Podcasts

Almost 500 child sextortion cases have been linked to scam compounds, Oracle’s CSO departs after 37 years, Europol offers a reward for the Qilin ransomware group, and the UK drops its demand for an Apple backdoor.

In this edition of Between Two Nerds Tom Uren and The Grugq talk about whether the cyber industry and intelligence agencies focus too much on technical details and ignore the bigger picture.

This episode is also available on Youtube.

Academics develop a 5G downgrade attack, ransomware hits car salvage yards across North America, multiple VPN apps share the same hardcoded password, and Bangladesh spent $190 million on hacking and surveillance tools.

An HTTP-2 vulnerability enables DDoS attacks, Russia blocks Telegram and WhatsApp voice calls, attackers abuse a zero-day in N-able servers, and the US government is adding trackers to chip shipments.

In this Soap Box edition of the Risky Business podcast Patrick Gray chats with Socket founder Feross Aboukhadijeh about how to measure the reachability of vulnerabilities in applications.

It’s great to know there’s a CVE in a library you’re using, but it’s even better if you can say whether or not that vulnerability actually impacts your application.

They also talk about how Socket started out as a way to discover malicious packages in software projects, but these days it’s playing the CVE game as well.

This episode is also available on Youtube.

Tom Uren and Amberleigh Jack talk about a recent hack of the US courts document management system. It’s about as bad as can be, with multiple threat actors including states and possibly even drug cartels rummaging around in there, possibly for years.

They also discuss Microsoft’s involvement in an Israeli surveillance system and the head of Australia’s security organisation’s blunt warning about espionage.

This episode is also available on Youtube.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• CISA warns about the path from on-prem Exchange to the cloud
• Microsoft awards a crisp zero dollar bill for a report about what a mess its internal Entra-authed apps are
• Everyone and their dog seems to have a shell in US Federal Court information systems
• Google pays $250k for a Chrome sandbox escape
• Attackers use javascript in adult SVG files to … farm facebook likes?!
• SonicWall says users aren’t getting hacked with an 0day… this time.

This week’s episode is sponsored by SpecterOps. Chief product officer Justin Kohler talks about how the flagship Bloodhound tool has evolved to map attack paths anywhere. Bring your own applications, directories and systems into the graph, and join the identity attacks together.

This episode is also available on Youtube.

Russia suspected of hacking a US Court system, researchers break the DarkBit ransomware’s encryption, a new attack can leak sensitive data from AMD processors, and a brute-force campaign targets Fortinet devices.

A security researcher scores $250,000 for a Chrome bug, WinRAR patches another zero-day, new vulnerabilities found in the Tetra communications protocol, and a researcher gains access to Microsoft’s internal network for fun… and no profit.

In this Risky Business News sponsor interview Tom Uren talks to Derek Hanson, Yubico’s Field CTO about making account recovery and onboarding for employees phishing-resistant. They also discuss the problems and opportunities of syncable passkeys.