Risky Business #622 -- GitHub weighs exploit ban

PLUS: Should software ship with a "bill of behaviours"?
05 May 2021 » Risky Business

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • GitHub weighs banning exploits
  • Ransomware galore
  • Belgian government crippled in DDoS attack
  • Intrusion Truth Twitter account suspended
  • More Pulse Secure victims identified
  • Much, much more

This week’s show is brought to you by ExtraHop Networks, and they’ll pop along in this week’s sponsor interview to float a really, really good idea. The Biden administration EO on cybersecurity will mandate that software be shipped with a so-called software bill of materials so customers will actually know what’s in their supply chain. Ben Higgins and Ted Driggs from ExtraHop will join us today to argue that vendors should also supply a bill of behaviours: data in a standardised form that will tell you things like what domains and IPs the software will connect to.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Belgium's government network goes down after massive DDoS attack | The Record by Recorded Future
Exclusive: Hackers Break Into Glovo, Europe’s $2 Billion Amazon Rival
'Phishing' Sites Buying Workplace Login Details Linked to Well-Funded Startup
GitHub to review its exploit-hosting policy in light of recent scandal | The Record by Recorded Future
More US agencies potentially hacked, this time with Pulse Secure exploits | Ars Technica
Twilio discloses impact from Codecov supply-chain attack
Twitter restricts account of Intrusion Truth, which doxxes suspected Chinese hackers
Suspected Chinese hackers are breaking into nearby military targets
NSA warns defense contractors to double check connections in light of Russian hacking
Hackers disrupt networks at San Diego medical provider, Kansas organ transplant facilitator
Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack | The Record by Recorded Future
DOJ hiring new liaison prosecutor to hunt cybercriminals in Eastern Europe | The Record by Recorded Future
Babuk gang says it will stop ransomware attacks after DC Police incident | The Record by Recorded Future
Ransomware gang leaks court and prisoner files from Illinois Attorney General Office | The Record by Recorded Future
QNAP warns of AgeLocker ransomware attacks against NAS devices | The Record by Recorded Future
Ransomware gang targets Microsoft SharePoint servers for the first time | The Record by Recorded Future
Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin | WIRED
An Ambitious Plan to Tackle Ransomware Faces Long Odds | WIRED
Task Force Seeks to Disrupt Ransomware Payments – Krebs on Security
The IRS Wants Help Hacking Cryptocurrency Hardware Wallets
Experian API Exposed Credit Scores of Most Americans – Krebs on Security
Magecart scammers aim at restaurants' online delivery systems
They Told Their Therapists Everything. Hackers Leaked It All | WIRED
XSS in the wild: JavaScript-stuffed orders used to compromise Japanese e-commerce sites | The Daily Swig
Microsoft discloses 'BadAlloc' bugs affecting smart devices, industrial gear | The Record by Recorded Future
Watch A Tesla Have Its Doors Hacked Open By A Drone
Time to update DNS servers to defend against brace of serious BIND vulnerabilities | The Daily Swig
Google Android’s implementation of privacy-preserving contact tracing ‘flawed’ | The Daily Swig
Dell patches 12-year-old driver vulnerability impacting millions of PCs | The Record by Recorded Future
Microsoft will permanently remove Flash from Windows PCs by July 2021 | The Record by Recorded Future
21Nails vulnerabilities impact 60% of the internet's email servers | The Record by Recorded Future
Qualys researchers uncover 21 bugs in Exim mail servers - CyberScoop
New Spectre attack once again sends Intel and AMD scrambling for a fix | Ars Technica
Hall of Fame: Mark Dowd - YouTube
Florida homecoming queen faces up to 16 years after alleged scheme to hack high school contest