Podcasts

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Spy companies pitch ridiculously invasive approaches to contact tracing
• NSO Group busted running c2 boxes in USA according to WhatsApp lawsuit
• Australian government releases contact tracing app, no idea if it works
• Chinese telcos to get boot from USA
• Much, much more

The US Federal Communications Commission has ordered three Chinese State-owned telcos to ‘show cause’ for why it shouldn’t expunge their license to operate in the United States.

China Telecom Americas, China Unicom Americas and Pacific Networks each have 30 days to prove their operations and subsidiaries are “not subject to the influence and control of the Chinese government.” Among other demands, each must detail affiliations between directors/employees and the CCP/Chinese Government, provide network diagrams, list interconnections with other service providers, provide inventories of network equipment and hand over US subscriber information to avoid license revocation.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Czechs claim state-backed healthcare sector attack preparation
• Pompeo goes full cyber berserker
• New iOS exploit chain targets Uyghur diaspora
• Zoom 0day for $500k? Tell him he’s dreamin’

The United States is on the cusp of making far-reaching changes to how it defends its networks and projects its capabilities in cyberspace. Over the coming months, lawmakers will review the recommendations of the Cyberspace Solarium Commission - a year-long review into US cyber strategy. Will they have the nerve to push for contentious reforms, and who wins and loses in the process? Risky.Biz looks for answers in this three-part series.

Health authorities are revisiting plans to release hastily-developed COVID-19 contact tracing apps that are unsupported by Apple and Google, now that the tech giants are promising developers a built-in contact tracing framework.

Several countries have released, piloted or approved apps that use Bluetooth Low Energy for contact tracing well in advance of the Google-Apple (hereafter ‘Gapple’) announcement. Their experiences are instructive.

Inspired by Singapore’s TraceTogether app, the Czech Republic released the eRouška Android app on April 11. It did not release an iOS version for the same reason TraceTogether struggled with adoption - Apple does not support the use of Bluetooth Low Energy advertisements while apps run in the background, and won’t until apps conform to the Gapple framework. The Android app attracted 100,000 users (1% of population) in its first week.

NHSX - the digital arm of the UK’s NHS - is currently piloting a contact tracing app, but appears likely to pivot to make use of the Gapple framework. The UK Information Commissioner’s Office has signalled conditional support for it.

Snake Oilers is a wholly sponsored podcast series we do here at Risky.Biz where vendors come on to the show to pitch their wonderful, wonderful, magical snake oil to you, the listeners.

In today’s podcast you’ll hear from:

• Kenn White from MongoDB talking about client-side field level encryption
• AlphaSOC’s Chris McNab talking about their latest – they’re not just doing DNS analytics anymore
• SecureStack are making developer-friendly cloud security, provisioning and visibility tooling

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Details about Apple and Google’s contact tracing API and OS changes
• Alex Stamos joins Zoom as outside consultant
• More Zoom news
• US government weighs China Telecom ban following BGP hijacking
• Travelex paid $2.3m to decrypt files in ransomware attack.

Apple and Google have answered a call from policy makers to build a consent-based contact tracing tool for Android or iOS devices.

The two organisations will release OS updates in mid-May that allow health authorities to use ‘contact detection’ APIs developed by Apple and Google to launch multi-platform contact tracing apps.

Under the published design, if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral ‘tracing keys’) via Bluetooth Low Energy (BLE). Storage of these anonymised identifiers is decentralised - stored only on user devices.

A common adage in information security is that most startups don’t hire their first full-time security engineer until they’ve got around 300 staff.

If your app only stores public data and has no need to authenticate users, that might not present much of a problem. But when your app needs to be trusted to protect the confidentiality of a person’s political preference, it’s something else entirely.

It’s why Tusk Philanthropies - an organisation devoted to bringing mobile voting to the masses - is playing matchmaker between a half-dozen mobile voting startups and the security experts that can help bring them up to snuff.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• ASD launches offensive action against criminals
• Bio-tech firms working on COVID-19 targeted by ransomware
• Iran targets WHO
• Did you hear there’s a security issue with Zoom? You might not have heard. Don’t worry we’ll tell you about it
• Much, much more