Episode 213

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here



Episode Media

MP3

Sponsors & Announcements


PaulDotCom Security Weekly Episode 213 For Thursday September 30th, 2010.

  • Announcing Hack3rcon! The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend.
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Special Guest: Bill Brenner, senior editor at CSO Online

Bill is just another journalist, family man, and history buff using his writing and editing skills for the betterment of humanity.

  • QUESTION - Is Pen testing dead?

Guest Interview: Jeff Moss

Jeff Moss (also known as The Dark Tangent), is the founder of the Black Hat and DEF CON computer hacker conferences, and works as a security consultant in Seattle. Just last year, he was sworn in to the President's Homeland Security Advisory Council.

  1. How did you get your start in information security?
  2. Take us back in time when the security industry was just beginning, or maybe not even formed yet, and you had this idea for a security conference out in Vegas.
  3. Were the initial Defcon conferences "crazy" because of the age of the participants, hackers' outlook on life in general, just some irresponsible people, or all of the above? What are some of the funnier things that have happened at previous Defcon conferences?
  4. At some point you went on to create Blackhat, how did that come about?
  5. How have companies' outlooks on security changed over the years? Are we making progress by speaking about security issues, or is it falling on deaf ears?
  6. Tell us about your work with the Security Council.

Tech Segment: Scott Hazel

  1. How did you get your start in information security?
  2. What are the critical components to being a successful social engineer?
  3. What tips do you have for people who want to get better at social engineering?
  4. Tell us about the Defcon Social Engineering contest and how you won.

Stories For Discussion

  1. You suck - [Larry] - This is why I think that a physical assessment of your assets is important as well. With a simple household gadget and some cajones, these thieves were able to clean up. See what I did there?
  2. XSS will never be the same - [Larry] - Rsnake, where are you? Now we never have to worry about the dreaded JavaScript popup with "XSS" anymore. Now, we have frigging ASTEROIDS!
  3. Take over your very own ZeuS botnet - [Larry] - Yes, the attackers make mistakes too. This time the PHP application for the ZeuS botnet allows for uploading of PHP scripts.
  4. Metafuzz - [pauldotcom] - Really neat project: you download a VM that comes with a Ruby library that allows you to easily fuzz protocols or binaries, then let it run. Stats are posted for a bunch of stuff already, pointing out things that are vulnerable, at www.metafuzz.com.
  5. Ironfox - Protect Ya' Applications - Nice little wrapper for applications that runs them in a "bubble". This seems to be a free way to do application whitelisting and sandboxing, as in only let the apps do what they need to!
  6. Brucon 2010 Baby! - I posted a full write-up here for the Tenable Blog. First, thanks to all Brucon staff and organizers, fantastic conference. They included everything I like to see in conferences and have really set the bar for all cons, including training, presentations, lightning talks, PowerPoint karaoke, workshops, and podcaster meetup. Make sure I tell you about Joe's talk, Chris's talk, Samy's talk, beer, DVWA workshop, and how I am now an expert on threesomes (NOT like that).
  7. Signal Hackerspace launches radio station - [pauldotcom] - Really cool Internet radio station that features music, hacker shows, and information about hackerspaces! These guys gave a lightning talk at Brucon, cool dudes.
  8. Five Irrefutable Laws of Information Security - [pauldotcom] - These come from Intel's CSO, and I will of course dispute them:
    • "Once data lands on the endpoint, it's free" - Correction: once an endpoint ACCESSES data, it's free. Data does NOT have to be stored on an endpoint in order to fall into the wrong hands. On pen tests, I will go after the endpoints that are accessing the data. Now, it's nice when they do contain the data themselves, but accessing it is just as good.
    • "Code wants to be wrong." - I believe it's the developers that are enabled to write bad code. Code itself does not want to be wrong, and developers do not want to write bad code. But they are put in situations that allow them to easily write bad code. Examples: languages make it easy to write bad code, and economics forces developers to write bad code. Remember Pauldotcom's analogy on software security; it can be summed up best by Wu-Tang Clan: Cash Rules Everything Around Me.
    • "Services want to be on." - I totally agree; people want to use technology to make things easier and gain competitive advantages.
    • "Users want to click" - I can't dispute that. However, why does browsing the web have to be so dangerous? Is it back to bad code, improperly designed browsers, protocols? Or is it just human nature that makes us want to click?
    • "Security features want to be bypassed." - Agree with this one, especially for the users; security just gets in the way. It shouldn't. We should bake it in and make it hard to break, but easy to use. Hard to do!

Other Stories of Interest