Episode375

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

Announcements

Paul's Security Weekly - Episode 375 for Thursday May 29th, 2014

And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady its Paul’s Security Weekly!

  • This segment is sponsored by Palo Alto Networks creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
  • and by Tenable Network Security, the creators of Nessus, the worlds best vulnerability scanner. Check out Tenable's other cool products such as the passive vulnerability scanner and SecurityCenter Continuous View. Visit them on the web at www.tenable.com

"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, he has a very small number of cells in his vienna sausage, Paul Asadoorian!"

Guest Interview: Pwnie Express

1. Starting with each of the following products, tell us:

Pwn Pad 2014 Pwn Plug R2 Pwn Appliance Pwn Phone 2014

- A little about the hardware and software platform? - Who would want to use this product? - Why they would want to use the product? - How do folks use the product? - How much does the product cost? - What are some of the adapters that you can use to extend the product?

- Which software comes included for wireless assessments? Bluetooth? - How do you get around NAC protected ports? - What are the ways in which you can create a reverse shell outbound of the network? - If you can’t use the network of the target, what else can you do to get an outbound shell? 3g/4g? - How do you setup an account so that you can use a 3g/4g connection outbound? - What are some of the tools used on web application assessments included with the product?

- At some point, there are resource constraints, which products do you make to help solve those issues? - How do I keep track of all of the devices running around doing pen tests in my organization?

- Cool technical demo? (We can put an HD camera on a pwnpad and allow you to do a demo)



Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. If you could have dinner with one celebrity, who would it be?

Ten more questions to ask at random:

  1. If you had super powers, what would they be?
  2. A penguin walks through that door right now wearing a sombrero. What does he say and why is he here?
  3. If we came to your house for dinner, what would you prepare for us?"
  4. Pick two celebrities to be your parents."
  5. What do you think about when you are alone in your car?
  6. What song best describes your life?
  7. If you were a Star Trek® [or Star Wars® ] character, which one would it be?
  8. If you were 80 years old, what would you tell your children?
  9. What is the record amount of time you have gone without a shower?
  10. What is the geekiest thing you've ever done/created/bought/said?





Stories

  • This segment is brought to you by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
  • and by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • and by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at pwnieexpress.com


  • CircleCityCon is Indianapolis's First Hacker Con, Taking place June 13-15, 2014 at the Hyatt Regency Indianapolis. Special promotional code for Security Weekly listeners - Use the code InfoSec2014 for $30 off of each regular priced ticket. Visit circlecitycon.com for tickets and follow @circlecitycon on twitter for more details.

Paul's Stories

  1. [papers - TP-Link TD-W89 Config File Download / Exploiting the Host]
  2. Nagios and NPRE
  3. WordPress: unsafe at any speed
  4. I Forgot My Wallet. Can I Borrow Yours?
  5. LulzSec leader sentenced to time served after cooperating with police
  6. That Snowden chap was SPOT ON says China
  7. I saved Pinterest's business and all I have to show for it is a t-shirt
  8. Windows XP hack resurrects patches for retired OS
  9. Siemens Fixes DoS Flaw in Rugged OS Devices
  10. Half Of eBay Users No Longer Trust It After Breach
  11. Google To Have Botnet Of Cars
  12. Black Hat USA 2014: Focus on Reverse Engineering
  13. HackerOne Bug Bounty Platform Lands Top Microsoft Security Expert
  14. TrueCrypt turmoil latest: Bruce Schneier reveals what he'll use instead
  15. "No

Larry's Stories

Truecrypt...

Jack's Stories

  1. Still fighting that ugly Windows 8.1 update? You aren't alone.
  2. Can't we all just get along? Apparently not, as Guidance Software seems to have blackballed someone- keeping them from retaining their cert or attending CEIC. Maybe there's more to the story, but appears pretty uncool to me.
  3. U.S. may act to keep Chinese hackers out of Def Con hacker event Oh FFS, are the feds still bitter about being uninvited last year?
  4. Patching is Not Security according to Spaf. And he's right- too bad it is all most of us can do, at least in the short term.
  5. Comparison of IPv6 support in operating systems This is sad. It is 2016 and DNS still doesn't work as it should on most platforms. I guess we stick with DHCP6 and maybe try prefix advertisements in another few years.
  6. Huge congrats to Katie Moussouris and the folks Hacker One where Katie is headed after making huge changes at Microsoft over the past few years.
  7. Privacy versus government surveillance: where network effects meet public choice This PDF is Ross Anderson's paper for Workshop on the Economics of Information Security (WEIS) 2014
  8. Microsoft warns against Windows XP security update hack which is what you would expect, but also makes sense.
  9. Root backdoor found in surveillance gear used by law enforcement Embedded systems with backdoors, is that new?
  10. Dave Aitel asks "Why NSA Critics Are Wrong About Internet Vulnerabilities Like 'Heartbleed'?" I don't completely agree with Dave, but he raises some good points.
  11. TrueCrypt Hack, troll, ragequit, whatever- silence means TrueCrypt org can't be trusted, so neither can TrueCrypt. Damn.
  12. US cybercrime laws being used to target security researchers Security researchers say they have been threatened with indictment for their work investigating internet vulnerabilities
  13. Rob Graham asks "Can I drop a pacemaker 0day at DefCon that is capable of killing people?" and other challenging questions.
  14. Oh, my Heartbleed won't die. New Heartbleed attack hits Android devices and routers over Wi-Fi

Joff's Stories