50 episodes

Without trust, society stagnates, economies decline, and businesses fail. This podcast series keeps abreast of the latest trends and challenges in cyber and physical security with interviews, event updates, industry suppliers & government initiatives.

Cyber Security Weekly Podcast MySecurity Media

    • News
    • 5.0 • 2 Ratings

    • video
    Episode 364 - Software supply chain risks

    Jane Lo, Singapore Correspondent, speaks with Yakir Kadkoda, Security Researcher, and Ilay Goldman, Security Researcher, with Aqua Security.

    Yakir Kadkoda combines his expertise in vulnerability research with a focus on discovering and analyzing new security threats and attack vectors in cloud native environments, supply chain security, and CI/CD processes. Prior to joining Aqua, Yakir worked as a red teamer.

    Ilay Goldman specializes in discovering and analyzing novel security threats and attack vectors in cloud native environments, supply chain security, and CI/CD processes. Additionally, Ilay conducts research on open-source security and vulnerabilities. Prior to joining Aqua, he worked as a red teamer.

    In this interview at Black Hat Asia, Yakir and Ilay explain the complexity of a modern software supply chain and the dependency of a typical software development cycle on open-source code and a wide array of tools and platforms. They note that in this supply chain ecosystem, there are many vulnerable tools and platforms trusted by the majority of developers.

    To highlight some examples of these vulnerabilities, Yakir and Ilay divide the development flow of many organizations into different phases: Integrated Development Environments (IDEs), Source Code Managers (SCMs), Continuous Integration/Continuous Delivery (CI/CD), package management and more. They point out, for instance, the potential of malicious IDE extensions that may be inadvertently trusted by developers, or how threat actors could compromise access to package manager platforms to pass off malicious packages as legitimate ones. They also share how they found tens of thousands of tokens of open source projects that have been leaked by CI/CD platforms, which could be exploited for lateral movement.

    Wrapping up, they advise that software developers practice security-by-design: whilst “security takes time”, fixing the problem later may incur even more cost and time.

    Recorded 11th May 2023, 11am, Black Hat Asia 2023, Singapore Marina Bay Sands

    #BHasia #mysecuritytv #supplychain #cybersecurity

    • video
    Episode 363 - From Spectre/Meltdown to side channel attacks on microcontrollers

    Jane Lo, Singapore Correspondent, speaks with Sandro Pinto, Associate Research Professor, and Cristiano Rodrigues, PhD candidate, of the University of Minho, Portugal.

    Sandro holds a PhD in Electronics and Computer Engineering. Sandro has a deep academic background and several years of industry collaboration focusing on operating systems, virtualization, and security for embedded, cyber-physical, and IoT-based systems. He has published 70+ scientific papers in top-tier conferences/journals (e.g., IEEE S&P, USENIX Security) and is a skilled presenter with speaking experience in several academic and industrial conferences (e.g., Black Hat Asia, Hardwear.io, RISC-V Summit, Embedded World). Sandro is a long-term supporter of open-source projects and is currently helping several companies and institutions to make security practical at scale.

    Cristiano Rodrigues is a PhD candidate at the University of Minho in Portugal, with a master's degree in Electronic and Computer Engineering. Cristiano is a driven and skilled individual with extensive expertise in hardware/software co-design, safety-critical systems, trusted execution environments for microcontrollers, Armv8-M TrustZone, and embedded security for IoT-based systems.

    In this interview, Sandro and Cristiano gave highlights of their talk on a novel class of microarchitectural timing side-channel attacks affecting MCUs. They shared that while the discovery of the Spectre and Meltdown side-channel attacks exposed the potential for side-channel attacks on hidden transient states, one class of computing systems is apparently resilient to these attacks: microcontrollers (MCUs).

    Sandro explained that MCUs are at the heart of embedded and IoT devices (such as smart watches and IoT home devices) and, as such, are resource-constrained in terms of computing power, memory and power consumption. He said there is therefore a common belief that MCUs are not vulnerable to attacks such as Spectre or Meltdown, as MCU microarchitecture is intrinsically simple compared to the more complex microprocessors powering cloud infrastructure, servers and desktops, which are hence more vulnerable to side-channel attacks.

    Sandro and Cristiano demonstrated the fallacy of this assumption through their attack on a smart IoT lock. By mounting a timing side-channel attack on a smart lock application (that, for example, unlocks a vault or a door), they were able to retrieve the secret PIN.

    Sandro also reflected on the challenges and shared some thoughts on increasing the sophistication of the attack (e.g. remote access, alleviating the need for access to code, scaling to multiple types of microcontrollers). Wrapping up, he stressed that sharing the results of their work is part of responsible disclosure, and advised consumers who buy IoT devices with affected microcontrollers to look out for potential announcements from manufacturers. (For an example of a follow-up action from a manufacturer, Arm, see: https://developer.arm.com/documentation/ka005578/latest/)

    Recorded 11th May 2023, 12 noon, Black Hat Asia 2023, Singapore Marina Bay Sands

    #bhasia #cybersecurity #mysecuritytv

    • video
    Episode 362 - OpenJDK offering security and cost efficiencies

    Azul is the largest provider of commercial support for OpenJDK, supporting more versions of Java than any other vendor, including Oracle.

    The University of Sydney has recently selected Azul as the institution’s sole Java provider, switching from Oracle Java. The announcement takes place amid major changes to Oracle Java pricing and a rapid increase in the adoption of OpenJDK-based Java runtimes. By some estimates, usage of Oracle Java has fallen from roughly 75 per cent in 2020 to 34 per cent in 2022.

    We speak with Scott Sellers, President, CEO and Co-Founder of Azul, visiting Australia from the USA to meet with customers and partners.

    With more than 30 years of successful leadership in building high technology companies and delivering advanced products to market, Scott provides the overall strategic leadership and visionary direction for Azul Systems. Scott has a consistent proven track record of vision, leadership, and success in enterprise, consumer and scientific markets. Prior to co-founding Azul Systems, Scott founded 3dfx Interactive, a graphics processor company that pioneered the 3D graphics market for personal computers and game consoles. Scott served at 3dfx as Vice President of Engineering, CTO and as a member of the board of directors and delivered 7 award-winning products and developed 14 different graphics processors. After a successful initial public offering, 3dfx was later acquired by NVIDIA Corporation. Prior to 3dfx, Scott was a CPU systems architect at Pellucid, later acquired by MediaVision. Before Pellucid, Scott was a member of the technical staff at Silicon Graphics where he designed high-performance workstations. Scott graduated from Princeton University with a bachelor of science, earning magna cum laude and Phi Beta Kappa honors.

    Scott has been granted 8 patents in high performance graphics and computing and is a regularly invited keynote speaker at industry conferences.

    Read more - https://chiefit.me/university-of-sydney-boards-the-azul-train/

    #azul #java #mysecuritytv

    • video
    Episode 361 - Insider Threats and Corporate Data exfiltration

    Jane Lo, Singapore Correspondent, speaks with Dagmawi Mulugeta, Threat Researcher with Netskope Threat Labs.

    Dagmawi has his OSCP and has previously worked at Cyrisk (a subsidiary of 4A Security), Sift Security (acquired by Netskope), and ECFMG as a researcher, security engineer, and developer. He has innate interests in public CTFs, exploit development, and abuse of cloud apps. He has his MSc in Cybersecurity from Drexel University.

    In this interview, Dagmawi shared the behavioural insights found for employees preparing to leave, and how these indicators could enable organizations to protect their data more effectively. He noted the concern that many organisations have with “flight risk” users, that is, employees who are getting ready to leave, taking corporate data with them. A common question in addressing this concern is how to identify such risks efficiently, without sifting through hundreds of alerts and spending hundreds of man-hours.

    Dagmawi shared how they approached this problem by analysing anonymized data of over 4 million users from more than 200 different organizations worldwide, and some interesting key revelations: (i) 15% of leavers used personal cloud apps (e.g. Google Drive, Gmail) to take data with them; (ii) 2% were violating corporate policy (exfiltrating sensitive corporate information); (iii) the majority of the data movement happens 50 days before leaving.

    Dagmawi highlighted how they identified three key signals to filter out alerts with potential flight risks:
    a) volume – identifying whether the data being moved is anomalous for the individual in the organisation
    b) nature of data – whether the data being moved is sensitive
    c) direction – whether the cloud application is outside of the organisation’s management (e.g. Google Drive).

    Wrapping up, Dagmawi recommended encoding the three signals into detection systems, which could help reduce the size for reviews by 43x – that is, for every 50 alerts, the signals could help to filter out the 1 or 2 concerning ones.

    Recorded 11th May 2023, 3.30pm, Black Hat Asia 2023, Singapore Marina Bay Sands.

    #bhasia #mysecuritytv #insiderthreat

    • video
    Episode 360 - Future of Resilience for IT decision makers

    We speak with Connell Perera, NEC Australia Cyber Security Portfolio Manager.

    NEC Australia offers a comprehensive range of assessments and managed security services to provide businesses and government departments with peace of mind. NEC Security is focussed on rapidly reducing your risk with a threat focused defence, maximising your security investment through automation and machine learning, and reducing your threat landscape by applying global expertise executed by local experts.

    Founded on a Zero Trust mindset, NEC Security, with our global partners, continually apply our intelligence to grow your cyber security competency and to build your confidence as a security decision-maker, backed by a complete cyber security defence underpinned by the best people, intelligence, and technology.

    Protecting your assets, increasing the return on your security investment and effort all whilst reducing your risk is our trusted NEC Security approach.

    To find out more visit https://www.nec.com.au/solutions/cyber-security

    #necsecurity #nec #mysecuritytv

    • video
    Episode 359 - Cybersecurity remains critical for Space Operational Technology

    We speak with Dr Daniel Floreani, Principal Consultant and Director of CyberOps, a security and blockchain consultancy.

    Some of Daniel's achievements during 25+ years of experience in the communications industry, in very diverse roles, include:
    - A PhD in communications and experience in the fundamental concepts of Networking and Defence communications.
    - Experience in very large Defence projects and complex engineering environments.
    - Exposure to Business Development and Market Creation activities in Space and Internet of Things domains

    The Agora High-Tech, with support by CyberOps and Flinders University, is holding the First Australian Cyber Space Forum, Tuesday 10 October 2023.

    The Australian Space Cyber Forum will provide an excellent opportunity for Australian stakeholders to meet and network with key national and international space cyber experts. Participation in this forum is targeted at researchers, entrepreneurs, academics, private consultants, public employers, and others with an interest in the space and cyber sectors.

    The first national edition of the Space Cyber Forum will contain a welcome introduction followed by international speakers such as Prof. Olaf Maennel from Tallinn University of Technology in Estonia, Ms. Clemence Poirer and Mr. Marco Alberti from the European Space Policy Institute in Vienna, and more to come, followed by three specific panels. Each panel will include a discussion on approaches to solving real world issues to help organisations understand what the risks are and how to start to mitigate them, now and into the future.
    · Panel 1 – ‘Space Cyber – The increasing use of cyber-attacks in the space domain’
    · Panel 2 – ‘Cyberspace and Outer Space: between regulation and militarisation’
    · Panel 3 – ‘Quantum in Space and its Security Impacts’

    Registration Link: https://lnkd.in/gNkAW7et

    #auspaceforum #australiainspacetv
