Episode347

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3 pt1

MP3 pt2

Announcements

PaulDotCom Security Weekly - Episode 347 for Thursday October 3rd, 2013

  • Episode 350 of PaulDotCom will be recorded and streamed live on October 25, 2013. We are looking for submissions for technical segments, send them to psw -at - pauldotcom.com and we will pick the best ones to be featured on the show. We are looking for panel guests as well! Support our chosen charity: Wings For Warriors. This will be an all day event!
  • We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
  • We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Guest Interview: Jaime "WiK" Filson

WiK.jpg

Biography:

Jaime enjoys long walks on the beach while his computer equipment is busy fuzzing software, cracking passwords, or spidering the internet. He's also the creator of the gitDigger project as well as staff of DEFCON's wireless village.

Five Questions:

  • Three words to describe yourself
  • If you were a serial killer, what would be our weapon of choice?
  • In a game of ass grabby-grabby do you prefer to go first or second?
  • If you wrote a book about yourself, what would the title be?
  • Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?


Technical Segment with Jared DeMott

Jaredemott.jpg

Biography:

Jared DeMott has spoken at security conferences such as Black Hat, Defcon, ToorCon, Shakacon, DakotaCon, GRRCon, and DerbyCon. He is active in the security community by teaching his Application Security course, and has co-authored a book on Fuzzing.

Stories


Paul's Stories

  1. Derbycon 3.0 Videos Tracks 1 & 2
  2. Barclays Bank Branch Bugged In £1.3m Breach
  3. Exploit Disclosure
  4. Facebook Pushes Passwords One Step Closer to Death
  5. Yahoo abandons T-shirt rewards for vulnerability information
  6. iPhone Fingerprint Scanner Hacked; Should You Care? - Forbes
  7. Researchers Unite To #ScanAllTheThings
  8. [http://www.wired.com/wiredenterprise/2013/10/arduinolab/ Thirteen-Year-Olds Hack Their Way Into Space

Greg's Stories

Jack's Tales of Happiness and Sunshine

  1. Wanted: a strong hacker community Sweet!, main stream media gets it right- good article in the Boston Globe about university hackathons.
  2. VPN provider has issues delivering on the P part
  3. Client-side XSS isn't that sexy anymore but you shouldn't annoy researchers who come to you with bugs. Says Sandro Gauci: "Juniper blamed me for responsibly reporting a DOM XSS in their SSL VPN..."
  4. Update that protects from internal URL port scanning from Microsoft for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Embedded Standard 7, Windows Server 2008 R2, Windows 8, Windows RT, and Windows Server 2012

Larry's Stories

  1. Silk Road, busted - [Larry] - This is a link to the filed criminal complaint which outlines the methods in which the agents used to tie The Dread Pirate Roberts to a specific person running the site. Some was not to get busted? 1.) Don't connect to the hosting server over a VPN, not tunneled through TOR. 2.) Don't use your real name and e-mail address at StackOverflow asking for help with tor hidden services, using code similar to that found running on the silk road. 3.) Don't have fake IDs sent to your home address 4.)…
  2. Yahoo bug bounty program! - [Larry] - YAY, on the bandwagon! This should be good, right? Uhhh, so the bounty offered to some researchers who found XSS was a whopping $12.50 each, and the payment was only redeemable at that Yahoo Corporate store which only sells yahoo branded merchandise. Um, Yahoo, that word "bounty" does not mean what you think it means.
  3. TouchID thwarted - [Larry] - and it inly took about a week for the phone to be out to have it hacked. That said, it was fairly complicated and was more than just the gummy bear attack…
  4. Making open hotspots safer, WiFi Alliance style - [Larry] - Hotspot 2.0 will allegedly put customers at ease because the connections are secure and the communication is encrypted. "Also, users should no longer have to search for and choose a network, request the connection to the access point each time and then in many cases re-enter their password. All that can be handled by Passpoint-compatible devices" hmmm. Looks like it is using some additional global SSIDs and some standard and new EAP types.
  5. [1] - [Larry] - New drones with F-16s. Paging Daniel Suarez..

Allison's super cool stuff

  1. Data Broker Giants Hacked by ID Theft Service This is just crazy. For most of this year, ssndob services have existed in the underground that would give you personal information about any arbitrary American you ask for. So, can you imagine what sort of data pool it needs to be able to draw from. It's already been revealed that the annualcreditreport service set up by the government has been abused. Now it's been revealed that LexisNexis, Kroll Background America(Now part of HireRight), Dun & Bradstreet, have all been hacked for a period of at least several months. These are the people we trust our data with, and oftentimes we don't have a choice in giving them our data. LexisNexis made a statement that they found “no evidence that customer or consumer data were reached or retrieved”.
  2. Data Broker Hackers Also Compromised NW3C The same people also compromised the National White Collar Crime Center. This is a taxpayer funded agency. The attackers also got ten years worth of complaints that were sent to the Internet Crime Complaint Center [2], among other things
  3. Adobe To Announce Source Code, Customer Data Breach Adobe got hacked by the same people too. Now their Coldfusion/Acrobat source code is open source, but only for the bad guys.
  4. W3C green-lights adding DRM to the Web's standards Adding DRM to browsers? I really doubt that the major browsers are going to adopt this. If they do, the exploitation potential will be very interesting.
  5. :(
  6. Ross Ulbricht submitted an interview to NPR's StoryCorps