Episode411

From Paul's Security Weekly
Jump to: navigation, search


Episode Media

MP3

Announcements

Paul's Security Weekly - Episode 411 for Thursday March 26th, 2015

And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady its Paul’s Security Weekly!

  • This episode is sponsored by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
  • And by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!
  • Sponsored by Black Squirrel. Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.


"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, a man who is giving Jack a run for his money with the beard (now if he could only transplant it to the top!) Paul Asadoorian"

  • Security Weekly Announcements:
    • Come to Embedded Device Security Assessments, a 2-day hosted class at the Blackhat Las Vegas on August 1-2 and 3-4 Register Here Today!
    • Security Weekly listeners also receive 10% off products in our store with discount code 'IHACKNAKED'
    • Security B-sides Orlando is a community driven event seeking to bring together anyone with a passion for making, breaking, or protecting. We welcome newbies and experts and anyone in between. Even if you don’t work in information security, you will be sure to find topics of interest. Please join us on April 11th and 12th in Orlando, Florida, for the 3rd Annual Security B-Sides Orlando Conference.
    • SOURCE Boston - early bird pricing of $349 is extended to March 31st (full retail is $495/$595 at the door). The CFP also closes tonight at Midnight, but I’m guessing we’re probably not going to see an up-tick on CFP submissions 4 hours before the deadline.

"The SOURCE conference is committed to bringing Business, Technology and Security professionals together at one event. Each year we host an amazing group of world-class professionals, and provide an intimate environment for meeting new people, exchanging ideas, and learning about the latest in information security. "

Guest Interview: Russ McRee

EmbedVideo received the bad id "ohsL2s5V58w"" for the service "youtube".


Bio

Russ McRee, GSE, MSISE, directs the Security Response and Investigations team for Microsoft’s Operating Systems Group (OSG). He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, and Linux Magazine. Russ also speaks regularly at events such as DEFCON, Derby Con, BlueHat, Black Hat, SANSFIRE, RSA, and others, and is a SANS Internet Storm Center handler. He serves in the Washington State Guard as an advisor to the Washington Military Department. Russ advocates a holistic approach to the practice of information assurance and, as such maintains holisticinfosec.org. IBM's ISS X-Force cited Russ as the 6th ranked Top Vulnerability Discoverers of 2009.

Questions/Topics

  1. What's the greatest actionable item or set of things that the general public could do to reduce threat?
  2. Threat landscape keeps evolving, & bad guys appear to have the upper hand. What concerns you most or keeps you awake at night?
  3. Did the idea for the toolsmith articles evolve out of his local ISSA or OWASP meetings?

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. Pick two celebrities to be your parents.
  5. In the proper game of as grabby-grabby, do you prefer to go first or second?


Links/Contact

Toolsmith Articles

Follow Russ on Twitter

Email russ at holisticinfosec dot org

Stories

EmbedVideo received the bad id "36zzOe22G54"" for the service "youtube".

Sponsors

  • Stories of the week is brought to you by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • And by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com

Carlos's Stories

Paul's Stories

  1. http://arstechnica.com/security/2015/03/twitch-resets-user-passwords-fol...
  2. https://threatpost.com/cisco-small-business-ip-phones-open-to-remote-eav...
  3. http://arstechnica.com/security/2015/03/all-four-major-browsers-take-a-s...
  4. BIOS Hacking
  5. Maturing Your Vulnerability Management Program – Part 1 | Core Security Blog
  6. 5 Ways to a Kick A$$ Vulnerability Management Program-Part 2
  7. Reverse Engineering Incentives
  8. How I hacked my smart bracelet
  9. The Internet Of Bring-Your-Own Things
  10. Researchers Use Heat To Breach Air-Gapped Systems
  11. Wind Turbine Blown Away By Control System Vulnerability
  12. Romanian Man Extradited To U.S. To Face Hacking Charges
  13. A $60 Gadget That Makes Car Hacking Far Easier
  14. Amazon.com Gives Out A T-Shirt For XSS Issue Reported
  15. Cisco Patches IOS To Stop Automation Exploitation

Joff's Stories

  1. Hacking across air gaps
  2. Cisco VOIP Eaves Dropping
  3. Windows 10 Secure Boot

Jack's Lack of Stories

  1. Web servers enrolled in Pratchett tribute This is a pretty cool, and very Pratchett tribute to Sir Terry. It will be interesting to watch this over time, as of showtime there are over 2000 servers passing the X-Clacks-Overhead "GNU Terry Pratchett" header on Shodan
  2. The Bishop web vuln scanner is a Chrome extension-based vulnerability scanner that claims to "automate tedious tasks of hunting for trivial vulnerabilities on your websites as you browse."
  3. Australia outlaws warrant canaries and you have to think the US and UK are next.