Security Weekly Podcast Network (Audio)
Technology
For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Visit https://www.securityweekly.com/psw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/psw-804
Deciphering The National Cyber Workforce and Education Strategy - Dr. José-Marie Griffiths - BSW #315
Surging Email Impersonation Threats, Creating Online Kids' Safety Community - Fareedah Shaheed, John Wilson - ESW #326
Midnight Blizzard, Cult of the Dead Cow, Five Eyes, Aaran Leyland, and More News - SWN #315
Incident Response Stories - Bill Swearingen - PSW #793
Identity and Verifiable Credentials in Cars - Eve Maler - ASW #249
Throbbing Elon, China, Dragos, Ransomware, Tomcat, Ivanti, Jason Wood and More - SWN #314
How to Effectively Embrace and Protect Generative AI Tools, Models, & Data - Randy Lariar - BSW #314
Post-Breach: The Hardening Continues - Sean Metcalf - PSW #792
Rethinking the CISO Model, Edge Ecosystem Insights - Nathan Case, Theresa Lanowitz - ESW #325
GameOver(lay), ZenBleed, Maximus, Redline, the SEC, More News & Aaran Leyland - SWN #313
Navigating the Complexities of Development to Create Secure APIs - Kristen Bell - ASW #248
Improving Diversity and Accessibility in Cybersecurity - Laurie Salvail - BSW #313
Citrix, Ivanti, DOJ changes, Elon X, TETRA Radio, Google WEI, Jason Wood, and More - SWN #312
Enhancing Enterprise Security UX: Embracing Zero-ish Trust - Ryan Fried, Juliet Okafor - ESW #324
AirGaps, Slackware, Mitnick, Awareness, Microsoft, Bad API, Aaran Leyland and More - SWN #311
Security Certification - Rohit Misuriya, Sumit Siddharth - PSW #791
Brian Glas - ASW #247
Scotty in Hell, CISA, S3, White House,Microsoft, Mali, Jason Wood and More - SWN #310
Say Easy, Do Hard - BSW #312
SIEM Rules - Eric Capuano, Tim MalcomVetter - ESW #323
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
Lex Fridman Podcast