Podcasts

News, analysis and commentary

Why NPM v12 won’t stop supply chain attacks

Presented by

James Wilson

Technology Editor

In this podcast episode, James Wilson is joined by Open Source Malware Security co-founder Paul McCarty to talk about the supply chain attack mitigations coming in NPM v12.

NPM disabling (by default) auto-run install scripts and dynamic dependencies is a positive step forward… but it’ll take years for this new version to be adopted, and these changes do nothing to prevent malicious packages being imported into projects.

Further, Paul thinks disabling these features by default will introduce friction that will cause them to be re-enabled. When the choice is “this builds” and “this is less prone to malware”, the former will always win.


Risky Bulletin: CISA tightens patching rules amid bug deluge

Presented by

Catalin Cimpanu

News Editor

Claire Aird

Newsreader

CISA changes federal patching rules due to AI, a House Republican was hacked by Russia, ShinyHunters go on an Oracle hacking spree, and npm will block auto-run install scripts by default.


Sponsored: Understanding CI/CD attack paths

Presented by

James Wilson

Technology Editor

In this sponsored episode, James Wilson chats with SpecterOps CTO Jared Atkinson about the central role that GitHub has played in recent supply chain compromises. GitHub is where code gets built, tested, and shipped to devices, cloud, and on-prem environments. Understanding the paths an attacker can use to get into GitHub, and where they can pivot to from there, is essential to securing your GitHub repos and CI/CD pipelines.


Srsly Risky Biz: Europe wants to wean itself off US tech

Presented by

James Wilson

Technology Editor

Tom Uren

Policy & Intelligence

Tom Uren and James Wilson talk about the European Union’s digital sovereignty push. A divorce from US tech giants is on the cards, but building sovereign infrastructure and chip capacity will be hard. From an American perspective this is an entirely predictable own-goal. You can have internationally competitive tech giants or you can have an aggressive and coercive foreign policy. You can’t have both at the same time.

They also discuss the reanimated corpse of NSO Group. It’s in a hole, but it just keeps digging.

This episode is also available on YouTube.


Risky Bulletin: Nightmare Eclipse drops fresh 0day

Presented by

Catalin Cimpanu

News Editor

Claire Aird

Newsreader

Nightmare Eclipse drops a fresh zero day, Meta says NSO is targeting WhatsApp users again, hackers breach France’s Tchap secure messenger network, Putin disables some Kremlin security cameras, and Gmail be gone! Russia bans logins from foreign email addresses.


Risky Business #841 -- Microsoft gets owned and 0day'd

Presented by

James Wilson

Technology Editor

Patrick Gray

CEO and Publisher

On this week’s show special guest co-host Chris Wade, the founder of Corellium turned Cellebrite CTO, joins Patrick Gray and James Wilson to discuss the week’s cybersecurity news.

They cover:

  • Microsoft has repos owned, GitHub tokens popped, and a new 0day dropped on them
  • Meanwhile, researchers are choosing full disclosure instead of engaging MSRC
  • Meta’s AI support agent allowed a staggering 20,000 accounts to be stolen!
  • Apple pulls Russia’s MAX messenger from the App Store and disables notifications
  • Anthropic gives the public our first Mythos-class model but it won’t do cybersecurity work
  • Stripe and Google Tag Manager used in eCommerce website hack campaign
  • And much, much more!

This week’s show is brought to you by runZero. HD Moore, runZero’s founder, drops by in this week’s sponsor interview to talk about the AI vibe shift. Everyone is very worried about getting owned all of a sudden, and it’s really changing the cybersecurity business.

This episode is also available on YouTube.


Between Two Nerds: Nerds at NATO

Presented by

The Grugq

Independent Security Researcher

Tom Uren

Policy & Intelligence

In this edition of Between Two Nerds Tom Uren and The Grugq speak at the NATO CyCon conference on Cyber Conflict in Tallinn, Estonia. The pair discuss how cyber operations complement conventional military operations and the past, present and future of cyber conflict.

This episode is also available on YouTube.


Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks

Presented by

Catalin Cimpanu

News Editor

Claire Aird

Newsreader

RubyGems adds dependency cooldowns to counter supply chain attacks, AT&T and IBM are accused of hiding foreign hacks, Cisco warns of a new SD-WAN zero-day, and Google layoffs hit security teams.


Everything is getting much worse, much faster

Presented by

James Wilson

Technology Editor

In this podcast Brad Arkin joins James Wilson to talk about how the fear of being left behind in the AI era means enterprises are taking risks that would have been considered insane just a couple of years ago.

Fears around outages or being hacked have been trumped by fears of being labelled an AI laggard.

So where are we all going? Say hello to tech debt-riddled, vibe-coded apps, crazy dependencies on AI providers, and an emerging threat landscape that can’t be mitigated by a contemporary SOC. Sounds like fun, eh?


Soap Box: Detection and response in the AI age

Presented by

Patrick Gray

CEO and Publisher

In this sponsored Soap Box edition of the Risky Business podcast Patrick Gray chats with Edward Wu, founder of Dropzone, about what AI is doing to detection, response and the SOC more generally.

Dropzone makes AI agents that conduct alert investigations in your SOC, but will the SOC as we know it even exist in the future?

Ed has a deep expertise in SOC tech, having previously led AI/ML detection engineering at Extrahop. This interview is a fantastic look at what the future may bring for detection and response professionals.

This episode is also available on YouTube.
