FIRESTARTER – PSW #924

Topics: IoT, AI/ML, AI benefits/risks

April 30, 2026

This week in the security news:

- Are you a FIRESTARTER?
- Eavesdropping via fiber-optic cables
- Copy Fail - more Linux LPE
- GitHub RCE
- Running Linux on a PS5
- BadUSB tricks
- SilentGlass and HDMI threats
- SonicWall and vague details
- Universities are for porn?
- The Banshee
- Before CVEs comes scanning
- Vendor addresses AirSnitch
- GitHub and not serious work
- Routers have country-specific backdoors
- Phones with Hotspot are fine

Full Segment Notes

Hosts

- Paul Asadoorian (@0offset) https://securitypodcaster.com
- Jeff Man https://www.obsglobal.com/
- Joshua Marpet https://www.cyturus.com
- Larry Pesce (@haxorthematrix) https://www.finitestate.io/ https://breakstuffforfun.com/
- Lee Neely
- Sam Bowne https://samsclass.info/

List of Articles

Paul Asadoorian

Copy Fail — 732 Bytes to Root

This works BTW. Privilege escalation on pretty much all OSes is a huge problem. Once an attacker has a foothold, it's pretty much game over...

GitHub fixes RCE flaw that gave access to millions of private repos

Whoops, a single git pull gives you root, lovely. It was fixed very quickly.

ps5-linux/ps5-linux-loader: Linux payload implementing the HV exploit and a custom bootloader

I am super interested in turning a PS5 into a Linux computer, just because apparently now you can...

Social Engineering: Building Your Own BadUSB – Hackers Arise

Neat article, nothing really new here, but I liked the thought put into it, such as this: "Ironically, the hardest part is often not the electronics but the shell.
A believable enclosure matters. One practical trick is to buy the cheapest flash drive available in a local electronics store, remove its internal storage board, and reuse only the casing. Another elegant option is to simply 3D-print a flash drive enclosure that matches the dimensions of the chosen controller. Because many Arduino boards come with micro-USB connectors, the port often needs to be resoldered or adapted to a standard USB-A plug. A fake flash drive with a micro-USB connector would immediately look suspicious. If the board itself is not mechanically strong enough to support direct insertion stress, the USB plug can be fixed to the shell while the controller board connects internally using rigid wires. This transfers unplugging force to the casing instead of the PCB."

NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links

I am curious why we need this device, so I asked AI; good discussion points here:

SilentGlass addresses a class of hardware-layer threats targeting HDMI/DisplayPort interfaces — threats defined across several well-established research threads. Here's the underlying research that motivated it:

- "A Monitor Darkly" (Ang Cui, Red Balloon Security) - The most direct foundational work is Ang Cui and Jatin Kataria's DEF CON 2019 research "A Monitor Darkly," which demonstrated that monitor firmware (running on the monitor's internal MCU) is exploitable. They showed monitors can be compromised to intercept, manipulate, or exfiltrate pixel data — effectively making the monitor itself a persistent implant. This is the canonical "compromised monitor as attack vector" research.

- Van Eck Phreaking / TEMPEST - Wim van Eck's 1985 paper established that electromagnetic emanations from display cables can be intercepted at range to reconstruct screen content. This is the basis for NSA/NATO TEMPEST standards. SilentGlass is a modernized, affordable mitigation for this class of signal-leakage threat.
- HDMI DDC/CEC Channel Exploitation - HDMI's Display Data Channel (DDC) and Consumer Electronics Control (CEC) are bidirectional communication channels embedded in the cable. Researchers have demonstrated these upstream channels can be used to send commands or exfiltrate data — turning a "display-only" cable into a two-way attack vector. The NCSC specifically calls out that monitors "can process and store sensitive data" and are exploitable for espionage.

- Air-Gap Exfiltration via Display Signals - Ben-Gurion University researchers (Mordechai Guri et al.) published multiple papers — including "BRIGHTNESS" and "AirHopper" — showing how video signals from air-gapped systems can be used as covert exfiltration channels. The NCSC's concern about espionage via display links aligns directly with this research body.

The NCSC's own advisory describes monitors as "highly likely" targets for espionage, disruption, and financial crime — positioning SilentGlass as a hardware enforcement point where software mitigations are insufficient.

Sandworm Uses SSH-over-Tor Tunnel for Stealthy Long-Term Persistence

CVE-2026-42167 Allows Auth Bypass And RCE In ProFTPD – ZeroPath Blog

Alleged Silk Typhoon hacker extradited to the United States to face charges

This is rare, but it happens. Curious how this will pan out.

89 vulnerabilities in XAPI / Citrix XenServer

VMware to KVM migration guide – common pitfalls and how to avoid them

Using this to make a note that Claude and Linux KVM/libvirt is an awesome combination. I've completely left the VMware environment and use KVM. Claude is really great at setting up VMs, converting them, making scripts to make my life easier, etc. For lab VMs I even give Claude console access and/or SSH access to VMs, using the Python Expect library, and it can configure things for me. So I can say, "hey Claude, go to this VM for this vendor and configure this feature", and it just does it.
I don't have to be an expert on every lab target anymore!

SonicOS affected by multiple vulnerabilities

For the most severe vulnerability there is not enough information to triage; frustrating that this is all we get: "A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions." Analyzing the CVSS score is interesting: it says AV is A, which means "the attacker must be on the same network segment (LAN, Wi-Fi, VLAN) as the target: not exploitable directly from the internet, but not requiring local machine access either." UI:R also means that the victim requires interaction. So confused, which access control mechanism does this refer to? Why are they being so light on details?

A Route to Root in a 4G Industrial Router

Why are top university websites serving porn? It comes down to shoddy housekeeping.

Wait, why are you using CNAMEs to point to external domains that you do not control? Ask me about the WordPress instance we had for this that was not a solution. For example, universities have many clubs or groups. They need a website. We had an instance of WP that allowed students to use a subdomain, like mtnbiking.example.edu. Problem was, it was ALWAYS being hacked. We did have other external domains too, and housekeeping is important. It's a tough problem to solve for colleges and universities.

AI summary: Turns out prestigious .edu domains — Berkeley, Columbia, WashU — have been moonlighting as adult content sites, and no, this wasn't a student project. Scammers exploited "dangling" CNAME records: old DNS entries pointing to long-expired external domains that attackers simply... bought. The result? Hundreds of hijacked subdomains across 34+ universities serving explicit content and scareware, all under the trusted halo of a .edu address.
Basically, your alma mater forgot to clean up after itself, and now someone else is using its good name to sell something your parents definitely didn't pay tuition for. The lesson, as always: patch your DNS, not just your software.

I Tested The Banshee Against Flipper Zero: Results Are Insane

This device is insane, I want one!

The Internet Changes Before the Advisory Drops

GreyNoise found that unusual scanning activity on their sensor network consistently precedes CVE disclosures with an 11-day median lead time. That's a head start most defenders never get.

Key Numbers:
- 147.8M sessions, 18 vendors, 103 days (Dec 2025 – Mar 2026)
- ~50% of activity surges preceded a CVE within 3 weeks — 36% above chance (p=0.0015)
- CVSS 10.0 vulns like Cisco CVE-2026-20127 showed signals 39 days out

The Signal: Watch session volume intensity, not just new IPs. When existing scanners hit a vendor harder than normal, that's your warning. Both channels spiking together (sessions + new IPs) is a high-confidence escalation signal.

Most Interesting Finding: Cisco and SonicWall showed a "countdown compression" pattern — surges arriving at shorter and shorter intervals before disclosure, like a heartbeat accelerating before a CVE drops.

Who's Doing It: Four distinct attacker infrastructure clusters — from broad residential botnets to tight dedicated VPS operators. Concentrated infrastructure (few IPs, thousands of sessions each) = much closer to disclosure (7.5-day mean vs. 21-day mean for botnets).

Why It Matters Now: Mandiant says mean time-to-exploit is now negative 7 days. Verizon DBIR shows an 8x increase in network device exploitation YoY. Salt Typhoon hit three vendors in this study (Cisco, Ivanti, Fortinet). The window to act is shrinking.

Debate: Half of surges don't precede a CVE, so how do you operationalize a 50% false positive rate without alert fatigue?
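A defender-side audit for the dangling-CNAME condition behind the university story above, added here as an example; it is not code from the article or the show. It assumes a constructed zone excerpt for a placeholder example.edu and a stub resolver standing in for live DNS, and it simplifies "registrable domain" to the last two labels, which a real audit should replace with a public-suffix-list lookup. A CNAME whose target lies outside the institution's own domain and no longer resolves is the record that needs to be deleted or re-pointed before someone else registers the lapsed target.

```python
import re
from typing import Callable

# Constructed zone-file excerpt for a placeholder institution (example.edu).
ZONE = """\
$ORIGIN example.edu.
www        IN CNAME  web.example.edu.
mtnbiking  IN CNAME  mtnbiking-club.expired-host.example.
alumni     IN CNAME  alumni-portal.vendor-cdn.example.
library    IN A      192.0.2.10
"""

# Constructed resolver view standing in for live DNS: in the hijack scenario the
# external target's base domain has lapsed, so it returns NXDOMAIN until someone
# else registers it.
RESOLVES = {"alumni-portal.vendor-cdn.example.": True,
            "mtnbiking-club.expired-host.example.": False}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)\s*$", re.M)

def registrable_domain(fqdn: str) -> str:
    """Last two labels ('a.b.example.edu.' -> 'example.edu'). Simplifying
    assumption: a real audit should consult the public suffix list instead."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def parse_cnames(zone: str):
    """Return (owner FQDN, target) pairs, qualifying relative owners with $ORIGIN."""
    origin = re.search(r"^\$ORIGIN\s+(\S+)", zone, re.M).group(1)
    return [(name if name.endswith(".") else f"{name}.{origin}", target)
            for name, target in CNAME_RE.findall(zone)]

def audit_dangling(zone: str, resolves: Callable[[str], bool]):
    """Return CNAMEs that point outside our own domain AND no longer resolve."""
    findings = []
    for fqdn, target in parse_cnames(zone):
        if registrable_domain(target) == registrable_domain(fqdn):
            continue  # internal alias: not a takeover candidate
        if not resolves(target):
            findings.append((fqdn, target))
    return findings

def resolves_stub(target: str) -> bool:
    """Stub for a real lookup; swap in an actual resolver for production use."""
    return RESOLVES.get(target, False)

if __name__ == "__main__":
    for fqdn, target in audit_dangling(ZONE, resolves_stub):
        print(f"DANGLING: {fqdn} -> {target}  (delete or re-point this record)")
```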
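The two-channel signal from the GreyNoise write-up above (existing scanners hitting a vendor harder than their baseline, versus new IPs appearing, with both spiking together as the high-confidence case), worked through as an added example over constructed sensor records. This is not GreyNoise's code; the vendor names, the sample data, the 3-sigma threshold and the baseline window are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sensor records (day, vendor, source_ip); days 0-6 are the baseline.
# Day 7: vendorA's ten known scanners open 5 sessions each and 8 new IPs appear.
SESSIONS = (
    [(d, "vendorA", f"198.51.100.{i}") for d in range(7) for i in range(1, 11)]
    + [(7, "vendorA", f"198.51.100.{i}") for i in range(1, 11) for _ in range(5)]
    + [(7, "vendorA", f"203.0.113.{i}") for i in range(1, 9)]
    + [(d, "vendorB", f"192.0.2.{i}") for d in range(8) for i in range(1, 6)]
)

def daily_stats(sessions):
    """Per (vendor, day): sessions from already-known IPs, and number of new IPs."""
    by_day = defaultdict(list)
    for day, vendor, ip in sessions:
        by_day[(vendor, day)].append(ip)
    seen, stats = defaultdict(set), {}
    for vendor, day in sorted(by_day):  # chronological within each vendor
        ips = by_day[(vendor, day)]
        known = sum(1 for ip in ips if ip in seen[vendor])
        new_ips = set(ips) - seen[vendor]
        seen[vendor].update(ips)
        stats[(vendor, day)] = (known, len(new_ips))
    return stats

def threshold(values, z=3.0):
    """Baseline mean plus the largest of z sigma, half the mean, or a floor of 1."""
    m = mean(values)
    return m + max(z * pstdev(values), 0.5 * m, 1.0)

LABELS = {(True, True): "high-confidence", (True, False): "intensity",
          (False, True): "new-ips"}

def surge_signals(sessions, baseline_days=7):
    """Label post-baseline days: 'intensity' (known scanners hitting harder), 'new-ips', or 'high-confidence' (both)."""
    stats = daily_stats(sessions)
    thresholds = {}
    for vendor in {v for v, _ in stats}:
        # day 0 is skipped: on the first day every IP is new and none is known
        base = [stats[(vendor, d)] for d in range(1, baseline_days) if (vendor, d) in stats]
        thresholds[vendor] = (threshold([k for k, _ in base]), threshold([n for _, n in base]))
    signals = {}
    for (vendor, day), (known, new) in stats.items():
        if day >= baseline_days:
            t_known, t_new = thresholds[vendor]
            label = LABELS.get((known > t_known, new > t_new))
            if label:
                signals[(vendor, day)] = label
    return signals
```

Running surge_signals(SESSIONS) flags only ("vendorA", 7) as "high-confidence"; vendorB's flat traffic produces no signal, which is the alert-fatigue point the Debate line raises.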
Zero Day Initiative — CVE-2026-33824: Remote Code Execution in Windows IKEv2

CVE-2026-33824 is a critical (CVSS 9.8) remote code execution vulnerability in Windows' built-in VPN handshake service, called IKEv2. The short version: an attacker on the internet can send specially crafted packets to UDP
The article discusses a critical vulnerability (CVE-2026-20127, CVSS 10.0) in Cisco Catalyst SD-WAN Manager that allows for remote code execution. Affected versions are those prior to 20.9.8.2, versions 20.11 through 20.12.5.3, versions 20.13 through 20.15.4.2, and versions 20.16 through 20.18.2.1. The remediation is to upgrade to fixed versions 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1, depending on the specific affected branch.