Security Weekly Podcast Network (Video)

Despite building up impressive security stacks in the Cloud, organizations are still struggling to keep their environments safe. Pentera recently introduced Pentera Cloud as the first tool to provide automated pentesting capabilities for cloud environments. This conversation will focus on the challenge of security validation and pentesting in the cloud, and how Pentera Cloud is redefining the speed and scale of pentesting in the cloud. This segment is sponsored by Pentera. Visit https://www.securityweekly.com/penterarsac to learn more about them! Jason Keirstead, Cyware's VP of Collective Threat Defense, takes us beyond the AI buzz in cybersecurity. While AI has tremendous potential for cybersecurity, Jason emphasizes its pragmatic and deliberate application to modernize security operations — not as a panacea but as a strategic ally in enhancing threat intelligence, response capabilities, and operational collaboration. We discuss the practical benefits and limitations of AI, offering insights into how security professionals can leverage AI to augment, not replace, human decision-making and creativity in the ongoing fight against cyber threats. This segment is sponsored by Cyware. Visit https://securityweekly.com/cywarersac to learn more about them! Anomali's AI-Powered Security Operations Platform is a cloud-native solution that delivers the industry's most comprehensive set of integrated and automated security functions. Anthony Aurigemma discusses how Anomali Copilot automates mundane tasks and enables better analytics and reasoning for today's security teams – automating half of an analyst's day, enabling them to focus on strategic work. With the ability to augment or replace legacy security systems, Anomali's Security Operations Platform helps security teams deliver intelligent, actionable, and accurate insights to their business. This segment is sponsored by Anomali. Visit https://www.securityweekly.com/anomalirsac to learn more about them! Show Notes: https://securityweekly.com/esw-361

The landscape of phishing attacks continues to rapidly evolve. In 2023, Zscaler ThreatLabz observed a year-over-year increase of 58.2% in global phishing attempts. This surge was characterized by emerging schemes, including voice phishing, recruitment scams, and browser-in-the-browser attacks. This segment is sponsored by Zscaler. Visit https://securityweekly.com/zscalerrsac to learn more about them! In today's complex world, organizations are challenged to modernize their network while also improving their security posture to support digital transformation initiatives. Tim Roddy will talk about what is driving the need for network transformation efforts and why organizations are moving to IAM and SASE (also known as Zero Trust Edge) solutions to support these efforts. He'll discuss the fast-growing SASE market and the demand for SASE delivered as a managed service due to talent shortages. This segment is sponsored by Open Systems. Visit https://securityweekly.com/opensystemsrsac to learn more about them! It's not rocket science, it's network security. And yet for many organizations, the road to securing employees and information often results in trade-offs to performance, agility, scalable services, and user experience. While first-generation SASE solutions promised companies a way out of this complexity, those early deployments failed to resolve the root causes of these growth pains--enter Unified SASE as a Service. Going beyond SASE learn what Unified SASE as a Service is and why you should care. This segment is sponsored by Aryaka. Visit https://securityweekly.com/aryakarsac to learn more about them! Show Notes: https://securityweekly.com/esw-361

Emerging threats are targeting organizations from seemingly every angle. This means security teams must expand their focus to secure as many domains as possible. OpenText is building on its holistic approach to cybersecurity with new innovations that make it easier for organizations to secure themselves against next generation threats. This segment is sponsored by OpenText. Visit https://securityweekly.com/opentextrsac to learn more about them! In reaction to the increasing potential of threat actors unaffected by the current state of cybersecurity measures and vulnerability management tools yielding "rarely actioned reports and long lists of generic remediations" as the attack surface continues to expand, Gartner has suggested a new program: CTEM - Continuous Threat Exposure Management. A continuous threat exposure management (CTEM) program is an integrated, iterative approach to prioritizing potential treatments and continually refining security posture improvements. Join Hive Pro's VP of Product Marketing and former Gartner Analyst, Zaira Pirzada to better understand: - The state of the current threat landscape - The SOC pain points - What Continuous Threat Exposure Management is and best practices to implement it This segment is sponsored by Hive Pro. Visit https://securityweekly.com/hiveprorsac to learn more about them! Traditional Managed Detection and Response (MDR) methods, centered on threat-based security, often miss the bigger picture of evolving cyber risks. This segment explores the shift towards a proactive, risk-based MDR approach, emphasizing the importance of anticipating and mitigating risks before they escalate into threats. We'll discuss the benefits of integrating risk management into security strategies and the key factors organizations should weigh when enhancing their cyber risk reduction efforts. This segment is sponsored by Critical Start. Visit https://securityweekly.com/criticalstartrsac to learn more about them! Show Notes: https://securityweekly.com/esw-361

Illuminating the Cybersecurity Path: A Conversation with Jeremiah Grossman Join us for a compelling episode featuring Jeremiah Grossman, a prominent figure in the cybersecurity landscape. As a recognized expert, Jeremiah has played a pivotal role in shaping the discourse around web security and risk management. Jeremiah's journey in cybersecurity is marked by a series of influential roles, including Chief of Security Strategy at SentinelOne and Founder of WhiteHat Security. With a focus on web application security, he has been a driving force in advocating for innovative approaches to protect organizations from cyber threats. In this episode, we explore Jeremiah's vast experience and delve into his insights on the ever-evolving cybersecurity challenges. From his early days as a hacker to his current position as a sought-after industry thought leader, Jeremiah shares valuable perspectives on the strategies and philosophies that underpin effective cybersecurity practices. As a pioneer in the field, Jeremiah has contributed significantly to the development of best practices for identifying and mitigating web-related vulnerabilities. Tune in to gain a deeper understanding of the evolving threat landscape and the proactive measures organizations can take to secure their digital assets. Whether you're a cybersecurity professional, tech enthusiast, or someone eager to comprehend the complexities of online security, this podcast with Jeremiah Grossman promises to be an illuminating exploration of the past, present, and future of cybersecurity. Show Notes: https://securityweekly.com/psw-828

In this RSAC 2024 South Stage Keynote, Mikko Hyppönen will look back at the past decade of ransomware evolution and explore how newer innovations, like AI, are shaping its future. Show Notes: https://securityweekly.com/psw-828

Tetris, APT42, Kimsuky, Android, ChatRTX, MITRE, Computer Dating, Josh Marpet, and more, on this Edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-384

We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss how organizations should approach the very different concepts of AI security and AI safety. Segment Resources: https://securing.dev/posts/hacking-ai-bias/ https://www.defense.gov/News/Releases/Release/Article/3659519/cdao-launches-first-dod-ai-bias-bounty-focused-on-unknown-risks-in-llms/ Show Notes: https://securityweekly.com/asw-284

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used. Segment resources: https://calebsima.com/2023/08/16/demystifing-llms-and-threats/ https://www.youtube.com/watch?v=qgDtOu17E&t=1s Show Notes: https://securityweekly.com/asw-284

Inspired by my co-host Jason Albuquerque, we dig into the hard part of our Say Easy, Do Hard segment. In part 2, we discuss how to train for a cyber instance. We'll cover the elements of a training program that will prepare you for responding to a cyber incident, including: Developing the training program Practice, practice, practice Imposing corrective actions Constantly evaluating/reviewing the success of the training program Show Notes: https://securityweekly.com/bsw-349

Inspired by my co-host Jason Albuquerque, this quarter's Say Easy, Do Hard segment is Train How You Fight. In part 1, we discuss the importance of training for a cyber incident. However, lots of organizations do not take it seriously, causing mistakes during an actual cyber incident. How will the lack of preparation impact your organization during an incident? Show Notes: https://securityweekly.com/bsw-349

Weird Al, Docker, OT, Gitlab, Credit Monitoring, Dropbox, Cisco, AI, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-383

It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Show Notes: https://securityweekly.com/esw-360

It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Building a Cyber Incident Response Plan This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them! Show Notes: https://securityweekly.com/esw-360

ChatGPT writes exploits, banning default and weak passwords, forget vulnerabilities just get rid of malware, IR blasting for fun and not profit, creating fake people, shattered dreams and passkey, and removing chips. Show Notes: https://securityweekly.com/psw-827

The Security Weekly crew discusses some of the latest articles and research in cryptography and some background relevant subtopics including the race against quantum computing, key management, creating your own crypto, selecting the right crypto and more! https://www.globalsecuritymag.com/keysight-introduces-testing-capabilities-to-strengthen-post-quantum.html https://malware.news/t/reversinglabs-hashing-algorithm/81418 https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/ https://www.finextra.com/newsarticle/44060/hsbc-and-paypal-tackle-quantum-safe-cryptography-in-payments https://blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/ https://blog.cryptographyengineering.com/2024/04/16/a-quick-post-on-chens-algorithm/ Show Notes: https://securityweekly.com/psw-827

Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Show Notes: https://securityweekly.com/asw-283

AI, Okta, Chrome, Quantum, Kaiser Permanente, FTC, FCC, NCSC, Josh Marpet, and more, are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-382

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privacy. Segment Resources: Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain https://research.esg-global.com/reportaction/515201781/Toc Show Notes: https://securityweekly.com/asw-283

In the leadership and communications section, The Board's Pivotal Role in Steering Cybersecurity, CISO-CEO communication gaps continue to undermine cybersecurity, The Essence of Integrity in Leadership: A Pillar of Trust and Excellence, and more! Show Notes: https://securityweekly.com/bsw-348

A hybrid workforce requires hybrid identity protection. But what are the threats facing a hybrid workforce? As identity becomes the new perimeter, we need to understand the attacks that can allow attackers access to our applications. Eric Woodruff, Product Technical Specialist at Semperis, joins Business Security Weekly to discuss those attacks, including a new attack technique, dubbed Silver SAML. Join this segment to learn how to protect your hybrid workforce. Segment Resources: https://www.semperis.com/blog/meet-silver-saml/&utmsource=cra&utmcampaign=bsw-podcast This segment is sponsored by Semperis. Visit https://securityweekly.com/semperis to learn more about them! Show Notes: https://securityweekly.com/bsw-348

This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Show Notes: https://securityweekly.com/esw-359

TikTok, Flowmon, Arcane Door, Brokewell, RuggedCom, Deepfakes, Non-Competes, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-381

We've talked about generative AI in a general sense on our podcast for years, but we haven't done many deep dives into specific security use cases. That ends with this interview, as we discuss how generative AI can improve SecOps with Ely Kahn. Some of the use cases are obvious, while others were a complete surprise to me. Check out this episode if you're looking for some ideas! This segment is sponsored by SentinelOne. Visit https://securityweekly.com/sentinelone to learn more about them! Show Notes: https://securityweekly.com/esw-359

This week the crew discusses: When TVs scan your network, bad things can happen, PuTTY is vulnerable, Crush FTP, vulnerabilities that will never be fixed, CVEs are for vulnerabilities silly, you can test for easily guessable passwords too, FlipperZero can steal all your passwords, more XZ style attacks, more reasons why you shouldn't use a smart lock, and your keystrokes are showing! Show Notes: https://securityweekly.com/psw-826

A clear pattern with startups getting funding this week are "autonomous" products and features. Automated detection engineering Autonomously map and predict malicious infrastructure ..."helps your workforce resolve their own security issues autonomously" automated remediation automated compliance management & reporting I'll believe it when I see it. Don't get me wrong, I think we're in desperate need of more automation when it comes to patching and security decision-making. I just don't think the majority of the market has the level of confidence necessary to trust security products to automate things without a human in the loop. The way LimaCharlie is going about it, with their new bi-directional functionality they're talking up right now, might work, as detections can be VERY specific and fine-grained. We've already seen a round of fully automated guardrail approaches (particularly in the Cloud) fail, however. My prediction? Either what we're seeing isn't truly automated, or it will become a part of the product that no one uses - like Metasploit Pro licenses. Show Notes: https://securityweekly.com/esw-359

On February 27, 2024, PCAST (President's Council of Advisors on Science and Technology) sent a report to the President with recommendations to bolster the resilience and adaptability of the nation's cyber-physical infrastructure resources. Phil was part of the team that worked on the report and comes on the show to talk about what was recommended and how we implement the suggestions. Show Notes: https://securityweekly.com/psw-826

CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Show Notes: https://securityweekly.com/asw-282

Robofly, CRUSHFTP, Github, Palo Alto, MITRE, Fancy Bear, Deepfakes, Aaran Leyland, and more, on this Edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-380

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship https://www.zaproxy.org https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts Show Notes: https://securityweekly.com/asw-282

The new SEC Cyber Security Rules require organizations to be ready to report cyber incidents. But what do you actually need to do? Mike Lyborg, Chief Information Security Officer at Swimlane, joins Business Security Weekly to discuss how to prepare. In this interview he'll discuss the key element of your preparation, including: Quantification Materiality Evidence Disclosure Show Notes: https://securityweekly.com/bsw-347

Since 2016, we been hearing about the impending impact of CMMC. But so far, it's only been words. That looks to be changing. Edward Tourinsky, Founder & Managing Principal at DTS, joins Business Security Weekly to discuss the coming impact of CMMC v3. Edward will cover: The background of CMMC Standardization of CMMC CMMC v3 changes and implementation timelines Best practices to prepare Segment Resources: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program https://www.forbes.com/sites/forbesbusinesscouncil/2024/02/13/the-department-of-defenses-cmmc-requirement-and-what-it-means-for-american-businesses/?sh=7ccbc268b7b5 https://consultdts.com/demystifying-the-cmmc-rule-a-breakdown-of-proposed-regulation/ Show Notes: https://securityweekly.com/bsw-347

Win 95, Cheat Lab, LastPass, Kubernetes, Sandworm, Bloomtech, Frontier, 911, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-379

This week, Adrian and Tyler discuss some crazy rumors - is it really possible that a cloud security startup valued at over $8 billion in November 2021 just got bought for $200 million??? Some healthy funding for Cyera and Cohesity ($300m and $150m, respectively) Onum, Alethea, Sprinto, Andesite AI, StrikeReady, YL-Backed Miggo, Nymiz, Salvador Technologies, and Simbian all raise smaller seed, A, or B rounds. Akamai picks up API security startup, Noname Security, Zscaler picks up Airgap networks, and it's rumored that Armis will acquire Silk Security for $150M. LimaCharlie seems to be doing some vertical growth, adding its own response and automation capabilities (what they call "bi-directional" capabilities). CISA releases a malware analysis system to the general public. Boostsecurity.io releases "poutine", an open source CI/CD pipeline vulnerability scanner. Some great essays this week, with Phil Venables' Letter from the Future, Ben Hawkes' Robots Dream of Root Shells, and Aileen Lee's 10 year Unicorn anniversary piece. We briefly discuss the 3rd party breach that affected Cisco Duo customers, and the financial impact of Change Healthcare's highly disruptive ransomware incident. Finally, we talk about the latest research on the security of LLMs and the apps using them. It's not looking great. For more details, check out the show notes here: https://www.scmagazine.com/podcast-episode/3188-enterprise-security-weekly-358 Show Notes: https://securityweekly.com/esw-358

Protecting a normal enterprise environment is already difficult. What must it be like protecting a sports team? From the stadium to merch sales to protecting team strategies and even the players - securing an professional sports team and its brand is a cybersecurity challenge on a whole different level. In this interview, we'll talk to Joe McMann about how Binary Defense helps to protect the Cleveland Browns and other professional sports teams. Show Notes: https://securityweekly.com/esw-358

Pioneering the Cyber Battlefield: A Deep Dive with Winn Schwartau, Cybersecurity Luminary Get ready for an extraordinary episode as we sit down with Winn Schwartau, a true pioneer and luminary in the world of cybersecurity. Winn's impact on the field is nothing short of legendary, and in this podcast interview, we uncover the profound insights and experiences that have shaped his unparalleled career. Winn Schwartau's journey began long before the mainstream recognition of cybersecurity as a critical discipline. As a thought leader and visionary, he foresaw the digital threats that would come to define our interconnected age. Join us as we delve into the early days of cybersecurity and explore the foresight that led Winn to become a trailblazer in the industry. An accomplished author, speaker, and strategist, Winn Schwartau has been at the forefront of shaping cybersecurity policies and practices. From his groundbreaking book "Information Warfare" to his influential work on the concept of the "Electronic Pearl Harbor," Winn has consistently pushed the boundaries of conventional thinking in cybersecurity. In this podcast episode, Winn shares his unique perspective on the evolution of cyber threats, the challenges faced by individuals and organizations, and the urgent need for a paradigm shift in cybersecurity strategy. Prepare to be captivated by the stories and experiences that have fueled Winn's advocacy for a more resilient and secure digital world. Whether you're a cybersecurity professional, an enthusiast, or simply intrigued by the profound impact of technology on our lives, this conversation with Winn Schwartau promises to be a journey through the past, present, and future of cybersecurity. Don't miss the chance to gain unparalleled insights from a true cybersecurity luminary. Tune in and discover the wisdom that only Winn Schwartau can bring to the table in this illuminating podcast interview. Show Notes: https://securityweekly.com/psw-825

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) puts greater emphasis on application security than did previous versions of the standard. It also adds a new "customized approach" option that allows merchants and other entities to come up with their own ways to comply with requirements, and which also has implications for application security. Specifically, PCI DSS 4.0 requires that by March 31, 2025, more testing of public-facing applications related to payment processing or other activities be considered "in scope" for compliance. Generally, any system that touches payment-card data is in scope for PCI DSS compliance, whether or not the system or function is public-facing. We'll talk through what organizations should have gotten done by March 31, 2024, and what needs to happen by March 31, 2025. Segment Resources: https://info.obsglobal.com/pci-4.0-resources Show Notes: https://securityweekly.com/psw-825

A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome's V8 Sandbox increases defense, and more! Show Notes: https://securityweekly.com/asw-281

Duo, Steganography, Roku, Palo Alto, Putty, Cerebral, IPOs, SanDisk, Josh Marpet, and more, on this Edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-378

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com Show Notes: https://securityweekly.com/asw-281

In the leadership and communications section, Navigating Legal Challenges of Generative AI for the Board, Winds of Warning? SEC Charges Threaten to Disrupt Role of CISO, 6 Common Leadership Styles — and How to Decide Which to Use When, and more! Show Notes: https://securityweekly.com/bsw-346

Startup founders dream of success, but it's much harder than it looks. As a former founder, I know the challenges of cultivating an idea, establishing product market fit, growing revenue, and finding the right exit. Trust me, it doesn't always end well. In this interview, we welcome Seth Spergel, Managing Partner at Merlin Ventures, to discuss how to accelerate that journey to lead to a successful outcome. Seth will share Merlin Venture's approach to helping startups tackle the largest markets in the world, including US enterprises and federal. He will also share what success looks like. Segment Resources: https://merlin.vc/advice-for-young-startups-eyeing-federal-what-kind-of-tech-does-the-u-s-government-need/ https://merlin.vc/we-have-liftoff/ https://merlin.vc/portfolio/ https://merlin.vc/dig-security-talon-cyber-security-acquired-by-palo-alto-networks/ https://innovationisrael.org.il/en/digital-reports/ Show Notes: https://securityweekly.com/bsw-346

Combadges, SISENSE, Microsoft, Malware Next-Gen, Lastpass, Palo Alto, Broadband, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-377

This week, Tyler and Adrian discuss Cyera's $300M Series C, which lands them a $1.4B valuation! But is that still a unicorn? Aileen Lee of Cowboy Ventures, who coined the term back in 2013, recently wrote a piece celebrating the 10th anniversary of the term, and revisiting what it means. We HIGHLY recommend checking it out: https://www.cowboy.vc/news/welcome-back-to-the-unicorn-club-10-years-later They discuss a few other companies that have raised funding or just come out of stealth, including Scrut Automation, Allure Security, TrojAI, Knostic, Prompt Armor. They discuss Eclipsium's binary analysis tooling, and what the future of fully automated security analysis could look like. Wiz acquired Gem, and Veracode acquired Longbow. Adrian LOVES Longbow's website, BTW. They discuss a number of essays, some of which are a must read: Daniel Miessler's Efficient Security Principle Subsalt's series on data privacy challenges Lucky vs Repeatable, a must-read from Morgan Housel AI has Flown the Coop, the latest from our absent co-host, Katie Teitler-Santullo Customer love by Ross Haleliuk and Rami McCarthy We briefly cover some other fun - reverse typosquatting, AI models with built-in RCE, and Microsoft having YET ANOTHER breach. We wrap up discussing Air Canada's short-lived AI-powered support chatbot. Show Notes: https://securityweekly.com/esw-357

Ahoi new VM attacks ahead! HTTP/2 floods, USB Hid and run, forwarded email tricks, attackers be scanning, a bunch of nerds write software and give it away for free, your TV is on the Internet, Rust library issue, D-Link strikes again, EV charging station vulnerabilities, and rendering all cybersecurity useless. Show Notes: https://securityweekly.com/psw-824

In the days when Mirai emerged and took down DynDNS, along with what seemed like half the Internet, DDoS was as active a topic in the headlines as it was behind the scenes (check out Andy Greenberg's amazing story on Mirai on Wired). We don't hear about DDoS attacks as much anymore. What happened? Well, they didn't go away. DDoS attacks are a more common and varied tool of cybercriminals than ever. Today, Michael Smith is going to catch us up on the state of DDoS attacks in 2024, and we'll focus particularly on one cybercrime actor, KillNet. Segment Resources: Understanding DDoS Attacks: What is a DDoS Attack and How Does it Work? What is An Application-Layer DDoS Attack, and How Do I Defend Against Them? 2023 DDoS Statistics and Trends https://en.wikipedia.org/wiki/Killnet Show Notes: https://securityweekly.com/esw-357

Jim joins the Security Weekly crew to discuss all things supply chain! Given the recent events with XZ we still have many topics to explore, especially when it comes to practical advice surrounding supply chain threats. Show Notes: https://securityweekly.com/psw-824

OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show Notes: https://securityweekly.com/asw-280

Dronepocalypse, Privacy, Microsoft, DLINK, Home Depot, Phishing, NIST, VenomRat, Josh Marpet, and more, are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-376

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software. It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead. Segment Resources: https://tukaani.org/xz-backdoor/ https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/ https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68 https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor Show Notes: https://securityweekly.com/asw-280

In this discussion, we focus on vendor/tool challenges in infosec, from a security leader's perspective. To quote our guest, Ross, "running a security program is often confused with shopping". You can't buy an effective security program any more than you can buy respect, or a black belt in kung fu (there might be holes in these examples, but you hopefully get the point). In fact, buying too much can often create more problems than it solves, especially if you're struggling to fill your staffing needs. In part 2 of this 2-part episode, we'll discuss: - The pros and cons of buying from different types of companies - Who to look to for product recommendations - Is making a plan to "ditch before you hitch" a good or bad idea? - What to do when you inherit a mess Show Notes: https://securityweekly.com/bsw-345