About the show
Security Conversations covers the business of cybersecurity, from the lens of veteran journalist and storyteller Ryan Naraine. Thoughtful conversations with security practitioners on threat intelligence, zero trust, securing cloud deployments, penetration testing, bug bounties, advancements in offensive research and targeted malware espionage activity.
Connect with Ryan on Twitter (Open DMs).
Security Conversations on social media
Episodes
-
Costin Raiu: The GReAT exit interview
January 15th, 2024 | 1 hr 32 mins
apt research, nation-state, zero-day
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.
In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.
-
Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers
January 5th, 2024 | 34 mins 7 secs
china, danny adamitis, lumen technologies, volt typhoon
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.
Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.
-
Allison Miller talks about CISO life, protecting identities at scale
December 21st, 2023 | 38 mins 12 secs
ciso, iam, identity, ransomware
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.
In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.
-
Rob Ragan on the excitement of AI solving security problems
December 7th, 2023 | 51 mins 16 secs
artificial intelligence, automation, bug bounties, generative-ai, llms
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the leapfrog potential of AI models and their impact on various aspects of technology and society.
-
Seth Spergel on venture capital bets in cybersecurity
November 21st, 2023 | 28 mins 56 secs
artificial intelligence, investments, merlin ventures, venture capital
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.
-
Dan Lorenc on fixing the 'crappy' CVE ecosystem
November 14th, 2023 | 41 mins 45 secs
chainguard, cve, sboms, supply chain, venture capital
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.
-
Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers
November 7th, 2023 | 31 mins 27 secs
cisco talos, nation-state apts, psoas, ransomware
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.
-
Allison Nixon on disturbing elements in cybercriminal ecosystem
November 1st, 2023 | 48 mins 39 secs
lapsu$, ransomware, scattered spider, the-com
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.
-
Dakota Cary on China's weaponization of software vulnerabilities
September 15th, 2023 | 55 mins 48 secs
apts, atlantic council, china, nation-state
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.
In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, nation state-backed threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.
-
Abhishek Arya on Google's AI cybersecurity experiments
September 12th, 2023 | 33 mins 27 secs
google, open source software, openssf, oss-fuzz, supply chain
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.
In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.
-
Dr Sergey Bratus on the 'citizen science' of hacking
August 31st, 2023 | 40 mins 2 secs
amp, darpa, dartmouth, parsers, pdf, safedocs
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.
-
DARPA's Perri Adams on CTF hacking, new $20M AI Cyber Challenge
August 20th, 2023 | 26 mins 47 secs
ai cyber challenge, aixcc, darpa, def con ctf, rpisec
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.