Risky Business #526 -- Huawei arrest in Poland, DPRK SWIFT hack conviction, more from the El Chapo trial

PLUS: A sponsor interview with evil genius JP Smith...
15 Jan 2019 » Risky Business

This week’s podcast features Patrick and Adam talking about the week’s security news, including:

  • Huawei staffer arrested for spying in Poland
  • Conviction in DPRK SWIFT hack against Bangladesh central bank
  • El Chapo used Flexispy to spy on mistresses and staff
  • NSO group on charm offensive
  • Iran hijacking DNS entries, conducting PITM with DV certs
  • Kaspersky tipped NSA on Hal Martin
  • US government certificates expire amid shutdown
  • Idiot sentenced to 10 years prison for DDoSing children’s hospital

This week’s show is brought to you by Trail of Bits! Trail of Bits is a security engineering firm and consultancy based in New York. They aren’t a typical pen-testing firm: they build as well as break.

In this week’s sponsor interview, JP Smith from Trail of Bits joins us to talk about the work he put into CSAW. Not the Centre for Sustainable Architecture with Wood, which is a thing, but the Cyber Security Awareness Worldwide CTF.

JP is a sick man. He’s sick. You’ll hear about the mind-bending CTF challenges he put together for CSAW. Remarkably, some teams were actually able to solve his problems, some of which featured complex numbers mapped to a four-dimensional unit sphere being used to drive the rotation of a virtual IBM Selectric typewriter golfball in Second Life. As I say, he’s a sick, sick man.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Poland spy arrest: China telecoms firm Huawei sacks employee - BBC News
Ex-RCBC manager guilty in $81-M heist | The Manila Times Online
Alan Feuer on Twitter: "Chapo would play a little game. He would call people who had the “special” phones and chat with them a while then hang up, secretly activate the mic and listen to what they said about him."
Chapo’s I.T. Guy: Working for a Kingpin Can Cause a Nervous Breakdown - The New York Times
Exclusive: How Mexican drug baron El Chapo was brought down by technology made in Israel
A Worldwide Hacking Spree Uses DNS Trickery to Nab Data | WIRED
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale | FireEye Inc
Exclusive: How a Russian firm helped catch an alleged NSA data thief - POLITICO
.gov security falters during U.S. shutdown | Netcraft
Senators Call on FCC To Investigate T-Mobile, AT&T, and Sprint Selling Location Data to Bounty Hunters - Motherboard
Google Demanded That T-Mobile, Sprint Not Sell Google Fi Customers' Location Data - Motherboard
AT&T to Stop Selling Location Data to Third Parties After Motherboard Investigation - Motherboard
Feds Can't Force You To Unlock Your iPhone With Finger Or Face, Judge Rules
Ryuk ransomware gang probably Russian, not North Korean | ZDNet
Man gets 10 years for cyberattack on Boston Children's Hospital | Boston.com
Hacker 'BestBuy' sentenced to prison for operating Mirai DDoS botnet | ZDNet
Police get report of a shooting only to find out it was a prank - Palo Alto Daily Post
Scooter startup Bird tried to silence a journalist. It did not go well. | TechCrunch
Yet another Qld cop charged with hacking - Security - iTnews
Some of the biggest web hosting sites were vulnerable to simple account takeover hacks | TechCrunch
$900,000 On Offer For Anyone Who Can Hack A Tesla Model 3
SCP implementations impacted by 36-years-old security flaws | ZDNet
Google Chrome's built-in ad blocker to roll out worldwide on July 9 | ZDNet
Gaining access to Uber's user data through AMPScript evaluation – Assetnote
Rahul Sridhar on Twitter: "Here's a short story about cryptography in 2018 in five tweets:"