Episode442

From Paul's Security Weekly


Paul's Security Weekly - Episode 442 - 6:00PM

Episode Media

MP3

Intro, Sponsors & Announcements

Paul

This week we interview Ferruh Mavituna, CEO of Netsparker. In our stories of the week, we discuss hacking of coffee pots.

Larry

Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren't the only things getting sniffed, systems aren't the only things getting penetrated, functions are the only things getting wrapped, bits aren't the only things getting banged and the cocktails flow steady, it's Paul's Security Weekly!

  • Brought to you by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!
  • And by Netsparker, the developers of the ONLY false-positive-free web application security scanners, enabling you to automatically identify vulnerabilities and security flaws in all your websites, web applications and web services. Netsparker scanners are available in two editions, Netsparker Desktop and Netsparker Cloud, the enterprise-level online scanning service. For more information visit their website at https://www.netsparker.com/securityweekly/
  • Looking for a career change? Tenable Network Security is hiring! Everything from programmers to researchers; check out all of the available positions at http://securityweekly.com/tenablejobs. If you are listening to this show, check out the following two positions, both technical and both work from home: Nessus Vulnerability Research Engineer and C Software Engineer
  • Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com


Paul: Hello everyone and welcome to Paul's Security Weekly - Episode 442 for Thursday, November 19th 2015

Announcements

  • Use discount code "BLACKFRIDAY" and save 50% on all items in the store, including Hack Naked shirts and limited edition Security Weekly 10-year anniversary hoodies! Visit http://shop.securityweekly.com today!

Guest Interview: Ferruh Mavituna - 6:05PM-6:45PM


Bio

CEO / Product Architect Ferruh Mavituna has been working in the application security industry for well over a decade. His ambition to ease the process of automatically detecting web application vulnerabilities led him to build Netsparker and pursue it to the point of commercial reality. Ferruh is also Netsparker's Product Architect.

Topics

1. Automation of exploitation and identification of issues, and time management for pen-testers / security people

2. What is currently possible to automate and what is not, and what we will likely see in the future of automation in web security

3. Scaling issues in web security: how do you secure 100+ websites with limited resources? Amazon, Google and various other companies are currently trying to solve this problem by different means

4. Why the SDLC (as in secure development life cycle) has become even more important as the startup and Silicon Valley culture of agile development and frequent deployments has become more prominent in the industry. Huge companies that we trust, such as Facebook, Etsy and Dropbox, push new code to production multiple times a day.

5. How bug bounties make young researchers (or pentester apprentices) lazy by focusing on the outcome rather than understanding the cause.

6. http://www.appsecweekly.com/flash-same-origin-policy-bypass-with-307/


- Ability to do things by brute force, i.e. fuzz a page with XSS payloads, see the alert box and you are done

- Ability to understand a vulnerability

Understand the components in play and why a vulnerability really occurs. A proper understanding of this allows successful exploitation of issues even when straightforward fuzzing will not yield results. A good example is bypassing MD5 checks in SQL injection, as explained here: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/#ByPassingLoginScreens under "Bypassing second MD5 hash check login screens"

- Ability to understand patterns of vulnerabilities and even classes of vulnerabilities.


Links

  1. Twitter


Resources

https://continuousassurance.org/

Stories of the Week - 7:00PM-8:00PM


Sponsors

  • This segment is sponsored by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com
  • And by Onapsis, the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/

Announcements

Paul's Stories

  1. Did Carnegie Mellon Attack Tor for the FBI?
  2. KeeFarce – Extract KeePass Passwords (2.x) From Database
  3. Paris Terrorists Used Double ROT-13 Encryption
  4. Federal Legislation Targets “Swatting” Hoaxes
  5. Clearing the Air on Wi-Fi Software Updates | FCC.gov
  6. It’s Way Too Easy to Hack the Hospital
  7. BadBarcode Internet Of Things Hack PacSec 2015 | Threatpost
  8. Siri's Lockscreen Bypass A Growing Privacy Issue For iOS Users
  9. US-China Security Review Commission Discusses 'Hack-Back' Laws
  10. Martel Police Body Camera Virus Found Embedded into Camera | iPower Technologies
  11. Failed Windows 3.1 system blamed for shutting down Paris airport | Ars Technica
  12. Trouble Brewing As iThing Coffee Machine Seems To Be Hackable
  13. Anonymous Declares War On Islamic State
  14. US Lawmakers Advised To Consider Hacking China Back


Larry's Stories

Michael's Stories

  1. This hacker has fought terrorists online since 2010, and he's not impressed by Anonymous

Joff's Stories

Kevin's Stories

  1. NYT Quietly Pulls Article Blaming Encryption In Paris Attacks
  2. CMU statement on allegations of accepting money from FBI to unmask TOR users

Jack's Stories