Security Weekly Podcast Network (Audio)
Technology
For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Visit https://www.securityweekly.com/psw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/psw-804
Stopping Business Logic Attacks: Why a WAF is no Longer Enough - Karl Triebes - ASW #255
SprySocks, Lazarus, Fortinet, Juniper, CISA, AI Art, More News, & Jason Wood - SWN #326
Cyberdog, Pegasus, Webex, Peach Sandstorm, SAP, Caesar, Penn, Aaran Leyland, and More - SWN #325
2023 AT&T Cybersecurity Insights Report: Edge Ecosystem - Theresa Lanowitz, Steve Winterfeld - BSW #320
MDR & Self Sabotage, Detection Difficulty - Jason Lassourreille, Chris Sanders - ESW #331
Ransomware Infection Vectors - Ryan Chapman - PSW #798
Building a Scanner and a Community with Zed Attack Proxy - Simon Bennetts - ASW #254
Mopria, Cisco, Seimens , Word, DarkGate, AP Stylebook, More News, & Jason Wood - SWN #324
Identity is the Perimeter, The Secrets of Top Performing CISOs - Jeff Reich - BSW #319
The one in which Doug interviews Chat GPT - SWN Vault
Why Data Privacy is Being Overhauled in 2023 - Dan Frechtling - ESW Vault
Interview with Dr. Gene Spafford - Eugene Spafford - PSW Vault
Quantum Computing - SWN Vault
Broadening What We Call AppSec - Christien Rioux - ASW Vault
The Nine Cybersecurity Habits - George Finney - BSW Vault
Simplify Your Audit Process, News, BlackHat Interviews - Tomer Bar, Raghu Nandakumara, Erik Huckle - ESW #330
AI cars, Sandstorm, BGP, Earth Estries, DOE, Aria, Aaran Leyland and More - SWN #323
Incident Response: Clouds, SMBs, & More! - Amanda Berlin - PSW #797
How Can Security Be Smart About Using AI? - Jeff Pollard - ASW #253
Mystery, Qakbot, Crates.io, VDP, NetScaler, Entra ID, SynthID, FreeBSD, Jason Wood - SWN #322
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
Lex Fridman Podcast