Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) XZ.fail backdoor detector (https://xz.fail) Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state. Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.Links:Binarly XZ backdoor detectorXZ Utils Backdoor FAQ (by Dan Goodin)CISA advisory on backdoorThe JiaT75 (Jia Tan) timelineUnedited transcript

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB). In this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.Links:Luta Security Workforce PlatformKatie Moussouris on WikipediaMoussouris: Resist Urge to Match China Vuln Reporting MandateKatie Moussouris on LinkedInCyber Safety Review Board

Costin Raiu, a key figure in anti-malware research known for his work on major nation-state APT cases like Stuxnet and Duqu, reflects on his career and ethical dilemmas in cybersecurity. He shares insights on the pressures leading to burnout in the field and how AI is transforming threat intelligence. Costin discusses the importance of accurate cyber threat attribution and the challenges of balancing privacy with national security. He emphasizes learning from mistakes and the evolving landscape of advanced persistent threats, shedding light on the future of malware research.

Danny Adamitis, a principal information security engineer at Black Lotus Labs, dives into the alarming discovery of a resilient botnet utilizing outdated SOHO routers. He reveals how this covert network aids Volt Typhoon, a Chinese state-sponsored hacking group. The conversation highlights the global danger of obsolete devices and the urgent need for organizations to bolster their network defenses. Danny shares practical strategies for detecting and mitigating threats, emphasizing robust monitoring and awareness of network assets.

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International. In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.Links:Allison Miller on LinkedInCartomancy LabsSecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISONew SEC rule on breach disclosure (PDF)Follow Allison Miller on TwitterSponsor: Binarly Supply Chain Security Platform

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the potential of AI models and their impact on various aspects of technology and society and digs into the importance of improving model interaction by allowing more thoughtful and refined responses. We also discuss how AI can be a superpower, enabling rapid prototyping and idea generation. The discussion concludes with considerations for safeguarding AI models, including transparency, explainability, and potential regulations. Takeaways: Scaling pen testing can be challenging, and maintaining quality becomes difficult as the team grows. Bug bounty programs have been a net positive for businesses, providing valuable insights and incentivizing innovative research. Attack surface management plays a crucial role in identifying vulnerabilities and continuously monitoring an organization's security posture. Social engineering attacks, such as SIM swapping and phishing, require a multi-faceted defense strategy that includes technical controls, policies, and user education. AI has the potential to augment human intelligence and improve efficiency and effectiveness in cybersecurity. Improving model interaction by allowing more thoughtful and refined responses can enhance the user experience. Algorithms can be used to delegate tasks and improve performance, leading to better results in complex tasks. AI is an inflection point in technology, comparable to the internet and the industrial revolution. Can be game-changing to automate time-consuming tasks, freeing up human resources for more strategic work. Autocomplete and code generation tools like Copilot can significantly speed up coding and reduce errors. AI can be a superpower, enabling rapid prototyping, idea generation, and creative tasks. Safeguarding AI models requires transparency, explainability, and consideration of potential biases. Regulations may be necessary to ensure responsible use of AI, but they should not stifle innovation. Global adoption of AI should be encouraged to prevent technological disparities between countries. Links:Rob Ragan's Theoradical.aiTesting LLM Algorithms While AI Tests Us — Testing LLM Algorithms While AI Tests UsLLM Testing Findings Templates — This collection of open-source templates is designed to facilitate the reporting and documentation of vulnerabilities and opportunities for usability improvement in LLM integrations and applications.Rob Ragan on TwitterRob Ragan on LinkedInBishop Fox Labs

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.Links:Seth Spergel bio — Seth has more than 20 years of experience building, selling, and investing in software and startups. Prior to Merlin Ventures, Seth was VP for Infrastructure Technologies at In-Q-Tel, a strategic investment firm that invests in startups that meet the mission needs of government customers. Merlin Ventures portfolioPalo Alto buys Talon, Dig Security — Technology powerhouse Palo Alto Networks is officially on a billion-dollar shopping spree in the cloud data security space.Episode Sponsor: Binarly — The Binarly REsearch team leads the industry in firmware vulnerability disclosure and advisories

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.Links:SBOMs - All the right ingredients, but something is still missingOpen Source Development Threatened in EuropeChainguard Images: Reduce your attack surfaceDan Lorenc on LinkedInDan Lorenc on Twitter/XChainguard Raises $61 Million Series BBinarly -- Firmware Supply Chain Security Platform — Binarly is the world's first automated firmware supply chain security platform. Using cutting-edge techniques, Binarly identifies both known and unknown vulnerabilities, misconfigurations, and malicious code in firmware and hardware components.

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.Links:Nick Biasini on TwitterCisco Talos Library of ReportsNick Biasini on LinkedInBeyond the Veil of Surveillance: Private Sector Offensive Actors (PSOAs)US Gov Mercenary Spyware Clampdown Hits Cytrox, Intellexa

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.Links:Allison Nixon on TwitterAllison Nixon - Unit 221B bioLas Vegas casino hackers rely on violent threatsCrossing boundaries to facilitate extortion, encryption, and destruction