Risky Business #549 -- FSB contractor breached, Equifax fined, NSO Group targets cloud

Another huge week of infosec news...
24 Jul 2019 » Risky Business

Adam Boileau is along this week to discuss the week’s security news. We cover:

  • FSB contractor gets itself a whole lotta owned
  • NSO Group pitches cloud access
  • Hal Martin gets 9 years
  • NSA to launch defensive division
  • Bulgarian breach data exposed
  • DataSpii scandal a 2019 privacy case study
  • Google boots DarkMatter certificates from Chrome and Android
  • Equifax fined $700m
  • Horror show bugs in enterprise VPN concentrators from Palo Alto, Fortinet
  • Microsoft demos ElectionGuard SDK (looks pretty cool)

This week’s sponsor interview is with Casey Ellis of Bugcrowd. We’ll talk about how organisations are increasingly doing bug bounties on technology they use, not just technology they develop. And then we’ll be talking about a new thing Bugcrowd is doing – Bugcrowd for marketplaces.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Hackers breach FSB contractor, expose Tor deanonymization project and more | ZDNet
Report: NSO Group's Pegasus Spyware Can Break Into Cloud Services, Transmit User Data To Server | Gizmodo Australia
Contractor who stole 50TB of NSA data gets nine years in prison | ZDNet
Think FaceApp Is Scary? Wait Till You Hear About Facebook | WIRED
Europe’s Galileo Satellite Outage Serves as a Warning | WIRED
NSA to establish a defense-minded division named the Cybersecurity Directorate | ZDNet
US Govt Rolls Out New DNS Security Measures for .gov Domains
U.S. Cyber Command simulated a seaport cyberattack to test digital readiness
‘We have to hit the problem the way it hits us’: How the FBI tracks a range of hacking threats
Barr Says Police Need Encryption Backdoors, Doesn’t Mention Hacking Tools They Use All the Time - VICE
Bulgaria's hacked database is now available on hacking forums | ZDNet
Bulgaria hacking suspect worked on government cybersecurity before tax agency breach
My browser, the spy: How extensions slurped up browsing histories from 4M users | Ars Technica
More on DataSpii: How extensions hide their data grabs—and how they’re discovered | Ars Technica
Google bans DarkMatter certificates from Chrome and Android | ZDNet
Chances of destructive BlueKeep exploit rise with new explainer posted online | Ars Technica
Teenage hackers are offered a second chance under European experiment
Vigilante Hacker ‘Phineas Fisher’ Denies Working for the Russian Government - VICE
$700 Million Equifax Fine Is Still Too Little, Too Late | WIRED
Flaws in widely used corporate VPNs put company secrets at risk | TechCrunch
Siemens contractor pleads guilty to planting logic bomb in company spreadsheets | ZDNet
Hackers Exploit Jira, Exim Linux Servers to "Keep the Internet Safe"
10,000 Microsoft customers targeted by nation-state attacks in the last year
Mozilla Firefox Tor Mode Likely to Start as a Browser Addon
Firefox to Warn When Saved Logins are Found in Data Breaches
Microsoft demos ElectionGuard technology for securing electronic voting machines | ZDNet
Kazakhstan government is now intercepting all HTTPS traffic | ZDNet
Data Broker LocationSmart Will Fight Class Action Lawsuit Over Selling AT&T Data - VICE
Slack resets passwords for 1% of its users because of 2015 hack | ZDNet
BEC Scams Average $301 Million Per Month In Illegal Transfers
Malicious Python libraries targeting Linux servers removed from PyPI | ZDNet
Gigabyte and Lenovo servers impacted by common BMC firmware flaws | ZDNet
Cracked Tesla 3 Windshield Leads to $10,000 Bug Bounty
Inside Apple Factory Thefts: Secret Tunnels, Hidden Crawl Spaces — The Information