This week the crew discusses: When TVs scan your network, bad things can happen, PuTTY is vulnerable, Crush FTP, vulnerabilities that will never be fixed, CVEs are for vulnerabilities silly, you can test for easily guessable passwords too, FlipperZero can steal all your passwords, more XZ style attacks, more reasons why you shouldn't use a smart lock, and your keystrokes are showing!

Show Notes: https://securityweekly.com/psw-826

On February 27, 2024, PCAST (President’s Council of Advisors on Science and Technology) sent a report to the President with recommendations to bolster the resilience and adaptability of the nation’s cyber-physical infrastructure resources. Phil was part of the team that worked on the report and comes on the show to talk about what was recommended and how we implement the suggestions.

Show Notes: https://securityweekly.com/psw-826

Pioneering the Cyber Battlefield: A Deep Dive with Winn Schwartau, Cybersecurity Luminary

Get ready for an extraordinary episode as we sit down with Winn Schwartau, a true pioneer and luminary in the world of cybersecurity. Winn's impact on the field is nothing short of legendary, and in this podcast interview, we uncover the profound insights and experiences that have shaped his unparalleled career.

Winn Schwartau's journey began long before the mainstream recognition of cybersecurity as a critical discipline. As a thought leader and visionary, he foresaw the digital threats that would come to define our interconnected age. Join us as we delve into the early days of cybersecurity and explore the foresight that led Winn to become a trailblazer in the industry.

An accomplished author, speaker, and strategist, Winn Schwartau has been at the forefront of shaping cybersecurity policies and practices. From his groundbreaking book "Information Warfare" to his influential work on the concept of the "Electronic Pearl Harbor," Winn has consistently pushed the boundaries of conventional thinking in cybersecurity.

In this podcast episode, Winn shares his unique perspective on the evolution of cyber threats, the challenges faced by individuals and organizations, and the urgent need for a paradigm shift in cybersecurity strategy. Prepare to be captivated by the stories and experiences that have fueled Winn's advocacy for a more resilient and secure digital world.

Whether you're a cybersecurity professional, an enthusiast, or simply intrigued by the profound impact of technology on our lives, this conversation with Winn Schwartau promises to be a journey through the past, present, and future of cybersecurity.

Don't miss the chance to gain unparalleled insights from a true cybersecurity luminary. Tune in and discover the wisdom that only Winn Schwartau can bring to the table in this illuminating podcast interview.

Show Notes: https://securityweekly.com/psw-825

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) puts greater emphasis on application security than did previous versions of the standard. It also adds a new “customized approach” option that allows merchants and other entities to come up with their own ways to comply with requirements, and which also has implications for application security. Specifically, PCI DSS 4.0 requires that by March 31, 2025, more testing of public-facing applications related to payment processing or other activities be considered “in scope” for compliance. Generally, any system that touches payment-card data is in scope for PCI DSS compliance, whether or not the system or function is public-facing. We'll talk through what organizations should have gotten done by March 31, 2024, and what needs to happen by March 31, 2025.

Segment Resources: https://info.obsglobal.com/pci-4.0-resources

Show Notes: https://securityweekly.com/psw-825

Ahoi new VM attacks ahead! HTTP/2 floods, USB Hid and run, forwarded email tricks, attackers be scanning, a bunch of nerds write software and give it away for free, your TV is on the Internet, Rust library issue, D-Link strikes again, EV charging station vulnerabilities, and rendering all cybersecurity useless.

Show Notes: https://securityweekly.com/psw-824

Jim joins the Security Weekly crew to discuss all things supply chain! Given the recent events with XZ we still have many topics to explore, especially when it comes to practical advice surrounding supply chain threats.

Show Notes: https://securityweekly.com/psw-824

pfSense switches to Linux (April Fools?), Flipper panic in Oz, Tales from the Krypt, Funding to secure the Internet, Abusing SSH on Windows, Blinding EDR, more hotel hacking, Quantum Bleed, and more!

Show Notes: https://securityweekly.com/psw-823

As most of you have probably heard there was a scary supply chain attack against the open source compression software called "xz". The security weekly hosts will break down all the details and provide valuable insights.

• https://blog.qualys.com/vulnerabilities-threat-research/2024/03/29/xz-utils-sshd-backdoor
• https://gynvael.coldwind.pl/?id=782
• https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800
• https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
• https://github.com/amlweems/xzbot
• https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
• https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/
• https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
• https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
• https://xeiaso.net/notes/2024/xz-vuln/
• https://infosec.exchange/@[email protected]
• https://github.com/notselwyn/cve-2024-1086?tab=readme-ov-file
• https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd

Show Notes: https://securityweekly.com/psw-823

The PSW crew discusses some crypto topics, such as post-quantum and GoFetch, new Flipper Zero projects, RFID hacking and hotel locks, BlueDucky, side channel attacks and more!

Show Notes: https://securityweekly.com/psw-822

Jason Healey comes on the show to discuss new ideas on whether the new national cybersecurity strategy is working.

Segment Resources:

• DEFRAG Hacker Film Festival short documentary (https://youtu.be/NYvHWcQsIRE) on hackers and their favorite films. For educational purposes only, as we don’t have the rights to the clips.
• YouTube link to Wargames event with Jen Easterly, Matt Devost, Amelia Koran and Kevin Huyck (head of ops for NORAD) (https://youtu.be/iqx6STDYJ7c?si=73WQtSG4RnCGsBcT).
• https://www.lawfaremedia.org/article/which-cyber-regulations-fit-which-sectors
• https://www.lawfaremedia.org/article/the-national-cybersecurity-strategy-breaking-a-50-year-losing-streak
• https://www.lawfaremedia.org/article/twenty-five-years-of-white-house-cyber-policies
• https://www.lawfaremedia.org/article/understanding-offenses-systemwide-advantage-cyberspace

Show Notes: https://securityweekly.com/psw-822

We discuss the always controversial Flipper Zero devices the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.

(00:01) Security Practices and Flipper Zero (07:01) Technology and Privacy Concerns in Cars (17:33) Undersea Cables and NVD Issues (27:45) Government Oversight and Funding for Cybersecurity (33:33) Improving Vulnerability Prioritization in Cybersecurity (45:37) Risk Management and CVE Implementation (58:06) Cybersecurity Budget and Risk Management (01:10:48) Unique Challenges in Cybersecurity Industry (01:16:41) Discussion on Open Source and CNAs (01:26:44) Bluetooth Vulnerabilities and Exploits Discussed (01:39:46) Email Security and Compromised Accounts (01:46:23) Cybersecurity Threats and Vulnerabilities (01:52:06) GPU Security Vulnerabilities Explained

Show Notes: https://securityweekly.com/psw-821