Risky Business #511 -- Australia, Japan to ban Huawei, Struts drama, DNC lols and more

All the week's news, plus a chat with Zane Lackey...
29 Aug 2018 » Risky Business

We’re going to stick with the revised format this week – we’re going long on news with Adam, then diving right in to the sponsor interview with Zane Lackey of Signal Sciences.

A bunch of you heard my long form, Soap Box interview with Zane from a few weeks back. We’re extending that interview out a bit in this week’s interview. Zane will be outlining what he thinks needs to change in DevSecOps tooling and workflow for things to really work nicely – it’s just a solid 12 minutes of good thinking and advice, that interview, so do stick around for it.

Adam Boileau will join the show to recap the week’s news:

  • Australia and Japan to ban Huawei from their 5G builds
  • Struts bug: Big deal or meh?
  • Voting machine maker ES&S rebuked by researchers AND US gov
  • The DNC phish that wasn’t
  • Recapping Andy Greenberg’s Maersk/Notpetya coverage
  • Instagram adds real 2FA
  • Windows privesc 0day on teh twittarz
  • T-Mobile pwned harder than it initially admitted
  • Log in to Windows with Google accounts
  • Some hilarious Lazarus group shenanigans
  • Much, much more

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

China intensifies criticism of Australia's Huawei 5G ban | afr.com
Japan plans to block Huawei, ZTE from public procurement: report
New critical vulnerability exposes Apache Struts instances to remote attacks
Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776 - Palo Alto Networks Blog
The Cybersecurity 202: Lawmakers dismiss voting machine maker's claim that spies benefit from election hacking demos - The Washington Post
Rob Joyce on Twitter: "Ignorance of insecurity does not get you security. We need to examine voting machines, SCADA systems, IOT and other important items in our lives. The investigation of these devices by the hacker community is a service, not a threat."
How the U.S. Has Failed to Protect the 2018 Election—and Four Ways to Protect 2020 - Lawfare
Democrats find hackers targeting voter database
DNC says phishing incident was a false alarm
Facebook bans Myanmar general as U.N. calls for independent investigation into Rohingya crisis
Russian trolls targeted Australian voters on Twitter via #auspol and #MH17
Google removes dozens of YouTube channels linked to 'influence operation'
The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED
Scammers Threaten to Review Bomb a Travel Company Unless it Pays Ransom - Motherboard
Instagram Expands 2FA Support Following Recent Wave of Account Hacks
Exploit Published for Unpatched Flaw in Windows Task Scheduler
SandboxEscaper on Twitter: "Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit."
Travel blog of an evil transgirl
Travel blog of an evil transgirl: Disclosures
Hackers Stole Personal Data of 2 Million T-Mobile Customers - Motherboard
You May Soon Be Able to Log Into Windows 10 Using a Google Account
How a hacker network turned stolen press releases into $100 million - The Verge
Cobalt Dickens threat group looks to be similar to indicted hackers
Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware - Securelist
Researchers find way to spy on remote screens—through the webcam mic | Ars Technica
Windows 95 Is Now Available as an App for Windows, macOS and Linux
The adventures of lab ED011—“Nobody would be able to duplicate what happened there” | Ars Technica
Building a Modern Security Program [Book]
The Next-Gen Web Protection Platform - WAF And RASP | Signal Sciences