OAuth implementation failures, the State of DevOps report, data poisoning generative AIs with Nightshade, implementing spectre attacks with JavaScript and WebAssembly against WebKit, sandboxing apps
Show Notes: https://securityweekly.com/asw-261
The categories of security tools that we're most familiar with have struggled to keep up with how modern apps are designed and what modern devs need. What if instead of being beholden to categories, we created tools that solved problems devs have today in the types of apps they build today? And what if we had more dev leadership to influence security tools as well as secure by design? What would that leadership look like?
Segment Resources:
Show Notes: https://securityweekly.com/asw-261
Dr. Who, iLeakage, Canada, AI, Killnet, NuGet, You might be a North Korean, More News, and Jason Wood, on this Halloween edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-338
In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for What’s to Come?, and more!
Show Notes: https://securityweekly.com/bsw-326
As the workforce increasingly relies on the cloud, the browser has become a critical aspect of enterprise security. Employees now use browsers to access data and applications from various devices and locations, making browsers the primary target for cyber attackers.
Enterprise browsers are specifically designed to address the security challenges of the modern and complex workforce. According to Gartner, "By 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices, ensuring a seamless hybrid work experience." Tune in to a discussion with Chrome Enterprise's Robert Shield, where he discusses the importance of an enterprise browser for modern businesses and shares insights on how to improve browser security.
Segment Resources: - Here’s how you can get started with Chrome Enterprise for free: Chrome Enterprise - Chrome Enterprise Landing Page: https://chromeenterprise.google/browser/security - Complimentary Gartner report: Gartner® Emerging Tech: Security – The Future of Enterprise Browsers Report
This segment is sponsored by Google Chrome Enterprise. Visit https://securityweekly.com/chromeenterprise to learn more about them!
Show Notes: https://securityweekly.com/bsw-326
This week, we discuss Island's raise, unicorn status, and what that means for both the enterprise browser market and the cybersecurity market in general. We discuss Censys and the state of the external attack surface management market, or what they're trying to call, "exposure management". We discuss the details of the Okta breach in depth, and why we're worried about the larger impact it could have on the industry and vendor trust in general. Finally, we wrap up with some fun squirrel stories.
Show Notes: https://securityweekly.com/esw-337
Pumpkin Spice, VMWARE, Winter Vivern, RoundCube, Apple, Big-IP, Oktapus, Aaran Leyland, and More on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-337
In the age of remote and hybrid work, employees are now spending most of their time in the browser or virtual meetings, making the browser an increasingly important part of an enterprise's security strategy. According to Gartner, “By 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices for a seamless hybrid work experience.”
Learn more about:
Segment Resources:
This segment was sponsored by Google Chrome Enterprise. Visit https://securityweekly.com/chromeenterprise to learn more!
Show Notes: https://securityweekly.com/esw-337
Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Show Notes: https://securityweekly.com/psw-804
We officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Show Notes: https://securityweekly.com/psw-804
In this interview, we talk to Chad Cardenas about why he created The Syndicate Group, which operates very differently from the typical VC firm with LPs and a collective fund to draw from. We'll discuss how the investor/startup relationship differs, and what the advantages of this model are.
Show Notes: https://securityweekly.com/esw-337
Appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more!
Show Notes: https://securityweekly.com/asw-260
Goatse, Okta, Cisco, Ducktail, 0Auth, China, Spain, More News and Aaran Leyland.
Show Notes: https://securityweekly.com/swn-336
We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes.
Segment resources:
Show Notes: https://securityweekly.com/asw-260
In the leadership and communications section, Cybersecurity should be a business priority for CEOs, What CISOs Should Exclude From SEC Cybersecurity Filings, Effective Communication: The Key to Workplace Success, and more!
Show Notes: https://securityweekly.com/bsw-325
As the CISO role continues to transform from a technician to a risk manager, how do you secure emerging technologies, such as edge computing? By aligning to business objectives. In this segment, Theresa Lanowitz from AT&T Cybersecurity and Scott Stout From Cisco help us break down the challenges of the CISO and how to align security requirements to business outcomes to solve the emerging edge computing use cases. During the interview, we will tackle the Hospital at Home and Manufacturing edge computing uses cases. Tune in for this collaborative session from two of the leading cybersecurity giants.
This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them!
Show Notes: https://securityweekly.com/bsw-325
This week, in the enterprise security news,
All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-336
Skynet, India, North Korea, China, passwords, KeePass, Cisco, AI, Aaran Leyland, and More on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-335
One of the biggest challenges in security today is organizations' reluctance to share attack information. Perhaps legal teams are worried about liability, or maybe execs are just embarrassed about security failures. Whatever the reason, this trend makes it difficult for organizations to help each other. CrowdSec's mission is to make this process automated, anonymized, and seamless for security teams.
We talk to Phillip Humeau, one of CrowdSec's founders, about what it's like to build a such an unconventional cybersecurity business - one based around crowdsourcing and open source software.
Show Notes: https://securityweekly.com/esw-336
Today we interview Shane Sims, CEO of Kivu Consulting. We'll be talking about the current state of cybercrime and insights from incidents his consulting firm has recently worked. We'll discuss some of the latest stats and trends related to ransomware, as well as thoughts on future cybercrime trends. Shane will also share some stories from his time as an FBI agent, working undercover as a cybercriminal.
Segment Resources: Report - Mitigating Ransomware Risk: Determining Optimal Strategies for Business
Show Notes: https://securityweekly.com/esw-336
In the Security News: Fried squid is tasty, but the squid proxy is vulnerable, Flipper zero and other tools can now BLE Spam more than just Apple devices, Cisco IOS vulnerability in the web interface, again, is Signal vulnerable?, WinRAR being exploit, still, Math.Random is not really all that random, get your malware samples, and my inside look into Android TV devices, malware, and the horrors of the supply chain! All that and more on this episode of Paul’s Security Weekly!
Show Notes: https://securityweekly.com/psw-803
Chris Rock is a Cyber Mercenary who has worked in the Middle East, US and Asia for the last 30 years working for both government and private organizations. ˇHe is the Chief Information Security Officer and co-founder of SIEMonster. Chris has presented three times at the largest hacking conference in the world, DEFCON in Las Vegas on controversial vulnerabilities. Chris is also the author of the Baby Harvest, a book based on criminals and terrorists using virtual babies and fake deaths for financing. He has also been invited to speak at TED global.
Show Notes: https://securityweekly.com/psw-803
How HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program.
Show Notes: https://securityweekly.com/asw-259
Cisco, Juniper, AVOSLocker, NoEscape, Valve, FreedomGPT, More News and Aaran Leyland.
Show Notes: https://securityweekly.com/swn-334
It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan can freeze or crash a device, that availability seems like it hasn't put enough consideration into adversarial environments. We chat about the common failures of OT design and discuss a few ways that systems designed today might still be secure 30 years from now.
Segment Resources: https://linktr.ee/huxley_barbee
BSidesNYC: LinkedIn: https://www.linkedin.com/company/bsidesnyc/ Mastodon: https://infosec.exchange/@BSidesNYC
runZero has a tool that can safely discover your entire OT network: Free trial: https://www.runzero.com/try/signup/
Show Notes: https://securityweekly.com/asw-259