Security Weekly Podcast Network (Audio)
Technology
For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Visit https://www.securityweekly.com/psw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/psw-804
OT Security - Huxley Barbee - ASW #259
Cisco, Juniper, AVOSLocker, NoEscape,Valve, FreedomGPT, More News, & Aaran Leyland - SWN #334
Companies should be hiring CISOs for their leadership talent - Jason Loomis - BSW #324
Trustworthy AI, ISW Interviews - Pamela Gupta - ESW #335
Microsoft, SeroxenRAT, Smart Links, ToddyCAT, ShellBot, More News & Aaran Leyland - SWN #333
Getting Started With Reverse Engineering Hardware - PSW #802
Shifting Focus to Make DevSecOps Successful - Janet Worthington - ASW #258
23andMe, Facebook, GitHub's Secret Scanning, MGM Resorts, Grindr, & Jason Wood - SWN #332
Digital Transformation Breaks Risk Management - Chris Morales - BSW #323
Feet, Google, Apple, Predator, r77, Qualcomm, qakbot, Deepfakes, & Aaran Leyland - SWN #331
Lessons From the Last Year's Breaches, ISW Interviews - ESW #334
Malware Trends - Anuj Soni - PSW #801
Creating Presentations and Training That Engage an Audience - Lina Lau - ASW #257
PKD, NSA, WS_FTP, Exim, Sextortion, BunnyLoader, CISA, More News, and Jason Wood - SWN #330
Risk Management in the Cloud Starts with Identities - Eric Kedrosky - BSW #322
Golden SaaS Age, Edge Computing, Cisco/Splunk - Allie Mellen, Theresa Lanowitz, Yoni Shohet, Chris Goettl - ESW #333
NarcBots, Blacktech, ZenRat, Chrome, CISOs, Privacy, More News & Aaran Leyland - SWN #329
The Right Skills For The Job - Kayla Williams - PSW #800
Supply Chain Security Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256
Y3000, Sandman, ShadowSyndicate, MoveIt, Apple, Predator, More News, and Jason Wood - SWN #328
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
Darknet Diaries