Risky Business #588 -- Catastrophic bugs to plague ICS for years

PLUS: GRU domains doxed by NSA, Facebook dropped 0day on online predator...
17 Jun 2020 » Risky Business

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Facebook commissioned custom 0day to de-cloak child sex predator
  • IP stack bugs to plague IoT, ICS for years
  • Sandworm was doxxed by the NSA and hardly anyone noticed
  • Congress demands answers on 2015 Juniper NetScreen back door investigation
  • Amazon, Microsoft join moratorium on sale of facial recognition to police
  • Much, much more

This week’s show is brought to you by Signal Sciences. And instead of having one of their staff on the show, they nominated one of their customers to appear instead. So in this week’s sponsored segment we’re going to hear from Keith Hoodlet. Keith is currently the Senior Manager of Application Experience at Thermo Fisher Scientific, a $137 billion company. He built their appsec program and he’ll be along later on to talk through all of that. It’s a rapid-fire interview about how he was able to get started and make a dent quickly. Keith used to co-host the Application Security Weekly podcast and he’s worked for Bugcrowd and Veracode. He’s a cool guy, it’s a great interview, make sure you stick around for that one.

You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here.

You can subscribe to our new YouTube channel here.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Facebook Helped the FBI Hack a Child Predator - VICE
gov.uscourts.insd.77308.131.0.pdf
Ripple20 vulnerabilities will haunt the IoT landscape for years to come | ZDNet
Exclusive: Sandworm's Exim hacks reveal wider Russian activity - Risky Business
Driving Discord through Disinformation and Disruption – Stranded on Pylos
Wyden seeks details on spies' data protection after scathing CIA audit on Vault 7 leaks
wyden-cybersecurity-lapses-letter-to-dni.pdf
Congress asks Juniper for the results of its 2015 NSA backdoor investigation | ZDNet
Wyden House Juniper Letter
Juniper 'fesses up to TWO attacks from 'unauthorised code' • The Register
Amazon Won’t Let Police Use Its Facial-Recognition Tech for One Year | WIRED
Microsoft Won’t Sell Facial Recognition To American Cops After Protests
(5) Richard Grenell on Twitter: "They should now be barred from federal government contracts - there should be consequences for not selling technology to police departments. @realDonaldTrump" / Twitter
Research shows human rights activists in India were targeted with spyware
Italian company exposed as a front for malware operations | ZDNet
US intelligence bill takes aim at commercial spyware makers | TechCrunch
Text - S.3905 - 116th Congress (2019-2020): Intelligence Authorization Act for Fiscal Year 2021 | Congress.gov | Library of Congress
Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More | WIRED
South African bank to replace 12m cards after employees stole master key | ZDNet
Intel will soon bake anti-malware defenses directly into its CPUs | Ars Technica
Arm CPUs impacted by rare side-channel attack | ZDNet
Twitter bans 32k accounts pushing Chinese, Russian, and Turkish propaganda | ZDNet
COVID-19 Tracking Apps ‘A Privacy Trash Fire’ As Norway Nixes Its Own
Zoom Promises To Do Better After Banning Tiananmen Square Protests—Then Builds Tech To Help China’s Censorship
Chinese users saw Zoom as a window through the 'Great Firewall' - Reuters
Coder-Turned-Kingpin Paul Le Roux Gets His Comeuppance | WIRED
Stalkerware detection rates are improving across antivirus products | ZDNet
Lamphone attack lets threat actors recover conversations from your light bulb | ZDNet
Hackers breached A1 Telekom, Austria's largest ISP | ZDNet
Google email domains spoofed by SMTP exploit in G Suite | The Daily Swig
Former eBay Employees Sent Cockroaches, Bloody Pig Mask to Mass. Couple In Harassment Campaign: US Attorney – NBC Boston