Risky Business #743 -- A chat about the xz backdoor with the guy who found it

On this week’s show Patrick and Adam discuss the week’s security news, including:

• The SSH backdoor that dreams (or nightmares) are made of


• Microsoft gets a solid spanking from the CSRB


• Ukraine uses an old Russian WinRAR bug to hack Russia


• Push-notifications and social-engineering combined-arms vs Apple


• And much, much more.

We have a special guest in this week’s show, Andres Freund, the Postgres developer who discovered the backdoor in the xz Linux compression library.

This week’s show is brought to you by Island, a company that makes a security-focussed enterprise browser. Island’s Bradon Rogers is this week’s sponsor guest and he’ll be joining us to talk about how people are swapping out their Virtual Desktop Infrastructure for enterprise-focussed browsers like theirs.

Show notes

• Risky Biz News: Supply chain attack in Linuxland



• oss-security - Re: backdoor in upstream xz/liblzma leading to ssh server compromise



• Andres Freund (Tech) on X: "@binitamshah FWIW, I didn't actually start looking due to the 500ms - I started looking when I saw failing ssh logins (by the usual automated attempts trying random user/password combinations) using a substantial amount of CPU. Only after that I noticed the slower logins." / X



• Andres Freund (Tech) on X: "@riskybusiness Absurdly enough, I was listening to the episode on a cooking break while writing the xz issue up. Couldn't make it up." / X



• GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)



• research!rsc: The xz attack shell script



• DHS report rips Microsoft for ‘cascade’ of errors in China hack - The Washington Post



• Review of the Summer 2023 Microsoft Exchange Online Intrusion



• Russian researchers say espionage operation using WinRAR bug is linked to Ukraine



• Recent ‘MFA Bombing’ Attacks Targeting Apple Users – Krebs on Security



• Ransomware gang leaks stolen Scottish healthcare patient data in extortion bid



• Ross Anderson, professor and famed author of ‘Security Engineering,’ passes away