Paul's Security Weekly - Episode 412 for Thursday April 2nd, 2015
And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady its Paul’s Security Weekly!
- This episode is sponsored by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
- And by Black Hills Information Security, the leaders in penetration testing and active defense. Email firstname.lastname@example.org to request a quote today!
- Sponsored by Black Squirrel. Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."
"Here's your host, a man who could power a small city with the alcohol in his bloodstream Paul Asadoorian"
- Security Weekly Announcements:
- Come to Embedded Device Security Assessments, a 2-day hosted class at the Blackhat Las Vegas on August 1-2 and 3-4 Register Here Today!
- Security Weekly listeners also receive 10% off products in our store with discount code 'IHACKNAKED'
- Security B-sides Orlando is a community driven event seeking to bring together anyone with a passion for making, breaking, or protecting. We welcome newbies and experts and anyone in between. Even if you don’t work in information security, you will be sure to find topics of interest. Please join us on April 11th and 12th in Orlando, Florida, for the 3rd Annual Security B-Sides Orlando Conference.
- Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Austin, TX May 18-23, Baltimore, MD (SANSFIRE) June 13-20, and Berlin, Germany June 22-27
- SOURCE Boston - early bird pricing of $349 is extended to March 31st (full retail is $495/$595 at the door). The CFP also closes tonight at Midnight, but I’m guessing we’re probably not going to see an up-tick on CFP submissions 4 hours before the deadline.
- Question of the week: Winner receives a free Hack Naked T-shirt! Send us your favorite cocktail recipe, winner will see their cocktail featured on the show! Send the email to email@example.com!
"The SOURCE conference is committed to bringing Business, Technology and Security professionals together at one event. Each year we host an amazing group of world-class professionals, and provide an intimate environment for meeting new people, exchanging ideas, and learning about the latest in information security. "
Interview: John McAfee, McAfee Associates
John McAfee pioneered commercial antivirus when he founded McAfee Anti Virus in 1987; he is considered one of the greatest, most controversial and outspoken minds when it comes to Information Security and privacy. Prior to McAfee Associates, John has held positions at NASA, Univac, Xerox, CSC & Lockheed.
- How did you get your start in the security industry?
- How did you come to start an Anti-Virus company? What was that like in the beginning when you were involved?
- Could you provide your insights, ones that you are willing to share publicly, on the Sony Pictures hack?
- Tell us about your current projects that are in the works at "Future Tense Central" ?
- Has profiling of the individual's online activities & data-mining gone beyond the tipping point of no return? What can people do to protect themselves?
- What are your hopes for the future of security and technology?
- Eddie Mize asks you to recap "the power company pwnage story"
- Is it possible to have security on mobile devices?
- What was the driving force behind creating QiKfunder?
- What problems have the security industry failed to address?
- Who does security better, businesses or the military?
- Whats your take on President Obama's recent Executive Order?
- Three words to describe yourself.
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the proper game of as grabby-grabby, do you prefer to go first or second?
- Pick two celebrities to be your parents.
Segment: The Dapper Hacker
(Credit: Mick Douglas is credited for naming this segment)
The question comes from a listener who asks: As hackers and/or security professionals, how should we dress? I've put together a few different scenarios that I believe are interesting:
- On a penetration test (undercover) - This really depends. Some are quick to point out that if you dress suspicious, you look suspicious. The point here is to dress the part, and have lots of costumes. you can order uniforms online, ebay and the like, to fit the bill if you are a UPS driver or a plumber for the day. I do want to throw in that if you are not straight up focused on one specific persona, dressing nice helps. Really dress up and acting like you are supposed to be there goes a long way. Something about people and how they will trust someone who dresses nice.
- On a penetration test (not undercover) - Try to fit in with the culture, don't over dress and don't underdress. I think for most places "business casual' is appropriate. We hear the term "metal faced hackers" and thats a stereo type we want to avoid. You don't want to be the young and cocky computer hacker with no social skills, or present that appearance on site. Lets face it, people will judge. You also don't want to dress too nice either, as the perception may be all your skills are in managment and asking for TPS reports.
- Dumpster Diving - Here is one where the group believes all black will just get you arrested. Mick likes to dress in a business caual tpe attire with a sport coat, then if caught, pretend like you lost your earing or cell phone in the trash. A likely story, but better than being obvious about it.
- Presenting to Management or C-level - Everyone agrees, dress up, I think the more the better, shows respect and people will take you more seriously, I know that sounds harsh, but its reality.
Reference: Men Disguised As Women Storm NSA HQ - the two men – dressed as women – attempted to smash through a checkpoint and into the data center complex using a stolen Ford Explorer Not really a stealthy way to break into NSA. Though, they were found to be very fashionable.
Now, for the funny ones:
- Cons - try to out-do your peers, mohawks, kilts, tactical gear with lots of patches, women's clothing on men, mens clothing on women, there are really no rules here. Let it loose!
- Working from home - Pajamas are the trend here, pants are optional, and changing your clothes every day is not required (or every week, or whatever).
- Hack Naked - Because, well, we can.
- Travel - Something with lots of pockets and weird stitching, just to keep TSA on their toes.
- Stories of the week is brought to you by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
- And by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
- Hillary’s emails: Deleted but not gone
- Hotel WiFi Vuln Puts Guests At Risk Yikes: they found a number of hotels where the InnGate was configured to communicate with a PMS. This presents additional security risks in itself, allowing an attacker to potentially identify guests and upcoming guests at a hotel and learn their room number. But PMSes are often, in turn, integrated with a hotel’s phone system, point-of sale system for processing credit card transactions, and the electronic keycard system that controls access to guest rooms. This would potentially give an attacker a gateway to access and exploit these systems as well.
- RSA Bans Booth Babes
- The US Has Used Zero-Day Exploits For Quite A While
- Men Disguised As Women Storm NSA HQ
- Uber Denies It Was Hacked - So Uber says it wasn't breached, but accounts are selling online for $1. Uber says there is no evidence of a breach. Thoughts?
- Flaw Deletes YouTube Videos In Just A Few Clicks - He says he spent seven hours finding the bugs and resisted the near overwhelming urge to "clean up Bieber's channel" LOL. Imagine if commenters could just delete your video? There may be nothing left in the end... Google paid this guy upwards of $5k. Good for them. But why didn't YouTube find this bug first? Why are we relying on the masses to find security bugs?
- Evidence Links China To GitHub Attack - China! APT! Cyber!
- Cross-Site Scripting Vulnerability Discovered In WordPress Photo Gallery Plugin | Fortinet Blog - WP vuln of the week.
- Rush To Release Resulting In Vulnerable Mobile Apps - Most do not run any security tests on either the mobile apps that are developed internally, outsourced from third parties, or purchased from mobile application stores. But, but Why? Security programs need, no must, be more inclusive.
- Pin-pointing China's attack against GitHub - Yeaaa China. Yeaa Cyber War. The crux of the issue is you can mirror anything to Github, so China wants to block it, and DoS it for good measure.
- Remote Code Execution Possible Via Dell System Detect - Okay, I would call this one "bad". Basically anyone running this software, so dude if you got a Dell you might be, means attackers can run code on your box. The program has very weak authentication, and insummary if you get tricked into clicking a link or opening an email, attackers can access a local URL that tells your system to run an executable. Yikes. Dell has fixed this vulnerability, but up to the user to get the new code, tricky.
Jack's Lack of Stories
- White House stories on the Cybersecurity Executive Order
- Pin-pointing China's attack against GitHub, another good post by Rob Graham over at Errata Security
- Matt Green's take on the Truecrypt software audit
- Presedential Emergency powers - Politics aside, what does this really mean? It seems terribly vague.
- GitHub DDoS - Appears to have been targeted largely at privacy/proxy/freedom apps, but on a shared/cloud service, everybody suffers.
- RasPi random host generator - Powers up, and randomly changes mac/hostname/sshkeys. April fools prank, but great for testing NAC, etc. Add some more to the script and have it make random outbound connections to test stuff such as RNA. Due to the random mac, I’d also venture to guess that it could exhaust DHCP pools as well.
- Google drops Chinese CA - After it issued fraudulent google (and other) certificates Goggle dropped the Chinese CNNIC CA from Chrome. Good for them. CNNIC says, "The decision that Google has made is unacceptable and unintelligible"