PSW #757 – Ev Kontsevoy, Casey Ellis
Hackers rarely break through crypto or exploit fancy zero days. Most of the time they simply log in using stolen credentials. Managing passwords, keys and other forms of secrets does not work at scale. In this segment we’ll look into a more radical approach to infrastructure security: getting rid of secrets entirely and moving to access control based on physical properties of humans and machines.
This segment is sponsored by Teleport. Visit https://securityweekly.com/teleport to learn more about them!
This week, we're joined by Casey Ellis to discuss a Telco breach from a land down under, UK government sits out bug bounty boom but welcomes vulnerability disclosure, Karakurt Data Extortion Group, Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack, being caught with your pants down, & more! Visit https://www.securityweekly.com/psw for all the latest episodes!
Segments
1. The Role of Human Behavior in Security & the Future – Ev Kontsevoy – PSW #757
2. Voltron, Karakurt Extortion, 1 Click Workaround, Snowden Citizenship, & Casey Ellis – PSW #757
Guest
Casey is the Founder, Chairman, and CTO of Bugcrowd. He is an 18-year veteran of information security, servicing clients ranging from startups to multinational corporations as a pentester, security and risk consultant and solutions architect, then most recently as a career entrepreneur. Casey pioneered the Crowdsourced Security as a Service model launching the first bug bounty programs on the Bugcrowd platform in 2012, and co-founded the disclose.io vulnerability disclosure standardization project in 2016.
A proud expat of Sydney, Australia, Casey lives with his wife and two kids in the San Francisco Bay Area. He is happy as long as he’s passionately pursuing potential.
- 1. FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports
  Allegedly a young attacker who got in over their head; initially tried asking for a $1M ransom to not release the data, then madly backpedaled, apologized, and said they deleted the data. Some very interesting talking points here:
  1. Optus is Australia's 2nd largest mobile telecom. It is a subsidiary of Singtel, a Singaporean government-owned telecom conglomerate that happens to be a huge cybersecurity investor (they bought Trustwave back in 2015, and rumors of them selling it have been swirling for the past few years).
  2. The attack vector was apparently an unauthenticated API that gave access to the entire live customer database. It was allegedly part of a test network that wasn't supposed to be exposed to the Internet (whoopsie!).
  3. The attacker alleges they would have reported the security issue, but couldn't find any way to do so (no bug bounty, VDP, security contact, security.txt, or DNS security record).
  4. They released a 10,200 record sample as proof they had the data, but allegedly "nearly 10 million records" were exfiltrated, making it potentially Australia's biggest breach in terms of impact to individual citizens.
  5. Was texting individuals, trying to ransom each record individually for $1300 per record. Bold enough to be requesting a bank transfer to a domestic (CBA) bank!
- 2. Tenchi Security’s new newsletter, Alice in Supply Chains

- 1. Digital natives more likely to fall for phishing attacks at work than their Gen X and Boomer colleagues
- 2. Getting Started with the undocumented Tesla BLE API
- 3. Someone is pretending to be me.
- 4. “Girls Who Code” books banned in some US classrooms • The Register
- 5. Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers – Krebs on Security