Security Weekly Podcast Network (Audio)

Interview with Frank Vukovits: Focusing inward: there lie threats also External threats get discussed more than internal threats. There’s a bit of a streetlight effect here: external threats are more visible, easier to track, and sharing external threat intelligence doesn’t infringe on any individual organization’s privacy. That’s why we hear the industry discuss external threats more, though internally-triggered incidents far outnumber external ones. Internal threats, on the other hand, can get personal. Accidental leaks are embarassing. Malicious insiders are a sensitive topic that internal counsel would erase from company memory if they could. Even when disclosure is required, the lawyers are going to minimize the amount of detail that gets out. I was chief incident handler for 5 years of my enterprise career, and never once had to deal with an external threat. I managed dozens of internal cases over those 5 years though. In this interview, we discuss the need for strong internal controls with Frank Vukovits from Delinea. As systems and users inside and outside organizations become increasingly connected, maintaining strong security controls is essential to protect data and systems from both internal and external threats. In this episode, we will explore the importance of strong internal controls around business application security and how they can best be integrated into a broader security program to ensure true enterprise security. This segment is sponsored by Delinea. Visit https://securityweekly.com/delinea to learn more about them! Topic Segment: Personal Disaster Recovery Many of us depend on service providers for our personal email, file storage, and photo storage. The line between personal accounts and work accounts often blur, particularly when it comes to Apple devices. We’re way more dependent on our Microsoft, Apple, Meta, and Google accounts than we used to be. They’re necessary to use home voice assistants, to log into other SaaS applications (Log in with Google/Apple/FB), and even manage our wireless plans (e.g. Google Fi). Getting locked out of any of these accounts can bring someone’s personal and/or work life to a halt, and there are many cases of this happening. I’m not sure if we make it past sharing stories about what can and has happened. Getting into solutions might have to be a separate discussion (also, we may not have any solutions…) Friend of the show and sometimes emergency co-host Guillaume posted about this recently A romance author got locked out of her books A 79 year old got locked out of her iPad with all her family photos. Sadly, this is one of the most common scenarios. Someone either forgets their pin and locks out the device permanently, or a family member dies and didn’t tell anyone their passwords or pins, so the surviving family can’t access data, pay the bills, etc. Google example: Claims of CSAM material after father documents toddler at doctor’s request https://www.theguardian.com/technology/2022/aug/22/google-csam-account-blocked Dec 2025 Apple example: she tried to redeem a gift card that had been tampered with: https://hey.paris/posts/appleid/ Google example: developer lost all his work, because he was working on preventing revenge porn and other sensitive cases, and was building a better model to detect NSFW images: https://medium.com/@russoatlarge_93541/i-built-a-privacy-app-google-banned-me-over-a-dataset-used-in-ai-research-66bc0dfb2310 My partner’s mom’s Instagram account got hacked. Meta locked out all of it (Whatsapp, Instagram, Facebook) and she couldn’t get it reinstated. They wouldn’t even let her open a NEW account. Weekly Enterprise News Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-438

Auld Lang Syne, Ghostpairing, Centerstack, OneView, WAFS, React2Shell Redux, Crypto, Josh Marpet, and More, on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-539

This week in the security news: Linux process injection Threat actors need training too A Linux device "capable of practically anything" The Internet of webcams Hacking cheap devices Automating exploitation with local AI models Lame C2 Smallest SSH backdoor Your RDP is on the Internet These are not the high severity bugs you were looking for Low hanging fruit Your TV is spying on you, again no such thing as "offensive security" MCPs and RCEs Browser extensions collecting your AI chats And flooding TikTok with AI influencers Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-905

Business Security Weekly is well aware of the cybersecurity hiring challenges. From hiring CISOs to finding the right skills to developing your employees, we cover it weekly in the leadership and communications segment. But this week, our guest interview digs into the global cybersecurity hiring trends. Jim McCoy, CEO at Atlas, joins Business Security Weekly to share his expertise on the global workforce needs in the 160 countries where Atlas provides direct Employer of Record services. From CISO hiring to where to build security teams, Jim will help us navigate the cybersecurity hiring challenges most organizations face. In the leadership and communications segment, CISOs, CIOs and Boards: Bridging the Cybersecurity Confidence Gap, Rethinking the CIO-CISO Dynamic in the Age of AI, Transparent Leadership Beats Servant Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-426

Pornhub, WSL, Santastealer, Geoserver, Webkit, Fortiyomama, Dad's Pix, Aaran Leyland, and More, on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-538

Open source projects benefit from support that takes many shapes. Kat Cosgrove shares her experience across the Kubernetes project and the different ways people can make meaningful contributions to it. One of the underlying themes is that code is written for other people. That means PRs need to be understandable, discussions need to be enlightening, documentation needs to be clear, and collaboration needs to cross all sorts of boundaries. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-361

Interview Segment: Tony Kelly Illuminating Data Blind Spots As data sprawls across clouds and collaboration tools, shadow data and fragmented controls have become some of the biggest blind spots in enterprise security. In this segment, we’ll unpack how Data Security Posture Management (DSPM) helps organizations regain visibility and control over their most sensitive assets. Our guest will break down how DSPM differs from adjacent technologies like DLP, CSPM, and DSP, and how it integrates into broader Zero Trust and cloud security strategies. We’ll also explore how compliance and regulatory pressures are shaping the next evolution of the DSPM market—and what security leaders should be doing now to prepare. Segment Resources: https://static.fortra.com/corporate/pdfs/brochure/fta-corp-fortra-dspm-br.pdf This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! Topic Segment: We've got passkeys, now what? Over this year on this podcast, we've talked a lot about infostealers. Passkeys are a clear solution to implementing phishing and theft-resistant authentication, but what about all these infostealers stealing OAuth keys and refresh tokens? As long as session hijacking is as simple as moving a cookie from one machine to another, securing authentication seems like solving only half the problem. Locking the front door, but leaving a side door unlocked. After doing some research, it appears that there has been some work on this front, including a few standards that have been introduced: DBSC (Device Bound Session Credentials) for browsers DPoP (Demonstrating Proof of Possession) for OAuth applications We'll address a few key questions in this segment: 1. how do these new standards help stop token theft? 2. how broadly have they been adopted? Segment Resources: FIDO Alliance White Paper: DBSC/DPOP as Complementary Technologies to FIDO Authentication News Segment Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-437

Join Josh Marpet, a seasoned security professional and regular contributor, as he delves into tech's hottest issues. He discusses China's dominance in key technologies and its implications for U.S. competitiveness. The duo also explore Disney's significant investment in OpenAI and the concerns surrounding IP rights for creators. Other hot topics include the risks of AI copilots, a newly exploited GOGS vulnerability, and the decline of traditional passwords in favor of passkeys. Tune in for a rollercoaster of insights!

This week in our technical segment, you will learn how to build a MITM proxy device using Kali Linux, some custom scripts, and a Raspberry PI! In the security news: Hacking Smart BBQ Probes China uses us as a proxy LOLPROX and living off the Hypervisor Are we overreating to React4Shell? Prolific Spyware vendors EDR evaluations and tin foil hats Compiling to Bash! How e-waste became a conference badge Overflows via underflows and reporting to CERT Users are using AI to complete mandatory infosec training! AI in your IDE is not a good idea Cybercrime is on the rise, and its the kids AI can replace humans in power plants Will AI prompt injection ever go away? To use a VPN or to not use a VPN, that is the question Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-904

Organizations rely heavily on Salesforce to manage vasts amounts of sensitive data, but hidden security risks lurk beneath the surface. Misconfigurations, excessive user permissions, and unmonitored third party integrations can expose this data to attackers. How do I secure this data? Justin Hazard, Principal Security Architect at AutoRABIT, joins Business Security Weekly to discuss the security challenges of Salesforce. Justin will discuss how proactive oversight and a strong security posture in Salesforce requires additional capabilities, including: Continuous monitoring of your Salesforce environment, Strict access controls of Salesforce users, and Automated backup of sensitive data. Think your data in Salesforce is safe and secure, think again. This segment is sponsored by AutoRABIT. Visit https://securityweekly.com/autorabit to learn more about them! In the leadership and communications segment, Boards Have a Digital Duty of Care, The CISO’s greatest risk? Department leaders quitting, The 15 Habits of Highly Empathetic People, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-425