A TLD Takeover, An LLM CTF, A Firmware Flaw, 6 Truths of Cyber Risk – ASW #299
A takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more!
Announcements
Don’t lose access to the Security Weekly content you know and love - make sure that you subscribe to your favorite podcasts feeds on an alternative platform like Spotify, YouTube Music, Amazon Music, Apple Podcasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now! We love to see your ratings and feedback so make sure to tell us what you think of the latest episodes.
Hosts
- 1. We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
Fun read about the journey from a what-if scenario to a much larger impact than the scenario anticipated.
- 2. Taking steps that drive resiliency and security for Windows customers
Not much technical depth here, but it reinforces a secure by design principle of taking responsibility for customer outcomes -- in this case, responsibility of Microsoft to provide feature-equivalent alternatives to kernel drivers and responsibility of vendors to use those alternatives. It also makes a nice (albeit unsurprising) call-out to resiliency. Back in May 2023 we spoke with Kelly Shortridge about the relationship of chaos engineering and resiliency to security. Check it out episode 240.
- 3. Exploring Large Language Models: Local LLM CTF & Lab | Bishop Fox
I know we've seen lots of CTFs around prompt injection. It's the XSS (or SQL injection) of the LLM world.
I liked how this write up focused on a description of how they tuned the LLM and what safeguards they put in place -- including the steps to make the LLM's behavior more deterministic. It reads like the type of steps and details that would be relevant to real-world chatbots.
- 4. 6 Truths of Cyber Risk Quantification
We don't always get into risk discussions, but regular listens will know that some of my common interview questions relate to measuring impact of an appsec activity or putting an exploit into context (which is another way of saying risk). We don't dwell on CVSS scores and we prefer threat modeling discussions to talk about scenarios in ways that include context, realistic consequences, and what audiences are affected. In other words, I usually lean on the risk communication aspects -- and this article goes into many of the ways that risk communication can be better grounded with feedback loops, experience, and even some data.
- 5. RESPOND: Share your feedback about developing with Go – The Go Programming Language
We've been talking a lot about Rust lately, so it's only fair to give Go some attention. Here's a chance to influence the direction of the language and its development environment.
- 6. Node.js Security Newsletter | Node.js Secure Coding | Liran Tal
A new newsletter on Node.js and secure coding from Liran Tal. We spoke with Liran on those topics back in episode 286. He follows a nice hands-on approach to secure coding education with relevant examples from real code and with a focus on the developer's perspective.
- 1. Buffer overflow in Crucial SSDs ????
Some folks figured out that a particular version of Crucial's SSDs, with a particular firmware version have a few vulnerabilities, including a buffer overflow