Episode325

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

Episode 325

MP3

Announcements & Shameless Plugs

Security Weekly - Episode 325 for Thursday March 28th, 2013

  • Register for "Offensive Countermeasures: The Art Of Active Defense": SANSFIRE Washington, DC June 15-16th with John Strand
  • Come to Security BSides Rhode Island One-Day Conference on June 15th tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright , Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray,Ron Gula, Ben Jackson, Dave Maynor and the entire Security Weekly crew!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 8:30PM EST. Come have a cigar with us!

Guest Technical Segment: Simon Bennetts on OWASP Zed Attack Proxy v 2.0.0

Simon is a Mozilla Security Automation Engineer and ZAP Project Leader. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project. Simon is on to discuss OWASP's Zed Attack Proxy v 2.0.0

From the OWASP site:

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.


  1. What is the Zed Attack Proxy (ZAP)?
  2. How is it maintained?
  3. How is it different from other proxies, like Burp?
  4. Where do you see ZAP going in the future?
  5. What are ZAP's strengths and limitations?
  6. Are you working on any other OWASP projects?

Announcement

  • We are in the process of archiving and cataloging our technical segments, please visit the Security Weekly Technical Library and we indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too Late to sign up for my class in San Diego this May!

Stories

Paul's Stories

  1. Ubuntu low-mem install for VMs - Nice tip for running Ubuntu VMs. Having

multiple Ubuntu VMs is handy. I mean backtrack is nice. But sometimes you need to run stuff, like firmware analysis tools, vulnerable web applications , or other such software. This allows you to run different versions of Ubuntu as well.

  1. Passcode lock can be bypassed in iOS 6.1.3 as well - I mean really, come on! They just can't seem to lock this feature down.
  2. Remember Your Helmet - Great article about keeping security simple.
  3. Critical Flaw Threatens Millions of BIND Servers - Exploitation i

s easy, ah the memories of easily exploitable Bind vulnerabilities, TSIG anyone?

  1. Too Scared To Scan - Scan in development, use credential

ed scans, scanning is important, crashes happen.

  1. Oz states count cars using Bluetooth
  2. Network security study reveals 26
  3. Whoops! Tiny Bug In NetBSD 6.0 Code Ruins SSH Crypto Keys

Larry's Stories

Jack's Stories

  1. A Kickstarter for a documentary on Hackers in Uganda, Hackers for Charity. The producer of the hacker documentary "Code2600" has set his sights on documenting Johnny Long's work in Uganda.
  2. Kids these days Krypt3ia has some thoughts on the security implications of "digital natives".
  3. A free "intro to computer science" course Free is good, right? A very basic programming class for those who want the basics of coding.
  4. Most IT admins considering quitting due to stress according to a survey by GFI software. The survey seems a bit questionable, small sample size and self selection bias, etc. But, still a few interesting insights.
  5. Critical Flaw Threatens Millions of BIND Servers the article at ThreatPost highlights the issues with Bind on *nix systems. This bug "could not only cause a denial-of-service condition on the server but also could potentially compromise other software on the machine". That could be a problem.
  6. Forget CyberFUD, here's a DoS to worry about Yes, there was the biggest DDoS in history (or not) this week, but this is scarier to me.
  7. Another "kids hack their school to changes grades" story. Here are a couple little guttersnipes, aka "Digital Natives" getting in trouble.
  8. Too scared to scan A sad state of affairs, but true in many organizations.
  9. The first of a new set of posts about better storytelling in business from Michael Santarcangelo, aka Security Catalyst part two is here

Allison's Stuff