Podcasts

The EU has a problem attracting and retaining cyber talent, the CEO of Coupang resigns following the company’s security breach, Microsoft expands its bug bounty program to cover third party code, and Chrome and Gogs patch zero-days.

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph.

OpenGraph enumerates attack paths across platforms and services, not just your primary directories.

A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it.

Cross-platform attack path enumeration! So good!

This episode is also available on Youtube.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?
• China is out popping shells with it
• Linux adds support for PCIe bus encryption
• Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems
• …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board?

This episode is also available on Youtube.

Linux adds PCIe encryption to help secure cloud servers, Europol cracks down on Violence-as-a-Service providers, the International Criminal Court prepares for cyber-enabled genocide, and Cambodia busts a warehouse full of SMS blasters.

APTs go after the React2Shell vulnerability just hours after public disclosure. CISA remains without a director after the nomination stalls again, NSA is down 2,000 staff this year, and Intellexa is still active despite sanctions.

Tom Uren and Patrick Gray discuss a new report proposing a framework for deciding when cyber operations raise red flags. It suggests seven red flags and could help clarify thinking about how to respond to different operations.

They also discuss Anthropic testifying to Congress and Iran using cyber intelligence to target missile strikes including by sharing it with Houthi rebels who fired at a specific ship.

And finally, we are not reassured by China’s white paper about being a good cyber citizen.

This episode is also available of Youtube.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. It’s a quiet week with Thanksgiving in the US, but there’s always some cyber to talk about:

• Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive
• Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec…
• … as Wired publishes an opsec guide for teens.
• Microsoft decides its login portal is worth a Content Security Policy
• South Korean online retailer data breach covers 65% of the country

This week’s episode is sponsored by Nebulock. Founder and CEO Damien Lewke joins to talk through their work bringing more SIgma threat detection rules to MacOS.

This episode is also available on Youtube.

In this edition of Between Two Nerds Tom Uren and The Grugq wonder whether it is possible to deter states from cyber espionage with doxxing and other disruption measures.

This episode is also available on Youtube.

In this Risky Business News sponsor interview, Mike Lashlee, CSO of Mastercard talks to Tom Uren about why the company got into threat intelligence.

Mike talks about bringing together payments insights with threat intel to get strong signals about fraud or crime, the benefits of international collaboration and when it makes sense for your CSO to also be the CISO.

Tom Uren and Amberleigh Jack talk about new research that shows the Chinese-made DeepSeek-R1 AI model produces insecure code when prompts include topics that the Chinese Communist Party dislikes. It’s interesting research, but the CCP doesn’t have a monopoly on imposing AI bias.

They also discuss the complete doxxing of the Iranian cyber espionage group known as APT35 or Charming Kitten.

This episode is also available on Youtube.