Episode 501

From Paul's Security Weekly

Paul's Security Weekly - Episode 501

Episode Audio

Coming Soon

Recorded February 16, 2017

Hosts

  • Jeffrey Man - Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon
  • Jack Daniel - Works for Tenable Network Security and is a co-founder of Security BSides.
  • Larry Pesce, Director of Research and Senior Managing Consultant at InGuardians
    • Larry Pesce, Swami of Security, Oracle of the Online and Hotshot Of Hacking
    • Larry Pesce, destroyer of embedded systems and injector of RF energy.
  • Michael Santarcangelo - founder of SecurityCatalyst.com, author of Into the Breach, and creator of the leadership-driven Straight Talk Framework - with our favorite question, "What problem are you trying to solve?"
  • Joff Thyer - SANS Instructor, Penetration Tester and Security Researcher with Black Hills Information Security.
    • Joff Thyer, Geeking out with the best of them. Known to attract multiple waitresses with a single smile and utterance of g'day. Deployer of cocktail recipes in desperate situations. Hacker of many a thing! If it's got code running on it, it can be hacked.
    • Joff Thyer, musician, proud father, and friend to many.
  • Paul Asadoorian - He is a male who is extremely charming in manner because of his gentlemanly behavior. He has good looks and thinks that women are better than men. He also has a high pain tolerance and likes it kinky.

Announcements

  • ITPro.TV courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, Penetration Testing, Ethical Hacking v9. ITProTV is introducing a new membership level soon. All current Premium Members will be granted the highest membership level available, so sign up today! Visit itpro.tv/securityweekly and use code SW30.
  • InfoSecWorld - Your 10% off discount code to promote to your members is OS17-SW. This will give them 10% off the main conference or the World Pass.
  • SCADA Security has always been, and continues to be, a hot topic in our industry. Our sponsor Waterfall Security is offering a free book for the first 100 listeners to register titled "SCADA Security: What's Broken and How To Fix It" by Andrew Ginter, Waterfall's VP of Industrial Security. Visit http://securityweekly.com/scada to get your free copy today!
  • Attend the InfoSecWorld conference on April 3-5 in Orlando, Florida, with tons of great talks. Security Weekly listeners get 10% off by using the code OS17-SW. Find out more at infosecworld.misti.com
  • Attend SOURCE Boston on April 24-27 for training and awesome talks! Use the code SECURITYWEEKLY for $100 off either a conference ticket or one of the trainings. Find out more at sourceconference.com

Interview: David Conrad: ICANN's Role in DNS - 6:00PM-7:00PM

David Conrad is a long-time and active participant in Internet infrastructure, development, and operations. As the CTO of ICANN, David is at the heart of the organization's mission to help maintain the security, resiliency and stability of the global Internet. Prior to being named CTO, David held several different positions at ICANN, including Vice President of Infrastructure & Technology. Before joining ICANN, he helped found several Internet startups, including Nominum, a firm focused on Internet name and address management products and services, and Internet Engines, a startup aimed at providing products and services for software relating to the Internet Systems Consortium.

Tech Segment: Slipping Executables Past Firewalls with Carrie Roberts, Black Hills InfoSec - 7:00-7:30PM

Carrie joined Black Hills InfoSec after working for HP's Global Cyber Security group, where she worked as a network penetration tester. Prior to that position, she was a web application developer and an application developer for PCs and mobile devices. Carrie frequently presents at numerous InfoSec conferences.

Carrie's Full Blog Post on this topic can be found here

Security News - 7:30-8:30PM

Paul's Stories

  1. The More Infosec Changes, the More it Stays the Same - Preach it brother! Authentication is killing us, vendors are still putting out software/hardware with no security, vendors are making laughable claims, organizations are not fixing stuff.
  2. Microsoft February Patch Tuesday Now Rolled into March Update, (Thu, Feb 16th) - Oh, BTW, we're just gonna go ahead and skip Feb 2017 patch Tuesday, k, thx, bye <3 MS. WTF!
  3. RSA 2017: Microsoft Word Intruders step outside Office for the first time - And they are switching back to Flash!
  4. Retailers push back against plans to boost security of online shopping - And let the password debate begin: There will be some lost sales as we saw when we implemented the Verified by Visa/MasterCard SecureCard [scheme]. Not because people are put off, but because people forget their password and simply can’t complete the purchase.
  5. Duqu Malware Techniques Used by Cybercriminals - Meterpreter, Mimikatz and PowerShell. For the defenders out there, this should not be a secret.
  6. Schneier Brings Campaign for IoT Regulation to RSA - Not sure I agree completely with this approach: Schneier believes that by getting technologists involved in policy it could create a viable career path, like public interest attorneys. It would also stop policy writers and security experts from talking past each other, a la last year’s Apple vs. FBI saga.
  7. No Firewalls, No Problem for Google - This is awesome: The solution was to flip the problem on its head and treat every network as untrusted, and grant access to services based on what was known about users and their device. All access to services, Adkins said, must then be authenticated, authorized and on encrypted connections.
  8. Cris Thomas on Cyberwar Rhetoric
  9. How to Run a Database Vulnerability Scan with Scuba
  10. Researchers Discover Over 170 Million Exposed IoT Devices
  11. HP Hires Christian Slater To Hack Companies For Fun
  12. Xen Project Asks To Limit Security Vulnerability Advisories
  13. New ASLR-busting JavaScript is about to make drive-by exploits much nastier