In the Security News: Using HDMI radio interference for high-speed data transfer, Top 10 open source software risks, Dumb password rules, Grand Theft Auto, The false promise of ChatGPT, The “Hidden Button”, How a single engineer brought down twitter, Microsoft’s aim to reduce “Tedious” business tasks with new AI tools, The internet is about to get a lot safer, All that, and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw775...
Mar 09, 2023•1 hr 49 min
Tune in to ask our PSW hosts anything you want to know! Join the live discussion in our Discord server to ask a question. Visit securityweekly.com/discord for an invite! Larry Pesce, Jeff Man, Tyler Robinson, and more will be answering your questions, including: What is your advice on avoiding burnout? If each of the hosts had to be a distribution of Linux, which one would each of them be? Which host is the worst influence? Why is security so hard? Will any of you be at RSAC this year and where ...
Mar 09, 2023•1 hr 11 min
In the Security News for this week: indistinguishable classifiers, screenshot the /etc/passwd file, what the Zimbra, couple of cool Burp plugins, my voice is my passport. verify me, software is harder to exploit, unless its in firmware, when ChatGPT writes an article, becoming a trusted installer, not the last breach for lastpass, getting fried at the charger, and why hackers love stickers! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.c...
Mar 02, 2023•1 hr 53 min
Barracuda published its 2023 Email Security Trends report that shows how email-based security attacks affect organizations around the world. 75% of the organizations surveyed for the report had fallen victim to at least one successful email attack in the last 12 months, with those affected facing average costs of more than $1 million for their most expensive attack. 23% said that the cost of email-based attacks has risen dramatically over the last year. Segment Resources: https://assets.barracud...
Mar 02, 2023•1 hr 3 min
In the Security News: If it can run Linux, it should, TikTok thefts, significant vulnerability findings, and I'm not even joking, typo squatting is lame, what will it take Bruce!, stealing from the TPM, GoAnywhere, including root, what if attackers targeted your yacht?, two for the price of one (exploits), X is really old, and vulnerable, come for a ride on a CHERI-OT and be memory safe, codebreaking old letters, and vulnerable wienermobiles! All that, and more, on this episode of Paul’s Securit...
Feb 16, 2023•2 hr 8 min
Zero Trust is the buzzword of the 2020’s. Vendors are selling it, the US Federal Government is requiring it, and organizations are implementing it, but what does it really mean (I mean really beyond the hype)? In this segment, Paul and Ron will talk ways combat threats through people, process, and technology Zero Trust Risk Management. Segment Resources: Forrester Research Zero Trust blogs: https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/ Ron Woerner YouTube: https://w...
Feb 16, 2023•59 min
In the Security News: VMware and Ransomware makes you want to run some where, double-free your OpenSSH, download the RIGHT software, you have Docker, I have root, we don't talk about CORS, to vulnerability or not to vulnerability, vulnerability risk scoring, a matter of perspective, very persistent Cisco attacks, running UPNP without all the protections, overflowing a buffer in your bootloader over HTTP, C can be memory safe (but developers will still screw it up), and lasers, microwaves, satell...
Feb 09, 2023•1 hr 28 min
Linux systems are a collection of free and Open Source software-- some packaged by your distro, some built from source. How do you verify that your upstream isn't polluted by bad actors? Segment Resources: https://github.com/evilsocket/opensnitch https://securityonionsolutions.com/software/ https://deer-run.com/users/hal/ https://archive.org/details/HalLinuxForensics Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw772...
Feb 09, 2023•1 hr 9 min
In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinkgs he's some sort of hero, sh1mmer your chromebook, and superconductive magic angle graphene! Visit https:/...
Feb 02, 2023•2 hr 7 min
In a recent survey on purple teaming, 89 percent of respondents who had used the method deemed purple teaming activities “very important” to their security operations. Purple teaming exercises conducted regularly have the power to improve collaboration across teams, ensure issues are identified and remediated more proactively, and provide a means to measure progress over time. With all these benefits, why isn’t everyone doing it? Purple teaming doesn’t have to be such a heavy lift. With the righ...
Feb 02, 2023•1 hr 5 min
This week in the Security News: GetVariable strikes again, attackers could blow up your computer remotely, escaping containers, null-dereferences and faulty evaluations, 31 new CPU vulnerabilities for AMD, a look into Chrome, santa, not-so-secure secure booting, and malware included! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw770...
Jan 26, 2023•1 hr 49 min
Open source is the bedrock of most of the world’s software today, so how to raise the floor on software quality across the industry? First, we need better tools to measure the trustworthiness of code based on objective measures, processes that encourage better security practices by developers, and tools and processes that encourage teamwork and shared responsibility for security. Several efforts are underway in major open source communities to address these issues. At the Open Source Security Fo...
Jan 26, 2023•58 min
Then, in the Security News: In the security news: Do not panic about RSA encyption, the age old debate: Security vs. Compliance, Cold River, and no not the vodka although it has to do with Russia, the exploit party is happening and someone invited vulnerable drivers, ChatGPT being used to deploy malware, chip vulnerabilities impacting ARM: what you need to know, admin versus admin with Intel AMT and does password expiration help or hurt security? Visit https://www.securityweekly.com/psw for all ...
Jan 12, 2023•1 hr 53 min
Over the last few years, the trend to use Open Source has been migrating into safety-critical applications, such as automotive and medical, which introduces system-level analysis considerations. In a similar fashion, these components are now being considered for the evolution of critical infrastructure systems. In the US, security concerns have prompted some emerging best practices, such as increased transparency of components, via software bill of materials (SBOMs), but this is not the only asp...
Jan 12, 2023•1 hr 2 min
In the Security News: The Roblox prison yard, password manager problems, PyTorch gets torched with a supply chain attack, Oppenheimer cleared, Puckungfu, spice up your persistence with PHP, turning Google home into a wiretap device, Nintendo 3DS remote code execution, Linux kernel remove code execution, steaking cards in 2022 - The API way, and there is no software supply chain... and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.c...
Jan 05, 2023•2 hr 8 min
This session explores software supply chain security and the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More i...
Jan 05, 2023•59 min
This week, we round out the Holiday Special 2022 with a special guest appearance by Ed Skoudis, where he joins to fill us in on the Holiday Hack Challenge! Then, an utterly chaotic session of security news to close out 2022! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw767
Dec 15, 2022•2 hr 18 min
How well do you know your hacker history and trivia? See how you compare to our hosts as we tackle hacker trivia live on the air! Categories will include hacker movies, hacker history, and hacker tools. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw767
Dec 15, 2022•1 hr 30 min
Without question, we need more people working in cybersecurity today. Our culture has come a long way to be more open and inviting to new folks, but we still have a lot of work to do. What can you do if you want to break into the field of cybersecurity today? While there is no shortage of resources our experienced hosts will offer their thoughts, opinions, and advice on how you can become the next cybersecurity pro! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes...
Dec 15, 2022•1 hr 29 min
While we most likely do not believe that penetration testing is dead it continues to evolve over time. What do penetration tests look like today? Have they become more or less specialized? What is the continuing value of penetration testing? With development and IT moving so fast, how have penetration tests adapted? This discussion will dive into the details of penetration testing today and provide you with a guide to make the most of this activity. Visit https://www.securityweekly.com/psw for a...
Dec 14, 2022•1 hr 27 min
In the Security News: ping of death returns, remembering when the Internet disconnected if your Mom picked up the phone, a 500-year-old cipher is cracked, VLC is always up-to-date, SIM swapper goes to prison, Rust is more secure but your supply chain is not, if you pwn the developer you win, you have too many security tools, Chrome zero days are not news, Log4Shell what changed?, Hive social again, ChatGPT, there's a vulnerability in your SDK, and it takes 3 exploits to pwn Linux, All that, and ...
Dec 08, 2022•1 hr 50 min
Eclypsium's research team has discovered 3 vulnerabilities in BMCs. Nate Warfield comes on the show to tell the full story! This has garnered much attention in the press: * Original research post: https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/ * https://www.securityweek.com/security-flaws-ami-bmc-can-expose-many-data-centers-clouds-attacks * https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html * https://therecord.media/three-vul...
Dec 08, 2022•59 min
Is there still a network or has it slipped away from us entirely? What about efforts for localization because people do not trust the cloud, its providers or its reliability (ala Twitter vs. the Fediverse?). Do you still need actual hardware firewalls? What about VPNs? How long will these devices still be around as everyone goes to the cloud and SDWAN technologies? And what about identity? If you can nail identity, doesn't that set you up to be a cloud-first organization? Join us for a discussio...
Dec 08, 2022•56 min
We are joined by Josh and Kurt from the amazing Open Source Security Podcast! We're talking about supply chain risks, threats and vulnerabilities in this segment! Segment Resources: https://opensourcesecurity.io/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw765...
Dec 01, 2022•49 min
This week in the Security News: When you just wanna hurl, malicious containers, FCC bans stuff, these are not the CVE's you're looking for, Linux password mining, mind the gap, hacking smart watches, & more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw765
Dec 01, 2022•2 hr 27 min
In the Security News: Stealing Mastodon passwords, reporting vulnerabilities in open-source privately, labeling does not solve problems, or does it? will it every get patched? geolocating people from photos, no meta-data required, update your firmware on Linux, hacking flow computers, when a driver isn't really a driver, well, its a driver, but not the one you may be thinking of, oops I leaked it again, misconfiguration leads to compromise, harden runner, guard dog and hacking spacecraft via Eth...
Nov 17, 2022•2 hr 18 min
Navigating the UEFI waters is treacherous. While UEFI has become the standard on most PCs, servers, and laptops, replacing legacy BIOS, it is a complex set of standards and protocols. Jesse joins us to help explain how some of this works and describe how vulnerabilities, specifically with SMM, can manifest and be exploited. Segment Resources: [CHIPSEC GitHub] https://github.com/chipsec/chipsec Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekl...
Nov 17, 2022•1 hr 17 min
In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC, Bring your own domain controller, application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and its all about the company you keep. Visit https://www.securitywee...
Nov 10, 2022•2 hr 28 min
Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more va...
Nov 10, 2022•1 hr
In the Security News: last year's open source is tomorrow's vulnerabilities, RepoJacking, I feel like there will always be authenitcation bypass, super charge your hacking, do you have your multipath, RC4 and why not to use it, here's the problem with vulnerability scanners, packages and expired domains, initrd should not be trusted, Apple kernels, oh and did you hear there is a vulnerability in OpenSSL! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://se...
Nov 03, 2022•1 hr 31 min
