Videos

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?
• China is out popping shells with it
• Linux adds support for PCIe bus encryption
• Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems
• …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board? …

Tom Uren and Patrick Gray discuss a new report proposing a framework for deciding when cyber operations raise red flags. It suggests seven red flags and could help clarify thinking about how to respond to different operations.

They also discuss Anthropic testifying to Congress and Iran using cyber intelligence to target missile strikes including by sharing it with Houthi rebels who fired at a specific ship.

And finally, we are not reassured by China’s white paper about being a good cyber citizen.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. It’s a quiet week with Thanksgiving in the US, but there’s always some cyber to talk about:

• Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive
• Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec…
• … as Wired publishes an opsec guide for teens.
• Microsoft decides its login portal is worth a Content Security Policy
• South Korean online retailer data breach covers 65% of the country

This week’s episode is sponsored by Nebulock. Founder and CEO Damien Lewke joins to talk through their work bringing more SIgma threat detection rules to MacOS. …

In this edition of Between Two Nerds Tom Uren and The Grugq wonder whether it is possible to deter states from cyber espionage with doxxing and other disruption measures.

Tom Uren and Amberleigh Jack talk about new research that shows the Chinese-made DeepSeek-R1 AI model produces insecure code when prompts include topics that the Chinese Communist Party dislikes. It’s interesting research, but the CCP doesn’t have a monopoly on imposing AI bias.

They also discuss the complete doxxing of the Iranian cyber espionage group known as APT35 or Charming Kitten.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Salesforce partner Gainsight has customer data stolen
• Crowdstrike fires insider who gave hackers screenshots of internal systems
• Australian Parliament turns off wifi and bluetooth in fear of of visiting Chinese bigwigs
• Shai-Hulud npm/Github worm is back, and rm -rf’ier than ever
• SEC gives up on Solarwinds lawsuit
• Dog eats cryptographer’s key material

This week’s episode is sponsored by runZero. HD Moore pops in to talk about how they’re integrating runZero with Bloodhound-style graph databases. He also discusses uses for driving runZero’s tools with an AI, plus the complexities of shipping AI when the company has a variety of deployment models….

Tom Uren and Amberleigh Jack talk about Anthropic’s discovery of an “AI-orchestrated” cyber espionage campaign. To Tom, it feels a research project, but it’s pretty clear it will be really useful for threat actors that aren’t focussed on specific high-priority targets. Think ransomware, Chinese intellectual property theft and North Korean hackers. But it won’t be so good for Western intelligence agencies.

They also discuss Google’s legal disruption of the China-based Lighthouse phishing as a service operation. Surprisingly, it seems to be working!

Finally, they talk about why the memory safe Rust language has been a triple win for Android.

In this sponsored Soap Box edition of the podcast, Andrew Morris joins Patrick Gray to talk about how Greynoise can often get a 90 day heads up on serious vulnerabilities. Whether it’s malicious actors doing reconnaissance or the affected vendors trying to understand the scope of the problem, it seems that mass scanning activity lines up pretty nicely with typical 90-day disclosure timelines.

A fascinating chat with Andrew, as always.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Anthropic says a Chinese APT orchestrated attacks using its AI
• It’s a day ending in -y, so of course there are shamefully bad Fortinet exploits in the wild
• Turns out slashing CISA was a bad idea, now it’s time for a hiring spree
• Researchers brute force entire phone number space against Whatsapp contact discovery API
• DOJ figures out how to make SpaceX turn off scam compounds’ Starlink service

This week’s episode is sponsored by Mastercard. Senior Vice President of Mastercard Cybersecurity Urooj Burney joins to talk about how the roles of fraud and cyber teams in the financial sector are starting to converge. Mastercard also recently acquired Recorded Future, and Urooj talks about how they aim to integrate cyber threat intelligence into the financial world. …

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the strategic “logic” of Russian wiper attacks on the Ukrainian grain sector.