Security Weekly Podcast Network (Audio)
Technology
For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Visit https://www.securityweekly.com/psw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/psw-804
What does DoD’s CMMC Requirement Mean for American Businesses - Edward Tuorinsky, Mike Lyborg - BSW #347
Win 95, LastPass, Kubernetes, Sandworm, Bloomtech, Frontier, 911, Aaran Leyland... - SWN #379
From Hackers to Streakers - How Counterintelligence Teams are Protecting the NFL - Joe McMann - ESW #358
PCI 4.0 - Winn Schwartau - PSW #825
Duo, Steganography, Roku, Palo Alto, Putty, Cerebral, IPOs, SanDisk, & Josh Marpet - SWN #378
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
From Idea to Success: How to Operationalize a Startup from Zero to Exit - Seth Spergel - BSW #346
Combadges, SISENSE, Microsoft, CISA, Lastpass, Palo Alto, Broadband, Aaran and More - SWN #377
Understanding KillNet and Recent Waves of DDoS Attacks - Michael Smith - ESW #357
Digging Into Supply Chain Security - James McMurry - PSW #824
Dronepocalypse, Microsoft, DLINK, Home Depot, Phishing, NIST, VenomRat, Josh Marpet - SWN #376
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
Understanding the Cybersecurity Ecosystem - Ross Haleliuk - BSW #345
SEXi, Powerhost, Acuity, Layerslider, JSOutProx, Byakugan, Josh Marpet, and More - SWN #375
XZ - Backdoors and The Fragile Supply Chain - PSW #823
Getting Vulnerability Management Back on the Rails - Patrick Garrity - ESW #356
Lena, XZ, WallEscape, AT&T, OWASP, Google, Microsoft, AI, Josh Marpet, and More - SWN #374
Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279
CISO Soul Searching: Navigating the Evolving Role of the CISO - Harold Rivas - BSW #344
Electric Sheep, Exchange, Darcula, NuGet, Rockwell, FTX, Aaran Leyland, and More - SWN #373
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
A Prairie Home Companion: News from Lake Wobegon