In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• Thought eels were slippery? Check out AnyDesk’s PR!
• Why Microsoft’s 365 is a nightmare to secure
• Cloudflare’s needlessly hostile blog post
• US Government introduces “Disneyland ban” for spyware peddlers
• Much, much more…

This week’s feature guest is Eric Goldstein, the executive assistant director for cybersecurity at CISA. He’s joining the show to talk about CISA’s demand that US government agencies unplug their Ivanti appliances. He also chimes in on why the US government is so rattled by Volt Typhoon and addresses a recent report from Politico that claims CISA’s Joint Cyber Defense Collaborative is a bit of a shambles.

This week’s sponsor guest is Dan Guido from Trail of Bits. He joins us to talk about their new Testing Handbook. Trail of Bits does a bunch of audit work and they’ve committed to trying to make bug discovery a one time thing – if you find that bug once, you shouldn’t have to manually find it on another client engagement. Semgrep for the win!

Show notes

• AnyDesk initiates extensive credentials reset following cyberattack | Cybersecurity Dive
• AnyDesk says software ‘safe to use’ after cyberattack
• Former CIA officer who gave WikiLeaks state secrets gets 40-year sentence
• Arrests in $400M SIM-Swap Tied to Heist at FTX? – Krebs on Security
• Microsoft Breach — What Happened? What Should Azure Admins Do? | by Andy Robbins | Feb, 2024 | Posts By SpecterOps Team Members
• Cloudflare hit by follow-on attack from previous Okta breach | Cybersecurity Dive
• Thanksgiving 2023 security incident
• US announces visa restriction policy targeting spyware abuses
• Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware - United States Department of State
• Deputy Prime Minister hosts first global conference targeting ‘hackers for hire’ and malicious use of commercial cyber tools - GOV.UK
• New Google TAG report: How Commercial Surveillance Vendors work
• A Startup Allegedly ‘Hacked the World.’ Then Came the Censorship—and Now the Backlash | WIRED
• American businessman settles hacking case in UK against law firm
• Crime bosses behind Myanmar cyber ‘fraud dens’ handed over to Chinese government
• Another Chicago hospital announces cyberattack
• Deepfake scammer walks off with $25 million in first-of-its-kind AI heist | Ars Technica
• As if 2 Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3 | Ars Technica
• Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations
• Agencies using vulnerable Ivanti products have until Saturday to disconnect them | Ars Technica
• The far right is scaring away Washington's private hacker army - POLITICO
• Our thoughts on AIxCC’s competition format | Trail of Bits Blog
• How CISA can improve OSS security | Trail of Bits Blog
• Securing open-source infrastructure with OSTIF | Trail of Bits Blog
• Announcing the Trail of Bits Testing Handbook | Trail of Bits Blog
• 30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more | Trail of Bits Blog
• Publishing Trail of Bits’ CodeQL queries | Trail of Bits Blog
• The Unguarded Moment (2002 Digital Remaster) - YouTube
• Boy Swallows Universe | Official Trailer | Netflix - YouTube