Security Weekly Podcast Network (Video)

Security Weekly
Oct 9, 2024 • 37min

RCE from Iconv + PHP, Fuzzing a Codec, Fuzzing LLMs, Revisiting Recall - ASW #302

The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more! Show Notes: https://securityweekly.com/asw-302
Oct 8, 2024 • 26min

Give CISOs a Seat at the Table as CISO Salaries Surge - BSW #367

In the leadership and communications segment, PwC Urges Boards to Give CISOs a Seat at the Table, CISO Salary Surge: Fewer Job Changes, Bigger Paychecks for Experienced Cybersecurity Leaders, Fostering a cybersecurity-first culture: Key leadership insights for building resilient businesses, and more! Show Notes: https://securityweekly.com/bsw-367
Oct 8, 2024 • 36min

The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302

Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project.

Segment Resources:
https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/
https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/
KICS: https://github.com/Checkmarx/kics
2MS: https://github.com/Checkmarx/2ms

Show Notes: https://securityweekly.com/asw-302
Oct 8, 2024 • 30min

AI, American Water, Broadband, Claroty, Okta, Meta, Phishing, Robocop, Josh Marpet... - SWN #420

AI Fest, American Water, Broadband, Claroty, Okta, Meta, Phishing, Robocop, Josh Marpet, and more on the Security Weekly News. Show Notes: https://securityweekly.com/swn-420
Oct 8, 2024 • 1h 20min

The Saga Continues - PSW #846

Get ready for a wild ride in this week's podcast episode, where we dive into the latest security shenanigans!

Default Credentials Gone Wild: We’ll kick things off with a look at how default credential scanners are like that friend who shows up to the party but never brings snacks. They're everywhere, but good luck finding one that actually works!

Critical Vulnerabilities in Tank Gauges: Next, we’ll discuss how automated tank gauges are now the new playground for hackers. With vulnerabilities that could lead to environmental disasters, it’s like giving a toddler a box of matches—what could possibly go wrong?

Cisco Routers: The Forgotten Gear: Cisco's small business routers are like that old car in your driveway—still running but definitely not roadworthy. We’ll explore why you should check your network before it becomes a digital junkyard.

Firmware Updates: A Love Story: Richard Hughes has dropped some juicy updates on fwupd 2.0.0, making firmware updates as easy as ordering takeout. But let’s be real, how many of us actually do it?

Stealthy Linux Malware: We’ll also uncover Perfctl, the stealthy malware that’s been creeping around Linux systems since 2021. It’s like that one relative who overstays their welcome—hard to get rid of and always looking to borrow money!

PrintNightmare Continues: And yes, the PrintNightmare saga is still haunting Windows users. It’s like a horror movie that just won’t end—grab your popcorn!

Cyber Shenanigans at Comcast and Truist: We'll wrap up with a juicy breach involving Comcast and Truist Bank that compromised data for millions. Spoiler alert: they didn’t have a great plan for cleaning up the mess.

Tune in for all this and more as we navigate the wild world of security news with a wink and a nudge!

Show Notes: https://securityweekly.com/psw-846
Oct 8, 2024 • 40min

Run Your Security Program Like an Election Campaign - Kush Sharma - BSW #367

Does the CISO need to act like a politician? Negotiating budgets, communicating risks, and selling your strategy across the organization does sound a little like a politician. And if that's the case, are you hiring the right campaign staff? Kush Sharma, former CISO for CPR, City of Toronto, and Saputo, joins Business Security Weekly to discuss why you should run your security program like an election campaign. Kush will discuss the other positions you need to hire, not just the technical positions, to help you budget, communicate, and sell your strategy. A politician can't do it all by themself, so why should a CISO? Show Notes: https://securityweekly.com/bsw-367
Oct 5, 2024 • 31min

Secure the Browser & Vulnerability and Exposure Management - Brian Contos, Neko Papez - ESW #378

The way we use browsers has changed, and so has the way we need to secure them. Using a secure enterprise browser to execute content away from the endpoint, inside a secure cloud browser, is a dramatically more effective and cost-effective approach to protecting users and securing access. This segment is sponsored by Menlo Security. Visit https://securityweekly.com/menloisw to learn more about them!

Sevco is a cloud-native vulnerability and exposure management platform built atop asset intelligence to enable rapid risk prioritization, mitigation, validation, and metrics.

Segment Resources:
Customer Testimonials: https://www.sevcosecurity.com/testimonials/
Product Videos: https://www.sevcosecurity.com/sevcoshorts/

This segment is sponsored by Sevco Security. Visit https://securityweekly.com/sevcoisw to learn more about them!

Show Notes: https://securityweekly.com/esw-378
Oct 4, 2024 • 33min

Perfctl, Pig Butchering, Ivanti, Zimbra, BabyLockerKZ, AI gone Wild, Aaran Leyland... - SWN #419

Perfctl, Warm Cookie, Pig Butchering, Ivanti, Zimbra, BabyLockerKZ, AI gone Wild, Aaran Leyland, and more on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-419
Oct 4, 2024 • 2h 5min

Nothing Is Safe - PSW #845

Automated tank gauges are leaking more than just fuel, while CUPS is serving up a steaming hot brew of vulnerabilities. Meanwhile, Supermicro's BMC firmware is giving away root access like it's going out of style. If you thought your Kia was safe, think again - all it takes is a license plate and 30 seconds to turn your car into a hacker's joyride. China's been busy building a massive IoT botnet called Raptor Train. It's been chugging along undetected for four years. NIST has decided that your password doesn't need to be a cryptographic masterpiece anymore. No more special characters or arbitrary changes - just make it long and don't use "password123". A Texas hospital is playing a game of "hot potato" with ambulances thanks to a ransomware attack. More thoughts on known exploited vulnerabilities, firmware unpacking tools lowdown, Aruba, Bahama, come-on command injection, and kids changing the name of their school! Show Notes: https://securityweekly.com/psw-845
Oct 4, 2024 • 36min

Cybersecurity Career Paths: from touring musician to purple teaming at Meta - Jayson Grace - ESW #378

In our latest in a series of interviews discussing cybersecurity career paths, today we talk to Jayson Grace about his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well.

Segment Resources:
CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models
[TTPForge](https://github.com/facebookincubator/TTPForge) is a cybersecurity framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
ForgeArmory provides TTPs that can be used with TTPForge.
Wired, by Lily Hay Newman: Facebook's ‘Red Team X’ Hunts Bugs Beyond the Social Network's Walls
MOSE (Master Of SErvers) is a post-exploitation tool for configuration management servers.
BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact
BSides LV 2023 - GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc

Show Notes: https://securityweekly.com/esw-378
