In this episode of The Adversarial Podcast, Jerry Perullo, Mario Duarte, and Sounil Yu discuss the latest developments in cybersecurity, geopolitical threats, and emerging trends as 2025 approaches.

00:00 Introduction

02:06 Trump 2.0's effect on security

03:25 Future of CISA

09:00 Future of SEC cyber reports

15:57 Possible Trump 2.0 priorities

19:40 Spying on US Telco

20:20 What is SS7?

24:04 SS7 vs. SMS interception

25:40 Privacy impact of SS7 attacks

30:12 National security

31:17 CISA's guidance for telco

36:58 DPRK targets DAO network, $50M heist using macOS malware

46:30 DOJ indicts 14 DPRK nationals

The Future of SEC/CISA under Trump 2.0. With Trump returning to office, the hosts discuss possible changes to SEC-mandated cybersecurity disclosures and the potential of priorities shifting away from CISA as Jenny Easterly’s resignation looms.

References: https://www.cfodive.com/news/sec-cybersecurity-enforcement-outlook-uncertain-as-trump-returns/735728/, https://www.bankinfosecurity.com/cisa-faces-uncertain-future-under-trump-a-26829

China, Russia, and Iran spying on US Telco networks. Adversaries are abusing SS7 vulnerabilities and are hacking into Telco networks to spy on U.S. citizens. The hosts unpack CISA's new recommendations for encrypted communications and discuss the history of SS7 vulnerabilities.

References: https://www.404media.co/dhs-says-china-russia-iran-and-israel-are-spying-on-people-in-us-with-ss7/, https://www.reuters.com/technology/cybersecurity/china-affiliated-actors-compromised-networks-multiple-telecom-companies-us-says-2024-11-13/, https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf

DPRK Targets macOS hosts in $50M heist from DAO network. The hosts discuss recent DPRK-aligned Mac malware involved in a $50M cryptocurrency heist. The team discusses the sophistication of the attack, parallels to the attacks against US financial services companies, and why the crypto space remains a goldmine for state-sponsored cybercriminals.

References: https://medium.com/@RadiantCapital/radiant-capital-incident-update-e56d8c23829e

DOJ indicts 14 DPRK nationals for fraudulent worker scheme and extortions. We return to the ongoing surge in DPRK-funded actors illegallying work in IT roles within the US using false identities. The hosts unpack raise questions about insider threats and remote work challenges.

References: https://www.justice.gov/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information?&web_view=true

In this episode of The Adversarial Podcast, Jerry, Mario, and Sounil bring their adversarial insights to a packed discussion of the latest topics in enterprise cybersecurity.

- East Coast vs. West Coast CISOs: The trio explores the divide between East Coast and West Coast CISOs. Is the East too focused on risk? Does the West overfit to AppSec and "shift-left" practices?

- 2024 CISO Budget Report: Where are CISOs spending their increasing budgets in 2024? The hosts chat about the increasing expenses in identity management and generative AI security.

- AI and Crypto Regulation: A discussion of AI and crypto regulation, emphasizing the need for clarity in regulatory goals while raising questions about their broader implications.

- The GitHub Security Gap: The hosts discuss securing GitHub environments in increasingly BYOD environments.

- Pegasus Malware: The group examines modern attack vectors, from sophisticated supply chain threats to Pegasus malware's unexpected victims.

- Deep Fakes and Vishing: Staying on the topic of mobile attacks, the hosts debate how to best hinder deep fake-powered vishing attacks.

- South Korean CEO arrested for adding DDoS feature to satellite receivers: A discussion of a recent story involving supply chain injection of DDoS features in Korea.

In this episode of The Adversarial Podcast, former CISOs Jerry Perullo, Mario Duarte, and Sounil Yu explore critical topics shaping the cybersecurity landscape.

1. Crosspoint Capital’s RSA Innovation Sandbox Model The hosts discuss Crosspoint Capital's controversial $5 million SAFE investment requirement for Innovation Sandbox finalists. They examine the implications for startups, founders, and the cybersecurity ecosystem as a whole, weighing its potential to drive innovation against the risks of stifling participation.

Reference: RSA’s Innovation Sandbox: Cybersecurity Startups Must Accept $5 Million Investment - https://www.securityweek.com/rsa-conference-will-take-equity-in-innovation-sandbox-startup-finalists/

2. The Effectiveness of Phishing Simulations and Training Phishing simulations are dissected, from their role in training effectiveness to their limitations. The hosts share personal experiences, propose smarter testing methods, and stress the need for customized, relevant security awareness programs.

Reference: Understanding the Efficacy of Phishing Training in Practice - https://www.computer.org/csdl/proceedings-article/sp/2025/223600a076/21B7RjYyG9q

3. Insights from a CISA Red Team Report A recent CISA red team assessment of critical infrastructure prompts discussions on systemic security flaws, logging and monitoring challenges, and the importance of infrastructure segmentation. The team critiques current approaches and highlights the risks of improper cleanup after penetration testing.

Reference: Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a

4. Cookie Theft and FBI Warnings The conversation shifts to session cookie theft, a rising threat targeting big identity providers like Google and Microsoft. The hosts explore technical solutions like device-bound session cookies and discuss why such attacks bypass MFA, affecting both enterprises and public users.

Reference: https://www.fbi.gov/contact-us/field-offices/atlanta/news/cybercriminals-are-stealing-cookies-to-bypass-multifactor-authentication

Introduction:

• The episode opens with a discussion on securing devices for employees traveling to high-risk countries, like China, as a way to protect corporate data and maintain customer trust.
• Hosts Jerry, Sounil, and Mario welcome listeners and discuss recent events, including the FS-ISAC Fall Summit in Atlanta and geopolitical implications of the recent election.

Key Topics:

1. Geopolitical Risks:
   • The group explores China's espionage activities and Russia's geopolitical maneuvers, predicting shifts in attacker strategies depending on U.S. political leadership.
   • Concerns about China's possible invasion of Taiwan and its implications for global tech, particularly chip manufacturing, are highlighted.
2. Cybersecurity and Crypto:
   • The hosts discuss the post-election stock market bump, particularly in the tech and crypto sectors, and note the growing reliance on platforms like Coinbase.
   • They debate the perception and reality of cryptocurrency stability.
3. Travel Security Policies:
   • The panel critiques outdated views on China-focused security policies and suggests broadening these policies to apply to all non-extradition countries.
   • Anecdotes on “burner laptops” and espionage myths are shared, emphasizing a need for realistic threat modeling.
4. InfoStealers and SaaS Security:
   • Rising threats from InfoStealer malware, which targets stored credentials, are explored.
   • A specific case involving Snowflake and ServiceNow platforms highlights vulnerabilities tied to single-factor authentication and API misuse.
   • Debate on whether such findings should be within the scope of bug bounty programs arises.
5. Shift Toward Hybrid and On-Prem Models:
   • Discussion on whether critical applications are moving back on-premises due to high cloud costs, especially for AI workloads.
   • The hosts argue the shift is likely economic rather than security-driven.
6. EU Product Liability Directive:
   • The EU’s new directive introduces potential liability for software developers and companies, even extending to individual coders.
   • The implications for open source and global software markets are debated, with concerns about increased costs for doing business in the EU.
7. CrowdStrike vs. Delta Lawsuit:
   • The CrowdStrike-Delta legal battle is analyzed, focusing on issues like the discovery of risk registers and internal chats, and how this might expose Delta's cybersecurity weaknesses.
   • Potential ripple effects for CrowdStrike's reputation and customer base are considered.

Closing Thoughts:

• The episode ends with reflections on regulatory landscapes, including GDPR and how enforcement levels shape software innovation and compliance strategies.
• The hosts tease ongoing developments in the CrowdStrike case as a topic to watch closely.

This episode combines high-level geopolitical discussions with detailed analysis of pressing cybersecurity trends, offering a mix of technical insights and industry perspectives.

(00:00) Intro

(5:15) The CISO job market: present and future

(25:57) Handling beg bounties and VDP

(41:30) Quantum cryptography – how important is cryptography, really?

Stories:

• “Chinese Researchers Reportedly Crack Encryption With Quantum Computer” - https://www.pcmag.com/news/chinese-researchers-reportedly-crack-encryption-with-quantum-computer

Hosts:

• Jerry Perullo: https://www.linkedin.com/in/perullo/
• Mario Duarte: https://www.linkedin.com/in/mario-duarte-7855237/
• Sounil Yu: https://www.linkedin.com/in/sounil/

Producer: Tillson Galloway (linkedin.com/in/tillson)

(00:00) Intro & NIST’s new password complexity requirements

(13:19) CUPS vulnerability: critical or a distraction

(31:26) Federal standards for cybersecurity in health care: should legal responsibility fall on individuals?

(47:30) What constitutes a hack vs a breach?

Stories:

• “NIST Drops Password Complexity, Mandatory Reset Rules” - https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules
• “Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution” - https://thehackernews.com/2024/09/critical-linux-cups-printing-system.html
• “Wyden and Warner Introduce Bill to Set Strong Cybersecurity Standards for American Health Care System” - https://www.finance.senate.gov/chairmans-news/wyden-and-warner-introduce-bill-to-set-strong-cybersecurity-standards-for-american-health-care-system

Hosts:

• Jerry Perullo: https://www.linkedin.com/in/perullo/
• Mario Duarte: https://www.linkedin.com/in/mario-duarte-7855237/
• Sounil Yu: https://www.linkedin.com/in/sounil/

(00:00) Intro

(02:24) Exploding pagers: are psychological attacks worse than breaches?

(20:21) Are credit card breaches still a concern in 2024?

(24:57) Infostealer delivered through GitHub Issues: how are trustworthy services being abused?

(31:45) Founder mode: when is it time to switch from "founder mode" to "manager mode?"

(44:02) Is open-source more secure than closed-source?

Stories and books mentioned:

• “Israel planted explosives in Hezbollah's Taiwan-made pagers, say sources” - https://www.reuters.com/world/middle-east/israel-planted-explosives-hezbollahs-taiwan-made-pagers-say-sources-2024-09-18/
• Darkwire, by Joseph Cox - https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691/?lens=publicaffairs
• Kingpin, by Kevin Poulsen - https://www.kingpin.cc/
• “Clever 'GitHub Scanner' campaign abusing repos to push malware” - https://www.bleepingcomputer.com/news/security/clever-github-scanner-campaign-abusing-repos-to-push-malware/
• “Founder Mode” - https://paulgraham.com/foundermode.html
• “On Pioneers, Settlers, Town Planners and Theft” - https://blog.gardeviance.org/2015/03/on-pioneers-settlers-town-planners-and.html

Hosts:

• Jerry Perullo: https://www.linkedin.com/in/perullo/
• Mario Duarte: https://www.linkedin.com/in/mario-duarte-7855237/
• Sounil Yu: https://www.linkedin.com/in/sounil/

Listen as CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the value of security exams and question the relevance of certain certifications in today’s industry. Then, they debate into the vulnerability disclosure process, exploring how CVEs impact companies outside the SaaS world and whether CISA’s "Secure by Design" initiative is truly effective across industries. Finally, they discuss security misprioritization, from school systems to corporate desktops, and the evolving role of account management in protecting digital crown jewels.

Stories

• LinkedIn Post on ISC2 exams - https://www.linkedin.com/posts/mlockhart_hate-to-see-how-isc2-has-devolved-over-the-activity-7234368996647604225-tKVp

• “Is the vulnerability disclosure process glitched? How CISOs are being left in the dark” - https://www.csoonline.com/article/3491353/is-the-vulnerability-disclosure-process-a-glitch-in-itself-how-cisos-are-being-left-in-the-dark.html
• LinkedIn Post on Chrome DevTools blocked in schools - https://www.linkedin.com/posts/perullo_im-lucky-enough-to-have-my-6th-grade-daughter-activity-7237092980996632577-5T62

00:00 Intro

01:00 ISC2 Exams

20:39 VDP and Secure by Design

35:29 Security controls

49:06 Admin accounts