Episode488

From Paul's Security Weekly
Jump to: navigation, search

Paul's Security Weekly - Episode 488

Recorded: November 3, 2016

Hosts

  • Jeffrey Man - Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon
  • Jack Daniel - Works for Tenable Network Security and is a co-founder of Security BSides.
  • Larry Pesce, Director of Research and Senior Managing Consultant at InGuardians
    • Larry Pesce, Swami of Security, Oracle of the Online and Hotshot Of Hacking
    • Larry Pesce, destroyer of embedded systems and injector of RF energy.
  • Michael Santarcangelo - founder of SecurityCatalyst.com, author of Into the Breach, and creator of the leadership-driven Straight Talk Framework - with our favorite question, "What problem are you trying to solve?"
  • Joff Thyer - SANS Instructor, Penetration Tester and Security Researcher with Black Hills Information Security.
    • Joff Thyer, Geeking out with the best of them. Known to attract multiple waitresses with a single smile and utterance of g'day. Deployer of cocktail recipes in desperate situations. Hacker of many a thing! If it's got code running on it, it can be hacked.
    • Joff Thyer, musician, proud father, and friend to many.
  • Paul Asadoorian - He is probably the coolest guy around, but he won't tell you that. He is the kind of guy you want by your side when fighting off an army of 10,000 pygmies with poison arrows. He can tell you what color your underwear is by looking into your eyes. He can eat a cheeseburger in one bite. Scientists have said that he is so hot, he may be the main reason for global warming. His shit doesn't stink; in fact, it smells like car polish. He was refused entry to the USA because his biceps were classified as weapons of mass destruction. He is in the Guinness Book of World Records for completing the most somersaults in a row (126,253).

Episode Audio

MP3

Announcements

  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.
  • Mention the survey! http://www.securityweekly.com/survey

Interview: David Koplovitz, ProXPN - 6:00-7:00PM

Over twenty years of experience in corporate leadership and management.

Developed agile products, created solutions, integrated systems and deployed technologies for both external and internal client initiatives.

Specialized in startups for the last 15 years with a focus on developing geographically diverse teams that deliver cost effective solutions with excellence.

  1. What are the use cases for ProXPN?
  2. How do you differentiate yourself in the market? (For our audience, why should they choose ProXPN over someone else?
  3. What are the best methods for evaluating VPN products?
  4. How can enterprises use your product?
  5. What are some of the technologies in use on the backend?
  6. Where do you see the VPN market going in 5 years?
  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Technical Segment: Considerations for Using Intel SGX - 7:00PM-7:30PM

Intel SGX is a newer method of implementing trusted computing.

  • You need to develop software that uses Intel SGX, Then this code, and associated data, would be protected during execution, even if an attacker were to gain administrative privs on the box
  • You can only currently write apps in C/C++
  • Everyone accessing the applications would need to run this software and on hardware that supports Intel SGX.
  • This would mean that all systems on the network would need to be about a year old as SGX is only available on Skylake and later processors: https://github.com/ayeks/SGX-hardware
  • You would only get true protection at both ends when every system on the network is running the software and has the SGX supported hardware
  • There are validation methods in SGX, a remote enclave can create a cryptographic report, essentially letting others know that SGX is in use, so we can validate that a financial institution is in fact using SGX
  • Bad news, while SGX enclaves are protected, it's similar to a firewall, they have to let things in an out in order to operate, and it's speculated that this is where attacks will occur
  • More bad news, it's a doubled edged sword, applications used in the business can be protected, however so can malware. Malware can run in an SGX enclave, and essentially lock out the kernel, operating system and any anti-malware products

Sources:

https://www.virusbulletin.com/virusbulletin/2014/01/sgx-good-bad-and-downright-ugly

Security News - 7:30PM-8:30PM

Paul's Stories

  1. This Evil Office Printer Hijacks Your Cellphone Connection
  2. Three hospitals in England cancel operations over computer virus
  3. Cisco says it'll make IoT safe because it owns the network
  4. Ubiquiti all the things: how I finally fixed my dodgy wifi
  5. Its time to regulate baby monitors
  6. How Hackers Can Steal Your Cell Phone Pictures From Your Crock-Pot
  7. Belkins WeMo Gear Can Hack Android Phones
  8. New, fast-spreading IoT botnet hybridizes two less-effective strains to achieve quick dominance
  9. Fixing the communications breakdown between IT security and the board and c-suite
  10. Alarmed by Admiral's data grab? Wait until insurers can see the contents of your fridge
  11. Admiral Insurance to use algorithms to set insurance prices based on customers' Facebook posts
  12. Flipboard on Flipboard
  13. Google security head says Pixel is as secure as the iPhone
  14. Unsecured Internet of Things gadgets get hacked within 40 minutes of being connected to the net
  15. Webcams Used To Attack Twitter And Reddit Recalled
  16. Windows 10 Vulnerability AtomBombing Can Bypass Security Software
  17. Disappearing Messages Added to Signal App
  18. IoT Devices as Proxies for Cybercrime
  19. Telnet, SSH prod of death smashes Cisco broadband boxes offline
  20. How Hackers Plant False Flags to Hide Their Real Identities | Motherboard
  21. Nuclear Power Plant Disrupted by Cyber Attack
  22. JTAG Explained (finally!): Why "IoT" Makers, Software Security Folks, and Device Manufacturers Should Care - Senrio
  23. We're Not Going To Beat Cybercrime In Our Lifetime
  24. MITRE Will Give You $50k To Fingerprint Rogue IoT Devices
  25. IoT Malware Has Apparently Reached Almost All Countries
  26. Sex robots with warm skin to hit dating scene and could benefit relationships
  27. 4 cybersecurity trends you need to be aware of
  28. 4 cybersecurity trends you need to be aware of
  29. Yahoos CISO resigned in 2015 over secret e-mail search tool ordered by feds
  30. Hack Crashes Linux Distros with 48 Characters of Code

Jack's Stories

  1. IoTpocalyspe, but we can't talk about it properly
  2. Mirai tries to knock a country offline
  3. Oh, look, 2016 and vuln disclosure battles.
  4. Another look at this new "vulnerability disclosure" thing
  5. Hack the planet. Or your car, or toaster- legally now.
  6. The death of thought leadership
  7. Microsoft announces the end of life for EMET
  8. Oh hey, Beau Bullock kinda broke Office 365 two factor auth

Joff's Stories

  1. Critical Flaws in MySQL Give Root Access
  2. Mirai Used to DDoS Liberia

Michael's (Santa) Stories