Paul's Security Weekly

Existential Dread and Seawater, MCP, Cloudflare, ESxi, QR Codes, Salt Typhoon, Aaran Leyland, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-495

In the security news: The train is leaving the station, or is it? The hypervisor will protect you, maybe The best thing about Flippers are the clones Also, the Flipper Zero as an interrogation tool Threats are commercial and open-source Who is still down with FTP? AI bug hunters Firmware for Russian drones Merging Android and ChromOS Protecting your assets with CVSS? Patch Citrixbleed 2 Rowhammer comes to NVIDIA GPUs I hear Microsoft hires Chinese spies Gigabyte motherboards and UEFI vulnerabilities McDonald's AI hiring bot: you want some PII with that? Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-883

Are you running SAP? The clock is ticking... Standard maintenance end-of-life is set for the end of 2027. Migration to S/4HANA must be completed by then (or 2030 if you buy into SAP’s special three-year reprieve). While that may appear to be enough time, companies currently working toward an S/4HANA transition are finding the journey challenging, and that's not including the security challenges. Chris Carter, CEO at Approyo, joins Business Security Weekly to discuss your SAP options, including: ERP Strategy: Stay with SAP or migrate to other solutions? S/4HANA Architecture: All cloud or cloud/on-premise? Security Challenges: Cloud vs. on-premise SAP Migration: Recommendations for success In the leadership and communications section, Where cybersecurity maturity meets confidence in C-suite and board leadership, Has CISO become the least desirable role in business?, How Radical Transparency Is Revolutionizing Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Note

AI meltdowns, Gigabyte, NCSC, Rowhammer, Gravity Form, Grok, AsyncRat, Josh Marpet and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-494

What are some appsec basics? There's no monolithic appsec role. Broadly speaking, appsec tends to branch into engineering or compliance paths, each with different areas of focus despite having shared vocabularies and the (hopefully!) shared goal of protecting software, data, and users. The better question is, "What do you want to secure?" We discuss the Cybersecurity Skills Framework put together by the OpenSSF and the Linux Foundation and how you might prepare for one of its job families. The important basics aren't about memorizing lists or technical details, but demonstrating experience in working with technologies, understanding how they can fail, and being able to express concerns, recommendations, and curiosity about their security properties. Resources: https://cybersecurityframework.io https://owasp.org/www-project-cheat-sheets/ https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ https://aflplus.plus/ https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-doing-and-why-does-it-work/ Visit https:

Segment 1: Interview with Monzy Merza - There is a Right and Wrong Way to use AI in the SOC In the rush to score AI funding dollars, a lot of startups build a basic wrapper around existing generative AI services like those offered by OpenAI and Anthropic. As a result, these services are expensive, and don't satisfy many security operations teams' privacy requirements. This is just the tip of the iceberg when discussing the challenges of using AI to aid the SOC. In this interview, we'll dive into the challenge of finding security vendors that care about security, the need for transparency in products, the evolving shared responsibility model, and other topics related to solving security operations challenges. Segment 2: Topic Segment - How much AI is too much AI? In the past few weeks, I've talked to several startup founders who are running into buyers that aren’t allowed to purchase their products, even though they want them and prefer them over the competition. Why? No AI and they’re not allowed to buy. Segm

Tapjacking, ZuChe, PerfektBlue, McHacking, OT in the IT, Add Ons, Josh Marpet, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-493

This week in the security news: Citrixbleed 2 and so many failures Ruckus leads the way on how not to handle vulnerabilities When you have no egress Applocker bypass So you bought earbuds from TikTok More gadgets and the crazy radio Cheap drones and android apps Best Mario Kart controller ever VSCode: You're forked Bluetooth earbuds and vulnerabilities Do you remember Sound blaster cards? NFC passport chips Whack-a-disk Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-882

SEC settles with SolarWinds. We react! In the leadership and communications section, The Skills and Habits Aspiring CEOs Need to Build, Why People Really Quit — And How Great Managers Make Them Want to Stay, The Small Actions That Become Your Legacy, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-403

Spying on your kids, Bank Robberies, Qantas, LOTL, sudo, Hunters, Aaran Leyland, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-492

Appsec still deals with ancient vulns like SQL injection and XSS. And now LLMs are generating code along side humans. Sandy Carielli and Janet Worthington join us once again to discuss what all this new code means for appsec practices. On a positive note, the prevalence of those ancient vulns seems to be diminishing, but the rising use of LLMs is expanding a new (but not very different) attack surface. We look at where orgs are investing in appsec, who appsec teams are collaborating with, and whether we need security awareness training for LLMs. Resources: https://www.forrester.com/blogs/application-security-2025-yes-ai-just-made-it-harder-to-do-this-right/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-338

Single Sign On (SSO) and Multi Factor Authentication (MFA) is critical to secure operations for companies of all sizes. Why is the foundation of cybersecurity still locked behind enterprise licensing? Single Sign-On (SSO) and Multi-Factor Authentication (MFA) are essential—not optional—for protecting modern businesses. But today, these critical tools are overpriced, overcomplicated, and reserved for companies that can afford to overpay and have full-time security teams. That’s broken. Cubeless is tearing down the barriers. With Cubeless Verify, we’re delivering SSO and MFA that anyone can use—no IT army required. No hidden fees. No contracts. No catch. Just enterprise-grade security made simple, and free forever. The gatekeepers had their turn. Now it’s yours. Go to https://securityweekly.com/cubelessidv to start using Cubeless Identity today. As AI agents move beyond experiments to becoming critical internal and market-facing enterprise products, secure, scalable identity infrastructure becomes essential to

North Korea, ransomware, social engineering, AI, Apple, Drugs & Iran on this edition of the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-491

This week, we dive into the world of Meshtastic and LoRa—two technologies empowering secure, long-range, and infrastructure-free communication. We'll talk about the origins of Meshtastic, how LoRa radio works, and why mesh networking is revolutionizing off-grid messaging for adventurers, hackers, emergency responders, and privacy advocates alike. We break down the available hardware, walk you through firmware installation, and share real-world use cases of LoRa to create decentralized, encrypted networks. Whether you’re a hacker, a prepper, or just curious about the future of resilient communication, this episode is packed with insights and practical tips you won’t want to miss! This segment is sponsored by ThreatLocker. Visit https://www.securityweekly.com/threatlocker to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-881

New research estimates the value of Zero Trust. Using the Marsh McLennan Cyber Risk Intelligence Center’s proprietary cyber losses dataset from the past eight years, researchers estimated that overall cyber losses could have been potentially reduced by up to 31% had the organizations widely deployed zero-trust security. This adds up to a projected reduction of up to $465 billion in global annual total economic losses. But Zero Trust projects have struggled due to complexity. Rob Allen, Chief Product Officer at ThreatLocker, joins Business Security Weekly to discuss the simplicity of Zero Trust Endpoint Protection and how it can drive value. Rob will discuss how the ThreatLocker® Zero Trust Endpoint Protection Platform offers a unified approach to protecting users, devices, and networks with ease of deployment and management. Zero Trust doesn't have to be complex. This segment is sponsored by ThreatLocker. Visit https://www.securityweekly.com/threatlocker to learn more about them! Visit https://www.securitywee

Sony, Scattered Spider, Hikvision, Cybercrime, Iran, BSODs, Cloudflare, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-490

Manual secure code reviews can be tedious and time intensive if you're just going through checklists. There's plenty of room for linters and compilers and all the grep-like tools to find flaws. Louis Nyffenegger describes the steps of a successful code review process. It's a process that starts with understanding code, which can even benefit from an LLM assistant, and then applies that understanding to a search for developer patterns that lead to common mistakes like mishandling data, not enforcing a control flow, or not defending against unexpected application states. He explains how finding those kinds of more impactful bugs are rewarding for the reviewer and valuable to the code owner. It involves reading a lot of code, but Louis offers tips on how to keep notes, keep an app's context in mind, and keep code secure. Segment Resources: https://pentesterlab.com/live-training/ https://pentesterlab.com/appsecschool https://deepwiki.com https://daniel.haxx.se/blog/2025/05/29/decomplexification/ Visit https://w

Interview with Dave Lewis Organizations believe they have a firm grip on security with SSO and corporate IT policies, but in reality, shadow IT lurks in the background—expanding attack surfaces and exposing sensitive data. Employees bypass security controls for the sake of convenience, while SSO fails to provide the comprehensive security net organizations expect. Talk about the critical weaknesses in traditional SSO implementations, how shadow IT thrives under the radar, and why enterprises continue to experience data breaches despite security investments. Can cover real-world examples of security failures, highlight the role of human behavior in risk, and provide actionable strategies to regain control over enterprise security. This segment is sponsored by 1Password. Visit https://securityweekly.com/1password to learn more about them! Topic Segment: Is AI taking our jerbs or not? I listened to most of a debate between Marcus Hutchins and Daniel Miessler over whether generative AI will be good enough to repl

Broadcom is coming for you, Direct Send, N0auth, UNFI, Cisco, Oneclik, Russ Beauchemin, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-489

This conversation explores the intersection of cybersecurity and emerging technologies, focusing on innovative hacking techniques, the evolution of vulnerability management, and the critical importance of asset discovery. The discussion also delves into the implications of cyber warfare, the persistent threat of default passwords, and the integration of open source tools in enhancing security measures. The conversation delves into various aspects of cybersecurity, focusing on aircraft tracking, data filtering, the evolution of vulnerability management, and the role of AI in enhancing security measures. The speakers discuss the challenges posed by default credentials and the shared responsibility model in cloud infrastructure. They also explore the limitations of AI in cybersecurity and the potential for future advancements, particularly in localized LLMs. The conversation delves into the intersection of technology, cybersecurity, and privacy, exploring the implications of AI on energy demands, vulnerabilities