Episode401

From Paul's Security Weekly


Episode Media

MP3

Sponsors

  • Stories of the week is brought to you by Onapsis, the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • And by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard-to-reach places, there's Pwnie Express. Visit them on the web at http://pwnieexpress.com
  • And by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

Announcements

Paul's Security Weekly - Episode 401 for Thursday January 8th, 2015

And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady, it’s Paul’s Security Weekly!

  • This interview is sponsored by Palo Alto Networks, creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
  • And by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.
  • And by Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise Cloud, and engage your IT department in the vulnerability management process today!
  • And by Black Squirrel. Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.

"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, a man who can count to potato but only on his good flipper on Tuesdays, Paul Asadoorian"

  • Security Weekly Announcements:
    • Check out the SteelCon competition. Enter to win a SecurityTube Training course. You must write documentation for an open source project. Details can be found on the website. http://www.steelcon.info/competition/documentation-competition/
    • Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Orlando April 11-18, Austin, TX May 18-23, Baltimore, MD (SANSFIRE) June 13-20, and Berlin, Germany June 22-27

Interview: Reuben Paul

Bio

8-year-old CEO, Cyber Security Ambassador, Keynote Speaker, Hacker, The Kung Fu Kid, The ‘Chairperson’ of InfoSec conferences: these are a few of the titles used to describe Reuben Paul. Reuben is 8 years old today and a 3rd grader at Harmony School of Science in Austin, TX. When asked by his 1st grade teacher to illustrate his future career, he drew a picture showing that he wanted to become a Cyber Spy.

Questions/Topics

  1. How did you get your start in information security?
  2. How did you get started developing your apps?
  3. What is your favorite pastime?

MSN news on Child prodigies around the world > http://www.msn.com/en-in/news/photos/child-prodigies-around-the-world/ss-BBeMBFK

KEYE CBS News, Austin - Austin 3rd Grader Expert on Cyber Security > http://www.keyetv.com/news/features/top-stories/stories/austin-3rd-grader-expert-cyber-security-21666.shtml

Channel 2 News, Houston - 8 year old Reuben Paul gives keynote at Houston Security Conference. > http://www.click2houston.com/news/thirdgrader-gives-keynote-speech-at-houston-security-conference/29199744

Daily News and Analysis (India) newspaper article - 8 year old CEO Reuben Paul is a cyber security expert > http://www.dnaindia.com/india/report-eight-year-old-ceo-reuben-paul-is-a-cyber-security-expert-2035237

The Hindu (India) newspaper article - Eight year old woos Cyber experts > http://www.thehindu.com/news/cities/Delhi/eightyearold-woos-cyber-experts/article6601791.ece

InfoSec Professional Magazine article - Reuben Paul: The Eight-Year-Old CEO wants to “Create a Safe and Secure Cyber World For Kids (and their parents)” > http://prudentgames.com/wp-content/uploads/2014/12/Reuben-Paul-Interview-InfoSec-Professional-Magazine-Dec-2014.pdf

SC Magazine article - And a little child shall secure them: The next generation of CISOs > http://www.scmagazine.com/and-a-little-child-shall-secure-them-the-next-generation-of-cisos/article/385054/

TripWire “The State of Security” Interview - 8 year old CEO proves kids are the future of Cybersecurity > http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/8-year-old-ceo-reuben-paul-proves-that-kids-are-the-future-of-cybersecurity/

NDTV news story - Indian-Origin Whizkid Reuben Paul Lectures on Cyber Security > http://www.ndtv.com/article/diaspora/indian-origin-whizkid-reuben-paul-lectures-on-cyber-security-621139

Quora - Who is Reuben Paul (the 8 year old prodigy and CEO) > http://www.quora.com/Who-is-Reuben-Paul-the-8-year-old-prodigy-and-CEO

Prudent Games CEO - http://prudentgames.com/team/reuben-paul-3/

Fox TV News, Austin - 7 year old earns Black Belt > http://www.myfoxaustin.com/story/23257303/7-year-old-earns-black-belt

Digital Story Telling Competition (DISTCO) 2014 Winner for video biography “The Kung Fu Kid” > http://www.youtube.com/watch?v=B13icCFqUGg

Five Questions

  1. If you had super powers, what would they be?
  2. If you were a Star Trek® [or Star Wars® ] character, which one would it be?
  3. Three words to describe yourself.
  4. Pick two celebrities to be your parents.
  5. What song best describes your life?

Stories

Paul's Stories

  1. Attack Attribution in Cyberspace - https://www.schneier.com/blog/archives/2015/01/attack_attribut.html
  2. Internet of Things is a threat to privacy
  3. Thieves Jackpot ATMs With ‘Black Box’ Attack
  4. Thunderstrike shocks OS X with firmware bootkit
  5. ‘Self-XSS’ flaw found in Microsoft Dynamics CRM
  6. OpenSSL Fixes Eight Security Vulnerabilities
  7. Anybody can take North Korea offline
  8. IoT Security: How to Protect Applications on the Edge
  9. The Elephant in the Room is Compliance
  10. Best Defense Against a Cyber-Attack Is to Know Your Adversary
  11. Home Wi-Fi security's just as good as '90s PC security! Wait
  12. Poll: The Perimeter Has Shattered!
  13. How To Become a CISO: Top Tips
  14. 5 ways to prepare for Internet of things security threats

Larry's Stories

  1. Keurig DRM - [Larry] - Yeah, so much fail. OK, let’s not argue about the quality of Keurig coffee, but about the quality of the DRM to prevent third-party K-cups. Discuss: Patent, licensing, etc.
  2. XFINITY WIFI - [Larry] - All sorts of fail here. Comcast gets to allegedly take over your router…by enabling a free Wi-Fi AP for all customers. They get to use your bandwidth. That you pay for. And you can’t shut it off. Also real great for messing with open Wi-Fi...
  3. DEAUTH AGAIN? - [Larry] - Yeah, remember the whole fiasco with Marriott deauthing MiFis? Yeah, now they plan on doing this across the board. Uhhh, WAT? Yeah, they have petitioned the FCC to permit this. From the article: "Marriott is asking, therefore, for a unique right: the right to police spectrum privately based on property rights. As Cisco put it in its comment, ‘Wi-Fi operators may not “deputize” themselves to police the Part 15 radio frequency environment.’ but ‘[Eric Pederson] live[s] in a high-rise apartment building in New York City. I typically see 20-plus of my neighbors’ SSIDs. Yet somehow my Wi-Fi works just fine.’"
  4. USBDriveby - [Larry] - USBDriveby on a Teensy with Teensyterpreter. We’ve talked about the Teensy before (and no, not just Paul’s manhood), as an embedded device that you can have act as a USB HID device. This one targets OS X, by changing the hosts file without the need for a password, then netcat outbound. On Windows, PowerShell FTW.
  5. MoonPig - [Larry] - Wow. The initial issue with hardcoded credentials used with the API in the MoonPig app was disclosed in mid-2013. Changing the customer ID in the API requests revealed info for each user, including name, address and CC info (at least only the last 4…). MoonPig said it was not an issue, due to legacy code, and would fix it soon. Almost 18 months later it is still an issue, and now MoonPig has disabled the API and app. Geez, why does public shaming need to be used?
  6. I know, more SONY - [Larry] - So, SONY claims that the massive hack won’t incur any financial hit. The sad part is, they are probably correct, hence why in some cases the argument for improved security isn’t going to fly. Why do I need to secure this if there is no negative financial impact?

Joff's random verbal emissions

While all of my excellent colleagues have worked so hard on stories, I will admit that I am still suffering from a SecWeekly #400 hangover. In particular, I would remind our users that teaching your laptop to drink cocktails generally results in a frustrating computing experience later in the evening. In addition, there is a distinct possibility that you will let the smoke out. Happy New Year, listeners!

Jack's stories of wonder

  1. Oh Microsoft, what the... Advanced Notification Service (ANS) is "evolving" (pretty much going away). That's great, because there are never any problems with MS patches.
  2. Microsoft update blunders are going out of control. Like this one and this one.
  3. Google takes legal action against Mississippi State Attorney General for going in the tank for the MPAA
  4. Cyberattack on German Iron Plant Causes ‘Widespread Damage’ and Kim Zetter has this update on the story.
  5. Google, Microsoft throw weight in fight against Marriott Wi-Fi blocking request
  6. U.S. uses trade agreement talks to seek breach investigation immunity for American companies
  7. Senator Warns of DHS Struggle with Cyber Security and maybe not coincidentally DHS releases the wrong FOIA-requested documents, exposing infrastructure vulnerabilities
  8. That's Security 101? Great, show me your 101 list.
  9. The EFF is worried as Stingrays Go Mainstream and Senators question FBI’s legal reasoning behind cell-tower spoofing
  10. Bypassing OpenSSL Certificate Pinning in iOS Apps. Good stuff from Matasano.