Paul’s Security Weekly (Video)

"Code of Honor: Embracing Ethics in Cybersecurity" by Ed Skoudis is a book that explores the ethical challenges faced by cybersecurity professionals in today's digital landscape. The book delves into the complex moral dilemmas that arise in the field of cybersecurity, offering guidance on how to navigate these issues while maintaining integrity. The authors provide practical advice and real-world examples to help readers develop a strong ethical framework for decision-making in their cybersecurity careers.

Segment Resources:

• Code of Honor: https://www.montreat.edu/cybersecurity-code/
• Purchase Ed's book here: https://a.co/d/gb3yRxU

Show Notes: https://securityweekly.com/psw-846

Automated tank gauges are leaking more than just fuel, while CUPS is serving up a steaming hot brew of vulnerabilities. Meanwhile, Supermicro's BMC firmware is giving away root access like it's going out of style. If you thought your Kia was safe, think again - all it takes is a license plate and 30 seconds to turn your car into a hacker's joyride. China's been busy building a massive IoT botnet called Raptor Train. It's been chugging along undetected for four years. NIST has decided that your password doesn't need to be a cryptographic masterpiece anymore. No more special characters or arbitrary changes - just make it long and don't use "password123". A Texas hospital is playing a game of "hot potato" with ambulances thanks to a ransomware attack. More thoughts on known exploited vulnerabilities, firmware unpacking tools lowdown, Aruba, Bahama, come-on command injection, and kids changing the name of their school!

Show Notes: https://securityweekly.com/psw-845

This episode of Paul Security Weekly features John Hammond, a senior security researcher from Huntress, discussing malware analysis. Hammond dives into the analysis of Ocean Lotus attacks, highlighting the use of stealthy techniques like alternate data streams and DLL side-loading. The conversation also touches on the challenges of combating attackers who leverage ‘bring your own vulnerable driver’ techniques to gain kernel-level privileges. The hosts discuss the need for secure-by-default configurations and the ongoing struggle to combat attackers who exploit vulnerabilities. The episode concludes with a discussion on how to improve the security of the industry.

Segment Resources:

• https://www.huntress.com/blog/the-hackers-in-the-arena-the-huntress-ctf-retrospective
• https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software

Show Notes: https://securityweekly.com/psw-845

Kayla Williams, Chief Security Information Officer at Devo, discussed the role of AI in cybersecurity and the ongoing issue of burnout for SOC analysts. Working with Wakefield Research, Devo discovered that 83% of IT professionals feel burnt out due to stress, lack of sleep, and anxiety. Many also report that their burnout leads to breaches.

This segment is sponsored by Devo . Visit https://securityweekly.com/devo to learn more about them!

Segment Resources: SOC Analyst Appreciation Day: https://www.socanalystday.com/ Kayla's LinkedIn: https://www.linkedin.com/in/kaylamwilliams1/

Show Notes: https://securityweekly.com/psw-844

This week in the security news, Dr. Doug and Larry explore various technological advancements and their implications with a healthy dose of nostalgia, particularly focusing on health monitoring through Wi-Fi signals, the misconceptions surrounding 5G connectivity, the importance of understanding internet speed needs, and the cybersecurity threats facing water systems. They also discuss the potential chaos that could arise from infrastructure failures and the vulnerabilities present in automated tank gauges, emphasizing the need for better asset management and security measures.

Show Notes: https://securityweekly.com/psw-844

Gain insights into the CISA KEV straight from one of the folks at CISA, Tod Beardsley, in this episode of Below the Surface. Learn how KEV was created, where the data comes from, and how you should use it in your environment.

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Show Notes: https://securityweekly.com/psw-843

Apple drops a lawsuit to avoid exposing secrets, what does it mean for the security industry if MS locks down the kernel?, exploding pagers, more things from the past: Adobe Flash exploits, robots get rid of your data, PKFail is still a thing, Android TV malware is back: now with conspiracy theories, DMA attacks, gamers are not nation-state attackers, the story of a .MOBI Whois server, a better bettercap, and when not to trust video baby monitors.

Show Notes: https://securityweekly.com/psw-843

Don't tell the FCC there is a new Flipper firmware release, unpatchable?, argv[0] and sneaking past defenses, protect your registries, someone solved my UART RX problem, PKFail update, legal threats against security researchers documented, EDR bypass whack-a-mole continues, emulating PIs, VScode moonlights as a spy, Want to clone a YubiKey? All you need is $11,000, some fancy gear, and awkwardly close proximity to your victim, and Telegram’s encryption: it’s kinda like putting a 'Keep Out' sign but leaving the door unlocked.

Show Notes: https://securityweekly.com/psw-842

Lee comes on the show to discuss:

• EU CRA - https://en.wikipedia.org/wiki/CyberResilienceAct - its impact on bringing products to market and the challenges of enforcing such laws that require products to be "Secure"
• Recent legislation on disputes for federal agency fines - Chevron deference rule - supreme court decision, uncertainty, more or less clarity - proven in the first court case? opens to more litigation -https://www.nrdc.org/stories/what-happens-if-supreme-court-ends-chevron-deference
• Breach disclosure laws - mandatory disclosure rules from the SEC - https://www.sec.gov/newsroom/press-releases/2024-31
• Defcon cease and desist - “Copyright Act, the Defend Trade Secret Acts, the Computer Fraud and Abuse Act, and the Digital Millennium Copyright Act” - https://securityledger.com/2024/08/a-digital-lock-maker-tried-to-squash-a-def-con-talk-it-happened-anyway-heres-why/

Show Notes: https://securityweekly.com/psw-842

Exploring the Hacking Landscape with Mark Loveless, AKA SimpleNomad

Dive into the intricate world of cybersecurity with our featured guest, Mark Loveless, widely known by his handle SimpleNomad. With a rich history in the realm of information security, Mark is a seasoned professional, researcher, and thought leader.

Mark's journey spans decades, marked by a commitment to uncovering vulnerabilities and understanding the ever-changing threat landscape. As a prominent figure in the cybersecurity community, he has contributed significantly to the field, sharing insights, research findings, and expertise.

Join us in this podcast interview as Mark reflects on his experiences, discusses the evolution of cybersecurity challenges, and shares his perspectives on emerging trends. With a deep understanding of both offensive and defensive security, Mark brings a unique perspective to the conversation, offering valuable insights into the strategies and tactics employed by cybersecurity professionals.

As a respected voice in the industry, Mark Loveless has not only witnessed the evolution of cybersecurity but has actively shaped its trajectory through his contributions to research, writing, and speaking engagements. This episode provides a rare opportunity to gain knowledge from a cybersecurity veteran and explore the nuances of an ever-expanding digital landscape.

Tune in to discover the wisdom and experiences that have defined Mark Loveless's career and gain a deeper understanding of the complexities and challenges inherent in the world of cybersecurity.

Show Notes: https://securityweekly.com/vault-psw-12

This week: I want all the firmware, its not just TP-Link, CVEs for malware, BLE and your health, faking your own death, serial ports, stealthy Linux malware, call this number, finding all the Wordpress plugin vulnerabilities!

Show Notes: https://securityweekly.com/psw-841

Larry and Helen walk us through the AI supply chain landscape. Learn what goes into building and using AI models and the dangers that could lurk within.

Segment Resources:

• Community efforts on AIBOM topic: https://github.com/aibom-squad

Show Notes: https://securityweekly.com/psw-841

This week: YAVD: Yet Another Vulnerable Driver, why bring your own when one already exists, backdoors in MIFARE Classic, wireless hacking tips, AMD sinkclose vulnerability will keep running, you down with SLDP yea you know me, Phrack!, IoTGoats, Pixel vulnerabilities, leaking variables, a DEF CON talk that was not cancelled, Telnet is still a thing, More CNAs, and the last thing Flint Michigan needed was a ransomware attack!

Show Notes: https://securityweekly.com/psw-840

Every week here on the show we talk about vulnerabilities and exploits. Typically we recommend that organizations remediate these vulnerabilities in some way. But how? And more importantly, which ones? Some tools we have to help us are actually not all that helpful at time, such as:

• Mitre Att&ck - Don't get me wrong, this is a great project and Adam and team is doing a great job. However, its not a complete picture as we can't possibly know about every attack vector (or can we?). People seem to think if they cover everything in the framework they will be secure. You can't cover everything in the framework because each technique can be utilized by an attack in a hundred different ways.
• CVSS - Anyone can apply a score, but who is correct? Good that we have a way to score things, but then people will just use this as a basis for what they patch and what they do not. Also, chaining vulnerabilities is a thing, but we seem to lack any way to assign a score to multiple vulnerabilities at once (different from a technique). Also, some things don't get a CVE, how are you tracking, assessing risk, and patching these?
• CISA KEV - Again, love the project and Tod is doing amazing work. However, what about things that do not get a CVE? Also, how do you track every incident of an attacker doing something in the wild? Also, there is frequency, just because something got exploited once, does that mean you need to patch it right away? How are we tracking how often something is exploited as it is not just a binary "yes, its exploited" or "no, it is not".
• EPSS - I do like the concept and Wade and Jay are doing amazing work. However, there seems to be a "gut reaction" thing going on where we do see things being exploited, but the EPSS score is low. How can we get better at predicting? We certainly have enough data, but are we collecting the right data to support a model that can tell us what the attackers will do next?

Show Notes: https://securityweekly.com/psw-840

This week: Option ROMS are a novel way to compromise a system at the lowest level, Sinkclose opens AMD processors up to attacks, at home in your firmware exploiting SMM complete with examples, Sonos speakers get hacked and enable attackers to listen in on your conversations, DEF CON badges use new chips and are not without controversy, lasers that can steal your passwords, it was a regex, Larry updates us on some IoT research, attackers have your SSN, and more updates from last week's hacker summer camp!

Show Notes: https://securityweekly.com/psw-839

Early on in his career Spaf was working with microcode and continued to work on technical projects. As time went on he realized that focusing on the non-technical work, such as policies and shaping our thinking, would help move the needle. Borrowing concepts from his book on the subject, we will delve into some cybersecurity myths such as: Are users really the weakest link? Are cybersecurity vendors truly incentivized to provide better security? Do we agree on what cybersecurity really means? - Do not miss this segment!

Show Notes: https://securityweekly.com/psw-839

Learn what is most interesting at hacker summer camp this year!

Show Notes: https://securityweekly.com/psw-838

This week, Downgrade attacks, bootloader fun, check your firmware before you wreck your firmware, you've got mail server issues, Ivanti is the new Rhianna, you should update your BIOS, Openwrt dominates, and attacking the security tools for fun and profit!

Show Notes: https://securityweekly.com/psw-838

Hacking traffic lights (for real this time), the Docker API strikes again, access Github deleted data, using EDR to elevate privileges on Windows, computers I need in my life, failed experiments and Raspberry PI access points, sitting ducks and TuDoor - its always DNS times 2, null sessions and a blast from the past, chaining UEFI vulnerabilities, pirates exposed, revoking SSL certificates, and using AI to analyze your brain: Multimodal Automated Interpretability Agent!

Show Notes: https://securityweekly.com/psw-837

John is one of the foremost experts in UEFI and joins us to talk about PK Fail! What happens when a vendor in the supply chain accidentally loses a key? It's one of the things that keeps me up at night. Well, now my nightmare scenario has come true as a key has been leaked. Learn how and why and what you can do about it in this segment!

Show Notes: https://securityweekly.com/psw-837

Segment description coming soon!The Crowdstrike incident: what happened and what we can do better, people forget what 0-Day really means, shutting off the heat in January, honeypot evasion and non-functional exploits, what not to use to read eMMC, what if we don't patch DoS related vulnerabilities, a CVSS 10 deserves its own category, port shadow attacks, IPC and DBUS and a very informative and entertaining article, container breakouts, when you are bored on an airplane, Linksys security violations, fake IT workers, Telegram 0-day, and how to be more resilient on the same technology stack!

Show Notes: https://securityweekly.com/psw-836

Doug and the Security Weekly crew talk about vulnerabilities, are we patching the right things? This is the burning question. We will try to answer it.

Segment Resources: https://blog.sonicwall.com/en-us/2024/04/patch-tuesday-which-vulnerabilities-really-need-prioritizing/

Show Notes: https://securityweekly.com/psw-836

Find new flaws in UEFI using STASE, combining vulnerabilities to exploit Sonicwall Devices, remote BMC exploits, Netgear patches, and not a lot of information, 22 minutes before exploited, if the secrets were lost, we'd all be in screwed, Exim has not been replaced by something better and its vulnerable, CISA's red team reports, and attackers use drivers to attack EDR, the saga continues!

Show Notes: https://securityweekly.com/psw-835

Thinking about getting a 3D printer or have one and need a good primer? Check out this segment, we live 3D print a Captain Crunch whistle and talk all about 3D printing for hackers!

Segment Resources:

• Slides used in this segment: https://files.scmagazine.com/wp-content/uploads/2024/07/3D-Printing-for-Hackers.pdf

Major 3D Printer Websites:

• https://vorondesign.com/
• https://www.prusa3d.com/
• https://www.creality.com/
• https://bambulab.com/
• https://elegoo.com

Major 3D File libraries:

• https://printables.com (Prusa)
• https://thingiverse.com
• https://thangs.com
• https://makerworld.com (Bambu Labs)
• https://cults3d.com

Youtube Channels:

• Uncle Jessy
• CnC Kitchen
• The Edge of Tech
• Makers Muse

Show Notes: https://securityweekly.com/psw-835

Bats in your headset, Windows Wifi driver vulnerabilities, Logitech's dongles, lighthttpd is heavy with vulnerabilities, node-ip's not vulnerability, New Intel CPU non-attacks, Blast Radius, Flipper Zero alternatives, will OpenSSH be exploited, emergency Juniper patches, and the D-Link botnet grows.

Show Notes: https://securityweekly.com/psw-834

Iceman comes on the show to talk about RFID and NFC hacking including the tools, techniques, and hardware. We'll also talk about the ethics behind the disclosure of vulnerabilities and weaknesses in these systems that are used in everything from building access to cars.

Segment Resources:

• Youtube channel - https://www.youtube.com/@iceman1001
• Proxmark3 forums - http://www.proxmark.org/forum/index.php
• Proxmark3 Repository - https://github.com/rfidresearchgroup/proxmark3
• Awesome RFID talks - https://github.com/doegox/awesome-rfid-talks

Show Notes: https://securityweekly.com/psw-834

Exploring the Hardware Hacking Realm with Joe Grand, AKA Kingpin

Joe Grand, also known by his hacker pseudonym "Kingpin," stands as a prominent figure in the cybersecurity landscape. With an extensive background in hardware hacking, reverse engineering, and embedded systems, Joe has carved a niche for himself as a respected authority in the field.

As a seasoned security professional, Joe has contributed significantly to the cybersecurity community through his expertise and innovation. With a career spanning decades, he has become a go-to resource for insights into the intricacies of hardware security, emphasizing the critical intersection between hardware and software vulnerabilities.

In our podcast interview, we delve into Joe's journey – from his early forays into hacking to his current role as a thought leader in cybersecurity. Gain a unique perspective on the evolving challenges faced by security professionals, especially in the context of hardware-based threats.

Joe's expertise extends beyond theoretical knowledge, as he has been actively involved in hands-on research and development. As a co-founder of Grand Idea Studio, he has played a pivotal role in developing cutting-edge hardware security tools, contributing to the arsenal of cybersecurity professionals worldwide.

Join us as we explore the world of hardware hacking, reverse engineering, and the broader cybersecurity landscape with Joe Grand. Whether you're an aspiring hacker, a seasoned security professional, or simply curious about the intricacies of cybersecurity, this podcast episode promises deep insights into the mind of a true cybersecurity luminary.

Show Notes: https://securityweekly.com/vault-psw-11

Zyxl NAS devices are under attack and the exploit is pretty simple, A new UEFI vulnerability with a name that some people don't like, that time you setup a load balancer and forgot about it, I love it when there is a vulnerability in a Wifi driver, Polyfill is filling the Internet with supply chain vulnerabilities, open source doesn't mean more secure, what happens when there is a vulnerability in your bootload, The Red Hat Linux kernel model is broken, when disclosure goes wrong, and more IoT router vulnerabilities.

Show Notes: https://securityweekly.com/psw-833

This may be controversial, however, we've been privately discussing how organizations benefit from penetration testing and vulnerability scanning. Do you still need these services as a critical part of your security program? Can't you just patch stuff that is missing patches? Tune in for a lively debate!

Show Notes: https://securityweekly.com/psw-833

Exploring the Strategic Minds in Cybersecurity: A Conversation with Dave Aitel

Welcome to an enlightening episode of our podcast, where we sit down with Dave Aitel, a prominent figure in the cybersecurity landscape. With a robust background in offensive security and an extensive career spanning various facets of the industry, Dave brings a wealth of knowledge and strategic insights to our discussion.

As the Founder and CEO of Immunity Inc., a leading cybersecurity company, Dave has played a pivotal role in shaping the cybersecurity landscape. Join us as we delve into his journey, from his early experiences in cybersecurity to the strategic decisions that have defined his role as a thought leader in the field.

In this episode, we explore Dave's perspectives on the ever-evolving threat landscape, offensive security strategies, and the intricate balance between security and privacy. Gain valuable insights into the methodologies and philosophies that underpin his approach to addressing the challenges posed by cyber threats.

Dave Aitel's expertise extends beyond technical domains; he is also recognized for his contributions to policy discussions on cybersecurity. Discover how his experiences and viewpoints contribute to the broader discourse on cybersecurity policy, technology, and the future of digital defense.

Whether you're a cybersecurity professional, an industry enthusiast, or someone keen on understanding the strategic dimensions of cybersecurity, this podcast episode with Dave Aitel is bound to offer thought-provoking perspectives and strategic insights.

Tune in to explore the intersection of technology, security, and strategy with one of the industry's strategic minds, Dave Aitel.

Show Notes: https://securityweekly.com/vault-psw-10

Skyrocketing IoT vulnerabilities, bricked computers?, MACBORG!, raw dogging source code, PHP strikes again and again, if you have a Netgear WNR614 replace it now, Arm Mali, new OpenSSH feature, weird headphones, decrypting firmware, and VPNs are still being hacked!

Show Notes: https://securityweekly.com/psw-832

We will discuss LLM security in general and some of the issues covered in the OWASP Top 10 for LLMs!

Segment Resources:

• https://genai.owasp.org/

Show Notes: https://securityweekly.com/psw-832

This week: Take on the upstream, how hard is it to patch end-of-life software, hack millions of routers, take over millions of routers, 0-days, and no responses, hack Taylor Swift wristbands, can you detect that covert channel?, and breach reports from Ticketmaster, Snowflake, Santander, and TikTok, and top it all of with C-level DNS servers dropping off the Internet!

Show Notes: https://securityweekly.com/psw-831

Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more!

Segment Resources:

• NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/
• Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/

Josh's podcasts:

• https://opensourcesecurity.io/category/podcast/
• https://hackerhistory.com/

Show Notes: https://securityweekly.com/psw-831

Making The World A More Secure Place: Joshua Corman's Journey and Insights

Welcome to an insightful podcast episode featuring Joshua Corman, a prominent figure in the realm of cybersecurity. With a wealth of experience and a keen understanding of the evolving threat landscape, Joshua has established himself as a thought leader and influencer in the cybersecurity community.

In this episode, we explore Joshua's professional journey, from his early days in the industry to his current position as a respected cybersecurity leader. With a focus on practical strategies and real-world challenges, Joshua shares valuable insights into the complexities of modern cybersecurity and the strategies organizations can employ to navigate this dynamic landscape.

As a recognized authority on security, Joshua Corman's expertise spans a range of topics, including risk management, threat intelligence, and the intersection of security with technology and business. Join us as we delve into his experiences, lessons learned, and the principles that guide his approach to addressing the ever-present challenges of cybersecurity.

Whether you are a cybersecurity professional, technology enthusiast, or someone keen on understanding the intricacies of safeguarding digital assets, this podcast offers a unique opportunity to gain perspective from one of the industry's thought leaders. Tune in to discover the wisdom and practical advice Joshua Corman brings to the table, shedding light on the current state of cybersecurity and its future trajectory.

Show Notes: https://securityweekly.com/vault-psw-9

An exploit that makes you more secure, pardon the interruption, water heater company in hot water, IoT devices are vulnerable, Squeege and RDP scraping, free laundry for everyone!, Wifi routers and Apple Air tags, North Koreans fill US IT positions, taking out drones, the NVD backlog, IBM is no longer a security company?, and DNSBombs!

Show Notes: https://securityweekly.com/psw-830

The Security Weekly crew and special guest Seemant Sehgal explore what PTaaS involves, how it differs from traditional penetration testing, and why it's becoming a crucial service for companies of all sizes to protect their digital assets. We'll discuss the how PTaaS is using the latest technologies (e.g machine learning), the benefits of having a third-party service, and real-world scenarios where PTaaS has successfully thwarted potential security breaches. PTaaS can be a game-changer in enhancing your organization’s security posture!

This segment is sponsored by Breachlock. Visit https://securityweekly.com/breachlock to learn more about them!

Show Notes: https://securityweekly.com/psw-830

Vulnrichment (I just like saying that word), Trustworthy Computing Memo V2, SSID confusion, the Flipper Zero accessory for Dads, the state of exploitation, Hackbat, Raspberry PI Connect, leaking VPNs, exploiting faster?, a new Outlook 0-Day?, updating Linux, and a 16-year-old vulnerability.

Show Notes: https://securityweekly.com/psw-829

Has cryptocurrency done more harm than good? Our guest for this segment has some interesting views on its impacts!

Show Notes: https://securityweekly.com/psw-829

Illuminating the Cybersecurity Path: A Conversation with Jeremiah Grossman

Join us for a compelling episode featuring Jeremiah Grossman, a prominent figure in the cybersecurity landscape. As a recognized expert, Jeremiah has played a pivotal role in shaping the discourse around web security and risk management.

Jeremiah's journey in cybersecurity is marked by a series of influential roles, including Chief of Security Strategy at SentinelOne and Founder of WhiteHat Security. With a focus on web application security, he has been a driving force in advocating for innovative approaches to protect organizations from cyber threats.

In this episode, we explore Jeremiah's vast experience and delve into his insights on the ever-evolving cybersecurity challenges. From his early days as a hacker to his current position as a sought-after industry thought leader, Jeremiah shares valuable perspectives on the strategies and philosophies that underpin effective cybersecurity practices.

As a pioneer in the field, Jeremiah has contributed significantly to the development of best practices for identifying and mitigating web-related vulnerabilities. Tune in to gain a deeper understanding of the evolving threat landscape and the proactive measures organizations can take to secure their digital assets.

Whether you're a cybersecurity professional, tech enthusiast, or someone eager to comprehend the complexities of online security, this podcast with Jeremiah Grossman promises to be an illuminating exploration of the past, present, and future of cybersecurity.

Show Notes: https://securityweekly.com/psw-828

In this RSAC 2024 South Stage Keynote, Mikko Hyppönen will look back at the past decade of ransomware evolution and explore how newer innovations, like AI, are shaping its future.

Show Notes: https://securityweekly.com/psw-828

ChatGPT writes exploits, banning default and weak passwords, forget vulnerabilities just get rid of malware, IR blasting for fun and not profit, creating fake people, shattered dreams and passkey, and removing chips.

Show Notes: https://securityweekly.com/psw-827

The Security Weekly crew discusses some of the latest articles and research in cryptography and some background relevant subtopics including the race against quantum computing, key management, creating your own crypto, selecting the right crypto and more!

• https://www.globalsecuritymag.com/keysight-introduces-testing-capabilities-to-strengthen-post-quantum.html
• https://malware.news/t/reversinglabs-hashing-algorithm/81418
• https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/
• https://www.finextra.com/newsarticle/44060/hsbc-and-paypal-tackle-quantum-safe-cryptography-in-payments
• https://blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/
• https://blog.cryptographyengineering.com/2024/04/16/a-quick-post-on-chens-algorithm/

Show Notes: https://securityweekly.com/psw-827

This week the crew discusses: When TVs scan your network, bad things can happen, PuTTY is vulnerable, Crush FTP, vulnerabilities that will never be fixed, CVEs are for vulnerabilities silly, you can test for easily guessable passwords too, FlipperZero can steal all your passwords, more XZ style attacks, more reasons why you shouldn't use a smart lock, and your keystrokes are showing!

Show Notes: https://securityweekly.com/psw-826

On February 27, 2024, PCAST (President’s Council of Advisors on Science and Technology) sent a report to the President with recommendations to bolster the resilience and adaptability of the nation’s cyber-physical infrastructure resources. Phil was part of the team that worked on the report and comes on the show to talk about what was recommended and how we implement the suggestions.

Show Notes: https://securityweekly.com/psw-826

Pioneering the Cyber Battlefield: A Deep Dive with Winn Schwartau, Cybersecurity Luminary

Get ready for an extraordinary episode as we sit down with Winn Schwartau, a true pioneer and luminary in the world of cybersecurity. Winn's impact on the field is nothing short of legendary, and in this podcast interview, we uncover the profound insights and experiences that have shaped his unparalleled career.

Winn Schwartau's journey began long before the mainstream recognition of cybersecurity as a critical discipline. As a thought leader and visionary, he foresaw the digital threats that would come to define our interconnected age. Join us as we delve into the early days of cybersecurity and explore the foresight that led Winn to become a trailblazer in the industry.

An accomplished author, speaker, and strategist, Winn Schwartau has been at the forefront of shaping cybersecurity policies and practices. From his groundbreaking book "Information Warfare" to his influential work on the concept of the "Electronic Pearl Harbor," Winn has consistently pushed the boundaries of conventional thinking in cybersecurity.

In this podcast episode, Winn shares his unique perspective on the evolution of cyber threats, the challenges faced by individuals and organizations, and the urgent need for a paradigm shift in cybersecurity strategy. Prepare to be captivated by the stories and experiences that have fueled Winn's advocacy for a more resilient and secure digital world.

Whether you're a cybersecurity professional, an enthusiast, or simply intrigued by the profound impact of technology on our lives, this conversation with Winn Schwartau promises to be a journey through the past, present, and future of cybersecurity.

Don't miss the chance to gain unparalleled insights from a true cybersecurity luminary. Tune in and discover the wisdom that only Winn Schwartau can bring to the table in this illuminating podcast interview.

Show Notes: https://securityweekly.com/psw-825

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) puts greater emphasis on application security than did previous versions of the standard. It also adds a new “customized approach” option that allows merchants and other entities to come up with their own ways to comply with requirements, and which also has implications for application security. Specifically, PCI DSS 4.0 requires that by March 31, 2025, more testing of public-facing applications related to payment processing or other activities be considered “in scope” for compliance. Generally, any system that touches payment-card data is in scope for PCI DSS compliance, whether or not the system or function is public-facing. We'll talk through what organizations should have gotten done by March 31, 2024, and what needs to happen by March 31, 2025.

Segment Resources: https://info.obsglobal.com/pci-4.0-resources

Show Notes: https://securityweekly.com/psw-825

Ahoi new VM attacks ahead! HTTP/2 floods, USB Hid and run, forwarded email tricks, attackers be scanning, a bunch of nerds write software and give it away for free, your TV is on the Internet, Rust library issue, D-Link strikes again, EV charging station vulnerabilities, and rendering all cybersecurity useless.

Show Notes: https://securityweekly.com/psw-824

Jim joins the Security Weekly crew to discuss all things supply chain! Given the recent events with XZ we still have many topics to explore, especially when it comes to practical advice surrounding supply chain threats.

Show Notes: https://securityweekly.com/psw-824

pfSense switches to Linux (April Fools?), Flipper panic in Oz, Tales from the Krypt, Funding to secure the Internet, Abusing SSH on Windows, Blinding EDR, more hotel hacking, Quantum Bleed, and more!

Show Notes: https://securityweekly.com/psw-823

As most of you have probably heard there was a scary supply chain attack against the open source compression software called "xz". The security weekly hosts will break down all the details and provide valuable insights.

• https://blog.qualys.com/vulnerabilities-threat-research/2024/03/29/xz-utils-sshd-backdoor
• https://gynvael.coldwind.pl/?id=782
• https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800
• https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
• https://github.com/amlweems/xzbot
• https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
• https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/
• https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
• https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
• https://xeiaso.net/notes/2024/xz-vuln/
• https://infosec.exchange/@[email protected]
• https://github.com/notselwyn/cve-2024-1086?tab=readme-ov-file
• https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd

Show Notes: https://securityweekly.com/psw-823

The PSW crew discusses some crypto topics, such as post-quantum and GoFetch, new Flipper Zero projects, RFID hacking and hotel locks, BlueDucky, side channel attacks and more!

Show Notes: https://securityweekly.com/psw-822

Jason Healey comes on the show to discuss new ideas on whether the new national cybersecurity strategy is working.

Segment Resources:

• DEFRAG Hacker Film Festival short documentary (https://youtu.be/NYvHWcQsIRE) on hackers and their favorite films. For educational purposes only, as we don’t have the rights to the clips.
• YouTube link to Wargames event with Jen Easterly, Matt Devost, Amelia Koran and Kevin Huyck (head of ops for NORAD) (https://youtu.be/iqx6STDYJ7c?si=73WQtSG4RnCGsBcT).
• https://www.lawfaremedia.org/article/which-cyber-regulations-fit-which-sectors
• https://www.lawfaremedia.org/article/the-national-cybersecurity-strategy-breaking-a-50-year-losing-streak
• https://www.lawfaremedia.org/article/twenty-five-years-of-white-house-cyber-policies
• https://www.lawfaremedia.org/article/understanding-offenses-systemwide-advantage-cyberspace

Show Notes: https://securityweekly.com/psw-822

We discuss the always controversial Flipper Zero devices the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.

(00:01) Security Practices and Flipper Zero (07:01) Technology and Privacy Concerns in Cars (17:33) Undersea Cables and NVD Issues (27:45) Government Oversight and Funding for Cybersecurity (33:33) Improving Vulnerability Prioritization in Cybersecurity (45:37) Risk Management and CVE Implementation (58:06) Cybersecurity Budget and Risk Management (01:10:48) Unique Challenges in Cybersecurity Industry (01:16:41) Discussion on Open Source and CNAs (01:26:44) Bluetooth Vulnerabilities and Exploits Discussed (01:39:46) Email Security and Compromised Accounts (01:46:23) Cybersecurity Threats and Vulnerabilities (01:52:06) GPU Security Vulnerabilities Explained

Show Notes: https://securityweekly.com/psw-821

Josh Corman joins us to explore how we can make things more secure, making companies make things more secure, and making regulations that make us make things more secure! We will also touch on supply chain security and the state of vulnerability tracking and scoring.

Show Notes: https://securityweekly.com/psw-821

In the security News end of life routers and exploits, SCCM mis-configurations lead to compromise, apparently you can hack anything with a Flipper Zero, do source code leaks matter?, visibility is important, printer vulnerabilities that no one cares about, friendship gets you firmware, lock hacking continues, VM escapes and risk, and multiple really cool Bluetooth hacking stories.

Show Notes: https://securityweekly.com/psw-820

Omkhar Arasaratnam is the General Manager of the Open Source Software Foundation (OpenSSF) and appears on the show to discuss memory safety, why re-writing software isn't always the best option, open-source software supply chains, and more!

Segment Resources:

• https://openssf.org/blog/2024/02/26/openssf-supports-efforts-to-build-more-secure-and-measurable-software/
• https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf

Show Notes: https://securityweekly.com/psw-820

BiaSciLab from DEF CON joins us to discuss DCNextGen! In the security News: MouseJacking still works, CISA recommends a complete rebuild, memory safety and re-writing code, not all doorbells are created equal, putting a firewall in front of your LLM, rugged gear and vulnerabilities, PLCs are not safe, neither are Windows kernels..

Segment Resources: https://www.defcon.kids https://www.BiaSciLab.com https://www.GirlsWhoHack.com https://www.SecureOpenVote.com

Show Notes: https://securityweekly.com/psw-819

Public information about exploits and vulnerabilities alone is not enough to inform prioritization, especially with the growing rate and variety of CVEs. Dan DeCloss, founder and CTO of PlexTrac, joins the show to discuss solving the challenges of risk prioritization to drive faster, more strategic assessment cycles. Spoiler: The key is adding context and prioritization to risk-scoring equations.

Segment Resources: https://plextrac.com/get-ready-to-prioritize-risk-with-our-new-contextual-scoring-engine/?utmmedium=techptr&utmsource=securityweekly

https://plextrac.com/video/priorities/?utmmedium=techptr&utmsource=securityweekly

This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!

Show Notes: https://securityweekly.com/psw-819

The latest attacks against WiFi, its illegal to break encryption, BLE Padlocks are as secure as you think, when command not found attacks, how did your vibrator get infected...with malware, the OT jackpot, the backdoor in a random CSRF library, it’s a vulnerability but there is no CVE, car theft and Canada, Glubteba, and settings things on fire!

Show Notes: https://securityweekly.com/psw-818

Jayson joins us to discuss how he is using, and social engineering, AI to help with his security engagements. We also talk about the low-tech tools he employs to get the job done, some tech tools that are in play, and the most important part of any security testing: Talking to people, creating awareness, and great reporting.

Show Notes: https://securityweekly.com/psw-818

Join us in this illuminating podcast episode as we sit down with Wendy Nather, a distinguished thought leader and cybersecurity strategist, who has left an indelible mark on the ever-evolving landscape of digital security.

Wendy's journey in cybersecurity is a narrative woven with expertise, innovation, and a deep understanding of the intersection between technology and risk. With a career that spans strategic roles in both the public and private sectors, Wendy has become a trusted voice in the industry, offering insights that resonate with cybersecurity professionals and enthusiasts alike.

As the Head of Advisory CISOs at Cisco, Wendy Nather brings a unique perspective to our conversation. Explore with us as she shares her experiences navigating the complex cybersecurity challenges faced by organizations today. Wendy's strategic vision has helped shape cybersecurity policies, risk management frameworks, and resilient strategies for a myriad of enterprises.

Dive into Wendy's wealth of knowledge as she discusses the dynamic nature of cyber threats, the importance of proactive cybersecurity measures, and the evolving role of technology in safeguarding our digital future. Her commitment to demystifying complex security concepts and fostering a culture of resilience makes this podcast episode a must-listen for anyone passionate about cybersecurity.

Beyond her corporate role, Wendy is a prolific writer, speaker, and educator, contributing to the collective cybersecurity knowledge base. Join us as we explore her insights on emerging trends, best practices, and the human element in cybersecurity—a facet often overlooked but crucial in building robust defense strategies.

Don't miss this opportunity to gain valuable perspectives from one of the industry's leading minds. Tune in to our podcast and discover the wisdom and foresight that Wendy Nather brings to the world of cybersecurity.

Show Notes: https://securityweekly.com/vault-psw-8

Welcome to a riveting episode of Hacker Heroes, where we sit down with Toby Miller, a distinguished figure in the realm of cybersecurity. Toby brings a wealth of experience and a passion for fortifying digital landscapes against ever-evolving threats.

Armed with a profound understanding of cybersecurity intricacies, Toby has spent years honing his skills in the field. As a seasoned professional, he has not only weathered the storms of the digital frontier but has emerged as a beacon of knowledge and resilience in the face of cyber challenges.

Join us as we delve into Toby's journey, from the early days of his career to his current role as a cybersecurity expert. Gain valuable insights into the dynamic nature of cyber threats, the evolving tactics employed by malicious actors, and the strategies Toby employs to stay one step ahead in the ever-changing cybersecurity landscape.

Toby's expertise extends across a spectrum of cybersecurity domains, including risk management, threat intelligence, and incident response. Discover the mindset that propels him forward in the pursuit of securing digital infrastructures and safeguarding sensitive information.

In this podcast episode, Toby Miller shares anecdotes from the front lines of cybersecurity, offering our listeners a firsthand account of the challenges faced by professionals in the industry. Whether you're a cybersecurity enthusiast, a fellow professional, or someone navigating the digital landscape, Toby's insights are sure to enlighten and inspire.

Show Notes: https://securityweekly.com/psw-817

In this segment, we discuss topics related to physical security and social engineering. We also touch on the challenges and strategies for implementing effective security measures. The discussion highlights the importance of understanding the relationship between physical security and social engineering. The panel emphasizes the need for a comprehensive approach to security, acknowledging that social engineering and physical security often go hand in hand. We stress the significance of testing physical security measures and conducting threat assessments to ensure robust protection against potential threats. The conversation touches on the concept of usability versus security, acknowledging that security measures should provide a balance between effective protection and practical usability. We explore the vulnerabilities of certain security technologies, such as biometrics, and underscore the need for continuous evaluation and adaptation of security measures to mitigate emerging threats.

Show Notes: https://securityweekly.com/psw-817

In the Security News: - Shim Shady, Up Shims Creek, whatever you want to call it, there’s a vulnerability affecting pretty much all Linux distributions (and other operating systems as well), when your toothbrush attacks the Internet, or some claim, glibc has some vulnerabilities, not all got a CVE, and one is for the algorithm lovers, Google shows some love for Rust, beating Bitlocker in 43 seconds, DEF CON was canceled, then uncancelled, and I’m not even joking this time, and the Government is here to "unhack" your router,

Show Notes: https://securityweekly.com/psw-816

As a computer-smitten middle-schooler in the former Soviet Union in the 1970s, to his current and prominent role in the cybersecurity research community, Bratus aims to render the increasingly prevalent and perilous software, hardware, and networks in our lives much safer to use. His fascination with computer security started for real in the 1990s as a mathematics graduate student when a computer he was programming and responsible for at Northeastern University in Boston was taken over by a hacker. That experience set him on his life’s mission to learn as much as he can about the vulnerabilities of software and hardware with the goal of learning how to best minimize or eliminate those vulnerabilities. Noting his embrace of the hacker community for its deep and innovative expertise in this context, Bratus’s portfolio at DARPA could help reduce or entirely remove even some of the most stealthy and unexpected vulnerabilities that reside in software and its logical, computational, and mathematical foundations.

Segment Resources:

• Overall Portfolio: https://www.darpa.mil/staff/dr-sergey-bratus

• Safe Documents: https://www.darpa.mil/news-events/2023-06-14

• Enhanced SBOM for Optimized Software Sustainment: https://sam.gov/opp/d0af3e325a594a8191b94e3f80b6bdcd/view

• V-SPELLS program:  https://www.theregister.com/2023/08/18/darpalegacybinary_patching/

• Digital Corpora Project:  https://www.jpl.nasa.gov/news/jpl-creates-worlds-largest-pdf-archive-to-aid-malware-research

• SocialCyber:  https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/

• Weird Machines:  https://www.darpa.mil/program/hardening-development-toolchains-against-emergent-execution-engines

• Safe Docs: https://www.darpa.mil/news-events/2023-06-14

• Exploit programming:  https://www.usenix.org/publications/login/december-2011-volume-36-number-6/exploit-programming-buffer-ove

Show Notes: https://securityweekly.com/psw-816

Danny Jenkins, CEO & Co-Founder of ThreatLocker, a cybersecurity firm providing Zero Trust endpoint security, is a leading cybersecurity expert with over two decades of experience building and securing corporate networks, including roles on red and blue teams. He is dedicated to educating industry professionals about the latest cyber threats and frequently speaks on the topics of ransomware and Zero Trust.

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Show Notes: https://securityweekly.com/psw-815

When an RCE really isn’t, your kernel is vulnerable, calling all Windows 3.11 experts, back to Ebay, Turkish websites and credentials, 10 public exploits for the same vulnerability, hacking Bitcoin ATMs, another vulnerability disclosure timeline gone wrong, Flipper Zero tips and how you should not use it to change traffic lights, Windows 11 S mode, and you’re dead (but like in the movie Hackers dead), and more!

Show Notes: https://securityweekly.com/psw-815

In the Security News: Don’t expose your supercomputer, auth bypass and command injection FTW, just patch it, using OSQuery against you, massive credential stuffing, backdoors in Harmony, looking at Android, so basically I am licensing my printer, hacking Tesla, injecting keystrokes over Bluetooth, and remembering the work of David L. Mills.

Show Notes: https://securityweekly.com/psw-814

Matt Coose is the founder and CEO of cybersecurity compliance firm Qmulos, previously the director of Federal Network Security for the National Cyber Security Division of the (DHS).

CISOs carry the ultimate burden and weight of compliance and reporting and are often the last buck. Says Coose, best-of-breed is better described as best-to-bleed-the-budget: it’s a bottom-up, tech-first, reactive approach for acquiring technology as opposed to managing risk. Coose shares his top considerations below for how CISOs can navigate the crowded market of cybersecurity tools when cost is highly scrutinized, but regulations keep growing.

Platforms are what every vendor dreams of being called, but no platform does it all, says Coose.

Coose shares what smart CISOs and mature organizations understand, that others don’t:

• There’s no “buying their way out of security issues or into a better risk posture.” They understand the need to evolve to a top-down, risk-driven, inherently business-aligned, dynamically adaptable, and evidence-based security management strategy.

• That looking at technology choices through the lens of risk controls (and the related data provided by technology that implements those controls) enables credible and transparent strategic tech portfolio management decisions that are immune to vendor preferences or the latest market(ing) fads.

• The need for meaningful security and risk measurement and the difference between leading and lagging indicators.

• The original intent of security and regulatory compliance as a model for proactive and consistent risk management (leading indicator), not just a historical reporting and audit function (lagging indicator).

• That managing risk, compliance, and security as distinct and separate functions is not only wasteful and inefficient, but denies the enterprise the ability to cross-leverage significant people, process, and technology investments

Show Notes: https://securityweekly.com/psw-814

In the Security News: Bricked Xmas, If you can hack a wrench, PixieFail and disclosure woes, exposing Bigpanzi (more Android supply chain issues, 20 years of OpenWRT, Jamming, traffic lights, and batteries don’t work that well in the extreme cold. All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-813

With a recent increase in government attention on K–12 cybersecurity, there is a pressing need to shed light on the challenges school districts face in implementing necessary security measures. Why? Budgeting constraints pose significant obstacles in meeting recommended cybersecurity standards. Brian Stephens of Funds For Learning will discuss:

• The financial constraints K–12 schools face and the critical role of funding from federal and state governments in addressing cybersecurity concerns.
• Efforts by Funds For Learning to petition the FCC to expand E-rate funding to support next-generation firewalls and other cybersecurity services.
• By expanding the technologies and solutions eligible for E-rate funding, schools can obtain the necessary resources to protect against the growing threat of third-party data breaches.

Here are links to the most current blog posts about Cybersecurity Notice of Proposed Rulemaking  https://www.fundsforlearning.com/news/2023/11/dont-miss-your-chance-to-impact-e-rate-cybersecurity/, Wi-Fi hotspots https://www.fundsforlearning.com/news/2023/11/wi-fi-hotspots-proposed-for-e-rate-program/ and school bus Wi-Fi https://www.k12dive.com/news/fcc-approves-school-bus-wifi-e-rate/697337/. Funds For Learning also facilitated an informational webinar on the Cyberserucrity Notice for Proposed Rulemaking https://fundsforlearning.app.box.com/s/5gp9qr938qtgs0ug92nkgfvrjvtil4sf. Funds For Learning also conducts an annual survey for E-rate applicants to provide their feedback on the E-rate program. The responses are shared with the FCC through the Funds For Learnings annual E-rate Trends Report. https://www.fundsforlearning.com/e-rate-data/trendsreport/. Lastly, here is an article from Brian about cybersecurity and why it should be funded through E-rate https://www.eschoolnews.com/it-leadership/2023/09/29/will-cybersecurity-receive-e-rate-funding/

Show Notes: https://securityweekly.com/psw-813

The Exploit Prediction Scoring System is Awesome, or so some say, Reflections on InfoSec, Why some people don’t trust science, SSH-Snake, Back in the Driver’s seat, I Hacked My Internet Service Provider, States & Congress wrestle with cybersecurity, Combining AI with human brain cells, analyzing linux-firmware, detecting BLE SPAM, and The I in LLM.

Show Notes: https://securityweekly.com/psw-812

Jared would like to discuss the evolution of purple teaming. Put bluntly, he believes traditional purple team approaches don’t test enough variations of attack techniques, delivering a false sense of detection coverage. He would like to talk about: The shortcomings of red team assessments and why most purple team assessments are too limited. How the testing landscape and requirements have changed (especially as organizations now look to validate vendor tools defense claims). How purple team assessments are evolving with the use of new frameworks like Atomic Testing. And the importance of building and selecting good test cases that cover the many ways attack techniques can be modified.

Show Notes: https://securityweekly.com/psw-812

Unleashing the Power of Crowdsourced Cybersecurity: A Conversation with Casey Ellis, Founder of Bugcrowd

️Meet Casey Ellis, the visionary entrepreneur who has redefined the landscape of cybersecurity through the groundbreaking platform he built – Bugcrowd. As the Founder and Chief Technology Officer of Bugcrowd, Casey Ellis has not only revolutionized the way organizations approach cybersecurity but has also championed the concept of crowdsourced security testing.

With an innate passion for hacking and a deep understanding of the evolving threat landscape, Casey embarked on a mission to democratize cybersecurity. In our upcoming podcast interview, delve into the dynamic journey of a self-proclaimed hacker turned cybersecurity pioneer.

Casey's brainchild, Bugcrowd, serves as a global community of ethical hackers and security professionals who collaborate to uncover and address vulnerabilities in digital systems. Learn how this innovative approach has empowered organizations across industries to proactively secure their digital assets, embracing the power of the collective in the fight against cyber threats.

A trailblazer in the cybersecurity space, Casey Ellis brings a unique perspective to the podcast as he shares insights on the challenges and triumphs of building Bugcrowd from the ground up. Explore the intersections of technology, security, and community-driven solutions with a leader who has not only disrupted the status quo but has also fostered a culture of continuous improvement and collaboration.

Join us for a riveting conversation as we uncover the secrets behind Bugcrowd's success, the evolving role of ethical hacking in today's digital landscape, and Casey's vision for a more secure and interconnected future. Whether you're a cybersecurity enthusiast, a tech aficionado, or simply curious about the forces shaping our digital world, this podcast episode with Casey Ellis is a must-listen.

Show Notes: https://securityweekly.com/vault-psw-7

Dr. Diffie is a pioneer of public-key cryptography and was VP of Information Security and Cryptography at ICANN. He is author of "Privacy on the Line: The Politics of Wiretapping and Encryption".

Show Notes: https://securityweekly.com/vault-psw-6

Firmware security is a deeply technical topic that's hard to get started in. In this episode of Below the Surface, Xeno will discuss some past work in firmware security, and how he has organized resources such as a low level timeline (with over 300 talks), and free MOOC classes, to help teach people about firmware security.

Segment Resources: https://ost2.fyi https://darkmentor.com/timeline.html

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Show Notes: https://securityweekly.com/psw-811

AI generated description fun: "As the glasses are filled and the mood lightens, our veteran guests, each with a legendary tale or two tucked under their virtual belts, embark on a journey through the complex landscape of supply chain security. These old dogs share war stories, anecdotes, and hard-earned wisdom about the evolving challenges and threats that have shaped their illustrious careers. From the early days of computing to the present era of interconnected systems, our panelists delve into the intricacies of securing the supply chain. Expect insights on the timeless art of social engineering, the ever-expanding attack surface, and the unforeseen vulnerabilities that emerge when least expected."

Talking points:

• Define the different areas of supply chains * Hardware * Firmware / Low-Level Software * Operating systems and applications * Software you develop yourself
• Open-source software supply chains have interesting problems
• Detecting supply chain issues
• Who is responsible for supply chain security?

Show Notes: https://securityweekly.com/psw-811

Analyzing firmware with EMBA, TinyXML, and the ugly supply chain, ignoring vulnerabilities that allow attackers to turn off your vehicle, Android lock screen bypass and running water, LogoFAIL updates, and the confusing severity, you still haven’t patched Log4Shell, the password is 123456, and an amazing Bluetooth hack that affects you!

Show Notes: https://securityweekly.com/psw-810

Mr. Sharpe is a long-time (+30 years) Cybersecurity, Governance, and Digital Transformation expert with real-world operational experience. Mr. Sharpe has run business units and has influenced national policy. He has spent much of his career helping corporations and government agencies create value while mitigating cyber risk. This gives him a pragmatic understanding of the delicate balance between Business realities, Cybersecurity, and Operational Effectiveness. He began his career at NSA, moving into the Management Consulting ranks building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits, including the Hackett Group (NASDAQ HCKT). He has participated in over 20 M&A transactions. He has delivered to clients in over 20 countries on 6 continents.

Show Notes: https://securityweekly.com/psw-810

In the Security News: If we still can’t change default passwords, we all lose, The Flipper Zero, NO CVE FOR YOU, New tools that are not new at all, The BIOS logo attack vector, a $15 router that has secrets, turns out AI is stupid, and SLAM, dun dun ot, Spectre based on linear address masking,

Show Notes: https://securityweekly.com/psw-809

I like how ChatGPT describes this segment: "Picture a dimly lit room filled with the nostalgic hum of old computers and the subtle clinking of ice in glasses as our hosts delve into the intricacies of vulnerability management. These battle-hardened experts peel back the layers of digital defense, recounting their experiences from the front lines of cyber warfare. From epic zero-day exploits to heart-pounding close calls, these hackers have seen it all, and now they're ready to spill the beans. But it's not just about the exploits and the code. Paul's Security Weekly takes a deep dive into the ethics and practices of vulnerability disclosure. With a touch of humor and a hint of mischief, our hosts explore the delicate balance between responsible disclosure and the thrill of the chase. As they share their war stories, they also reflect on the evolving landscape of cybersecurity and the importance of collaboration in securing the digital frontier."

Show Notes: https://securityweekly.com/psw-809

The Security Weekly crew dives into a discussion on the latest hardware hacking techniques, including the hardware/software/firmware used to conduct various tests and create neat projects. You may be trying to hack a specific device. You may be creating a device to accomplish a specific goal. We will discuss various aspects of hardware hacking and fill you in on the some of the latest devices and tools. Like the Flipper Zero, and why the alternatives are better in some cases, but also why the Flipper Zero gets a bad rap.

Show Notes: https://securityweekly.com/psw-809

We navigate through dangerous cyber terrain, examining real-world examples like the WebP library and the Curl vulnerability. Critical issues in Zyxel firewalls will also be unmasked as we shed light on the urgency of improving vulnerability reporting and cataloging and addressing the often-overlooked problem of overclassifying harmless software bugs.

We then shifted gears to tackle the tricky subject of software vulnerability identification, focusing on a specific CVE that sparked intriguing debates. Learn why pinpointing the source of the vulnerability is vital to effective SBOMs. The journey doesn't end there - we'll uncover a newly discovered Bluetooth vulnerability, aptly named 'BLUFFS', and discuss its potential for exploitation, along with the ingenious solutions proposed by the researchers who unearthed it.

Brace yourself for a riveting finale as we delve into Akamai's recent research on DVR and router attacks, explore the risks of GPS spoofing, and discuss the importance of detection mechanisms. We'll also scrutinize the stereotype of hackers in pop culture, address the importance of handling vulnerabilities in software, and highlight the pressing issue of ransomware targeting healthcare. So buckle up and join us for this critical exploration into the world of software vulnerabilities as we decode the complexities and debunk some security myths.

Show Notes: https://securityweekly.com/psw-808

Our good friend Matt Carpenter joins us to share his thoughts on what's going on in the world of AI and LLMs. Matt is also a hacker specializing in hardware and the crew has some amazing hardware hacking topics to discuss (as usual).

Segment Resources: https://garymarcus.substack.com/p/has-sam-altman-gone-full-gary-marcus

Show Notes: https://securityweekly.com/psw-808

What will the future bring with respect to AI and LLMs? Josh has spent some time thinking about this and brings us some great resources. We'll discuss how to get students involved with AI in a safe and ethical manner. How can we use AI to teach people about cybersecurity? What tools are available and where do they fit into our educational systems that must change and adapt to the times? Join us for a fun discussion on what the future looks like with AI and the youth of today.

Segment Resources: https://docs.google.com/document/d/103FLvNRSwBhq-WgCbuykMvweT6lKf2lAASuP8OuuKIw/edit#heading=h.3inodmot2b77

Show Notes: https://securityweekly.com/psw-808

Brian Snow spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. He created and managed NSA's Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity.

Show Notes: https://securityweekly.com/vault-psw-5

In the Security News: SSH under attack, IoT routers have vulnerabilities, the BLE Spam attacks still work against iPhones, there is a longer story behind BLE spam, and Larry is one of the stars, denial of pleasure via BLE, vulnerability disclosure and your blob is showing, the half-day watcher, tapping into cameras, 50 shades of vulnerabilities, Nuclear decay as a random number generator, cachewarp, reptar, attacking Danish critical infrastructure, you can’t patch a house of cards (and your bitcoin may be at risk), All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-807

Attackers pursue the shortest path to achieve their goals in your app. With a tri-layered security architecture, you can force hackers to crawl through a triathlon in your app. What’s in the three layers, to detect attacks sooner, slow attackers down, and stop them fast? Let’s take a journey across the three layers and discuss how to gain control of user permissions, secure your cloud computing, and keep your customers and their users safe.

Show Notes: https://securityweekly.com/psw-807

Do people still use mainframes? IoT and firmware security, Apple Find my, Bluetooth is the gift that keeps on giving, to hackers that is, and more!

Show Notes: https://securityweekly.com/psw-806

Austin spends the majority of his time thinking about ways to abuse LLMs, the impact of the attacks, and the effects on society. He brings a truly unique perspective to the way to use, attack, and verify output from AI LLM models. Whether you are just learning the ins and outs of LLMs or you were an early adopter, this segment is for you!

Show Notes: https://securityweekly.com/psw-806

In the Security News: If an exploit falls in the forest do I still need to patch?, Reflections on trusting trust: the source code revealed, prompt injection in your resume, iPhones be updating, a deep dive into vulnerable kernel drivers and wiping SPI flash, cheap to exploit software, to ransom or steal?, oh OAuth, Florida man, door bell shenanigans, don’t pay the ransom, the White House and AI, and quantum teleportation via measurement-induced entanglement. All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-805

AI/ML is providing significant benefits in a wide range of application domains but also provides adversaries with a new attack surface. Learn about DARPA's efforts to help evaluate AI/ML and work towards a trust model that will allow us to use these valuable tools safely.

Segment Resources:

• Identifying and Mitigating the Security Risks of Generative AI paper (co-authored by Kathleen): https://arxiv.org/abs/2308.14840
• DARPA’s AI Forward, which will include AI Exploration opportunities and resource material: https://www.darpa.mil/work-with-us/ai-forward
• I2O webpage, important to include because this hosts links to many of the programs Dr. Fisher will discuss: https://www.darpa.mil/i2o

Show Notes: https://securityweekly.com/psw-805

Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!

Segment Resources:

BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)

CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)

Show Notes: https://securityweekly.com/psw-804

We officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!

Show Notes: https://securityweekly.com/psw-804

In the Security News: Fried squid is tasty, but the squid proxy is vulnerable, Flipper zero and other tools can now BLE Spam more than just Apple devices, Cisco IOS vulnerability in the web interface, again, is Signal vulnerable?, WinRAR being exploit, still, Math.Random is not really all that random, get your malware samples, and my inside look into Android TV devices, malware, and the horrors of the supply chain! All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-803

Chris Rock is a Cyber Mercenary who has worked in the Middle East, US and Asia for the last 30 years working for both government and private organizations. ˇHe is the Chief Information Security Officer and co-founder of SIEMonster. Chris has presented three times at the largest hacking conference in the world, DEFCON in Las Vegas on controversial vulnerabilities. Chris is also the author of the Baby Harvest, a book based on criminals and terrorists using virtual babies and fake deaths for financing. He has also been invited to speak at TED global.

Show Notes: https://securityweekly.com/psw-803

In the Security News: Windows 11 tries to fix legacy authentication, Rapid resets and the world’s largest DDoS attack, we finally get to see the cURL vulnerability, and its pretty ugly, turns out Android TV boxes with pre-installed malware are a hot topic, patch your Netscaler, root for everyone with emergency responder software, learn THIS hacking Tools First, long live Wayland, how to actually hack a WiFi device with a Flipper Zero, scanning open source packages, GNOME bugs and a bonus, security is a great idea until there is a bypass in apparmor,a tool that everyone should have in their kit, and we could talk for hours about 25 hard hitting lessons from Cybersecurity! All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-802

Resources we mentioned:

* The Hardware Hackers Handbook is a great start * Do a badge challenge: https://www.cyberark.com/resources/threat-research-blog/an-introduction-to-hardware-hacking  * Take some classes * Do some Arduino stuff: https://www.arduino.cc/  * Take free courses on electrical engineering: https://ocw.mit.edu/courses/6-01sc-introduction-to-electrical-engineering-and-computer-science-i-spring-2011/  (And here: https://www.tinkerforge.com/en/doc/  and here: https://www.youtube.com/watch?v=LSQf3iuluYo&list=PLoFdAHrZtKkhcd9k8ZcR4th8Q8PNOx7iU )

Building a lab - The list:

* Soldering iron (and tools and parts such as Solder, Flux, Tweezer, Soldering wick, Cutter, Wire stripper) * Hot air rework station (can be bundled with soldering iron) * Multi-meter (and lots of associated cables) * Jumper and pinout wires * Breadboard * USB microscope * Bench power supply * Specific lighting (e.g. my document camera has an LED light that works great) * Magnification - magnifying lenses and a headset (esp. if you are old, like us) * USB serial devices (or Bus Pirate if you fancy)

Show Notes: https://securityweekly.com/psw-802

In the Security News: No Flipper Zero for you!, your glibc is hanging out and other Looney Tunables, and it vulnerable, for no reasons, other than the obvious ones, a Russian firm will pay $20m for Android or iPhone 0days, you do what you do and other Exim vulnerability stories, yet another way to become root on Linux, if you ever wanted to read the source code for Sub7, well, now you can, more people want to trash bug bounties (and they are wrong), Curl has something coming, and its not good, tricking AI with your dead grandma’s locket, GPU driver vulnerabilities could lead to something, and the path to the cloud is filled with holes. All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-801

Anuj joins us to discuss recent trends in malware. What are the malware authors up to lately? What are the latest techniques for reverse engineering malware? Learn about the latest tools and techniques from Anuj! Anuj is a Principal Threat Researcher at Blackberry, where he performs malware research and reverse engineering. He has more than 15 years of experience in malware analysis and incident response. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor and author, which gives him the opportunity to impart his deep technical knowledge and practical skills to students.

Segment Resources: https://www.youtube.com/@sonianuj

Show Notes: https://securityweekly.com/psw-801

Just what are the right skills to have or acquire to work in cybersecurity today? Kayla and the Security Weekly crew talk about it in this segment. We also touch on why we get burnt out and how to avoid it, all in anticipation for SOC Analyst Appreciation Day!

This segment is sponsored by Devo . Visit https://securityweekly.com/devo to learn more about them!

Show Notes: https://securityweekly.com/psw-800

This week, First up its the Security News: libwebp or die: we unravel some of the details behind the webp vulnerability first fixed by Apple and Google, then, hopefully by everyone else, attackers can steal your pixels using your GPU, someone cough China cough has been hacking Cisco routers, Kia boys are still a problem, How the Cult of the Dead Cow plans to save the internet, how iOS updates could break glucose monitors, spamming the CVE database, and when a medium is really a high!

Show Notes: https://securityweekly.com/psw-800

In the Security News: LVFS is not a backdoor, attackers are in physical proximity, when you need to re-cast risk, oh Fortinet, pre-installed backdoors again, deep down the rabbit hole, the buffer overflow is in your BIOS!, what is 345gs5662d34?, a cone is all you need, we are compliant because we said so but we lied, 10 years of updates, Microsoft looks at ncurses and finds bad things, they also lost 38TB of data (Microsoft that is), when MFA isn’t really MFA, China and Russia are cyber attacking things, and MGM and Caesars are in hot water, All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-799

Nathan comes on the show to discuss LLMs, such as ChatGPT, the issues we face today and in the future. Learn about prompt injection attacks, jailbreaking, LLMs for threat actors, and more!

Show Notes: https://securityweekly.com/psw-799

Lots in the Security News this week. Stay tuned!

Show Notes: https://securityweekly.com/psw-798 

Ryan has his finger on the pulse of ransomware and response. We discuss how the initial infections are occurring, how they've changed over time, and where they are going in the future!

Segment Resources:

For folks to see my recent presentations: for528.com/playlist

For folks to see the recordings of our recent Ransomware Summit: for528.com/summit23

For folks to watch my recent (free) ransomware workshop: for528.com/workshop23

Materials: for528.com/workshop

Show Notes: https://securityweekly.com/psw-798 

Check out this interview from the PSW Vault, hand picked by main host Paul Asadoorian! This segment was originally published on February 4, 2013. Dr. Spafford is one of the senior, most recognized leaders in the field of computing. He has an on-going record of accomplishment as a senior advisor and consultant on issues of security and intelligence, education, cybercrime and computing policy to a number of major companies, law enforcement organizations, academic and government agencies... [With] over three decades of experience as a researcher and instructor, Professor Spafford has worked in software engineering, reliable distributed computing, host and network security, digital forensics, computing policy, and computing curriculum design. Dr. Spafford is a professor with an appointment in Computer Science at Purdue University, where he has been a member of the faculty since 1987.

Spaf's new book, Cybersecurity Myths and Misperceptions, is available at https://informit.com/cybermyths 

Show Notes: https://securityweekly.com/vault-psw-4 

In the Security News: How not to send all your browser data to Google, apparently Microsoft needs pressure to apply certain fixes, the mutli-hundred-billion-dollar-a-year industry that tries to secure everything above the firmware, security through obscrurity doesn’t work, should you hire cybersecurity consultants, pen testing is key for compliance, defense contractor leaks, inside a McFlurry machine, Barracuda is still chasing hackers, why Linux is more secure than windows, more details on WinRar and middle-out compression, a Wifi worm?, CVE-2020-19909 is almost everything that is wrong with CVE, Tacos, and hacking through a Fire stick! All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-797 

Amanda joins us to discuss aspects of incident response, including how to get the right data to support findings related to an incident, SMB challenges, cloud event logging, and more! Amanda works for Blumira and is the co-author of "Defensive Security Handbook: Best Practices for Securing Infrastructure."

Show Notes: https://securityweekly.com/psw-797 

In the Security News: Lora projects are popular, simple checksums are not enough, WinRAR: shareware or native OS?, ATM software is vulnerable, attackers could learn from security researchers (but lets hope they don’t), NoFilter and behavior by design, Apple vs. A security researcher: there are no winners, sneaky npm packages, faster Nmap scans, kali on more phones, more LOl drivers, comparing security benchmarks to the real world, tunnelcrack and why VPNs are over-hyped, Ubuntu has lost its mind, and there’s a Python in the sheets! All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-796 

Jared has a long, and outstanding, history in cybersecurity. Today, he works for Microsoft helping them run and respond to bug bounty reports. The scale is massive and I think we can all learn a thing or two about vulnerability management and bug bounties!

Segment Resources:

https://www.microsoft.com/en-us/msrc/bounty?rtc=1

https://www.microsoft.com/en-us/msrc

https://msrc.microsoft.com/report/vulnerability/new

https://www.microsoft.com/en-us/msrc/bounty

https://msrc.microsoft.com/blog/

https://jobs.careers.microsoft.com/global/en/search?q=msrc&l=en_us&pg=1&pgSz=20&o=Relevance&flt=true

https://www.microsoft.com/bluehat/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-796 

In the Security News: You should read the NIST CSF, JTAG hacking the original Xbox, tricked into sharing your password, attacking power management software, the vulnerability is in the SDK, tearing apart printers to find vulnerabilities, a pain in the NAS, urllib.parse is vulnerable, hacking the subway, again, how not to implement encryption from OSDP, Intel does a good job with security, and hacking card shuffling machines! All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-795 

The 2020 Armenian war with Azerbaijan called into action over 100 volunteer incident responders from across the country (and the globe) into action. Our guest for this segment was one of the leads during the 40-day conflict and helped organize teams that responded to everything from websites being attacked and country-wide Internet outages.

[120K Project](https://www.120kproject.com/en)

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-795 

In the Security News: Hacking your Tesla to enable heated seats (and so much more), The Downfall of Intel CPUs, The Inception of AMD CPUs, that’s right we’re talking about 3 different hardware attacks in this episode! Intel issues patches and fixes stuff even though its hard to exploit, Rubber Ducky you’re the one, history of Wii hacking, don’t try this at home Linux updates, we are no longer calling about your vehicle warranty, cool hardware hacking stuff including building your own lightsaber, you Wifi keys are leaking again, the evil FlipperZero, Buskill, complaining publically works sometimes, these are not the CVSS 10.0 flaws you are looking for, when side channel attacks, dumpster diving for plane ticks, and go ahead, try and hack a robotaxi! All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-794 

Just how prepared are you for the next cybersecurity incident? Depending on the definition, security incidents likely happen daily at most enterprises. Because we can't prevent everything, the key to success is to be in a constant state of readiness. This means regular training with a focus on preparation. Gerard will walk us through tips and tricks to keep our incident response teams in tip-top condition.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-794 

In the Security News: Canon shoots out your Wifi password, I want to be Super Admin, you don’t need fancy hacks to bypass air gaps, U.S. Senator attacks Microsoft, Tenable CEO attacks Microsoft, we should all be hopeful despite the challenges in infosec, SEC requires reporting Cyberattacks within 4 days, Mirai attacks Tomcat, scanning a car before stealing it, a little offensive appliance, no Internet access for you and that will solve the problem, Ubuntu blunders, it’s so secure no one can actually use it, and yet another CPU data leak! All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-793 

Our good friend Bill Swearingen joins us to talk about some of the incident response work he's been doing lately. Many people have it wrong, you don't need to be a cybersecurity ninja to respond to a security incident. Its about knowing who does what in your organization and executing a plan. Bill has put together a a set of free resources to help the community with incident response as well!

Visit the Awesome Incident Response project here: https://github.com/hevnsnt/Awesome_Incident_Response/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-793 

In the Security News: Cisco hates patching stuff, they hacked a Peleton, so what?, Zenbleeding, stopping Kia Boys, Your BMC is showing, Hacking your toothbrush, Flipper Zero Smoking a Smart Meter was a fake, RFID Tags Inside Amazon Products, Backdoors in Encrypted Police Radios, The Death of Infosec Twitter, and just stop people from accessing the Internet! All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-792 

Once an incident has occurred and you've responded, then what? Join us for a chat with Sean Metcalf on what we can do to ensure our infrastructure remains resilient after a security incident.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-792 

Sumit comes on the show to teach us a little about PHP type-juggling, introduce a free online security lab, and discuss the new certifications being offered in collaboration with Blackhat.

Segment Resources:

Our SecOps exams: https://secops.group/cyber-security-certifications/

Black Hat's Certified Pentester exam: https://www.blackhat.com/us-23/certified-pentester.html

Vulnmachines platform: https://www.vulnmachines.com/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-791 

This week, up first is the Security News: Microsoft lost its keys, LOL drivers, If you were the CSO, try to keep employees happy but remove their accounts when they leave, gaming device finds a missing child, $3 brute forcing, undocumented instructions are sometimes the best instructions, remote code on your Oscilloscope, fuzzing satellites, routers are great places to hide, typos lead to information leaks of US military emails, pwning yourself, pwning security researchers, getting pwned by a movie, and WormGPT!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-791 

In the security news: Someone is going to get hurt, slow migrations, hiding on the Internet is hard, more Fortinet vulnerabilities, BLackLotus source code, the difficulties with roots of trust, stealthy rootkits, patching made easy?, rowhammer and gaslighting, signing with time machines, memory is complicated, and it’s alive!!! It's alive!!!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-790 

Getting the correct data in the right place for incident response is challenging. JP comes on the show to talk about how he is helping companies with these challenges, getting control of the security data pipeline while helping save costs!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-790 

Welcome to another edition of a Paul's Security Weekly Vault episode! This episode was previously recorded on April 5, 2012 and features an interview with none other than Dan Geer. Unfortunately there is no video for this episode, but the content is still relevant today. 

Dan Geer is a renowned cybersecurity expert and visionary. With a wealth of knowledge and experience in the field, Dan has made significant contributions to our understanding of information security and its implications. In this interview, we'll explore his background, education, and delve into some of his most influential works, such as his paper on the security implications of mono-culture. My co-hosts for this interview included Jack Daniel and John Strand.

At the very end of the interview we talk about Dan giving the keynote at the Source Boston 2012 event. I've included a link to the video of that talk in the show notes for historical reference. ChatGPT summarized this keynote as follows stating: "Dan Geer discusses the claim that the internet is critical infrastructure and explores the potential hypocrisy involved in this assertion."

So, without further ado, enjoy our interview with Dan Geer!

Link to Dan Geer's 2012 Source Boston Keynote: https://www.youtube.com/watch?v=Qb8r0XoNd60

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/vault-psw-3 

In the security news: You got so many CVEs you need your own, dedicated, vulnerability scanner, melting your neighbors with hacking, The FDA’s SBOM and OSS, when the vulnerability scanner has a vulnerability, violating CISA directives at scale, make 2FA a little easier with this device, NSA’s BlackLotus mitigation guide: who needs those certificates anyhow? All that and more on this episode of Paul’s Security Weekly.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-789 

In this segment we welcome Carlos Perez back to the show! Carlos will discuss methods we can use to hide one systems and cover our tracks.

We'll cover how on a system (as administrator) the blue team's struggle using default logs or even on a default install of Sysmon to detect an attacker. Attackers can selectively disable modern event log providers, take action and then re-enable. We will demo this and how to best monitor for this technique.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-789 

In the Security News: There is no national cyber director, time to move away from MoveIT, update Microsoft IIS at least every 6 years, your security system is not secure, for that matter neither is your smart pet feeder, identity management is hard, at least for some, spies using spy gadgets to spy on spies, go ahead and just replace your hardware, secure boot is hard, bypassing the BIOS password (but don’t try this at home, or work for that matter), Rob shaved his beard, what’s new in PCI (drink, are we still drinking on PCI? If so, drink again), if your firmware isn’t patched, no cloud updates for you, and Gigabyte has a backdoor!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-788 

Emilie comes on the show to talk about penetration testing and share her knowledge and stories!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-788 

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on April 9, 2013.

Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Ches has worked on (and against) operating system security for over 35 years. He is probably best known for "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin, which help train the first generation of Internet security experts. 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/vault-psw-2 

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on October 18, 2015. L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/vault-psw-1

In the security news: keystroke logs are stored in plain-text (and other atrocities in software used in schools), WPBT is the gift that keeps on giving and this time it's Gigabyte, PCI DSS 4.0 (drink!), immutable linux desktops, one packet exploits, neat linux malware, sock puppets, a must read new book about hacks, why SMB why?, boot girls, exposing customers....data, cracking GSM, you MUST use 2fa (not should, must), old wine in a new bottle, lab grown "meat", malicious bookmarks, and ChatGPT's secret reading list! All that and more on this episode of Paul’s Security Weekly.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-787 

Penetration Tester stories, dumb and funny stuff that's crazier than movies.

Segment Resources:

https://www.cyberpointllc.com/index.php

 https://www.cyberpointllc.com/srt.php

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-787 

In the Security News: a cross-platform, post-exploit, red teaming framework, cover your backups, your voice should never be your passport, time to change your fingerprints, a drop in the bucket sucka, Thor will take out those pesky drones, never give your AI friends money, bye-bye PyPi for a while anyhow, bug bounties are broken, you say you want people to update routers, not-too-safe-boot, mystery microcode, Cisco listens to the podcast (they must have heard it from Microsoft), will it run DOOM?, your server is bricked, permentantly, Hell never ends on x86, and coldplay lyrics in your firmware.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw786 

Liam Mayron from Fastly comes on the show to talk about his unique path into information security, the security implications of generative AI, advances in technologies to protect web applications, detecting bots, and enabling better MSP services!

This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw786 

In the security news: How AI Knows Things No One Told It, Dragos Employee Gets Hacked, VMProtect Source Code Leaks, CISA Vulnerabilities, SHA-1 is a Shambles, Microsoft Scans Inside Password Protected Files, Geacon Brings Cobalt Strike Compatability to MacOS, Google Launches Tools to Identify Misleading & AI Images, Cyberstalkers Use New Windows Feature to Spy on iPhones, Texas A&M Prof Flunks all his Students, Wemo Won’t Fix Smart Plug Vulnerability, Catfishing on an industrial scale, and Hacking the Ocean to store Carbon Dioxide

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw785 

Kevin Johnson joins us to discuss pen testing, automated testing, why AI testing is not pen testing!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw785 

In the security news: feel free to cry a bit, honeytokens are the shiny new hotness, it's fixed in the future, backdooring electron, should we move to passkeys, the turbo button, why Cisco hates SMBs, old vulnerabilities are new again, MSI, Boot Guard and some FUD, fake tickets, AI hacking, prompt injection, and the SBOM Bombshell!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw784 

In this talk, Paula Januszkiewicz, renowned cybersecurity expert with years of experience in the field, shares her insights on critical tasks that must be included in any successful penetration testing checklist. She will offer the listeners a sneak peek into her pentesting trick book, discuss the special tools she is using, and highlight the importance of diversifying your pentester's toolkit. This episode is a must-listen for anyone interested in mastering the art of penetration testing.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw784

This week in the Security News: 5-year old vulnerabilities, hijacking packages, EV charging apps that could steal stuff, do we even need software packages, selling hacking tools and ethics, I hate it when vendors fix stuff, HTTPS lock status, no pornhub for you!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw783 

Rob "Mubix" Fuller comes on the show to talk about penetration testing, what's changed over the years? He'll also discuss "Jurassic Malware" and creating games in your BIOS.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw783 

STM32 boards, soldering, decapping chips, RTOS development, lasers, multiple flippers and for what you ask? So I can be alerted about a device I already know is there. The Flipper Zero attracted the attention of news outlets and hackers alike as people have used it to gain access to restricted resources. Is the Flipper Zero that powerful that it needs to be banned? This is a journey of recursion and not taking “no” for an answer. Kailtyn Hendelman joins the PSW crew to discuss the Flipper Zero and using it to hack all the things.

Flipper resources: * [Changing Boot Screen Image on ThinkPad's UEFI](https://www.youtube.com/watch?v=kvqZRTMAlMA -Flipper Zero) *

[A collection of Awesome resources for the Flipper Zero device.](https://github.com/djsime1/awesome-flipperzero) *

[Flipper Zero Unleashed Firmware](https://github.com/DarkFlippers/unleashed-firmware) - This is what Paul is using currently. *

 [A maintained collective of different IR files for the Flipper!](https://github.com/UberGuidoZ/Flipper-IRDB) - Paul uses these as well. *

[Alternative Infrared Remote for Flipperzero](https://github.com/Hong5489/ir_remote)

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw782

In the Security News: SSDs use AI/ML to prevent ransomware (And more buzzword bingo), zombie servers that just won't die, spectral chickens, side-channel attacks, malware-free cyberattacks!, your secret key should be a secret, hacking smart TVs with IR, getting papercuts, people still have AIX, ghosttokens, build back better SBOMs, Salsa for your software, Intel let Google hack things, and they found vulnerabilities, and flase positives on your drug test, All that and more on this episode of Paul’s Security Weekly.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw782 

In the security news: Blizzards, Sleet, Typhoons, Sandstorms and Tsunamis, masking your car stealing tech in a Nokia phone, kill -64, Google doesn't want to fix an RCE, hijacking packages, monitoring macs, beating Roulette, lame advice from Microsoft, are post-authentication vulnerabilities even vulnerabilities?, Ghosts, burpgpt, and do you trust Google? All that and more on this episode of Paul’s Security Weekly.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw781 

We will talk about Supply chain security, the TPM 2.0 vulnerabilities recently discovered by a Quarkslab researcher, bugs in reference implementations, vulnerability disclosure and perhaps various other topics.

Segment Resources:

Vulnerabilities in the TPM2.0 reference implementation

 https://blog.quarkslab.com/vulnerabilities-in-the-tpm-20-reference-implementation-code.html

Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors

https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html

Heap memory corruption in ASN.1 parsing code generated by Objective Systems Inc. ASN1C compiler for C/C++

 https://github.com/programa-stic/security-advisories/blob/master/ObjSys/CVE-2016-5080/README.md

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw781 

In the security news, FBI seizes one of the biggest stolen credential markets, Is catching ransomware the baseline for detection and response? Potential outcomes of the US National Cybersecurity Strategy, Thieves are using headlights to steal cars, China wants to censor generative AI, Tesla sued for snooping on owners through built-in cameras, All that and more, on this episode of Paul’s Security Weekly.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw780

Imagine an illness that requires surgery a few times a month and restricts your mobility. What would that do to your career? In our chat with Billy Boatright today, we'll find out how he not only switched careers despite his illness, he found an advantage in his weaknesses: he turned them into effective social engineering skills. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw780

In the Security News: Rorschach, QNAP and sudo, why bother signing things, why bother having a password, why bother updating firmware, smart screenshotting, TP-Link oh my, music with Grub2, byte arrays and UTF-8, what is my wifi password, Debian and systemd, opening garage doors, downgrade your firmware to be more secure, exploit databases, this is like a movie, unsolved CTFs, and Near-Ultrasound Inaudible Trojans! All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw779

The approach of cybersecurity workforce development and how someone with such technical background come to designing a degree program with non-traditional approach. What it takes to keep it going?

Segment Resources:

https://go.boisestate.edu/ucore

https://go.boisestate.edu/gcore

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw779

In the Security News: Turning traffic lights green with the flipperzero (and a bunch of other hardware), suspending AV and EDR, Test signing mode, Linux control freaks, hacking the Apple Studio Disaply, Intel;s attack surface reduction claim, the truth about TikTok that everyone is missing, just stop developing AI, but only for 6 months, anyone can connect to Amazon's wireless network, revoking the wrong things, losing your keys, the funny, not-so-funny things about firmware encryption, and exploding thumb drives. All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw778

How to get into reversing embedded firmware? Can the planet really be hacked? We'll go over a couple of fun exploitation examples, see what mistakes were made and maybe what could have been done better to make these devices tougher to break into.

Segment Resources:

Voip phone hacking: Blog: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/avaya-deskphone-decade-old-vulnerability-found-in-phones-firmware/

Def Con presentation (intro to hardware hacking): https://www.youtube.com/watch?v=HuCbr2588-w&ab_channel=DEFCONConference

Medical Research: BBraun infusion pump: https://www.youtube.com/watch?v=6agtnfPjd64&ab_channel=hardwear.io

Medical devices under attack: https://www.rsaconference.com/USA/agenda/session/Code%20Blue%20Medical%20Devices%20Under%20Attack

Hacking DrayTek routers: https://www.youtube.com/watch?v=CD8HfjdDeuM&ab_channel=Hexacon

Philippe's public work: https://github.com/philippelaulheret/talks_blogs_and_fun

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw778

In the Security News: Windows MSI tomfoolery, curl turns 8...point owe, who doesn't need a 7" laptop, glitching the ESP, your image really isn't redacted or cropped, brute forcing pins, SSRF and Lightsail, reversing D-Link firmware for the win, ICMP RCE OMG (but not really), update your Pixel and Samsung, hacking ATMs in 2023, breaking down Fortinet vulnerabilities, Jamming with an Arduino, it 315 Mega hurts, analyzing trojans in your chips, and the 4, er 1, er 3, okay well how to suck at math and the 4 Cs of Cybersecurity! All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw777

We sit down with Nico Waisman to discuss vulnerability research and other security-related topics!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw777

In the security news: AI on your PI, no flipper for you, stealing Tesla's by accident, firmware at scale, the future of the Linux desktop, protect your attributes, SOCKS5 for your Burp, TPM 2.0 vulnerabilities, the world's most vulnerable door device and hiding from "Real" hackers, sandwiches, robot lawyers, poisonis epipens, and profanity in your code! All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw776

Software supply chain attacks, those in which hackers target the "water supply" of software are on the rise. This makes software developers everywhere valid targets. We will discuss the developer perspective on software supply chain attacks.

Segment Resources:

https://in-toto.io

https://sigstore.dev

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw776

In the Security News: Using HDMI radio interference for high-speed data transfer, Top 10 open source software risks, Dumb password rules, Grand Theft Auto, The false promise of ChatGPT, The “Hidden Button”, How a single engineer brought down twitter, Microsoft’s aim to reduce “Tedious” business tasks with new AI tools, The internet is about to get a lot safer, All that, and more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw775

Tune in to ask our PSW hosts anything you want to know! Join the live discussion in our Discord server to ask a question. Visit securityweekly.com/discord for an invite!

Larry Pesce, Jeff Man, Tyler Robinson, and more will be answering your questions, including:

• What is your advice on avoiding burnout? 
• If each of the hosts had to be a distribution of Linux, which one would each of them be?
• Which host is the worst influence?
• Why is security so hard?
• Will any of you be at RSAC this year and where can we come see you?
• What current projects are you working on?

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw775

In the Security News for this week: indistinguishable classifiers, screenshot the /etc/passwd file, what the Zimbra, couple of cool Burp plugins, my voice is my passport. verify me, software is harder to exploit, unless its in firmware, when ChatGPT writes an article, becoming a trusted installer, not the last breach for lastpass, getting fried at the charger, and why hackers love stickers!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw774

Barracuda published its 2023 Email Security Trends report that shows how email-based security attacks affect organizations around the world. 75% of the organizations surveyed for the report had fallen victim to at least one successful email attack in the last 12 months, with those affected facing average costs of more than $1 million for their most expensive attack. 23% said that the cost of email-based attacks has risen dramatically over the last year.

Segment Resources:

 https://assets.barracuda.com/assets/docs/dms/2023-email-security-trends.pdf

This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw774

In the Security News: If it can run Linux, it should, TikTok thefts, significant vulnerability findings, and I'm not even joking, typo squatting is lame, what will it take Bruce!, stealing from the TPM, GoAnywhere, including root, what if attackers targeted your yacht?, two for the price of one (exploits), X is really old, and vulnerable, come for a ride on a CHERI-OT and be memory safe, codebreaking old letters, and vulnerable wienermobiles! All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw773

Zero Trust is the buzzword of the 2020’s. Vendors are selling it, the US Federal Government is requiring it, and organizations are implementing it, but what does it really mean (I mean really beyond the hype)? In this segment, Paul and Ron will talk ways combat threats through people, process, and technology Zero Trust Risk Management.

Segment Resources:

Forrester Research Zero Trust blogs: https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/

Ron Woerner YouTube: https://www.youtube.com/user/ronw68123

VetSec: https://veteransec.org/

Free CISSP Training Program: https://frsecure.com/cissp-mentor-program/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw773

In the Security News: VMware and Ransomware makes you want to run some where, double-free your OpenSSH, download the RIGHT software, you have Docker, I have root, we don't talk about CORS, to vulnerability or not to vulnerability, vulnerability risk scoring, a matter of perspective, very persistent Cisco attacks, running UPNP without all the protections, overflowing a buffer in your bootloader over HTTP, C can be memory safe (but developers will still screw it up), and lasers, microwaves, satellites and the Sun! All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw772

Linux systems are a collection of free and Open Source software-- some packaged by your distro, some built from source. How do you verify that your upstream isn't polluted by bad actors?

Segment Resources:

https://github.com/evilsocket/opensnitch

 https://securityonionsolutions.com/software/

https://deer-run.com/users/hal/

 https://archive.org/details/HalLinuxForensics

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw772

In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinkgs he's some sort of hero, sh1mmer your chromebook, and superconductive magic angle graphene!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw771

In a recent survey on purple teaming, 89 percent of respondents who had used the method deemed purple teaming activities “very important” to their security operations. Purple teaming exercises conducted regularly have the power to improve collaboration across teams, ensure issues are identified and remediated more proactively, and provide a means to measure progress over time. With all these benefits, why isn’t everyone doing it? Purple teaming doesn’t have to be such a heavy lift. With the right mindset and tools, any team can get started regardless of resources. This talk will highlight practical tips for getting started with purple teaming exercises and show off PlexTrac Runbooks, a platform designed to plan, execute, report, and remediate collaborative purple teaming engagements so teams can maximize their efforts and improve their security posture.

Segment Resources:

Learn more and book a demo: https://plextrac.com/securityweekly

More information on Runbooks: https://plextrac.com/platform/runbooks/

This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw771

This week in the Security News: GetVariable strikes again, attackers could blow up your computer remotely, escaping containers, null-dereferences and faulty evaluations, 31 new CPU vulnerabilities for AMD, a look into Chrome, santa, not-so-secure secure booting, and malware included!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw770

Open source is the bedrock of most of the world’s software today, so how to raise the floor on software quality across the industry? First, we need better tools to measure the trustworthiness of code based on objective measures, processes that encourage better security practices by developers, and tools and processes that encourage teamwork and shared responsibility for security. Several efforts are underway in major open source communities to address these issues. At the Open Source Security Foundation (OpenSSF), major companies, open source software maintainers, startup companies and government actors are working together to improve open source software supply chain security. Brian will share his view of this landscape, detail the work being done at the OpenSSF, show where those efforts are already bearing fruit, and demonstrate what you and your organization can (must!) do to participate in these efforts.

Segment Resources:

https://openssf.org/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw770

Then, in the Security News: In the security news: Do not panic about RSA encyption, the age old debate: Security vs. Compliance, Cold River, and no not the vodka although it has to do with Russia, the exploit party is happening and someone invited vulnerable drivers, ChatGPT being used to deploy malware, chip vulnerabilities impacting ARM: what you need to know, admin versus admin with Intel AMT and does password expiration help or hurt security?

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw769

Over the last few years, the trend to use Open Source has been migrating into safety-critical applications, such as automotive and medical, which introduces system-level analysis considerations. In a similar fashion, these components are now being considered for the evolution of critical infrastructure systems. In the US, security concerns have prompted some emerging best practices, such as increased transparency of components, via software bill of materials (SBOMs), but this is not the only aspect to keep in mind.

Segment Resources:

* https://www.linux.com/featured/sboms-supporting-safety-critical-software/

* https://elisa.tech/

* https://www.zephyrproject.org/

* https://spdx.dev/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw769

In the Security News: The Roblox prison yard, password manager problems, PyTorch gets torched with a supply chain attack, Oppenheimer cleared, Puckungfu, spice up your persistence with PHP, turning Google home into a wiretap device, Nintendo 3DS remote code execution, Linux kernel remove code execution, steaking cards in 2022 - The API way, and there is no software supply chain... and more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw768

This session explores software supply chain security and the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology – for evaluating suppliers, supplies, and service offerings alike – that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices.

Segment Resources:

- https://sot.mitre.org/overview/about.html

- https://shiftleft.grammatech.com/automating-supply-chain-integrity

- https://www.reversinglabs.com/conversinglabs/robert_martin_mitre_software_supply_chain_system_of_trust

- https://www.mitre.org/sites/default/files/2022-11/PR-22-01488-20-cybersecurity-benefits-of-sbom-september-2022.pdf

- https://www.mitre.org/sites/default/files/2021-11/prs-21-0278-deliver-uncompromised-securing-critical-software-supply-chain.pdf

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw768

This week, we round out the Holiday Special 2022 with a special guest appearance by Ed Skoudis, where he joins to fill us in on the Holiday Hack Challenge! Then, an utterly chaotic session of security news to close out 2022!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw767

How well do you know your hacker history and trivia? See how you compare to our hosts as we tackle hacker trivia live on the air! Categories will include hacker movies, hacker history, and hacker tools.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw767

Without question, we need more people working in cybersecurity today. Our culture has come a long way to be more open and inviting to new folks, but we still have a lot of work to do. What can you do if you want to break into the field of cybersecurity today? While there is no shortage of resources our experienced hosts will offer their thoughts, opinions, and advice on how you can become the next cybersecurity pro!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw767

While we most likely do not believe that penetration testing is dead it continues to evolve over time. What do penetration tests look like today? Have they become more or less specialized? What is the continuing value of penetration testing? With development and IT moving so fast, how have penetration tests adapted? This discussion will dive into the details of penetration testing today and provide you with a guide to make the most of this activity.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw767

In the Security News: ping of death returns, remembering when the Internet disconnected if your Mom picked up the phone, a 500-year-old cipher is cracked, VLC is always up-to-date, SIM swapper goes to prison, Rust is more secure but your supply chain is not, if you pwn the developer you win, you have too many security tools, Chrome zero days are not news, Log4Shell what changed?, Hive social again, ChatGPT, there's a vulnerability in your SDK, and it takes 3 exploits to pwn Linux, All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw766

Eclypsium's research team has discovered 3 vulnerabilities in BMCs. Nate Warfield comes on the show to tell the full story! This has garnered much attention in the press:

* Original research post: https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/

* https://www.securityweek.com/security-flaws-ami-bmc-can-expose-many-data-centers-clouds-attacks

* https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html

* https://therecord.media/three-vulnerabilities-found-in-popular-baseboard-software/

* https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-impact-servers-from-amd-arm-hpe-dell-others/

* https://duo.com/decipher/trio-of-megarac-bmc-flaws-could-have-long-range-effects

* https://www.csoonline.com/article/3682137/flaws-in-megarac-baseband-management-firmware-impact-many-server-brands.html

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw766

Is there still a network or has it slipped away from us entirely? What about efforts for localization because people do not trust the cloud, its providers or its reliability (ala Twitter vs. the Fediverse?). Do you still need actual hardware firewalls? What about VPNs? How long will these devices still be around as everyone goes to the cloud and SDWAN technologies? And what about identity? If you can nail identity, doesn't that set you up to be a cloud-first organization? Join us for a discussion with Sinan and the security weekly hosts as we tackle these questions!

This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw766

We are joined by Josh and Kurt from the amazing Open Source Security Podcast! We're talking about supply chain risks, threats and vulnerabilities in this segment!

Segment Resources:

https://opensourcesecurity.io/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw765

This week in the Security News: When you just wanna hurl, malicious containers, FCC bans stuff, these are not the CVE's you're looking for, Linux password mining, mind the gap, hacking smart watches, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw765

In the Security News: Stealing Mastodon passwords, reporting vulnerabilities in open-source privately, labeling does not solve problems, or does it? will it every get patched? geolocating people from photos, no meta-data required, update your firmware on Linux, hacking flow computers, when a driver isn't really a driver, well, its a driver, but not the one you may be thinking of, oops I leaked it again, misconfiguration leads to compromise, harden runner, guard dog and hacking spacecraft via Ethernet!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw764

Navigating the UEFI waters is treacherous. While UEFI has become the standard on most PCs, servers, and laptops, replacing legacy BIOS, it is a complex set of standards and protocols. Jesse joins us to help explain how some of this works and describe how vulnerabilities, specifically with SMM, can manifest and be exploited.

Segment Resources:

[CHIPSEC GitHub] https://github.com/chipsec/chipsec 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw764

In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC, Bring your own domain controller, application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and its all about the company you keep.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw763

Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams.

Segment Resources:

Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/

Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/

This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw763

In the Security News: last year's open source is tomorrow's vulnerabilities, RepoJacking, I feel like there will always be authenitcation bypass, super charge your hacking, do you have your multipath, RC4 and why not to use it, here's the problem with vulnerability scanners, packages and expired domains, initrd should not be trusted, Apple kernels, oh and did you hear there is a vulnerability in OpenSSL!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw762

Blenster comes on to talk about the Maker Movement, Hackerspaces, community and inclusive cultures, intentionality and kindness as a social cheat code, the right to repair movement, and using tools like the arduino/raspberry Pi to bring your projects to the next level!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw762

This week in the Security News: rethinking vulnerability severity, exploiting the hacker tools, Microsoft "fixes" the vulnerable driver problem, its what you do with the data that matters, what is comprehensive security, deconflictions, moles are always a problem, checking the certs, oh and there is a vulnerability in OpenSSL, well at least one that we know of, currently!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw761

In this segment, we are going to discuss linux security and using the Rust programming language with an Offensive MindSet, and our guest Charles Shirer!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw761

This week in the Security News: A Security Maturity Model for Hardware Development, Palo Alto Networks fixed a high-severity auth bypass flaw in PAN-OS, New UEFI rootkit Black Lotus offered for sale at $5,000, What are SBOMS, & Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw760

Chris Crowley, SOC-Class Course Author, SANS Senior Instructor, and Consultant at Montance® LLC, joins PSW to discuss SOC training and development best practices, including insights from the SANS annual SOC survey.

This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw760

Michael Meis, associate CISO at the University of Kansas Health System, joins PSW to discuss how the history of warfare has influenced modern-day cybercrime and how cyber leaders can shift to a victory mindset.

This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw760

This week in the Security News: The secrets of Schneider Electric’s UMAS protocol, Pixel 6 bootloader: Emulation, Securing Developer Tools: A New Supply Chain Attack on PHP, Microsoft Exchange double zero-day – “like ProxyShell, only different”, Tech Journalists Offered Bribes to Write Articles for Major Outlets, & Detecting Deepfake Audio!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw759

As Vice President of Threat Research & Intelligence at BlackBerry, Ismael Valenzuela leads threat research, intelligence, and defensive innovation. Ismael has participated as a security professional in numerous projects around the world for over the past two decades. In this episode, Ismael discusses his journey to become a top cybersecurity expert. We also explore the cybersecurity trends he and his team are seeing, and how cyber attackers are gaining a foothold and maintaining persistence.

Segment Resources:

https://www.blackberry.com/us/en/company/research-and-intelligence

https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger

https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw759

In the Security News: deep access, dell drivers for the win, detecting deep fakes with acoustic tracking, exchanging 0days, I got 99 embedded firmware security problems, executing in SMM, secure boot to the rescue, automation or a crappy pen test, PHP supply chain attacks, pig butchering, fake profiles, & bribing journalists!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw758

Red Balloon Security CEO Ang Cui has spent over a decade looking into the most critical devices supporting our infrastructure. He explains why the insight that launched his company still holds true, and what it will take for security experts, manufacturers and end users to resolve our insecure stasis.

Segment Resources:

https://redballoonsecurity.com/

https://ofrak.com/

https://github.com/redballoonsecurity/ofrak

https://redballoonsecurity.com/def-con-30-badge-fun-with-ofrak/

https://www.wired.com/story/ofrak-iot-reverse-engineering-tool/

https://www.bloomberg.com/news/articles/2022-01-11/researchers-show-how-hackers-can-cut-the-lights-with-rogue-code

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw758

This week, we're joined by Casey Ellis to discuss a Telco breach from a land down under, UK government sits out bug bounty boom but welcomes vulnerability disclosure, Karakurt Data Extortion Group, Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack, being caught with your pants down, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw757

Hackers rarely break through crypto or exploit fancy zero days. Most of the time they simply login using stolen credentials. Managing passwords, keys and other forms of secrets does not work at scale. In this segment we’ll look into a more radical approach to infrastructure security: getting rid of secrets entirely and moving to access control based on physical properties of humans and machines.

This segment is sponsored by Teleport. Visit https://securityweekly.com/teleport to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw757

In the Security News: Bloodhound's blind spots, Interactable Giraffe, don't use open-source, it has too many vulnerabilities, MFA fatigue, tamper protection, use-after-freedom, how not to do software updates, hacking gamers, stealing Teslas, safer Linux, trojan putty, there's money in your account, game leak makes history, GPS jammers, Uber blames LAPSUS, spying on your monitor from a zoom call, next-generation IPS with AI and ML for zero day exploit detection, 3D printed meat, and what to do when the highway is covered with what is usually kept in the nightstand...

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw756

Sinan Eren, the VP of Zero Trust at Barracuda joins to discuss various aspects of MFA Fatigue & Authentication with the PSW crew!

Segment Resources: https://assets.barracuda.com/assets/docs/dms/NetSec_Report_The_State_of_IIoT_final.pdf

This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw756

In the Security News: you liked the browser so much we put a browser in your browser, hackers are using sock puppets, the patch that kills performance, detect eavesdroppers, no more passwords, one-click account hijack thanks to JavaScript, the return of Shakata Ga Nai, GIFShell (or is it jifshell), Lexmark firmware confusion, and searching for a long lost copy of OS/2!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw755

Analyst burnout and the talent shortage are creating environments where teams are stressed out, overwhelmed, and frustrated. Security Operations managers (or anyone managing teams of security analysts) must empower their analysts with solutions that can make them more effective at their job. No-code automation is the ultimate solution to do that.

Segment Resources:

https://www.tines.com/reports/voice-of-the-soc-analyst/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw755

In the Security News: Lastpas breach, long live John McAfee, Macs getting fewer updates, CPE correlating to CVE, clicky clicky hacks, anti-cheat is not anti-hack, new LVFS release, $8 million zero day, don't sign crappy code, a very handy PI and a site that lets you send poop anonymously is hacked (it was a pretty crappy exploit)!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw754

Training and education is a constant conversation within the cybersecurity community, but it doesn't have to be a hard problem to solve. We will discuss how to bring both valuable and actionable information into the industry and how that makes an impact, even in unexpected ways -- for better or for worse.

Segment Resources:

https://youtube.com/johnhammond010

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw754

This week in the Security News: Crypto Miners Using Tox P2P Messenger as Command and Control Server, 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe, & Janet Jackson music video given CVE for crashing laptops, & more!

Segment Resources:

Use code "securityweekly" to save 10% off Hack Red Con tickets at https://www.hackredcon.com/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw753

There's a lot of worry about "fakes" especially in a world rapidly adopting AI/ML, so it's time for solutions. "Solid" is the W3C open standard, extending HTTPS, to upgrade the Web with security paradigms that solve for data integrity. Distributed systems naturally break through digital moats, free control through proper ownership, thus helping expand and achieve the best of the Internet.

Segment Resources:

https://solidproject.org/

https://github.com/inrupt

https://www.flyingpenguin.com/?p=29523

https://alltechishuman.org/davi-ottenheimer

https://www.schneier.com/blog/archives/2020/02/inrupt_tim_bern.html

https://events.inrupt.com/dublin

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw753

Larry, Doug, Lee, Josh, and Chris Blask cover the security news!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw752

We don’t like it, but the hopeful internet we envisioned doesn’t look much like the internet as it exists today. Online conflict is widespread and at times the internet hurts more than it helps. In this podcast, we’ll discuss ways to inform today’s enterprise defense by better understanding strategy, tactics and operational art from government influence operations, electronic warfare, and cyberspace operations.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw752

We welcome the infamous Eclypsium security researchers Mickey and Jesse to talk about Secure Boot vulnerabilities. They walk us through the history of Secure Boot, how it works, previous research they've performed ("Boothole"), and some details on their current research presented at Defcon this year in a talk titled "One bootloader to rule them all". 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw751

In the Security News, key fob hacks and stealing cars, the best Black hat and defcon talks of all-time, open redirects are still open, the keys to decrypt the wizard of oz are in a strange place, why the Linux desktop sucks, why businesses should all switch to Linux desktops, SGX attacks, let me send you an Uber to take you to the bank, 27-factor authentication, start your management engines, and guess what, your DMs are not private and you should have used Signal.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw751

In the Security News: when hackers are not behind and outage, when hackers are behind re-routing traffic, neat pseudo-keystroke loggers, when XSS leads to code excution, TLS inside, post-quantum encryption that doesn't hold up to pre-quantum computers, Lockbit loading Cobalt Strike using Windows Defender, we love authentication bypass, and impress your co-workers with my Linux command of the week, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw750

Guy will go through some of his career choices that eventually led to 25 years in a long and fun career in information and cybersecurity. Infosec has been a fascinating and challenging field which anyone can learn through training and some of the excellent YouTube videos.

Segment Resources:

http://handlers.sans.org/gbruneau/

https://isc.sans.edu/handler_list.html#guy-bruneau

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw750

In the Security News FreeBSD and the software supply chain, open-source implies that its open, hardcoded passwords are always bad, on-again, off-again, on-again, privilege escelation defined, preparing for quantum, so many vulnerabilities, CosmicStrand another UEFI firmware rootkit, & reviving ancient computers!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw749

We’ve heard about the recent abuses for Apple’s AirTags used in tracking and stalking issues in recent months. While tools exist for detection under the Apple ecosystem, limited options exist for Android and none under Linux. We’ll explore the AirTag beacons and showcase some tools for detecting beacons and creating our own for testing under Linux. We’ll also show some ways to take our methods even further as an exercise left unto the reader.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw749

In the Security News for this week: heat waves and outages, GPS trackers are vulnerable, cracks in the Linux firewall, bas password crackers, microcode decryptors, SATA antennas, Okta vulnerabilities not vulnerabilities, updates on former CIA agent and Vault 7 leaks, decompiler explorer, and Tuxedo brings to market a liquid cooled laptop, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw748

We are thrilled to welcome Lesley (@hacks4pancakes) back to the show! In this segment, we'll dig into some ICS security topics including some recent threats, monitoring ICS networks for security, incident response for ICS, and more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw748

In the Security News for this week: Raspberry Pi Pico W Adds Wireless, Apple expands commitment to protect users from mercenary spyware, UK health authorities slammed for WhatsApp use in pandemic, Three UEFI Firmware flaws found in tens of Lenovo Notebook models, & a Hack Allows Drone Takeover Via ‘ExpressLRS’ Protocol!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw747

Andy will explain the origin story of BloodHound, as well as where the project is today and where it's going in the future. Andy will also share his current research surrounding Azure attack paths.

Segment Resources:

https://github.com/BloodHoundAD/BloodHound

https://medium.com/p/82667d17187a

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw747

This week in the Security News: Chaining Zoom bugs is possible to hack users in a chat by sending them a message, Microsoft vulnerabilities down for 2021, CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog, Using NMAP to Assess Hosts in Load Balanced Clusters, Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw742

John will go through his mostly random career choices that led to a long and fun career in information/cybersecurity - and how that ties into today's demand to secure the increase complex supply web of chains.

Segment Resources:

SANS Cyberstart initiative - https://www.cyberstartamerica.org/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw742

In the Security News for this week: ICS training bill, 5 myths, VoIP devices and ransomware, miracle exploits, UnRAR and Zimbra, guess what the most common weakness is, security at the device level is NOT simple, keys to the kingdom, and HP says Destructive firmware attacks pose a significant threat to businesses!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw746

Veteran cybersecurity journalist and author Joseph Menn, now at the Washington Post, talks about his books and the best reporting on hacking and defense today. Since he began writing on the subject in 1999, Menn has broken some of the biggest stories in the industry and written two of most widely read books in the Cybersecurity Canon.

Segment Resources:

https://www.amazon.com/Joseph-Menn/e/B001HD1MF6%3Fref=dbs_a_mng_rwt_scns_share https://www.washingtonpost.com/technology/2022/05/01/russia-cyber-attacks-hacking/

https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/ https://www.reuters.com/article/us-usa-security-rsa/exclusive-secret-contract-tied-nsa-and-security-industry-pioneer-idUSBRE9BJ1C220131220

https://www.reuters.com/article/microsoft-china/insight-microsoft-failed-to-warn-victims-of-chinese-email-hack-former-employees-idUKL1N14I1LU20151231

https://www.wired.com/story/cult-of-the-dead-cow-at-stake-hackers-excerpt/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw746

In the Security News for this week: appliances with holes, gamification and its pitfalls, false rocket sirens, PHP strikes again, new laws we may actually agree with, hacking jacuzzis, Icefall and the state of ICS security, Adobe is blocking anti-virus, Mega is Mega insecure, Microcorruption CTF and DIY NSA playset!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw745

Many people think security is too difficult to learn because it is such a big field, and constantly growing. But it's endlessly fascinating and surprising, once you learn some fundamentals and get used to feeling stupid. My task is to help people get started, and learn how to appreciate this complex and challenging topic.

Segment Resources:

https://samsclass.info/

https://infosecdecoded.com/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw745

This week in the Security News: Big DDOS, tracking smartphones, play Doom in your BIOS, hertzbleed, Apple M1 vulnerability, who will buy NSO, spoof your location data, building system attacks, and a hacker's revenge!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw744

Michigan has a group of volunteers who assist local governments and public services with incident response. The program is relatively mature, and will be presented (along with those of Ohio and Wisconsin) at the upcoming National Governors Association Cybersecurity Summit. Come hear the interview and scoop the governors!

Segment Resources:

Our home page http://micybercorps.org

Our supporting legislation https://www.legislature.mi.gov/documents/mcl/pdf/mcl-Act-132-of-2017.pdf

Our partner organization https://www.michigan.gov/dtmb/services/cybersecurity/cyber-partners

Key article in moving our development forward - https://warontherocks.com/2018/01/estonias-approach-cyber-defense-feasible-united-states/

An article with more info https://www.lawfareblog.com/bridging-state-level-cybersecurity-resources

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw744

This week in the Security News: Analyzing chat logs with Python, consumer reports for IoT, hypothetically BS, the year of the Linux desktop and the year of Linux malware are the same, do you trust Google to tell you open-source software is secure?, Twitter fines, WSL attack vector, Follina, UK Government still won't pay a bounty, and ransomware that makes you a better person!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw743

This segment will be an opportunity to discuss web application client-side security with subject matter expert Matt McGuirk from Source Defense. Modern web applications have a massive and misunderstood attack surface that exists within the webpages they serve. Potential discussion topics: - A visual overview of the problem - A simulated client-side attack - How to evaluate client-side risk on a given web site - What technologies are available to defend against client-side attacks - Historical case studies of landmark attacks

Segment Resources:

"Magecart 101" - a courseware-style overview of the problem for security practioners: https://www.youtube.com/watch?v=T4al8idAE_M

A quick five minute explainer on the problem and Source Defense's solution: https://www.youtube.com/watch?v=f8MO45EQcKY

Source Defense's brand new (as of 5/25/22) "State of the Industry" report for client-side security: https://info.sourcedefense.com/third-party-digital-supply-chain-report-white-papere

This segment is sponsored by Source Defense. Visit https://securityweekly.com/sourcedefense to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw743

In the Security News for this week: Singapore launches safety rating system for e-commerce sites, Watch Out for Zyxel Firewalls RCE Vulnerability, New Bluetooth hack that can unlock your Tesla, Hackers Compromise a String of NFT Discord Channels, a pentester’s attempt to be ‘as realistic as possible’ backfires, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw741

In this segment Saumil Shah joins us for a discussion on Firmware Security, complete with a fascinating first-hand demonstration!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw741

The past year has been filled with incredible changes in the cyber security landscape from ICS, Mobile, Cloud, and increased threats from Ransomware. This discussion will focus on crucial and quick discussions surrounding the cyber landscape that has changed quickly and forced organizations to consider revamping many of their policies and preparations. Join us for a humorous, and insightful journey back over the past year filled with examples for practitioners, organizations, and those just starting in cyber security.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw741

In the Security News for this week: Colonial Pipeline facing $1,000,000 fine, cybercrime tracking bill signed into law, Lincoln College Set to Close After Crippling Cyberattack, Nvidia’s LHR limiter bypassed, & North Carolina Becomes the First State to Prohibit Public Entities from Paying Ransoms!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw740

In-depth look at destructive malware and other threats the Barracuda team has been monitoring that you need to be aware of.

This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw740

In the Security News for this week: Lessons from Star Wars on threats, more than just your thermal exhaust port, Pegasus spotted again, Python replaces JavaScript?, Read-Only containers, no problem for malware, breaking out of captive portals, its always DNS, except when its not DNS, but this time its DNS and uClibc, you are ordered to block these sites, ransomeware still hurts, DoD contractors remain vulnerable, hiding in network appliances, QUIETEXIT, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw739

Especially ICS represents a significant exposure to property and business operations. A scientific research-based approach to loss prevention for traditional property perils can be applied to help protect companies from cyber risk to keep their businesses more resilient.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw739

This week in the Security News: Java’s “psychic paper”, Musk’s plans for Twitter’s algorithm, Bossware, What Google is getting wrong about expired domains, & NFT Tweet Auctions, Silk Road Seizures, 0-Days, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw738

Marcus Sachs, the Deputy Director for Research at the McCrary Institute for Cyber and Critical Infrastructure Security, joins to discuss his cryptography collection, service for the US Army & Government, Antique Typewriters, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw738

The need to communicate, collaborate and do business on a global level has created a proliferation of cloud based applications and services. Email. Cloud Storage. Messaging platforms. CRM. Digital Apps and Services. Organizations continue to add new cloud channels to support their business needs. But with new channels come new security blind spots that must be addressed. In this session we'll discuss:

Cyber attack trends in the collaboration channel ecosystem

The (yet) unsolved challenges of email security – the main channel of targeted attacks

The rising threat of cloud collaboration and the growing risk of content-borne attacks ...And we will walk though three use cases, their challenges and their deployments.

Segment Resources:

Request a demo and get a FREE coffee on us: https://hubs.la/Q0156lpK0

This segment is sponsored by Perception Point. Visit https://securityweekly.com/perceptionpoint to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw738

Logitech’s Lift is a vertical mouse that’s easier to grasp, CISA warns of attackers now exploiting Windows Print Spooler bug, Google tracked 58,exploited zero-day security holes in 2021, For Russian tech firms, QNAP urges customers to disable UPnP port forwarding on routers Putin’s crackdown ended their global ambitions, & Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw737

Considering that history has always had foreign legions, from Lord Byron fighting in Greece (well fighting might be a bit much), to For Whom the Bell Tolls, to the Flying Tigers, to the Layfayette Escadrille, foreign fighters have often entered war zones for a wide variety of reasons. Today, well, you can join up to a virtual cause and fight for whatever cause you are seeking and fight from the comfort of your own gaming chair. No selling your estates and dashing off to attack Lepanto, although you can do that too if you like. In this segment, we discuss, the computer fraud and abuse act, what it means to be a member of the foreign legion, and revisit the whole idea of hacking back as a security technique! 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw737

John Alfred is a retired Police Officer that directed a Computer Crimes unit for years. This segment will discuss how that unit got developed, what kinds of skills might be useful to develop in your own units, and what sorts of mistakes are often made trying to operate computer crimes units!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw737

This week in the Security News: Hackers have found a clever new way to steal your Microsoft 365 credentials, Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip, An update to Raspberry Pi OS Bullseye, Bearded Barbie hackers catfish high ranking Israeli officials, & Nginxday!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw736

Amanda Berlin joins us to discuss what she’s been up to since her last appearance on the show. It’s only been a couple of years, but a lot has changed in that time. Tune in to hear about what changes the pandemic brought to the vision and operations of Mental Health Hackers, and how they pivoted to a virtual environment during this time. The crew talks about their experience going from traveling to 15-20+ conferences a year, down to hardly any conferences during Covid, and what their future plans are now that in-person events are coming back around. Amanda fills us in on her current role at Blumira, other business ventures, and where you can find her speaking/running a village in the near future!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw736

Mike Wilkes CISO at SecurityScorecard joins us to discuss third party risk research!

This segment is sponsored by Security Scorecard. Visit https://securityweekly.com/securityscorecard to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw736

In the Security News for this week: Ransomware that was a breeze, getting an eyeful while charging your electric vehicle, scanning for secrets, find my iPhone is useful, WTF Apple moments and why I run Linux, Wyze is not very wise, stopping teen hackers, ranking endpoint detection, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw735

Jay comes on the show to talk about container and Kubernetes architecture and security (or lack thereof).

Segment Resources:

Peirates, a Kubernetes penetration testing tool: https://www.inguardians.com/peirates/

Free Kubernetes workshops: https://inguardians.com/kubernetes/

DEF CON Kubernetes CTF https://containersecurityctf.com/

Jay's Black Hat Kubernetes Attack and Defense Training https://www.blackhat.com/us-22/training/schedule/index.html#abusing-and-protecting-kubernetes-linux-and-containers-26473

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw735

Attackers are targeting the systems that control access. This includes Active Directory, Azure AD, and recently Okta. Once they have access to identity, attackers can move onto systems that provide access to data and persistence.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw735

This week in the Security News: Military intelligence, Chrome updates, an exploit for the firewall, racing the kernel, creepy spyware goes away?, weaponizing security complexity, same old tricks, the largest crypto hack, suing journalists, targeting your battery backup, the teenager behind Lapsus$, spring exploits just in time for spring, and hacking your Honda Civic, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw734

With an alarming increase in K-12 cybersecurity attacks, districts are considering new ways to protect their students and staff. With the need to increase the cybersecurity talent pipeline, the solution to the problem is much larger than just increasing protective technology measures to keep schools safe. Schools must also be proactive in training the next generation of cybersecurity experts.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw734

Mark is currently involved in building a security operations center for a large organization with an established infrastructure and teams already in place. In this chat, we'll explore the state of the SOC today, the challenges of building one, the reality versus expectations roles, what is SOAR'ing and not, and more. Tangential paths will likely be followed, as information security is fun to talk about in general!

Segment Resources:

http://www.securitybsides.com

https://www.bsidesdc.org

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw734

Check out our latest interview with our good friend Dave Kennedy! When not pumping iron Dave is hard at work understanding and implementing C2 infrastructure. TrevorC2 is a really cool framework that allows for some pretty stealthy C2 communications. Tune-in to learn more! 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw733

In the Security News: insiders inside NASA, BIND is in a bind again, Lapsus$ is on a tear, ripping at Microsoft and Okta, anonymous hacks printers, The UEFI security rabbit hole goes DEEP, Microtik and Tickbot, Browser-in-the-Browser attacks, Nestle gets attacked for not wanting to hurt babies, just another sabotage, & more! 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw733

With all of your focus and investment on 3rd party risk management, there is likely still a blind-side that remains unaddressed. It is an area that should be moved to the top of your priority list - both for its potential to cause material losses in the form of response costs and fines and judgements, and for the ease in which it can be mitigated. It is a risk introduced by the 3rd party vendors you rely upon (and the nth parties they work with) to power and enhance your website. The threat of JavaScript based attacks - click-jacking, digital skimming, formjacking, defacement, "Magecart" - exists for any organization collecting sensitive data or conducting transactions through their web properties. Attacks of this type have done damage to some of the biggest brands in the world - costing household names like British Airways tens of millions - and they happen by the hundreds per month. Already in 2022, we've seen headlines of major client-side attacks like the one that hit Segway - potentially impacting nearly a million consumers. This is an area of exposure introduced through your own code, and by your partners, that can only be addressed at the client-side. It remains widely unaddressed, as focus in website security to this point has been on securing the server side. Join us for an exploration of the threat of these attacks, real-world examples of the material impact they have caused, and dialogue on the approaches to mitigating this risk with pros and cons of each.

Segment Resources:

Our core whitepaper

https://info.sourcedefense.com/event/client-side-white-paper-2022?leadsource=White%20Paper

Blog on the blind side topic https://sourcedefense.com/resources/blog/wheres-the-blind-side-in-your-3rd-party-risk-its-on-the-client-side/

Free risk report on attendee's web properties https://sourcedefense.com/check-your-exposure/

This segment is sponsored by Source Defense. Visit https://securityweekly.com/sourcedefense to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw733