Podcasts

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• CISA warns about the path from on-prem Exchange to the cloud
• Microsoft awards a crisp zero dollar bill for a report about what a mess its internal Entra-authed apps are
• Everyone and their dog seems to have a shell in US Federal Court information systems
• Google pays $250k for a Chrome sandbox escape
• Attackers use javascript in adult SVG files to … farm facebook likes?!
• SonicWall says users aren’t getting hacked with an 0day… this time.

This week’s episode is sponsored by SpecterOps. Chief product officer Justin Kohler talks about how the flagship Bloodhound tool has evolved to map attack paths anywhere. Bring your own applications, directories and systems into the graph, and join the identity attacks together.

This episode is also available on Youtube.

Russia suspected of hacking a US Court system, researchers break the DarkBit ransomware’s encryption, a new attack can leak sensitive data from AMD processors, and a brute-force campaign targets Fortinet devices.

A security researcher scores $250,000 for a Chrome bug, WinRAR patches another zero-day, new vulnerabilities found in the Tetra communications protocol, and a researcher gains access to Microsoft’s internal network for fun… and no profit.

In this Risky Business News sponsor interview Tom Uren talks to Derek Hanson, Yubico’s Field CTO about making account recovery and onboarding for employees phishing-resistant. They also discuss the problems and opportunities of syncable passkeys.

Federal agencies told to patch a new Exchange flaw, millions of sites are vulnerable to HTTP desync attacks, Trend Micro patches a zero-day, and the Salesforce data breaches continue.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. Google security engineering VP Heather Adkins drops by to talk about their AI bug hunter, and Risky Business producer Amberleigh Jack makes her main show debut.

This episode explores the rise of AI-powered bug hunting:

• Google’s Project Zero and Deepmind team up to find and report 20 bugs to open source projects
• The XBOW AI bug hunting platform sees success on HackerOne
• Is an AI James Kettle on the horizon?

There’s also plenty of regular cybersecurity news to discuss:

• On-prem Sharepoint’s codebase is maintained out of China… awkward!
• China frets about the US backdooring its NVIDIA chips, how you like ‘dem apples, China?
• SonicWall advises customers to turn off their VPNs
• Hardware controlling Dell laptop fingerprint and card readers has nasty driver bugs
• Russia uses its ISPs to in-the-middle embassy computers and backdoor ‘em.
• The Russian government pushes VK’s Max messenger for everything

This week’s show is sponsored by device management platform Devicie. Head of Solutions Sean Ollerton talks through the impending Windows 10 apocalypse, as Microsoft ends mainstream support. He says Windows 11 isn’t as scary as people make out, but if the update isn’t on your radar now, time is running out.

This episode is also available on Youtube.

Russian companies must migrate to domestic ERP systems; A Thai hospital gets fined over the the dumbest data breach ever; Ohio’s public sector will have to approve ransom payments in public; …and Chanel and Cisco disclose data breaches.

In this edition of Between Two Nerds Tom Uren and The Grugq dissect the Belarusian Cyber Partisans hack of Russian airline Aeroflot. Despite the short-term impact, the airline will likely bounce back quite quickly. But it is still a big win for the Cyber Partisans.

This episode is also available on Youtube.

China accuses the US of new cyberattacks, a $14.5b crypto hack discovered five years later, the US National Cyber Director is named, and Lovense considers legal action over a security flaw disclosure.

In this week’s sponsor interview, Tines’ Field CISO, Matt Muller, chats to Casey Ellis about the interesting and out-of-the-box ways they’ve seen people using the platform. Tines is a platform designed to automate repetitive tasks for IT and security teams. And, as it turns out, it can be used to … gamify shift handover?