On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news with special guest Rob Joyce, a Former Special Assistant to the US President and Director of Cybersecurity for NSA.

They talk through:

• A realistic bluetooth-proximity phishing attack against Passkeys
• A very patient ransomware actor encrypts an entire enterprise with a puny linux webcam processor
• The ESP32 backdoor that is neither a door nor at the back
• The X DDoS that Elon said was Ukraine is claimed by pro-Palestinian hacktivists
• Years later, LastPass hackers are still emptying crypto-wallets
• …and it turns out North Korea nailed {Safe}Wallet with a malicious docker image. Nice!

Rob Joyce recently testified to the US House Select Committee on the Chinese Communist Party, and he explains why DOGE kicking probationary employees to the curb is “devastating” for the national security staff pipeline.

This week’s episode is sponsored by SpecterOps, makers of the Bloodhound identity attack path mapping tool. Chief Product Officer Justin Kohler and Principal Security Researcher Lee Chagolla-Christensen discuss their pragmatic approach to disabling NTLM authentication in Active Directory using Bloodhound’s insight.

This episode is also available on Youtube.

• CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers | Tobia Righi - Security Researcher
• Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security
• Camera off: Akira deploys ransomware via webcam
• Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices
• Alleged Co-Founder of Garantex Arrested in India – Krebs on Security
• 37K+ VMware ESXi instances vulnerable to critical zero-day | Cybersecurity Dive
• Apple patches 0-day exploited in “extremely sophisticated attack” - Ars Technica
• What Really Happened With the DDoS Attacks That Took Down X | WIRED
• Eleven11bot estimates revised downward as researchers point to Mirai variant | Cybersecurity Dive
• Previously unidentified botnet infects unpatched TP-Link Archer home routers | The Record from Recorded Future News
• Safe.eth on X: "Investigation Updates and Community Call to Action" / X
• How to verify Safe{Wallet} transactions on a hardware wallet | Safe{Wallet} Help Center and Support.
• US charges Chinese nationals in cyberattacks on Treasury, dissidents and more | The Record from Recorded Future News
• Former top NSA cyber official: Probationary firings ‘devastating’ to cyber, national security | CyberScoop
• U.S. pauses intelligence sharing with Ukraine used to target Russian forces - The Washington Post

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• Did the US decide to stop caring about Russian cyber, or not?
• Adam stans hard for North Korea’s massive ByBit crypto-theft
• Cellebrite firing Serbia is an example of the system working
• Starlink keeps scam compounds in Myanmar running
• Biggest DDoS botnet yet pushes over 6Tbps

This week’s episode is sponsored by network visibility company Corelight. Vincent Stoffer, field CTO at Corelight joins to talk through where eyes on your network can spot attackers like Salt and Volt Typhoon.

This episode is also available on Youtube.

• Sygnia Preliminary Bybit Investigation Report
• Verichains Bybit Incident Investigation Preliminary Report
• North Koreans finish initial laundering stage after more than $1 billion stolen from Bybit | The Record from Recorded Future News
• Risky Bulletin: Trump administration stops treating Russian hackers as a threat - Risky Business
• Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? (Story updated)
• Russia to redeploy resources freed up by end of war in Ukraine, warns Finnish intelligence | The Record from Recorded Future News
• FBI urges crypto community to avoid laundering funds from Bybit hack | The Record from Recorded Future News
• Risky Bulletin: Cellebrite bans bad boy Serbia - Risky Business
• Belgium probes suspected Chinese hack of state security service | The Record from Recorded Future News
• Gabbard: UK demand to Apple for backdoor access is 'grave concern' to US | The Record from Recorded Future News
• Elon Musk’s Starlink Is Keeping Modern Slavery Compounds Online | WIRED
• U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason” – Krebs on Security
• Google Password Manager finally syncs to iOS—here’s how - Ars Technica
• Gmail Security Alert: Google To Ditch SMS Codes For Billions Of Users
• Massive Iran-linked botnet launches DDoS attacks against telecom, gaming platforms | Cybersecurity Dive
• Microsoft-signed driver used in ransomware attacks | Cybersecurity Dive
• London member of ‘Com’ network convicted of making indecent images of children | The Record from Recorded Future News
• Volt Typhoon & Salt Typhoon Attackers Are Evading EDR: What Can You Do? | Corelight

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• North Korea pulls off a 1.5 billion dollar crypto heist
• Apple pulls Advanced Data Protection from the UK
• Black Basta ransomware gang’s internal chats leak
• Russians snoop on Signal with QR codes
• And Myanmar ships thousands of freed scam compound workers to Thailand

Regular guest Lina Lau joins to discuss her work reading Chinese incident response reports on WeChat, and how that has people thinking that … she outed the NSA?

This week’s episode is sponsored by Airlock Digital, and allow-listing tragics Daniel Schell and David Cottingham are along with an amusing tale of using Windows’ own allow-listing software to block EDR from loading.

This episode is also available on Youtube.

• Hackers drained $1.4 billion of cryptocurrency from Bybit exchange, CEO confirms | The Record from Recorded Future News
• CertiK - Bybit Incident Technical Analysis
• Hackers use ‘sophisticated’ macOS malware to steal cryptocurrency, Microsoft says | The Record from Recorded Future News
• EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war | The Record from Recorded Future News
• Sanctions: Iranians Flock to Crypto; Int'l Actions Target Russia - Chainalysis
• Apple turns off iCloud encryption feature in UK following reported government legal order | The Record from Recorded Future News
• Swedish authorities seek backdoor to encrypted messaging apps | The Record from Recorded Future News
• Leaked chat logs expose inner workings of secretive ransomware group - Ars Technica
• Russian state hackers spy on Ukrainian military through Signal app | The Record from Recorded Future News
• Meta Sues Alleged Violent Extortionist For Holding Instagram Accounts Hostage
• Weathering the storm: In the midst of a Typhoon
• Thailand to take in 7,000 rescued from illegal cyber scam hubs in Myanmar | The Record from Recorded Future News
• Genea confirms cyber breach after ‘unauthorised third party’ accesses data | news.com.au — Australia’s leading news site
• Managed healthcare defense contractor to pay $11 million over alleged cyber failings | The Record from Recorded Future News
• Botnet looks for quiet ways to try stolen logins in Microsoft 365 environments | The Record from Recorded Future News
• Director-General's Annual Threat Assessment 2025 | ASIO
• An inside look at NSA (Equation Group) TTPs from China’s lense

In this episode of the Wide World of Cyber podcast Risky Business host Patrick Gray chats with SentinelOne’s Chris Krebs and Alex Stamos about AI, DeepSeek, and regulation.

From its bad transport security to its Chinese ownership and the economic implications of China “entering the chat”, everyone’s freaking out over this new model. But should they be?

Pat, Alex and Chris dissect the model’s significance, the politics of it all and how AI regulation in Europe, the US and China will shape the future of LLMs.

This episode is also available on Youtube.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Australian spooks scrubbed Medibank data off Zservers bulletproof hosting
• Why device code phishing is the latest trick in confusing poor users about cloud authentication
• Cloudflare gets blocked in Spain, but only on weekends and because of… football?
• Palo Alto has yet another dumb bug
• Adam gushes about Qualys’ latest OpenSSH vulns

Enterprise browser maker Island is this week’s sponsor and Chief Customer Officer Bradon Rogers joins the show to talk about how the adoption of AI everywhere is causing headaches.

This episode is also available on Youtube.

• Five Russians went out drinking. When they got back, Australia had struck
• Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
• Further cyber sanctions in response to Medibank Private cyberattack | Defence Ministers
• What is device code phishing, and why are Russian spies so successful at it? - Ars Technica
• Anyone Can Push Updates to the DOGE.gov Website
• Piracy Crisis: Cloudflare Says LaLiga Knew Dangers, Blocked IP Address Anyway (Update) * TorrentFreak
• Palo Alto Networks warns firewall vulnerability is under active exploitation | Cybersecurity Dive
• Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466 | Qualys Security Blog
• China’s Salt Typhoon hackers targeting Cisco devices used by telcos, universities | The Record from Recorded Future News
• RedMike Exploits Unpatched Cisco Devices in Global Telecommunications Campaign
• A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks | WIRED
• How Phished Data Turns into Apple & Google Wallets – Krebs on Security
• New hack uses prompt injection to corrupt Gemini’s long-term memory
• Arizona woman pleads guilty to running laptop farm for N. Korean IT workers, faces 9-year sentence | The Record from Recorded Future News
• US reportedly releases Russian cybercrime figure Alexander Vinnik in prisoner swap | The Record from Recorded Future News
• EXCLUSIVE: A Russia-linked Telegram network is inciting terrorism and is behind hate crimes in the UK – HOPE not hate
• Remembering David Jorm - fundraising for Mental Health research

In this SoapBox edition of the show Patrick Gray chats to Fletcher Heisler, the CEO of open-source identity provider Authentik.

The whole idea of Authentik is you can take control of an essential IT and security function: identity. Because Authentik is open source it’s extremely flexible, and if you’re running it yourself, you get to decide where your IDP should sit in your architecture. You can run it on prem if you’re an emergency call centre or you’re operating an airgapped network, or you can spin it up in your cloud environment if you’re a typical enterprise.

Fletcher talks through the reasons Authentik users are decoupling themselves from the major SaaS Identity Providers, and the flexibility that comes from being able to assemble exactly what you need.

This episode is also available on Youtube.