Risky Business #735 -- AnyDesk fails the transparency test

PLUS: CISA's executive assistant director for cybersecurity drops by...
07 Feb 2024 » Risky Business

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

  • Thought eels were slippery? Check out AnyDesk’s PR!
  • Why Microsoft’s 365 is a nightmare to secure
  • Cloudflare’s needlessly hostile blog post
  • US Government introduces “Disneyland ban” for spyware peddlers
  • Much, much more…

This week’s feature guest is Eric Goldstein, the executive assistant director for cybersecurity at CISA. He’s joining the show to talk about CISA’s demand that US government agencies unplug their Ivanti appliances. He also chimes in on why the US government is so rattled by Volt Typhoon and addresses a recent report from Politico that claims CISA’s Joint Cyber Defense Collaborative is a bit of a shambles.

This week’s sponsor guest is Dan Guido from Trail of Bits. He joins us to talk about their new Testing Handbook. Trail of Bits does a bunch of audit work and they’ve committed to trying to make bug discovery a one-time thing – if you find that bug once, you shouldn’t have to manually find it again on another client engagement. Semgrep for the win!

Show notes

AnyDesk initiates extensive credentials reset following cyberattack | Cybersecurity Dive
AnyDesk says software ‘safe to use’ after cyberattack
Former CIA officer who gave WikiLeaks state secrets gets 40-year sentence
Arrests in $400M SIM-Swap Tied to Heist at FTX? – Krebs on Security
Microsoft Breach — What Happened? What Should Azure Admins Do? | by Andy Robbins | Feb, 2024 | Posts By SpecterOps Team Members
Cloudflare hit by follow-on attack from previous Okta breach | Cybersecurity Dive
Thanksgiving 2023 security incident
US announces visa restriction policy targeting spyware abuses
Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware - United States Department of State
Deputy Prime Minister hosts first global conference targeting ‘hackers for hire’ and malicious use of commercial cyber tools - GOV.UK
New Google TAG report: How Commercial Surveillance Vendors work
A Startup Allegedly ‘Hacked the World.’ Then Came the Censorship—and Now the Backlash | WIRED
American businessman settles hacking case in UK against law firm
Crime bosses behind Myanmar cyber ‘fraud dens’ handed over to Chinese government
Another Chicago hospital announces cyberattack
Deepfake scammer walks off with $25 million in first-of-its-kind AI heist | Ars Technica
As if 2 Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3 | Ars Technica
Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations
Agencies using vulnerable Ivanti products have until Saturday to disconnect them | Ars Technica
The far right is scaring away Washington's private hacker army - POLITICO
Our thoughts on AIxCC’s competition format | Trail of Bits Blog
How CISA can improve OSS security | Trail of Bits Blog
Securing open-source infrastructure with OSTIF | Trail of Bits Blog
Announcing the Trail of Bits Testing Handbook | Trail of Bits Blog
30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more | Trail of Bits Blog
Publishing Trail of Bits’ CodeQL queries | Trail of Bits Blog
The Unguarded Moment (2002 Digital Remaster) - YouTube
Boy Swallows Universe | Official Trailer | Netflix - YouTube