Coming to you from the same room in Risky Business headquarters Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. They talk through:

• Sonicwall firewalls hand out remote code exec like candy
• Mastercard make a slapstick-grade mistake with their DNS
• The data breach at PowerSchool and other niche SaaS providers
• Academic research proposes taking down Europe’s power grid
• Apple CPUs get a new speculative execution side channel
• And much, much more.

This week’s episode is sponsored by Push Security, who make an identity security product that runs inside browsers. Luke Jennings joins to discuss some of the pitfalls of federated authentication, like attackers using unexpected identity providers to log in to your apps.

This episode is also available on Youtube.

• SonicWall warns hackers targeting critical vulnerability in SMA 1000 series appliances | Cybersecurity Dive
• MasterCard DNS Error Went Unnoticed for Years – Krebs on Security
• Data breach hitting PowerSchool looks very, very bad - Ars Technica
• OpenAI rival DeepSeek limits registration after ‘large-scale malicious attacks’ | The Record from Recorded Future News
• Hackers imitate Kremlin-linked group to target Russian entities | The Record from Recorded Future News
• UK to examine undersea cable vulnerability as Russian spy ship spotted in British waters | The Record from Recorded Future News
• Questions grow over whether Baltic Sea cable damage was sabotage or accidental | The Record from Recorded Future News
• Researchers say new attack could take down the European power grid - Ars Technica
• At least $69 million stolen from crypto platform Phemex in suspected cyberattack | The Record from Recorded Future News
• BreachForums admin to be resentenced after appeals court slams supervised release | The Record from Recorded Future News
• Apple chips can be hacked to leak secrets from Gmail, iCloud, and more - Ars Technica
• Apple fixes zero-day flaw affecting all devices | TechCrunch
• I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny
• Government websites vanish under Trump, from the Constitution to DEI
• Trail of Bits: Director, Technical Marketing
• Push Security: Security Researcher (remote in the USA)

In this sponsored Soap Box edition of the show Patrick Gray talks to Island CEO Michael Fey about some of the cool tricks in the Island enterprise browser. You can use it to tick off so many compliance boxes, and not just cybersecurity boxes.

This is largely a conversation about compliance, but it’s actually interesting and fun. These are words we never thought we’d type!

You can find Island at https://island.io/

This episode is also available on Youtube.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• The SEC’s cyber incident reporting isn’t very exciting after all
• China Telecom on the way to being thrown out of the US
• The NSA/Cybercom might get two separate hats
• The Cl0p ransomware crew are back and taking responsibility for the Cleo hacks
• (Yet another) File upload bug in Struts makes Java admins weep
• And much, much more.

This episode is sponsored by SpecterOps, who run a pretty top notch offsec/pentest team when they’re not busy making the Bloodhound Enterprise identity attack path enumeration software. SpecterOps’ Robby Winchester joins to talk about how pentest has changed, and how their customers get value from their testing.

This episode is also available Youtube.

• SEC cyber incident reporting rule generates 71 filings in 11 months | Cybersecurity Dive
• US senators, green groups call for accountability over hacking of Exxon critics | Reuters
• Biden Administration Takes First Step to Retaliate Against China Over Hack - The New York Times
• Unfinished business for Trump: Ending the Cyber Command and NSA 'dual hat' | The Record from Recorded Future News
• EU opens investigation into TikTok and the Romanian election – POLITICO
• Clop ransomware claims responsibility for Cleo data theft attacks
• CISA warns of ransomware gangs exploiting Cleo, CyberPanel bugs | The Record from Recorded Future News
• CVE-2024-55956 | AttackerKB
• Apache issues patches for critical Struts 2 RCE bug • The Register
• Japanese game and anime publisher reportedly pays $3 million ransom to Russia-linked hackers | The Record from Recorded Future News
• Israeli spyware firm Paragon acquired by US investment group, report says | Reuters
• How Cryptocurrency Turns to Cash in Russian Banks – Krebs on Security
• Arizona man arrested for alleged involvement in violent online terror networks | CyberScoop
• Russia bans Viber, claiming app facilitates terrorism and drug trafficking | The Record from Recorded Future News

In this edition of the Wild World of Cyber podcast Patrick Gray sits down with SentinelOne’s Chief Intelligence and Public Policy Officer Chris Krebs to talk all about Chinese cyber operations.

They look at the Salt Typhoon and Volt Typhoon campaigns, the last 20 years of Chinese operations, and the evolution of the cyber roles of China’s Ministry of State Security and People’s Liberation Army.

It’s a very dense hour of conversation!

This podcast was recorded in front of an audience at the Museum of Contemporary Art in Sydney.

This episode is also available on Youtube.

In this interview Patrick Gray talks to Yubico’s COO and President Jerrod Chong about a new Yubikey feature: pre-registration.

You can now ship pre-registered Yubikeys to your staff so you don’t need to rely on your staff to enrol them. They’ve achieved this with really slick Okta and Entra ID integrations.

Jerrod also talks about a recent trip to Singapore and concerns he has about the cybersecurity of critical infrastructure in the energy sector.