Episode409

From Paul's Security Weekly


Episode Media

MP3

Announcements

Paul's Security Weekly - Episode 409 for Thursday March 12th, 2015

And now, from the dark corners of the Internet, where exploits run wild, packets aren't the only things getting sniffed, and the beer flows steady, it's Paul's Security Weekly!

  • This interview is sponsored by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com
  • And by Black Squirrel. Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.

"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, a man who looks very much like Jesse Pinkman, bitch. Paul Asadoorian"

  • Security Weekly Announcements:
    • Cold weather got you down? Warm up to Embedded Device Security Assessments, a 2-day hosted class at the SANS ICS Summit on February 25-26th. Security Weekly listeners receive a 10% discount when using the code SECWEEK10. Register Here Today!
    • Larry is teaching SANS 617 Wireless Ethical Hacking and Defense, coming up in Orlando April 11-18; Austin, TX May 18-23; Baltimore, MD (SANSFIRE) June 13-20; and Berlin, Germany June 22-27.
    • Security Weekly listeners also receive 10% off products in our store with discount code 'IHACKNAKED'

Guest Interview: Keren Elazari



Bio

Keren Elazari is an internationally recognized cyber security expert. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Big 4 and Fortune 500 companies. Keren holds a CISSP security certification and a BA in History and Philosophy, and is currently a senior research fellow with the Tel Aviv University Science, Security & Technology workshop. In 2012, Keren held the position of Security Teaching Fellow at Singularity University, a private think tank founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren has been an industry analyst, covering emerging security trends for GIGAOM research, a leading media hub in California. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious annual TED conference. Keren's TED talk has been viewed by 1.4 million people, translated into more than 24 languages, and selected for TED's 'Most Powerful Ideas' and Inc.com 'Top 10 TED Talks'.

Questions/Topics

  1. How did you get your start in information security?
  2. What does the word hacker mean to you? How do you define it?
  3. Why does the world need hackers?
  4. Hackers have powers, how do we encourage people to use them responsibly and ethically?
  5. Full disclosure, in some cases, forces companies to fix problems they would otherwise ignore, but it still breaks the law. How do we overcome this problem?
  6. Many will put down Anonymous as being criminals, script kiddies, and the like, but what is the value of groups like Anonymous in policing the Internet?
  7. Is there a standard definition for "security researcher?"
  8. Seems like a lot of people claim the mantle. Should they? What qualifies someone as a security researcher? What standard should we hold researchers to?
  9. What other industries have free-lance 'researchers' operating on live subjects? What can we learn from them?
  10. Is there a distinction between 'hacker' and 'security researcher?'
  11. How is a 'security researcher' different than a QA tester?
  12. Do bug bounty programs promote or harm the nascent field of 'security research?'
  13. Do we really need to incentivize hackers to 'do the right thing?' Otherwise, aren't they criminals?

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. If you could have super powers, what would they be?
  5. Pick two celebrities to be your parents.


Links

TED Talk

Vote for Keren's RSA Talk here!

Stories


Sponsors

  • Stories of the Week is brought to you by Onapsis, the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • And by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

Carlos's Stories

Paul's Stories

  1. Identifying When Someone Is Operating a Computer Remotely
  2. Full Disclosure: PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
  3. No Wireshark? No TCPDump? No Problem! - SANS Internet Storm Center
  4. Tool Release – Digital Bond CANBus-Utils « Digital Bond's SCADA Security Portal
  5. DanMcInerney/net-creds · GitHub
  6. Anatomy of a Hack
  7. Apartment complex threatens residents with $10k fines for negative online reviews
  8. Patch Tuesday patches FREAK
  9. CIA spent last 10 years cracking Apple’s encryption
  10. What we know about security features on the Apple Watch
  11. Panda antivirus labels itself as malware
  12. Mattel urged to scrap Wi-Fi mic Barbie after Register investigation
  13. Panda antivirus mistakenly flags itself as malware
  14. Ford
  15. How To Keep Your Smart Home Safe
  16. Some notes on DRAM (#rowhammer)
  17. Latest WordPress bug highlights importance of securing the supply chain

Larry's Stories

  1. Rowhammer - Damn, just damn.
  2. Mandarin Oriental CC Breach - This caught my eye, as I have used my credit card there relatively recently - they make fantastic craft cocktails at the bar in Vegas. Looks like it was perpetrated by malware that evaded anti-virus. /me snickers. Now the interesting thing here is "Technology journalist Brian Krebs reported on Wednesday that he contacted the hotel group after financial industry sources identified a pattern of fraudulent charges on payment cards, all of which had been used recently at Mandarin hotels." Wait, so Krebs is getting leaked insider information?
  3. Killer USB - This reminds me of the BoFH. So, instead of deploying malware, this one destroys the laptop by dropping 100V into the USB data lines. Hey, who let out the magic smoke?
  4. Podec, the captcha-busting trojan - Damn, the evolution of captcha busting is here apparently, and this one is terribly effective. It's also neat in that it is some of the next-generation mobile malware.
  5. Geotagging One Hundred Million Twitter Accounts with Total Variation Minimization - This was some of the stuff that @innismir and I postulated towards the end of our Twitter metadata research - being able to find your location by analyzing the data of your friends. Yet another one that blows my mind this week.

Joff's stories of his teenage mates of past days

  1. Yet another WordPress vulnerability
  2. The killing USB stick

Jack's Shameless Self Promotion and maybe some stories

There are BSides everywhere. CFPs are open, tickets available, magic is happening.

  1. Need a bullshit sanitizing font? Here it is.
  2. A real power grid haxor pleads guilty
  3. From 2007 to 2015, a cyberwarfare tale on nuclear matters to “prevent” WW III via Matt Suiche
  4. Lethal USB thumbdrive? Yes, please. Introducing the USB Killer
  5. "Quantum computers have failed. So now for the science" - Normally I would dismiss this, as folks like Brian Snow have convinced me that it is a real threat to crypto. BUT, when Ross Anderson talks crypto I listen - and you should too.
  6. Rob Graham and rational talk on Rowhammer
  7. A blog post Against DNSSEC from Thomas Ptacek
  8. While you are at sockpuppet.org, check out the recipe for The Final Ward, Thomas' variant of The Final Word.
  9. Volkswagen shuns the cloud over data protection worries.