This weeks we discuss the UK's latest attempt to force backdoors into end to end encryption, India's 6 hour reporting mandate is a failure, and how much will getting breached cost you?  It's less than you think!  Unfortunately.

Article 1 - The UK's bad encryption law can't withstand global contemptSupporting Articles:Does a Constitution-free zone really exist in America?Online Safety Bill - UK Parliament

Article 2 - India's absurd infosec reporting rules get just 15 followers

Article 3 - You've been pwned, how much will each stolen customer SSN cost you? How about $7.5k?Supporting Articles:YOUR SOCIAL SECURITY NUMBER IS WORTH LESS THAN A SNICKERS BARThe Unexpected Costs of Identity TheftSupreme Court Cuts Exxon Valdez Oil Spill DamagesExxon Valdez Oil Spill Class Action

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

We discuss The Red Report, a malware focused report from Picus Security.  They analyzed just over half a million malware samples from 2022, and came up with a list of the top ten MITRE ATT&CK techniques seen, and give a VERY DETAILED report on how to catch them.

If you're in IR, Content Development, Threat Hunting, or a Security Operations Analyst, this report is AWESOME.  Highly recommended!

If you're in Vulnerability Management, Risk and Compliance, or strategy, it's less useful.  Very nuts and bolts.  

Report Link - The Picus Red Report 2023 Reveals Most Common MITRE ATT&CK Techniques

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

We discuss women in cybersecurity companies vs on the dark side, the new CyberSecurity Strategy from the White house, and a re-written Smart Contract to get back some stolen cash

Article 1 - Per a court order, Oasis rewrites the rules for Jump Crypto to recover stolen assets

Article 2 - Where are the women in cyber security? On the dark side, study suggestsSupporting Articles:Women in the tech industry: Gaining ground, but facing new headwindsWomen Are Nearly Half of U.S. Workforce but Only 27% of STEM WorkersWomen in the Labor Force

Article 3 - National Cybersecurity Strategy Document: What you need to knowSupporting Articles:FACT SHEET: Biden-⁠Harris Administration Announces National Cybersecurity StrategyNew National Cybersecurity Strategy

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

Had to separate those out, because obviously CISOs aren't human!  No more than Vendors are.  Just kidding!  Here we discuss Gartner's predictions for 2023, the stresses on CISOs (and their surprising low salaries, comparatively), the recent GoDaddy breaches, and finally new ATT&CK Roadmap for 2023!

Article 1 - Predicts 2023: Cybersecurity Industry Focuses on the Human Deal by Gartner®

Article 2 - 1 in 4 CISOs Wants to Say Sayonara to Security

Article 3 - GoDaddy: Hackers stole source code, installed malware in multi-year breach

Article 4 - 2023 ATT&CK Roadmap

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

More AI Discussion!  Yay!  We discuss how Amazon is putting tape guardrails around Chat GPT and where Daniel Miessler thinks AI will drive value in the future.  There are other articles too, I guess.  We discuss Central Bank Digital Currencies briefly, and a ransomware attack that cost a downstream provider $250 million.

Article 1 - ChatGPT Is Ingesting Corporate Secrets

Article 2 - Custom Models Are AI’s Killer App

Article 3 - Rep. Tom Emmer introduces anti-CBDC bill

Article 4 - Chip company loses $250m after ransomware hits supply chain

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

We discuss how much IT staff for gangs make, the NSA asking congress to re-auth it to spy on the world, and swatting targeting Board Members and C-levels, with added snark.

Article 1 - The wages of sin aren't that great if you're a developer choosing the dark sideSupporting Article:Come to the dark side: hunting IT professionals on the dark web

Article 2 - NSA asks Congress to let it get on with that warrantless data harvesting, againSupporting Articles:Section 702 Basics InfographicDecoding 702: What is Section 702?‘Incidental,’ Not Accidental, CollectionRemember the FBI's promise it wasn’t abusing the NSA’s data on US peeps? Well, guess what…

Article 3 - Surge of swatting attacks targets corporate executives and board membersSupporting Article:Inside the Global Fight for White Power

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

In this episode, we discuss Ransomware affecting ships and 3rd party service organizations, new cyberinsurance requirements around MFA and service account, supply chain woes, and finally, attackers getting fancy with MS Verified Publisher status!

Article 1 - Ransomware severs 1,000 ships from on-shore serversSupporting Articles:The Untold Story of NotPetya, the Most Devastating Cyberattack in HistoryTesting Autonomous Remote Control of Ships in Singapore

Article 2 - Tackling the New Cyber Insurance Requirements: Can Your Organization Comply?

Article 3 - Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appearsSupporting Articles:Open Software Supply Chain Attack Reference (OSC&R)OpenVEX Specification

Article 4 - Attackers abuse Microsoft’s 'verified publisher' status to steal dataSupporting Articles:How to defend against OAuth-enabled cloud-based attacksProtect against consent phishingAudit apps and consented permissions

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

Once again, we dip our toes into another report, in constant hope of finding one worth the time it takes to read!

This is one of the better ones, due to approximately half a page on page 30.  What's on that page?  Well, either listen or go to the report and see!

Report Link - Global Threat Intelligence Report

Original Article we briefly discuss - BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

Snark abounds in this episode, where we discuss the rich folks at Davos getting a briefing on ransomware, ransomware takings down year over year, passkey moving to replace passwords, and Lastpass breach worse again as Goto was also included!

Article 1 - Ransomware revenue significantly down over 2022Supporting Articles:Anja Shortland on KidnapFBI 2022 Congressional Report on BEC and Real Estate Wire Fraud

Article 2 - How passkeys are changing authenticationSupporting Articles:Secure Quick Reliable LoginPasskeys

Article 3 - View from Davos: The Changing Economics of CybercrimeSupporting Articles:Exposed: Child labour behind smart phone and electric car batteriesHow a big US bank laundered billions from Mexico's murderous drug gangsEconomic Policy: Thoughts for Today and Tomorrow

Article 4 - GoTo revealed that threat actors stole customers’ backups and encryption key for some of themSupporting Articles:GoTo Says Hackers Stole Encrypted Backups, MFA SettingsGoTo Encrypted Backups Stolen in LastPass Breach

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

In our continual search for the most useful Information Security Report, chock full of insight and wisdom, we review the Talos Inaugural Year In Review Report for 2022.  

Spoiler alert - It's mid.  

Report Link - Talos Year in Review 2022

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!