Episode348

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3 pt1

MP3 pt2

Announcements

Security Weekly - Episode 347 for Thursday October 10th, 2013

  • Episode 350 of Security Weekly will be recorded and streamed live on October 25, 2013. We are looking for submissions for technical segments; send them to psw -at- securityweekly.com and we will pick the best ones to be featured on the show. We are looking for panel guests as well! Support our chosen charity: Wings For Warriors. This will be an all-day event!
  • We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
  • We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Guest Interview: Thierry Zoller

Biography:

Thierry has 14 years of experience in information security, designing resistant architectures and systems, managing development and information security teams, ISM policies and high profile penetration tests. Thierry has a security blog over at blog.zoller.lu. Thierry is currently working as a Practice Lead for Threat and Vulnerability Management at Verizon Business.

  1. How did you get your start in information security?
  2. What advice do you have for others getting their start in information security?
  3. What is your vulnerability disclosure policy and what led to you adopting this particular policy?
  4. What is the coolest security vulnerability/bug you've ever found?
  5. Do you believe it's important to make the distinction between a bug and a flaw?
  6. What can we do to improve software security?
  7. Should people run A/V software or is it a complete waste of time?
  8. Are folks underestimating the continued threat of Bluetooth attacks or have we got that all figured out? Or, more likely, now that every smartphone has Wi-Fi and 3G, a web browser and apps, it's far easier to attack them via these methods?
  9. Will we ever be able to trust SSL? Tell us a little about the SSL audit tool you wrote and some of the features such as fingerprinting…
  10. Is privacy dead, did we kill it, has the US Government taken it hostage, or all of the above?
  11. Who are the primary threats and how well coordinated do you find them to be?
  12. How well should we know our enemy?
  13. From a defensive perspective, what is the most innovative and/or effective technology to surface recently?
  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?

Heather Mahalik from SANS on Advanced Smartphone and Mobile Device Forensics Course



Biography:

Heather Mahalik is a senior digital forensics analyst at Basis Technology. As the on-site project manager, she uses her experience to manage the cell phone exploitation team and supports media and cell phone forensics efforts in the U.S. government. Heather is a certified SANS instructor and is teaching the upcoming course Advanced Smartphone and Mobile Device Forensics.

Stories


Paul's Stories

Jack's Tales of Happiness and Sunshine with Bourbon

  1. I'm sure I'm late to this party but, Tails, a privacy and security focused live distro.
  2. Prepare for a Rantapocalypse
  3. Oooh, cool Update that enables you to delete outdated Windows updates by using a new option in the Disk Cleanup wizard in Windows 7 SP1. Be aware that the next reboot may take a VERY long time.
  4. I haven't heard anything yet but with Microsoft's recent patch issues, this patch is one I would test before widespread deployment.
  5. Popping Penguins, oh my! Probably the worst InfoSec article you will read today^^this year. Stunningly bad. No, that's not an Onion article. And here's some commentary from Space Rogue and Twitter commenters

Larry's Stories

  1. iOS 7 image identification - [Larry] - Thank you again, Dr Krawetz for your image analysis. He discovered that images taken with the camera on iOS 7 add some unique fields to the EXIF metadata in the Maker Notes field, which is typically reserved for manufacturer specific tags. Apple decided to use this tag to include some unusual values which refer to CMTime which stores values for time offsets, which through analysis appears to include application usage, time from last boot, standby time and (I think) time since last photo…ExifTool knows how to parse the data, but does not describe the fields….yet.
  2. RfCat intro - [Larry] - Full disclosure: I work for InGuardians. @cutaway put together a great introduction to using RfCat, which I have always thought of as daunting as being the next step into the SDR market (limited transmit capabilities as opposed to the RTL devices). Cutaway gives us some great tips in how we can use it for general analysis with a "radio app" and then turn that into reception of actual packets, and how to configure the radio - by sniffing the configuration of the radio on the actual device by bus sniffing…this is a great thing as I've struggled to find any good universally accessible tutorials on RfCat
  3. 5 WiFi security myths to abandon - [Larry] - Wow, 2008 called and wants their myths back…hidden SSIDs, MAC filtering, Limit IP pool, Disable DHCP, "small networks"

Allison's super cool stuff while drinking a bud and clamato (thanks for that header. Blaaghhhhh -allison)

  1. So I’m the guy who sent the t-shirt out as a thank you. So last week we made fun of Yahoo a bit for only awarding twelve bucks' worth for a bug bounty. Here is their response. Turns out they didn't have an official bug bounty program and it was just one guy paying out of pocket. So it really isn't as scandalous as it initially sounded, and Yahoo is standing up a real bug bounty program soon too. So if you like bug hunting, check out that link for details on prizes.
  2. Going Beyond Vulnerability Rewards - Also, check out this link. Google has started offering bounties for open source software that operates a lot of our core infrastructure. Like OpenSSH, OpenSSL, BIND, ISC DHCP. This is very cool and big props to Google for this.
  3. Author of Blackhole exploit kit arrested in Russia - Paunch, the author of Blackhole, has been arrested. Blackhole has been the #1 exploit kit for a long time and has been updated by Paunch very frequently in an effort to stay one step ahead of antivirus vendors. Paunch made his money by renting out the kit, rather than developing or delivering the malware itself. Since the arrest, specimens of Blackhole in the wild have not been updated.