Risky Business #615 -- Dependency confusion is, uh, pretty bad

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • USA floats new sanctions against Russia
  • TikTok, WeChat get stay of execution
  • Dependency confusion is ugh
  • US indicts Lazarus crypto-thieves
  • France ties Sandworm crew to Centreon intrusion
  • MORE

This week’s show is brought to you by Thinkst Canary. Thinkst’s founder Haroon Meer is this week’s sponsor guest and he joins us to have a very Haroon-style conversation. We talk about how security controls and detections often fall over when things happen that take place outside of our assumptions: trojaned software updates, attackers hiding in unconventional places like monitors, things like that. That’s a great conversation.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Biden administration planning to sanction Russia for SolarWinds hacks - The Washington Post

SolarWinds hackers targeted NASA, Federal Aviation Administration networks | TechCrunch

SolarWinds hackers studied Microsoft source code for authentication and email | Reuters

Centreon says only 15 entities were targeted in recent Russian hacking spree | ZDNet

France Ties Russia's Sandworm to a Multiyear Hacking Spree | WIRED

Dax-Côte d’Argent hospital in France hit by ransomware attack | The Daily Swig

FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group | ZDNet

China Hijacked an NSA Hacking Tool in 2014—and Used It for Years | WIRED

Biden administration pauses Trump's plans to ban WeChat, TikTok - CyberScoop

North Korean Hackers Accused Of ‘Biggest Cryptocurrency Theft Of 2020’—Their Heists Are Now Worth $1.75 Billion

Feds Indict North Korean Hackers for Years of Heists and Scams | WIRED

Dependency confusion attack mounted via PyPi repo exposes flawed package installer behavior | The Daily Swig

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium

Microsoft warns enterprises of new 'dependency confusion' attack technique | ZDNet

Microsoft starts removing Flash from Windows devices via new KB4577586 update | ZDNet

Flash version distributed in China after EOL is installing adware | ZDNet

Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang — Krebs on Security

The Riviera Maya Gang: Cash, Crime, Killing - YouTube

Spike in ATM Skimming in Mexico? — Krebs on Security

Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests | ZDNet

New malware found on 30,000 Macs has security pros stumped | Ars Technica

Apple Is Going to Make It Harder to Hack iPhones With Zero-Click Attacks

RIPE NCC discloses failed brute-force attack on its SSO service | ZDNet

Lawmakers Demand Answers from Military on Muslim App Data

BIND implements DNS-over-HTTPS to offer enhanced privacy | The Daily Swig

Parler Says It’s Back | WIRED

Security bugs left unpatched in Android app with one billion downloads | ZDNet

Yandex said it caught an employee selling access to users' inboxes | ZDNet

Prosecutor charges former phone company employee in SIM-swap scheme | Ars Technica

Authorities arrest SIM swapping gang that targeted celebrities | ZDNet

Data retention laws: Australian police given new metadata recommendations

Prosecutors Suspend Government Spyware Used in WhatsApp Phishing Attacks