Jerry Bell and Andrew Kalat
Please consider supporting the DefSec podcast here. Links to stories: https://www.computerweekly.com/news/366640648/Emergency-Microsoft-Oracle-patches-point-to-wider-cyber-issues https://www.theregister.com/2026/03/27/security_boffins_harvest_bumper_crop/ https://thehackernews.com/2026/03/the-hidden-cost-of-cybersecurity.html?m=1 https://www.theregister.com/2026/03/24/trivy_compromise_litellm/ https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
Please consider supporting the DefSec podcast here. Here are the links we discuss this week: https://www.darkreading.com/identity-access-management-security/more-attackers-logging-in-not-breaking-in https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/ https://www.csoonline.com/article/4147833/cisa-urges-it-to-harden-endpoint-management-systems-after-cyberattack-by-pro-iranian-group.html https://arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/ https://techcrunch.com/2026/03/21/delve-accused-of-misleading-customers-with-fake-compliance/
This time it’s not a rerun! Please consider supporting the DefSec podcast here. Here are the links we discuss this week: https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-as-attacks-surge/ https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/ https://www.darkreading.com/cyberattacks-data-breaches/nation-state-actor-ai-malware-assembly-line https://www.cybersecuritydive.com/news/ransomware-identity-ai-cloudflare/813319/ https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html?m=1
Please consider supporting the DefSec podcast here. Here are the links we discuss this week: https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/ https://www.theregister.com/2026/02/16/open_source_registries_fund_security/ https://www.bleepingcomputer.com/news/security/infostealer-malware-found-stealing-openclaw-secrets-for-first-time/ https://www.securityweek.com/api-threats-grow-in-scale-as-ai-expands-the-blast-radius/ https://www.theregister.com/2026/02/19/rmm_rat_trustconnect/
Please consider supporting the DefSec podcast here. Links to this week’s stories: https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/ https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/ https://www.bleepingcomputer.com/news/security/amos-infostealer-targets-macos-through-a-popular-ai-app/ https://www.theregister.com/2026/02/10/ai_agents_messaging_apps_data_leak/ https://www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/
Please consider supporting the DefSec podcast here. Links to the stories we cover in this episode: https://www.theregister.com/2026/01/29/faster_patching_please_cry_infoseccers/ https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html?m=1 https://www.bleepingcomputer.com/news/security/marquis-blames-ransomware-breach-on-sonicwall-cloud-backup-hack/ https://thehackernews.com/2026/01/researchers-find-175000-publicly.html?m=1 https://www.darkreading.com/application-security/openclaw-ai-runs-wild-business-environments
Please consider supporting the DefSec podcast here. Links to the stories we cover in this episode: https://www.bleepingcomputer.com/news/security/hackers-exploit-security-testing-apps-to-breach-fortune-500-firms/ https://www.securityweek.com/analysis-of-6-billion-passwords-shows-stagnant-user-behavior/ https://www.theregister.com/2026/01/20/group_ib_ai_cycercrime_subscriptions/ https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/ https://arstechnica.com/security/2026/01/mandiant-releases-rainbow-table-that-cracks-weak-admin-password-in-12-hours/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to the stories in this episode: https://www.theregister.com/2026/01/09/pyongyangs_cyberspies_are_turning_qr/ https://www.scworld.com/perspective/five-ways-to-conduct-a-more-secure-hiring-process https://cybersecuritynews.com/vmware-esxi-exploited-toolkit/ https://www.darkreading.com/cyber-risk/ciso-succession-crisis-highlights-turnover-amplifies-security-risks
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.darkreading.com/cyber-risk/cybersecurity-tech-recommended-by-cyber-insurer-claims-data https://www.bleepingcomputer.com/news/security/trust-wallet-links-85-million-crypto-theft-to-shai-hulud-npm-attack/ https://www.securityweek.com/hacker-claims-theft-of-40-million-conde-nast-records-after-wired-data-leak/ https://databreaches.net/2025/12/30/software-company-lacked-downstream-liability-for-data-breach/ https://techcrunch.com/2025/12/12/home-depot-exposed-access-to-internal-systems-for-a-year-says-researcher/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/ https://cybersecuritynews.com/mongobleed-poc-exploit-mongodb/ https://cybersecuritynews.com/fortigate-firewall-vulnerability/ https://cybersecuritynews.com/oracle-e-business-suite-hack/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Merry Christmas and Happy Holidays! Links to this week’s stories: https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/ https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html?m=1 https://cybersecuritynews.com/amazon-catches-north-korean-it-worker/ https://www.darkreading.com/application-security/fake-proof-ai-slop-hobble-defenders https://www.helpnetsecurity.com/2025/12/17/cisco-secure-email-cve-2025-20393/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.theregister.com/2025/12/09/hypervisor_ransomware_attacks_increasing https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable https://www.infosecurity-magazine.com/news/log4shell-downloaded-40-million https://www.infosecurity-magazine.com/news/ncsc-raises-alarms-prompt https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html?m=1
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.darkreading.com/cyberattacks-data-breaches/advanced-security-phishing-tactics https://www.theregister.com/2025/11/28/posthog_shaihulud/?td=keepreading / https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem https://www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/ https://www.theregister.com/2025/11/25/akira_ransomware_acquisitions Browser extensions pushed malware to 4.3M Chrome, Edge users • The Register
Reposting Episode 331 due to the wrong mp3 attached to the original. Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/ / https://www.bleepingcomputer.com/news/security/anthropic-claims-of-claude-ai-automated-cyberattacks-met-with-doubt/ https://www.theregister.com/2025/11/14/selfreplicating_supplychain_attack_poisons_150k/ https://cyberscoop.com/fortinet-delayed-disclosure-exploited-vulnerability/ https://www.bleepingcomputer.com/news/security/piecing-together-the-puzzle-a-qilin-ransomware-investigation/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.cybersecuritydive.com/news/nevada-ransomware-attack-traced-back-to-malware-download-by-employee/805011/ https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools https://www.darkreading.com/application-security/owasp-highlights-supply-chain-risks-new-top-10 https://www.computerweekly.com/news/366634363/Google-Dont-get-distracted-by-AI-focus-on-real-cyber-threats
https://www.youtube.com/watch?v=3BaNujBx62Y Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.theregister.com/2025/11/03/mit_sloan_updates_ai_ransomware_paper/ https://www.theregister.com/2025/10/29/ey_exposes_4tb_sql_database/ https://www.darkreading.com/cyber-risk/zombie-projects-rise-again-undermine-security https://www.darkreading.com/cloud-security/cloud-outages-highlight-need-resilient-secure-infrastructure-recovery
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links we discuss this week: https://thehackernews.com/2025/10/self-spreading-glassworm-infects-vs.html?m=1 https://www.cybersecuritydive.com/news/artificial-intelligence-security-risks-ey-report/803490/ https://www.cybersecuritydive.com/news/ai-augment-security-identity-soc/803608/ https://www.darkreading.com/cyber-risk/best-end-user-security-awareness-programs-arent-about-awareness-anymore https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-windows-server-wsus-flaw-in-attacks/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Links to this week’s stories: https://www.cybersecurity-insiders.com/how-ai-will-shape-the-future-of-cyber-defense-a-one-three-and-five-year-outlook/ https://www.helpnetsecurity.com/2025/10/15/f5-big-ip-data-breach/ https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/ https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/ https://www.theguardian.com/technology/2025/oct/19/global-cyber-attack-russian-hack-solarwinds-stress-health
Want to be the first to hear our episodes each week? Become a Patreon donor here. Here are the stories we discuss this week: https://cybersecuritynews.com/hackers-actively-compromising-databases/ https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/ https://securityaffairs.com/183154/security/threat-actors-steal-firewall-configs-impacting-all-sonicwall-cloud-backup-users.html https://www.theregister.com/2025/10/07/gen_ai_shadow_it_secrets/ https://thehackernews.com/2025/10/from-phishing-to-malware-ai-becomes.html?m=1 https://databreaches.net/2025/10/12/from-sizzle-to-drizzle-to-fizzle-the-massive-data-leak-that-wasnt/
Want to be the first to hear our episodes each week? Become a Patreon donor here. Here are links to the stories we discuss this week: https://www.theregister.com/2025/09/29/postmark_mcp_server_code_hijacked/ https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/ https://www.bleepingcomputer.com/news/security/westjet-data-breach-exposes-travel-details-of-12-million-customers/ https://www.cybersecuritydive.com/news/material-cybersecurity-breaches-unreported/760892/ https://www.securityweek.com/red-hat-confirms-gitlab-instance-hack-data-theft/ https://www.securityweek.com/hackers-extorting-salesforce-after-stealing-data-from-dozens-of-customers/ https://databreaches.net/2025/10/04/just-days-before-its-data-might-be-leaked-qantas-airways-obtained-a-permanent-injunction/
Here are links to the stories we discuss this week: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html https://www.theregister.com/2025/09/23/gartner_ai_attack/ https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-firmware-update-to-wipe-rootkit-malware/ https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/
Please follow us on YouTube! Want episodes a week early? Consider becoming a Patreon sponsor of the DefSec podcast here. Here are links to the stories we talked about this week: https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/ https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/ https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages https://cybersecuritynews.com/finwise-insider-breach/ https://arstechnica.com/security/2025/09/how-weak-passwords-and-other-failings-led-to-catastrophic-breach-of-ascension/
Here are the stories we discuss this week: https://natlawreview.com/article/qantas-airways-cuts-executive-pay-after-cyber-incident-governance-signal-industry https://www.securityweek.com/ransomware-losses-climb-as-ai-pushes-phishing-to-new-heights https://www.bleepingcomputer.com/news/security/hackers-left-empty-handed-after-massive-npm-supply-chain-attack https://www.theregister.com/2025/09/12/huntress_attacker_surveillance LunaLock Ransomware threatens victims by feeding stolen data to AI models FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups
Listen and Watch Defensive Security Episodes a week early by becoming a Patreon donor: https://www.patreon.com/defensivesec Please subscribe to our YouTube channel: Defensive Podcasts – Cyber Security & Infosec. – YouTube Links: https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/ https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/ https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713 https://www.bleepingcomputer.com/news/security/6-browser-based-attacks-all-security-teams-should-be-ready-for-in-2025/ https://www.bleepingcomputer.com/news/security/hackers-use-new-hexstrike-ai-tool-to-rapidly-exploit-n-day-flaws/
Links to stories: https://securityaffairs.com/181430/security/after-sharepoint-attacks-microsoft-stops-sharing-poc-exploit-code-with-china.html https://www.cybersecuritydive.com/news/software-vulnerabilities-breaches-checkmarx-report/757793/ https://www.securityinfowatch.com/cybersecurity/article/55309774/even-security-leaders-are-breaking-ai-rules-calypsoai-report https://www.darkreading.com/cyber-risk/cyber-insurers-may-limit-payments-breaches-unpatched-cve https://www.darkreading.com/cyberattacks-data-breaches/fake-employees-pose-real-security-risks
I have no idea why Riverside.fm (the service we use to record the podcast) has such an audio/video sync problem for the first minute or so of the recording. We’re working on it… On to the show. Here are the links for this week’s episode: https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozens-of-linux-images-with-the-xz-backdoor https://www.darkreading.com/threat-intelligence/charon-ransomware-apt-tactics https://www.securityweek.com/vibe-coding-when-everyones-a-developer-who-secures-the-code https://www.securityweek.com/inside-the-dark-webs-access-economy-how-hackers-sell-the-keys-to-enterprise-networks
Want to support our show? Want to get access to episodes a week before everyone else? Become a patreon sponsor here: https://www.patreon.com/defensivesec If you’re in Atlanta on August 20, you can join us for a LIVE episode at Mission 25. Register here: MCS Mission: Security’25 Our new merch store is live: DefSec Store We’ve added a lot of new items and will continue to do so over time. On to the show. Here are the links for this week’s episode: https://www.bleepingcomputer.com/news/security/spikes-in-malicious-activity-precede-new-cves-in-80-percent-of-cases/ https://www.bleepingcomputer.com/news/security/hackers-plant-4g-raspberry-pi-on-bank-network-in-failed-atm-heist/ https://nerds.xyz/2025/07/ai-security-flaws-veracode-2025/ https://www.bleepingcomputer.com/news/security/tea-app-leak-worsens-with-second-database-exposing-user-chats/ https://www.cybersecuritydive.com/news/research-llms-attacks-without-humans/754203/
Want to support our show? Want to get access to episodes a week before everyone else? Become a patreon sponsor here: https://www.patreon.com/defensivesec If you’re in Atlanta on August 20, you can join us for a LIVE episode at Mission 25. Register here: MCS Mission: Security’25 Our new merch store is live: DefSec Store We’ve added a lot of new items and will continue to do so over time. On to the show. Here are the links for this week’s episode: https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/ https://mashable.com/article/google-gemini-deletes-users-code https://arstechnica.com/security/2025/07/open-source-repositories-are-seeing-a-rash-of-supply-chain-attacks/ https://www.theregister.com/2025/07/23/lawsuit_clorox_vs_cognizant/ https://www.bleepingcomputer.com/news/security/allianz-life-confirms-data-breach-impacts-majority-of-14-million-customers/
If you’re in Atlanta on August 20, you can join us for a LIVE episode at Mission 25. Register here: MCS Mission: Security’25 Our new merch store is live(ish): DefSec Store – We’ll be adding more items as time goes on. This is managed through Printify, which has a quite expansive range of products to logo up. Also, some of you may know that Jerry is into photography and contemplating creating a calendar with images he’s taken. Let us know if that sounds interesting. Possible themes are: beach sunsets, flowers, or jet fighters, because that’s about all he’s good at taking pictures of. On to the show. Here are the links for this week’s episode: https://www.bleepingcomputer.com/news/security/lamehug-malware-uses-ai-llm-to-craft-windows-data-theft-commands-in-real-time/ https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hiding-malware-inside-dns-records/ https://www.darkreading.com/remote-workforce/fully-patched-sonicwall-gear-zero-day-attack https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/ (for patreon listeners only) https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html?m=1 (for patreon listeners only)
Episode 315 is available for our patreon donors and will be posted for everyone else on Monday, July 28. Going forward, episodes will be released to our patreon donors shortly after recording and will be released to everyone else a week later. If you want to become a patreon donor, you can do so here: https://www.patreon.com/defensivesec Also, our new merch store is live and available here: https://store.defensivesecurity.org It’s a work in progress, and please let me know if you have any issues with it. Thank you all and we’ll talk on Monday!
Want to support us? Want even MORE DefSec? Starting this week, we are providing more DefSec for our Patreon donors. Sign up to be a Patreon donor today: https://www.patreon.com/defensivesec Links: https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/ https://www.axios.com/2025/07/08/scattered-spider-cybercrime-hackers https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist/ Additional links for Patreon donors: https://www.theregister.com/2025/07/13/fake_it_worker_problem/ https://www.theregister.com/2025/07/09/chatgpt_jailbreak_windows_keys/
Want to support us? Want even MORE DefSec? Starting this week, we are providing more DefSec for our Patreon donors. Sign up to be a Patreon donor today: https://www.patreon.com/defensivesec https://www.youtube.com/watch?v=BRzMJbBZ490 Links: https://www.csoonline.com/article/4012801/the-top-red-teamer-in-the-us-is-an-ai-bot.html https://www.darkreading.com/endpoint-security/attackers-top-brands-callback-phishing https://www.darkreading.com/cyber-risk/initial-access-broker-self-patches-zero-days https://www.darkreading.com/cybersecurity-operations/ransomware-reshaped-how-cyber-insurers-perform-security-assessments https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work
Want to support us? Want even MORE DefSec? Starting this week, we are providing more DefSec for our Patreon donors. Sign up to be a Patreon donor today: https://www.patreon.com/defensivesec Links: https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/ https://www.bleepingcomputer.com/news/security/man-pleads-guilty-to-hacking-networks-to-pitch-security-services/ https://www.helpnetsecurity.com/2025/06/23/new-hire-phishing-risk/ Patreon exclusive discussions: https://www.helpnetsecurity.com/2025/06/27/cybersecurity-risk-reduction-breach-transparency/ https://www.theregister.com/2025/06/24/vulnerability_management_gap_noone_talks/
Like what we’re doing with the DefSec Podcast and want to help support us? Donate here: https://www.patreon.com/defensivesec Links: https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/ https://www.bleepingcomputer.com/news/security/russian-hackers-bypass-gmail-mfa-using-stolen-app-passwords/ https://www.bleepingcomputer.com/news/security/north-korean-hackers-deepfake-execs-in-zoom-call-to-spread-mac-malware/ https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
Like what we’re doing with the DefSec Podcast and want to help support us? Donate here: https://www.patreon.com/defensivesec Links: https://www.bleepingcomputer.com/news/security/sentinelone-shares-new-details-on-china-linked-breach-attempt/ https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html?m=1 https://www.csoonline.com/article/4002103/cisos-beware-genai-use-is-outpacing-security-controls.html https://thehackernews.com/2025/06/fin6-uses-aws-hosted-fake-resumes-on.html?m=1
Like what we’re doing with the DefSec Podcast and want to help support us? Donate here: https://www.patreon.com/defensivesec Links: https://www.theregister.com/2025/06/06/chatgpt_for_evil/ https://www.theregister.com/2025/06/06/ransomware_negotiation/ https://www.darkreading.com/cyber-risk/how-to-approach-security-era-ai-agents https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-bribed-taskus-support-agents-in-india/ https://www.theregister.com/2025/06/04/kiranapro_cyberattack_deletes_cloud_resources/ / https://x.com/deepakravindran/status/1930776943101894869
Like what we’re doing with the DefSec Podcast and want to help support us? Donate here: https://www.patreon.com/defensivesec In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss a range of topics including the introduction of a new cryptocurrency, Guard Llama Coin, and the implications of recent cybersecurity incidents involving ConnectWise and ransomware attacks. They explore the challenges organizations face in responding to nation-state attacks, the complexities of ransomware tactics, and the importance of employee security awareness. The conversation emphasizes the need for timely patching and proactive security measures to protect against evolving threats. Links: https://www.theregister.com/2025/05/30/connectwise_compromised_by_sophisticated_government/ https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack https://www.darkreading.com/threat-intelligence/3am-ransomware-adopts-email-bombing-vishing
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a significant data breach at Coinbase, the challenges of cryptocurrency security, the importance of patch management, and the evolving landscape of cyber threats. They also discuss insider threats, the failures of rigid security programs, and the overlooked cybersecurity risks in mergers and acquisitions. The episode concludes with a discussion on emerging threats, particularly the potential for ransomware to infect CPUs. Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec Links: https://go.theregister.com/feed/www.theregister.com/2025/05/21/coinbase_confirms_insider_breach_affects/ https://www.theregister.com/2025/05/14/improve_patching_strategies/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/ https://www.darkreading.com/vulnerabilities-threats/rigid-security-programs-fail https://www.darkreading.com/cyber-risk/hidden-cybersecurity-risks-mergers-acquisitions https://www.theregister.com/2025/05/11/cpu_ransomware_rapid7/
In this episode, Jerry and Andrew discuss the importance of data security, phishing attacks targeting hiring managers, the implications of paying ransoms, and the recent Disney data breach incident. They emphasize the need for better training for employees and the challenges of managing software supply chains. The conversation highlights the evolving landscape of cyber threats and the necessity for organizations to adopt more robust security practices. Links: https://www.darkreading.com/cyber-risk/venom-spider-phishing-scheme https://go.theregister.com/feed/www.theregister.com/2025/05/08/powerschool_data_extortionist/ https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-npm-package-with-45-000-weekly-downloads/ https://www.theregister.com/2025/05/02/disney_slack_hacker_revealed_to/ Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec
In this episode, we discuss the Google Mandiant 2025 M-Trends report. The report is available here: https://services.google.com/fh/files/misc/m-trends-2025-en.pdf Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss the latest trends in cybersecurity, focusing on the rise of BEC scams and the significant losses attributed to cybercrime in 2024. They explore emerging threats, including social engineering tactics and hardware vulnerabilities, particularly in management interfaces. The conversation also delves into the complexities of vulnerability management, the risks associated with supply chain attacks in open source software, and the alarming rate at which CVEs are being exploited. The hosts emphasize the need for organizations to be proactive in their security measures and to understand the evolving landscape of cyber threats. Links: https://www.cybersecuritydive.com/news/fbi-internet-crime-bec-scams-investment-fraud-losses/746181/ https://www.bleepingcomputer.com/news/security/asus-releases-fix-for-ami-bug-that-lets-hackers-brick-servers/ https://www.theregister.com/2025/04/21/microsoft_apple_patch/ https://thehackernews.com/2025/04/ripples-xrpljs-npm-package-backdoored.html https://thehackernews.com/2025/04/159-cves-exploited-in-q1-2025-283.html Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec
Summary In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including the rise of ransomware, the importance of backup strategies, and the implications of AI in phishing attacks. They delve into the challenges of managing non-human identities and the need for effective communication of security metrics. The conversation also touches on the recent Oracle breach and the evolving landscape of cybersecurity threats. Links: https://www.cybersecuritydive.com/news/remote-access-tools-ransomware-entry/745144/ https://www.darkreading.com/cyberattacks-data-breaches/oracle-breach-2-obsolete-servers https://thehackernews.com/2025/04/explosive-growth-of-non-human.html?m=1 https://thehackernews.com/2025/04/security-theater-vanity-metrics-keep.html?m=1 https://www.securityweek.com/ai-now-outsmarts-humans-in-spear-phishing-analysis-shows/ Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec
In this episode, Jerry and Andrew discuss various cybersecurity topics, including the recent Oracle Cloud security breach, a GitHub supply chain attack, insider threats, and the implications of AI in cybersecurity. They explore the challenges of maintaining trust in cloud services, the complexities of insider threats, and the evolving landscape of cybercrime driven by AI advancements. The conversation emphasizes the need for robust security measures and the importance of adapting to emerging threats in the cybersecurity realm. Links: https://www.bleepingcomputer.com/news/security/oracle-privately-confirms-cloud-breach-to-customers/ https://www.bleepingcomputer.com/news/security/recent-github-supply-chain-attack-traced-to-leaked-spotbugs-token/ https://www.securityweek.com/39-million-secrets-leaked-on-github-in-2024/ https://www.theregister.com/2025/04/02/deel_rippling_espionage/ https://www.securityweek.com/ai-giving-rise-of-the-zero-knowledge-threat-actor/ Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss a range of cybersecurity topics, including the recent Oracle Cloud breach, the challenges of asset management in large environments, and the importance of prioritizing vulnerabilities. They also explore the findings from a pen test report, the implications of emerging threats like Medusa ransomware, and the need for better security practices in organizations. Links: https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/ https://thehackernews.com/2025/03/10-critical-network-pentest-findings-it.html?m=1 https://www.horizon3.ai/attack-research/attack-blogs/critical-or-clickbait-github-actions-and-apache-tomcat-rce-vulnerabilities-2025/ https://www.forbes.com/sites/daveywinder/2025/03/30/fbi-warns-use-2fa-as-time-traveling-hackers-strike/ https://www.reversinglabs.com/blog/epss-is-not-foolproof-shift-your-appsec-beyond-vulnerabilities Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec
Summary In this episode, we celebrate the 300th episode of the Defensive Security Podcast then discuss various cybersecurity topics including the rise of AI-driven threats, the importance of zero trust architecture, best practices for incident response, the impact of human error on security breaches, and the risks associated with collaboration tools. We also cover the dangers of malvertising campaigns exploiting platforms like GitHub. Like what we’re doing and want to help support us? Donate here: https://www.patreon.com/defensivesec Links: https://venturebeat.com/security/51-seconds-to-breach-how-cisos-are-fighting-back-against-lightning-fast-attacks/ https://www.theregister.com/2025/03/10/incident_response_advice/ https://www.scworld.com/news/95-of-data-breaches-involve-human-error-report-reveals https://www.darkreading.com/cyber-risk/remote-access-infra-remains-riskiest-corp-attack-surface https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-campaign-impacted-1-million-pcs/
Summary In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a Disney employee’s mishap with an AI tool that led to a significant hack, vulnerabilities in VMware ESX hypervisors, and a developer’s sabotage of their ex-employer. They also explore the implications of GitHub repository exposure and the growing risks associated with third-party vendors in cybersecurity. Link to support Andy and Jerry’s work creating the Defensive Security Podcast: https://www.patreon.com/defensivesec Story links: https://www.wsj.com/tech/cybersecurity/disney-employee-ai-tool-hacker-cyberattack-3700c931 https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc https://www.theregister.com/2025/03/08/developer_server_kill_switch/ https://arstechnica.com/information-technology/2025/02/copilot-exposes-private-github-pages-some-removed-by-microsoft/ https://www.darkreading.com/cyber-risk/third-party-risk-top-cybersecurity-claims
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a recent incident involving notorious hackers breaching a company network in under an hour, strategies to defend against deepfake attacks, the targeting of freelance developers by North Korean adversaries, vulnerabilities in Palo Alto firewalls, and the emergence of Ghost ransomware. The conversation emphasizes the importance of proactive security measures and the evolving landscape of cyber threats. Want to support the Defensive Security Podcast? You can donate here: https://www.patreon.com/defensivesec Takeaways: The speed of cyber attacks is increasing, with breaches occurring in under an hour. Organizations must implement robust processes to defend against deepfake attacks. Freelance developers are at risk of being targeted by sophisticated cybercriminals. Palo Alto firewalls are vulnerable to attacks if management interfaces are exposed to the internet. Ghost ransomware is a growing threat, often using familiar tactics to exploit vulnerabilities. Links: https://arstechnica.com/security/2025/02/notorious-crooks-broke-into-a-company-network-in-48-minutes-heres-how/ https://www.darkreading.com/vulnerabilities-threats/4-low-cost-ways-defend-organization-against-deepfakes https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/ https://www.theregister.com/2025/02/19/palo_alto_firewall_attack/ https://hackread.com/fbi-cisa-ghost-ransomware-threat-to-firms-worldwide/
Become a Patreon supporter of the show here: https://www.patreon.com/defensivesec Links: https://www.cybersecuritydive.com/news/ransomware-gangs–tactics-/739937/ https://www.bleepingcomputer.com/news/security/over-12-000-keriocontrol-firewalls-exposed-to-exploited-rce-flaw/ https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/ https://www.darkreading.com/cyber-risk/open-source-ai-models-pose-risks-of-malicious-code-vulnerabilities https://www.csoonline.com/article/3823429/24-of-vulnerabilities-are-abused-before-a-patch-is-available.html
In this episode of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss the evolving landscape of cybersecurity threats, focusing on ransomware tactics that exploit insider threats, the hijacking of LLM resources, and the effectiveness of phishing simulations. They explore how adversaries are increasingly targeting employees to gain access to sensitive data and how organizations can better protect themselves against these threats. The conversation also covers the ethical implications of phishing tests and the need for a more supportive approach to security awareness training. In this episode, Jerry and Andrew discuss the challenges faced by cybersecurity teams, the dynamics between security and other business units, and the importance of learning from incidents to improve security practices. They explore the balance between enabling business operations and maintaining security, the implications of generative AI in the workplace, and the need for effective governance around AI usage. The conversation emphasizes the proactive role security professionals must take in navigating these complexities while ensuring organizational safety. Takeaways Ransomware attackers are increasingly using insider threats to gain access. Greed can turn employees into insider threats, especially in tough economic times. LLM hijacking is a new tactic that exploits compromised API keys. Phishing simulations may create a rift between users and IT security teams. Punitive measures for phishing failures can lead to underreporting of actual attacks. Security awareness training should focus on protecting users, not punishing them. Adversaries are finding valid API keys to exploit cloud resources. The effectiveness of phishing simulations is being questioned by experts. Organizations need to do a better job at protecting their secrets and credentials. The cybersecurity landscape is rapidly evolving, requiring constant adaptation.
Cybersecurity teams often feel like janitors cleaning up after others. Organizational dynamics can create resentment in security teams. Learning from incidents is crucial for improving security practices. Balancing security needs with business operations is essential. Generative AI presents both risks and opportunities for organizations. Effective governance is needed for AI usage in business. Security professionals must help businesses understand risk management. Building relationships across departments can improve security outcomes. AI tools should be used with proper agreements to protect data. The landscape of AI in business is rapidly evolving and requires adaptation. Links https://www.scworld.com/news/ransomware-attackers-turn-to-workers-for-data-breach-access https://www.darkreading.com/application-security/llm-hijackers-deepseek-api-keys https://www.wsj.com/tech/cybersecurity/phishing-tests-the-bane-of-work-life-are-getting-meaner-76f30173 https://www.securityweek.com/security-teams-pay-the-price-the-unfair-reality-of-cyber-incidents/ https://www.darkreading.com/threat-intelligence/employees-sensitive-data-genai-prompts
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including the alarming statistics surrounding ransomware attacks, the implications of paying ransoms, and the evolving nature of ransomware as a broader category of cyber threats. They also discuss the consolidation of security tools and the skepticism surrounding it, particularly in light of a recent report by Palo Alto and IBM. The conversation shifts to the risks associated with AI, highlighted by the DeepSeek incident, and concludes with a discussion on the importance of securing management interfaces and the ongoing challenges in the cybersecurity landscape. Links: https://www.infosecurity-magazine.com/news/ransomware-victims-shut-operations/ https://www.cybersecuritydive.com/news/consolidation-security-tools/738912/ https://9to5mac.com/2025/01/31/security-bite-top-macos-threat-found-riding-the-deepseek-wave/ https://www.securityweek.com/sonicwall-confirms-exploitation-of-new-sma-zero-day/ https://www.theregister.com/2025/01/30/deepseek_database_left_open/ Takeaways 58% of ransomware victims had to shut down operations temporarily. Only 13% of victims who paid ransom got all their data back. The ransomware ecosystem relies on the belief that victims will recover their data. Organizations average 83 different security tools, leading to inefficiencies. Speed in deploying AI can compromise security practices. DeepSeek incident highlights risks of using unverified AI models. SonicWall’s zero-day vulnerability emphasizes the need for secure management practices. Security tool consolidation may not always lead to better outcomes. Phishing and RDP compromises are common entry points for ransomware. The evolving nature of ransomware requires a broader understanding of cyber threats.
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a hidden backdoor in Juniper routers, PayPal’s recent data breach settlement, the exploitation of older Ivanti bugs, the PowerSchool data breach affecting millions, and CISA’s new software security recommendations. The conversation emphasizes the importance of proactive security measures and the evolving landscape of cybersecurity threats. If you find this podcast useful, please consider supporting us here: https://www.patreon.com/defensivesec Takeaways The hidden backdoor in Juniper routers raises concerns about network security. PayPal’s settlement highlights the need for better data protection practices. Older vulnerabilities in Ivanti products continue to be exploited, stressing the importance of timely patching. The PowerSchool data breach underscores the risks of inadequate credential protection. CISA’s recommendations aim to improve software security across critical infrastructure. Links: https://www.theregister.com/2025/01/25/mysterious_backdoor_juniper_routers/ https://www.bleepingcomputer.com/news/security/paypal-to-pay-2-million-settlement-over-2022-data-breach/ https://www.bleepingcomputer.com/news/security/cisa-hackers-still-exploiting-older-ivanti-bugs-to-breach-networks/ https://www.securityweek.com/millions-impacted-by-powerschool-data-breach/ https://www.securityweek.com/cisa-fbi-update-software-security-recommendations/
“Another day, another data breach.” In this episode of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss a significant data breach affecting hotel reservation data, regulatory actions taken against GoDaddy for poor security practices, and the evolving landscape of cyber attacks. They emphasize the importance of proactive defense strategies and innovative detection techniques to combat these threats effectively. Takeaways Data breaches continue to be a common occurrence in the cybersecurity landscape. Regulatory bodies like the FTC are increasingly involved in enforcing security improvements post-breach. Organizations must prioritize security measures to protect sensitive data from breaches. The importance of multi-factor authentication cannot be overstated in preventing credential theft. Ad blockers are not just for user convenience; they are essential for security. Cybersecurity is a shared responsibility across all departments, including marketing and IT. Proactive detection strategies can help identify malicious activity before significant damage occurs. Understanding the attack vectors used by cybercriminals is crucial for effective defense. Regularly updating and patching systems is vital to prevent exploitation of known vulnerabilities. Innovative detection techniques, such as canary accounts, can enhance security monitoring efforts. Links: https://www.bleepingcomputer.com/news/security/otelier-data-breach-exposes-info-hotel-reservations-of-millions/ https://www.bleepingcomputer.com/news/security/ftc-orders-godaddy-to-fix-poor-web-hosting-security-practices/ https://www.bleepingcomputer.com/news/security/hackers-leak-configs-and-vpn-credentials-for-15-000-fortigate-devices/ https://cybersecuritynews.com/hackers-exploiting-companies-google-ads-accounts/ https://www.blackhillsinfosec.com/one-active-directory-account-can-be-your-best-early-warning/
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including the dangers of malware disguised as proof of concept code on GitHub, the alarming rise in phishing attacks, the implications of a recent Treasury hack, and the targeted attacks on Ivanti’s security products. The conversation emphasizes the need for skepticism in security research, the importance of creating a safer environment for users, and the ongoing challenges posed by sophisticated threat actors. Links: https://www.bleepingcomputer.com/news/security/fake-ldapnightmware-exploit-on-github-spreads-infostealer-malware/ https://www.forbes.com/sites/daveywinder/2025/01/09/do-not-click-new-gmail-outlook-apple-mail-warning-for-billions/ https://www.bleepingcomputer.com/news/security/treasury-hackers-also-breached-us-foreign-investments-review-office/ https://www.bleepingcomputer.com/news/security/google-chinese-hackers-likely-behind-ivanti-vpn-zero-day-attacks/
Summary In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a significant incident involving a Tenable plugin update that disrupted Nessus agents worldwide. They delve into the implications of malicious Chrome extensions and sophisticated phishing attacks, particularly focusing on a recent incident involving OAuth trust exploitation. The conversation shifts to new HIPAA cybersecurity rules that aim to enhance security measures in healthcare, followed by a discussion on the rise of AI-generated phishing emails targeting executives. Finally, they explore the challenges of passkey technology in achieving usable security across different platforms. Links: https://www.bleepingcomputer.com/news/security/bad-tenable-plugin-updates-take-down-nessus-agents-worldwide/ https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/ https://www.darkreading.com/vulnerabilities-threats/hipaa-security-rules-pull-no-punches https://arstechnica.com/security/2025/01/ai-generated-phishing-emails-are-getting-very-good-at-targeting-executives/ https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including the FTC’s order for Marriott and Starwood to enhance their data security measures, a recent hijacking of a Chrome extension, and emerging threats for 2025. They also delve into the implications of AI in cybersecurity, emphasizing the need for governance and risk management as AI technologies become more pervasive in the workplace. Takeaways The FTC has mandated Marriott and Starwood to implement a comprehensive security program for 20 years. Data breaches can lead to significant regulatory actions and long-term consequences for companies. The hijacking of browser extensions poses a serious risk to user data and security. Emerging threats for 2025 include zero-day exploits and supply chain attacks. AI governance is crucial as employees increasingly use AI tools without oversight. Links https://www.bleepingcomputer.com/news/security/ftc-orders-marriott-and-starwood-to-implement-strict-data-security/ https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/ https://www.darkreading.com/vulnerabilities-threats/emerging-threats-vulnerabilities-prepare-2025 https://www.securityweek.com/beware-of-shadow-ai-shadow-its-less-well-known-brother/
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a year-long supply chain attack that compromised 390,000 credentials, the U.S. government’s bounty for information on North Korean IT worker farms, and the alarming number of vulnerabilities found in software containers. They also delve into the implications of the False Claims Act for cybersecurity whistleblowers and the evolving landscape of AI in security.
In this episode of the Defensive Security Podcast, we discuss the anticipated rise of Mac malware, the economic implications of new top-level domains (TLDs) for phishing, innovative phishing techniques using corrupt documents, and the risks associated with open-source software. We also explore the concept of risk homeostasis in cybersecurity, examining how users’ perceptions of security can influence their behavior and risk-taking. The conversation emphasizes the importance of education, robust security measures, and the need for a deeper understanding of complex systems in the face of evolving threats. If you would like to support this podcast, please consider donating here: https://www.patreon.com/defensivesec Links: https://appleinsider.com/articles/24/12/04/what-a-new-threat-report-says-about-mac-malware-in-2024 https://krebsonsecurity.com/2024/12/why-phishers-love-new-tlds-like-shop-top-and-xyz/ https://www.bleepingcomputer.com/news/security/novel-phishing-campaign-uses-corrupted-word-documents-to-evade-security/ https://www.bleepingcomputer.com/news/security/ultralytics-ai-model-hijacked-to-infect-thousands-with-cryptominer/ and https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various topics including their holiday plans, updates on their podcast, and significant cybersecurity incidents. They delve into a recent Wi-Fi breach involving Russian hackers, CrowdStrike’s IT outage and its implications for customer retention, and the discovery of malware exploiting vulnerable device drivers. The conversation emphasizes the importance of security practices such as multi-factor authentication and the challenges of managing cybersecurity risks in a rapidly evolving landscape. In this engaging conversation, Andrew Kalat and Jerry Bell explore various themes in cybersecurity, including the shift towards self-service IT solutions, the rise of phishing as a service, and the evolving landscape of multi-factor authentication. They discuss the implications of new threats like BootKitty and the challenges posed by firmware vulnerabilities. The conversation also touches on the future of cloud security and the often-overlooked role of marketing in cybersecurity threats, culminating in a light-hearted discussion about their pets. You can support the Defensive Security Podcast through our Patreon site here: https://patreon.com/defensivesec Links to the stories we discussed in this episode: https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/ https://www.cybersecuritydive.com/news/crowdstrike-retains-customers/734203/ https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.html?m=1 https://securityaffairs.com/171532/cyber-crime/rockstar-2fa-phaas.html https://arstechnica.com/security/2024/11/code-found-online-exploits-logofail-to-install-bootkitty-linux-backdoor/
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including the launch of their new podcast, Getting Defensive. They delve into a CISA report on exploited vulnerabilities, highlighting the concerning trend of zero-day vulnerabilities being exploited. The conversation also covers a GitHub incident involving malicious commits aimed at framing a researcher, Microsoft’s new Windows resiliency initiative, and insights from a CISA red team assessment of a critical infrastructure organization. We emphasize the importance of consent in security assessments and the challenges organizations face in managing risks associated with outdated software. Takeaways The launch of the new podcast ‘Getting Defensive’ aims to explore deeper cybersecurity topics. CISA’s report indicates a troubling trend of zero-day vulnerabilities being exploited more frequently. Organizations must prioritize patching and mitigating controls to address vulnerabilities effectively. The GitHub incident highlights the risks of malicious commits and the importance of code review. Microsoft’s Windows resiliency initiative introduces new features to enhance security and system integrity. Consent is crucial in penetration testing and security assessments. Organizations often accept risks associated with outdated software, which can lead to vulnerabilities. Effective monitoring and detection are essential to mitigate potential attacks. Ransomware is not the only threat; organizations must be aware of various attack vectors. The CISA red team assessment provides valuable insights into the security posture of critical infrastructure. 
Links: https://www.darkreading.com/cyberattacks-data-breaches/zero-days-wins-superlative-most-exploited-vulns https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/ https://thehackernews.com/2024/11/microsoft-launches-windows-resiliency.html?m=1 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
In this episode of the Defensive Security Podcast, we discuss the theft of cloud credentials, the exploitation of SharePoint vulnerabilities, evolving malware techniques, and the importance of cyber due diligence for suppliers. They reflect on the challenges of managing secrets, the implications of auto-updates, and the need for robust risk management practices in the face of increasing cyber threats. Links: https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-credentials-from-exposed-git-config-files/ https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-rce-bug-exploited-to-breach-corporate-network/ https://thehackernews.com/2024/11/5-most-common-malware-techniques-in-2024.html https://www.theregister.com/2024/11/06/windows_server_2025_surprise/ https://databreaches.net/2024/11/08/nist-publishes-guide-on-due-diligence-for-cyber-supply-chain-risk-management/
Delta’s Lawsuit, SEC Penalties, and Fortinet’s Zero-Day Exploit In this episode, hosts Jerry Bell and Andrew Kalat discuss current cybersecurity issues, starting with Delta Air Lines’ $500 million lawsuit against CrowdStrike over an IT outage and data breach. They explore SEC penalties imposed on tech companies for downplaying the SolarWinds hack’s impact, followed by an analysis of the Black Basta ransomware group’s new method of posing as IT support via Microsoft Teams. The discussion concludes with concerns about the exploitation of a zero-day vulnerability in Fortinet’s firewall manager, highlighting the need for transparency and timely communication from vendors. Links: https://www.cnbc.com/2024/10/25/delta-suit-against-crowdstrike-after-it-outage-caused-cancellations.html https://go.theregister.com/feed/www.theregister.com/2024/10/22/sec_fines_four_tech_firms/ https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/ https://arstechnica.com/security/2024/10/fortinet-stays-mum-on-critical-0-day-reportedly-under-active-exploitation/
“They Can’t All Be Winners” In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat explore several pressing cybersecurity topics as of October 2024. The discussion begins by addressing the rapid increase in vulnerability exploitation speeds, with a highlight that 70% of exploitable flaws in 2023 were zero-days, now being exploited within just five days. They stress the importance of effective patch management and prioritization tactics using tools like the CISA KEV list and Tenable’s VPR score. The episode also touches on the evolving nature of automated and targeted exploits, the critical role of timely patching, and the balance between production disruptions and security risks. The conversation broadens to include evolving endpoint security challenges, ransomware trends, and the need for vigilance in adapting to new threats. Additionally, the hosts discuss innovative ways to counter sophisticated attacks, such as leveraging more secure token-based authentication methods over SMS-based MFA. Lastly, the episode delves into how North Korean IT operatives infiltrate companies to steal sensitive data, the implications for remote work, and the importance of robust identity verification processes in hiring. Throughout, the focus remains on adapting to the dynamic threat landscape and continuous reassessment of security strategies.
00:00 Introduction and Casual Banter
00:41 Current Job Market Challenges
02:02 Cybersecurity Landscape Overview
02:20 Google’s Zero-Day Vulnerability Report
04:03 Importance of Patch Management
05:04 Trends in Exploitation Timelines
11:24 Strategies for Mitigating Vulnerabilities
20:03 Red Team Tool: EDR Silencer
26:52 Microsoft’s Ransomware Defense
27:25 Ransomware Attacks: A Decrease Despite the Increase
28:13 The Role of Unmanaged Devices in Cyber Attacks
28:39 Multi-Factor Authentication: Effectiveness and Adaptation
30:07 The Arms Race in Cybersecurity
30:49 The Importance of Phishing-Resistant MFA
32:11 The Rise of SIM Cloning in Ransomware
32:44 Challenges in Adopting Advanced Security Measures
36:46 North Korean IT Workers: A New Threat
40:50 The Future of Remote Hiring and Verification
49:03 Conclusion and Final Thoughts
Links: https://www.bleepingcomputer.com/news/security/google-70-percent-of-exploited-flaws-disclosed-in-2023-were-zero-days/ https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html https://www.theregister.com/2024/10/15/microsoft_ransomware_attacks/ https://www.bleepingcomputer.com/news/security/undercover-north-korean-it-workers-now-steal-data-extort-employers/
Episode 282: Exploiting Trust in Cybersecurity Practices In episode 282 of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss several cybersecurity topics. They highlight a phishing attack outlined by Microsoft, where cybercriminals leverage file-hosting services like OneDrive and Dropbox to exploit trust and compromise identities. The episode also explores concerns about AI systems, like Grammarly, sharing company confidential info, and emphasizes the growing need for well-defined governance policies. They touch on a cyberattack affecting American Water’s billing systems and the potential implications for OT systems. The final discussion surrounds Kaspersky’s decision to replace its software on US systems with UltraAV, raising alarms over cyber responsibilities and government influence over IT. Links: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/ https://www.tenable.com/blog/cybersecurity-snapshot-employees-are-oversharing-work-info-with-ai-tools-cybersecurity https://go.theregister.com/feed/www.theregister.com/2024/10/07/american_water_cyberattack/ https://www.theregister.com/2024/09/24/ultraav_kaspersky_antivirus/
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity events and issues. The episode opens with discussion on the recent weather impacts affecting Asheville and lessons for disaster preparedness in the security industry. A significant portion of the episode is dedicated to CrowdStrike’s recent Capitol Hill testimony, examining the fallout from their admitted testing failures and the implications of needed kernel access for security software. The hosts also explore an ongoing GDPR violation by Meta related to storing user passwords in plain text, and a hyped but less-critical-than-expected Linux vulnerability in the CUPS printing system. Finally, they delve into potential risks associated with AI systems like ChatGPT and the increasing need for security in OT and ICS environments. The episode concludes with a reminder about the essential nature of cybersecurity fundamentals. Links: https://www.cybersecuritydive.com/news/crowdstrike-mea-culpa-testimony-takeaways/727986/ https://www.bleepingcomputer.com/news/legal/ireland-fines-meta-91-million-for-storing-passwords-in-plaintext/ https://thehackernews.com/2024/09/critical-linux-cups-printing-system.html?m=1 https://arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel/ https://industrialcyber.co/cisa/cisa-alerts-ot-ics-operators-of-ongoing-cyber-threats-especially-across-water-and-wastewater-systems/
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat delve into key cybersecurity topics. They discuss a recent statement by CISA director Jen Easterly on holding software manufacturers accountable for product defects rather than vulnerabilities, and the need for derogatory names for threat actors to deter cybercrime. The episode also covers Disney’s decision to ditch Slack following a data breach, and the impact of valid account misuse in critical infrastructure attacks. Additionally, they explore new tough cyber regulations in the EU under NIS2, and a Google security flaw from a Black Hat presentation concerning dependency confusion in Apache Airflow. The hosts share their thoughts on industry responses, regulations, and how enterprises can improve their security posture.
00:00 Introduction and Podcast Setup
00:59 First Story: CISA Boss on Insecure Software
03:26 Debate on Software Security Responsibility
11:12 Open Source Software Challenges
15:20 Cloud Imposter Vulnerability
22:22 Disney’s Data Breach and Slack
27:37 Slack Data Breach Concerns
29:26 Critical Infrastructure Vulnerabilities
35:21 EU’s New Cyber Regulations
43:42 Global Regulatory Challenges
48:42 Conclusion and Sign-Off
Links: https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/ https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package https://www.cnbc.com/2024/09/19/disney-to-ditch-slack-after-july-data-breach-.html https://www.cybersecuritydive.com/news/cisa-critical-infrastructure-attacks/727225/ https://www.cnbc.com/amp/2024/09/20/eu-nis-2-what-tough-new-cyber-regulations-mean-for-big-business.html
In Episode 279 of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss the latest cybersecurity news and issues. Stories include Transportation for London requiring in-person password resets after a security incident, Google’s new ‘air-gapped’ backup service, the impact of a rogue ‘Whois’ server, and the ongoing ramifications of the Moveit breach. The episode also explores workforce challenges in cybersecurity, such as the gap between the number of professionals and the actual needs of organizations, and discusses the trend of just-in-time talent versus long-term training and development. Links: https://www.bleepingcomputer.com/news/security/tfl-requires-in-person-password-resets-for-30-000-employees-after-hack/ https://www.securityweek.com/google-introduces-air-gapped-backup-vault-to-thwart-ransomware/ https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/ https://www.cybersecuritydive.com/news/global-cyber-workforce-flatlines-isc2/726667/ https://www.cybersecuritydive.com/news/moveit-wisconsin-medicare/726441/ Transcript: Jerry: [00:00:00] Here we go. Today is Sunday, September 15th, 2024. And this is episode 279 of the defensive security podcast. My name is Jerry Bell and joining me today as always is Mr. Andrew Kalat. Andrew: Good evening, Jerry. Happy Sunday to you. Jerry: Happy Sunday, just a reminder that the thoughts and opinions we express on the show are ours do not represent those of our employers or. Andrew: present, or future. Jerry: for those of us who have employers, that is not that I’m bitter or anything. It’s, Andrew: It’s, I envy your lack of a job. I don’t envy your lack of a paycheck. So that is the conflict. Jerry: It’s very interesting times right now for me. Andrew: Indeed. Jerry: All right. So our first story today comes from bleeping computer. 
And the title here is TFL, which is transportation for London requires in person, password [00:01:00] resets for 30, 000 employees. So those of you who may not be aware transportation for London had suffered what I guess would has been described as a nebulous security incident. They haven’t really pushed out a lot of information about what happened. They have said that it does not affect customers. But it apparently does impact some back office systems that did take off certain parts of their services offline, like I think. They couldn’t issue refunds. And there were a few other transportation related things that were broken as a result. But I think in the aftermath of trying to make sure that they’ve evicted the bad guy who, by the way, apparently has been arrested. Andrew: That’s rare. Somebody actually got arrested. Jerry: yeah. And not only that, but apparently it was somebody local. Andrew: Oops. Jerry: In in the country which may or may not be associated with an unknown named [00:02:00] threat actor, by the way, that was involved in some other ransomware attacks. Andrew: Kids don’t hack in your own backyard. Jerry: That’s right. Make sure you don’t have extradition treaties with where you’re attacking. So what I thought was most interesting was the, their, the approach here to getting back up and going they, they had disabled. So TFL had disabled the access for all of their employees and the requiring their employees to show up at a designated site to prove their identity in order to regain access. This isn’t the first. Organization that’s done this, but it is something that I suspect a lot of organizations don’t think about the logistics of, in the aftermath of a big hack. And if you’re a large company spread out all over the place, the logistics of that could be pretty daunting. Andrew: Yeah. It’s wild to me that they want in person. [00:03:00] Verification of 30, 000 employees. 
But given the nature of their company and business, I’m guessing they’re all very centrally located, used to going to physical offices. But man, can you imagine if you were a remote employee and you don’t have any office anywhere near you, how would you handle that? I’m not, I’m probably not going to get on a plane to go get my password re-enabled.
Jerry: Exactly.
Andrew: You know what it did remind me of though is, remember back, PGP and PGP key signing?
Jerry: Oh, the key parties. Yes.
Andrew: Yes. Where, you basically, it’s a web of trust and people you trust could verify and sign another key. Like at a key signing party, because we were fun back then, that’s what nerds used to do. And then that’s how you had the circle of trust. So maybe they could do something similar where a verified employee could verify another employee. Then you’ve got the whole insider threat issue, et cetera. Yeah. It just reminded me of,
Jerry: No, nobody trusts Bob.
Andrew: [00:04:00] It’s true. Your friend, Bob, how many times has he been in prison? Most recently, like where, Rwanda? I think I heard,
Jerry: He’s got the frequent visitor card.
Andrew: but yet has some of the best stories.
Jerry: He does, he definitely does. So apparently they make reference to a similar incident that happened at Dick’s Sporting Goods. I will emphasize the sporting goods. They had a similar issue and that is a nationwide retailer here in the U.S. at least, I don’t know if they’re outside of the U.S. And so that really wouldn’t be possible with Transportation for London. I assume that most of the people associated with it are local, or within a reasonable driving distance or commuting distance, as the case may be. But in the situation with a retailer, a nationwide retailer, I think they had to go with virtual in-person. So they basically had Zoom meetings [00:05:00] with employees and I assume had them show like pictures of their government ID and so on. So the logistics of that is interesting. And.
It isn’t really something I’ve spent a lot of time thinking about. But I know in the aftermath of a big attack like this, establishing trust and certainty in who has access to your network would be super important. So I think it’s worth putting into your game plan.
Andrew: Yeah, it is. It is a wild one. And what do you trust? Especially in the age of deep fakes and easily convincing AI copies of other employees. And I don’t know, it’s an interesting one.
Jerry: Right?
Andrew: Ciao.
Jerry: Our next, yeah, it was certainly an unfolding story, which I don’t think is over yet based on everything I’m reading.
Andrew: I did see one quote in here that made me chuckle, which is, this is a quote from the transport [00:06:00] agency added on their employee hub. "Some customers may ask questions about the security of our network and their data. First and foremost, we must reassure that our network is safe." Okay, define safe. That’s just us being safe-ish.
Jerry: Safe-ish, safe now,
Andrew: Safe, safe-y. It resembles something that is sometimes called appropriately safe. Based on the criteria that we came up with, it’s completely safe.
Jerry: Which I’m sure is true because they had also had a Clop ransomware infection, I guess a couple of months prior to this. So
Andrew: What do you use for Clop? Is that like a cream? Is that like a, how is that treated typically?
Jerry: Every time I hear Clop, it takes me back to the Monty Python, the coconut horse trotting. That’s what I think about when I hear the word Clop,
Andrew: That’s fair.
Jerry: [00:07:00] which is oddly appropriate given that this is in the UK, which is where Monty Python hails from.
Andrew: I thought you’d say where they have coconuts.
Jerry: Only if they’re transported by swallows.
Andrew: You young’uns will just have to go.
Jerry: Gotta go watch that movie. Alright, it’s worth it.
I, by the way, I remember making my son, both my sons, watch it, and they protested. And now, I think they’ve each seen it like 30 or 40 times,
Andrew: So when you say protested, did you like have to duct tape them to a chair and like pry their eyes open and do a whole, yeah, Trainspotting situation?
Jerry: I think they thought it was like an actual movie about the Holy Grail.
Andrew: Which, why would they be opposed to that? That could also be interesting.
Jerry: I don’t know.
Andrew: Indiana Jones did a fine movie on it.
Jerry: It’s true. But that does not hold a candle to [00:08:00] the Monty Python Holy Grail movie. Let’s just be
Andrew: We learned a lot. We learned about facing the peril. We learned that Camelot is a silly place. And we learned how to end a movie when you don’t have a better plan. Again, way off topic, but you young’uns will just have to go discover. Do you,
Jerry: So back on topic, our next story comes from SecurityWeek. And the title here is Google introduces ‘air-gapped’ backup vault to thwart ransomware. And I’m going to put quotes, as they do, over air-gapped because as they describe it, it is logically air-gapped, not actually air-gapped. And by the way, I don’t necessarily mean to take away from the utility of the solution that they’re offering here, but calling it air-gapped, I think, is maybe a little bit of a misnomer. So they are offering, Google, they being [00:09:00] Google, are offering a service where you as a Google Cloud customer can store data backups to a storage service that does not appear as part of your cloud account. It’s part of a Google managed project that is transparent to your account.
So if somebody were to take over your account, for example or to compromise systems within your account, they actually wouldn’t be able to do anything with that backup which I think is a pretty smart the one thing that I was wondering, obviously that you are not necessarily protected in the case that Google’s cloud itself becomes the victim of something bad, but that is, is a kind of a theoretical iss
In episode 278 of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss various recent cybersecurity topics. The episode starts with light-hearted banter about vacations before diving into the main topics. Key discussions include a new vulnerability in YubiKey that requires sophisticated physical attacks, resulting in a low overall risk but sparking debate about hardware firmware updates for security keys. Another key topic is Verkada being fined for CAN-SPAM Act violations and lack of proper security measures, including exposing 150,000 live camera feeds. The hosts also explore reports showing diverging trends in security budgets and spending, with some organizations reducing budgets while overall industry spending increases. They highlight the need for effective use of security products and potential over-reliance on third-party services. The episode also delves into the growing threat of deepfake scams targeting businesses, emphasizing the need for robust authentication policies and awareness training to mitigate risks. Finally, the hosts reflect on the broader challenges of balancing security needs with budget constraints in an evolving threat landscape.

Links:
https://www.bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys/
https://www.bleepingcomputer.com/news/security/verkada-to-pay-295-million-for-alleged-can-spam-act-violations/
https://www.cybersecuritydive.com/news/iran-cyberattacks-us-critical-infrastructure/725877/
https://www.theregister.com/2024/09/05/security_spending_boom_slowing/ vs https://www.cybersecuritydive.com/news/infosec-spending-surge-gartner/726081/
https://www.cybersecuritydive.com/news/deepfake-scam-businesses-finance-threat/726043/

Transcript:
Jerry: All right, here we go. Today is Saturday, September 7th, 2024. And this is episode 278 of the Defensive Security Podcast. And my name is Jerry Bell. And joining me today as always is Mr. Andrew Kalat.
Andrew: Good evening.
Jerry, how are you, kind sir?
Jerry: Doing fantastic. How are you?
Andrew: I’m great. Just got back from a little vacation, which was lovely. Saw a lot of Canada, saw some whales, saw some trains. It was
Jerry: Did you see any moose?
Andrew: Oddly we did not see a single moose, which was a bummer. We crossed from Toronto to Vancouver on a train and didn’t see a single moose. I saw a metric crap ton of ducks though. I couldn’t believe, literally in the thousands. I don’t know why.
Jerry: The geese are ducks. Cause
Andrew: We saw a
Jerry: geese are pretty scary.
Andrew: We were sealed away from them, so we were protected.
Jerry: I don’t know.
Andrew: hard to
Jerry: I don’t know. I wouldn’t bet my life on that.
Andrew: But yeah, we saw a decent chunk of gooses, but mostly ducks.
Jerry: Good deal.
Andrew: Indeed. I’m good. Now catching back up on work.
Jerry: And you’re back.
Andrew: And you are apparently at the Southern Command Center.
Jerry: I am for another day or two.
Andrew: Nice. Never sucks to be at the beach.
Jerry: It definitely does not. No bad days at the beach.
Andrew: Nice.
Jerry: All right. A reminder before we get started that the thoughts and opinions we express in the show are ours and do not represent those of our employers.
Andrew: Past, present, or future.
Jerry: That’s right. So our first topic or first story for today comes from Bleeping Computer. And this one was a bit of a, oh, what’s the best, a bit controversial, best way to say it, controversial on the social media sites over the past week. And the title is New EUCLEAK, I’m not even going to try to pronounce that, attack lets threat actors clone YubiKey FIDO keys.
Andrew: Shut down the internet. Shut
Jerry: Shut it down, just throw away your YubiKeys, it’s over.
Andrew: And apparently it can happen from 12 miles away with trivial equipment, right?
Jerry: No, actually, the bad actor here actually has to steal it and it takes some pretty sophisticated knowledge and equipment. But apparently the equipment they allege costs about 11,000. However, the YubiKey actually has to be disassembled, like they actually have to take the protective covering off, and they have to instrument it, and then they’re able to leverage a vulnerability in an Infineon chip that’s contained in these YubiKeys to extract the private key. And so it’s not a trivial attack. You have to lose physical possession of the token for some period of time. But if you were the victim of this, it is possible for someone, some adversary, who was willing to put in the time and effort, could clone your key unbeknownst to you, and then find a way to reconstitute the packaging and slide it back into your drawer, and you would be none the wiser.
Andrew: All seriousness, I think this has a very low likelihood of impacting the average listener to our show or the average person who cares about such things. But if you’re a very high profile target and some sort of state intelligence service wanted to kidnap you and steal your YubiKey and then gain access to things before those sorts of permissions got revoked in some way, shape or form, I guess that could be viable, but this doesn’t seem like something that would happen to the average person.
Jerry: Oh, a hundred percent. And I still think, despite some of the initial banter about this, you’re much better off using them. I’m sure there are definitely certain use cases where you would be concerned about this, but for the average person, I think, like you said, it’s really not a big deal. So this does impact the YubiKey 5 series. And I think also the HSM 2 up through the version that was released, I think it was in May of 2024. The challenge is that you can’t actually update firmware on YubiKeys. That was a security decision.
Andrew: Yeah, that seems like a wise security decision if you ask me.
Jerry: Yeah, it’s, I have observed quite a few people who are now trying to find alternate security keys because they feel a little dejected by the fact that you can’t update the firmware on them. But I think it’s important to understand that that actually is a very important security function, right? The ability to not muck with the firmware on these keys is very important.
Andrew: Right, otherwise a piece of malware could be doing that too.
Jerry: Exactly.
Andrew: Which would not be all that happy
Jerry: No. Sad, in fact.
Andrew: I get the sort of knee jerk reaction to, I want to be able to update this to patch for flaws and such, but keep in mind that everything like that can be used by a bad actor just as easily, if not more easily. Be careful what you wish for.
Jerry: Yeah. Now what’s interesting is all of the hoopla around this is about YubiKeys, but the chip, the Infineon chip, is actually used by multiple different types of security products, including some EFI. So the secure boot which, I guess at this point, it’s got its own problems already. And then I believe even after, since this particular article has been written, that there are some other actual security keys, similar to YubiKeys, that have been identified as also using this Infineon chip. So almost certainly going to be vulnerable in the same way.
Andrew: But I guess, nothing to really panic about. But boy, this got a lot of press. A lot of social media traction.
Jerry: It really did. So anyway, I thought it was important to discuss because again, for most people, this is really not a big deal. YubiKey themselves rated the vulnerability as a CVSS score of 4.9 to give you an idea. And I think that seems right to me.
Andrew: Did it get a mascot?
Jerry: It did not get a mascot. There were some attempts, some valiant attempts made.
Andrew: What about a jingle?
Jerry: I haven’t seen a jingle yet either, but it did get a name
Andrew: All right
Jerry: and it has a website. So
Andrew: Geez. Okay, so mild panic then. If it’s got a name and a website, that equals mild panic. But if it got a mascot and a jingle, I’m full on panic.
Jerry: What else are you going to do? If it’s got a jingle, you gotta panic.
Andrew: What the tough part is, this is probably like getting traction, perhaps at executive levels, who may not have the time or the knowledge to dig into the details, and they’re probably freaking out in certain C suites, but
Jerry: Yeah.
Andrew: send them our show. Tell them these two random guys on the internet said not to freak out.
Jerry: Yeah. I can’t put anything on the internet that’s not true. That’s right. But I was thinking it’s been a while since YubiKey or Yubi has released a new version of the YubiKey. So
Andrew: So maybe this is driving an upgrade cycle. Maybe
Jerry: maybe
Andrew: they did it themselves to get people to buy new keys. Is that what you’re saying, Jerry?
Jerry: It could be, just like how the antivirus companies are releasing all the viruses. Yes. That’s right.
Andrew: That’s some smart thinking right there. That is, you know what? That’s the kind of cutting edge analysis you get on this
Jerry: Thought leadership right there.
Andrew: man. To get out on this. All right, here’s the plan. Let’s spend 20 years making a company and then break our main thing. So people have to buy new things.
Jerry: It’s a good idea. It’s solid. I don’t see any faults in this plan.
Andrew: Hey, how’s that working out for CrowdStrike?
Jerry: We’ll find out soon.
Andrew: Indeed.
Jerry: All right. The next story comes from Bleeping Computer and the title is Verkada to pay 2.95 million for alleged CAN-SPAM Act violations. So for those of you not in the U.S.,
CAN-SPAM was a law passed a couple of years ago, probably more than a couple of years ago at this point, that Unlike you, what you might expect does actually a permit spam in under certain pa
In this episode, Jerry Bell and Andrew Kalat discuss various topics in the cybersecurity landscape, including the influence of cyber insurance on risk reduction for companies and how insurers offer guidance to lower risks. They touch upon the potential challenges with cybersecurity maturity in organizations and the consultant effect. The episode also goes into detail about issues surrounding kernel-level access of security tools, implications of a CrowdStrike outage, and upcoming changes by Microsoft to address these issues. They recount a case about a North Korean operation involving a laptop farm to gain employment in U.S. companies, posing major security concerns. The discussion highlights the pitfalls of relying on end-of-life software, especially in M&A scenarios, and how this could be a significant vulnerability. Lastly, they explore the massive data breaches from Snowflake and the shared security responsibilities between service providers and customers, emphasizing the importance of multi-factor authentication and proper security management.

Links:
https://www.cybersecuritydive.com/news/insurance-cyber-risk-reduction/724852/
https://arstechnica.com/information-technology/2024/08/crowdstrike-unhappy-with-shady-commentary-from-competitors-after-outage/
https://www.cnbc.com/2024/08/23/microsoft-plans-september-cybersecurity-event-after-crowdstrike-outage.html
https://arstechnica.com/security/2024/08/nashville-man-arrested-for-running-laptop-farm-to-get-jobs-for-north-koreans/
https://www.darkreading.com/vulnerabilities-threats/why-end-of-life-for-applications-is-beginning-of-life-for-hackers
https://www.cybersecuritydive.com/news/snowflake-security-responsibility-customers/724994/

Transcript:
Jerry: Here we go. Today is Saturday, August 24th, and this is episode 277 of the Defensive Security Podcast. My name is Jerry Bell and joining me today as always is Mr. Andrew Kalat.
Andrew: Good evening, my good sir Jerry. How are you?
Jerry: I am awesome. How are you?
Andrew: I’m good. I’m good. I’m getting ready for a little bit of a vacation coming up next week, so a little bit of senioritis. If I’m starting to check out on the show, you’ll know why.
Jerry: Congrats, and earned. I know.
Andrew: Thank you, but otherwise doing great and happy to be here as always.
Jerry: Good. Good deal. All right. Just a reminder that the thoughts and opinions we express on this show are ours and do not represent anyone else, including employers, cats, relatives, you name it.
Andrew: Various sentient plants.
Jerry: Exactly. Okay. So jumping into some stories today. First one comes from cybersecuritydive.com, which by the way has a lot of surprisingly good content.
Andrew: Yeah, I have enjoyed a lot of what they write. We’ve had a couple good stories there.
Jerry: Yeah. Yeah. So the title here is insurance coverage drives cyber risk reduction for companies, researchers say. The gist of this story is that there were two recent studies done or reports released, one from a company called Omeda and another one from Forrester, which I think we all know and love. And I’ll summarize it and say that both reports indicate that companies which have cyber insurance tend to be better at, quote, reducing risk, more likely to detect, respond, and recover from data breaches and malicious attacks compared to organizations without coverage. So I thought that was a little interesting. On the other hand, to me it feels like a bit of availability bias. So by that, what I mean is if you go and take a survey of people who go to the gym and work out at the gym on their diet, you will probably find out that they eat a healthier diet than the public at large.
Andrew: But I go.
Jerry: You just go.
Andrew: I, look,
Jerry: I’m not saying everybody, right?
Andrew: At least I show up, right? And I’ve been told showing up is half the battle.
Jerry: It is half the battle, that’s right. Knowing is the other half. Then doing is the other half.
Andrew: I will say, speaking of G.I. Joe quotes, I thought catching on fire was going to be a far bigger problem in my life than it turned out to be.
Jerry: That and quicksand.
Andrew: We were warned a lot about that as children.
Jerry: Quicksand.
Andrew: Heh.
Jerry: Quicksand was, I lived in fear of quicksand, but it turns out it’s really not that big of a concern.
Andrew: For as much as I heard stop, drop and roll, I’ve never done it.
Jerry: Yet.
Andrew: That’s true. The day is young. Anyway, back to your story. I think you’re right. I will also say, having worked with a number of these companies, they do interestingly have their own drive towards trying to keep you from getting hacked. They have to pay out. So they do push certain things, and I’ve seen myself, and I won’t say where or when, it doesn’t matter, but if you have things like one of the well known EDR tools well deployed, they might cut you a break on your rates. Because they have their actuarial table saying, hey, if you’re using certain bits of technology, that lowers your risk of usually ransomware, right? So they
Jerry: Sure.
Andrew: It seems to me, my opinion is that these insurance companies feel that some of the well known EDR brands in a Windows environment are very effective or decently effective at stopping ransomware, therefore they’re less likely to pay out, therefore they lower your rates. So there might be some of that too. They do give companies guidance on what they see across their industry to reduce risk.
Jerry: I think that makes sense. I’ll say, on one hand, like I was saying before, I think companies that buy cyber insurance are probably maybe more mature, more invested in protecting their environment than others.
But I think that there’s also this consultant effect when you want to drive change, and whatever kind of change that is, reorganizing, revamping your security program, justifying additional expenses for anything, outside guidance typically carries a lot more weight than something that comes from internal.
Andrew: Sad but true.
Jerry: And so I think, yeah, anybody who’s been in the industry for a long time, or really any amount of time, knows that. Especially this is the CISO trick, right? When you come into a new organization as a CISO, the first thing you do is you go off and you hire a big name consultant. You burn a half a million bucks on a consulting engagement. And at that point, it’s not you telling the company, hey, we’ve got to spend a bunch of money to improve our security program. It’s some hard to argue with independent third party who is making that assessment. And to some extent you argue with that at your own peril, right? Because now it’s an assessment that becomes exhibit A if something goes wrong, which is both a blessing and a curse. But my experience is it certainly helps a lot. And I think that this cyber insurance and their somewhat prescriptive guidance and expectations around the kinds of controls and technologies you need to have in place is a very similar kind of thing, right? If you’re engaging with them, they’re going to be opinionated on what you should and shouldn’t be doing, and then, like a consulting engagement, it’s a third party giving you that guidance. And so I think that tends to carry a lot more weight.
Andrew: Agreed on all points. The only caveat I would say to that is sometimes these recommendations that come from some insurance companies are not customized typically to your particular risk environment or situation. They are very broad approaches to reducing risk across many different types of environments with many different types of risk profiles, technology stacks and all that sort of stuff.
So they’re somewhat generic recommendations, I think.
Jerry: I think you’re probably right. In any event, I thought it was quite interesting. Certainly having that insurance can help. I will tell you, in my time as a CISO in dealing with customers and to some extent business partners, there was, I would say, a growing expectation that you have to have cyber insurance. Actually, I experienced firsthand quite a few customers actually writing into contracts that you have it. Now, I don’t know how far and wide that permeates the industry, but I think it’s probably becoming a lot more common these days because companies have this interdependence, and so it’s not necessarily just like a cloud service provider where that kind of thing can manifest. Look at, over the, what now, 12, 13 years we’ve been doing the show, how many times have we talked about a company like, let’s say, Target or Home Depot getting hacked as a result of something happening with one of their suppliers? And so I think, as time goes on, we’re going to see that becoming kind of table stakes to have these business relationships, especially with larger and more mature companies.
Andrew: Why do you think that is? What do you think that the third party is assuming that you will get from that insurance? Just so you have the ability to recover from an incident and sustain as a going concern, or that they assume that if you have insurance, it’s coming with requirements that level up the maturity of your program, or what value do you think that third party sees in their business partner having cyber insurance?
Jerry: That’s a great question. I think it’s both, actually. I think there is this naive view that if something bad were to happen, this insurance would provide that buffer. It would make sure that the company didn’t go out of business. But the reality is that, especially if you look at some of the really large hacks,
can happen with relatively small organizations who are, I would say fairly highly leveraged, at least in terms of their insurance policy. So yeah, it’s great. They may have a 5 million i
Check out the latest Defensive Security Podcast Ep. 276! From cow milking robots held ransom to why IT folks dread patching, Jerry Bell and Andrew Kalat cover it all. Tune in and stay informed on the latest in cybersecurity!

Summary: In episode 276 of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat delve into a variety of security topics including a ransomware attack on a Swiss farm’s milking machine leading to the tragic death of a cow, issues with patch management in IT industries, and an alarming new wormable IPv6 vulnerability patch from Microsoft. The episode also covers a fascinating study on the exposure and exploitation of AWS credentials left in public places, highlighting the urgency of automating patching and establishing robust credential management systems. The hosts engage listeners with a mix of humor and in-depth technical discussions aimed at shedding light on critical cybersecurity challenges.

00:00 Introduction and Casual Banter
01:14 Milking Robot Ransomware Incident
04:47 Patch Management Challenges
05:41 CrowdStrike Outage and Patching Strategies
08:24 The Importance of Regular Maintenance and Automation
15:01 Technical Debt and Ownership Issues
18:57 Vulnerability Management and Exploitation
25:55 Prioritizing Vulnerability Patching
26:14 AWS Credentials Left in Public: A Case Study
29:06 The Speed of Credential Exploitation
31:05 Container Image Vulnerabilities
37:07 Teaching Secure Development Practices
40:02 Microsoft’s IPv6 Security Bug
43:29 Podcast Wrap-Up and Social Media Plugs
-tokens-in-popular-projects/

Links:
https://securityaffairs.com/166839/cyber-crime/cow-milking-robot-hacked.html
https://www.theregister.com/2024/07/25/patch_management_study/
https://www.cybersecuritydive.com/news/misguided-lessons-crowdstrike-outage/723991/
https://cybenari.com/2024/08/whats-the-worst-place-to-leave-your-secrets/
https://www.theregister.com/2024/08/14/august_patch_tuesday_ipv6/

Transcript:
Jerry: Today is Thursday, August
15th, 2024. And this is episode 276 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. Once again, from your southern compound, I see.
Jerry: Once again, and the final time for two whole weeks, and then I’ll be back.
Andrew: Alright, hopefully next time you come back, you’ll have yet another hurricane to dodge.
Jerry: God, I hope not.
Andrew: How are you, sir?
Jerry: I’m doing great. It’s been a great couple of weeks and I’m looking forward to going home for a little bit and then coming back. How are you?
Andrew: I’m good, man. It’s getting towards the end of summer. Looking forward to a fall trip coming up pretty soon, and just cruising along. Livin’ the dream.
Jerry: We will make up for last week’s banter about storms and just get into some stories. But first a reminder that the thoughts and opinions we express are those of us and not our employers.
Andrew: Indeed. Which is important because they would probably fire me. You’ve tried.
Jerry: I would, yeah. So the first story we have tonight is very moving.
Andrew: I got some beef with these people.
Jerry: Great. Very moving. This one comes from Security Affairs and the title is crooks took control of a cow milking robot, causing the death of a cow. Now, I will tell you that the headline is much more salacious than the actual story. When I saw the headline, I thought, oh my God, somebody hacked a robot and it somehow killed the cow, but no, that’s not actually what happened.
Andrew: Now, also, let’s just say up front, the death of a cow is terrible, and we are not making light of that. But we are gonna milk this story for a little while.
Jerry: That’s very true.
Andrew: I’m almost out of cow puns.
Jerry: Thank God for that.
So, what happened here is this farm had their milking machine, I guess it is a milking machine, ransomwared, and the farmer noticed that he was no longer able to manage the system, contacted the support for that system, and they said, no, you’ve been ransomwared. Actually, the milking machine itself apparently was pretty trivial to get back up and running, but apparently what was lost in the attack was important health information about the cows, including when some of the cows were inseminated. And because of that, they didn’t know that one of the pregnant cows was supposed to have given birth, but actually hadn’t. What had turned out to be the case is that the cow’s fetus unfortunately passed away inside the cow, and the farmer didn’t know it until they found the cow lying lethargic in its stall, and they called a vet. And unfortunately, at that point it was too late to save the cow. This is an unfortunate situation where a ransomware attack did cause a fatality.
Andrew: Yeah, and I think in the interest of accuracy, I think it was in Switzerland.
Jerry: Is it Switzerland? Okay. I knew it started with an S-W.
Andrew: That’s fair. You’re close. It’s Europe.
Jerry: It’s all up there.
Andrew: But yeah, I guess the theory is that if they had better tracking of the date when the cow had been inseminated, they would have known that the cow was in distress with labor and could have done something more proactively to save the cow and potentially the calf. And unfortunately, because they didn’t have that data, because it was in this ransomwared milking robot machine, we ended up with a dead cow and a dead calf.
Jerry: So, not to grill the farmer too much, I was thinking that,
Andrew: Wow!
Jerry: I’m sorry. I was thinking that they clearly had an ability to recover. And what they thought was the important aspect of that machine’s operation, which was milking, they were able to get that back up and running pretty quickly.
But it seemed to me like they were unaware that this other information was tied to that same system. I don’t fully understand. Seems like it’s a little more complicated than I’ve got it envisioned in my mind. But very clearly they hadn’t thought through all the potential harm. A good lesson, I think, for us all.
Andrew: I feel like we’ve butchered this story.
Jerry: The next story we have for today comes from theregister.com and the title is patch management still seemingly abysmal because no one wants the job. Can’t stop laughing. All right.
Andrew: A cow died! That’s tragic!
Jerry: I’m laughing at your terrible attempts at humor.
Andrew: I couldn’t work leather in there. I tried. I kept trying to come up with a leather pun.
Jerry: We appreciate your efforts. So anyhow. This next story talks about the challenge that we as an IT industry have with patching. And basically that it is a very boring task that not a lot of people who are in IT actually want to do. And so it highlights the importance again of automation. And this is in the complementary story, which is titled misguided lessons from CrowdStrike outage could be disastrous, from Cybersecurity Dive. I put these two together for a reason, because one of the, I think, takeaways from the recent CrowdStrike disaster is we need to go slower with patching and updates and perhaps not rely on automatic updates. And these two articles really point out the folly in that. Number one, this article from The Register is pointing out that relying on manual patching is a losing proposition because really nobody wants to do it and it doesn’t scale. IT operations is already a crap job in many instances, and then trying to expect people to do things manually is a problem. The second article points out the security issues that come along with adopting that strategy, which is, you’re exposing your environment unduly, unnecessarily. And in fact the improvements in
your security posture and the reduction in likelihood of some kind of an attack far outweigh the remote possibility of what happened, like we saw with CrowdStrike. Now there is kind of an asterisk at the bottom. They point out the importance of doing staged deployments of patches, which I think is one of the central lessons, at least from my perspective, one of the central lessons of the CrowdStrike disaster is: go fast, but stage it.
Andrew: Yeah, it’s an interesting problem that we’re struggling with here, which is how many times have we saved our own butts without knowing it by automated or rapid patching? It’s very difficult to prove that negative. And so it’s very difficult to weigh the pros and cons, empirical data showing where automatic patching or rapid patching solved a problem or avoided a problem versus when patching broke something. Cause all we know about is when it breaks, like when a Microsoft patch rolls out and breaks and that sort of thing. And it’s one of those things where it has to be perfect every time is the feeling from a lot of folks. And every time we have a problem, we break some of that trust. It hurts the credibility of auto patching or rapidly patching. The other thing that comes to mind is I would love to get more IT folks and technical operations folks and SREs and DevOps folks with the concept of patching as just part of regular maintenance. That is just built into their process. A lot of times it feels like a patch is an interrupt driven or toil type work that they have to stop what they’re doing to go work on this. Where, in my mind, at least the way I look at it from a risk manager perspective, unless something’s on fire or is a known RCE or known exploited, certain criteria, I’m good. Hey, take patches on a monthly cadence and just catch everything up on that monthly cadence, whatever it is. I can work within that cadence.
If I’ve got something that I think is a higher priority, we can try to interrupt that or drive a different cadence to get that patched or mitig
Links:
https://www.crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf
https://www.theregister.com/2024/08/05/crowdstrike_is_not_at_all/
https://www.theverge.com/2024/8/6/24214371/microsoft-delta-letter-crowdstrike-response-comments
https://www.linkedin.com/posts/alexstamos_why-crowdstrikes-baffling-bsod-disaster-activity-7224046054076243969-1An8?utm_source=combined_share_message&utm_medium=ios_app
https://www.linkedin.com/posts/choff_why-crowdstrikes-baffling-bsod-disaster-activity-7224078879445958658-ymuc?utm_source=combined_share_message&utm_medium=member_ios
https://www.securityweek.com/thousands-of-devices-wiped-remotely-following-mobile-guardian-hack/
https://www.bleepingcomputer.com/news/security/stackexchange-abused-to-spread-malicious-pypi-packages-as-answers/
https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-gang-targets-it-workers-with-new-sharprhino-malware/

Transcript:
Jerry: Today is Wednesday, August 7th, 2024. And this is episode 275 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. How are you? Good, sir.
Jerry: I am amazing. It is blistering hot at the beach, but it’s awesome.
Andrew: Recording from your southern compound.
Jerry: I am.
Andrew: Nice.
Jerry: Yeah, Bell Estate South.
Andrew: And Debby was not an issue.
Jerry: Debby not here. We got probably 45 minutes worth of rain.
Andrew: Yeah, it seems, at this point, in real time, stalled out over South Carolina.
Jerry: Yeah, it looks like several feet of rain hitting like Savannah and that is nuts. But no, it was not a big issue here. I was pretty worried. I packed up all my Milwaukee batteries with lights and whatnot in preparation for the worst, got extra tranquilizer for my dog who hates storms. But no, it’s been absolutely amazing here.
Andrew: So you took the tranqs instead? Is that what I’m hearing?
Jerry: Absolutely.
You gotta sleep somehow.
Andrew: That’s fair. I’m glad it was a non event, at least for your little neck of the
Jerry: Yeah, it was nice. You could actually see some of the storm clouds off in the distance. And that was the best way to watch a hurricane is when it’s far away.
Andrew: That’s true. The few I’ve been through. Stuck on islands, but
Jerry: Yeah, that’s right. Since I’ve been here, I have been in the building for two hurricanes, and the building’s been hit by three tornadoes. And then there was also an unsuccessful base jump.
Andrew: So we’re saying you are cursed. Is that what we’re saying?
Jerry: I am the human equivalent to a plastic flamingo, which attracts tornadoes, for those who don’t know. Anyway. Yeah.
Andrew: After that meteorological update,
Jerry: Yeah. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers past, present, or future.
Andrew: Maybe even our
Jerry: Or our pets. My pet is licking me right now and she says, nope, it’s not her opinion.
Andrew: Fair.
Jerry: Okay, I would say that this is going to be a CrowdStrike heavy episode.
Andrew: Three weeks in a row.
Jerry: Yeah, it continues to get more and more interesting. Obviously the main event itself is largely behind us and now we are in the lawyer up phase of the party.
Andrew: The blamestorming.
Jerry: Blamestorming has indeed begun. The first topic we have to talk about here is the actual formal full root cause analysis that was released yesterday by CrowdStrike, and it is a 12 page long document. It has lots of marketing fluff in it. And only, I would say, a little bit of substance. I don’t think there’s anything that is remarkably telling or revolutionary in the document, but it does indicate technically what went wrong. And it gives some indications of the potential improvements for their quality assurance, which I think is where a lot of this went wrong.
So I’m not going to go through the details in uber technical specificity, but the net is that this channel file update is for this inter process communication agent, for lack of a better term, I’ll call it. And that agent expects configuration files that have 20 parameters, but through some unfortunate bad planning their test harness actually was marking the 21st as a catch all, as an asterisk. It was effectively being marked as not used. And so in this particular update, they actually started using it, and that ended up causing their parser to perform what ultimately ended up being an out of bounds read. Because that parser wasn’t set up to actually read it. And so when that read attempted to happen in kernel space, it tried to access memory it wasn’t allowed to access, wasn’t allocated. And that caused the blue screen. And because the same thing happened every time it booted up, you just had this endless boot loop until that particular file got removed. I think the more substantive issue, and that’s the kind of thing that can happen,
Andrew: So let me restate that to make. The application was expecting a file that had 21 fields in it, and it got a file with 20.
Jerry: Yes.
Andrew: And where it went to read that 21st, it wasn’t allowed to read, and the way that systems protect themselves is to do a kernel panic and shut down if you’re trying to read something you’re not allowed to.
Jerry: Yes.
Andrew: If you’re in
Jerry: Windows basically says something is horrifically wrong. This should not happen.
Andrew: If I went by that criteria, I’d shut down every day.
Jerry: And so if that were to happen in user space, the application that performed that read would crash. But when it happens in kernel space, Windows attempts to protect itself and it blue screens. And so the challenge is that the testing harness was built assuming that 21st parameter was always set up as a catch all and so effectively was being ignored. And I think there were really two issues here.
One was they didn’t have a very thorough, their testing harness obviously wasn’t properly designed, but then they also did not have staged deployments. Like they have a process where once it goes through that test harness and passes, it goes out far and wide. There is no staged deployment ring concept that you have in, let’s say, Microsoft Windows updates and whatnot. And because of that, it blasted out. Everybody implicitly trusted CrowdStrike updates and those got applied pretty much as fast as they were delivered, and the rest is now history.
Andrew: I think it’s a very complicated series of events that led to this. And I think just reacting to a lot of the zeitgeist in the social media world around this, there’s a lot of angry finger pointing, some of which is probably well warranted, but it’s interesting to see how the error chain came together. And going back to another area I know a little bit about is like aviation incident investigation and things like when space shuttles explode or fall apart, I’ve read a lot of books on those and that sort of thing. Anyway, it’s interesting how there’s very rarely one root cause is where I’m going with this. Usually a series of events, an error chain that led to this situation. If one of these situations had been slightly different, this would have been caught, and all the Swiss cheese holes lined up just right for this situation to happen. Not absolving or apologizing for it. It’s just interesting how complex these situations truly are, compared to how a lot of people will knee jerk their opinions on things, usually based on their own bias around what they care about.
Jerry: When I was reading it, it reminded me of the show, I think you’ve probably watched it too, called Engineering Disasters. And the history or the learning in each one of those episodes is that a sequence of disconnected things all lined up in just the right way for that disaster to happen.
Andrew: Right.
Jerry: And I think that is definitely what happened here.
Andrew: For everybody involved, but there’s a part of me that finds these things fascinating to watch play out.
Jerry: I still think, for me, what is most troublesome, because this is not unprecedented, right? Obviously the amount of systems that were impacted is unprecedented, but that’s probably more a function of how interconnected and dependent we are on computers than at any point in time. But what’s interesting is that this sort of thing has happened in the past, right? This has happened with Symantec and McAfee and Microsoft probably about five or six different times, and several others that I’m probably missing. But one of the things that distinguishes this from those is that those were much less impactful because they did stage rollouts. And so when it happened, it was devastating to the people who were among the first, the canaries, that had the problem. But this is a different thing. I think that the fundamental coding and architecture errors are hard to foresee. They’re easy to see in hindsight, right? This is like the signal and the noise thing. The failure is easy to identify after the fact, because it’s obvious. Like, duh, it’s so obvious that this was going to happen, but it’s only obvious after the fact.
Andrew: Certainly.
Jerry: They weren’t looking at it beforehand and saying, oh, we’re just going to accept the risk. It wasn’t in their mind. And so that part I find less, obviously it is the thing that caused it, but what I find most problematic is the fact that they hadn’t adopted what I would call the industry standard practice of the tiered rollouts.
Andrew: I’m sure that was an intentional decision. I obviously don’t know for sure. I have no idea about decisions that go on at CrowdStrike. I’ve never worked there. However, those in their mind, I would imagine a value in not doing, in
Jerry: Sure,
Andrew: So d
Links:
https://www.bleepingcomputer.com/news/security/over-3-000-github-accounts-used-by-malware-distribution-service/
https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
https://www.darkreading.com/cybersecurity-operations/crowdstrike-outage-losses-estimated-staggering-54b
https://cdn.prod.website-files.com/64b69422439318309c9f1e44/66a24d5478783782964c1f6f_CrowdStrikes%20Impact%20on%20the%20Fortune%20500_%202024%20_Parametrix%20Analysis.pdf
https://www.darkreading.com/vulnerabilities-threats/unexpected-lessons-learned-from-the-crowdstrike-event

Summary: Episode 274: Malware on GitHub, North Korean Developer Scam & Secure Boot Failures
In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss several notable security stories and issues. They start with a malware distribution service that leverages compromised GitHub accounts and WordPress sites. They then cover a security warning from KnowBe4 about hiring a supposed North Korean agent as a senior developer. They dive into the significance of two separate vulnerable firmware signing keys affecting over 500 hardware models. Lastly, they explore the massive financial impact of the recent CrowdStrike outage, with losses estimated at $5.4 billion. Throughout the episode, the hosts provide insights, potential solutions, and share personal experiences related to these cybersecurity challenges.
00:00 Introduction and Casual Banter
00:30 Funemployment and Retirement Reflections
01:54 Disclaimer and First Story Introduction
02:17 Malware Distribution via GitHub
04:24 WordPress Security Issues
08:09 North Korean Developer Incident
14:36 Lessons Learned and Recommendations
23:27 Secure Boot Vulnerabilities
29:19 Cloud Providers and Firmware Security
30:47 The Epidemic of Leaked Keys on GitHub
33:35 Challenges in Development and Security Practices
35:36 CrowdStrike Outage and Its Financial Impact
39:16 Legal and Technical Implications of the Outage
57:33 Concluding Thoughts and Future Plans

Transcript: Episode 274
Jerry: [00:00:00] Today is Wednesday, July 31st, 2024. And this is episode 274 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. How are you? My good sir.
Jerry: So good. It hurts. How are you?
Andrew: I’m doing good. It’s Wednesday, which is halfway through the week. So I can’t complain too much.
Jerry: It’s just another day to me though.
Andrew: I, how are you enjoying your funemployment?
Jerry: It is awesome. Funny story, when my dad retired, he told me something sad. He said, one of the things that you don’t realize is that the weekend starts losing its appeal,
Andrew: Because every day is the weekend.
Jerry: Because it’s just another day and holidays are just another day. There’s not really something to look forward to. When you’re working, you typically look forward to the weekend. It’s just another day. I am finding that to be true. I’m going to be [00:01:00] spending some time coming up down at the beach, which will be a whole different experience, not having to work and actually be at the beach, which will be cool.
Andrew: So you don’t have to wrap your laptop in plastic when you take it surfing with you anymore.
Jerry: That is very true. No more conference calls while out on the boogie board.
Andrew: I will say the random appearance of sharks behind you on your Zoom sessions will be missed. Of course, we’ll have to find a way to bring that back. I live in jealousy of your funemployment. I will just say that. But not that you didn’t work your ass off and earn it, right? This is 25 years of blood, sweat, and tears given to this industry to get you to this point. So you earned it.
Jerry: I’m going to have to be responsible again at some point, but I am having fun in the meantime.
Andrew: As well you should.
Jerry: Before we get into the stories for today, I just want to remind everybody that the thoughts and [00:02:00] opinions we express on the show are ours and do not represent anybody else, including employers, cats, farm animals, spouses, children, et cetera, et cetera.
Andrew: There’s that one llama in Belarus though, that agrees 100 percent with what we have to say.
Jerry: Very true. Getting into the stories, we have one from Bleeping Computer and this one is titled “Over 3000 GitHub accounts used by malware distribution service.” I thought this one was particularly interesting and notable. There is a malware distribution as a service that leverages both, let’s call them fake or contrived GitHub accounts, as well as compromised WordPress sites. And what they’re effectively leveraging is the brand reputation of GitHub. And so they have a fairly complicated setup of driving [00:03:00] victims through watering hole attacks and SEO type lures to get people to these sites, and they have different templates that entice people to download these encrypted zip files that are hosted on GitHub. And what they’re taking advantage of is two things. Number one, people generally think that GitHub is a reputable place to find files. And so your level of concern goes down when you download something that you think is coming from a reputable place.
And I think the other, perhaps more problematic angle from my perspective, at least, is GitHub is something that most companies allow access to. It is something that, by design, many companies, not all, encourage their employees to interact with. And so you really can’t block it, [00:04:00] or at least it’s more difficult to block it. And because it’s one kind of amorphous thing, you don’t have the ability to granularly say you can go to this aspect or this part of GitHub and not this other part of GitHub.
Andrew: Yeah. I agree at all points. It’s absolutely leveraging and abusing the reputation of GitHub to get this malware out there, and it’s effective. Using WordPress doesn’t surprise me, just about every day I see some other plugin has a massive vulnerability. So I’m not blaming WordPress, I’m blaming their plugin ecosystem as being highly toxic in the original sense.
Jerry: I know that WordPress has a lot of detractors, especially in the security community, but it’s over 50 percent of the entire internet. Websites run WordPress, right? That is pretty impressive.
Andrew: There’s something to be said for the amount of coverage or the amount of instances out [00:05:00] there equals how many bad guys are poking at you. So if you’re not widely deployed, you’re probably also not getting widely tested. So there is absolutely some of that aspect of, hey, if you’re a well used tool, you’re likely to have more security problems. So statistically that makes sense, but it’s not a bad tool. Don’t get me wrong. It’s a super useful tool. It’s just amazing how often I see advisories about really nasty exploits on various plugins for WordPress.
Jerry: Yeah. The barrier to entry for plugin development is incredibly low and there are just an absolute ton of them. There’s many thousands. So it isn’t surprising.
Andrew: People who are running WordPress sites are not super technical admins. They’re usually marketing folks or content generation folks.
So, when they’re looking for, hey, I need something that makes a pretty picture, do something like this in WordPress, they probably aren’t looking at it with the same level of technical rigor you and I might.
Jerry: I will tell you in prior [00:06:00] jobs where we had customers hosted on our infrastructure, this was a big problem because customers would walk away, right? It’s so easy to set up a WordPress instance, which is by the way, like that’s part of its value proposition, but it’s also part of, I think it contributes to the low ongoing attachment or ongoing care and feeding of it. It’s so easy to set up and then just walk away from, and it’s a big problem. I think that the WordPress team themselves have done a pretty good job of mitigating the issues to the extent they can. Most of it auto updates these days.
Andrew: Yeah.
Jerry: More to go, right?
Andrew: What’s interesting to me is the way you describe that often sounds like the same problems we have with SaaS and cloud in general. It’s so easy to set up and walk away from and not manage it well, that we lead to all sorts of similar problems. This story is more about [00:07:00] GitHub and I agree with all your points. I just went down my WordPress rant rabbit hole, but yeah, I get it. GitHub is an interesting one. And I don’t have a lot of good solves for that one.
Jerry: No, it’s not an easily solvable issue. I think this is one of those cases where education will help certainly, proper endpoint detection, I should say endpoint protection, will help being able to identify that somebody has downloaded and run something that is potentially malicious on their device. But beyond that, unless you’re willing to take that leap and not permit people to access GitHub, it’s hard to defend against.
So by the way, if the industry as a whole decided, hey, this is too risky, the bad guys would just move somewhere else.
Andrew: Yeah, absolutely. They’re leveraging whatever has a good solid reputation that has a sort of functionality. It’s not GitHub’s fault. And I think you’re right. If it [00:08:00] wasn’t GitHub, it’d be somebody else that serves the same purpose, function. It’s their victim of their own success in that sense.
Jerry: 100%. So the next story we have comes from the KnowBe4 blog. Know B
Links:
The Joe Sullivan Verdict – Unfair? – Which Part? (cybertheory.io)
Fujitsu Details Non-Ransomware Cyberattack (webpronews.com)
5 Key Questions CISOs Must Ask Themselves About Their Cybersecurity Strategy (thehackernews.com)
Sizable Chunk of SEC Charges Vs. SolarWinds Dismissed (darkreading.com)
CrowdStrike CEO apologizes for crashing IT systems around the world, details fix | CSO Online

Summary: Cybersecurity Updates: Uber’s Legal Trouble, SolarWinds SEC Outcome, and CrowdStrike Outage
In Episode 273 of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss recent quiet weeks in cybersecurity and correct the record on Uber’s CISO conviction. They delve into essential questions CISOs should consider about their cybersecurity strategies, including budget justification and risk reporting. The episode highlights the significant impact of CrowdStrike’s recent updates causing massive system crashes and explores the court’s decision to dismiss several SEC charges against SolarWinds. The hosts provide insights into navigating cybersecurity complexities and emphasize the importance of effective communication and collaboration within organizations.

00:00 Introduction and Banter
01:52 Correction on Uber’s CISO Conviction
04:07 Recommendations for CISOs
09:28 Fujitsu’s Non-Ransomware Cyber Attack
12:13 Key Questions for CISOs
32:47 Corporate Puffery and SEC Charges
33:15 Internal vs External Communications
33:52 SolarWinds Security Assessment
36:36 CrowdStrike CEO Apologizes
37:16 Global IT Systems Crash
37:57 CrowdStrike’s Kernel-Level Issues
40:55 Industry Reactions and Lessons
42:58 Balancing Security and Risk
49:26 CrowdStrike’s Future and Market Impact
01:03:46 Conclusion and Final Thoughts

Transcript: Episode 273
Jerry: [00:00:00] All right, here we go. Today is Sunday, July 21st, 2024, and this is episode 273 of the Defensive Security Podcast. My name is Jerry Bell, and joining me tonight as always is Mr. Andrew Kalat.
Andy: Good evening, Jerry. I’m not sure why we’re bothering to do a show. Nothing’s happened in the past couple of weeks. It’s been really quiet.
Jerry: Last week was very quiet.
Andy: Yeah, sometimes you just need a couple quiet weeks.
Jerry: Yeah. Yeah, nothing going on. So before we get into the stories, a reminder that the thoughts and opinions we express on this podcast do not represent Andrew’s employers.
Andy: Or your potential future employers.
Jerry: Or my potential future employers.
Andy: As you’re currently, quote, enjoying more time with family, end quote.
Jerry: Yes, which by the way is highly recommended if you can do it.
Andy: Your big thumbs up of being an unemployed bum.
Jerry: It’s been amazing. Absolutely [00:01:00] amazing. I forgot what living was like. I’ll say it that way.
Andy: Having watched your career from next door-ish, not far, but not too close. I think you earned it. I think you absolutely earned some downtime, my friend. You’ve worked your ass off.
Jerry: Thank you. Thank you. It’s been fun.
Andy: And I’ve seen your many floral pics. I don’t, I’m not saying that you’re an orchid hoarder, but some of us are concerned.
Jerry: I actually think that may be a fair characterization. I’m not aware of any 12 step programs for this disorder here.
Andy: There’s a TV show called Hoarders where they go into people’s houses who are hoarders and try to help them. I look forward to your episode.
Jerry: I, yes, I won’t say any more. Won’t say any more. So before we get into the new stories, I did want to correct the record on something we talked about on the last episode [00:02:00] regarding Uber’s CISO that had been criminally convicted. Richard Bejtlich on infosec.exchange actually pointed out to us that it was not failure to report the breach that was the problem. It was a few other issues, which is what Mr. Sullivan had actually been convicted of. So I’m going to stick a story into the show notes.
That has a very, very extensive write up about the issues, and that is from cybertheory.io. And in essence, I would distill it down as saying, again, I guess he was convicted so it’s not alleged. He was convicted of obstruction of an official government investigation. He was convicted of obstructing the ongoing FTC investigation about the 2013 slash 2014 breach, [00:03:00] which had been disclosed previously. The FTC was rooting through their business and were asking questions, and unfortunately, apparently Mr. Sullivan did not provide the information related to this breach in response to open questions. And then furthermore, he was convicted of what I’ll summarize as concealment. He was concealing the fact that there was a felony. And the felony was not something that he had done. The felony was that Uber had been hacked by someone and was being extorted. But because he had been asked directly, hey, have you had any issues like this? And he said, no, that becomes a concealment, an additional concealment charge. And so the jury convicted him on both of those charges, not on failure to disclose a breach.
Andy: Yeah, we went down the wrong path on that one. We were a little, we put out some bad info. [00:04:00] We were wrong.
Jerry: So I’m correcting the record and I certainly appreciate Richard for getting us back on the right track there. This article, by the way, does have a couple of interesting recommendations that I’ll just throw out there. One of them is, hopefully these are fairly obvious, do not actively conceal information about security incidents or ransomware payments, even if you’re directed to do so by your management.
Andy: Yeah. I think, let’s put it out for a second. If you’re in that situation, what do you do? Resign?
Jerry: Yes. Or do you,
Andy: Yeah, I think that’s,
Jerry: I mean you either resign or you have to become a whistleblower.
Andy: Yeah, that’s true.
Your career has probably ended there at that company either way. Most likely. But it’s better than going to jail.
Jerry: It’s a lot better than going to jail. I think what I saw is Sullivan is up for four to eight years in prison, depending on how he’s sentenced.
Andy: Feds don’t like it when you lie to them. They really don’t like it.
Jerry: No, they don’t. Next recommendation is if your company’s under investigation, get help, and potentially [00:05:00] that means getting your own personal legal representation to help you understand what reporting obligations you may have for any open information requests. And I say that because in this instance, Sullivan had confirmed with the CEO of Uber at the time about what they were going to disclose and not disclose, and the CEO signed off on it. And he also went to the chief privacy lawyer, who by the way, was the person who was managing the FTC investigation, and the chief privacy lawyer also signed off on it. Like the joke goes, HR is not your friend. Your legal team may also not be your friend. At some point if you’re in a legally precarious position, you may need your own counsel, which is crappy.
Andy: That is crazy. How much is that going to cost? And wow, that’s it. I don’t [00:06:00] one more reason to think long and hard before accepting a role as CISO at a public company.
Jerry: Yeah, this, by the way, I’m skipping over all sorts of good stuff in this story. So I invite everybody to read it. And it’s a pretty long read. It talks about the differences between the directors of companies and officers of companies and the different obligations and duties they have related to shareholders and customers and employees and whatnot. And what was very interesting, the point they were making is that CISOs don’t have that kind of a responsibility, right? They’re not corporate officers in the same way.
And so when you read the article, and I apologize for not sending it to you, I just realized, when you read the article it was very clear that the author here was pointing out that the government, and I suspect at the behest of Uber, was really specifically [00:07:00] going after Sullivan, right? Because in exchange for testimony, people got immunity in order to testify against Sullivan. And that kind of went all up and down, including, you know, some of the lawyers. So I, by the way, I think he clearly had some bad judgment here. But also, he wasn’t the only one. This was a family affair, but he’s the one who’s really taken the beating. Next recommendation was paying a ransom in return for a promise to delete copies of data, not disclose data, does not relieve your responsibility to report the issue under many global laws and regulations. So just because you’ve gotten an assurance, after you’ve paid a ransom, that the data has been destroyed, you still in almost all cases are going to have a responsibility to report. And one of the things the author here says is you really should let everybody know, there’s vehicles to [00:08:00] inform, at least in the U.S., CISA and the FBI, and I’m sure there’s similar agencies in different countries. To help insulate yourself, do not alter data or logs to conceal a breach or other crime. That seems pretty self evident, but I think the implication is that that’s what happened here. And then also lastly, do not create documents that contain false information.
Andy: Shocking.
Jerry: Yes. So again, nothing in there that is like earth shattering, but it’s a good reminder.
Andy: Yeah. And I don’t know if, but our good friend Bob actually got out of the South American prison he’s been in for a while, and I heard from him, and he’s doing well, he’s got three new tattoos and lost two fingers, b
Links:
https://www.darkreading.com/cybersecurity-operations/a-cisos-guide-to-avoiding-jail-after-a-breach
https://www.csoonline.com/article/2512955/us-supreme-court-ruling-will-likely-cause-cyber-regulation-chaos.html/
https://sansec.io/research/polyfill-supply-chain-attack
https://www.securityweek.com/over-380k-hosts-still-referencing-malicious-polyfill-domain-censys/
https://www.tenable.com/blog/how-the-regresshion-vulnerability-could-impact-your-cloud-environment

Transcript:
[00:00:00] Jerry: All right. Here we go. Today is Sunday, July 7th, 2024, and this is episode 272 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. This is a newly reestablished record, twice in a week, or
Jerry: Twice in a week. I can’t believe it.
Andrew: I know. Awesome. Yeah. You just had to quit that crappy job of yours that provided income for your family and pets and, you know, everything else, but now that you’re an unemployed bum.
Jerry: Yeah, I can podcast all I want, 24 7. I think I’m gonna become an influencer, like I’m gonna just be live all the time now.
Andrew: You could. I really, I look forward to you asking me to subscribe and hit that notify button.
Jerry: That’s right. Hit that subscribe button.
Andrew: Like, leave a rating and a comment.
Jerry: Like and subscribe. All [00:01:00] right, getting with the program, we’re getting back into our normal rhythm. As per normal, we’ve got a couple of stories to talk about. The first one comes from Dark Reading and the title is “A CISO’s Guide to Avoiding Jail After a Breach.”
Andrew: Before we get there. I want to throw out the disclaimer that thoughts and opinions do not reflect any of our employers, past, present, or future.
Jerry: That’s a great point. Or my cats.
Andrew: Unlike you, I have to worry about getting fired.
Jerry: I still have a boss. She can fire me.
Andrew: That’s called divorce, sir.
But true. jerry: Yeah. Andrew: Anyway, back to your story. jerry: Anyway, yeah. CISO’s Guide to Avoiding Jail After a Breach. So this is this is following on a upcoming talk at, I think it’s Black Hat talking about how CISOs can try to insulate themselves from the [00:02:00] potential legal harms or legal perils that can arise as a result of their jobs. It’ll be interesting to see what’s actually in that talk, because the article itself, in my estimation, despite what the title says, doesn’t actually give you a lot of actionable information on, How to avoid jail. They do they do a quote Mr. Sullivan, who was the CISO for Uber. jerry: And they give a little bit of background and how it’s interesting that he he is, now a convicted felon. Although I think that’s still working its way through the the appeals process. Though he previously was appointed to a cybersecurity board by president Obama. jerry: And before that he was a federal prosecutor. And in fact, as the article points out, he was one of the process, he was the prosecutor who prosecuted the first DMCA case, which I thought was quite interesting. You didn’t know that about him, but what’s interesting is this article at least is based a lot on [00:03:00] interviews with him and including recommendations on things like communicating with your your board and your executive leadership team. But I’m assuming that He had done that at Uber. Andrew: Yeah, this is such a tough one for me, and it makes, I think a lot of good people make references in the article. I want to shy away from being a CISO if there’s this sort of potential personal liability. When, there’s a lot of factors that come into play about why a company might be breached that aren’t always within the control of the CISO, whether it be budget, whether it be focus, whether it be company priorities, and you have an active adversary who is looking for any possible way to get into your environment. 
Andrew: So what becomes the benchmark of what constitutes a breach? Negligence up to the point of going to jail is the one that [00:04:00] I’ve struggled with so much and I think those who haven’t really worked in the field much can very easily just point to mistakes that are made, but they don’t necessarily understand the complexity of what goes in to that chain of events and chain of decisions that led to that situation. Andrew: Every job I’ve been in where we were making serious decisions about cybersecurity was a budgetary trade off and a priority trade off and a existential threat to the company if we don’t do X, Y, and Z. Coming from five or six different organizations at the same time coming up to that CFO or the CEO and they have to make hard calls about where that those resources go and those priorities go to keep people employed. And you pair that with a very hostile, third party intentionally trying to breach you it’s a tough situation and I don’t think any of us knows what the rules look like. At this point to keep yourself out of [00:05:00] trouble. You’ve been in this position, not in the, going to jail part, but that this threat was much more meaningful to you in your last role than it is to me. jerry: It is very uncomfortable. I’ll tell you when when the Uber CISO got got charged and the CISO of SolarWinds got charged, that’s It’s an uncomfortable feeling an exposed feeling. In criminal law, there’s this concept of strict liability. jerry: And strict liability basically means, it means the thing happened. And because the thing happened and you are responsible for the thing, it doesn’t matter that, there, there’s no mitigating factors. Your your state of mind, your motivations, , none of that matters in a strict liability case. jerry: And to some extent, it feels like that in this instance, I don’t think it really is, although, when you’re a CISO sometimes that thought can cross your mind. 
Now in the article, they actually point out that, though the CISO is the [00:06:00] lightning rod when things go wrong. It is not just the CISO that is responsible for, what went wrong. jerry: As they describe it, it takes a community and the results of that community are, as we’ve now seen or is alleged is, being pinned on a particular individual. And I, I think and I know from having read the Uber case I’ve not. I’m not so familiar with the SolarWinds case although I’m obviously familiar with what happened in SolarWinds case, with Uber, it was a situation where they they had a a, basically a data breach and the allegation was that the ad, the adversary was trying to hold it for ransom and they They successfully negotiated having that, at least this is my understanding of how the case went they negotiated a payment through [00:07:00] the bug bounty program to the adversaries, perhaps, maybe adversaries isn’t the right word allegedly deleted the data and because of that, they didn’t report the breach. jerry: And so it was really, the failure to report that breach which the government was coming after him for, basically being deceptive to investors. And it’s not necessarily that he was malicious or what have you, but no, basically my layman’s rate is he was defrauding jerry: investors by withholding information about a breach that he was obligated to report. So that’s a tough situation. And what concerns me is that this is somebody who was a federal prosecutor so I had I had plenty of competent legal counsel surrounding me. jerry: And that was a good thing. It felt good. And I’m quite certain he did too, further he himself [00:08:00] was a prosecutor. And so I have a hard time accepting, and maybe it’s just very naive of me. I’d have a hard time accepting that, He was actually trying to misrepresent things or hide things. jerry: I guess that’s where I’m at on this one. 
It feels bad and the article points out that, because of this, one of the, one of the whispers as they describe it in the industry is that it’s forcing people who are qualified for the role and understand the perils that they face to shy away from taking that role. jerry: And that then leads to people who are maybe not as qualified taking the role and then obviously not doing as good of a job. And therefore actually, the net effect is a weaker security posture. Andrew: Yeah. I think one thing that you can, if we try to get some advice out of this or try to give some advice out of this, and the one thing they mentioned in For lack of a better [00:09:00] term, tie some other people in the organization to the same decision, right? Andrew: Make sure that your board is aware and your executives are aware and that you’re not the only one holding the risk bag at the end of the day that, if you have to own the risk yourself, then you need to have formal control. Now, in this case, we’re talking about. In theory, he got in trouble because he didn’t notify the SEC and it was a public company, it was material breach. Andrew: And, so stockholders weren’t informed more so than he was negligent in his cybersecurity duties in terms of technical controls and audits and that sort of thing. However, that feels the way things are going. We hear more and more calls for hold companies accountable directly and legally with risk of jail for breaches. Andrew: And this, there’s a lot of nuance here that’s not exactly what happened here. But I find that very troubling and [00:10:00] obviously, I have a bias because I’m in the industry and I would be at risk of that potentially. But I just don’t think it’s that simple. There’s no CISO that has that much control over an environment that they should be solely responsible for taking the fall if a breach were to happen, although that does happen all the time, but it’s one thing to lose your job is another thing to go to jail. jerry: Yeah. 
And I think that the author here points out
https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/ https://www.bleepingcomputer.com/news/security/hackers-scan-for-vulnerabilities-within-15-minutes-of-disclosure/ https://www.techcircle.in/2022/07/31/paytm-mall-refutes-cyber-breach-report-says-users-data-safe
Stories: https://www.scmagazine.com/feature/incident-response/why-solarwinds-just-may-be-one-of-the-most-secure-software-companies-in-the-tech-universe https://www.computerweekly.com/news/252522789/Log4Shell-on-its-way-to-becoming-endemic https://www.bleepingcomputer.com/news/security/hackers-impersonate-cybersecurity-firms-in-callback-phishing-attacks/ https://www.cybersecuritydive.com/news/microsoft-rollback-macro-blocking-office/627004/

jerry: [00:00:00] All right, here we go. Today is Sunday, July 17th, 2022, and this is episode 268 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.

Andy: Hello, Jerry. How are you, sir?

jerry: Great. How are you doing?

Andy: I’m doing good. I see, nobody else can see it, but I see this amazing background that you’ve done with your studio and all sorts of cool pictures. Did you take those?

jerry: I did not take those. They are straight off Amazon, actually. I’ll have to post the picture at some [00:01:00] point, but the pictures are actually sound-absorbing panels.

Andy: Wow. There’s jokes. I’m not going to make them, but anyway, I’m doing great. Good to see ya.

jerry: Awesome. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers. But as you are apt to point out, they could be for the right price.

Andy: That’s true. That’s true. And, by the way, what that really means is you’re not going to change our opinions. You’re just going to hire them.

jerry: Correct. Right. Sponsor our existing opinions.

Andy: Someday that’ll work.

jerry: All right. So we have some interesting stories today. The first one comes from SCMagazine.com. The title is Why SolarWinds Just Might Be One of the Most Secure Software Companies in the Tech Universe.

Andy: It’s a pretty interesting one. I went into this a little cynical. But there’s a lot of [00:02:00] really interesting stuff in here.

jerry: Yeah, there is, I think. What I found interesting, a couple of things. One is very obvious, that this is a planted attempt to get back into the good graces of the IT world. But at the same time, it is very clear that they have made some pretty significant improvements in their security posture. And I think for that, it deserves a discussion.

Andy: Yeah, not only improvements, but they’re also having this strong appearance of transparency and sharing lessons learned. Which we appreciate.

jerry: Correct. The one thing that I, so we’ll get into it a little bit, but they still don’t really tell you how the thing happened.

Andy: Aliens.

jerry: Obviously it was aliens. They did tell you what happened. And so in the article here they describe, the [00:03:00] CISO of SolarWinds describes, that the attack didn’t actually change their code base. So the attack wasn’t against their code repository. It was actually against one of their build systems. And so the adversary here was injecting code at build time, basically. So it wasn’t something that they could detect through code reviews. It was actually being added as part of the build process. And by inference they had pretty good control, at least they assert they had good control, over their source code, but they did not have good control over the build process. And in the article they go through the security uplifts they’ve made to their build process, which are quite interesting. Like, I would describe it as they have three parallel build channels that are run by three different teams. And at the [00:04:00] end of each of those, there’s a comparison. And if they don’t match, the, they call it a deterministic build. So their security team does one, a DevOps team does another, and the QA team does a third. And all building the same set of code, they should end up with the same final product. All of the systems are central to themselves. They don’t commingle. They don’t have access to each other’s. So there should be a very low opportunity for an adversary to have access to all three environments and do the same thing they did without being able to detect at the end, when they do the comparison between the three builds. Whether it’s a novel approach, I hadn’t thought about it. My first blush was, it seemed excessive, but the more I think about it, it’s probably not a huge amount of [00:05:00] resources to do, so maybe it makes sense.

Andy: Yeah. And also, they mentioned that three different people are in charge of it. And so to corrupt it or somehow inject it into all three would take somehow corrupting three different individuals, somehow, some way.

jerry: Yeah, they would have to, the three teams would have to collude.

Andy: Yeah. Which is difficult.

jerry: Yeah. Yep. Absolutely. So they actually, I haven’t looked into it, but they actually say that they’ve open sourced their approach to this, the multi, kind of multi, what I’ll just call multi-channel build. I thought that was interesting. So there’s a, it’s a good read. They talk about how they changed from their prior model of having one centralized SOC under the company CISO to three different SOCs that monitor different aspects of the environment. They went from having kind of a part-time red team to a [00:06:00] dedicated red team who’s focused on the build environment. I will say the one reservation I have is this kind of feels maybe a little bit like they’re fighting the last war. And so all the stuff that they’re describing is very focused on addressing the thing that failed last time. And are they making equal improvements in other areas?

Andy: Could be. I would say that they’re stuck in a bit of a pickle here where they need to address the common question, which is how do you stop this from happening again? That is what most people are going to ask them. It’s what the government’s asking them. That’s what customers are asking them. And so they’re somewhat forced, whether that’s the most efficient use of resources or not, to deal with that problem right there. They have no choice. But I also feel like a lot of the changes they made, the changes to their build process, would catch a great many other supply chain type [00:07:00] attack outcomes. It seems to me.

jerry: Fair. Fair enough.

Andy: It’s also interesting because a lot of these things are easy to somewhat explain. I bet there’s a lot of devil’s in the details if they had to figure out, they mentioned that they did, they halted all new development of any new features for seven months and turned all attention to security.

jerry: Yeah, so it sounded like they moved from, I think, an on-prem dev and build environment to one that was up in AWS so that they could dynamically create and destroy them as needed.

Andy: Yeah, it’s interesting. The fundamental concept that this article is saying is, hey, once you’ve been breached and you secure yourself, do you have a lower likelihood of being breached in the future? Are you like Dell? You have the board’s attention now. You have the budget now. You have the people, now you have the mandate to secure the company. And is that true?

jerry: I think it is situational. There are some, [00:08:00] I’m drawing a blank. I think that’s one of the hotel chains. I don’t want to say the wrong name, but I believe that there are also instances, readily available, where the contrast is true. Like, they just keep getting hacked over and over.

Andy: And I sometimes wonder if that has to do with the complexity of their environment and the legacy stuff in their environment. If you look at a company like, I don’t know anything about SolarWinds, but I’m guessing, you know, that there is somewhat of a fairly modern IT footprint that may be somewhat easy to retrofit, as opposed to a hotel chain, probably some huge data centers that are incredibly archaic in their potential architecture and design.

jerry: That’s a good point. It’s a very good point. It’s a different, it’s a very different business model, right?

Andy: And they talked about how they’re spending, they’ve got three different tiers of SOCs now, outsourcing two of them. They’re spending a crap ton of money on security.

jerry: Yes.

Andy: Whether with CrowdStrike watching all their endpoint [00:09:00] stuff, they mentioned it here, I’m sure that CrowdStrike appreciated that, their own tier three SOC. They’ve got a lot of stuff. And they also talk about that now their retention rates for customers are back up in the nineties, which is pretty good. So I don’t know. Yeah. Clearly this is a PR thing. But at the same time, I really do appreciate a company that’s gone through this sharing as much as they’re sharing, because the rest of us can learn from it.

jerry: Yeah, absolutely.

Andy: And the other thing, it’s interesting because I look at this, cause I work for a software company now. And it’s a small company. It’s nothing the size of these guys. And we don’t have the resources these guys have, but I think about how many points in our dev chain probably could be easily corrupted in a supply chain attack that they’re stopping with their model. That, I wonder what, what could I do? Like, how much of this could you do on a budget? There’s a huge amount of people environment here. There’s a huge amount of red tape and [00:10:00] bureaucracy and checks and balances that must add tremendously to the cost. Probably slow things down a little bit, proba
Defensive Security Podcast Episode 267

Links: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity https://us-cert.cisa.gov/ncas/alerts/aa22-187a https://www.zdnet.com/article/these-are-the-cybersecurity-threats-of-tomorrow-that-you-should-be-thinking-about-today/

jerry: [00:00:00] Alright, here we go. Today is Sunday, July 10th, 2022, and this is episode 267 of the Defensive Security Podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kalat.

Andy: Good evening, Jerry, how are you? Good, sir.

jerry: I’m doing great. How are you doing?

Andy: I’m good, man. It’s hot and steamy in Atlanta. Tell you that much.

jerry: Yeah. I’ve been back for a month from my beach place. And I think today’s the first day that we’ve not had a heat advisory. [00:01:00]

Andy: Yeah, that’s crazy.

jerry: It has been brutally hot here.

Andy: Now, when you say beach place, you might have to be more specific, cause you’ve got, like, seven beach houses now.

jerry: Well, the southernmost beach house. Yes.

Andy: Yeah. One is the Chateau. One’s technically a compound.

jerry: One’s an island.

Andy: That’s, we’re going to have to probably name them, because they’re tough to keep straight.

jerry: They definitely are. Yup.

Andy: But I, for one, appreciate your new land baroness activities. And look forward to Jerry Landia being launched and seceding from the United States.

jerry: Hell, yeah. That’s right.

Andy: I’ll start applying for citizenship whenever I can.

jerry: Good plan. Good plan. All right. A reminder. We should probably have already said this, but the thoughts and opinions we express on the show are ours and do not represent those of our employers.

Andy: But for enough money, they could.

jerry: Yeah. Everything is negotiable. [00:02:00] All right. A couple of really interesting stories crossed my desk recently, and the first one comes from the US Department of Justice, of all places. And the title here is Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts. So the story here is that there’s this act, as you could probably tell by the title, called the False Claims Act, that permits an employee of a company who specifically does business with the US government to sue the company under the False Claims Act, claiming that the company is misrepresenting itself in the execution of its contracts. And if that [00:03:00] lawsuit is successful, the person making the allegation, basically it’s a whistleblower kind of arrangement, the person making the allegation gets a cut of the settlement. And so in this particular case the whistleblower received $2.61 million of the $9 million.

Andy: Wow. So his company, in theory, was lying on their security controls. And he found out about it or knew about it, and was a whistleblower about it, and is getting 2.61 million.

jerry: Correct. Correct.

Andy: Have to go check everything in my company. I’ll be right back.

jerry: I’m guessing that his lawyers will probably take about 2 million of the 2.61, but, hey, it’s still money, right?

Andy: That’s crazy. It reminds me, it’s probably a lot of our listeners are too young for this, but, the days of the Business Software Alliance about turning in your employer for using pirated software, that you could get a cut of that, but not in the, you [00:04:00] know, seven figure range.

jerry: Yeah, this is really quite interesting. And what’s more interesting is that there is apparently some indication that the US government may expand the scope of this to include non-government contracts, including perhaps even public companies under the jurisdiction of the Securities and Exchange Commission. I don’t think that’s codified yet. Probably just hyperbole at this point, but holy moly. It really drives home the point that we need to do what we say and say what we do.

Andy: So what were the gaps or what were the misses that they said they had?

jerry: I have done a little bit of searching around. I didn’t go through all of the details in that case. Because it was a settlement, there may not be actual details available, but I’ve not been able to find the specific details of what they were not doing.

Andy: Yeah. I did [00:05:00] go and, cause I was very curious about this, I did do a bunch of searching and found some summaries of the case and some of the legal documentation, and it looks like, the best I was able to get into is there was a matrix of 56 security controls, or something around those lines, don’t quote me on that, and that the company only had satisfactory coverage of five to 10 of them.

jerry: Oh, wow.

Andy: And there was another one where they did a third-party pen test, who got into the company in four hours. It looks like there’s a bunch of unpatched vulnerabilities. So it’s in legalese, right? So it’s a little tough to translate into our world at times. But I’m actually quite curious, and I might want to do some more research trying to figure out what exactly were the gaps. And I guess at the end of the day, they agreed to these things contractually and just didn’t do them.

jerry: Correct. That’s the net of it.

Andy: This is primarily if you’re doing business with the government, the US government.

jerry: Correct. Do you have a government contract?

jerry: Yeah, for now. And I do think that over time, like I said, my [00:06:00] understanding is that the scope of this may increase.

Andy: This is, I really feel like this is huge. This could open the door. I mean, because you and I both know how often those contractual obligations and the way you answer those questions is a little squishy.

jerry: Yeah. Yeah. Optimistic, I think. I think optimistic might be.

Andy: That’s fair. That’s fair. But it’s also interesting trying to have federal judges navigate this very complex world. Yeah, that’s it. That’s a crazy story. We’ll see where that goes.

jerry: So anyway, it really highlights the point about being very honest and upfront with what we’re doing. And if we commit to doing something, we need to do it.

Andy: Yeah, it just gets fuzzy when there’s business deals on the back end of that answer.

jerry: No, I completely agree. All right. The next story, also pretty interesting, also comes from a US government agency. This one comes [00:07:00] from CISA, the Cybersecurity and Infrastructure Security Agency. I hate the name. I really wish they’d come up with a different name. It’s the word security way too many times. Anyway, the title here is North Korea State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sectors. From an actual actor standpoint, or threat actor standpoint, there’s not a ton of innovation here. They’re not doing anything super sophisticated that we don’t see in a lot of other campaigns, but what is most interesting is that the government, the US government, has attributed this particular campaign to North Korea. And North Korea is one of the most, perhaps the most, heavily sanctioned country in the world for the US government. And so if you, as an entity in the US, somehow support an [00:08:00] organization or a person or entity in North Korea, you can be subject to penalties from the US government. And the point here is if you are a victim of this ransomware campaign and you pay the ransom, you may run afoul of those sanctions, and that could end, in addition to whatever penalties you might come into as a result of the breach, you may actually run into some pretty significant additional penalties as a result of supporting the North Korean government.

Andy: Well, that is an interesting little problem, isn’t it?

jerry: Yes, it is. Yes, it is.

Andy: What you need is a shell company to run your ransomware payment through.

jerry: I have a feeling there’s a lot of that going on in the world.

Andy: We saw some shenanigans with, like, lawyers doing it as a proxy and using, in essence, [00:09:00] privileged communications to hide it. At least allegedly, in some previous stories we’ve covered. But that’s an interesting problem. Yeah. I can see how that would be a challenge. Maybe if you only paid the ransomware, like, in bulk wheat shipments.

jerry: A barter system.

Andy: Because we send them food.

jerry: That’s true.

Andy: That’s allowed.

jerry: So you recover your data by paying in humanitarian aid.

Andy: I think Twinkies for data is a perfect campaign. We should launch.

jerry: I don’t even know what to say.

Andy: Either pay three Bitcoin, which is now probably worth like 30 bucks, I don’t know, I haven’t checked lately, or two semis full of Twinkies.

jerry: But how are you going to get the Twinkies to them? That’s what I want to know.

Andy: They have ships. They make ships that they go on and they go across the sea and then they take them off the ships. Did you not read the books I gave you?

jerry: Oh, geez. Showing my ignorance. I will say that there are some recommendations down at the bottom. Some [00:10:00] of them are interesting and things that you haven’t seen a lot of recommended before. But a lot of them are just the normal run of the mill platitudes. Only use secured networks and avoid using public wifi networks. Consider using and installing a VPN. No, I get so tired of the, you should consider doing X. Well, okay. I considered it. You should consider not using administrative rights for your users. Okay. I considered it.

Andy: Well, and the real problem here is that ransomware is not one threat. It is the outcome of.

jerry: Exactly.

Andy: Yeah. That’s why the ransomware
https://www.csoonline.com/article/3660560/uber-cisos-trial-underscores-the-importance-of-truth-transparency-and-trust.html https://thehackernews.com/2022/06/conti-leaks-reveal-ransomware-gangs.html?m=1 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
Google Exposes Initial Access Broker Ties With Ransomware Actors (bankinfosecurity.com) Okta says hundreds of companies impacted by security breach | TechCrunch Okta: “We made a mistake” delaying the Lapsus$ hack disclosure (bleepingcomputer.com) Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code | TechCrunch DEV-0537 criminal actor targeting organizations for data exfiltration and destruction – Microsoft Security Blog Sabotage: Code added to popular NPM package wiped files in Russia and Belarus | Ars Technica President Biden Signs into Law the Cyber Incident Reporting Act (natlawreview.com) SEC Proposes Rules On Cybersecurity Risk Management, Strategy, Governance, And Incident Disclosure By Public Companies – Technology – United States (mondaq.com)
Adafruit discloses data leak from ex-employee’s GitHub repo (bleepingcomputer.com) Malware now using NVIDIA’s stolen code signing certificates (bleepingcomputer.com) NSA report: This is how you should be securing your network | ZDNet
https://www.govinfosecurity.com/data-breach-exposes-booking-details-19-million-customers-a-18505 https://www.helpnetsecurity.com/2022/02/11/cloud-security-training/ https://www.bankinfosecurity.com/massive-breach-hits-500-e-commerce-sites-a-18492 https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illicit-use-of-cobalt-strike https://www.darkreading.com/attacks-breaches/google-cuts-account-compromises-in-half-with-simple-change
https://www.darkreading.com/edge-threat-monitor/most-common-cause-of-data-breach-in-2021-phishing-smishing-bec https://www.bleepingcomputer.com/news/security/fbi-shares-lockbit-ransomware-technical-details-defense-tips/ https://www.csoonline.com/article/3648991/dhs-announces-the-creation-of-the-cyber-safety-review-board.html https://www.darkreading.com/application-security/disclosure-panic-patch-can-we-do-better-
https://www.bleepingcomputer.com/news/security/hackers-are-taking-over-ceo-accounts-with-rogue-oauth-apps/ https://blog.f-secure.com/insight-from-a-large-scale-phishing-study/ https://www.darkreading.com/attacks-breaches/log4j-proved-public-disclosure-still-helps-attackers https://www.csoonline.com/article/3647756/how-to-prioritize-and-remediate-vulnerabilities-in-the-wake-of-log4j-and-microsofts-patch-tuesday-b.html
https://www.csoonline.com/article/3647209/why-you-should-secure-your-embedded-server-management-interfaces.html https://www.csoonline.com/article/3646613/cybercrime-group-elephant-beetle-lurks-inside-networks-for-months.html https://www.zdnet.com/article/when-open-source-developers-go-bad/ https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-rollout-of-january-windows-server-updates/
https://arstechnica.com/gadgets/2021/07/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code/ https://arstechnica.com/gadgets/2021/07/feds-list-the-top-30-most-exploited-vulnerabilities-many-are-years-old/ https://www.securityweek.com/hospital-network-reveals-cause-2020-cyberattack https://www.csoonline.com/article/3628331/recent-shadow-it-related-incidents-present-lessons-to-cisos.html https://www.natlawreview.com/article/another-court-orders-production-cybersecurity-firm-s-forensic-report-data-breach https://www.secureworld.io/industry-news/ciso-lawsuit-solarwinds
https://therecord.media/using-vms-to-hide-ransomware-attacks-is-becoming-more-popular/ https://blog.erratasec.com/2021/07/ransomware-quis-custodiet-ipsos-custodes.html?m=1 https://www.databreachtoday.com/how-mespinoza-ransomware-group-hits-targets-a-17086 https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-backups/ https://arstechnica.com/gadgets/2021/07/kaseya-gets-master-decryptor-to-help-customers-still-suffering-from-revil-attack/
https://www.csoonline.com/article/3623760/printnightmare-vulnerability-explained-exploits-patches-and-workarounds.html#tk.rss_all https://www.securityweek.com/continuous-updates-everything-you-need-know-about-kaseya-ransomware-attack https://www.databreachtoday.com/kaseya-raced-to-patch-before-ransomware-disaster-a-17006
https://www.reuters.com/technology/us-sec-official-says-agency-has-begun-probe-cyber-breach-by-solarwinds-2021-06-21/ https://www.databreachtoday.com/cisa-firewall-rules-could-have-blunted-solarwinds-malware-a-16919 https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/ https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/
We’re baaaack
https://www.securityinformed.com/news/intruder-research-mongodb-databases-breached-connected-internet-co-1594211095-ga-co-1594211806-ga.1594215158.html https://www.zdnet.com/article/hackers-are-trying-to-steal-admin-passwords-from-f5-big-ip-devices/ https://www.csoonline.com/article/3564726/privilege-escalation-explained-why-these-flaws-are-so-valuable-to-hackers.html#tk.rss_all https://arstechnica.com/information-technology/2020/06/theft-of-top-secret-cia-hacking-tools-was-result-of-woefully-lax-security/
https://www.bankinfosecurity.com/capital-one-must-turn-over-mandiant-forensics-report-a-14352 https://www.databreachtoday.com/insider-threat-lessons-from-3-incidents-a-14312 https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/
https://www.securityweek.com/recent-salt-vulnerabilities-exploited-hack-lineageos-ghost-digicert-servers https://www.zdnet.com/article/ransomware-mentioned-in-1000-sec-filings-over-the-past-year/
https://www.zdnet.com/article/dhs-cisa-companies-are-getting-hacked-even-after-patching-pulse-secure-vpns/ https://www.bankinfosecurity.com/attackers-increasingly-using-web-shells-to-create-backdoors-a-14179 https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files/
https://www.tomsguide.com/news/zoom-security-privacy-woes https://www.bankinfosecurity.com/blogs/learn-from-how-others-get-breached-equifax-edition-p-2870 https://www.zdnet.com/article/microsoft-how-one-emotet-infection-took-out-this-organizations-entire-network/ https://www.microsoft.com/security/blog/wp-content/uploads/2020/04/Case-study_Full-Operational-Shutdown.pdf
Be well, be safe, take care of yourselves, and take care of others (from an appropriate distance). https://www.businessinsider.com/coronavirus-apple-secrecy-work-from-home-difficult-2020-3 https://www.csoonline.com/article/3531963/8-key-security-considerations-for-protecting-remote-workers.html https://www.zdnet.com/article/microsoft-99-9-of-compromised-accounts-did-not-use-multi-factor-authentication/
https://www.securityweek.com/state-sponsored-cyberspies-use-sophisticated-server-firewall-bypass-technique https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/ https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf
https://www.darkreading.com/risk/cybercriminals-swap-phishing-for-credential-abuse-vuln-exploits/d/d-id/1337019 https://www.businessinsider.com/phishing-scams-getting-more-sophisticated-what-to-look-out-for-2020-2#hackers-will-start-by-targeting-low-level-employees-then-moving-laterally-to-compromise-executives-accounts-1 https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/ https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
https://www.bankinfosecurity.com/judge-rules-insurer-must-pay-for-ransomware-damage-a-13673 https://www.zdnet.com/google-amp/article/new-york-state-wants-to-ban-government-agencies-from-paying-ransomware-demands/ https://www.bankinfosecurity.com/nist-drafts-guidelines-for-coping-ransomware-a-13679 https://arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/ https://www.bankinfosecurity.com/doppelpaymer-ransomware-threatens-to-dump-victims-data-a-13683
https://www.securityweek.com/attacker-installs-backdoor-blocks-others-exploiting-citrix-adc-vulnerability https://www.securityweek.com/court-approves-equifax-data-breach-settlement https://www.infosecurity-magazine.com/news/equifax-breach-settlement-could/ https://www.natlawreview.com/article/ico-issues-fine-against-national-retailer-security-failings
https://www.irishtimes.com/news/crime-and-law/courts/high-court/firm-being-blackmailed-by-hackers-for-6m-obtains-irish-court-injunction-1.4128069 https://inews.co.uk/inews-lifestyle/travel/travelex-hack-cyber-attack-ransomware-sodinokibi-travel-money-uk-firm-data-breach-explained-1358454 https://securityaffairs.co/wordpress/96046/hacking/microsoft-rdp-brute-force-study.html https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/
https://www.wwltv.com/article/news/crime/city-government-in-recovery-mode-after-cyberattack/289-514a376e-16de-4b43-9756-a30baefe4c28 https://arstechnica.com/information-technology/2019/11/hackers-paradise-louisianas-ransomware-disaster-far-from-over/ https://www.csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html
https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/ https://www.csoonline.com/article/3454443/how-a-bank-got-hacked-a-study-in-how-not-to-secure-your-networks.html
https://arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/ https://www.csoonline.com/article/3452747/what-you-need-to-know-about-the-new-owasp-api-security-top-10-list.html https://www.securityweek.com/pci-dss-compliance-between-audits-declining-verizon https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/
https://securityaffairs.co/wordpress/92484/data-breach/imperva-data-breach-2.html https://arstechnica.com/information-technology/2019/10/the-count-of-managed-service-providers-getting-hit-with-ransomware-mounts/ https://www.zdnet.com/article/city-of-johannesburg-held-for-ransom-by-hacker-gang/
https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
Get well soon, Mr. Kalat!
https://www.theregister.co.uk/2019/03/20/steffan_needham_aws_rampage_prison_sentence_voova/ https://www.zdnet.com/google-amp/article/study-shows-programmers-will-take-the-easy-way-out-and-not-implement-proper-password-security/ https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/ https://matrix.org/blog/2019/04/11/security-incident/index.html
https://www.zdnet.com/article/hackers-wipe-us-servers-of-email-provider-vfemail/ https://www.securityweek.com/russian-state-sponsored-hackers-are-fastest-crowdstrike https://www.zdnet.com/article/icann-there-is-an-ongoing-and-significant-risk-to-dns-infrastructure/ https://www.infosecurity-magazine.com/news/password-managers-no-more-secure-1/ https://www.zdnet.com/article/microsoft-do-these-things-now-to-protect-your-network/
https://www.securityweek.com/hackers-using-rdp-are-increasingly-using-network-tunneling-bypass-protections https://www.zdnet.com/article/trojan-malware-is-back-and-its-the-biggest-hacking-threat-to-your-business/ https://www.csoonline.com/article/3336923/security/phishing-has-become-the-root-of-most-cyber-evil.html https://www.darkreading.com/attacks-breaches/ransomware-attack-via-msp-locks-customers-out-of-systems/d/d-id/1333825 https://www.dlapiper.com/~/media/files/insights/publications/2019/02/dla-piper-gdpr-data-breach-survey-february-2019.pdf
https://www.zdnet.com/article/popular-wordpress-plugin-hacked-by-angry-former-employee/ https://www.zdnet.com/article/notpetya-an-act-of-war-cyber-insurance-firm-taken-to-task-for-refusing-to-pay-out/ https://www.zdnet.com/article/employees-sacked-ceo-fined-in-singhealth-security-breach/ https://www.zdnet.com/article/firms-fined-1m-for-singhealth-data-security-breach/ https://www.securityweek.com/new-variant-bec-seeks-divert-payroll-deposits https://www.zdnet.com/article/oklahoma-gov-data-leak-exposes-millions-of-department-files-fbi-investigations/
https://lifehacker.com/why-smart-people-make-stupid-mistakes-1831503216 https://www.chicagotribune.com/business/ct-biz-tribune-publishing-malware-20181230-story,amp.html https://www.securityweek.com/was-north-korea-wrongly-accused-ransomware-attacks https://www.healthcareitnews.com/news/staff-lapses-and-it-system-vulnerabilities-are-key-reasons-behind-singhealth-cyberattack https://www.nextgov.com/cybersecurity/2019/01/hhs-releases-voluntary-cybersecurity-practices-health-industry/153835/ https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/ https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/
https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/ https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/ https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
https://www.dutchnews.nl/news/2018/11/internet-con-men-ripped-off-pathe-nl-for-e19m-in-sophisticated-fraud/ https://lifehacker.com/how-password-constraints-give-you-a-false-sense-of-secu-1830564360 https://www.csoonline.com/article/3319704/data-protection/the-end-of-security-as-we-know-it.html https://www.careersinfosecurity.com/breach-settlement-has-unusual-penalty-a-11669 https://motherboard.vice.com/en_us/article/bje8na/massive-data-leaks-keep-happening-because-big-companies-can-afford-to-lose-your-data https://www.zdnet.com/article/city-of-valdez-alaska-admits-to-paying-off-ransomware-infection/
https://www.zdnet.com/article/this-is-how-artificial-intelligence-will-become-weaponized-in-future-cyberattacks/ https://www.securityinfowatch.com/article/12434583/everyone-needs-to-take-responsibility-for-cybersecurity-in-the-workplace https://www.zdnet.com/article/adobe-coldfusion-servers-under-attack-from-apt-group/ https://www.securityweek.com/troubled-waters-how-new-wave-cyber-attacks-targeting-maritime-trade https://securityaffairs.co/wordpress/77676/malware/industrial-facilities-malware.html
https://www.zdnet.com/article/equifax-engineer-who-designed-breach-portal-gets-8-months-of-house-arrest-for-insider-trading/ https://www.csoonline.com/article/3314557/security/ransomware-attack-hits-north-carolina-water-utility-following-hurricane.html https://www.securityweek.com/insurer-anthem-will-pay-record-16m-massive-data-breach https://blog.sucuri.net/2018/10/malicious-redirects-from-newsharecounts-com-tweet-counter.html https://www.thinkadvisor.com/2018/09/26/sec-hits-voya-financial-advisors-with-1m-fine-over/ https://www.healthcareitnews.com/news/debunking-cybersecurity-thought-humans-are-weakest-link
Note: this episode is being re-released to fix a problem with the mp3 download. https://www.tripwire.com/state-of-security/security-data-protection/bec-as-a-service-offers-hacked-business-accounts-for-as-little-as-150/ https://www.bleepingcomputer.com/news/security/ic3-issues-alert-regarding-remote-desktop-protocol-rdp-attacks/ https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/
https://motherboard.vice.com/en_us/article/pa8emg/russian-indicted-jp-morgan-chase-hack https://www.zdnet.com/article/us-government-releases-post-mortem-report-on-equifax-hack/ https://www.zdnet.com/article/phishing-alert-north-korean-hacking-attacks-shows-your-email-is-still-the-weakest-link/ https://www.verizon.com/about/news/lifting-lid-cybercrime
https://www.zdnet.com/article/this-destructive-ransomware-has-made-crooks-6m-by-encrypting-data-and-backups/ https://www.bleepingcomputer.com/news/security/reddit-announces-security-breach-after-hackers-bypassed-staffs-2fa/ https://www.databreachtoday.com/art-steal-fin7s-highly-effective-phishing-a-11286 https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most https://www.bankinfosecurity.com/labcorp-still-recovering-from-ransomware-attack-a-11235 https://www.securityweek.com/cyber-axis-evil-rewriting-cyber-kill-chain https://arstechnica.com/information-technology/2018/07/prolific-hacking-group-steals-almost-1-million-from-russian-bank/#p3 https://www.bleepingcomputer.com/news/government/us-charges-12-russian-intelligence-officers-for-hacking-dnc-running-dcleaks/
https://www.csoonline.com/article/3285982/data-protection/4-reasons-why-cisos-must-think-like-developers-to-build-cybersecurity-platforms.html https://www.csoonline.com/article/3287655/phishing/stop-training-your-employees-to-fall-for-phishing-attacks.html https://www.bankinfosecurity.com/cryptojacking-displaces-ransomware-as-top-malware-threat-a-11165 https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github
https://www.esecurityplanet.com/network-security/security-projects-cisos-should-consider-gartner.html https://www.canadianunderwriter.ca/legal/data-breach-defendant-must-hand-computer-forensics-reports-court-1004133756 https://www.theregister.co.uk/2018/06/26/digitally_signed_malware/ https://www.bankinfosecurity.com/californias-new-privacy-law-its-almost-gdpr-in-us-a-11149 https://blog.erratasec.com/2018/06/lessons-from-npetya-one-year-later.html
https://www.wired.com/story/exactis-database-leak-340-million-records/ https://www.helpnetsecurity.com/2018/06/19/opm-breach-fraud/ https://www.tenable.com/blog/should-you-still-prioritize-exploit-kit-vulnerabilities
https://www.csoonline.com/article/3276584/ransomware/what-does-a-ransomware-attack-cost-beware-the-hidden-expenses.html https://www.bankinfosecurity.com/mental-health-provider-pays-ransom-to-recover-data-a-11040 https://www.itbusinessedge.com/blogs/data-security/did-we-see-our-first-data-breach-of-the-gdpr-era.html
https://www.zdnet.com/article/wannacry-ransomware-crisis-one-year-on-are-we-ready-for-the-next-global-cyber-attack/ https://www.zdnet.com/article/enterprise-vulnerability-management-as-effective-as-random-chance/ https://www.zdnet.com/article/enterprise-codebases-plagued-by-open-source-vulnerabilities/ https://www.databreachtoday.com/nuance-communications-breach-affected-45000-patients-a-11002
https://www.csoonline.com/article/3262168/ransomware/customers-describe-the-impact-of-the-allscripts-ransomware-attack.html https://www.infosecurity-magazine.com/news/atlanta-city-splurges-27m/ https://arstechnica.com/information-technology/2018/04/insecure-rsa-conference-app-leaked-attendee-data/ https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/
https://www.verizonenterprise.com/verizon-insights-lab/dbir/
https://www.bankinfosecurity.com/nj-ag-smacks-practice-hefty-fine-for-vendor-breach-a-10774 https://www.bankinfosecurity.com/panera-bread-data-leak-persisted-for-eight-months-a-10760 http://www.eweek.com/security/best-buy-delta-sears-hit-by-third-party-chat-widget-breach http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-hack-folo-20180328-story.html
https://www.csoonline.com/article/3265024/privacy/are-you-letting-gdpr-s-privacy-rules-trump-security.html http://www.zdnet.com/article/doj-indicts-iranian-hackers-for-stealing-data-from-144-us-universities/ https://www.databreachtoday.com/report-guccifer-20-unmasked-at-last-a-10737 https://www.databreachtoday.com/expedias-orbitz-suspects-880000-payment-cards-stolen-a-10729 https://www.csoonline.com/article/3266364/security/samsam-group-deletes-atlantas-contact-portal-after-the-address-goes-public.html https://www.securityweek.com/top-vulnerabilities-exploited-cybercriminals
https://www.theguardian.com/business/2018/mar/14/equifax-insider-trading-data-breach-jun-ying-charged https://gizmodo.com/us-power-company-fined-2-7-million-over-security-flaws-1823745994 https://www.csoonline.com/article/3262551/data-protection/are-your-employees-unwittingly-invalidating-your-cyber-liability-insurance.html https://www.cisecurity.org/controls/
https://www.csoonline.com/article/3258817/data-breach/sec-guidance-on-it-security-would-you-report-security-risks-before-a-breach.html http://www.zdnet.com/article/hackers-are-selling-legitimate-code-signing-certificates-to-evade-malware-detection/ http://au.news.yahoo.com/a/39380423/equifax-expects-net-200-million-in-breach-related-costs-in-2018/ http://www.eweek.com/security/crowdstrike-reveals-time-to-breakout-as-key-cyber-security-metric https://www.securityweek.com/sophisticated-cyberspies-target-middle-east-africa-routers
https://www.bleepingcomputer.com/news/security/destructive-malware-wreaks-havoc-at-pyeongchang-2018-winter-olympics/ https://www.cyberscoop.com/atos-olympics-hack-olympic-destroyer-malware-peyongchang/ https://www.bankinfosecurity.com/blogs/attribution-games-dont-rush-to-blame-p-2594 http://www.zdnet.com/article/meltdown-spectre-flaws-weve-found-new-attack-variants-say-researchers/ https://news.iu.edu/stories/2018/02/iub/releases/13-paper-suggests-agency-to-prevent-cyberattacks.html
https://www.csoonline.com/article/3247653/data-protection/5-mistakes-ive-made-and-how-to-avoid-them.html https://www.csoonline.com/article/3244650/disaster-recovery/why-we-continue-to-fail-lessons-learned-from-the-atlanta-airport-fiasco.html https://www.wired.com/story/meltdown-and-spectre-patches-take-toll/
https://www.upguard.com/breaches/cloud-leak-alteryx?ilink=1 https://krebsonsecurity.com/2017/12/4-years-after-target-the-little-guy-is-the-target/
https://www.csoonline.com/article/3239645/data-protection/3-common-cybersecurity-maturity-failings.html https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/ https://krebsonsecurity.com/2017/12/phishers-are-upping-their-game-so-should-you/ https://www.reuters.com/article/us-uber-cyber-payment-exclusive/exclusive-uber-paid-20-year-old-florida-man-to-keep-data-breach-secret-sources-idUSKBN1E101C
http://www.zdnet.com/article/national-credit-federation-leaked-us-citizen-data-through-unsecured-aws-bucket/ http://www.mercurynews.com/2017/11/21/uber-concealed-attack-that-exposed-data-of-57-million/
https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/ https://www.bankinfosecurity.com/mayer-strengthened-defense-couldnt-stop-massive-breaches-a-10442 http://www.securityweek.com/phishing-poses-biggest-threat-users-google
https://www.bleepingcomputer.com/news/security/59-percent-of-employees-hit-by-ransomware-at-work-paid-ransom-out-of-their-own-pockets/ https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning https://www.csoonline.com/article/3234675/data-protection/6-reasons-why-awareness-programs-fail-even-when-following-best-practices.html https://cyberbalancesheet.com/
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros https://www.databreachtoday.com/ex-ceo-blames-human-error-tech-failures-for-equifax-breach-a-10349 http://www.zdnet.com/article/wsj-kaspersky-software-likely-used-in-russian-backed-nsa-breach/ https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html https://www.bleepingcomputer.com/news/legal/it-admin-trashes-railroad-companys-network-before-he-leaves/
https://arstechnica.com/information-technology/2017/09/ccleaner-backdoor-infecting-millions-delivered-mystery-payload-to-40-pcs/ https://www.theregister.co.uk/2017/09/26/equifax_ceo_resigns/ https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/comment-page-2/ https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/
https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/ https://www.welivesecurity.com/2017/09/06/security-vulnerability-leaves-fortune-100-firms-vulnerable/ http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/amp/ https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
http://www.securityweek.com/three-questions-every-ciso-should-be-able-answer https://arstechnica.com/information-technology/2017/08/powerful-backdoor-found-in-software-used-by-100-banks-and-energy-cos/?amp=1 https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/ http://www.csoonline.com/article/3213030/security/when-it-comes-to-the-cloud-do-cisos-have-their-heads-in-the-sand.html http://www.zdnet.com/article/petya-ransomware-cyber-attack-costs-could-hit-300m-for-shipping-giant-maersk/ https://www.helpnetsecurity.com/2017/08/24/crystal-finance-millennium-compromised/ https://www.lacyberlab.org/what-los-angeles-cyber-lab
https://www.theregister.co.uk/2017/08/10/salesforce_fires_its_senior_security_engineers_after_defcon_talk/?mt=1502653861726 PR fight ensues after claims of leaked Carbon Black data https://www.theregister.co.uk/2017/08/10/carbon_black_denies_sec_sys_broken/ http://www.databreachtoday.com/ocr-tells-organizations-to-step-up-phishing-scam-awareness-a-10174 https://www.infosecurity-magazine.com/news/anthem-medicare-patients-hit-breach/ https://www.theregister.co.uk/2017/08/07/cba_blames_software_for_money_laundering_miss/
https://www.darkreading.com/vulnerabilities---threats/wannacry-inspires-worm-like-module-in-trickbot/d/d-id/1329491 http://www.securityweek.com/one-million-exposed-adware-hijacked-chrome-extension https://www.darkreading.com/risk/can-your-risk-assessment-stand-up-under-scrutiny/a/d-id/1329435
http://thehackernews.com/2017/07/adwind-rat-malware.html https://www.theregister.co.uk/2017/07/13/swiss_domain_name_hijack/ http://www.databreachtoday.com/fedex-warns-notpetya-will-negatively-affect-profits-a-10118 http://www.cnbc.com/2017/07/21/a-cyberattack-is-going-to-cause-this-tech-company-to-miss-earnings.html http://www.securityweek.com/alarming-percentage-employees-hide-security-incidents-report
http://www.databreachtoday.com/notpetya-patient-zero-ukrainian-accounting-software-vendor-a-10080 http://blog.talosintelligence.com/2017/07/the-medoc-connection.html?m=1 http://www.databreachtoday.com/police-seize-backdoored-firms-servers-to-stop-attacks-a-10083 https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/ https://www.wired.com/story/petya-plague-automatic-software-updates/ https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/ https://apnews.com/962db1cd370d4fdda6083d064b94dd1b https://infosec.engineering/notpetya-complex-attacks-and-the-fog-of-war/
http://securityaffairs.co/wordpress/60243/data-breach/dra-data-leak.html https://www.wired.com/story/crash-override-malware/ https://threatpost.com/fin10-extorting-canadian-mining-companies-casinos/126382/ http://variety.com/2017/digital/features/netflix-orange-is-the-new-black-leak-dark-overlord-larson-studios-1202471400/amp/ https://arstechnica.com/information-technology/2017/06/32tb-of-windows-10-beta-builds-driver-source-code-leaked/ https://arstechnica.com/security/2017/06/5-weeks-after-wcry-outbreak-nsa-derived-worm-shuts-down-a-honda-factory/
https://hotforsecurity.bitdefender.com/blog/heartbleed-still-hurting-hard-uk-council-fined-100000-after-data-breach-18205.html https://threatpost.com/ransomware-attack-hobbles-prestigious-university-college-london/126299/ http://www.securityweek.com/web-hosting-provider-pays-1-million-ransomware-attackers https://infosec.engineering/improving-the-effectiveness-of-vulnerability-remediation-targeting/
http://www.csoonline.com/article/3198492/security/ceos-risky-behaviors-compromise-security.html https://www.bleepingcomputer.com/news/security/ex-admin-deletes-all-customer-data-and-wipes-servers-of-dutch-hosting-provider http://thehackernews.com/2017/06/intel-amt-firewall-bypass.html http://thehackernews.com/2017/06/microsoft-powerpoint-malware.html
http://www.csoonline.com/article/3198496/compliance/sometimes-it-is-necessary-to-bend-the-rules-a-bit.html http://www.securityweek.com/nature-vs-nurture-bad-cybersecurity-our-dna http://gizmodo.com/top-defense-contractor-left-sensitive-pentagon-files-on-1795669632 https://nakedsecurity.sophos.com/2017/06/02/onelogin-warns-that-attacker-could-be-able-to-decrypt-data/
https://arstechnica.com/security/2017/05/windows-7-not-xp-was-the-reason-last-weeks-wcry-worm-spread-so-widely/ http://www.publictechnology.net/articles/news/nhs-cyber-attack-forces-week-long-council-email-block https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html https://www.grahamcluley.com/companies-keeping-bitcoin-hand-case-ransomware-attacks/ http://www.eweek.com/security/zomato-docusign-breaches-reveal-common-security-risks
http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf
https://www.wsj.com/articles/cybersecurity-startup-tanium-exposed-california-hospitals-network-in-demos-without-permission-1492624287 https://hotforsecurity.bitdefender.com/blog/95-of-enterprise-risk-assessments-find-employees-using-tor-private-vpns-to-bypass-security-report-says-17902.html http://www.csoonline.com/article/3191286/security/most-employees-willing-to-share-sensitive-information-survey-says.html https://www.bleepingcomputer.com/news/security/over-36-000-computers-infected-with-nsas-doublepulsar-malware/
https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/ https://www.bleepingcomputer.com/news/security/former-sysadmin-accused-of-planting-time-bomb-in-companys-database/ http://www.computerworld.com/article/3189059/security/what-prevents-breaches-process-technology-or-people-one-answer-is-pc-and-one-is-right.html http://www.csoonline.com/article/3187422/network-security/report-30-of-malware-is-zero-day-missed-by-legacy-antivirus.amp.html https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/ http://news.softpedia.com/news/two-laptops-with-hong-kong-s-3-7-million-voters-data-stolen-514346.shtml http://researchcenter.paloaltonetworks.com/2017/03/unit42-threat-brief-credential-theft-keystone-shamoon-2-attacks/
http://www.itworld.com/article/3182431/security/some-https-inspection-tools-might-weaken-security.html https://www.bleepingcomputer.com/news/legal/former-it-admin-accused-of-leaving-backdoor-account-accessing-it-700-times/ http://www.securityweek.com/what-cisos-can-learn-er-doctors http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html https://arstechnica.com/security/2017/03/microsofts-silence-over-unprecedented-patch-delay-doesnt-smell-right/
http://www.bankinfosecurity.com/emory-healthcare-database-breach-what-happened-a-9745 http://www.networkworld.com/article/3176718/security/dealing-with-overwhelming-volume-of-security-alerts.html#tk.rss_security http://www.networkworld.com/article/3175030/security/trend-micro-report-ransomware-booming.html https://www.helpnetsecurity.com/2017/03/02/yahoo-cookie-forging-incident/ http://www.darkreading.com/risk/new-cybersecurity-regulations-begin-today-for-ny-banks/d/d-id/1328295 http://www.pcworld.com/article/3179348/security/after-cia-leak-intel-security-releases-detection-tool-for-efi-rootkits.html https://arstechnica.com/security/2017/03/wikileaks-publishes-what-it-says-is-trove-of-cia-hacking-tools/ http://www.csoonline.com/article/3177994/security/cia-false-flag-team-repurposed-shamoon-data-wiper-other-malware.html
https://www.bleepingcomputer.com/news/security/malware-used-to-attack-polish-banks-contained-false-flags-blaming-russian-hackers/ http://www.csoonline.com/article/3173639/security/bleeding-clouds-cloudflare-server-errors-blamed-for-leaked-customer-data.html http://www.csoonline.com/article/3174153/security/carders-capitalize-on-cloudflare-problems-claim-150-million-logins-for-sale.amp.html http://www.securityweek.com/what-hackers-think-your-defenses http://www.csoonline.com/article/3171154/security/verizon-knocks-off-350m-from-yahoo-deal-after-breaches.html
https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38/file/169827/1/ATA%20Playbook.pdf http://www.securityweek.com/google-shares-data-corporate-email-attacks http://www.databreachtoday.com/reworked-ny-cybersecurity-regulation-takes-effect-in-march-a-9733 http://www.computerworld.com/article/3169386/security/recent-malware-attacks-on-polish-banks-tied-to-wider-hacking-campaign.html#tk.rss_security http://www.computerworld.com/article/3166824/security/polish-banks-on-alert-after-mystery-malware-found-on-computers.html http://www.forbes.com/sites/thomasbrewster/2017/02/16/dnc-fancy-bear-russia-hackers-mac-malware-hacking-team-fbi-fsb/#3998bc7812bc
https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/?amp=1 http://www.darkreading.com/risk/7-tips-for-getting-your-security-budget-approved/d/d-id/1328004 https://www.asd.gov.au/publications/protect/essential-eight-explained.htm http://www.csoonline.com/article/3163068/application-development/how-to-secure-active-directory.html https://securosis.com/mobile/tidal-forces-software-as-a-service-is-the-new-back-office/full
http://www.securityweek.com/cyber-threat-intelligence-shows-majority-cybercrime-not-sophisticated http://www.databreachtoday.com/new-in-depth-analysis-anthem-breach-a-9627 http://www.databreachtoday.com/475000-hipaa-penalty-for-tardy-breach-notification-a-9624 http://www.databreachtoday.com/insurer-slapped-22-million-hipaa-settlement-a-9643 https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/ https://securosis.com/mobile/tidal-forces-endpoints-are-different-more-secure-and-less-open/full
http://www.businessinsider.com/russian-hacking-fears-reportedly-triggered-by-vermont-employee-checking-his-email-2017-1 http://www.cio.com/article/3153706/security/4-information-security-threats-that-will-dominate-2017.html http://www.databreachtoday.com/major-breach-insurer-blames-system-integrator-a-9603 http://www.zdnet.com/article/this-ransomware-targets-hr-departments-with-fake-job-applications/ https://securosis.com/mobile/tidal-forces-the-trends-tearing-apart-security-as-we-know-it/full Network Security in the Cloud Age: Everything Changes http://blog.erratasec.com/2017/01/notes-about-ftc-action-against-d-link.html Slack Channel: https://defensivesecurity.org/slack-channel/
https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/ http://arstechnica.com/tech-policy/2016/12/disgraced-it-worker-stole-confidential-expedia-e-mails-even-after-he-left/ http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/ http://www.reuters.com/article/us-cyber-heist-bangladesh-exclusive-idUSKBN1411ST http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale http://arstechnica.com/security/2016/12/what-can-you-do-with-a-billion-yahoo-passwords-lots-of-bad-things/
2016 HOLIDAY PODCAST MASHUP With: PVC Security Podcast: http://www.pvcsec.com/ Brakeing Down Security Podcast: http://www.brakeingsecurity.com/ Advanced Persistent Security Podcast: https://advancedpersistentsecurity.net/ …and Amanda Berlin!
Slack channel: https://defensivesecurity.org/slack-channel/ http://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/ http://www.csoonline.com/article/3143713/analytics/shall-we-care-about-zero-day.html http://www.databreachtoday.com/umass-amherst-hit-650000-hipaa-settlement-a-9554 http://arstechnica.com/security/2016/11/elegant-0day-unicorn-underscores-serious-concerns-about-linux-security/ http://www.securityweek.com/disgruntled-gamer-likely-behind-october-us-hacking-expert http://www.theregister.co.uk/2016/11/17/google_hacker_pleads_try_whitelists_not_just_bunk_antivirus_ids/ https://blog.instant2fa.com/an-economic-model-for-security-spending-3d982d05d0c1#.fpcnkz5qn http://www.securityweek.com/when-ransomware-hits-business-paying-unlikely-guarantee-resolution http://www.csoonline.com/article/3142889/security/ransomware-victims-able-to-thwart-attacks-report-says.html
Book recommendations: https://defensivesecurity.org/resources/recommended-books/ Slack channel: https://defensivesecurity.org/slack-channel/ http://arstechnica.com/information-technology/2016/11/kaspersky-accuses-microsoft-of-anticompetitive-bundling-of-antivirus-software/ https://nakedsecurity.sophos.com/2016/11/11/yahoo-staff-knew-they-were-breached-two-years-ago/ http://www.csoonline.com/article/3139311/security/412-million-friendfinder-accounts-exposed-by-hackers.html
Overconfidence is putting organizations at higher risk for attacks http://arstechnica.com/security/2016/11/windows-zero-day-exploited-by-same-group-behind-dnc-hack/ http://www.bankinfosecurity.com/those-suing-anthem-seek-security-audit-documents-a-9498 https://it.slashdot.org/story/16/11/05/1744231/it-workers-facing-layoffs-jolted-by-ceos-message
http://www.securityweek.com/shadow-brokers-leaks-servers-allegedly-hacked-nsa http://www.bankinfosecurity.com/online-ad-industry-threatened-by-security-issues-a-9488 http://m.elpasoinc.com/news/local_news/article_92e82ee0-9f84-11e6-b429-0b2b853bae0b.html?mode=jqm http://researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/
Serious Dirty Cow Linux Vulnerability Under Attack http://news.softpedia.com/news/hackers-steal-research-and-user-data-from-japanese-nuclear-research-lab-509380.shtml https://www.databreaches.net/rainbow-childrens-clinic-notifies-33368-patients-of-ransomware-attack/ https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
http://conferences.oreilly.com/security/network-data-security-ny/public/content/buy-one-get-one-discount https://www.eventbrite.com/e/bsides-atlanta-2016-tickets-27895813128 http://www.cnbc.com/2016/10/14/british-banks-keep-cyber-attacks-under-wraps-to-protect-image.html http://www.lexology.com/library/detail.aspx?g=f17c1e55-5768-4ea6-a7e6-d555c4052eef https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
http://cybersecurity.oxfordjournals.org/content/early/2016/08/08/cybsec.tyw001 The psychological reasons behind risky password practices http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0 http://www.databreachtoday.com/blogs/yahoo-breach-great-nation-state-cop-out-p-2260
http://www.csoonline.com/article/3119965/security/a-single-ransomware-network-has-pulled-in-121-million.html https://www.sans.org/reading-room/whitepapers/dataprotection/data-breaches-prevention-practical-37267 http://www.bankinfosecurity.com/aligning-cyber-framework-organizations-strategy-goals-a-9401 http://arstechnica.com/security/2016/09/swift-fraudsters-detection-system-bangladesh-bank-heist/ http://www.bankinfosecurity.com/blogs/ransomware-victims-please-come-forward-p-2255 http://www.nytimes.com/2016/09/17/business/dealbook/wells-fargo-warned-workers-against-fake-accounts-but-they-needed-a-paycheck.html
http://news.softpedia.com/news/retiring-sysadmin-fakes-cyber-attack-to-get-away-with-data-theft-507992.shtml https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf http://money.cnn.com/2016/09/08/investing/wells-fargo-created-phony-accounts-bank-fees/index.html http://spectrum.ieee.org/view-from-the-valley/computing/it/facebook-engineers-crash-data-centers-in-realworld-stress-test http://www.bloomberg.com/news/articles/2016-09-08/cisco-s-network-bugs-are-front-and-center-in-bankruptcy-fight
http://www.csoonline.com/article/3110975/techology-business/how-do-you-measure-success-when-it-comes-to-stopping-phishing-attacks.html http://www.databreachtoday.com/equation-group-hacking-tool-dump-5-lessons-a-9358 http://www.csoonline.com/article/3109982/security/attackers-dont-need-vulnerabilities-when-the-basics-work-just-as-well.html http://www.securityweek.com/attacker-uses-virtual-machine-hide-malicious-activity http://www.networkworld.com/article/3110653/security/imperva-application-layer-ddos-attacks-are-on-the-rise.html http://arstechnica.com/security/2016/08/actively-exploited-ios-flaws-that-hijack-iphones-likely-spread-for-years/
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ http://www.extremetech.com/extreme/234031-your-guide-to-the-shadow-brokers-nsa-theft-which-puts-the-snowden-leaks-to-shame http://phys.org/news/2016-08-people-software-percent.html http://www.csoonline.com/article/3108025/cyber-attacks-espionage/cerber-ransomware-earns-2-3mil-with-0-3-response-rate.html
http://www.csoonline.com/article/3101863/security/report-only-3-percent-of-u-s-companies-pay-attackers-after-ransomware-infections.html http://www.bankinfosecurity.com/fed-reserve-a-9282 http://www.tripwire.com/state-of-security/featured/does-dropping-malicious-usb-sticks-really-work-yes-worryingly-well/ http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/ http://spectrum.ieee.org/tech-talk/telecom/security/nigerian-scammers-infect-themselves-with-own-malware-revealing-new-wirewire-fraud-scheme http://www.csoonline.com/article/3106076/data-protection/disable-wpad-now-or-have-your-accounts-and-private-data-compromised.html http://fortune.com/2016/08/12/delta-airlines-outages/
http://www.bankinfosecurity.com/report-new-york-fed-fumbled-cyber-heist-response-a-9281 http://motherboard.vice.com/read/ransomware-gang-claims-fortune-500-company-hired-them-to-hack-the-competition http://www.lexology.com/library/detail.aspx?g=d0f4e774-6c6a-4783-b993-4f165f1dcc7e
Tiaracon: http://tiaracon.org/ http://www.cbc.ca/news/technology/antivirus-software-1.3668746 http://www.csoonline.com/article/3089439/business-continuity/9-critical-controls-for-todays-threats.html http://www.bankinfosecurity.com/interviews/heartbleed-update-america-vulnerable-i-3242 http://www.bankinfosecurity.com/blogs/av-wars-sophos-vs-cylance-p-2172 http://www.reuters.com/article/us-cyber-fdic-china-idUSKCN0ZT20M http://blog.talosintel.com/2016/07/ranscam.html
http://blog.erratasec.com/2016/06/etheriumdao-hack-similfied.html#.V3BKyvkrJhE http://www.zdnet.com/article/cvss-scores-are-not-enough-for-modern-security/ http://www.crn.com/news/security/300081157/sophos-slams-cylance-in-blog-post-as-market-for-endpoint-security-heats-up.htm?itc=refresh
http://www.darkreading.com/vulnerabilities—threats/windows-badtunnel-attack-hijacks-network-traffic/d/d-id/1325875 http://krebsonsecurity.com/2016/06/adobe-update-plugs-flash-player-zero-day/ http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/ http://ieee-security.org/TC/SP2016/papers/0824a018.pdf https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/ https://www.washingtonpost.com/world/national-security/guccifer-20-claims-credit-for-dnc-hack/2016/06/15/abdcdf48-3366-11e6-8ff7-7b6c1998b7a0_story.html http://fox4kc.com/2016/06/15/platte-county-commissioners-give-treasurer-one-week-to-repay-funds-lost-to-email-scam/ http://www.abc.net.au/news/2016-06-18/software-legal-battle-could-put-sa-patients’-safety/7522934
TeamViewer Denies Hack, Blames Password Reuse for Compromises http://www.businessinsurance.com/article/20160602/NEWS06/160609935/chubb-p-f-changs-federal-insurance-co-cybersecurity-by-chubb-credit http://www.csoonline.com/article/3075385/backup-recovery/will-your-backups-protect-you-against-ransomware.html#jump http://www.csoonline.com/article/3077434/security/93-of-phishing-emails-are-now-ransomware.html#jump http://venturebeat.com/2016/06/04/federal-reserve-bank-was-hacked-more-than-50-times-between-2011-and-2015/ http://www.csoonline.com/article/3075758/data-breach/up-to-a-dozen-banks-are-reportedly-investigating-potential-swift-breaches.html#jump http://www.theregister.co.uk/2016/06/03/swift_threatens_insecure_bank_suspensions/
Vote for us! https://www.surveymonkey.com/r/secbloggerwards2016 http://www.csoonline.com/article/3071337/cyber-attacks-espionage/cybercriminals-are-increasingly-embracing-a-sophisticated-business-model-approach.html#tk.rss_all https://www.yahoo.com/news/special-report-cyber-thieves-exploit-banks-faith-swift-052100312–finance.html?ref=gs http://www.securityweek.com/google-soon-kill-sslv3-rc4-support-gmail https://threatpost.com/microsoft-warns-of-sneaky-new-macro-trick/118227/ http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html
http://www.bankinfosecurity.com/researcher-hacks-symantecs-av-via-email-a-9109 http://www.v3.co.uk/v3-uk/news/2457773/hackers-exploiting-six-year-old-sap-software-flaw-warns-us-cert http://arstechnica.com/security/2016/05/1b-bangladesh-heist-officials-say-swift-technicians-left-bank-vulnerable/ http://www.csoonline.com/article/3069502/data-breach/malware-attacks-on-two-banks-have-links-with-2014-sony-pictures-hack.html https://www.surveymonkey.com/r/secbloggerwards2016
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ https://blog.osvdb.org/2016/04/27/a-note-on-the-verizon-dbir-2016-vulnerabilities-claims/
http://baesystemsai.blogspot.nl/2016/04/two-bytes-to-951m.html https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/ http://www.csoonline.com/article/3061229/fraud/swift-banking-network-warns-customers-of-cyberfraud-cases.html http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_beaten_me_to_it/
https://www.helpnetsecurity.com/2016/04/15/eu-data-protection-rules/ http://pastebin.com/raw/0SNSvyjJ https://threatpost.com/apple-deprecates-quick-time-for-windows-wont-patch-new-flaws/117427/ http://www.welivesecurity.com/2016/04/13/medical-data-breach-leads-record-cash-settlement/
https://offensivetechblog.wordpress.com/2016/03/29/systems-admins-we-need-to-talk/ http://m.sfgate.com/business/technology/article/Hackers-broke-into-hospitals-despite-software-7229722.php http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
https://www.cooley.com/california-attorney-general-2016-data-breach-report http://www.csoonline.com/article/3049392/security/chinese-scammers-take-mattel-to-the-bank-phishing-them-for-3-million.html http://www.oreilly.com/security/newsletter http://conferences.oreilly.com/security/network-data-security-ny
https://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/116814/ http://www.csoonline.com/article/3048334/security/verizons-breach-experts-missed-one-right-under-their-noses.html http://www.wsj.com/articles/hackers-in-bangladesh-bank-account-heist-part-of-larger-breach-1458582678 http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
http://www.csoonline.com/article/3043975/security/compromised-data-goes-public-as-staminus-recovers-from-attack.html#tk.rss_all http://www.darkreading.com/endpoint/patch-management-still-plagues-enterprise/d/d-id/1324615 http://www.welivesecurity.com/2016/03/09/android-trojan-targets-online-banking-users/ http://arstechnica.com/security/2016/03/a-typo-costs-bank-hackers-nearly-1b/ http://www.cnet.com/news/home-depot-offers-19m-to-settle-customers-hacking-lawsuit/
http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf?_ga=1.157194172.685877305.1433735448 https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/ http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
http://www.databreachtoday.com/anthem-breach-lessons-one-year-later-a-8897 http://www.dw.com/en/hackers-hold-german-hospital-data-hostage/a-19076030 http://krebsonsecurity.com/2016/02/breached-credit-union-comes-out-of-its-shell/ http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power-outage-us-report-concludes/
http://www.scmagazineuk.com/russian-bank-licences-revoked-for-using-hackers-to-withdraw-funds/article/474464/ http://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-key/ http://news.softpedia.com/news/us-school-agrees-to-pay-8-500-to-get-rid-of-ransomware-500684.shtml http://www.scmagazineuk.com/44-of-ransomware-victims-in-the-uk-have-paid-to-recover-their-data/article/475426/ http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
http://www.tripwire.com/state-of-security/latest-security-news/cisco-patches-critical-asa-ike-buffer-overflow-vulnerability/ http://www.securityweek.com/we-cant-give-preventing-breaches http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html http://arstechnica.com/security/2016/02/clever-bank-hack-allowed-crooks-to-make-unlimited-atm-withdrawals/
http://www.theregister.co.uk/2016/02/04/norse_corp_ceo_fired/ http://www.secureworks.com/resources/blog/ransomware-used-as-a-distraction/ http://www.zdnet.com/article/most-windows-flaws-mitigated-by-removing-admin-rights-says-report/ http://mobile.reuters.com/article/idUSKCN0VD14X http://www.csoonline.com/article/3025787/security/defending-against-insider-security-threats-hangs-on-trust.html http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html
Hack in the Box: https://conference.hitb.org/ Circle City Con: https://circlecitycon.com/tickets/ http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/?page=1 https://www.youtube.com/watch?v=bDJb8WOJYdA http://krebsonsecurity.com/2016/01/sources-security-firm-norse-corp-imploding/ http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-hardware-found-in-more-products/
https://blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/ http://www.tripwire.com/state-of-security/security-data-protection/boeing-supplier-hacked-claims-55-million-worth-of-damage-as-stock-price-falls/ http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/ http://shawnetuma.com/2016/01/08/supervalu-data-breach-class-action-dismissed-for-lack-of-harm/ Hack in the Box: https://conference.hitb.org/ Circle City Con: https://circlecitycon.com/tickets/
http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-woefully-inadequate-forensics-report/ http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-password-raises-new-backdoor-eavesdropping-fears/ http://www.csoonline.com/article/3021774/security/trend-micro-flaw-could-have-allowed-attacker-to-steal-all-passwords.html
http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/ http://darkmatters.norsecorp.com/2015/12/28/the-cybersecurity-information-sharing-act-cisa-passed/