Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode, we explore recent vulnerabilities, the YellowKey BitLocker bypass, supply chain security, CVE data analysis, and the implications of hardware breaches like the one at Foxconn. We also delve into AI's role in vulnerability research and the evolving landscape of cybersecurity threats. Topics        Chapters 00:00 Introduction to Vulnerability Research and AI 03:42 NIST and CVE Growth Challenges 06:46 Building Tools for CVE Analysis 10:58 The Complexity of CVSS Scoring 15:08 CISA's Role in Vulnerability Enrichment 18:06 Challenges in CWE and CPE...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode of Below the Surface, hosts Paul Asadoorian, Chase Snyder, and guest Brian Richardson explore the evolution of firmware security, the risks of supply chain vulnerabilities, and the latest threats targeting network edge devices like Cisco ASA and FTD. They discuss historical malware like the Chernobyl virus, modern malware campaigns such as Firestarter, and the challenges of securing complex network infrastructure in a rapidly evolving threat landscape. Links: https://www.linkedin.com/news/story/white-house-pushes-back-on-anthropics-mythos-expansion-8741242/ ...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode, the hosts explore the latest in cybersecurity, including AI-driven vulnerability discovery, firmware analysis tools, secure boot complexities, and recent CVE trends. They discuss practical techniques for hacking devices, the challenges of firmware emulation, and the implications of new security policies on consumer and enterprise hardware. Chapters 00:00 Introduction to Hacking and Security Updates 03:24 Exploring Samsung TV Hacking 06:34 AI in Vulnerability Research 11:17 The Role of AI in Exploiting Vulnerabilities 15:18 CVE Disclosure and Ethical Considerations 20:43 AI...

Below the Surface (Audio) - The Supply Chain Security Podcast

 summary In this episode, the hosts discuss the new FCC regulations regarding consumer routers, exploring the implications for cybersecurity, the definitions of what constitutes a router, and the challenges of manufacturing compliant devices. They delve into the debate surrounding the effectiveness of these regulations in mitigating cyber risks, the role of hardware versus software vulnerabilities, and the potential impact on consumers and existing devices in homes. In this conversation, the hosts discuss the implications of the FCC's decision to decertify routers and firmware, the...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode, we explore the security vulnerabilities of low-cost IP-based KVMs, including firmware flaws, default credentials, and insecure update mechanisms. Two Eclypsium researchers, Paul and Rey, discovered the vulnerabilities and shared the details and behind-the-scenes details! We also discuss real-world testing, vendor responses, and best practices for securing remote management devices in enterprise environments. Chapters 00:00 Introduction to KVM Vulnerabilities 03:00 Research Background and Team Introduction 05:57 Exploring GLINet and Initial Findings 09:03 Firmware Analysis and...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode of Below the Surface, Paul Asadoorian, Vlad Babkin, and Adrian Sanabria discuss the ongoing vulnerabilities in network edge devices, the implications of legacy systems like Avanti, and the strategies employed by threat actors. They explore the importance of monitoring and detection in cybersecurity, as well as innovative deception techniques to enhance security measures against exploitation. In this conversation, the speakers delve into various aspects of cybersecurity, including innovative strategies to enhance security, the challenges posed by vendor cooperation, the...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode, the hosts discuss various cybersecurity threats, including Russian cyber attacks on critical infrastructure, the vulnerabilities in firewalls and VPNs, and the implications of AI in cybersecurity. They explore the increasing trend of using Python for malicious purposes and the challenges posed by gaming anti-cheat drivers. The conversation also touches on the escalation of cyber warfare and the confused deputy problem in AI, highlighting the need for better security measures and awareness in the industry. Chapters   00:00 Introduction to Cybersecurity Threats 02:52...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode, the hosts discuss various cybersecurity topics, including the challenges of BIOS password cracking, the implications of AMD's Stack Warp vulnerability, and the importance of up-to-date secure boot certificates. They also explore the risks associated with network security appliances, the costs of cybersecurity, and the role of marketing in raising awareness. Additionally, they share insights from an X-ray analysis of USB cables, highlighting the differences between quality and counterfeit products.   BIOS password cracking can be complex and time-consuming. Physical...

Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode of Below the Surface, host Paul Asadoorian is joined by co-hosts Larry Pesci, Joshua Marpet, and Vlad Babkin to delve into the complexities of hardware supply chain security. The discussion is sparked by a presentation from Andrew 'Bunny' Wong at Black Hat Asia, which raised critical questions about how we can trust the silicon in our devices. The conversation explores the challenges of validating hardware components, the potential for backdoors in devices, and the implications of counterfeit components in the supply chain. The hosts share anecdotes and insights about their...

Below the Surface (Audio) - The Supply Chain Security Podcast

Summary In this episode, special guest Matt Brown joins us to discuss the integration of AI in firmware analysis, exploring its benefits and challenges. We delve into the transition from traditional methods to AI-driven approaches, emphasizing the importance of prompt specificity for effective vulnerability discovery. The conversation also covers the role of open-source components, the need for guardrails in AI use, and the implications of AI-generated reports in cybersecurity. Additionally, they touch on man-in-the-middle techniques and the future of AI in firmware development, highlighting...