Three Buddy Problem - Episode 16: We break down the new GCHQ advisory on the history and tactics of Russia’s APT29, the challenges of tracking and defending against these sophisticated espionage programs, the mysterious Salt Typhoon intrusions, the absence of technical indicators (IOCs), the risks of supply chain attacks. We also touch on the surge in zero-day discoveries, the nonstop flow of exploited Ivanti security bugs, and why the CSRB should investigate these network edge device and appliance vendors.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Three Buddy Problem - Episode 15: Juanito checks in from Virus Bulletin with news on the return of Careto/Mask, a ‘milk-carton’ APT linked to Spain. We also cover the latest controversy surrounding IDA Pro's subscription model, a major new YARA update, and ongoing issues with VirusTotal's value and pricing. The conversation shifts to North Korean cyber operations, particularly the infiltration of prominent crypto companies, Tom Rid's essay on Russian disinformation results, and the US government's ICE department using commercial spyware from an Israeli vendor.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Three Buddy Problem - Episode 6: As the dust settles on the CrowdStrike incident that blue-screened 8.5 million Windows computers worldwide, we dig into CrowdStrike’s preliminary incident report, the lack of transparency in the update process and the need for more robust testing and validation. We also discuss Microsoft's responsibility to avoid infinite BSOD loops, risks of deploying EDR agents on critical systems, and how an EU settlement is being blamed for EDR vendors having access to the Windows kernel.

Other topics on the show include Mandiant's attribution capabilities, North Korea’s gov-backed hacking teams launching ransomware on hospitals, KnowBe4 hiring a fake North Korean IT worker, and new developments in the NSO Group surveillance-ware lawsuit.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

David Weston manages the Windows Device and Offensive Security Research teams at Microsoft. He joins the podcast to talk about how proactive red-team exercises push major mitigations to Microsoft's products and the current state of security in the Windows ecosystem.

SVP and Chief Information Security Officer (CISO) at Lending Club, Rich Seiersen, digs into the nuts and bolts of defending a financial services firm, his approach to finding quality cybersecurity talent, and the importance of confronting security with data. (Recorded during fireside chat at SecurityWeek’s CISO Forum).

Founder and CEO of GreyNoise Intelligence Andrew Morris (andrew___morris) talks about his “anti threat-intelligence” company, the ways SOCs are using it to filter through scanning noise and the trials and tribulations of bootstrapping a start-up.

Managing Partner at YL Ventures, Yoav Leitersdorf (ylventures), explains the surge in cybersecurity investments in Israel, the priorities for his $75 million fund and which sectors are ripe for the picking.

Principal Security Researcher at Recorded Future’s Insikt Group, Juan Andrés Guerrero-Saade (juanandres_gs), explains the nuances of good threat intelligence, sheds light on nation-state hacker activity and warns that adversaries don’t have to be “sophisticated” to launch successful attacks.

The founder and CEO of Dragos, Inc. Robert M. Lee (RobertMLee) cuts through the hype around threats to critical infrastructure and offers a matter-of-fact take on active defense, “hacking-back,” and nation-state espionage operations.

VP of Product at RiskIQ Brandon Dixon (@9bplus) delves into nation-state cyber operations, explains why it’s dangerous to underestimate North Korea’s capabilities, and his passion for roasting the perfect coffee bean.

Slack security architect Ryan Huber talks about the gargantuan task of defending an organization with 8 million daily active users, burnout, and fatigue in security teams and a range of issues around bug bounties and penetration testing.

Chief Technology Officer at Quarkslab Ivan Arce (@4dgifts) tells stories about the birth of penetration testing platforms, the concentration of hacking talent in Argentina, and his focus on security problems in the Android ecosystem.

Founder and CEO of Fyde (@FydeApp) Sinan Eren discusses the “iOS-ification” of platforms and the security ramifications, the dangers of running AV software, the iOS vs. Android security argument, and his new venture to address mobile phishing attacks.

Three Buddy Problem - Episode 5: Hot off the press, we dive into the news of the CrowdStrike software update that caused blue screens on computers worldwide, the resulting chaos and potential connections to the Microsoft 365 outage, the fragility of modern computing and the risks of new software paradigms.

We also discuss the AT&T mega-breach and the ransom paid to delete the stolen data; the challenges of ransomware and the uncertainty surrounding the deletion of stolen data; the FBI gaining access to a password-protected phone, the prices for zero-click exploits; and the resurgence of APT 41 with expanding targets.

Plus, some news on upcoming keynote speakers at LabsCon 2024.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Founder and CTO at Senrio Stephen Ridley (@s7ephen) talks about the abysmal state of IoT security, his recent exploitation of an IP camera, and router to exfiltrate corporate data and his experience as a minority in the security industry.

Founder and CEO at MKACyber Mischel Kwon joins the podcast to address the state of the SOC (Security Operations Center) and how businesses should deal with issues around excessive alerts, incident response times, and outdated metrics.

CISO and VP of Strategy at Digital Shadows Rick Holland discusses his path in the information security industry, advancements in the threat intel space, and his passion for good bar-b-que.

Latacora Security founder Thomas Ptacek joins the podcast to weigh in on the cybersecurity skills shortage, his approach to recruiting and hiring, and what needs to be done to address diversity in the industry.

Co-founder and Chief Security Officer at Signal Sciences Zane Lackey riffs on DevOps, the almost impossible task of defending organizations from intruders, bug bounties versus penetration testing, and the pros and cons of launching a company with venture capital investment.

Thinkst founder Haroon Meer talks about building a security company from scratch without VC funding, using Canaries to pinpoint signs of intruder activity, advancements in security research, and the state of the bug bounty market.

Red teamer and security researcher by day, nerdcore rapper by night, ‘int eighty’ joins the podcast to talk about his work breaking into computer systems, common security mistakes that people make, and his double life as a musician in Dual Core.

Veteran cybersecurity writer Dennis Fisher joins the podcast to talk about his new journalism venture at decipher.sc, his preference for long-form writing, and the trends worth following in the security space.

Tim Maurer, a scholar at the Carnegie Endowment for International Peace, talks about nation state-backed hacking activity and the dangers of breaking trust in the global financial system.

Principal and founding investor at ForgePoint Capital Cybersecurity William Lin talks about venture capital activity in the security space, sectors that are ripe for investment, missed bets on successful companies, and the cybersecurity talent shortage.

Three Buddy Problem - Episode 4: The boys delve into the massive AT&T call logs breach, the Snowflake incidents and the notion of shared-fate/shared responsibilities; news on fresh Apple notifications about mercenary spyware on iPhones and the effectiveness of notifications for different types of controversial targets. Plus, thoughts on Microsoft's zero-day disclosures and useless Patch Tuesday bulletins, AI-powered disinformation campaigns, and the US government's malware sharing initiative fading away.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek).

Chief Information Security Officer at Turner Broadcasting Pete Chronis discusses his new book on solving the cybersecurity conundrum, the day-to-day grind of securing a global media organization, and the role of the CISO in the modern world.

Adobe’s Chief Security Officer Brad Arkin talks about setting and managing risk management priorities, protecting company infrastructure, the challenges of securing software, and the looming death of Adobe Flash Player.

Director of Security at Facebook Aanchal Gupta joins the podcast to share her story and provide guidance for young women struggling to overcome societal obstacles.

Senior Director of Security and Compliance at Vera Security Tom Conklin talks about the pros and cons of using bug bounty programs, the challenges of managing risk in smaller companies, and why user awareness training is an ongoing headache for security administrators.

Chief Information Security Officer at Fox News, Fox Business, and Fox Television John Terrill joins the podcast to talk about life in the CISO trenches and makes a bold prediction that could significantly change the cybersecurity narrative.

Co-founder and CEO of Recorded Future Christopher Ahlberg discusses the emergence of threat intelligence as a valuable security tool, the morals and ethics surrounding disclosure of nation-state attacks and the importance of tracking adversaries beyond the wall.

As businesses struggle with security awareness training for employees, Elevate Security co-founder Masha Sedova argues that the focus should be on “behavior change” and recommends the use of positive motivation and available tools to get employees to make better security decisions.

Veteran security journalist Paul Roberts talks about the creation of Security Ledger, his work covering cybersecurity, the democratization of media, and hiccups with IoT legislation.

Dino Dai Zovi, co-founder and CTO of Capsule8, joins the podcast to talk about the fallout from the Meltdown and Spectre vulnerabilities, the transition from security research to managing a VC-funded start-up and reminisce about his time as a famous Pwn2Own MacBook hacker.

Sharon Anolik, President and Founder of Privacy Panacea, talks about her work advising corporate clients on privacy and data protection issues, the looming chaos surrounding the European Union’s GDPR (General Data Protection Regulation) and the role she plays on ‘Silicon Valley.’

The 'Three Buddy Problem' Podcast Episode 3: Former NSA computer scientist Dave Aitel (Immunity Inc., Cordyceps Systems) joins Juan Andres Guerrero-Saade for a frank discussion on the OpenSSH unauthenticated remote code execution vulnerability and the challenges around patching and exploitation, the CISA 'secure-by-design' pledge and its impact on software vendor practices, Microsoft lobbying and the CSRB report, and changing face of government's attempts at cybersecurity regulations.

We discuss the disruption caused by political changes and the potential implications for cybersecurity policies, impact from the Supreme Court Chevron ruling, security regulations and the challenges of writing laws for future technology, the role of CISA and its accomplishments, the debate around offensive cyber operations and the responsibility of companies like Google in addressing vulnerabilities.

The need for clear separation between counterterrorism and espionage operations is highlighted, as well as the importance of understanding both defensive and offensive perspectives.

• Costin Raiu is on vacation.

Award-winning security journalist and author Kim Zetter talks about her work tracking cyber-espionage campaigns, why she uses an old school cassette player to record sensitive interviews and the dramatic changes sweeping the security industry.

Dark Reading executive editor Kelly Jackson Higgins joins the podcast to tell security journalism war stories, talk about her new WiFi-enabled refrigerator and some trends worth following closely.

Computer security researcher and CEO of Luta Security, Katie Moussouris. talks about her life in the penetration testing trenches, advocating responsible security research, building bug bounty programs and the challenges of succeeding as a woman in the industry.

The 'Three Buddy Problem' Podcast Episode 2: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade go all-in on the discussion around Google Project Zero disrupting counter-terrorism malware operations.

A deep dive on disruption vs exposure, the effects of US government sanctions on private mercenary hacking companies, hypocricy and the tricky relationship between malware researchers are the intelligence community, and the lack of 'success stories' from so-called benevolent malware.

We also discuss the implications of the TeamViewer breach by a skilled Russian APT, new Microsoft notifications to Midnight Blizzard victims and share thoughts on the Polyfill.io supply chain compromise.

Welcome to Episode 1 of a brand new cybersecurity podcast discussing the biggest news stories of the week. Ryan Naraine hosts a fast-moving conversation with Juan Andres Guerrero-Saade (LABScon) and Costin Raiu (Art of Noh) on the Microsoft Recall debacle, the dark patterns emerging as big-tech embraces AI, Brad Smith's testimony and the lingering effects of the CSRB report, Apple's new Private Cloud Compute (PCC) infrastructure and Cupertino's long game. Oh, we also talk about the KL ban.

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• XZ.fail backdoor detector (https://xz.fail)

Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium, and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and promise of AI, and his mission to help highly technical founders bring products to market.

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• XZ.fail backdoor detector (https://xz.fail)

Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state.

Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB).

In this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.

In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.

Three Buddy Problem - Episode 14: The buddies are back together for a discussion on Juan’s LABScon keynote and mental health realities, Microsoft rewriting the Windows Recall security architecture, a new CVSS 9.9 Linux CUPS flaw, Kaspersky's controversial transition to Ultra AV, and the intelligence operations surrounding exploding pagers in Lebanon.

(This episode is dedicated to the memory of Jeff Wade from Solis, who was an important part of the LABScon family.)

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.

In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the potential of AI models and their impact on various aspects of technology and society and digs into the importance of improving model interaction by allowing more thoughtful and refined responses.

We also discuss how AI can be a superpower, enabling rapid prototyping and idea generation. The discussion concludes with considerations for safeguarding AI models, including transparency, explainability, and potential regulations.

Takeaways:

• Scaling pen testing can be challenging, and maintaining quality becomes difficult as the team grows. Bug bounty programs have been a net positive for businesses, providing valuable insights and incentivizing innovative research.
• Attack surface management plays a crucial role in identifying vulnerabilities and continuously monitoring an organization's security posture.
• Social engineering attacks, such as SIM swapping and phishing, require a multi-faceted defense strategy that includes technical controls, policies, and user education.
• AI has the potential to augment human intelligence and improve efficiency and effectiveness in cybersecurity. Improving model interaction by allowing more thoughtful and refined responses can enhance the user experience. Algorithms can be used to delegate tasks and improve performance, leading to better results in complex tasks.
• AI is an inflection point in technology, comparable to the internet and the industrial revolution. Can be game-changing to automate time-consuming tasks, freeing up human resources for more strategic work.
• Autocomplete and code generation tools like Copilot can significantly speed up coding and reduce errors. AI can be a superpower, enabling rapid prototyping, idea generation, and creative tasks.
• Safeguarding AI models requires transparency, explainability, and consideration of potential biases. Regulations may be necessary to ensure responsible use of AI, but they should not stifle innovation. Global adoption of AI should be encouraged to prevent technological disparities between countries.

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.