Risky Business #615 -- Dependency confusion is, uh, pretty bad

PLUS: US floats new RU sanctions, TikTok gets stay of execution...
24 Feb 2021 » Risky Business

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • USA floats new sanctions against Russia
  • TikTok, WeChat get stay of execution
  • Dependency confusion is ugh
  • US indicts Lazarus crypto-thieves
  • France ties Sandworm crew to Centreon intrusion
  • MORE

This week’s show is brought to you by Thinkst Canary. Thinkst’s founder Haroon Meer is this week’s sponsor guest and he joins us to have a very Haroon-style conversation. We talk about how security controls and detections often fall over when things happen that take place outside of our assumptions: trojaned software updates, attackers hiding in unconventional places like monitors, things like that. That’s a great conversation.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Biden administration planning to sanction Russia for SolarWinds hacks - The Washington Post
SolarWinds hackers targeted NASA, Federal Aviation Administration networks | TechCrunch
SolarWinds hackers studied Microsoft source code for authentication and email | Reuters
Centreon says only 15 entities were targeted in recent Russian hacking spree | ZDNet
France Ties Russia's Sandworm to a Multiyear Hacking Spree | WIRED
Dax-Côte d’Argent hospital in France hit by ransomware attack | The Daily Swig
FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group | ZDNet
China Hijacked an NSA Hacking Tool in 2014—and Used It for Years | WIRED
Biden administration pauses Trump's plans to ban WeChat, TikTok - CyberScoop
North Korean Hackers Accused Of ‘Biggest Cryptocurrency Theft Of 2020’—Their Heists Are Now Worth $1.75 Billion
Feds Indict North Korean Hackers for Years of Heists and Scams | WIRED
Dependency confusion attack mounted via PyPi repo exposes flawed package installer behavior | The Daily Swig
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium
Microsoft warns enterprises of new 'dependency confusion' attack technique | ZDNet
Microsoft starts removing Flash from Windows devices via new KB4577586 update | ZDNet
Flash version distributed in China after EOL is installing adware | ZDNet
Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang — Krebs on Security
The Riviera Maya Gang: Cash, Crime, Killing - YouTube
Spike in ATM Skimming in Mexico? — Krebs on Security
Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests | ZDNet
New malware found on 30,000 Macs has security pros stumped | Ars Technica
Apple Is Going to Make It Harder to Hack iPhones With Zero-Click Attacks
RIPE NCC discloses failed brute-force attack on its SSO service | ZDNet
Lawmakers Demand Answers from Military on Muslim App Data
BIND implements DNS-over-HTTPS to offer enhanced privacy | The Daily Swig
Parler Says It’s Back | WIRED
Security bugs left unpatched in Android app with one billion downloads | ZDNet
Yandex said it caught an employee selling access to users' inboxes | ZDNet
Prosecutor charges former phone company employee in SIM-swap scheme | Ars Technica
Authorities arrest SIM swapping gang that targeted celebrities | ZDNet
Data retention laws: Australian police given new metadata recommendations
Prosecutors Suspend Government Spyware Used in WhatsApp Phishing Attacks
Canary — know when it matters