Risky Business #551 -- Post Vegas edition, more news than we can handle

An amazing bunch of stories to get through...
14 Aug 2019 » Risky Business

Adam Boileau is along this week to discuss the week’s security news. We cover:

  • Follow ups on CapitalOne
  • Amazon EBS snapshots exposed
  • North Korea bags $2bn in cybercrime spree
  • Attempted Coinbase breach postmortem
  • Apple’s new research phones for bug hunters
  • APT41 busted moonlighting
  • Cloudflare finally ditches 8chan
  • Leaked Boeing 787 code shredded, full of bugs
  • Qualcomm bugs pave path through to Android kernel
  • Microsoft gets Tavis’d
  • More RDP/RDS bugs
  • Much, much more

This week’s sponsor interview is with Jake King of CMD. CMD has developed a control layer for Linux systems that restricts what accounts can do, going beyond traditional permissions. Jake will be along this week to talk a little bit about EDR on Linux. He saw a nice talk from some IBM X-Forcers at Black Hat about Linux EDR bypasses, and that led to a conversation about Linux EDR generally. It’s interesting stuff.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

What We Can Learn from the Capital One Hack — Krebs on Security
GitHub sued for aiding hacking in Capital One breach | ZDNet
Hundreds of exposed Amazon cloud backups found leaking sensitive data | TechCrunch
Monzo admits to storing payment card PINs in internal logs | ZDNet
One Million Bank Phone Calls Found in Exposed Server - VICE
SEC Investigating Data Leak at First American Financial Corp. — Krebs on Security
North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report - Reuters
An attempted heist at Coinbase was scary good, even though it failed - MIT Technology Review
Responding to Firefox 0-days in the wild - The Coinbase Blog
Three ads generate 5.5 times more revenue than a web-based cryptojacking script | ZDNet
Apple Hands Hackers Secret iPhones In A Bid To Boost Security, Sources Say
Apple expands bug bounty to macOS, raises bug rewards | ZDNet
Meet APT41, the Chinese hackers moonlighting for personal gain
Cloudflare Says It Won’t Ban 8chan, a Hotbed for Terrorist Manifestos - VICE
Cloudflare Is Protecting a Site Linked to a Neo-Nazi Terror Group - VICE
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts | WIRED
Feds plan to use SecureDrop as a vulnerability reporting portal
US military purchased $32.8m worth of electronics with known security risks | ZDNet
MICROCHIPS Act wants to secure US govt supply chain against Chinese sabotage | ZDNet
Cisco to pay $8.6 million fine for selling government hackable video surveillance technology - The Washington Post
Exclusive: Kaspersky Software Lingers On Sensitive Government Systems 2 Years After U.S. Ban
New advanced malware, possibly nation sponsored, is targeting US utilities | Ars Technica
Yet another hacking group is targeting oil and gas companies, Dragos says
NSA's reverse-engineering malware tool, Ghidra, to get new features to save time, boost accuracy
A Multimillionaire Surveillance Dealer Steps Out Of The Shadows . . . And His $9 Million WhatsApp Hacking Van
Microsoft To Disable VBScript by Default on August 13th
These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer - VICE
This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station' | WIRED
Clever attack uses SQLite databases to hack other apps, malware servers | ZDNet
Researchers find security flaws in 40 kernel drivers from 20 vendors | ZDNet
Hackers Can Break Into an iPhone Just by Sending a Text | WIRED
Microsoft Invites Researchers to Hack Their Azure Security Lab
Hackers Take on Darpa's $10 Million Voting Machine | WIRED
13-Year-Old Encryption Bugs Still Haunt Apps and IoT | WIRED
Avaya VoIP Phones Harbored 10-year Old Vulnerability
Microsoft: Russian state hackers are using IoT devices to breach enterprise networks | ZDNet
Black Hat Talk About ‘Time AI’ Causes Uproar, Is Deleted By Conference - VICE
Development stops on PowerShell Empire framework after project reaches its goal | ZDNet
How AT&T Insiders Were Bribed to 'Unlock' Millions of Phones | WIRED
QualPwn vulnerabilities in Qualcomm chips let hackers compromise Android devices | ZDNet
Security bugs in popular Cisco switch brand allow hackers to take over devices | ZDNet
WordPress team working on daring plan to forcibly update old websites | ZDNet
Vulnerability in Microsoft CTF protocol goes back to Windows XP | ZDNet
How offense and defense came together to plug a hole in a popular Microsoft program
Ancient technique tears a hole through modern web stacks at Black Hat 2019 | The Daily Swig
He tried to prank the DMV. Then his vanity license plate backfired big time.
Reading list

How a BlackBerry password cracked one of Australia’s biggest drug hauls
Who Owns Your Wireless Service? Crooks Do. — Krebs on Security
DARPA Is Building a $10 Million, Open Source, Secure Voting System - VICE
Now you can use Android phones, rather than passwords, to log in to Google* | Ars Technica
Database from StockX Hack Sold Online, Check If You're Included
Silent Windows update patched side channel that leaked data from Intel CPUs | Ars Technica
Extortion and alleged ISIS threats: A Saudi embassy learned the hard way about email security - CyberScoop
A phishing campaign with nation-state hallmarks is targeting Chinese government agencies - CyberScoop
Guardian Firewall iOS App Automatically Blocks the Trackers on Your Phone | WIRED
A cyber-espionage group has been stealing files from the Venezuelan military | ZDNet
Voter records for 80% of Chile's population left exposed online | ZDNet
A Remote-Start App Exposed Thousands of Cars to Hackers | WIRED
FTC: Too many people signed up for Equifax cash, so they'll be getting less than $125 | ZDNet
Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials - VICE
Windows malware strain records users on adult sites | ZDNet
State Farm says hackers confirmed valid usernames and passwords in credentials stuffing attack | ZDNet
iNSYNQ Ransom Attack Began With Phishing Email — Krebs on Security
Android Apps With Over 100M Installs Contain a Clicker Trojan
New HTTP/2 Flaws Expose Unpatched Web Servers to DoS Attacks
StockX was hacked, exposing millions of customers’ data | TechCrunch
CafePress Data Breach Exposes Personal Info of 23 Million Users