Paul's Security Weekly (Video-Only)

Security Weekly

About

If you're looking for a bunch of us security nerds to get together and talk shop, then Paul’s Security Weekly is for you. This show features interviews with folks in the security community; technical segments, which are just that, very technical; and security news, which is an open discussion forum for the hosts to express their opinions about the latest security headlines, breaches, new exploits and vulnerabilities, “not” politics, “cyber” policies and more. The topics vary greatly and the atmosphere is relaxed and very conversational. This is a longer show, typically 2+ hours, for those with a long commute.


961 episodes

The RESTRICT Act, Intel's Attack Surface, & Stop Developing AI (For 6 Months) - PSW #778

In the Security News: Turning traffic lights green with the Flipper Zero (and a bunch of other hardware), suspending AV and EDR, test signing mode, Linux control freaks, hacking the Apple Studio Display, Intel's attack surface reduction claim, the truth about TikTok that everyone is missing, just stop developing AI, but only for 6 months, anyone can connect to Amazon's wireless network, revoking the wrong things, losing your keys, the funny, not-so-funny things about firmware encryption, and exploding thumb drives. All that, and more, on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw778

1h 55m
Mar 30
Firmware Hacking! Reversing and Exploitation - Philippe Laulheret - PSW #778

How do you get into reversing embedded firmware? Can the planet really be hacked? We'll go over a couple of fun exploitation examples, see what mistakes were made, and maybe what could have been done better to make these devices tougher to break into. Segment Resources: VoIP phone hacking: Blog: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/avaya-deskphone-decade-old-vulnerability-found-in-phones-firmware/ DEF CON presentation (intro to hardware hacking): https://www.youtube.com/watch?v=HuCbr2588-w&ab_channel=DEFCONConference Medical research: B. Braun infusion pump: https://www.youtube.com/watch?v=6agtnfPjd64&ab_channel=hardwear.io Medical devices under attack: https://www.rsaconference.com/USA/agenda/session/Code%20Blue%20Medical%20Devices%20Under%20Attack Hacking DrayTek routers: https://www.youtube.com/watch?v=CD8HfjdDeuM&ab_channel=Hexacon Philippe's public work: https://github.com/philippelaulheret/talks_blogs_and_fun Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw778

1h 1m
Mar 30
7" Laptop, Trojans in Chips, Samsung's Faux Moon, & The 4 C's - PSW #777

In the Security News: Windows MSI tomfoolery, curl turns 8...point owe, who doesn't need a 7" laptop, glitching the ESP, your image really isn't redacted or cropped, brute forcing PINs, SSRF and Lightsail, reversing D-Link firmware for the win, ICMP RCE OMG (but not really), update your Pixel and Samsung, hacking ATMs in 2023, breaking down Fortinet vulnerabilities, jamming with an Arduino, it 315 Mega hurts, analyzing trojans in your chips, and the 4, er 1, er 3, okay well how to suck at math and the 4 Cs of Cybersecurity! All that, and more, on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw777

2h 7m
Mar 23
Vulnerability Research (& Other "Things") - Nico Waisman - PSW #777

We sit down with Nico Waisman to discuss vulnerability research and other security-related topics! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw777

1h 8m
Mar 23
How to Steal a Tesla, AI On Your Pi, Linux Desktop: Future, & SOCKS5 Your Burp - PSW #776

In the Security News: AI on your Pi, no Flipper for you, stealing Teslas by accident, firmware at scale, the future of the Linux desktop, protect your attributes, SOCKS5 for your Burp, TPM 2.0 vulnerabilities, the world's most vulnerable door device and hiding from "real" hackers, sandwiches, robot lawyers, poisonous EpiPens, and profanity in your code! All that, and more, on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw776

1h 46m
Mar 16
Everything's Valid in Code & War: Attacks on the Software Supply Chain - Santiago Torres Arias - PSW #776

Software supply chain attacks, those in which hackers target the "water supply" of software, are on the rise. This makes software developers everywhere valid targets. We will discuss the developer perspective on software supply chain attacks. Segment Resources: https://in-toto.io https://sigstore.dev Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw776

1h 3m
Mar 16
Hidden Buttons, Dumb Password Rules, BLE Relay Attack, & Stealthy UEFI - PSW #775

In the Security News: Using HDMI radio interference for high-speed data transfer, top 10 open source software risks, dumb password rules, Grand Theft Auto, the false promise of ChatGPT, the "Hidden Button", how a single engineer brought down Twitter, Microsoft's aim to reduce "tedious" business tasks with new AI tools, the internet is about to get a lot safer. All that, and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw775

1h 49m
Mar 09
Ask Our PSW Hosts Anything! - PSW #775

Tune in to ask our PSW hosts anything you want to know! Join the live discussion in our Discord server to ask a question. Visit securityweekly.com/discord for an invite! Larry Pesce, Jeff Man, Tyler Robinson, and more will be answering your questions, including: __ __ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw775

1h 10m
Mar 09
ChatGPT Articles, What the Zimbra, Burp Plugins, & Vocal Passports - PSW #774

In the Security News for this week: indistinguishable classifiers, screenshot the /etc/passwd file, what the Zimbra, a couple of cool Burp plugins, my voice is my passport, verify me, software is harder to exploit, unless it's in firmware, when ChatGPT writes an article, becoming a TrustedInstaller, not the last breach for LastPass, getting fried at the charger, and why hackers love stickers! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw774

1h 52m
Mar 02
Phishing Attack & Defense - Asaf Cidon - PSW #774

Barracuda published its 2023 Email Security Trends report, which shows how email-based security attacks affect organizations around the world. 75% of the organizations surveyed for the report had fallen victim to at least one successful email attack in the last 12 months, with those affected facing average costs of more than $1 million for their most expensive attack. 23% said that the cost of email-based attacks has risen dramatically over the last year. Segment Resources: https://assets.barracuda.com/assets/docs/dms/2023-email-security-trends.pdf This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw774

1h 3m
Mar 02
TikTok Thefts, Typo Squatting is Lame, Stealing from the TPM, & Codebreaking Letters - PSW #773

In the Security News: If it can run Linux, it should, TikTok thefts, significant vulnerability findings (and I'm not even joking), typo squatting is lame, what will it take Bruce!, stealing from the TPM, GoAnywhere, including root, what if attackers targeted your yacht?, two for the price of one (exploits), X is really old, and vulnerable, come for a ride on a CHERIoT and be memory safe, codebreaking old letters, and vulnerable Wienermobiles! All that, and more, on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw773

2h 8m
Feb 16
Zero Trust ≠ Zero Risk: Leveraging Risk Techniques for Zero Trust Acceleration - Ron Woerner - PSW #773

Zero Trust is the buzzword of the 2020s. Vendors are selling it, the US Federal Government is requiring it, and organizations are implementing it, but what does it really mean (I mean really, beyond the hype)? In this segment, Paul and Ron will talk about ways to combat threats through people, process, and technology with Zero Trust risk management. Segment Resources: Forrester Research Zero Trust blogs: https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/ Ron Woerner YouTube: https://www.youtube.com/user/ronw68123 VetSec: https://veteransec.org/ Free CISSP Training Program: https://frsecure.com/cissp-mentor-program/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw773

59m
Feb 16
The RIGHT Software, Docker vs. Root, CORS, Vuln Risk Scoring, & Cisco Attacks - PSW #772

In the Security News: VMware and ransomware make you want to run somewhere, double-free your OpenSSH, download the RIGHT software, you have Docker, I have root, we don't talk about CORS, to vulnerability or not to vulnerability, vulnerability risk scoring, a matter of perspective, very persistent Cisco attacks, running UPnP without all the protections, overflowing a buffer in your bootloader over HTTP, C can be memory safe (but developers will still screw it up), and lasers, microwaves, satellites and the Sun! All that, and more, on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw772

1h 27m
Feb 09
Linux and FOSS Supply Chain Issues - Hal Pomeranz - PSW #772

Linux systems are a collection of free and open source software, some packaged by your distro, some built from source. How do you verify that your upstream isn't polluted by bad actors? Segment Resources: https://github.com/evilsocket/opensnitch https://securityonionsolutions.com/software/ https://deer-run.com/users/hal/ https://archive.org/details/HalLinuxForensics Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw772

1h 9m
Feb 09
Super(conductive) Graphene, Yandex Leak, No Fly Lists, & Thinkpad Servers - PSW #771

In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (and not Log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, ThinkPad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinks he's some sort of hero, SH1MMER your Chromebook, and superconductive magic angle graphene! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw771

2h 6m
Feb 02
The Power of Purple Teaming: Using Runbooks to Standardize and Collaborate - Dan DeCloss - PSW #771

In a recent survey on purple teaming, 89 percent of respondents who had used the method deemed purple teaming activities "very important" to their security operations. Purple teaming exercises conducted regularly have the power to improve collaboration across teams, ensure issues are identified and remediated more proactively, and provide a means to measure progress over time. With all these benefits, why isn't everyone doing it? Purple teaming doesn't have to be such a heavy lift. With the right mindset and tools, any team can get started regardless of resources. This talk will highlight practical tips for getting started with purple teaming exercises and show off PlexTrac Runbooks, a platform designed to plan, execute, report, and remediate collaborative purple teaming engagements so teams can maximize their efforts and improve their security posture. Segment Resources: Learn more and book a demo: https://plextrac.com/securityweekly More information on Runbooks: https://plextrac.com/platform/runbooks/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw771

1h 5m
Feb 02
GetVariable Strikes Again, Linux Santa, AMD Vulns, & Remote Computer Detonation - PSW #770

This week in the Security News: GetVariable strikes again, attackers could blow up your computer remotely, escaping containers, null dereferences and faulty evaluations, 31 new CPU vulnerabilities for AMD, a look into Chrome, Santa, not-so-secure Secure Boot, and malware included! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw770

1h 49m
Jan 26
How Do We Raise the Floor for Software Quality? - Brian Behlendorf - PSW #770

Open source is the bedrock of most of the world's software today, so how do we raise the floor on software quality across the industry? First, we need better tools to measure the trustworthiness of code based on objective measures, processes that encourage better security practices by developers, and tools and processes that encourage teamwork and shared responsibility for security. Several efforts are underway in major open source communities to address these issues. At the Open Source Security Foundation (OpenSSF), major companies, open source software maintainers, startup companies and government actors are working together to improve open source software supply chain security. Brian will share his view of this landscape, detail the work being done at the OpenSSF, show where those efforts are already bearing fruit, and demonstrate what you and your organization can (must!) do to participate in these efforts. Segment Resources: https://openssf.org/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw770

58m
Jan 26
Real Time Linux, RSA Encryption, Sec vs. Compliance, Cold River, & ChatGPT - PSW #769

In the Security News: Do not panic about RSA encryption, the age-old debate: security vs. compliance, Cold River, and no, not the vodka, although it has to do with Russia, the exploit party is happening and someone invited vulnerable drivers, ChatGPT being used to deploy malware, chip vulnerabilities impacting ARM: what you need to know, admin versus admin with Intel AMT, and does password expiration help or hurt security? Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw769

1h 52m
Jan 12
Other Considerations for Applying Security into Critical Infrastructure Systems - Kate Stewart - PSW #769

Over the last few years, the trend to use open source has been migrating into safety-critical applications, such as automotive and medical, which introduces system-level analysis considerations. In a similar fashion, these components are now being considered for the evolution of critical infrastructure systems. In the US, security concerns have prompted some emerging best practices, such as increased transparency of components via software bills of materials (SBOMs), but this is not the only aspect to keep in mind. Segment Resources: * https://www.linux.com/featured/sboms-supporting-safety-critical-software/ * https://elisa.tech/ * https://www.zephyrproject.org/ * https://spdx.dev/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw769

1h 2m
Jan 12
Roblox Prison, 3DS RCE, Puckungfu, Google Home Wiretaps, & Lastpass Hack - PSW #768

In the Security News: The Roblox prison yard, password manager problems, PyTorch gets torched with a supply chain attack, Oppenheimer cleared, Puckungfu, spice up your persistence with PHP, turning Google Home into a wiretap device, Nintendo 3DS remote code execution, Linux kernel remote code execution, stealing cards in 2022 (the API way), and there is no software supply chain... and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw768

2h 8m
Jan 05
Software Supply Chain Security & MITRE's System of Trust - Robert Martin - PSW #768

This session explores software supply chain security and the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology, for evaluating suppliers, supplies, and service offerings alike, that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices. Segment Resources: - https://sot.mitre.org/overview/about.html - https://shiftleft.grammatech.com/automating-supply-chain-integrity - https://www.reversinglabs.com/conversinglabs/robert_martin_mitre_software_supply_chain_system_of_trust - https://www.mitre.org/sites/default/files/2022-11/PR-22-01488-20-cybersecurity-benefits-of-sbom-september-2022.pdf - https://www.mitre.org/sites/default/files/2021-11/prs-21-0278-deliver-uncompromised-securing-critical-software-supply-chain.pdf Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw768

59m
Jan 05
Holiday Security News & The Holiday Hack Challenge 2022! - PSW #767

This week, we round out the Holiday Special 2022 with a special guest appearance by Ed Skoudis, who joins to fill us in on the Holiday Hack Challenge! Then, an utterly chaotic session of security news to close out 2022! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw767

2h 18m
Dec 15, 2022
Hacker Trivia - PSW #767

How well do you know your hacker history and trivia? See how you compare to our hosts as we tackle hacker trivia live on the air! Categories will include hacker movies, hacker history, and hacker tools. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw767

1h 29m
Dec 15, 2022
How To Get Started in Information Security - PSW #767

Without question, we need more people working in cybersecurity today. Our culture has come a long way toward being more open and inviting to new folks, but we still have a lot of work to do. What can you do if you want to break into the field of cybersecurity today? While there is no shortage of resources, our experienced hosts will offer their thoughts, opinions, and advice on how you can become the next cybersecurity pro! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw767

1h 28m
Dec 15, 2022
Is Penetration Testing Dead? - PSW #767

While we most likely do not believe that penetration testing is dead, it continues to evolve over time. What do penetration tests look like today? Have they become more or less specialized? What is the continuing value of penetration testing? With development and IT moving so fast, how have penetration tests adapted? This discussion will dive into the details of penetration testing today and provide you with a guide to make the most of this activity. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw767

1h 27m
Dec 14, 2022
Ping of Death, 500 Year Old Ciphers, Pwn The Dev, & Chatbot's Order 66 - PSW #766

In the Security News: ping of death returns, remembering when the internet disconnected if your mom picked up the phone, a 500-year-old cipher is cracked, VLC is always up to date, SIM swapper goes to prison, Rust is more secure but your supply chain is not, if you pwn the developer you win, you have too many security tools, Chrome zero-days are not news, Log4Shell, what changed?, Hive Social again, ChatGPT, there's a vulnerability in your SDK, and it takes 3 exploits to pwn Linux. All that, and more, on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw766

1h 49m
Dec 08, 2022
Severe BMC Vulnerabilities - Nate Warfield - PSW #766

Eclypsium's research team has discovered 3 vulnerabilities in BMCs (baseboard management controllers). Nate Warfield comes on the show to tell the full story! This has garnered much attention in the press: * Original research post: https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/ * https://www.securityweek.com/security-flaws-ami-bmc-can-expose-many-data-centers-clouds-attacks * https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html * https://therecord.media/three-vulnerabilities-found-in-popular-baseboard-software/ * https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-impact-servers-from-amd-arm-hpe-dell-others/ * https://duo.com/decipher/trio-of-megarac-bmc-flaws-could-have-long-range-effects * https://www.csoonline.com/article/3682137/flaws-in-megarac-baseband-management-firmware-impact-many-server-brands.html Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw766

59m
Dec 08, 2022
To The Cloud! (Or Not Yet?) - Sinan Eren - PSW #766

Is there still a network, or has it slipped away from us entirely? What about efforts for localization because people do not trust the cloud, its providers or its reliability (a la Twitter vs. the Fediverse)? Do you still need actual hardware firewalls? What about VPNs? How long will these devices still be around as everyone goes to the cloud and SD-WAN technologies? And what about identity? If you can nail identity, doesn't that set you up to be a cloud-first organization? Join us for a discussion with Sinan and the Security Weekly hosts as we tackle these questions! This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw766

56m
Dec 08, 2022
Open Source Security - Josh Bressers, Kurt Seifried - PSW #765

We are joined by Josh and Kurt from the amazing Open Source Security Podcast! We're talking about supply chain risks, threats and vulnerabilities in this segment! Segment Resources: https://opensourcesecurity.io/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw765

48m
Dec 01, 2022