From Security Weekly Wiki
Watch live at http://securityweekly.com/live and join our chat room!

Paul's Security Weekly - Episode 438 - 10:00AM

Episode Media

MP3 pt 1

MP3 pt 2

MP3 pt 3

Intro, Sponsors & Announcements


This week the Security Weekly crew celebrates our 10th anniversary! We are celebrating in style, so stay tuned for interviews with Mikko Hyppönen, Ron Gula and former members of the L0pht, plus panel discussions on bug bounties and mobile security. We'll do a bit of reflecting, hear some listener voicemails and play some hacker trivia. All that and more from the show you've been lovin' and hatin' for the past 10 years! Oh, and for the next 10 and beyond too, so buckle up, tray tables in the full and upright position, drinks in hand, this is going to be an epic ride...


Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren't the only things getting sniffed, systems aren't the only things getting penetrated, functions aren't the only things getting wrapped, bits aren't the only things getting banged and the cocktails flow steady, it's Paul's Security Weekly!


Now, fire up a packet capture, pour yourself an adult beverage, and give the intern control of your botnet...

Larry: Here's your host, a man who can make a mean drink from Bartending for Dummies, Paul Asadoorian!

Paul: Hello everyone and welcome to Paul's Security Weekly - Episode 438 for Thursday, October 16th 2015


Introduce hosts, Roadmap for the day, Donate to EFF, go right into the interview...

Guest Interview: Mikko Hyppönen 10:05 AM


Donate to the EFF!


To kick this off today, we start by interviewing Mikko Hyppönen, the Chief Research Officer at F-Secure Corporation in Finland. He started programming on a Commodore 64 and has been reverse engineering malware since the days when it spread on floppies. He's known for tracking down the authors of the first PC virus in history. PC World ranked him among the 50 Most Important People on the Web. He has 110,000 followers on Twitter and his AMA made the front page of reddit. But most importantly: he's the world champion in Xevious, the arcade game.


  1. Twitter
  2. News story regarding banned tweet
  3. Cabir mobile phone worm
  4. Celebrity Parents

Link to the tweet that got me banned: https://twitter.com/mikko/status/3102253636

More on that: http://www.zdnet.com/article/twitter-suspends-security-researchers-account-as-a-threat/

Information about the Cabir mobile phone worm: https://www.f-secure.com/v-descs/cabir.shtml

My celebrity parents include Taylor Swift: https://www.youtube.com/watch?v=L26vEW8Xg2g


  1. How did you get your start in information security?
  2. How did you get the job at F-secure?
  3. Going back in history, what are some of the more memorable virus outbreaks that stick out in your mind?
  4. Who is the most successful online criminal you have seen?
  5. What will the next Stuxnet look like?
  6. How did the first mobile malware come about?
  7. Did F-Secure do the response for the Cabir worm?
  8. Why don’t we see more worms like Cabir? Has security of close-proximity wireless gotten better?
  9. There was some drama with Your Twitter account, can you tell us about that?
  10. What makes the mobile platform a perfect tool for surveillance?
  11. What are your thoughts on export-grade encryption? Pros and cons
  12. Do you believe end-users are aware of tracking, such as "yellow dots", and choose to ignore it?
  13. What's your favorite classic arcade game?

Five Questions

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

L0pht Panel 11:00 AM



  • Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com

John Tan

Works in the financial industry.


Joe Grand

Founded Grand Idea Studio. @joegrand


Space Rogue

Is a strategist with Tenable Network Security. @spacerog

Weld Pond

He is co-founder and CTO of Veracode. @WeldPond

Security Weekly Throwback 12:00 PM

  1. 5 Questions Montage
  2. Security Weekly Throwback Clips
  3. Listener Voicemails - (475) 441-4225

Panel: Bug Bounty and Responsible Disclosure 1:00 PM



  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

To discuss both responsible disclosure and bug bounty programs, we have brought back Samy Kamkar. Also joining us are Casey Ellis, CEO of Bugcrowd, and Katie Moussouris, Chief Policy Officer of HackerOne.

Katie Moussouris

Katie Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response & structured bounty programs. She is a noted authority on vuln disclosure & advises lawmakers, customers, & researchers to legitimize & promote security research & help make the internet safer for everyone. Katie's earlier Microsoft work encompassed industry-leading initiatives such as Microsoft's bounty programs & Microsoft Vulnerability Research. She is also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vuln disclosure (29147), vuln handling processes (30111), and secure development (27034). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market. She is a New America Foundation Fellow. Katie is an ex-hacker, ex-Linux developer, and persistent disruptor. Follow her and HackerOne on Twitter http://twitter.com/k8em0 and http://twitter.com/hacker0x01

Samy Kamkar

Samy Kamkar is an independent security researcher, best known for creating the MySpace worm, one of the fastest spreading viruses of all time. His open source software and research highlight the insecurities and privacy implications in everyday technologies, from the Evercookie, which produces virtually immutable respawning cookies, to SkyJack, the drone that wirelessly hijacks other drones, and KeySweeper, a wireless keyboard sniffer camouflaged as a USB wall charger. He continues to release new tools and hardware, most recently the ProxyGambit, OpenSesame and ComboBreaker tools.

Casey Ellis

As CEO and co-founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as Chief Security Officer at ScriptRock and as an Information Security Specialist and Account Manager for Vectra Corporation Ltd. Casey has also presented at several security shows including RSA, DerbyCon, BSides, Converge, SOURCE Conference and the AISA National Summit. A former penetration tester, Casey has taken on the role of “white hat” to connect organizations large and small with the power of Bugcrowd’s platform for a revolutionary approach to cybersecurity.

Questions & Topics

  1. How has “responsible” disclosure changed over the years?
  2. What advice do you have for someone who has discovered a vulnerability and does not know how to disclose it?
  3. How much should we fear legal action when disclosing bugs?
  4. How have bug bounties changed the disclosure process?
  5. When issuing a bug bounty for a web site, say Facebook or Google, how do you get around violating the CFAA or the web site's own policies in order to discover bugs?
  6. What sort of rules should be in place to have a successful bug bounty program?
  7. Why don’t more companies, like Adobe or Oracle, adopt bug bounty programs?
  8. Ethical question: if you get paid for a bug bounty and the bug doesn't get fixed, what do you do? Ride off into the sunset and never worry about it? As security professionals we like to see things fixed and don't want to send the message that it's good enough because you got paid.
  9. Are the bug bounties enough to keep 0day exploits off the black market? How do we track that?
  10. Where do you see bug bounties going in the next 5 years?

Guest Interview: Ron Gula 2:00 PM



  • Looking for a career change? Tenable Network Security is hiring! Everything from programmers to researchers, check out all of the available positions at http://securityweekly.com/tenablejobs. If you are listening to this show, check out the following two positions, both technical and both are work from home: Nessus Vulnerability Research Engineer and C Software Engineer
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com


Frequently sought out by media publications and outlets such as the New York Times, Bloomberg and Forbes, Ron is a leading cybersecurity thinker, innovator, and visionary in the information security industry.



  1. How has vulnerability management changed in the past 10 years?
  2. What can you do to make the most of the vulnerability data collected in your organization?
  3. What is better: 3rd party threat intelligence or threat intel you’ve collected on your own network?
  4. What are some of the more creative ways to identify breaches in your network? Logs, IDS, vulnerabilities, user activity?
  5. In the sea of vulnerability and log data, how do you know which vulnerabilities, log entries and system configurations matter?
  6. Should you rely on 3rd party compliance standards or develop your own? If both, how do you balance the two?
  7. Where do you see vulnerability management going in the next 5 years?
  8. As we move to the cloud and SaaS, how will things change for IT security?
  9. What is your favorite part about being the CEO of Tenable?
  10. What is your favorite science fiction novel?
  11. Best sci-fi movie you've seen recently?

Five Questions

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Interview: Peiter "Mudge" Zatko 3:00 PM


  • And by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/

Panel: Mobile Security and Privacy 4:00 PM



  • And by Netsparker, the developers of the ONLY false-positive-free web application security scanners, enabling you to automatically identify vulnerabilities and security flaws in all your websites, web applications and web services. Netsparker scanners are available in two editions, Netsparker Desktop and Netsparker Cloud, the enterprise-level online scanning service. For more information visit their website at https://www.netsparker.com/securityweekly/
  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

David Schwartzberg and Simple Nomad

Questions & Topics

  1. What are some examples of mobile devices leading to damages against an organization?
  2. Is the mobile threat real, or is it hype?
  3. Can’t we just put AV software on all our devices and be protected?
  4. How can you best handle sandboxing on the mobile devices? How come we can’t do this well on our desktops, or can we?
  5. What are some tips for maintaining privacy on your mobile device, but still being able to use popular apps and social media (like FB and Twitter)?
  6. Do 0day exploits for mobile devices sell for more money than exploits for desktop apps?
  7. Jailbreaking your phone, will it be legal in a few years?
  8. What do you folks do to lock down your mobile devices?
  9. Is it possible to lock down Android to where you are comfortable with the security?
  10. What do you think of the model of vetting apps? Does it scale?
  11. Is mobile security an issue that won't be truly addressed until something bad (or worse) happens to everyone's beloved smart phones?
  12. What can Apple and Google do better to improve security of the smart phone platforms?
  13. What is the best way to discover if your mobile device has been successfully attacked?

Bio: Simple Nomad

Simple Nomad has been doing hacker and security-related things for over 30 years, wearing black, white, and gray hats at various points. He has worked as an admin, analyst, and researcher for large and small software and hardware security vendors, major Fortune 500 companies, and government contractors. He has lectured at numerous colleges, private companies, large and small security conferences, and has been interviewed on security-related topics by numerous television, print, and online media outlets. He has never been indicted. He is currently a Senior Security Researcher at Duo Security.

Bio: David Schwartzberg

David Schwartzberg is a Sr. Security Engineer at MobileIron, a mobile security company, where he specializes in mobile and network security. Utilizing his 6 years accounting experience and combined 17 years InfoTech and InfoSec experience, he speaks regularly with technology executives and professionals to help protect their corporate secrets and stay compliant. David is also the founder of Hak4Kidz, the first official youth-based ethical hacking conference in Chicago that is *not* a hackathon in an effort to bring the educational and communal benefits of whitehat hacking conferences to children and young adults.

You can support Hak4Kidz by bidding on a DerbyCon Black Badge here

Security News 5:00 PM



  • This segment is sponsored by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more

  • Featuring Hacker Trivia!

Paul's Stories

  1. HP adds protection against firmware attacks to enterprise printers
  2. Can myriad wireless networks connect as one fast
  3. FireEye Myth and Reality
  4. No End In Sight For Exposed Internet Of Things
  5. Google Patches Chrome
  6. WordPress Fixes Critical Stored XSS Error in Akismet
  7. Shocker: Net anarchist builds sneaky 220v USB stick that fries laptops
  8. You can hack a PC just by looking at it
  9. Cash Reward For Google.com Takeover Man
  10. Hackers Can Steal Your Brain Waves
  11. Half Of IRS's Servers Still Run Doomed Windows Server 2003
  12. Hackers Can Silently Control Siri From 16 Feet Away
  13. 87% of Android devices are exposed to at least one critical vulnerability
  14. 'Fixed' app that fights parking tickets blocked in 3 cities
  15. Ongoing Flash Vulnerabilities

John's Stories

"Just Google Image Search Me"

Larry's Stories

"I sit when I pee, just like Mike Yaffe"

Kevin's Stories

"I am not Kevin"

Joff's Stories

"I can't wait to dump beer into my laptop and make John buy me a new one"

Laptop Destruction 5:30 PM