Paul's Security Weekly - Episode 390 for Thursday October 9th, 2014
And now, from the dark corners of the Internet, where exploits run wild, packets aren't the only things getting sniffed, and the beer flows steady, it's Paul's Security Weekly!
- This segment is sponsored by Palo Alto Networks, creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
- and by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.
"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."
"Here's your host, a man who loves the lumps, the lady lumps, Paul Asadoorian"
- Announcement - The PVS contest from Tenable! Register Here to enter a contest and win an AR Drone! You must use the PVS to find something cool; details are on the registration page.
- Security Weekly Updates:
- SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which will teach students how to assess embedded systems of all varieties on pen tests and in their duties as security professionals. Register Here.
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses at SANS Las Vegas from October 20-25th.
Interview: Joe Vest and Ben Clark
Joe and Ben join us this week to talk about the Red Team Field Manual, available on Amazon.
Joe Vest has worked in the IT industry for over 15 years and has focused on application security, penetration testing and red teaming since 2008. Currently he works for Millennium Inc. as a red team operator. Like many others in the security industry, he has many letters behind his name: OSCP, CISSP-ISSMP, CISA, GPEN, GCIH, GWAPT, CEH, Security+. Joe does cyber and lots of it.
Ben Clark has been in the information security space for over 10 years. He is currently the Director of Cyber/IT at Millennium Corp. where he is responsible for executing red team engagements for commercial and government clients. He is the author of the RTFM - Red Team Field Manual, which has spent the better part of 8 months as the #1 Best Selling Security and Encryption book on Amazon.
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of ass grabby grabby do you prefer to go first or second?
- Pick two celebrities to be your parents.
- Stories of the week is sponsored by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
- Black Hills Information Security, the leaders in penetration testing and active defense. Email email@example.com to request a quote today!
- Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
- Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
- Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise cloud, and engage your IT department in the vulnerability management process today!
- Marriott fined $600K for jamming wifi - Settled, didn't go to court. Why? They did rogue AP containment on MiFi devices…the ones not connected to their networks. Yeah, not cool.
- 6-month scan of Heartbleed - Robert Graham FTW. Now there is lots of interesting discussion on this one. To quote Twitchy, "Slut shaming, fat shaming, now security researcher shaming"
- BADUSB attack code public - We are all technically screwed.
- Staff say companies vulnerable - Yes, and then they get compromised…then the employees say "We told you so, and you chose not to act". Interesting reasons why it happened from internal sources...
- PoisonPI - Hey, this guy hacks wireless networks via the postal service…Oh, wait, that's me! That said, I'm looking to have an off-the-record conversation with someone from the postal service, UPS and FedEx about how packages are examined in transit, purely for hypothetical research purposes.
- ARRL website hacked - American Radio Relay League…who wants to hack nerds and their ham radio contacts, when all of it is, for the most part, a matter of public record?
Jack's Stories of Joy and Wonder
- The Shoulders of InfoSec Project is a new project that Jack started to aggregate info about foundational figures in information security. This is a work in progress, there's an intro blog post at http://blog.shouldersofinfosec.org/, additional info is being added as contributions come in and time permits.
- Mass. Maritime website hacked by apparent Islamic extremist group. Really? Picking on regional maritime schools? Damn, everyone is a target, eh?
- America Must End Its Paranoid War on Hackers. Challenging article at WIRED.
- A.G. Schneiderman Announces Settlement With Firm That Processed Payments For Fraudulent Id Theft Protection Company - Commit fraud, get caught, pay everyone back everything, get shut down. Let's see more of these stories.
- Several great password security papers (and a lot of other stuff) from Cormac Herley of Microsoft Research