From Security Weekly Wiki

Paul's Security Weekly - Episode 423 - 6:00PM

Episode Media


Intro, Sponsors & Announcements


[Cut to Paul Live Shot]

This week we talk OS X security with Patrick Wardle, the vintage bearded man Jack Daniel is back in studio, and stories of the week include bug bounty programs (are they worth it?), the latest big Apple security bug, and hacking LastPass. All that and more, so stay tuned!

[Cut to Jack Live shot]


Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren't the only things getting sniffed, and the cocktails flow steady, it's Paul's Security Weekly!

[Cut to sponsor logo]

  • And by Netsparker, the developers of the ONLY false-positive-free web application security scanners, enabling you to automatically identify vulnerabilities and security flaws in all your websites, web applications and web services. Netsparker scanners are available in two editions, Netsparker Desktop and Netsparker Cloud, the enterprise-level online scanning service. For more information visit their website at https://www.netsparker.com/securityweekly/
  • Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/

[Cut to security weekly logo]

Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet...

[Cut to live shot of Paul]

Larry: Here's your host, a man who changes your paradigm....with glitter....Paul Asadoorian!

Paul: Hello everyone and welcome to Paul's Security Weekly - Episode 423 for Thursday June 18th, 2015

  • Introduce hosts and guests


[Cut to Announcement graphics]

  • Ready to learn Combat Firmware Analysis? Register for my Blackhat course "Embedded Device Security Assessments", a 2-day hosted class at Blackhat Las Vegas. Registration includes breakfast, lunch, and access to the Blackhat Briefings Business Hall, Sponsor Workshops, Sponsor Sessions, and Arsenal! Visit http://securityweekly.com/iot to register today!


[Cut to shot on Paul]

Guest Interview: Patrick Wardle - 6:05PM-6:35PM


Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware.


  1. Twitter
  2. Objective-See
  3. GitHub


  1. People say Macs don't get viruses, is this really true?
  2. Microsoft has made advances in O/S security, how does Apple compare?

Five Questions

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Stories of the Week - 7:30PM-8:00PM

[Play music, Cut to sponsor logo, THEN START RECORDING]


  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!
  • This segment is sponsored by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com


[Cut to announcement Graphics] Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Las Vegas, NV, September 14-19, and lots more places so be certain to check the SANS web site for more course offerings!

[End Music]

Paul's Stories

  1. The disruptive effect of open-source startups
  2. US Navy caught trying to buy zero-day security flaws
  3. LinkedIn Goes Public with Its Private Bug Bounty
  4. You’re as secure as your apps’ developers allow them to be
  5. Wi-Fi Hacker Case Reveals Risks Faced By Home Users
  6. The Cardinals May Have Hacked The Astros (NOT linked to Wired on purpose, but rather something I believe represents Wired) - Dear Wired, you led in this article with Patriots Spygate, so F-You. Read Threatpost for real tech journalism, and a nice article on this story, which states: "The attack, such as it was, apparently involved Cardinals officials allegedly using passwords previously used by Luhnow and other former Cardinals executives to gain access to the Astros' internal database that houses player evaluations, statistics, and other information." See more at: https://threatpost.com/fbi-investigating-alleged-attack-on-houston-astros/113342
  7. EFF, ACLU appeal license plate reader case to California Supreme Court - This is a case where you ask "What data is being stored and for how long?". The state goes, "Well, uh, ya know, it varies". And then people freak out. How long do you need to keep license plate data and for what reward? Apparently less than 1% of the license plates on file have identified stolen vehicles...
  8. PowerShell ♥ the Blue Team - Windows PowerShell Blog - Site Home - MSDN Blogs - Windows 10, and the new PowerShell, is stepping up security. This is a good thing. That is really all.
  9. HackerOne Connects Hackers With Companies - Pretty neat company, got a $9 million investment too. Rather than sue people, ignore them, or thank them and not fix the flaws, why not just work with the hackers? That's what HackerOne aims to do: help connect hackers with big companies. How the founders hacked 100 companies and did not get arrested or sued is beyond me, but using that as street cred, I'd recommend these guys.
  10. Research on The Trade-off Between Free Services and Personal Data - I found this interesting: people who know more about ways marketers can use their personal information are more likely, rather than less likely, to accept discounts in exchange for data when presented with a real-life scenario. So the more people know about how their personal information is handled, the MORE likely they are to let you have it in exchange for something free. Interesting! This means if you are open about how you collect or handle people's information, the more okay they will be with letting you use it or store it. Honesty is the best policy? On the flip side, I suspect that car dealers are selling my information to companies providing warranties for vehicles. I get a lot of calls about this, some for cars that I no longer own.
  11. Google launches Android bug bounty program - I've been on the fence about bug bounty programs. Do we have metrics that show they are actually working? Rhetorical question, I suppose. Thing is, bug bounties don't cost the company any money unless someone finds a bug. So essentially, large companies have convinced a whole bunch of people to work for free, unless they get some results that matter, then they get paid. The model is really messed up. I don't want to say that it's one-sided, but it favors folks who have skill and talent in a specific area. Wouldn't it behoove Google to just hire the person who finds these bugs to help them find more and improve application security in the first place?
  12. Apple OS X and iOS in the vulnerability spotlight - meet "CORED" - This vulnerability highlights something interesting: dropping 0day with full details has advantages. Sure, the bad guys will use it to create malware. But the good guys can use it to put protections in your apps. I prefer the open approach. Why? If the public does not know about a vulnerability, we have zero awareness and attacks will be successful. The bad guys will catch wind of the vulnerability and exploit it before a patch is released, and before anyone knows about it. Who knows, Apple could have taken a year or more to fix this problem (as it stands, they sat on it for SIX MONTHS!). But now that it's public, expect results fast. Not a popular opinion, but it's mine, and you know, they are like A-holes, everyone has one.
  13. Should I panic because Lastpass was hacked? and Hack Of LastPass Exposes Hashed Master Passwords - Here's the thing: if you use LastPass, you are probably okay. Vault passwords use 100,000 iterations in its PBKDF2 algorithm. What the hell does that mean? Robert Graham spells it out for us in a test that replicates trying to crack the password hash: "In this case, a 5 letter password has 1 billion combinations, so a fast computer can guess it in a second. Adding one letter, with its 64 different possibilities, makes this 64 times harder, meaning it'll take a minute. Another letter (7), and it becomes an hour. Another letter (to 8), and it becomes several days. Another letter (9), and it becomes a year. Another letter (10), and it becomes 64 years. Another letter (11), and it's thousands of years, and another letter (12) and it's millions of years." So here's what you need to do: 1) Change your password to something that uses more than 12 characters. 2) Enable two-factor authentication. LastPass has also made it so that if you try to log in from a new device you have to verify it via email. Everyone gets hacked; the key really is to minimize the damage and build layers of protection.
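The cracking-cost argument in story 13 is easy to reproduce: PBKDF2 makes every guess cost 100,000 HMAC computations, and every extra password character multiplies the keyspace by the alphabet size. The script below is an added example for this page, not code from the show, from LastPass, or from Robert Graham's post. It derives a PBKDF2-HMAC-SHA256 hash the way a vault password would be stretched, measures how many such guesses the local machine can make per second, and extrapolates how long an exhaustive search takes for 5 to 12 character passwords drawn from a 64-symbol alphabet. The password, salt, alphabet size of 64 and the STORY_RATE constant (the roughly one billion guesses per second implied by "a 5 letter password ... in a second") are assumptions for the demonstration; the choice of SHA-256 as the PBKDF2 PRF is also an assumption, as the story does not say which hash LastPass used.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values, not real LastPass data.
ALPHABET_SIZE = 64           # per-character guess space used in the story
ITERATIONS = 100_000         # PBKDF2 iteration count quoted for LastPass vaults
STORY_RATE = 1e9             # assumed guesses/sec implied by "1 billion in a second"
PASSWORD = b"correct horse"  # constructed example master password
SALT = os.urandom(16)        # per-user random salt, as any sane KDF deployment uses


def derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password with PBKDF2-HMAC-SHA256 (PRF choice is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored: bytes, candidate: bytes, salt: bytes, iterations: int) -> bool:
    """Check a candidate against a stored hash in constant time."""
    return hmac.compare_digest(stored, derive(candidate, salt, iterations))


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of passwords of the given length; grows by a factor of 64 per char."""
    return alphabet ** length


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure PBKDF2 throughput on this machine for the given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive(b"guess%d" % i, SALT, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(length: int, rate: float) -> float:
    """Worst-case time to try every password of this length at `rate` guesses/sec."""
    return keyspace(length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_time_table(rate: float, lengths=range(5, 13)) -> dict:
    """Map password length -> human-readable exhaustive search time."""
    return {n: humanize(seconds_to_exhaust(n, rate)) for n in lengths}


if __name__ == "__main__":
    stored = derive(PASSWORD, SALT, ITERATIONS)
    assert verify(stored, PASSWORD, SALT, ITERATIONS)
    assert not verify(stored, b"wrong guess", SALT, ITERATIONS)

    # Each extra iteration is one more HMAC per guess, so throughput drops
    # roughly linearly with the iteration count.
    fast = guesses_per_second(1)
    slow = guesses_per_second(ITERATIONS)
    print(f"1 iteration:       {fast:,.0f} guesses/sec")
    print(f"{ITERATIONS:,} iterations: {slow:,.0f} guesses/sec "
          f"(~{fast / slow:,.0f}x slower)")

    print("\nExhaustive search at the story's assumed 1e9 guesses/sec:")
    for n, t in crack_time_table(STORY_RATE).items():
        print(f"  {n:2d} chars: {t}")

    print("\nSame search at this machine's single-core PBKDF2 rate:")
    for n, t in crack_time_table(slow).items():
        print(f"  {n:2d} chars: {t}")
```

The first table reproduces the story's progression (a 5-character password falls in about a second, each added character multiplies the time by 64); the second shows how far a single CPU core actually is from that assumed rate once every guess costs 100,000 iterations. Note that the 64-character alphabet is the story's assumption; a password restricted to lowercase letters has a keyspace of 26 per character, so the same lengths fall much faster.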