
50 episodes

Cyber Security Weekly Podcast MySecurity Media
- News
4.7 • 6 Ratings
Without trust, society stagnates, economies decline, and businesses fail. This podcast series keeps abreast of the latest trends and challenges in cyber and physical security with interviews, event updates, industry suppliers & government initiatives.
-
- video
Episode 387 - Digital Devices at Risk – Understanding and Countering Firmware Threats
Dr. Yuriy Bulygin is the CEO and founder of Eclypsium, the digital supply chain security company that helps organizations protect their critical hardware, firmware, and software. Prior to Eclypsium, Yuriy was Chief Threat Researcher and led the Microprocessor Security Analysis team at Intel Corporation, as well as the Advanced Threat Research team at Intel Security. He is also the creator of CHIPSEC, the popular open-source firmware and hardware supply chain security assessment framework. When enterprises started using CHIPSEC to find vulnerabilities, discover compromised firmware, or just poke around hardware systems, Yuriy founded Eclypsium with Alex Bazhaniuk. Since then Eclypsium has been on a mission to protect devices from supply chain risks.

In this interview, Yuriy highlights the potential vulnerabilities in the firmware (software running the hardware) in today’s digital devices, and the risk posed by threat actors.

Using a typical PC as an example, which involves contributions from over 265 suppliers, each with its components and code, he notes the ubiquity of software and likens the supply chain of such a device to a “Wild West”: “at any point in the supply chain, at any of those links in the supply chain, a compromise may happen”, and “all of these components and all the code that is developed by those suppliers and vendors has vulnerabilities.”

He elaborated that “even if it's OK now … 3 months from now, it can be compromised because of those vulnerabilities.”

To give an example, he referenced the recently discovered threat in the wild, “BlackLotus”, an evolution of threats based on open-source frameworks (e.g. LoJax, MosaicRegressor, MoonBounce) discovered in the past 3 to 4 years. He highlighted the characteristics of such threats:

• These UEFI compromises allow attackers to compromise equipment remotely, for access or persistent malware installation.
• They cannot be removed by reinstalling the operating system, reimaging, or even replacing the hard drive.
• BlackLotus's exploitation of UEFI system vulnerabilities, particularly in Secure Boot (a fundamental security feature adopted by modern operating systems), sets it apart as an advanced threat, marking the first instance of such threats discovered "in the wild."

He explained that compromising firmware is attractive for threat actors for many reasons:

• Stay hidden: detection and protection controls operate at the software application level and above, but there is no equivalent for firmware.
• Achieve "persistence": traditional mitigation measures cannot remove the malware/threats.
• Simplicity: for example, exploiting firmware vulnerabilities to gain access is much simpler than developing a very complicated exploit chain.
• Gain high privileges: remain hidden and persistent while gaining a high level of privileges.
-
- video
Episode 386 - AI and the Law
Mr Yeong Zee Kin holds a Master of Laws from Queen Mary University of London and completed his undergraduate law degree at the National University of Singapore. His experience as a Technology, Media and Telecommunications lawyer spans both the private and public sectors. He has spoken and published in areas relating to electronic evidence and intellectual property, as well as legal issues relating to Blockchain and AI deployment.

Zee Kin is an internationally recognized expert on AI ethics. He spearheaded the development of Singapore’s Model AI Governance Framework, which won the UN ITU WSIS Prize in 2019. He is currently a member of the OECD Network of Experts on AI (ONE AI). In 2019, he was a member of the AI Group of Experts at the OECD (AIGO), which developed the OECD Principles on AI. These principles were endorsed by the G20 in 2019. He was also an observer participant at the European Commission’s High-Level Expert Group on AI, which fulfilled its mandate in June 2020.

Zee Kin is also a well-regarded expert on data privacy issues. He has contributed to publications on legal issues relating to data privacy and has spoken at many well-recognised international and domestic platforms on this topic.

In this interview, Zee Kin shares his insights on the legal challenges in the Era of Advanced AI.

Zee Kin highlighted that with the latest AI innovations, the responsibility and legal issues remain largely consistent, but the tools and technology introduce different challenges. For instance, he shared that concerns around content, child protection, intermediary behavior, data security, data protection, and cybercrime remain, while challenges such as detection of fake content have intensified due to increased tool accessibility and the scalability of threats.

Referring to the "Getty vs. Stability AI" case, he shared that the interesting question is the use of copyrighted data to train AI models, which is not new, and the key is to establish a proper legal basis for using such data. Data lineage and the provenance of data have always been important in legal contexts. He also noted that these concerns have surfaced during the recent governmental responses around the world to the latest AI innovations.

Zee Kin also highlighted the challenges with defining terms such as "fairness," "transparency," and "repeatability", whose meaning varies by context, as expectations and priorities for AI differ based on its use, such as safety and predictability in medicine, and bias and fairness in personal data applications.

Repeatability poses an additional challenge in Generative AI because every iteration of an image or summary will vary (owing to Generative AI's statistical predictive nature).

Zee Kin also shares his views on AI's impact on job security, noting that there will be emerging opportunities for lawyers to use AI tools for efficiency and error reduction.

Recorded at TechLaw Fest 2023, 21st Sept 2023, 3.30pm, Marina Bay Sands, Singapore.

#mysecuritytv #cybersecurity #ai #law #ailawyer
-
- video
Episode 385 - Tech leader of the year 2023 - on Data Centres, AI & Digital Trust
Mr Wong Wai Meng is currently the Chief Executive Officer (Data Centres) of Data Centres & Networks Division. He has almost 30 years of experience in the Information and Communications Technology (ICT) industry and currently spearheads the company's thrust towards being one of the leading data centre developers and solution providers in Europe and Asia Pacific. Prior to joining Keppel T&T, Mr Wong was Vice President of BT Advise BT Global Services across Asia Pacific, Middle East, Africa and Turkey (AMEA) where he managed the company's practices in business consulting, systems integration, software development, networking, mobility, collaboration and security. He was also CEO of the BT Frontline group of companies where he played a critical role in the integration of BT Frontline into BT Global Services. Mr Wong now serves as Chair of SGTech Council, Member of the Council and Chair of Digitalisation Committee in Singapore Business Federation, and is active on various industry panels and committees.

In November 2022, he won the Top Business Leaders accolade at the Asia-Pacific Cloud & Datacentre Awards. More recently, in August 2023, he was named by the Singapore Computer Society as Tech Leader of the Year 2023.

In this interview, Mr Wong shared his insights on the evolution of data centres over the last two decades, from the early computing days to today’s AI and Web3 eras, highlighting the pivotal role of connectivity in transforming how “we consume technology today”. Noting how the shift brought about the realisation of a “computer” in our palms and concepts such as “software as a service”, he said these transformations contribute to a trend from on-premises solutions to cloud-based applications. These changes in turn have driven demand for centralisation of services in the cloud, leading to the growth of data centres and the rise of hyperscalers.

Other topics discussed include:

1. The impact of AI on the tech industry, and the significance of AI in the context of AI vs. AI scenarios.
2. Location considerations for data centres (factors such as power availability, water supply for cooling, and connectivity infrastructure being key considerations); sustainability in data centres (including energy efficiency and the use of renewable energy sources).
3. Cybersecurity as a holistic approach to digital trust, which goes beyond just technology and involves governance, data management, and privacy considerations.

Mr Wong wrapped up the interview by sharing how the tech industry's perpetual evolution has kept him passionately engaged throughout his career, and how the promise of groundbreaking change makes each day a thrilling journey of discovery.

Recorded at Tech Week 2023, 12th October 2023, 4pm, Singapore Marina Bay Sands.

#mysecuritytv
-
- video
Episode 384 - Security and privacy of IoT devices, like the family robot
Dennis Giese is a researcher with a focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices.

His best-known projects are the documentation and hacking of various vacuum robots. His current vacuum robot army consists of over 49 different models from various vendors.

Recorded on 18 October, 2023 at The Australian Cyber Conference 2023 - Melbourne with the Australian Information Security Association.

#cybercon #IoTsecurity #mysecuritytv
-
- video
Episode 383 - Generative AI – cybersecurity opportunities & challenges
Jane Lo speaks with Ben Verschaeren, Director, Global Solutions, Sophos about cybersecurity opportunities and challenges with Generative AI.

With over 19 years in the IT industry, Ben Verschaeren is a seasoned professional based in Melbourne. He leads global strategic initiatives, educates on threat landscapes, and develops training tools focusing on real-world exploits. Ben also directs a global sales engineering team responding to RFPs, and a software engineering team creating high-quality products for various uses. His prior roles include serving as a Solution Architect at JB HiFi, Australia's largest retailer, and at Thiess, the leading mining and construction company in Australia. Ben’s unique blend of sales and engineering experience across diverse sectors enables him to drive tech-forward initiatives with an innovative approach, affirming his position as a key asset in the industry.

Ben kicked off the interview by sharing his insights on the drivers behind the widespread popularity of the latest AI technology, “generative AI”. On discussing how generative AI could transform the cybersecurity landscape, Ben acknowledged that it could help increase the productivity of cyber defenders, as an “AI” personal assistant, such as “help you write code” or “help you write query”. However, he cautioned that the technology also introduces new threats.

Elaborating on some of the emerging threats, he said that contrary to expectations, malware generated by LLM can be more easily detected than phishing emails and synthetic voice. To mitigate such threats, he suggested enhancing business processes and controls (for example, robust fund transfer authorisation, to mitigate phishing risk). He also recommended conducting user awareness training regularly to align with the fast-evolving landscape of phishing tactics, emphasising the importance of understanding the "why."

Another threat is the potential of generative AI to “hallucinate” when making recommendations for software libraries. He pointed out that this issue underscores the need to maintain an SBOM (software bill of materials) and to implement quality controls throughout the software development process.

Ben also recommended that organisations looking to embrace AI develop an “AI policy”, providing guidance in areas such as the types of data or models to be used during training and deployment. He also shared that middleware solutions are available to anonymise the data entered in the prompt, and check that no personally identifiable information (PII) is included.

Wrapping up, Ben notes the rapid pace of generative AI development and that “the landscape is changing everyday”, and advises cyber defenders to “stay on top”, “don’t be complacent”, and it is “another area where and different threats are emerging every day”.

Recorded at Cloud Expo Asia, Singapore Marina Bay Sands, 12th October 2023.

#mysecuritytv #sophos #generativeai #cybersecurity
-
- video
Episode 382 - Compelling ‘call to action’ to join the Public Safety Threat Alliance
Recognised by the US Cybersecurity and Infrastructure Security Agency (CISA), Motorola Solutions has established a cyber threat Information Sharing and Analysis Organisation (ISAO) to provide public safety agencies the capabilities they need to defend against attacks.

Since January 2022, Motorola Solutions’ Public Safety Threat Alliance observed 350+ cyber attacks impacting public safety organisations worldwide, often resulting in downtime of critical services. Cyber attacks against public safety agencies increased in both 2021 and 2022, with 2022 seeing a 700 percent increase in distributed denial of service (DDoS) attacks for public safety organisations and a 179 percent increase in hacktivist activity.

In many Australian states and territories, emergency services use the Motorola Solutions Land Mobile Radio (LMR) communication networks and devices as well as their managed services to help maintain reliable voice and data communications and keep their technology secure and optimised, 24 x 7.

However, LMR networks and other critical infrastructures can also be targeted by threat actors (e.g. critical infrastructures including utilities being targeted in the war in Ukraine).

Motorola Solutions continues to grow and invest in its portfolio of communications, software and video security products including our cyber security offerings. The ActiveEye platform monitors about 1M cyber attack events on public safety networks each month, with 98 percent auto-triaged by artificial intelligence, and the rest looked at by cybersecurity experts on our team to determine how to mitigate risks.

Among Australian customers already using these cyber services is the NSW Telco Authority, for which Motorola Solutions is providing a comprehensive suite of public safety services for PSN, including network lifecycle upgrades and 24 x 7 cybersecurity, helping to keep this mission-critical technology up-to-date, secure and performing reliably in any situation.

For more information and to get involved, visit Public Safety Threat Alliance - https://www.motorolasolutions.com/psta

#motorola #cybersecurity #mysecuritytv #publicsafety #motorolasolutions
Customer Reviews
How Corporates Might See It
Good clear discussion. Feels that coming from an industry forum leader, few additional words on how inside out perspectives of the corporate have been accounted for could make the book / its review more rounded.