Below the Surface (Audio) - The Supply Chain Security Podcast

Eclypsium
  • 5.0 (1)
  • TECHNOLOGY
  • UPDATED BIWEEKLY
Below the Surface (Audio) - The Supply Chain Security Podcast

A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions. Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go

  1. Pacific Rim - BTS #41

    NOV 6

    Pacific Rim - BTS #41

    In this episode, Paul Asadorian, Larry Pesce, and Evan Dornbusch delve into the recent Sophos reports on threat actors, particularly focusing on the Pacific Rim case. They discuss the implications of the findings, including the tactics used by attackers, the vulnerabilities in network devices, and the challenges of securing appliances. The conversation also highlights the importance of network detection solutions, the impact of zero-day exploits, and the need for a shift in how appliance security is approached, especially concerning firmware backdoors and UEFI threats. In this conversation, the speakers discuss the implications of UEFI attacks, highlighting Sophos' proactive measures in cybersecurity. They emphasize the importance of observing attackers, the role of manufacturers in enhancing security, and the need for better monitoring and visibility in devices. The discussion also touches on the significance of shared responsibility in cybersecurity, learning from transparency in incidents, and the challenges posed by overpowered devices. The speakers advocate for the implementation of security software and the necessity of bills of materials to improve device security.

    1 hr
  2. Backdoors in Backdoors

    OCT 23

    Backdoors in Backdoors

    In this episode, Paul Ascidorian and Matt Johansen discuss the recent targeted attacks by Chinese threat actors, particularly focusing on the Volt Typhoon group. They explore the implications of back doors in cybersecurity, the role of ISPs, and the ongoing tension between privacy and security. The conversation delves into historical contexts, the evolution of threat actor tactics, and the shared responsibility model in cybersecurity. They also highlight the challenges of supply chain security and the visibility issues that make network devices vulnerable to attacks. In this conversation, Paul and Matt discuss the evolution of software security, focusing on the shift from traditional vulnerabilities to emerging threats in network devices. They emphasize the importance of observability and aligning incentives for better security practices. The discussion also highlights the need for innovation in infrastructure security, including the use of modern web frameworks and memory-safe languages to enhance security measures.

    50 min
  3. The Art of Firmware Scraping - BTS

    OCT 8

    The Art of Firmware Scraping - BTS

    In this episode, Edwin Shuttleworth from Finite State discusses firmware security, insights from the GRRCON Security Conference, and the challenges of firmware analysis. The conversation covers various topics, including firmware scraping techniques, the IoT landscape, types of firmware, the importance of Software Bill of Materials (SBOMs), and emulation in firmware analysis. Edwin shares his experiences and offers advice for those looking to get started in firmware reverse engineering.

    1 hr
  4. Vulnerability Tracking & Scoring - Patrick Garrity - BTS #38

    SEP 27

    Vulnerability Tracking & Scoring - Patrick Garrity - BTS #38

    In this episode of Below the Surface, host Paul Ascadorian and guest Patrick Garrity discuss the complexities of vulnerability tracking and prioritization. They explore various sources of vulnerability data, the significance of known exploited vulnerabilities, and the concept of weaponization in cybersecurity. The conversation delves into the challenges posed by supply chain vulnerabilities, the importance of Software Bill of Materials (SBOM), and the impact of user behavior on security. The episode concludes with thoughts on the future of vulnerability management and the need for a more comprehensive approach to cybersecurity.

    56 min
  5. Firmware Reverse Engineering - Matt Brown - BTS #37

    SEP 11

    Firmware Reverse Engineering - Matt Brown - BTS #37

    In this episode, Matt Brown joins the podcast to talk about firmware reverse engineering and supply chains. They discuss Matt's start in information security, his journey into hardware security, and the creation of his YouTube channel. They also explore the vulnerabilities and weaknesses in the supply chain of IoT devices and the challenges of extracting firmware from embedded Linux systems. Matt shares his favorite tools for firmware extraction and the complexities of creating an SBOM in the embedded Linux ecosystem. In this conversation, Paul and Allan discuss the challenges and vulnerabilities in IoT devices. They highlight the lack of security incentives in the IoT industry, the reuse of code across different devices, and the importance of validating firmware updates. They also mention the use of tools like binwalk and unblob for firmware analysis, and the benefits of UART and JTAG for hardware hacking. The conversation emphasizes the need for passion and hands-on experience in exploring IoT security.

    57 min
  6. Supply Chain Policies - Trey Herr, Stewart Scott - BTS #36

    AUG 14

    Supply Chain Policies - Trey Herr, Stewart Scott - BTS #36

    Stewart and Trey join us to talk about driving cybersecurity policies for the nation, what makes a good policy, what makes a bad policy, supply chain research and policies, and overall how we shape policies that benefit cybersecurity. Segment Resources: https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst/ https://www.atlanticcouncil.org/in-depth-research-reports/report/open-source-software-as-infrastructure/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-36

    1 hr
  7. The Known Exploited Vulnerability catalogue, aka the KEV - Tod Beardsley - BTS #35

    JUL 31

    The Known Exploited Vulnerability catalogue, aka the KEV - Tod Beardsley - BTS #35

    Gain insights into the CISA KEV straight from one of the folks at CISA, Tod Beardsley. Learn how KEV was created, where the data comes from, and how you should use it in your environment. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Resource: https://cisa.gov/kev Show Notes: https://securityweekly.com/bts-35

    56 min
  8. EPSS - The Exploit Prediction Scoring System - Jay Jacobs, Wade Baker - BTS #34

    JUL 17

    EPSS - The Exploit Prediction Scoring System - Jay Jacobs, Wade Baker - BTS #34

    Jay Jacobs Co-Founder and Data Scientist and Wade Baker Co-Founder; Data Storyteller from The Cyentia Institute come on the show to talk about The Exploit Prediction Scoring System (EPSS). This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-34

    1 hr
See All (41)

About

A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions. Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go

Information

You Might Also Like

To listen to explicit episodes, sign in.

Stay up to date with this show

Sign in or sign up to follow shows, save episodes, and get the latest updates.
Select a country or region

Africa, Middle East, and India

Asia Pacific

Europe

Latin America and the Caribbean

The United States and Canada