
Three Buddy Problem

Latest episodes

Jul 5, 2024 • 1h 4min

Ep3: Dave Aitel joins debate on nation-state hacking responsibilities

The 'Three Buddy Problem' Podcast Episode 3: Former NSA computer scientist Dave Aitel (Immunity Inc., Cordyceps Systems) joins Juan Andres Guerrero-Saade for a frank discussion on the OpenSSH unauthenticated remote code execution vulnerability and the challenges around patching and exploitation, the CISA 'secure-by-design' pledge and its impact on software vendor practices, Microsoft lobbying and the CSRB report, and the changing face of government attempts at cybersecurity regulation. We discuss the disruption caused by political changes and the potential implications for cybersecurity policies, the impact of the Supreme Court Chevron ruling, security regulations and the challenges of writing laws for future technology, the role of CISA and its accomplishments, and the debate around offensive cyber operations and the responsibility of companies like Google in addressing vulnerabilities. The need for a clear separation between counterterrorism and espionage operations is highlighted, as well as the importance of understanding both defensive and offensive perspectives. Costin Raiu is on vacation.

Links:
Transcript (unedited, AI-generated)
Qualys: Remote Unauthenticated Code Execution in OpenSSH
CSRB report on Microsoft hack
CISA secure-by-design pledge
CCC Talk: Operation Triangulation
Lawfare: Responsible Cyber Offense
Google: Stop Burning Counterterrorism Operations
Follow Dave Aitel on Twitter
J. A. Guerrero-Saade on Twitter
Costin Raiu on Twitter
Follow Ryan Naraine (@ryanaraine) on Twitter
LABScon - Security Research in Real Time
Jun 29, 2024 • 1h 9min

Ep2: A deep-dive on disrupting and exposing nation-state malware ops

The 'Three Buddy Problem' Podcast Episode 2: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade go all-in on the discussion around Google Project Zero disrupting counter-terrorism malware operations. A deep dive on disruption vs exposure, the effects of US government sanctions on private mercenary hacking companies, hypocrisy and the tricky relationship between malware researchers and the intelligence community, and the lack of 'success stories' from so-called benevolent malware. We also discuss the implications of the TeamViewer breach by a skilled Russian APT, new Microsoft notifications to Midnight Blizzard victims, and share thoughts on the Polyfill.io supply chain compromise.

Links:
Episode transcript (unedited, AI-generated)
Google: Stop Burning Counterterrorism Operations
Russian hackers sanctioned by European Council
TeamViewer statement on APT29 breach
Polyfill supply chain attack
Request a LABScon invite
Follow Costin Raiu on Twitter
Follow JAG-S on Twitter
Follow Ryan Naraine on Twitter
Jun 22, 2024 • 47min

Ep1: The Microsoft Recall debacle, Brad Smith and the CSRB, Apple Private Cloud Compute

Cybersecurity experts Juan Andres Guerrero-Saade and Costin Raiu discuss the Microsoft Recall debacle, dark patterns in big tech AI, Brad Smith's testimony, Apple's Private Cloud Compute, and the impact of the CSRB report. They also touch on the KL ban and the EU law on scanning child sexual abuse material, raising concerns about privacy and encryption in tech.
Apr 11, 2024 • 55min

Cris Neckar on the early days of securing Chrome, chasing browser exploits

Cris Neckar, a veteran security researcher and partner at Two Bear Capital, shares his insights from the cutting edge of cybersecurity. He reflects on his time with Google Chrome's security team, highlighting the birth of vulnerability reward programs and the Pwn2Own contest. The discussion shifts to the cat-and-mouse dynamic in browser security, zero-day exploits, and the role of AI in enhancing threat detection. Cris also emphasizes the need for mentoring young founders while navigating the complexities of tech investment and innovations in automated security.
Apr 5, 2024 • 52min

Costin Raiu joins the XZ Utils backdoor investigation

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io); XZ.fail backdoor detector (https://xz.fail)

Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Jia Tan' is the handiwork of a cunning nation-state. Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.

Links:
Binarly XZ backdoor detector
XZ Utils Backdoor FAQ (by Dan Goodin)
CISA advisory on backdoor
The JiaT75 (Jia Tan) timeline
Unedited transcript
Jan 19, 2024 • 30min

Katie Moussouris on building a different kind of cybersecurity business

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io); FwHunt (https://fwhunt.run)

Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB). In this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.

Links:
Luta Security Workforce Platform
Katie Moussouris on Wikipedia
Moussouris: Resist Urge to Match China Vuln Reporting Mandate
Katie Moussouris on LinkedIn
Cyber Safety Review Board
Jan 15, 2024 • 1h 32min

Costin Raiu: The GReAT exit interview

Costin Raiu, a key figure in anti-malware research known for his work on major nation-state APT cases like Stuxnet and Duqu, reflects on his career and ethical dilemmas in cybersecurity. He shares insights on the pressures leading to burnout in the field and how AI is transforming threat intelligence. Costin discusses the importance of accurate cyber threat attribution and the challenges of balancing privacy with national security. He emphasizes learning from mistakes and the evolving landscape of advanced persistent threats, shedding light on the future of malware research.
Jan 5, 2024 • 34min

Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers

Danny Adamitis, a principal information security engineer at Black Lotus Labs, dives into the alarming discovery of a resilient botnet utilizing outdated SOHO routers. He reveals how this covert network aids Volt Typhoon, a Chinese state-sponsored hacking group. The conversation highlights the global danger of obsolete devices and the urgent need for organizations to bolster their network defenses. Danny shares practical strategies for detecting and mitigating threats, emphasizing robust monitoring and awareness of network assets.
Dec 21, 2023 • 38min

Allison Miller talks about CISO life, protecting identities at scale

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io); FwHunt (https://fwhunt.run)

Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International. In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate, and the nuance and dilemma of paying ransomware demands.

Links:
Allison Miller on LinkedIn
Cartomancy Labs
Security Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
New SEC rule on breach disclosure (PDF)
Follow Allison Miller on Twitter
Sponsor: Binarly Supply Chain Security Platform
Dec 7, 2023 • 51min

Rob Ragan on the excitement of AI solving security problems

Episode sponsors: Binarly (https://binarly.io); FwHunt (https://fwhunt.run)

Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the potential of AI models and their impact on various aspects of technology and society, and digs into the importance of improving model interaction by allowing more thoughtful and refined responses. We also discuss how AI can be a superpower, enabling rapid prototyping and idea generation. The discussion concludes with considerations for safeguarding AI models, including transparency, explainability, and potential regulations.

Takeaways:
Scaling pen testing can be challenging, and maintaining quality becomes difficult as the team grows.
Bug bounty programs have been a net positive for businesses, providing valuable insights and incentivizing innovative research.
Attack surface management plays a crucial role in identifying vulnerabilities and continuously monitoring an organization's security posture.
Social engineering attacks, such as SIM swapping and phishing, require a multi-faceted defense strategy that includes technical controls, policies, and user education.
AI has the potential to augment human intelligence and improve efficiency and effectiveness in cybersecurity.
Improving model interaction by allowing more thoughtful and refined responses can enhance the user experience.
Algorithms can be used to delegate tasks and improve performance, leading to better results in complex tasks.
AI is an inflection point in technology, comparable to the internet and the industrial revolution.
AI can be game-changing in automating time-consuming tasks, freeing up human resources for more strategic work.
Autocomplete and code generation tools like Copilot can significantly speed up coding and reduce errors.
AI can be a superpower, enabling rapid prototyping, idea generation, and creative tasks.
Safeguarding AI models requires transparency, explainability, and consideration of potential biases.
Regulations may be necessary to ensure responsible use of AI, but they should not stifle innovation.
Global adoption of AI should be encouraged to prevent technological disparities between countries.

Links:
Rob Ragan's Theoradical.ai
Testing LLM Algorithms While AI Tests Us
LLM Testing Findings Templates: this collection of open-source templates is designed to facilitate the reporting and documentation of vulnerabilities and opportunities for usability improvement in LLM integrations and applications.
Rob Ragan on Twitter
Rob Ragan on LinkedIn
Bishop Fox Labs
