SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 272 for Thursday January 5th, 2012.
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez.
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing and Defenses 5 times this year (discount code may be in our future).
- Subscribe to our only non-computer security related show, dedicated to cigar enthusiasts: Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".
- Information Security Career Study: a new survey on attitudes about careers in information security.
- Don't forget to read our blog, participate on our mailing list, visit PaulDotCom Insider, follow us on Twitter, join the IRC channel at irc.freenode.net #pauldotcom, watch our videos and add us on Facebook where we can be "friends".
Guest Interview: Bruce Schneier
6:00 PM ET
We are extremely pleased to welcome Bruce Schneier to the show! Bruce is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. Bruce has authored several books, including "Beyond Fear", "Secrets & Lies", and of course "Applied Cryptography" (a signed copy of which sits on my own bookshelf as one of my most prized possessions). Bruce is on the show to give us a glimpse into his upcoming book Liars and Outliers: Enabling the Trust that Society Needs to Thrive.
When people want to know how security really works, they turn to Bruce Schneier. And when God needs a new secure certificate, he uses Bruce Schneier as the signing authority. Welcome Bruce!
- How did you get your start in information security?
- How has privacy been impacted by technology in the past 20 years? Was privacy always dead, or did we kill it even more with technology?
- What is the relationship between trust and risk? Is it as simple as an inverse relationship?
- It's well known that in both information and physical security people respond to fear and "security theater". We see it all the time as we pass through airports or talk to executives. Why is it that people feel secure when they really are not?
- What can we do to change people's perception of security beyond "feeling secure"?
- What can we do to manage people's perception of risk? For example, our family and friends put their information on Facebook, companies tend to not put enough investment in security, etc.
- Do you believe that security will fall under public health? For example, states require that you wear your seatbelt, wear a helmet when you ride a motorcycle, and not smoke in public places. Will we see something that requires people to run anti-virus software? Do computers need to come with warning labels, or pictures of viruses infecting computers?
- On a federal level, do you believe the Government should regulate and/or enforce secure coding practices?
Liars and Outliers
- Tell us about the book - what was your goal in writing it?
- Break down what you mean by 'scope of defection' and its relation to trust in society.
- Do you think trust between groups (if we could somehow measure it as a resource), will deteriorate the more the world becomes interconnected, or become stronger as the internet brings people closer to one another?
- Recently several organizations have suffered major security breaches, including HBGary, RSA, Sony, and Stratfor. What should organizations be learning from these breaches?
- Looking forward, what security trends, offensive or defensive, scare you the most?
- On the flip side, what trends, if any, in information security give you the most hope?
- Many people believe that if they are using crypto, they are secure. What do you say to those people?
- Does the Comodo breach point to a much larger problem in the way we implement crypto in things like SSL?
- What will the future of cryptography bring? I think many people believe we are working towards "unbreakable" codes, are there really such things?
- Why Squid blogging?
- You seem to take the "Bruce Schneier" phenomenon in stride: the comparisons to Chuck Norris, T-shirts, countless images. What is your favorite Bruce parody?
Guest Technical Segment: Robin "Digininja" Wood
DigiNinja is a senior security engineer based in the UK and is the creator of many well-known open source security projects including Jasager, the Interceptor, KreiosC2, CeWL and the Metasploit DNS and DHCP Exhaustion modules. He's on tonight to discuss his latest project, ZoneTransfer.me.
- Stratfor Passwords - [Larry] - yep, leaked. All 860,000 of them, in MD5 hashes. Good way to test your GPU cracking rig. But on another note, some analysis reveals the same old weak stuff that we see over and over. I like the tone of this article, in that for those free, throwaway accounts for a site you'll likely use the free portion of the service once, who freaking cares.
- WPS fail - [Larry] - in a few days, what had been a time consuming attack has turned into a quick one that can be used to recalculate the WPA password. So, instead of having to brute force all 100 million 8 digit WPS pins, we only need to do 11,000 (which takes about 4 hours), based on the fact that the protocol tells you which half of the key is wrong. Now we get to crack two 4 digit pins. No lockout. Once the 8 digit pin has been cracked, it can be reused to reveal the actual WPA password… And, it may not even be possible to disable WPS, or not disable it accurately.
- Patator - [Larry] - Sick of having multiple tools to do scanning and password bruteforcing that don't work, issue false negatives, or aren't multi-threaded? Enter Patator!
- Authentication bypass? - [Larry] - I find some parts of this vulnerability announcement in Siemens SIMATIC products laughable. While there is some truth to the "authentication bypass" based on the weak/predictable session cookies, default username and password? That's not a bypass, that IS authentication.
- Now that's two factor authentication - [Larry] - Scientists are figuring out ways to use the way you sit to uniquely identify you, i.e. a butt print. I always knew that Homer Simpson was right when the carny ruined his sofa ass groove.
- Oooh, telnet - [Larry] - Nobody uses telnet anymore
- STRATFOR passwords story and A very different take - an awesome rant from Nick Selby about blaming the victim.
- IE 6 Market share below 1% A moment of silence for the (near) death of Internet Explorer 6. Or not, because I don't believe it.
- ONE MILLION websites infected!!!1!1 and no one cares anymore.
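To put numbers on the WPS item above, here is an added example (not from the show, and not code from any WPS tool) that implements the WPS PIN check digit from the Wi-Fi Alliance spec and counts worst-case guesses with and without the half-by-half confirmation the protocol leaks. The check digit rule is an assumption the notes do not mention; it is why the honest full keyspace is 10^7 rather than the 100 million quoted, and the split-halves count is the 11,000 the notes cite.

```python
# Added example: quantify the WPS PIN exposure so the "disable WPS" advice
# can be justified with numbers. Assumes the WPS spec's check digit rule:
# the 8th digit is a checksum over the first 7 (odd positions weighted 3).

def wps_checksum(first7: str) -> int:
    """Return the check digit the spec appends to a 7-digit PIN body."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = 0
    for i, ch in enumerate(first7):
        d = int(ch)
        acc += 3 * d if i % 2 == 0 else d   # 1st, 3rd, 5th, 7th digits weighted 3
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries a correct check digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def worst_case_guesses(halves_confirmed_separately: bool) -> int:
    """Guesses needed to exhaust the PIN space.

    Without the leak: every valid 8-digit PIN, i.e. 10^7 (the check digit is
    fixed by the first seven). With the leak the registrar reports whether the
    first 4 digits were right before the rest is checked, so the two halves are
    searched independently: 10^4 for the first half, then 10^3 for the second
    (its last digit is the checksum, so only three are free).
    """
    if halves_confirmed_separately:
        return 10 ** 4 + 10 ** 3
    return 10 ** 7


def exposure_report() -> dict:
    """Summary a defender can drop into a risk note for an AP with WPS on."""
    full = worst_case_guesses(False)
    split = worst_case_guesses(True)
    return {"full_keyspace": full, "split_keyspace": split,
            "reduction_factor": full // split}


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))   # constructed sample PIN
    print(exposure_report())
```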