repository are provided for research purpose only. Please read below for more details.
Cloud Product Accidentally Exposes Users' TLS Certificate Private Keys
Zero-Day In Microsoft's VBScript Engine Used By Darkhotel APT
PHP Deserialization Issue Left Unfixed in WordPress CMS
Get an open-source security multiplier | Trail of Bits Blog