Risky Business #771 -- Palo Alto's firewall 0days are very, very stupid

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Microsoft introduces some sensible sounding post-Crowdstrike changes
• Palo Alto patches hella-stupid bugs in its firewall management webapp
• CISA head Jen Easterly to depart as Trump arrives
• AI grandma tarpits phone scammers in family-tech-support hell
• Academic research supports your gut-reaction; phishing training doesn’t work
• And much, much more.

This week’s episode is sponsored by Greynoise. The always excitable Andrew Morris joins to remind us that the edge-device vulnerabilities Pat and Adam complain about on the show are in fact actually even worse than we make them out to be. Andrew also tells us about a zero-day Greynoise’ AI system truffle-pigged out of their data set.

This episode is also available on Youtube.

Show notes

• Windows security and resiliency: Protecting your business | Windows Experience Blog
• Microsoft revamps how it will disclose vulnerabilities | Cybersecurity Dive
• NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely
• Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
• Palo Alto Networks customers grapple with another actively exploited zero-day | Cybersecurity Dive
• Unpatched zero-days in Fortinet and Palo Alto Networks software
• Palo Alto Networks’ customer migration tool hit by trio of CVE exploits | Cybersecurity Dive
• Readout of President Joe Biden’s Meeting with President Xi Jinping of the People’s Republic of China | The White House
• Easterly to step down from CISA director role on Inauguration Day | Cybersecurity Dive
• Top White House cyber official urges Trump to focus on ransomware, China
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Hacker Is Said to Have Gained Access to File With Damaging Testimony About Gaetz
• 1,400 Pegasus spyware infe