Episode328

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 328 for Thursday April 18th, 2013

  • Register for our free webcast Hacking Embedded Systems (No Axe Required) on Tuesday, April 23, 2013 at 2:00 PM EDT to hear Paul talk about hacking embedded systems on the fly, on the cheap, no soldering iron required! (We are also looking for sponsors for this webcast, so please contact paul -at- hacknaked.tv for details!)
  • Come to the Security BSides Rhode Island Two-Day Conference on June 14th and 15th; tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • If you are in the Boston area, check out BSides Boston with Keynotes by Dan Geer and Josh Corman on Saturday May 18th!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Dr. Whit Diffie

Dr. Diffie is a pioneer of public-key cryptography and was VP of Information Security and Cryptography at ICANN. He is author of Privacy on the Line: The Politics of Wiretapping and Encryption.

  1. How did you get your start in information security?
  2. It seems like the security field is so broad and can be overwhelming. For people just starting in this industry, where should they focus their time and learning?
  3. What led you to start working on a new crypto algorithm that led to public key cryptography?
  4. Tell us about the genesis for your book and why you wrote it.
  5. Do you think privacy is dead? If not, how can we keep it alive?
  6. What is the Hummingbird algorithm and where would it be optimal?
  7. Are organizations doomed for failure when it comes to security for good, or do you think some day we will be in much better shape?
  8. What do you mean by "A secure internet could not serve our needs"?
  9. Why is crime essential to the internet?
  10. How do you think the internet will be different in 100 years?

Interview: Jeremy Zerechak

Announcement

  • Larry is teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May!
  • If you are interested in hosting SANS Training in the Boston area via the mentor format, please send us an email at mike -at- pauldotcom.com! We're looking for a location that can host 2 hours in the evening, 1 night a week, for 10 weeks.

Interview Details

Jeremy is an accomplished documentarian and film technician. He has produced and directed two award winning feature-length documentaries: Land of Confusion and Code 2600. Jeremy is also a decorated Iraq War veteran and an advocate for veteran rights. He currently teaches film at the Ohio University School of Film.

Stories

Paul's Stories

  1. What is the Real Cost of Security? - It's interesting to see that of a handful? (or maybe undefined amount) of CISO/CSO level executives their defense of choice is still AV and Firewalls. On one hand, I can't say that I blame them. AV protects against known threats (provided it is configured properly) and firewalls do deter a large number of attacks (ever look at your firewall logs to see what is being denied?). However, the top two choices are ill-equipped to deal with a laundry list of threats, including the less-frequent but often more damaging targeted attacks or sophisticated malware. However, I think you still need AV and Firewalls as they do reduce the threat landscape in some way. However, I don't think you need to spend a whole ton of cash in your budget, AV is available from MS and maybe you don't need that "next generation" firewall. Then you can focus your efforts on patching, vulnerability management, configuration controls/system hardening and all the rest of the defensive measures that actually stop real attackers.
  2. Hitting Back At Hackers: Why Strikeback Is Doomed To Fail – ReadWrite - While "striking back" is a hot topic these days, there is more than meets the eye. Sure, it comes with its problems. I think some will think of "Revenge-based" attacks. L, this isn't a kung fu movie. The hackers have not killed your master. There is no reason to go off into the woods and train for a short period of time, and even though short still becoming a true kung fu master, and going back and destroying your enemies with the 5-point palm exploding heart technique. It's not about revenge, it's about defense, information gathering, and protecting your network. It's when revenge enters the picture that your efforts will fail and backfire on you.
  3. top-5-mistakes.jpg 800×4 - They clock in as assuming patching is enough, failing to enforce configuration, not enforcing a password policy, not educating users, insecurely storing data. I think that pretty much sums it up, the last one is a little weak, but I see their point.
  4. When Offense and Defense Become One - Great article on the merging of offense and defense, and it's not what you think. AV software is a rootkit of sorts, botnet command and control is something we can use to maybe learn how to administer our own systems, etc.
  5. Kali Linux review and a brief history of the BackTrack pentesting distro - It's interesting to look back on where the roots of BackTrack, and the new Kali Linux, come from. It's been a long journey, and they finally sat down and re-wrote it, hoping to overcome the dependency hell that is created when you have multiple security tools on the same distro. Can't wait to test it out! Has anyone messed with Kali yet?
  6. iPhone Pen Testing Tools without Jailbreaking - A really great list of tools to keep handy on your iPhone. There are just times when I was like "Ya know, I wish I had some hacking tools with me". Now I plan to install all of these apps so I never leave home without some hacking tools goodness!
  7. Time To Dump Antivirus As Endpoint Protection? - I agree with the Whitelisting recommendation, if you can pull it off. However, the isolation thing always bothered me. Don't just isolate, harden first, then isolate. Often people skip that step, and no system will ever be truly isolated.
  8. Popular home routers contain critical security vulnerabilities - Yet another report of vulnerable embedded devices, specifically home routers. I think people just don't care about security on these devices and never will. My spirits are low as this is the second week in a row we've covered a story like this.

Allison's Stories