Episode379

From Paul's Security Weekly


Episode Media

MP3 pt1

MP3 pt2

Announcements

Paul's Security Weekly - Episode 379 for Thursday July 3rd, 2014

And now, from the dark corners of the Internet, where exploits run wild, packets aren't the only things getting sniffed, and the beer flows steady, it's Paul's Security Weekly!

  • This segment is sponsored by Palo Alto Networks, creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
  • and by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.


"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, a huge fan of the little chubby monster, thinks wider is better, and loves the tight shot on his crooked wood, Paul Asadoorian!"

Tech Segment: Disrupting opportunistic SSH Scanners

  • and by Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise Cloud, and engage your IT department in the vulnerability management process today!
  • This segment is brought to you by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.


By: Ben "Get Out of my House" Jackson


Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. If you could have dinner with one celebrity, who would it be?

Ten more questions to ask at random:

  1. If you had super powers, what would they be?
  2. A penguin walks through that door right now wearing a sombrero. What does he say and why is he here?
  3. If we came to your house for dinner, what would you prepare for us?
  4. Pick two celebrities to be your parents.
  5. What do you think about when you are alone in your car?
  6. What song best describes your life?
  7. If you were a Star Trek® [or Star Wars® ] character, which one would it be?
  8. If you were 80 years old, what would you tell your children?
  9. What is the record amount of time you have gone without a shower?
  10. What is the geekiest thing you've ever done/created/bought/said?

Stories

  • and by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • and by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at pwnieexpress.com

Paul's Stories

  1. Remote Access Hack Compromises POS Vendor - Light on details, but seems to be the newer POS systems that use tablets. Wondering what the backend looks like...
  2. Mysterious cyberattack compromises more than a thousand power plant systems - A thousand? Yikes.
  3. Attackers poison legitimate apps to infect sensitive industrial control systems | Ars Technica
  4. Burp Suite Tutorial – Web Application Penetration Testing (Part 1)
  5. Locking down PHP
  6. OpenSSL describes its own sad state of affairs
  7. Netflix Open Sources AWS Monitoring Tool: Security Monkey!
  8. Living Up To Rock Star Status
  9. How to Become a PMP
  10. Exploding Cigarettes and AppSec

Larry's Stories

  1. GSM with a BeagleBone Black - [Larry] - Yes, you too can set up your own GSM base station. Sure, you've been able to do that for a while with OpenBTS, but using it with a small form factor computer is cool. Drone-based cell tower, anyone?
  2. Ciscohno-you-didnt - [Larry] - Oh no, they did. Yes, default private SSH keys left behind on Unified Communication Domain Manager, world readable. I'm assuming that the SSH key is the same for all devices and is hard-coded, in that if you recover one, you recover the private key for all installed implementations.
  3. Hey, Google, can you "unsend" that - [Larry] - A Goldman Sachs contractor accidentally sent an e-mail with boatloads of sensitive customer data to a Google e-mail address by mistake. Uh huh. Sure, by mistake. Now GS wants Google to "unsend it", or more accurately delete it from the Gmail recipient's mailbox. I see a whole lot wrong here: 1.) why send sensitive info by e-mail as a matter of business process? 2.) the contractor was using whose e-mail server? 3.) where was DLP in any of this?
  4. Backtrack as a Pineapple - [Larry] - Definitely the DIY version without the nice sexy interface, but still a small form factor RasPi.
  5. Hackin' like it is 1980 - [Larry] - By leveraging commands that use wildcards in combination with specifically named and crafted files, it is possible for arbitrary or other commands to be run. This is way old school, but is still likely possible on modern *NIX systems including OS X.
  6. Tor nodes illegal in Austria? - [Larry] - Damn, where is CJR when we need him? A gentleman was running a Tor exit node from his home in Austria and it was used to commit computer crimes. He was arrested, charged and found guilty of being an accomplice. Yikes. This sets all kinds of interesting precedents.
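Larry's "Hackin' like it is 1980" story is about shell scripts that hand a bare `*` to a command, so a file whose name starts with `-` is parsed as an option. The script below is an added example, not code from the show or the linked article: it builds a constructed temp directory, shows the unsafe form, and shows the two standard fixes (a `./` prefix on the glob, or `--` to end option parsing).

```shell
#!/bin/sh
# Added example, not from the show or the linked article. A bare "*" lets a
# crafted filename (here "-n") reach cat's option parser; "./*" or "--" fixes it.
# Everything runs inside a constructed temp directory that the caller removes.

# Constructed fixture: one ordinary file plus one file whose name looks like a flag.
make_fixture() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/a.txt"
    : > "$dir/-n"        # crafted name: looks like cat's "number lines" option
    printf '%s\n' "$dir"
}

# Unsafe: "*" expands to "-n a.txt", so cat numbers the lines of a.txt instead
# of reading "-n" as a file. LC_ALL=C makes the glob sort order deterministic.
unsafe_cat() {
    ( cd "$1" && export LC_ALL=C && cat * )
}

# Fix 1: "./*" expands to "./-n ./a.txt"; no word starts with "-".
safe_cat_dotslash() {
    ( cd "$1" && export LC_ALL=C && cat ./* )
}

# Fix 2: "--" tells cat that every following word is an operand, not an option.
safe_cat_dashdash() {
    ( cd "$1" && export LC_ALL=C && cat -- * )
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    echo "unsafe output:"; unsafe_cat "$d"
    echo "safe output:";   safe_cat_dotslash "$d"
    rm -rf "$d"
fi
```

Run it with `sh script.sh demo` to see the numbered (unsafe) output next to the plain (safe) output; the same `./` and `--` habits apply to `rm`, `chown`, `tar` and any other tool fed a glob in a cron job.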