Risky Business #581 -- Chinese telcos under fire in USA, spy firms pitch COVID-19 surveillance

PLUS: NSO Group in hot water over US C2 IPs...
29 Apr 2020 » Risky Business

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Spy companies pitch ridiculously invasive approaches to contact tracing
  • NSO Group busted running c2 boxes in USA according to WhatsApp lawsuit
  • Australian government releases contact tracing app, no idea if it works
  • Chinese telcos to get boot from USA
  • Much, much more

This week’s show is brought to you by Senetas. This week’s sponsor interview is with listener favourite, Senetas CTO Julian Fay. He’ll be along in this week’s show to talk about an open source project Senetas has put together – oqs-engine.

It’s an OpenSSL engine plugin you can go grab right now if you want to play around with Open Quantum Safe encryption algorithms. Senetas didn’t write the algorithms, but they have squeezed them into this handy OpenSSL engine plugin package. Julian drops in to tell us all about that.

You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here.

You can subscribe to our new YouTube channel here.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Special Report: Cyber-intel firms pitch governments on spy tools to trace coronavirus - Reuters
NSO Employee Abused Phone Hacking Tech to Target a Love Interest - VICE
Facebook: Here’s Proof Israeli WhatsApp Hackers Ran Cyberweapons In America
RIPE opposes China's internet protocols upgrade plan | ZDNet
Chinese telcos have 30 days to prevent US expulsion - Risky Business
Flaw in iPhone, iPads may have allowed hackers to steal data for years - Reuters
That no-click iOS 0-day reported to be under exploit doesn’t exist, Apple says | Ars Technica
Google discloses zero-click bugs impacting several Apple operating systems | ZDNet
Google Sees State-Sponsored Hackers Ramping Up Coronavirus Attacks | WIRED
How Spies Snuck Malware Into the Google Play Store—Again and Again | WIRED
Vietnamese cyber-espionage has pivoted to Beijing's coronavirus response
Researchers used a GIF to prove they could access Microsoft Teams user data
Prague mayor under police protection amid reports of Russian plot | World news | The Guardian
Poland implicates Russia in cyberattack, info op aimed at undercutting U.S. relations
The Covid-19 Pandemic Reveals Ransomware's Long Game | WIRED
Hackers are exploiting a Sophos firewall zero-day | ZDNet
Malicious advertising slingers up the ante during Covid-19 pandemic | The Daily Swig
Hackers have breached 60 ad servers to load their own malicious ads | ZDNet
Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies — Krebs on Security
Hackers spoof SBA to try to compromise companies' computers
Israel government tells water treatment companies to change passwords | ZDNet
You can now manage Windows 10 devices through G Suite | ZDNet
Nintendo says 160,000 users impacted in recent account hacks | ZDNet
Nintendo isn’t saying, so here’s how to fend off the account hijacking spree | Ars Technica
Another one-line npm package breaks the JavaScript ecosystem | ZDNet
This Tweet Crashes Twitter - VICE
The Air Force wants you to hack its satellite in orbit. Yes, really | TechCrunch
Security researcher identifies new APT group mentioned in 2017 Shadow Brokers leak | ZDNet
NSA shares list of vulnerabilities commonly exploited to plant web shells | ZDNet
Detect and prevent web shell malware | Cyber.gov.au
Instacart Sends Cease-and-Desist to Website That Automatically Placed Orders - VICE
Insomnia Security
GitHub - open-quantum-safe/oqs-engine: [Work in Progress] An OpenSSL ENGINE that enables the use of post-quantum digital signature algorithms from liboqs.
Senetas, a leading provider of encryption technology