Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security

Episode: 2024-12-02 - C Squad
Release Date: December 4, 2024
Host/Author: Black Hills Information Security

In this episode of "Talkin' About [Infosec] News," the Black Hills Information Security (BHIS) team delves into a range of critical topics within the information security landscape. From vulnerabilities in popular game engines to the latest developments in IoT device security, and recent high-profile data breaches, the hosts provide insightful discussions aimed at both cybersecurity professionals and enthusiasts. The episode also touches on the persistent threat of ransomware and highlights upcoming security initiatives like the Secure Code Summit.

1. Light Banter and Community Building (00:00 - 15:00)

The episode kicks off with the team engaging in friendly banter about their favorite coffee drinks and holiday beverages. Conversations about gaming nostalgia and personal anecdotes set a relaxed tone, fostering a sense of camaraderie among the hosts and listeners.

Notable Quotes:

• Connor [00:01]: "It's a great way to win an award is to throw shade."
• Ryan [00:35]: "I always go for the holiday drinks. It's my favorites."

2. Major Security Alert: Godot Engine Vulnerability (16:02 - 30:40)

The discussion pivots to a significant security vulnerability discovered in the Godot game engine, widely used by indie game developers. Alex, a hobbyist game developer, explains how this vulnerability allows attackers to inject malicious code into PCK files—packages that contain game code. This method enables the distribution of malware through legitimate game updates, bypassing standard virus detection mechanisms.

Key Points:

• Vulnerability Mechanism: The exploit targets the way Godot handles PCK files, allowing unauthorized code execution.
• Impact on Developers: Indie developers, often lacking robust security measures, are particularly at risk.
• Malware Detection: Traditional antivirus solutions may not flag these malicious updates, increasing the threat.

Notable Quotes:

• Alex [16:11]: "If you're a developer and you know what game you're getting, but you're talking about people who mod games, they have to be careful."
• Ryan [18:03]: "It's really hard to catch it. You're taking advantage of the actual code base executables that are running with the game."

3. IoT Device Security and FTC White Paper (30:40 - 67:04)

Wade introduces a discussion on a new white paper from the Federal Trade Commission (FTC) that scrutinizes the security practices of smart device manufacturers. The paper reviewed 184 different smart devices, finding that 89 of them failed to inform consumers about software update timelines and product warranties.

Key Points:

• Executive Order Oversight: An earlier executive order from the Biden administration mandated IoT labels indicating update policies, which many manufacturers have ignored.
• Security Risks: Lack of clear communication on updates leaves devices vulnerable to long-term security breaches.
• Consumer Impact: Users often unknowingly expose sensitive data by using compromised devices, especially in environments like gaming where security is less stringent.

Notable Quotes:

• Corey [33:15]: "But now the FTC is involved, which makes it more. That's more teeth, Right?"
• Kelly [36:31]: "All they care about is like, is it cool?"

4. Recent Data Breaches: Starbucks and Ford (67:04 - 55:25)

The team discusses recent data breaches affecting major corporations such as Starbucks and Ford, highlighting the vulnerabilities introduced through third-party vendors. These breaches emphasize the critical importance of thorough third-party risk assessments and the challenges organizations face in securing their supply chains.

Key Points:

• Third-Party Risks: Breaches in third-party services can have cascading effects on large organizations.
• Penetration Testing Scope: Incorporating vendors into pen testing can help identify and mitigate these risks.
• Industry Impact: Companies are often held accountable for breaches in their supply chain, affecting their reputation and financial standing.

Notable Quotes:

• Corey [50:38]: "And by the way, if you're wondering if your pen test should include your vendors in scope, this might be a reason to maybe talk to them and say, can we pen test you if you."
• Ralph [51:56]: "Ford was another customer... They don't care that a few employees don't get paid, then."

5. Ransomware Trends and Ongoing Challenges (55:25 - 70:00)

The conversation shifts to the persistent threat of ransomware, with the hosts noting that 2024 appears to be a banner year for ransomware activities. They explore the reasons behind the continued rise of ransomware attacks despite advancements in cybersecurity measures.

Key Points:

• Evolution of Attacks: Ransomware techniques are becoming more sophisticated, making them harder to combat.
• Economic Incentives: The profitability of ransomware incentivizes attackers to continue their operations.
• Defense Measures: Organizations must adopt comprehensive security strategies, including robust backup solutions and incident response plans.

Notable Quotes:

• Mike [52:26]: "It's like life, Daniel. There is no finish line. And it. We all still have jobs as. As our audit and assessment capabilities and detection capabilities getting more sophisticated, the attackers get more sophisticated."
• Alex [57:45]: "I personally think it's going to get maybe a little bit worse before it starts getting better."

6. Secure Code Summit and Promotions (70:00 - End)

As the episode draws to a close, the hosts promote the upcoming Secure Code Summit, an event dedicated to enhancing secure coding practices among developers. They also highlight various training sessions and talks that will take place during the summit, encouraging listeners to participate and expand their cybersecurity expertise.

Key Points:

• Event Highlights: Sessions on secure coding, cloud bridging, AI for cyber professionals, and more.
• Training Opportunities: Emphasis on hands-on learning and collaboration to mitigate security vulnerabilities.
• Community Engagement: Encouraging participation to build a stronger, more informed cybersecurity community.

Notable Quotes:

• Corey [69:15]: "We have a summit coming up. It's on the top of a mountain. It's going to be really hard to get to. It's remote."
• Mike [70:30]: "A lot of cool training highlights with BO doing the bridging cloud."

7. Closing Remarks and Future Outlook (70:00 - 72:00)

The team wraps up the episode with reflections on the current state of cybersecurity, emphasizing the need for cultural shifts towards better security practices. They express optimism about increasing cybersecurity awareness and the potential for collaborative efforts to mitigate future threats.

Notable Quotes:

• Mike [60:50]: "I think the good news is it does seem like the infosec culture is starting to permeate a lot more out into the general public."
• Corey [63:39]: "It's more of a conversation about what can we do better? How did things go from your perspective?"

Conclusion

This episode of "Talkin' About [Infosec] News" offers a comprehensive overview of pressing cybersecurity issues, blending technical analysis with engaging discussions. From the vulnerabilities threatening indie game developers to the broader challenges of securing IoT devices and combating ransomware, the BHIS team provides valuable insights and practical advice. The promotion of initiatives like the Secure Code Summit underscores their commitment to fostering a more secure digital environment.

For those interested in staying ahead in the cybersecurity field, this episode serves as a crucial resource, highlighting both current threats and future strategies to enhance information security.