From Security Weekly Wiki
Jump to navigationJump to search

Paul's Security Weekly - Episode 421 - 6:00PM

Episode Media


Intro, Sponsors & Announcements


[Cut to Paul Live Shot]

(Show intro)

[Cut to Larry Live shot]


Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren’t the only things getting sniffed, and the cocktails flow steady its Paul’s Security Weekly!

[Cut to sponsor logo]

  • Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/

[Cut to security weekly logo]

Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet...

[Cut to live shot of Paul]

Larry: Here's your host, a man who changes your paradigm....with glitter....Paul Asadoorian!"

Paul: Hello everyone and welcome to Paul's Security Weekly - Episode 421 for Thursday June 4th, 2015

  • Introduce hosts and guests


[Cut to Announcement graphics]

  • Ready to learn Combat Firmware Analysis? Register for my Blackhat course "Embedded Device Security Assessments", a 2-day hosted class at Blackhat Las Vegas. Registration includes breakfast, lunch, and access to the Blackhat Briefings Business Hall, Sponsor Workshops, Sponsor Sessions, and Arsenal! Visit http://securityweekly.com/iot to register today!

EmbedVideo received the bad id "HVYBBAqX-wo"" for the service "youtube".

[Cut to shot on Paul]

Guest Interview: Stephen Sims - 6:05PM-6:35PM


Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. He holds the GIAC Security Expert (GSE) certification as well as the CISSP, CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.



Five Questions

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.


[Cut to Paul]

  1. If you are working in IT and you want to get into security what are some tips you have for folks?
  2. Which certifications carry the most weight in terms of getting a job in security?

Stories of the Week - 7:30PM-8:00PM

[Play music, Cut to sponsor logo, THEN START RECORDING]


  • 'And by Netsparker, the developers of the ONLY false positive free web application security scanners, enabling you to automatically identify vulnerabilities and security flaws in all your websites, web applications and web services. Netsparker scanners are available in two editions, Netsparker Desktop and Netsparker Cloud, the enterprise level online scanning service. For more information visit their website on https//www.netsparker.com/securityweekly/
  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!
  • This segment is sponsored by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com


[Cut to announcement Graphics] Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Las Vegas, NV, September 14-19, and lots more places so be certain to check the SANS web site for more course offerings!

[End Music]

Paul's Stories

  1. Sniffing and tracking wearable tech and smartphones
  2. An Exploit Kit dedicated to CSRF Pharming | Malware don't need Coffee
  3. Exploit Kit Delivers Pharming Attacks Against SOHO Routers | Threatpost | The first stop for security news
  4. moha99sa/EvilAP_Defender · GitHub
  5. Cyber insurance: Only fools rush in | ITworld
  6. Google Online Security Blog: New Research: Some Tough Questions for ‘Security Questions’
  7. webapps - IPLINK IP-DL-801RT-B - (Url Filter Configuration Panel) Stored XSS
  8. Slew of Vulnerabilities Found in D-Link Storage Devices
  9. Microsoft Windows 10: Three Security Features To Know About
  10. Board Rooms Becoming More Security-Savvy
  11. Script tool a Docker shocker blocker
  12. New Exploit Leaves Most Macs Vulnerable To Permanent Backdooring
  13. New SOHO router security audit uncovers over 60 flaws in 22 models
  14. 95% Of Weapons
  15. IoT Devices Hosted On Vulnerable Clouds In 'Bad Neighborhoods'
  16. The Dark Web Drug Lords Who Got Away
  17. Microsoft accidentally announced its new WiFi service
  18. IoT DANGERS: BYOD’s trashier cousin becoming a right tearaway
  19. Microsoft to Support SSH in Windows
  20. Mad John McAfee: 'Can you live in a society that is more paranoid than I'm supposed to be?'
  21. Branded Vulnerabilities May Change Enterprise Security
  22. Understanding TSA Math

Larry's Stories

  1. Skype messaging DoS - errant characters in a URL cause Skype to crash…so much so that you need to reinstall.
  2. IM-ME garage door opener - Samy carries a pink pager. His opens fixed code garage doors.
  3. Cell jamming students in the classroom - So much fail. Yes, jamming is illegal - that is RF based noise. Exploiting the way a protocol works on the other hand, is not. [The teacher] said a local police officer told him before he deployed the device that "there are no state laws against using them as long as you don’t use them for malicious intent.” Correct. No state laws. Federal ones.
  4. ransomware for all! - Here is a “free” ransomware creator. Uses TOR for anonymity. Devs profit by taking 20% of your paid ransom. This one got me thinking…when will we see the adoption of adaptive ingress and egress filtering to take into account dynamically changing threats, such as TOR exit nodes?