117 episodes

Security Conversations covers the business of cybersecurity, from the lens of veteran journalist and storyteller Ryan Naraine. Thoughtful conversations with security practitioners on threat intelligence, zero trust, securing cloud deployments, penetration testing, bug bounties, advancements in offensive research and targeted malware espionage activity.
Connect with Ryan on Twitter (Open DMs).

Security Conversations Ryan Naraine

    • Technology
    • 4.9 • 39 Ratings


    Cris Neckar on the early days of securing Chrome, chasing browser exploits

    Episode sponsors:
    • Binarly, the supply chain security experts (https://binarly.io)
    • XZ.fail backdoor detector (https://xz.fail)

    Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium, and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and promise of AI, and his mission to help highly technical founders bring products to market.

    Links:
    • Unedited transcript (AI-generated)
    • Cris Neckar on LinkedIn
    • Cris Neckar Bio (Two Bear Capital)
    • Teenager hacks Google Chrome with three 0days
    • Research on Trident zero-day flaws
    • Cris Neckar podcast transcript (Unedited)

    • 54 min
    Costin Raiu joins the XZ Utils backdoor investigation

    Episode sponsors:
    • Binarly, the supply chain security experts (https://binarly.io)
    • XZ.fail backdoor detector (https://xz.fail)

    Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Jia Tan' is the handiwork of a cunning nation-state.

    Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.

    Links:
    • Binarly XZ backdoor detector
    • XZ Utils Backdoor FAQ (by Dan Goodin)
    • CISA advisory on backdoor
    • The JiaT75 (Jia Tan) timeline
    • Unedited transcript

    • 51 min
    Katie Moussouris on building a different cybersecurity business

    Episode sponsors:
    • Binarly, the supply chain security experts (https://binarly.io)
    • FwHunt (https://fwhunt.run)

    Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB).

    In this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.

    Links:
    • Luta Security Workforce Platform
    • Katie Moussouris on Wikipedia
    • Moussouris: Resist Urge to Match China Vuln Reporting Mandate
    • Katie Moussouris on LinkedIn
    • Cyber Safety Review Board

    • 29 min
    Costin Raiu: The GReAT exit interview

    Episode sponsors:
    • Binarly, the supply chain security experts (https://binarly.io)
    • FwHunt (https://fwhunt.run)

    Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.

    In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.

    Links:
    • Costin Raiu on Twitter
    • How to Protect Your Phone from Pegasus and Other APTs
    • Costin Raiu: 10 big 'unattributed' APT mysteries
    • Costin Raiu on the .gov mobile exploitation business
    • WannaCry Ransomware Linked to North Korean Hackers

    • 1 hr 32 min
    Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers

    Episode sponsors:
    • Binarly, the supply chain security experts (https://binarly.io)
    • FwHunt (https://fwhunt.run)

    Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

    Danny digs into the inner workings of the botnet, the global problem of end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.

    Links:
    • Danny Adamitis on Twitter
    • Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet
    • Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
    • The KV-botnet Investigation
    • ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks
    • Daniel Adamitis on LinkedIn

    • 34 min
    Allison Miller talks about CISO life, protecting identities at scale

    Episode sponsors:
    • Binarly, the supply chain security experts (https://binarly.io)
    • FwHunt (https://fwhunt.run)

    Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.

    In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.

    Links:
    • Allison Miller on LinkedIn
    • Cartomancy Labs
    • Security Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
    • New SEC rule on breach disclosure (PDF)
    • Follow Allison Miller on Twitter
    • Sponsor: Binarly Supply Chain Security Platform

    • 38 min

Customer Reviews

4.9 out of 5 (39 Ratings)

kaleen12,

Rare straight-talk in cyber

Love the real talk approach. Strong recommend.

AndrewMohawk,

Unrivaled infosec conversations

If you are into infosec / security and don't listen to this you are doing yourself a disservice. Incredible guests, deep, *interesting* interviews and questions and awesome insights. I can't recommend this enough!

ASobering,

A true standout in the cybersecurity space!

This is one of the most insightful cybersecurity podcasts that I have ever come across! Ryan does such a great job of sharing his wisdom and I love how he leads meaningful conversations with guests who bring so much experience and actionable insight to the table.
