Paul's Security Weekly (Audio)

Security Weekly Productions
Sep 19, 2024 • 2h 54min

Exploding Pagers - Tod Beardsley - PSW #843

Tod Beardsley, Vulnerability Analysis Lead at CISA, offers deep insights into the Known Exploited Vulnerabilities catalog. He explains its creation and practical usage in enhancing cybersecurity. The conversation also touches on the resurgence of pagers for secure communications, the implications of Android TV malware, and the complexity of supply chain vulnerabilities. Additionally, the group humorously explores the quirks of cryptography and the evolution of network security tools, blending technical analysis with engaging anecdotes.
Sep 12, 2024 • 3h 5min

Recent Cyber Security Laws & Regulations - Lee Kim - PSW #842

Lee Kim, a cybersecurity and privacy officer at HIMSS, joins the discussion alongside regular contributors Mandy Logan, Sam Bowne, and Lee Neely. They delve into the ramifications of the EU Cyber Resilience Act on product security and the legal complexities arising from recent Supreme Court rulings. The team also addresses cybersecurity breach disclosure laws and the challenges facing security researchers under current regulations. Additional highlights include insights on SEC mandates and the evolving landscape of digital threats, emphasizing the importance of legal knowledge in tech.
Sep 4, 2024 • 1h 33min

Hacker Heroes - Mark Loveless - PSW Vault

Exploring the Hacking Landscape with Mark Loveless, AKA SimpleNomad. Dive into the intricate world of cybersecurity with our featured guest, Mark Loveless, widely known by his handle SimpleNomad. With a rich history in the realm of information security, Mark is a seasoned professional, researcher, and thought leader. Mark's journey spans decades, marked by a commitment to uncovering vulnerabilities and understanding the ever-changing threat landscape. As a prominent figure in the cybersecurity community, he has contributed significantly to the field, sharing insights, research findings, and expertise. Join us in this podcast interview as Mark reflects on his experiences, discusses the evolution of cybersecurity challenges, and shares his perspectives on emerging trends. With a deep understanding of both offensive and defensive security, Mark brings a unique perspective to the conversation, offering valuable insights into the strategies and tactics employed by cybersecurity professionals. As a respected voice in the industry, Mark Loveless has not only witnessed the evolution of cybersecurity but has actively shaped its trajectory through his contributions to research, writing, and speaking engagements. This episode provides a rare opportunity to gain knowledge from a cybersecurity veteran and explore the nuances of an ever-expanding digital landscape. Tune in to discover the wisdom and experiences that have defined Mark Loveless's career and gain a deeper understanding of the complexities and challenges inherent in the world of cybersecurity. Show Notes: https://securityweekly.com/vault-psw-12
Aug 30, 2024 • 3h 2min

Building AI BOMs - Helen Oakley - PSW #841

Larry and Helen walk us through the AI supply chain landscape. Learn what goes into building and using AI models and the dangers that could lurk within. Segment Resources: Community efforts on AIBOM topic: https://github.com/aibom-squad This week: I want all the firmware, it's not just TP-Link, CVEs for malware, BLE and your health, faking your own death, serial ports, stealthy Linux malware, call this number, finding all the WordPress plugin vulnerabilities! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-841
Aug 22, 2024 • 2h 59min

How do we patch the right things? - Josh Bressers - PSW #840

Josh Bressers, a knowledgeable figure in vulnerabilities and exploits, dives into the complexities of patch management. He discusses the limitations of tools like MITRE ATT&CK and CVSS in accurately prioritizing vulnerabilities. The conversation emphasizes the importance of context in patching decisions and addresses the challenges of tracking incidents that lack CVEs. Bressers shares insights on the balance between urgent patches and asset criticality, highlighting personal anecdotes that shed light on navigating the evolving cybersecurity landscape.
Aug 15, 2024 • 3h 9min

Cybersecurity Myths - Eugene Spafford - PSW #839

Early on in his career Spaf was working with microcode and continued to work on technical projects. As time went on he realized that focusing on the non-technical work, such as policies and shaping our thinking, would help move the needle. Borrowing concepts from his book on the subject, we will delve into some cybersecurity myths such as: Are users really the weakest link? Are cybersecurity vendors truly incentivized to provide better security? Do we agree on what cybersecurity really means? Do not miss this segment! This week: Option ROMs are a novel way to compromise a system at the lowest level, Sinkclose opens AMD processors up to attacks, at home in your firmware exploiting SMM complete with examples, Sonos speakers get hacked and enable attackers to listen in on your conversations, DEF CON badges use new chips and are not without controversy, lasers that can steal your passwords, it was a regex, Larry updates us on some IoT research, attackers have your SSN, and more updates from last week's hacker summer camp! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-839
Aug 8, 2024 • 3h 8min

Downgrades and Attacking Security Things & Things Not to Miss at BH/DC - Trent Lo - PSW #838

This week, downgrade attacks, bootloader fun, check your firmware before you wreck your firmware, you've got mail server issues, Ivanti is the new Rihanna, you should update your BIOS, OpenWrt dominates, and attacking the security tools for fun and profit! Learn what is most interesting at hacker summer camp this year! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-838
Aug 1, 2024 • 3h 22min

PK Fail - John Loucaides - PSW #837

John is one of the foremost experts in UEFI and joins us to talk about PK Fail! What happens when a vendor in the supply chain accidentally loses a key? It's one of the things that keeps me up at night. Well, now my nightmare scenario has come true as a key has been leaked. Learn how and why and what you can do about it in this segment! Hacking traffic lights (for real this time), the Docker API strikes again, access GitHub deleted data, using EDR to elevate privileges on Windows, computers I need in my life, failed experiments and Raspberry Pi access points, sitting ducks and TuDoor - it's always DNS times 2, null sessions and a blast from the past, chaining UEFI vulnerabilities, pirates exposed, revoking SSL certificates, and using AI to analyze your brain: Multimodal Automated Interpretability Agent! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-837
Jul 25, 2024 • 3h 5min

MS Patch Tuesday: Which Vulnerabilities Really Need Prioritizing. - Douglas McKee - PSW #836

Douglas McKee, a cybersecurity expert known for his insights on vulnerability prioritization, joins the discussion on critical security topics. They dive into the challenges of patching key vulnerabilities, exploring the implications of CrowdStrike's recent incident. The conversation covers the significance of understanding zero-day vulnerabilities, the misclassification of threats, and the pressing need for small businesses to enhance their cybersecurity strategies. With humor sprinkled in, they also tackle insider threats and the evolving landscape of endpoint security.
Jul 18, 2024 • 3h 2min

3D Printing For Hackers - David Johnson - PSW #835

David Johnson, a 3D printing expert specifically for hackers, dives into the fascinating world of 3D printing. He shares personal experiences and discusses the accessibility of 3D printing tech like the Ender 3 and Bamboo printers. The conversation takes a nostalgic turn as they explore its role in creating custom gadgets, including a live print of a Captain Crunch whistle. Johnson also reflects on converting AI images into printable designs and the innovative capacity of the 3D printing community, emphasizing creativity and problem-solving in tech.
