Risky Business #517 -- Bloomberg's dumpster fire lights up infosec

Bloomberg has previously published false, made-up security stories about imaginary things that didn't happen...
10 Oct 2018 » Risky Business

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Bloomberg’s shaky, disputed report on hardware back doors
  • A look back on other false reports about imaginary incidents published by Bloomberg
  • GRU operations doxed by GCHQ
  • DOJ charges Russian intelligence officers
  • APT crews targeting MSPs
  • Google+ API exposure the final straw
  • Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Turkish Pipeline Explosion Probably No Cyber Attack - Digital - Süddeutsche.de
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
Codebook - October 10, 2018 - Axios
Patrick Gray on Twitter: "Just got this from Bloomberg PR.… "
Apple Bloomberg Congressional Letter
Patrick Gray on Twitter: "Holy shit… "
Report: Apple designing its own servers to avoid snooping | Ars Technica
Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg
HHM22137A2 TDK | Mouser Australia
Reckless campaign of cyber attacks by Russian military intelligence service exposed - NCSC Site
Justice Department charges 7 Russian intelligence officers
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations | OPA | Department of Justice
Gordon Corera on Twitter: "Breaking - Dutch intelligence (with help of British) disrupted a Russian GRU cyber operation targeting OPCW on April 13th. Four Russian intelligence officers escorted out of country."
Advanced Persistent Threat Activity Exploiting Managed Service Providers | US-CERT
Google shuts down Google+ after API bug exposed details for over 500,000 users | ZDNet
Google Plus Will Be Shut Down After User Information Was Exposed - The New York Times
Google forcibly enables G Suite alerts for government-backed attacks | ZDNet
SandboxEscaper on Twitter: "Why did gmail just throw a notification that government attackers are trying to get into my account. Not even kidding -.-"
Google sets new rules for third-party apps to access Gmail data | ZDNet
It's 2018, and network middleware still can't handle TLS without breaking encryption | ZDNet
CEO Pleads Guilty to Selling Encrypted Phones to Organized Crime - Motherboard
Project Zero: 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT | ZDNet
U.S. GAO - Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
Senetas, a leading provider of encryption technology