The groundbreaking technology addressing employment scams and deepfakes – John Dwyer, Aaron Painter – ESW #393
1. The groundbreaking technology addressing employment scams and deepfakes – Aaron Painter – ESW #393
Spoiler: it's probably in your pocket or sitting on the table in front of you, right now!
Modern smartphones are conveniently well-suited for identity verification. They have microphones, cameras, depth sensors, and fingerprint readers in some cases. With face scanning quickly becoming the de facto technology used for identity verification, it was a no-brainer for Nametag to build a solution around mobile devices to address employment scams.
Guest
Aaron Painter is a global technology executive, cybersecurity expert, and the CEO of Nametag, an identity verification company dedicated to stopping social engineering attacks at the employee IT helpdesk. With a passion for digital security, Aaron has led efforts to protect organizations from rising fraud threats, including deepfake scams and AI-driven identity theft.
Prior to Nametag, Aaron held leadership roles at Microsoft, serving as Vice President across multiple regions, including China, Brazil, and the Middle East. He is the author of Loyal: A Leader’s Guide to Winning Customer and Employee Loyalty, drawing from his experience managing diverse teams worldwide. Aaron has been featured on Bloomberg, Cheddar News, and Forbes, sharing insights on cybersecurity, identity protection, and business transformation.
2. Inside look and lessons from a Recent APT Attack on a U.S. Aerospace Company – John Dwyer – ESW #393
Listeners of the show are probably aware (possibly painfully aware) that I spend a lot of time analyzing breaches to understand how failures occurred. Every breach story contains lessons organizations can learn from to avoid suffering the same fate. A few details make today's breach story particularly interesting:
- It was a Chinese APT
- Maybe the B or C team? They seemed to be having a hard time
- Their target was a blind spot for both the defender AND the attacker
Guest
John Dwyer is the Director of Security Research at Binary Defense, where he leads a team of experienced security researchers focused on adversary trend analysis, threat hunting, detection engineering and incident response. John previously served as the Head of Research for IBM X-Force and he’s made several contributions to the security community through his creation of the X-Force MFT Detection and Response Toolkit and the Open Threat Hunt Framework (OTHF). He also served at MIT Lincoln Laboratory and Carnegie Mellon’s Software Engineering Institute.
3. Breach details need to be transparent and kids need cybersecurity education – ESW #393
This week, in the enterprise security news,
- Semgrep raises a lotta money
- CYE acquires Solvo
- Sophos completes the Secureworks acquisition
- SailPoint prepares for IPO
- Summarizing the 2024 cybersecurity market
- Lawyers that specialize in keeping breach details secret
- Scientists torture AI
- Make sure to offboard your S3 buckets
- Extinguish fires with bass
All that and more, on this episode of Enterprise Security Weekly.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
- 1. FUNDING: Semgrep Announces $100M Series D Funding to Advance AI-Powered Code Security
- 2. ACQUISITIONS: CYE Acquires Solvo, Strengthening Cloud Security Capabilities
I've been saying for a while that it would be really RAD if an external attack surface management (EASM) vendor and a CSPM got together and it was possible to map external exposures to internal assets and vice versa.
This isn't exactly that, but it might be the closest thing we've seen. I wasn't familiar with either company before this announcement, but it looks like CYE does "attack route visualization" among other things, like breach cost quantification. I haven't seen anyone go after attack route analysis since Core Security and RedSeal were correlating network infrastructure configs and vuln scan results back in the mid-2000s.
Still interesting if only that I don't see anyone else going after this combination. The result could potentially save teams a LOT of remediation and analysis time.
- 3. ACQUISITIONS: Sophos completes Secureworks Acquisition
We discussed this back in October when the news broke, so this is just the announcement that the deal closed. Sophos is a UK-based company, which might explain the extra time required.
- 4. DUMPSTER FIRES: Joe Levy on LinkedIn: Apparently Sophos has acquired Secureworks. I have never been a fan of…
We really need to kill and bury traditional outbound sales tactics. This makes me want to automate retaliation against folks that keep doing this. Remember that guy that backed up a dump truck and dumped hundreds of thousands of AOL CDs onto the company's front steps?
That's about where I'm at with this right now.
Hmm... it doesn't seem too difficult to auto-enroll corporate spammers in spam, returning the favor and filling their own inboxes with junk. It is also fairly ethical when compared to some of the other knee-jerk responses my brain comes up with.
- 5. IPOS: Thoma Bravo’s SailPoint eyes up to $11.5 billion valuation in US IPO
"Private equity-backed companies are expected to lead the initial public offering market as sponsors look to unload holdings and return capital to investors.
Austin, Texas-based SailPoint and parent Thoma Bravo are offering 47.5 million and 2.5 million shares, respectively, priced between $19 and $21 each to raise a total of up to $1.05 billion."
I don't have too much to say about this, except that PE firms continue to seem to have success with a very basic model of:
- take private
- improve efficiency (even though this tends to reduce customer happiness and increase churn) or combine with other, similar/complementary companies
- sell for 2-3x or take public again
- 6. REPORTS: The State of the Cybersecurity Market in 2024
Mike Privette's annual market summary report for 2024 is out and is full of interesting insights, check it out!
- 7. ESSAYS: Three Things I Learned from losing to Wiz Twice
Seems like a bit of a myopic view of the reasons for Wiz's success, but that's a product of the lens she viewed the company through and of how she competed with them. Still, a lot of interesting insights to mull over, some of which I'm not sure I fully understand (e.g. "Wiz is marketing-led instead of product-led"??)
- 8. ESSAYS: Kept in the Dark
TL;DR:
- the cybersecurity industry needs to learn from failures to improve
- lawyers specialize in making sure that details of failures don't become known
- the industry has limited information to learn from
I've been frustrated by this for a long time. The irony is that we don't really need to know the identity of the breached company to learn from its failures - they can be anonymous!
Directly related to the following research article: How Privilege Undermines Cybersecurity
The context here for the term "privilege" is attorney-client privilege.
- 9. DUMPSTER FIRES: Scientists Experiment With Subjecting AI to Pain
Sure, why not. What could go wrong?
- 10. LEGISLATION: Senator Hawley Proposes Jail Time for People Who Download DeepSeek
Man, I miss the "Internet is a series of tubes" days. It's hard to tell when legislation is serious, or just trying to make a point, but this feels like it is solidly in "F12 is not a crime" territory.
These attempts to block/ban Chinese tech are such a waste of time.
- The Huawei rip-and-replace efforts never completed, years after they were put in place
- The TikTok ban was delayed
- Bytedance has its SDK baked into thousands of other apps not affected by the ban
- TP-Link is installed in millions of homes and businesses across the US
The bill assumes that it is China that needs the US and not the other way around. As I do more research and testing with models, benchmarks, and AI evaluation tools, the more I notice how much of these frameworks and models are coming from China. It seems likely that severing AI ties might be mutually harmful. I wouldn't be surprised if it hurts us more than it hurts them. An "AI Brexit" if you will.
But then, it's my experience that politicians are more successful when they're seen doing something, regardless of whether that something is the right thing to do. Inaction looks worse than wrong action - it is perceived as weakness. Campaigns, appearances, and egos win out over practicality and efficacy.
- 11. RESEARCH: 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
It's not an easy read at about 8,000 more words than necessary, but I do love this kind of research that doesn't just talk about potential harm from vulnerabilities and exposures, they demonstrate it.
How ethical their approach was can be debated, but I strongly feel that anything less wouldn't make anyone budge. That's one of the major reasons folks hire pentesting firms - they can't get any support and hire a team to demonstrate that systems really are vulnerable/hackable.
As for this research, the TL;DR is "like subdomain takeovers, but with S3 buckets"
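The defensive side of "offboard your S3 buckets" is an inventory problem: find every bucket name your own configs, build scripts and installers still point at, and compare that list against the buckets you actually own today. The Python below is an added example written for these notes, not code from the article or from the researchers it links. It pulls bucket names out of the three URL forms S3 uses (virtual-hosted, path style, and `s3://` URIs) from a constructed set of config lines, then reports any name that is missing from a constructed "owned" inventory; in practice that inventory would come from listing buckets across every account you control. All bucket names and lines here are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines of the kind you would grep out of CI configs,
# install scripts and application settings. Every bucket name is made up.
SAMPLE_LINES = [
    "INSTALLER_URL=https://acme-installers.s3.amazonaws.com/setup-1.2.3.sh",
    "aws s3 cp s3://acme-ci-artifacts/build.tgz ./build.tgz",
    "MODEL_URL = 'https://s3.us-west-2.amazonaws.com/acme-ml-models/v3/weights.bin'",
    "# legacy mirror: https://acme-legacy-mirror.s3-eu-west-1.amazonaws.com/pkgs/",
    "LOG_LEVEL=info",
    "wget https://acme-installers.s3.amazonaws.com/common.sh",
]

# Constructed inventory of buckets the organisation currently owns (assumption:
# in real use, build this from a bucket listing across all of your accounts).
OWNED_BUCKETS = {"acme-installers", "acme-ci-artifacts", "acme-ml-models"}

# S3 bucket-name charset: 3-63 characters of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Optional endpoint labels between "s3" and "amazonaws.com": ".us-west-2",
# "-eu-west-1", ".dualstack.us-east-1", or nothing for the legacy global endpoint.
LABELS = r"(?:[.-][a-z0-9-]+)*"

PATTERNS = (
    # virtual-hosted style: https://<bucket>.s3[.<labels>].amazonaws.com/...
    re.compile(r"https?://" + BUCKET + r"\.s3" + LABELS + r"\.amazonaws\.com(?:/|$)"),
    # path style: https://s3[.<labels>].amazonaws.com/<bucket>/...
    re.compile(r"https?://s3" + LABELS + r"\.amazonaws\.com/" + BUCKET + r"(?:/|$|\s)"),
    # CLI / SDK URI style: s3://<bucket>/...
    re.compile(r"s3://" + BUCKET + r"(?:/|$|\s)"),
)


@dataclass(frozen=True)
class BucketRef:
    bucket: str
    line_no: int
    text: str


def extract_bucket_refs(lines):
    """Return every S3 bucket reference found in `lines`, in order of appearance."""
    refs = []
    for line_no, line in enumerate(lines, start=1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                refs.append(BucketRef(match.group("bucket"), line_no, line.strip()))
    return refs


def find_unowned(refs, owned):
    """Map each referenced bucket that is not in `owned` to the lines that reference it.

    A name that lands here is a typo, a third party's bucket, or a bucket you deleted
    whose name is now free for anyone else to register: the condition the research
    above describes. Each one deserves a look before the reference is left in place.
    """
    unowned = {}
    for ref in refs:
        if ref.bucket not in owned:
            unowned.setdefault(ref.bucket, []).append(ref.line_no)
    return unowned


if __name__ == "__main__":
    report = find_unowned(extract_bucket_refs(SAMPLE_LINES), OWNED_BUCKETS)
    for bucket, line_nos in report.items():
        print(f"unowned bucket {bucket!r} referenced on line(s) {line_nos}")
```

Run against the constructed input, the scan flags only `acme-legacy-mirror` (the commented-out mirror on line 4), which is exactly the kind of stale reference that survives a bucket being decommissioned. The patterns deliberately reject names with characters S3 does not allow, so a line like `s3://bad_name/x` produces no reference rather than a misleading partial match.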
- 12. SQUIRREL: researchers at George Mason University use BASS to put out fires
In 2015, researchers at George Mason University developed a technology that uses low-frequency sound waves to extinguish fires. The device emits sound waves in the 30 to 60 hertz range, disrupting the combustion process by separating oxygen from fuel, thus putting out the fire. This method is chemical-free and eco-friendly, with less risk of property damage compared to traditional fire suppression methods.
Imagine how impactful this could be during emergencies, like the recent devastating fires in LA.