Security Weekly
Paul's Security WeeklySubscribe
Security Staff Acquisition & Development, Threat Management, Endpoint/Device Security

UEFI & SMM Vulnerabilities – Jesse Michael – PSW #764

Navigating the UEFI waters is treacherous. While UEFI has become the standard on most PCs, servers, and laptops, replacing legacy BIOS, it is a complex set of standards and protocols. Jesse joins us to help explain how some of this works and describe how vulnerabilities, specifically with SMM, can manifest and be exploited.

Segment Resources: CHIPSEC GitHub

Full episode and show notes

Announcements

  • Join our Discord channel to chat with us throughout the live show today! Visit securityweekly.com/discord to receive an invite and become part of our community.

Guest

Jesse Michael
Jesse Michael
Principal Researcher at Eclypsium

Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Jeff Man
Jeff Man
Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
Mandy Logan
Mandy Logan
Brainstem Hacker and InfoSec Enthusiast at Redacted
Sam Bowne
Sam Bowne
Founder at Infosec Decoded, Inc.
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

Related

Training
AI and LLMs – Think of the Children – Josh More – PSW #808

What will the future bring with respect to AI and LLMs? Josh has spent some time thinking about this and brings us some great resources. We'll discuss how to get students involved with AI in a safe and ethical manner. How can we use AI to teach people about cybersecurity? What tools are available and where do they fit into our educational systems t...
Leadership
Do You Really Want to Be a CISO? – Spencer Mott – CSP #150

Reaching the level of CISO in a large corporation requires time and determined application as well as aptitude and very specific professional and personal attributes. It's the role against which many security professionals set their career sights without really knowing what they'll be getting themselves into. Fitzgerald, T. 2019. Chapter 14. CISO ...