Risky Business #615 -- Dependency confusion is, uh, pretty bad

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Co-host at large

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • USA floats new sanctions against Russia
  • TikTok, WeChat get stay of execution
  • Dependency confusion is ugh
  • US indicts Lazarus crypto-thieves
  • France ties Sandworm crew to Centreon intrusion
  • MORE

This week’s show is brought to you by Thinkst Canary. Thinkst’s founder Haroon Meer is this week’s sponsor guest and he joins us to have a very Haroon-style conversation. We talk about how security controls and detections often fall over when things happen outside of our assumptions: trojaned software updates, attackers hiding in unconventional places like monitors, things like that. That’s a great conversation.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.


Show notes

Biden administration planning to sanction Russia for SolarWinds hacks - The Washington Post

SolarWinds hackers targeted NASA, Federal Aviation Administration networks | TechCrunch

SolarWinds hackers studied Microsoft source code for authentication and email | Reuters

Centreon says only 15 entities were targeted in recent Russian hacking spree | ZDNet

France Ties Russia's Sandworm to a Multiyear Hacking Spree | WIRED

Dax-Côte d’Argent hospital in France hit by ransomware attack | The Daily Swig

FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group | ZDNet

China Hijacked an NSA Hacking Tool in 2014—and Used It for Years | WIRED

Biden administration pauses Trump's plans to ban WeChat, TikTok - CyberScoop

North Korean Hackers Accused Of ‘Biggest Cryptocurrency Theft Of 2020’—Their Heists Are Now Worth $1.75 Billion

Feds Indict North Korean Hackers for Years of Heists and Scams | WIRED

Dependency confusion attack mounted via PyPi repo exposes flawed package installer behavior | The Daily Swig

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium

Microsoft warns enterprises of new 'dependency confusion' attack technique | ZDNet

Microsoft starts removing Flash from Windows devices via new KB4577586 update | ZDNet

Flash version distributed in China after EOL is installing adware | ZDNet

Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang — Krebs on Security

The Riviera Maya Gang: Cash, Crime, Killing - YouTube

Spike in ATM Skimming in Mexico? — Krebs on Security

Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests | ZDNet

New malware found on 30,000 Macs has security pros stumped | Ars Technica

Apple Is Going to Make It Harder to Hack iPhones With Zero-Click Attacks

RIPE NCC discloses failed brute-force attack on its SSO service | ZDNet

Lawmakers Demand Answers from Military on Muslim App Data

BIND implements DNS-over-HTTPS to offer enhanced privacy | The Daily Swig

Parler Says It’s Back | WIRED

Security bugs left unpatched in Android app with one billion downloads | ZDNet

Yandex said it caught an employee selling access to users' inboxes | ZDNet

Prosecutor charges former phone company employee in SIM-swap scheme | Ars Technica

Authorities arrest SIM swapping gang that targeted celebrities | ZDNet

Data retention laws: Australian police given new metadata recommendations

Prosecutors Suspend Government Spyware Used in WhatsApp Phishing Attacks
