Paul's Security Weekly (Audio)

Latest episodes

Dec 12, 2024 • 2h 43min

Navigating Regulations in Supply Chain Security - Eric Greenwald - PSW #854

Join us for this segment as we discuss government regulations and certifications as they apply to supply chain security and vulnerability management, and how understanding the mumbo jumbo can enable organizations to improve their cyber security. In the security news, the crew (minus Paul) get together to discuss hacks causing disruptions in healthcare, donuts and vodka, router and OpenWRT hacks (and the two are not related), Salt/Volt Typhoon means no more texting, 10-year-old vulnerabilities, and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-854
Dec 4, 2024 • 2h 42min

Hacker Gadgets - PSW #853

The hosts discuss hacker gadgets! We'll cover what we've been hacking on lately and discuss gadgets we want to work on in the future and other gadgets we want to get our hands on.

Paul has been working with some M5Stack devices; a guide can be found here: https://securitypodcaster.com/m5stack-hacking-guide/
We will cover the Clockwork PI "uConsole" (RPI CM4) - https://www.clockworkpi.com/uconsole
We want the RPI Pico 2 W and the RPI CM5 (https://www.raspberrypi.com/products/)
Paul upgraded one of his Flipper Zeros with Momentum Firmware (https://momentum-fw.dev/)
Paul and Larry have the new Crowview Note (https://www.kickstarter.com/projects/elecrow/crowview-note-empowering-your-device-as-a-laptop?ref=20bm9i)

Larry's List:
Cheap Yellow Display - https://github.com/witnessmenow/ESP32-Cheap-Yellow-Display
KV4P HT - https://www.kv4p.com/
Lilygo T-Deck - https://lilygo.cc/products/t-deck
Heltec LoRa32 - https://heltec.org/project/wifi-lora-32-v3/
NRF52840-DK - https://www.mouser.com/ProductDetail/Nordic-Semiconductor/nRF52840-DK?qs=F5EMLAvA7IA76ZLjlwrwMw%3D%3D
NRF52840 Dongle - https://www.mouser.com/ProductDetail/Nordic-Semiconductor/nRF52840-Dongle?qs=gTYE2QTfZfTbdrOaMHWEZg%3D%3D&mgh=1
Makerdiary NRF52840 - https://wiki.makerdiary.com/nrf52840-mdk-usb-dongle/
Radioberry - https://www.amazon.com/dp/B0CKN1PW4J

Bootkitties and Linux bootkits, Canada realizes banning Flippers is silly, null bytes matter, CVE samples, how dark web marketplaces do security, Perl code from 2014 and vulnerabilities in needrestart, malware in gaming engines, the nearby neighbor attack, this week in security appliances featuring Sonicwall and Fortinet, footguns, and get it off the freakin public Internet!

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-853
Nov 27, 2024 • 1h 31min

Hacker Heroes - Aaron Turner - PSW Vault

Aaron Turner, a distinguished cybersecurity expert with a rich history at Microsoft and the Idaho National Laboratory, shares his journey in the tech world. He reflects on his shift from law to hacking, revealing insights from the early days of digital threats. The discussion covers pivotal moments, such as the Code Red worm, and the evolution of security practices. Turner emphasizes the importance of collaboration and innovation in tackling vulnerabilities, particularly in industrial control systems. Insights into the challenges of cybersecurity jobs highlight the need for innovation and flexibility in the field.
Nov 21, 2024 • 2h 56min

Confessions of a Cyber Criminal Stalker - Ken Westin - PSW #852

Ken Westin, a Senior Solutions Engineer at Lima Charlie and seasoned cybersecurity expert, shares his thrilling journey in stalking cybercriminals. He discusses the dark world of malware and personal safety when tracking down criminals. Ken dives into the alarming vulnerabilities in major platforms like Fortinet and Palo Alto, emphasizing the risks of using commonplace passwords. He also explores the importance of open communication about online safety, innovative tracking methods with USB devices, and how technology evolves alongside cyber threats.
Nov 14, 2024 • 2h 44min

No CVE and No Accountability - Ed Skoudis - PSW #851

Ed Skoudis, a renowned cybersecurity expert and SANS instructor, joins the discussion, diving into fascinating topics like zip files within zip files that perplex antivirus software. He emphasizes the huge accountability gaps in CVE management, sparked by vendors ignoring vulnerabilities in end-of-life software. The conversation also highlights this year’s Holiday Hack Challenge, focusing on its engaging structure and innovative designs. Additionally, they discuss the evolution of cybersecurity, from legacy system challenges to the importance of proactive vulnerability research.
Nov 7, 2024 • 2h 48min

Cybersecurity For Schools - Kayne McGladrey - PSW #850

Kayne McGladrey, an IEEE senior member and expert on cybersecurity in education, dives into the challenges faced by schools in securing their systems. He discusses the urgent need for funding to support cyber tools and training, especially through initiatives like the FCC's K-12 cybersecurity pilot program. The conversation highlights the role of community engagement in enhancing security and the potential of students in cybersecurity operations. Kayne also shares insights on the evolution of cybersecurity strategies and the importance of adapting to an ever-changing landscape.
Oct 31, 2024 • 2h 50min

Shadow IT and Security Debt - Dave Lewis - PSW #849

In this engaging discussion, Dave Lewis, the Global Advisory CISO at 1Password, unpacks the nuances of shadow IT and security debt, drawing from his extensive cybersecurity expertise. He emphasizes the critical human factors in security and the pressing need for organizations to address outdated technologies. The conversation also touches on recent vulnerabilities, the complexities of managing unauthorized tool usage, and the balance between innovation and security, all while sharing insights that underscore the importance of proactive cybersecurity measures.
Oct 24, 2024 • 3h 7min

Secure By Default - How do we get there? - Andy Syrewicze - PSW #848

In this engaging discussion, Andy Syrewicze, a security evangelist at Hornet Security, shares his expertise on creating a 'secure by default' environment in Microsoft 365. He dives into the complexities of cloud migration, the struggles of managing permissions in SharePoint, and the importance of user training. The conversation also covers intriguing topics such as flaws in EDR systems, speculative execution vulnerabilities, and playful tech pranks. With a perfect blend of deep insights and light-hearted moments, Andy offers valuable perspectives on cybersecurity.
Oct 17, 2024 • 2h 58min

Effective Operational Outcomes - Ken Dunham - PSW #847

New security and vulnerability research is published every day. How can security teams get ahead of the curve and build architecture to combat modern threats and threat actors? Tune in to a lively discussion about the threat landscape and tips on how to stay ahead of the curve.

Segment Resources: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys"!

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-847
Oct 10, 2024 • 2h 15min

The Code of Honor: Embracing Ethics in Cybersecurity - Ed Skoudis - PSW #846

Ed Skoudis, a cybersecurity educator and author, joins the discussion alongside Mandy Logan to dive into the ethics of cybersecurity. They explore the moral dilemmas faced by professionals and the significance of a solid ethical framework when dealing with sensitive information. Personal experiences highlight the importance of mentorship and the challenges of whistleblowing. The conversation also touches on vulnerabilities in outdated technologies and key developments in the cybersecurity landscape, emphasizing the urgent need for integrity in the field.
