Episode425

From Paul's Security Weekly
Jump to: navigation, search


Paul's Security Weekly - Episode 425 - 6:00PM

Episode Media

MP3

Intro, Sponsors & Announcements

Paul

[Cut to Paul Live Shot]

This week Vulnerability Scanning with Shay Chen. All that and more so stay tuned!

[Cut to Jack Live shot]

Jack

Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren’t the only things getting sniffed, and the cocktails flow steady its Paul’s Security Weekly!

[Cut to sponsor logo]

  • And by Netsparker, the developers of the ONLY false positive free web application security scanners, enabling you to automatically identify vulnerabilities and security flaws in all your websites, web applications and web services. Netsparker scanners are available in two editions, Netsparker Desktop and Netsparker Cloud, the enterprise level online scanning service. For more information visit their website on https//www.netsparker.com/securityweekly/
  • Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/

[Cut to security weekly logo]

Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet...

[Cut to live shot of Paul]

Larry: Here's your host, who's been voted one of the finest minds in West Warwick, RI, which is a lot like being named to the ten best-dressed list in Russia, its Paul Asadoorian!"

Paul: Hello everyone and welcome to Paul's Security Weekly - Episode 425 for Thursday July 2nd, 2015

  • Introduce hosts and guests

Announcements

[Cut to Announcement graphics]

  • Ready to learn Combat Firmware Analysis? Register for Paul's Blackhat course "Embedded Device Security Assessments", a 2-day hosted class at Blackhat Las Vegas. Registration includes breakfast, lunch, and access to the Blackhat Briefings Business Hall, Sponsor Workshops, Sponsor Sessions, and Arsenal! Visit http://securityweekly.com/iot to register today!


EmbedVideo received the bad id "tV-b56O4pLo"" for the service "youtube".

[Cut to shot on Paul]

Guest Interview: Shay Chen - 6:05PM-6:55PM

Bio

Shay Chen is an information security Analyst, Researcher, Consultant and Speaker. He is also a prominent blogger, and in addition to the occasional attack vector publication, currently focuses on publishing frameworks, evaluations and comparisons of information security products.

Links

Questions/Topics

  1. How did you get your start in information security?

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Discussion: Top Ten Reasons to Get Into Information Security- 7:00PM-7:20PM

Sponsored by Tenable Network Security, with currently 60+ openings in engineering! Some details:

  • Vulnerability researchers, requires strong sys admin and scripting skills
  • Compliance researchers, aka audit file and plugin writers, knowledge of federal and industry-specific standards
  • Reverse Engineering has one opening, working with LOTS of different technologies
  • C and C++ SW engineers – especially if you have experience with packet capture, socket programming and protocol development
  • And you can’t build all this great stuff without QA engineers – we like our QA teams to know a little about security. Great for a sys or network admin who wants to move over to the software side. Most require some automation experience.
  • Positions for SW Engineers and Web Application Devs who dig security:
  • Web Backend developers who know about ElasticSearch, data modeling and analytics, as well as Cloud/Amazon Web Services – extra points if you know the Go programming language.
  • User Interface developers who know Javascript, but also have experience building dashboards.
  • Software Engineers who can build enterprise applications using PHP.
  • EVERYTHING REQUIRES STRONG LINUX EXPERIENCE!!!
  1. For the fame and glory
  2. You can apply (or learn) a diverse technical skillset
  3. There are plenty of jobs
  4. Emerging industries always need help with security
  5. You will never be bored
  6. You get to break things
  7. You can love hardware, software, or both
  8. You will get to, most likely have to, create things
  9. You can help define standards as we are still a relatively young industry
  10. There is lots of opportunity to create your own startup in security

Bonus: The pay is good....great? better than average? statistic anyone?

Stories of the Week - 7:30PM-8:00PM

[Play music, Cut to sponsor logo, THEN START RECORDING]

Sponsors

  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!
  • This segment is sponsored by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com

Announcements

[Cut to announcement Graphics] Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Las Vegas, NV, September 14-19, and lots more places so be certain to check the SANS web site for more course offerings!

[End Music]

Paul's Stories

  1. "Amazon just wrote a TLS crypto library in only 6
  2. Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks
  3. Adobe patches zero-day Flash Player flaw used in targeted attacks
  4. Default SSH Key Found In Many Cisco Appliances
  5. "Hundreds of Dark Web sites cloned and ""booby trapped"""
  6. "Apple lets rip with update spate: OS X
  7. "TV's newest hacker drama ""Mr. Robot"" is technically sound
  8. Windows 10 Wi-Fi Sense feature shares your Wi-Fi network with your friends
  9. CyberUL is a dumb idea

Jack's Stories

  1. A dissertation on An Evaluation of the Effectiveness of EMET 5.1 sadly notable for this quote: "Some pages are missing or have images blacked out due to the Wassenaar Arrangement..."
  2. Following up from a prior conversation on Macs, malware, and market share an older post from Haroon Meer at Sensepost.
  3. Tan comments on some of the detractors of the "CyberUL" sixteen and a half years after his original paper proposing the idea, especially those who haven't actually read everything. I'd love a Steel Cage Death Match on this between Rob and Tan, and unusually, my money wouldn't be on Rob.
  4. Cisco is buying OpenDNS for $635 million, adding to their growing security portfolio.
  5. Sen. Charles Grassley (R-Iowa) has sent a letter to FBI Director James Comey asking for “more specific information about the FBI’s current use of spyware”.

Michael's Stories

  1. Famed Security Researcher Mudge Leaves Google --> a CyberUL | worth paying attention to?
  2. CyberUL is a dumb idea --> Robert Graham weighs in
  3. David Cameron is going to try and ban encryption in Britain --> Wait. What?