
Below the Surface (Audio) - The Supply Chain Security Podcast
A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions.
Episodes
FortiBleed Uncovered: How Attackers Harvest Credentials from Fortinet Devices - BTS #77
In this episode, we delve into the recent FortiBleed campaign, exploring how attackers harvest credentials from Fortinet devices, the vulnerabilities in password management, and best practices for defenders to mitigate such threats. Key topics FortiBleed campaign details and impact Password hash vulnerabilities in FortiOS AI's role in analyzing large security breaches Credential harvesting techn
Binwalk, Brickstorm, AI Model Madness - BTS #76
summary In this episode of Below the Surface, Paul Asadoorian, Chase Snyder, and Vlad Babkin discuss the implications of AI in cybersecurity, the challenges posed by AI guardrails, and the operational risks associated with applying patches. They also explore vulnerabilities in security tools like Binwalk, the complexities of firmware update tools, and the importance of transparency in software si
Secure Boot Certificates Expiring: What You Need to Know - BTS #75
In this episode of Below the Surface, the team discusses recent cybersecurity trends, including the Verizon DBIR 2026 report, secure boot certificate expirations, and the evolving threat landscape with AI and hardware vulnerabilities. They explore how organizations can adapt their defense strategies to stay ahead of attackers and share insights on supply chain security and malware analysis. http
YellowKey, CVE Enrichment, Chipmaker Breach - BTS #74
In this episode, we explore recent vulnerabilities, the YellowKey BitLocker bypass, supply chain security, CVE data analysis, and the implications of hardware breaches like the one at Foxconn. We also delve into AI's role in vulnerability research and the evolving landscape of cybersecurity threats. Topics https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-
Uncovering Firmware Risks: From Y2K to Modern Malware - BTS #73
In this episode of Below the Surface, hosts Paul Asadoorian, Chase Snyder, and guest Brian Richardson explore the evolution of firmware security, the risks of supply chain vulnerabilities, and the latest threats targeting network edge devices like Cisco ASA and FTD. They discuss historical malware like the Chernobyl virus, modern malware campaigns such as Firestarter, and the challenges of securin
AI-Powered Firmware Hacking: The Future of Vulnerability Discovery - BTS #72
In this episode, the hosts explore the latest in cybersecurity, including AI-driven vulnerability discovery, firmware analysis tools, secure boot complexities, and recent CVE trends. They discuss practical techniques for hacking devices, the challenges of firmware emulation, and the implications of new security policies on consumer and enterprise hardware. Chapters 00:00 Introduction to Hacking an
What Makes a Device a Router? - BTS #71
summary In this episode, the hosts discuss the new FCC regulations regarding consumer routers, exploring the implications for cybersecurity, the definitions of what constitutes a router, and the challenges of manufacturing compliant devices. They delve into the debate surrounding the effectiveness of these regulations in mitigating cyber risks, the role of hardware versus software vulnerabilities
How Cheap KVMs Could Be Your Network's Weak Link - BTS #70
In this episode, we explore the security vulnerabilities of low-cost IP-based KVMs, including firmware flaws, default credentials, and insecure update mechanisms. Two Eclypsium researchers, Paul and Rey, discovered the vulnerabilities and shared the details and behind-the-scenes details! We also discuss real-world testing, vendor responses, and best practices for securing remote management devices
Navigating Network Edge Vulnerabilities - BTS #69
In this episode of Below the Surface, Paul Asadoorian, Vlad Babkin, and Adrian Sanabria discuss the ongoing vulnerabilities in network edge devices, the implications of legacy systems like Avanti, and the strategies employed by threat actors. They explore the importance of monitoring and detection in cybersecurity, as well as innovative deception techniques to enhance security measures against exp
Attacking Power Grids - BTS #68
In this episode, the hosts discuss various cybersecurity threats, including Russian cyber attacks on critical infrastructure, the vulnerabilities in firewalls and VPNs, and the implications of AI in cybersecurity. They explore the increasing trend of using Python for malicious purposes and the challenges posed by gaming anti-cheat drivers. The conversation also touches on the escalation of cyber w
BIOS Password Cracking, Secure Boot, and Stackwarp - BTS #67
In this episode, the hosts discuss various cybersecurity topics, including the challenges of BIOS password cracking, the implications of AMD's Stack Warp vulnerability, and the importance of up-to-date secure boot certificates. They also explore the risks associated with network security appliances, the costs of cybersecurity, and the role of marketing in raising awareness. Additionally, they shar
Beyond the Label: The Truth About Hardware Trust - BTS #66
In this episode of Below the Surface, host Paul Asadoorian is joined by co-hosts Larry Pesci, Joshua Marpet, and Vlad Babkin to delve into the complexities of hardware supply chain security. The discussion is sparked by a presentation from Andrew 'Bunny' Wong at Black Hat Asia, which raised critical questions about how we can trust the silicon in our devices. The conversation explores the challeng
Exploring AI in Firmware Analysis - BTS #65
Summary In this episode, special guest Matt Brown joins us to discuss the integration of AI in firmware analysis, exploring its benefits and challenges. We delve into the transition from traditional methods to AI-driven approaches, emphasizing the importance of prompt specificity for effective vulnerability discovery. The conversation also covers the role of open-source components, the need for gu
Patching, Evil AI, Supply Chain Breaches - BTS #64
Summary In this episode, the hosts discuss various cybersecurity topics, including recent vulnerabilities in Fortinet products, the implications of supply chain breaches, the evolving role of AI in cybersecurity, and updates to the OWASP Top 10 list. They emphasize the importance of firmware security and the need for better visibility and standards in the industry. The conversation highlights the
F5 Breach, Linux Malware, and Hacking Banks - BTS #63
Summary In this episode of Below the Surface, Paul Asadoorian and Chase Snyder delve into various cybersecurity topics, including the use of Raspberry Pi in cyber attacks, the implications of the F5 breach, and the emergence of Polar Edge malware targeting QNAP devices. They also discuss the innovative Two-Face Rust binary technique, the critical nature of authentication bypass vulnerabilities,
Unpacking the F5 Breach, Framework UEFI Shells - BTS #62
In this episode, the hosts discuss the recent F5 breach, exploring the implications of the attack, the tactics used by threat actors, and the importance of vulnerability disclosure. They delve into the complexities of securing network edge devices, the challenges posed by Linux security, and the need for standardization in security practices. The conversation also touches on the future of firmware
Red November, Cisco Vulnerabilities, and Supply Chain Security - BTS #61
In this episode of Below the Surface, the hosts discuss various cybersecurity topics, including the Red November campaign targeting network edge devices, the implications of the Cisco SNMP vulnerability, and the recent vulnerabilities associated with Cisco ASA devices. They also delve into the hybrid Petya ransomware and its connection to supply chain security, emphasizing the need for better visi
HybridPetya and UEFI Threats - BTS #60
In this episode of Below the Surface, the hosts discuss various cybersecurity topics, including the evolution of malware with a focus on Hybrid Petya, the implications of UEFI vulnerabilities, and the security risks associated with Windows 10's end of life. They also explore the vulnerabilities of Cisco ASA devices, the rise of supply chain attacks exemplified by NPM worms, and the persistent thre
Exploit Marketplaces - BTS #59
In this episode of Below the Surface, host Paul Asadoorian speaks with Evan Dornbush, CEO of Desired Effect, about the evolving landscape of exploit marketplaces and vulnerability research. They discuss the challenges researchers face in monetizing their findings, the ethical implications of selling exploits, and the importance of timely intelligence for defenders. The conversation also touches on
UEFI Vulnerabilities and Hardware Risks - BTS #58
In this episode, the hosts discuss various cybersecurity topics, focusing on hardware vulnerabilities, UEFI attack vectors, and the implications of new regulations on device security. They explore the evolution of Mirai variants targeting IoT devices and the challenges of securing firmware. The conversation highlights the need for improved security measures and the complexities of managing vulnera
Interview with Brian Mullen from AMI - BTS #57
In this episode of Below the Surface, host Paul Asadoorian is joined by Brian Mullen, head of SSDLC at AMI, to discuss the complexities of supply chain and firmware security. They explore the challenges of maintaining security in a complicated supply chain, the importance of proactive and reactive security measures, and the implications of end-of-life software. The conversation also touches on the
BTS #56 - Vulnerabilities & Backdoors In IT Infrastructure
In this episode, the hosts discuss various cybersecurity topics, focusing on Nvidia vulnerabilities, the implications of backdoors in technology, and the importance of secure boot and certificate management. They also delve into SonicWall's security challenges and the ongoing debate of building versus buying security solutions, particularly in the context of AI infrastructure and cloud services. A
Netgear, Gigabyte, and Rowhammer Vulnerabilities - BTS #55
In this episode of Below the Surface, the hosts discuss critical cybersecurity topics including vulnerabilities in Netgear and Gigabyte devices, the importance of asset inventory, and the implications of Row Hammer attacks on memory integrity. They emphasize the need for organizations to implement compensating controls and monitor for potential threats, especially in the context of supply chain se
CVE-2024-54085: The First of Its Kind - BTS #54
In this episode, the hosts delve into the critical vulnerabilities associated with Baseboard Management Controllers (BMCs), with a particular focus on CVE-2024-54085. They discuss the ease of exploitation, the potential threat actors involved, and the implications for data center security. The conversation highlights the challenges in detecting and mitigating these vulnerabilities, the importance
Exploring the Evolution of Zero Trust - BTS #53
In this episode, the hosts discuss the evolving landscape of AI infrastructure security, focusing on the complexities of building and maintaining AI data centers. They explore the critical role of Baseboard Management Controllers (BMCs) as an attack surface, the importance of supply chain security, and best practices for hardware procurement. The conversation underscores the importance of validati
Securing the Future of AI Infrastructure - BTS #52
In this episode, the hosts discuss the evolving landscape of AI infrastructure security, focusing on the complexities of building and maintaining AI data centers. They explore the critical role of Baseboard Management Controllers (BMCs) as an attack surface, the importance of supply chain security, and best practices for hardware procurement. The conversation underscores the importance of validati
When Windows 10 Expires - BTS #51
In this episode, the hosts discuss the impending end of life for Windows 10 and the necessary preparations for upgrading to Windows 11. They explore the specific hardware requirements for Windows 11, including the importance of Secure Boot and TPM 2.0, and the challenges enterprises face in managing large-scale migrations. The conversation underscores the importance of meticulous planning to preve
SBOMs, HBOMs, and Supply Chain Visibility - BTS #50
Summary In this episode, Paul Asadoorian and Joshua Marpet delve into the complexities of compliance, inventory management, and the emerging concepts of SBOMs, HBOMs, and FBOMs (no, not that FBOM). They discuss the importance of understanding the components and origins of hardware and software, the challenges of managing technology lifecycles, and the need for clear standards and regulations in th
The Hidden Risks of Open Source Components - BTS #49
In this episode, Paul Asadorian and Josh Bressers delve into the complexities of open source supply chain security, discussing the prevalence of open source components in modern software, the challenges posed by legacy systems, and the critical importance of vulnerability management. They explore the regulatory landscape surrounding software liability and the need for better tools and practices to
Hardware Hacking Tips & Tricks - BTS #48
In this episode, Paul and Chase delve into the world of hardware hacking, focusing on devices like the Flipper Zero and ESP32. They discuss the various applications of these tools, their impact on awareness in the hacking community, and the security implications surrounding their use. The conversation also touches on vulnerabilities in hotel security systems, challenges in remediating legacy syste
BMC&C Part 3 - BTS #47
In this episode, Paul Asadoorian, Vlad Babkin, and Chase Snyder delve into the latest vulnerability disclosures related to Baseboard Management Controllers (BMCs), specifically focusing on AMI Megarac and Redfish. They discuss the nature of the vulnerabilities, the discovery process, and the potential impacts of a BMC compromise. The conversation highlights the importance of understanding BMCs in
Black Basta - Threat Intelligence Insights - BTS #46
In this episode, Paul Asadoorian, Vlad Babkin, and Chase Snyder delve into the recent leaks from the Black Basta ransomware group, exploring the implications of the leaked chat logs, the operational tactics of the group, and the evolving landscape of ransomware attacks. The conversation highlights the importance of understanding threat intelligence derived from these leaks, the significance of tar
Understanding Firmware Vulnerabilities in Network Appliances - BTS #45
In this episode, Paul, Vlad, and Chase discuss the security challenges of Palo Alto devices and network appliances. They explore the vulnerabilities present in these devices, the importance of best practices in device management, and the need for automatic updates. The conversation highlights the evolving nature of firmware vulnerabilities and the necessity for compensating controls to mitigate ri
Network Appliances: A Growing Concern - BTS #44
In this episode, Paul Asadorian and Chase Snyder discuss the latest security threats and vulnerabilities affecting network appliances, particularly focusing on Avanti and Fortinet platforms. They explore the increasing risks associated with these devices, the need for improved security standards, and the challenges of risk management and visibility in network security. The conversation emphasizes
CVE Turns 25 - BTS #43
In this episode, Paul Asidorian, Alec Summers, and Lisa Olson discuss the 25th anniversary of the CVE program, its evolution, and the importance of transparency in vulnerability management. They explore the history of CVE, the process of creating CVE records, and the role of CNAs in ensuring accountability. The conversation also addresses challenges related to end-of-life software vulnerabilities
The China Threat - BTS #42
In this episode, Paul Asadoorian, Allan Alford, and Josh Corman discuss the growing threat posed by China, particularly in the context of cyber operations and geopolitical ambitions. They explore the implications of China's strategies, the vulnerabilities in critical infrastructure, and the need for transparency and trust in digital systems. The conversation highlights the urgency of addressing th
Pacific Rim - BTS #41
In this episode, Paul Asadorian, Larry Pesce, and Evan Dornbusch delve into the recent Sophos reports on threat actors, particularly focusing on the Pacific Rim case. They discuss the implications of the findings, including the tactics used by attackers, the vulnerabilities in network devices, and the challenges of securing appliances. The conversation also highlights the importance of network det
Backdoors in Backdoors
In this episode, Paul Ascidorian and Matt Johansen discuss the recent targeted attacks by Chinese threat actors, particularly focusing on the Volt Typhoon group. They explore the implications of back doors in cybersecurity, the role of ISPs, and the ongoing tension between privacy and security. The conversation delves into historical contexts, the evolution of threat actor tactics, and the shared
The Art of Firmware Scraping - BTS #39
In this episode, Edwin Shuttleworth from Finite State discusses firmware security, insights from the GRRCON Security Conference, and the challenges of firmware analysis. The conversation covers various topics, including firmware scraping techniques, the IoT landscape, types of firmware, the importance of Software Bill of Materials (SBOMs), and emulation in firmware analysis. Edwin shares his exper
Vulnerability Tracking & Scoring - Patrick Garrity - BTS #38
In this episode of Below the Surface, host Paul Ascadorian and guest Patrick Garrity discuss the complexities of vulnerability tracking and prioritization. They explore various sources of vulnerability data, the significance of known exploited vulnerabilities, and the concept of weaponization in cybersecurity. The conversation delves into the challenges posed by supply chain vulnerabilities, the i
Firmware Reverse Engineering - Matt Brown - BTS #37
In this episode, Matt Brown joins the podcast to talk about firmware reverse engineering and supply chains. They discuss Matt's start in information security, his journey into hardware security, and the creation of his YouTube channel. They also explore the vulnerabilities and weaknesses in the supply chain of IoT devices and the challenges of extracting firmware from embedded Linux systems. Matt
Supply Chain Policies - Trey Herr, Stewart Scott - BTS #36
Stewart and Trey join us to talk about driving cybersecurity policies for the nation, what makes a good policy, what makes a bad policy, supply chain research and policies, and overall how we shape policies that benefit cybersecurity. Segment Resources: https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst/ https://www.atlanticcouncil.org/in-depth-r
The Known Exploited Vulnerability catalogue, aka the KEV - Tod Beardsley - BTS #35
Gain insights into the CISA KEV straight from one of the folks at CISA, Tod Beardsley. Learn how KEV was created, where the data comes from, and how you should use it in your environment. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Resource: https://cisa.gov/kev Show Notes: https://securityweekly.com/bts-35
EPSS - The Exploit Prediction Scoring System - Jay Jacobs, Wade Baker - BTS #34
Jay Jacobs Co-Founder and Data Scientist and Wade Baker Co-Founder; Data Storyteller from The Cyentia Institute come on the show to talk about The Exploit Prediction Scoring System (EPSS). This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-34
Securing OT Environments - Dr. Ed Harris - BTS #33
Ed Harris joins us to discuss how to secure OT environments, implement effective air gaps, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-33
Mitre ATT&CK - Adam Pennington - BTS #32
We discuss the various aspects of Mitre Att&ck, including tools, techniques, supply chain aspects, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-32
Managing Complex Digital Supply Chains - Cassie Crossley - BTS #31
Cassie has a long history of successfully managing a variety of security programs. Today, she leads supply chain efforts for a very large product company. We will tackle topics such as software supply chain management, SBOMs, third-party supply chain challenges, asset management, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!
Systems Of Trust - Robert Martin - BTS #30
Bob Martin comes on the show to discuss systems of trust, supply chain security and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-30
Supply Chains, Firmware, And Patching - Jason Kikta - BTS #29
Jason joins us to discuss the current enterprise landscape for defending against supply chain attacks, remediating firmware issues, and the current challenges with patch management. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-29
5G Hackathons - Casey Ellis - BTS #28
Casey recently was involved in an event that brought hackers and 5G technology together, tune-in to learn about the results and how we can use bug bounty programs to improve the security of "things". This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-28
Governance, Compliance, and The Digital Supply Chain - Josh Marpet - BTS #27
In this episode, we disccuss digital supply chain governance and compliance, featuring Josh Marpet from Guarded Risk, hosted by Paul Asadorian and Alan Alford. Specifically, we discuss: The importance of understanding and complying with regulations affecting digital supply chains, such as Executive Order 14028 and the NIST Cybersecurity Framework. The podcast highlighted the impact of EU regulati
What We Don't Know Will Hurt Us - Cheryl Biswas - BTS #26
Cheryl is super passionate about supply chain security and visibility. Tune in to our discussion on how we can collectively get better at reducing the attack surface and working to fix the wide variety of digital supply chain issues we have today. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-
Supply Chain Threats and Regulations - BTS #25
Paul and Allan will talk a little bit about Allan's background and current work at Eclypsium. Next, we'll cover some of the recent news and topics we've been discussing on our blog including Firewall and VPN appliance security struggles, Shim Shady, Glubteba and other malware targeting UEFI, and some thoughts on recent regulations affecting supply chains such as the EU CRA. This segment is sponsor
Managing Supply Chain Risk - Saša Zdjelar - BTS #24
Saša Zdjelar joins us on this episode to dive into how organizations can manage supply chain risk, including the current challenges we face and how best to deal with them. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-24
Closing The Supply Chain Visibility Gap - Dr. Olga Livingston - BTS #23
Short of ripping everything apart (hardware and software) and inspecting the components, which is very time-consuming, how do we solve the visibility gap in various supply chains? Dr. Olga Livingston from CISA joins us to discuss! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-23
SBOMs and Supply Chains - Allan Friedman - BTS #22
We sit down with the father of the SBOM, Allan Friedman, to discuss examples of where we really need SBOMs, how to operationalize SBOMs, and how to identify and deal with bad things that may be in your SBOM! CISA's resources on SBOM are at cisa.gov/SBOM and anyone can find out more or ask for a meeting at SBOM@cisa.dhs.gov This segment is sponsored by Eclypsium. Visit https://securityweekly.com/ec
Supply Chain Risk Management - David Vaughn - BTS #21
We talk about Supply Chain Risk Management in the context of the cloud and US federal government with David Vaughn. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-21
Network Device Supply Chains and Lateral Movement - Joe Hall - BTS #20
In this episode, we have the privilege of sitting down with renowned security expert Joe Hall to discuss three critical facets of modern cybersecurity: network device security, supply chain threats, and lateral movement. Join us as Joe Hall shares his wealth of knowledge and experience, unraveling the complexities of network device security, the invisible gatekeepers of our digital lives. Discover
A Year in Review on Offensive Security, Defensive Landscapes, and Global Implications - Tyler Robinson - BTS #19
In this episode, we delve into the dynamic world of supply chain security, recapping the significant developments of the past year. Join us as we explore the evolution of offensive security, defensive landscapes, and the key actors shaping the cybersecurity landscape. Our featured guest, Tyler Robinson, Founder and CEO of Dark Element, brings a wealth of expertise to the discussion. With a deep un
Defending Against Supply Chain Attacks - Bri Rolston - BTS #18
Bri has spent her career investigating and defending against critical infrastructure attacks. Hear her take on the current threat landscape, supply chain security, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-18
Protecting The Digital Supply Chain - Yuriy Bulygin - BTS #17
Dr. Yuriy Bulygin is the CEO and founder of Eclypsium, the digital supply chain security company. Prior to Eclypsium, Yuriy was Chief Threat Researcher at Intel Corporation. He is also the creator of CHIPSEC, the popular open-source firmware and hardware supply chain security assessment framework When enterprises started using CHIPSEC to find vulnerabilities, discover compromised firmware, or just
UEFI & The Digital Supply Chain - Dick Wilkins - BTS #16
Learn about the evolution of UEFI, various aspects of supply chain security surrounding UEFI, and the interactions between links in the supply chain that ultimately end up delivering you a computer or server. Segment Resources: https://uefi.org/sites/default/files/resources/What%20is%20UEFI-Aug31-2023-Final.pdf This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to
Reverse Engineering BMCs and Other Firmware - Vladyslav Babkin - BTS #15
Vlad is part of the Eclypsium research team and has discovered several flaws in BMC ecosystems. He comes on the show to talk about his journey and cover the details behind BMC vulnerabilities and attacks. Segment Resources: https://forum.defcon.org/node/245714 https://eclypsium.com/research/bmcc-lights-out-forever/ https://eclypsium.com/blog/supply-chain-vulnerabilities-put-server-ecosystem-at-ri
Protecting The Federal Supply Chain - John Loucaides - BTS #14
John Loucaides, SVP Strategy at Eclypsium, joins us on the show to discuss protecting the federal supply chain! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-14
Network Device Supply Chain Security - Nate Warfield - BTS #13
We dig into network devices/appliances, why they are still around, who is attacking them, and how. Just why are attackers using network devices in ransomware campaigns and how do we stop them? Tune-in to find out as Nate Warfield, Director of Threat Research and Intelligence at Eclypsium joins us for this episode! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium t
Dealing with The Digital Supply Chain - Ramy Houssaini - BTS #12
Ramy Houssaini joins us to discuss the challenges enterprises face when dealing with supply chain threats, risks and vulnerabilities. We'll explore how to identify cybersecurity gaps in your various supply chains, discuss real-world examples such as Log4j and more! Show Notes: https://securityweekly.com/bts-12
SCRM and Supply Chain Security Up and Down the Stack - Steve Orrin - BTS #11
Supply Chain threats and industry / government initiatives like EO 14028 are driving a deeper understanding and a set of requirements for applying supply chain risk management (SCRM) and increased transparency (ex. SBOM) across the software ecosystem up and down the stack. Platform and system firmware present unique challenges for supply chain assurance from the depths of the stack. Segment Reso
Learning About Firmware Security - Xeno Kovah - BTS #10
Firmware security is a deeply technical topic, that's hard to get started in. In this talk, Xeno will discuss some past work in firmware security, and how he has organized resources such as a low level timeline (with over 300 talks), and free MOOC classes, to help teach people about firmware security. Segment Resources: https://ost2.fyi https://darkmentor.com/timeline.html Show Notes: https://se
Accidentally Learning about Security: From Firmware to the Cloud, Brian Richardson - BTS #9
Brian Richardson didn't start out wanting to do marketing or computer security... but after starting his career as a BIOS programmer, he tripped and fell into technical marketing (aka "Binary to English translator"). Brian's here to talk about the importance of hardware & firmware security in a SaaS world. Segment Resources: https://www.youtube.com/watch?v=I2FwiEH6dg4 https://www.youtube.com/watc
BTS #8 - Richard Hughes
The LVFS is a project used by over 130 different vendors, from all positions of the supply chain. It decompresses, decompiles, then analyses firmware looking for issues, and then automatically builds a SBoM for each download. Segment Resources: https://fwupd.org/ https://github.com/fwupd Show Notes: https://securityweekly.com/bts8
Nicholas Starke - BTS #7
Discuss current events in firmware security, such as the techniques utilized in BlackLotus. We will compare Baton Drop with Grub2 capabilities. Segment Resources: https://starkeblog.com/ Show Notes: https://securityweekly.com/bts7
BTS #6 - Vincent Zimmer
This session will provide an overview of the history of host firmware, or BIOS, focusing on the arc of the Unified Extensible Firmware Interface. It will include the development of defenses like UEFI Secure Boot and the challenges in scaling assurance across a broad ecosystem. It will close on works-in-progress and opportunities to build upon the school-of-hard-knocks learnings in this space. Show
BTS #5 - Community Insights: Supply Chain Threats, Critical Firmware Attacks, and more!
In this edition of Below The Surface, we discuss insights Scott collected from various members of our community. Topics include supply chain threats, critical firmware attacks, and more! We also welcome special guest Tyler Robinson! View the full report here: https://eclypsium.com/2022/12/13/december-firmware-threat-report/ This segment is sponsored by Eclypsium. Visit https://securityweekly.co
BTS #4 - Supply Chain Threats, Vulnerable Drivers, OpenSSL Vulnerabilities, and more!
Paul and Scott talk about supply chain threats, vulnerable drivers, leaked source code and keys, and cover what we know about the OpenSSL 3.x vulnerability. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts4
BTS #3 - Inevitable Attacks, UEFI Vulnerabilities, and more!
This month Scott and Paul discuss the inevitability of attacks against certain sectors, UEFI vulnerabilities galore and so much more! Get the full report here: https://eclypsium.com/2022/10/03/september-firmware-threat-report/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts3
BTS #2 - Root Of Trust (Rot)
Paul and Scott break down the Root of Trust (RoT) and other highlights from the August 2022 Below The Surface Threat Report: https://eclypsium.com/2022/08/31/august-firmware-threat-report/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts2
BTS #1 - Firmware & Supply Chain Security
Paul Asadoorian and Scott Scheferman sit down to discuss this month's firmware and supply chain threat report. We cover some of the history and latest developments regarding Secure Boot security research, the threats we face securing the firmware supply chain, and some insights into threat actors targeting firmware. View the full report here: https://eclypsium.com/2022/07/27/july-firmware-threat-r
Recommended

The Theory of Psychoanalysis - Carl Jung

A Life Engineered

پادکست بهزاد بلور | Behzad Bolour's Podcast

The Rabbit Hole: Conspiracy Theories

The Swerve Podcast: Obscure Topics | Conspiracy Theories

The Bread and Banter Podcast

The Conspiracy Podcast

Cult of Conspiracy

Dispatches from Reality

The Conspiracy Files

TechnoSnobCast

The Young and Called Podcast .