Episode 437

From Paul's Security Weekly


Paul's Security Weekly - Episode 437 - 6:00PM

Episode Media

MP3

Intro, Sponsors & Announcements

Paul

This week we interview Dafydd Stuttard, creator of Burp Suite. In the stories of the week Paul puts his lawyer hat on, Android vulnerabilities persist, routers get pwned, talks get pulled from security conferences and a whole lot more, so stay tuned!

Larry

Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren't the only things getting sniffed, systems aren't the only things getting penetrated, functions are the only things getting wrapped, bits aren't the only things getting banged and the cocktails flow steady, it's Paul's Security Weekly!

  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com
  • Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • This segment is sponsored by the SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.

Larry

Now, fire up a packet capture, pour yourself an adult beverage, and give the intern control of your botnet...

Larry: Here's your host, a man who can make a mean drink from Bartending for Dummies, Paul Asadoorian!

Paul: Hello everyone and welcome to Paul's Security Weekly - Episode 437 for Thursday, October 8th 2015

Announcements

Interview: Dafydd Stuttard - 6:05PM-6:55PM

Video: YouTube id UzDWjrayndQ

Bio

Dafydd Stuttard is the creator of Burp Suite and founder of PortSwigger Web Security, where he leads the ongoing development of Burp. He is author of The Web Application Hacker's Handbook.

Links

  1. PortSwigger Website
  2. Twitter


Stories of the Week - 7:00PM-8:00PM

Video: YouTube id AhsyKiO2dNE

Sponsors

  • And by Netsparker, the developers of the ONLY false positive free web application security scanners, enabling you to automatically identify vulnerabilities and security flaws in all your websites, web applications and web services. Netsparker scanners are available in two editions, Netsparker Desktop and Netsparker Cloud, the enterprise level online scanning service. For more information visit their website at https://www.netsparker.com/securityweekly/
  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

Announcements

Paul's Stories

  1. Scottrade Breach Affects 4.6 Million Customers
  2. Experian Breach Spills Data on 15 Million T-Mobile Customers
  3. Targeted Attack Exposes OWA Weakness
  4. Canceled Talk Re-Ignites Controversy Over Legitimate Security Research - Another talk pulled, this time for IP cameras.
  5. How A Single Car Could Spread Malware To Thousands More - This was a talk at Derbycon, interesting how attacks against cars can be amplified, such as when a car goes in for service. However, let's separate targeted attacks from the "spray and pray (or prey)" attacks.
  6. Home Routers Vaccinated By Benign Virus - Is this legal? A good thing? Long history of viruses that claim to do good rather than harm; the problem is you may be punished under the Computer Fraud and Abuse Act...
  7. Edward Snowden Fails At Twitter And Notification Settings
  8. Data Easily Recovered From eBayed Smartphones - Larry talked about this years ago, with SIM cards. My advice: everyone should "Tom Brady" their phones post-upgrade.
  9. Autonomous Vehicles as Bombs - Right out of science fiction!
  10. What’s in a Boarding Pass Barcode? A Lot
  11. Amazon AWS Web Application Firewall (WAF) Launched
  12. Threatening to post a sex tape on Facebook isn't a crime - Sounds like there was no tape, and A LOT more to the story (he could possibly be one of the worst landlords, as he was found putting dead cats in the mailboxes, cutting off electricity, etc...). However, the ruling states there was no crime committed for threatening to release a sex tape. While not a crime, damages from this would be served in civil court (had he actually released a sex tape, they could have a case).
  13. Information in Your Boarding Pass's Bar Code - From a boarding pass, on certain airlines, you can glean some PII, and even modify flights. Make sure you shred your boarding passes, or even better use an electronic boarding pass on your phone and delete it once you've arrived at your destination.
  14. Stagefright 2.0 Vuln Affects Nearly All Android Devices - Trey Ford has some smart comments on this story: "The advice I give friends and family is to buy handsets that allow for updates directly from the manufacturer," says Trey Ford, global security strategist at Rapid7. "For those who love Android -- buy directly from Google to remove the carrier-introduced delay when Android releases a security patch. For Google, this is an ecosystem problem. Google manages Android, and does a respectable job shipping patches. They deliver to the carriers, which in turns, the carriers take some time (picture 9-18 months) before those patches are certified and delivered over the air to the devices," Ford says. "In other cases, they don’t bother, as the handset life expectancy is so brief for the consumer. Discerning consumers are paying attention, they want to keep their patches up to date." The problem is the devices direct from Google are expensive compared to the devices you can get from a carrier at a discount with contract. This leaves many vulnerable to such attacks.
  15. Shell Shock Labs: [Part 1][EN] Hacking NETGEAR JWNR2010v5 Router - Authentication Bypass - By visiting a single page, authentication is removed for all other pages. I kid you not, this is the level of embedded device security, still.
  16. Terminal escape sequences - the new XSS for Linux sysadmins - A reminder to use caution when installing software. Also a reminder that less is more...
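As an added illustration of what the boarding pass stories (items 10 and 13) are about, here is a small Python parser for the fixed-width mandatory section of the IATA BCBP "M" format. This is example code written for these notes, not from the linked articles or from any airline tool. The field widths follow the published IATA layout; the sample payload is constructed (no real passenger or booking), and the caller supplies the year because the barcode itself stores only a day-of-year.

```python
"""Decode the 60-character mandatory section of an IATA BCBP ("M"-format) boarding pass."""
from datetime import date, timedelta

# Field name and width of the mandatory section for the first leg, in order,
# following the IATA Bar Coded Boarding Pass layout.
BCBP_FIELDS = [
    ("format_code", 1),
    ("legs", 1),
    ("passenger_name", 20),
    ("eticket_indicator", 1),
    ("pnr", 7),                 # record locator
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),         # day of year, no year given
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("variable_field_size_hex", 2),  # length of the optional data that follows
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)  # 60


def parse_bcbp(payload: str, year: int) -> dict:
    """Slice the fixed-width mandatory fields out of a BCBP string.

    The mandatory section carries only a day-of-year, so the caller supplies
    the year to recover a calendar date.
    """
    if len(payload) < MANDATORY_LEN or payload[0] != "M":
        raise ValueError("not an M-format BCBP payload")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    # Everything after the mandatory block is optional / airline-specific data;
    # its length is the hex value stored in the last mandatory field.
    optional_len = int(fields["variable_field_size_hex"], 16)
    fields["optional_data"] = payload[MANDATORY_LEN:MANDATORY_LEN + optional_len]
    return fields


def pii_summary(fields: dict) -> str:
    """Summarise what anyone scanning a discarded pass learns from the barcode alone."""
    return (f"{fields['passenger_name']} on {fields['carrier']}{fields['flight_number']} "
            f"{fields['from_airport']}->{fields['to_airport']} {fields['flight_date']}, "
            f"seat {fields['seat']}, record locator {fields['pnr']}")


# Constructed sample payload, built field by field so the widths line up.
SAMPLE = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "XYZ789".ljust(7)
    + "BOS" + "LHR" + "BA".ljust(3) + "0212".ljust(5) + "281"
    + "Y" + "012C" + "0031".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    print(pii_summary(parse_bcbp(SAMPLE, 2015)))
```

The point of the summary line is the risk, not the format: name, route, date, seat and record locator are all readable by anything that can scan the barcode, which is why the advice above is to shred the paper pass or delete the electronic one once you have landed.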

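As an added illustration for the terminal escape sequence story (item 16), and not code from the linked write-up, here is a Python filter that renders untrusted output (package install logs, file names, anything you are about to cat to a terminal) with escape sequences shown in caret notation instead of being interpreted by the terminal. The regexes cover CSI, OSC and single-byte ESC sequences; the sample lines are constructed.

```python
"""Render untrusted text safely on a terminal by making control sequences visible."""
import re

# ESC-introduced sequences: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \),
# and any other ESC followed by a single byte (e.g. ESC c, a full terminal reset).
_ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: colours, cursor movement, line erase
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: window title, hyperlinks
    r"|\x1b[@-~]"                            # other two-byte escapes
)
# Remaining C0 control bytes and DEL; tab and newline are left alone, CR is not.
_OTHER_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def _caret(match: "re.Match") -> str:
    """Rewrite every control byte in the match as ^X (ESC -> ^[, BEL -> ^G, DEL -> ^?)."""
    out = []
    for ch in match.group(0):
        code = ord(ch)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def make_visible(text: str) -> str:
    """Replace escape sequences and stray control bytes with printable caret notation.

    The result contains nothing that can move the cursor, erase lines, change the
    window title or otherwise drive the terminal, in the same spirit as `less`
    when run without -r/-R.
    """
    text = _ESCAPE_SEQ.sub(_caret, text)
    return _OTHER_CONTROL.sub(_caret, text)


def has_escape_sequences(text: str) -> bool:
    """Detection helper: True if the text contains anything make_visible would rewrite."""
    return bool(_ESCAPE_SEQ.search(text) or _OTHER_CONTROL.search(text))


# Constructed sample lines, of the kind a post-install script or log file might emit.
SAMPLE_LINES = [
    "Installed package foo 1.2.3",
    "\x1b[2K\x1b[1A\x1b[32mAll checks passed\x1b[0m",  # erases the line above, then prints green
    "\x1b]0;not-really-your-shell\x07done",              # rewrites the terminal window title
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        flag = "!" if has_escape_sequences(line) else " "
        print(flag, make_visible(line))
```

This is the difference behind the "less is more" line above: `less` shows control characters in a visible form by default (only `-r`/`-R` passes them through), whereas `cat` and `more` hand them straight to the terminal. Piping unfamiliar output through a filter like this, or reviewing it in `less`, lets an admin see an attempted cursor trick or title change rather than experience it.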
Larry's Stories

  1. Rooting the Google OnHub - /me sighs. Yet another IoT device falls, even if it requires local access and a screwdriver.
  2. You too can bust SHA-1 - for only $75,000...
  3. Amazon AWS WAF Announced - Hooray, now we can all deploy shitty code in production in AWS.
  4. OWA attacks - I wish there were more details... sure, an unsigned malware DLL loaded on the server to steal creds... but how did it get there...

Kevin's Stories

  1. Meet The Mystery Vigilantes Who Created 'Malware' To Secure 10,000 Routers

Michael's Stories