On this week’s show Patrick and Adam discuss the week’s security news, including:


The SSH backdoor that dreams (or nightmares) are made of
Microsoft gets a solid spanking from the CSRB
Ukraine uses an old Russian WinRAR bug to hack Russia
Push-notifications and social-engineering combined-arms vs Apple
And much, much more.


We have a special guest in this week’s show, Andres Freund, the Postgres developer who discovered the backdoor in the xz Linux compression library.

This week’s show is brought to you by Island, a company that makes a security-focussed enterprise browser. Island’s Bradon Rogers is this week’s sponsor guest and he’ll be joining us to talk about how people are swapping out their Virtual Desktop Infrastructure for enterprise-focussed browsers like theirs.





Show notes




Risky Biz News: Supply chain attack in Linuxland
oss-security - Re: backdoor in upstream xz/liblzma leading to ssh server compromise
Andres Freund (Tech) on X: "@binitamshah FWIW, I didn't actually start looking due to the 500ms - I started looking when I saw failing ssh logins (by the usual automated attempts trying random user/password combinations) using a substantial amount of CPU. Only after that I noticed the slower logins." / X
Andres Freund (Tech) on X: "@riskybusiness Absurdly enough, I was listening to the episode on a cooking break while writing the xz issue up. Couldn't make it up." / X
GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
research!rsc: The xz attack shell script
DHS report rips Microsoft for ‘cascade’ of errors in China hack - The Washington Post
Review of the Summer 2023 Microsoft Exchange Online Intrusion
Russian researchers say espionage operation using WinRAR bug is linked to Ukraine
Recent ‘MFA Bombing’ Attacks Targeting Apple Users – Krebs on Security
Ransomware gang leaks stolen Scottish healthcare patient data in extortion bid
Ross Anderson, professor and famed author of ‘Security Engineering,’ passes away