Risky Business #771 -- Palo Alto's firewall 0days are very, very stupid

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Microsoft introduces some sensible sounding post-Crowdstrike changes
• Palo Alto patches hella-stupid bugs in its firewall management webapp
• CISA head Jen Easterly to depart as Trump arrives
• AI grandma tarpits phone scammers in family-tech-support hell
• Academic research supports your gut-reaction; phishing training doesn’t work
• And much, much more.

This week’s episode is sponsored by Greynoise. The always excitable Andrew Morris joins to remind us that the edge-device vulnerabilities Pat and Adam complain about on the show are in fact actually even worse than we make them out to be. Andrew also tells us about a zero-day Greynoise’ AI system truffle-pigged out of their data set.

This episode is also available on Youtube.

Show notes

• Windows security and resiliency: Protecting your business | Windows Experience Blog
• Microsoft revamps how it will disclose vulnerabilities | Cybersecurity Dive
• NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely
• Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
• Palo Alto Networks customers grapple with another actively exploited zero-day | Cybersecurity Dive
• Unpatched zero-days in Fortinet and Palo Alto Networks software
• Palo Alto Networks’ customer migration tool hit by trio of CVE exploits | Cybersecurity Dive
• Readout of President Joe Biden’s Meeting with President Xi Jinping of the People’s Republic of China | The White House
• Easterly to step down from CISA director role on Inauguration Day | Cybersecurity Dive
• Top White House cyber official urges Trump to focus on ransomware, China
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Hacker Is Said to Have Gained Access to File With Damaging Testimony About Gaetz
• 1,400 Pegasus spyware infections detailed in WhatsApp’s lawsuit filings
• NSO Group admits cutting off 10 customers because they abused its Pegasus spyware, say unsealed court documents | TechCrunch
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Ohio man behind Helix cryptocurrency mixer gets 3-year sentence
• O2 unveils Daisy, the AI granny wasting scammers’ time - Virgin Media O2
• Understanding the Efficacy of Phishing Training in Practice
• Bunnings facial recognition cameras breach Privacy Act, retailer to challenge ruling | news.com.au — Australia’s leading news site
• Nudity, punches in newly released Bunnings CCTV as company found to breach Privacy Act | news.com.au — Australia’s leading news site
• Bitfinex Hack Launderer Heather 'Razzlekhan' Morgan Sentenced to 18 Months in Prison