Podcasts

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• React2Shell attacks continue, surprising no one
• The unholy combination of OAuth consent phishing, social engineering and Azure CLI
• Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!
• Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain
• Microsoft finally turns RC4 off by default in Active Directory Kerberos
• Traefik’s TLS verify=on … turns it off, whoopsie 🤡

This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess.

The Risky Business weekly show is taking holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends.

This episode is also available on Youtube.

Most smart devices run outdated web browsers, Ukrainian hacktivists breach a major Russian defense contractor, ransomware hits Venezuela’s state-owned oil company, and hackers are trying to extort PornHub with stolen user data.

In this edition of Between Two Nerds Tom Uren and The Grugq talk to Hamid Kashfi, CEO and founder of DarkCell, talk about the Iranian cyber espionage scene.

Kashfi talks about how the regime once forced people to hack and crushed the domestic security research scene. He describes how and why the government has changed its approach and is now reaping the rewards of improved Iranian capabilities.

This episode is available on Youtube.

Russia is hiring African freelancers for disinformation campaigns, the US is preparing to let contractors run offensive cyber operations, Germany blames Russia for the hack of its air traffic control agency, and Apple patches two WebKit zero-days.

In this sponsored interview Casey Ellis is joined by Push Security’s Field CTO, Mark Orlando. They chat about the ways that browser-based attacks are evolving and how Push Security is finding and cataloging them.

The EU has a problem attracting and retaining cyber talent, the CEO of Coupang resigns following the company’s security breach, Microsoft expands its bug bounty program to cover third party code, and Chrome and Gogs patch zero-days.

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph.

OpenGraph enumerates attack paths across platforms and services, not just your primary directories.

A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it.

Cross-platform attack path enumeration! So good!

This episode is also available on Youtube.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?
• China is out popping shells with it
• Linux adds support for PCIe bus encryption
• Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems
• …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board?

This episode is also available on Youtube.

Linux adds PCIe encryption to help secure cloud servers, Europol cracks down on Violence-as-a-Service providers, the International Criminal Court prepares for cyber-enabled genocide, and Cambodia busts a warehouse full of SMS blasters.

APTs go after the React2Shell vulnerability just hours after public disclosure. CISA remains without a director after the nomination stalls again, NSA is down 2,000 staff this year, and Intellexa is still active despite sanctions.