Paul's Security Weekly - Episode 384 for Thursday August 21th, 2014
And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady its Paul’s Security Weekly!
- This segment is sponsored by Palo Alto Networks creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
- and by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."
"Here's your host, a man who covers his butthole and makes sure his fly is up when Dave Kennedy is in the house..., Paul Asadoorian!"
- Announcement - The PVS contest from Tenable! Register Here to enter a contest and win an AR Drone! You must use the PVS to find something cool, details on the registration page.
- Announcement - Join Paul Asadoorian for an awesome webcast titled 5 Things You’re Not Doing With Your Vulnerability Scanner. I promise to keep it real, have ridiculous pictures in the presentation, and show you how to stay regular, with your vulnerability scanner of course!
- Security Weekly Updates:
- SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here.
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses at SANS Las Vegas from October 20-25th.
- You can purchase Hack Naked T-Shirts online via http://shop.securityweekly.com get yours today!
- Attend the show live if you are in the RI area, check http://securityweekly.com/attend for details
Interview: Sarah Edwards
Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at the following industry conferences; Shmoocon, CEIC, Bsides*, Defcon, TechnoSecurity, HTCIA and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the new SANS Mac Forensic Analysis Course - FOR518.
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- If you could have dinner with one celebrity, who would it be?
Eleven more questions to ask at random:
- If you had super powers, what would they be?
- A penguin walks through that door right now wearing a sombrero. What does he say and why is he here?
- If we came to your house for dinner, what would you prepare for us?
- Pick two celebrities to be your parents.
- What do you think about when you are alone in your car?
- What song best describes your life?
- If you were a Star Trek® [or Star Wars® ] character, which one would it be?
- If you were 80 years old, what would you tell your children?
- What is the record amount of time you have gone without a shower?
- What is the geekiest thing you've ever done/created/bought/said?
- If you could have 5 items fully stocked in your fridge at all times, what would they be?
- This segment is brought to you by Tenable Network Security, the creators of Nessus, the worlds best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise cloud, engage your IT department in the vulnerability management process today!
- Also by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
Dave Kennedy, Guest Apparence
David Kennedy is the President / CEO of TrustedSec, LLC. David is considered a thought leader in the security field and has presented at many conferences worldwide. David has had guest appearances on FoxNews, BBC, and other high-profile media outlets.
- Stories of the week is sponsored by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
- Also by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
- "Retired US airport body scanners fail to spot guns
- Security of 'Things'
- Researchers find it’s terrifyingly easy to hack traffic lights | Ars Technica
- UPS Admits 51 Stores Hit With Malware For Five Months
- "BuildItSecure.ly - Securing the ""Internet of Things""
- Internet Of Things Security Reaches Tipping Point
- Why you need to do less if you want better security
- Queercon badge writeup - [Larry] - Yes, I totally geek out about the badges more then I should, and the Queercon one was no exception, even though I didn’t get one. I love seeing the hard work and design that goes into them, as well as the game design/social aspect. I will say, the best game badge concept I’ve ever seen was the QuahogCon badge.
- Hacking traffic lights - [Larry] - yes, that time for the Die Hard moment is here. Yep, “WiFi”, with no encryption and no authentication. Now a “non-standard” implementation - 900Mhz WiFi, which can still be had. That was the only barrier to entry… butlook no further…
- SDR tutorials - [Larry] - Mike Ossman promised a video series on SDR tutorials if his HackRF One kickstarter did well. It did, and here is where you can start finding the videos….
- Heartbleed and CHS - [Larry] - OH, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE, DAVE!
- SDR Soundup - [Larry] - A good overview, but I think maybe a little too harsh on the HackRF One.
- RFIDler - [Larry] - I got mine at DEF CON, did you? Well, it is a new RFID hacking platform that is inexpensive and brought to you by folks that also brought you RFIDiot, and my implant cloning on stage at Shmoocon.
- Malware no longer avoids virtual machines - [Larry] - Makes sense, especially based on how many systems are being virtualized that attackers want to control.
- White House cybersecurity czar brags about his lack of technical expertise. In a recent interview with GovInfoSecurity, he argued that his lack of technical expertise gave him an advantage in doing that job. I feel better, how about you?
- The Onion summarizes InfoSec better than we can
- UPS, malware, stuff. Who would have thought places which use random USB drives as part of their biz model would get owned?
- Dear Microsoft, please stop with the crappy updates. Some of us are trying to convice people to patch their shit, and you aren't helping.
- Interesting Android encryption ideas from the smart kids at Georgia Tech.
- That sexy Dave Kennedy dude talks about why you should patch your shit. I'm so glad there has been no silly hype around this.