Episode464

From Paul's Security Weekly


Paul's Security Weekly - Episode 464 - 6:00PM

Recorded May 12, 2016. This week we welcome Douglas White, Ph.D. to the show! A fellow Rhode Islander, Doug will be discussing various topics including Digital Forensics. We bring back the listener feedback segment this week and talk about some interesting penetration testing topics. In our stories of the week Pornhub announces a bug bounty program, Linus Torvalds tries to talk about IoT security, and people freak out over the DBIR.

Episode Audio

Announcements

Dr. Douglas White has worked in the technology industry for 30 years and has worked as a programmer, networking admin, security specialist, and consultant. Dr. White teaches courses in Digital Forensics, Computer Networking, and any other class that comes along that involves computers and security. Doug is a core team member of the Rhode Island Cyber Disruption Team which is coordinated by the Rhode Island State Police. Doug White was the first certified instructor for the ISFCE digital forensics boot camps and has worked for a variety of professional training organizations and corporations teaching and working in technology.

  • We will have Douglas White, Ph.D. in studio on the show today!

First segment 6:00PM-7:00PM

Our guest on the show will be Douglas White, Ph.D.

Professor of Networking, Security and Forensics, Director, FANS Lab. Doug will be in the studio with us.

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Listener Feedback Segment

Couple of questions from a listener:

Question # 1

I am a mid-career IT pro and network security engineer who is interested in breaking into pen testing and offensive security. What are the pros and cons of jumping in and starting to do paid pen test work, learning on the job, versus apprenticing / learning from a more established firm or practitioner?


Question # 2

I have an opportunity to perform pen test work under a subcontract with a managed services provider firm. While I have stayed on good terms with the firm's principals, many others that I have known a long time have left that firm due to culture and ethics issues. The firm also has an airtight subcontractor contract that is heavily unfavorable to me and my company (as subcontractor). Is it worth taking the risk of working with a firm like this to get my first paid pen testing gigs? What other risks should I be aware of going into a situation like this? For example, if the firm doesn't have a solid get-out-of-jail-free-card document or a legal team with security experience?

Stories of the Week - 7:00PM-8:00PM

In the Press:

Paul's Stories

  1. Torvalds on the Internet of Things: Security plays second fiddle - Torvalds again downplaying security: "Job one is to get the job done. In a new industry things will get done without security. Security plays second fiddle. It will be slightly distressing if someone hacks into my home furnace and turns up my heat to 95, I'll be bothered." Torvalds added, "In theory open source can be patched. In practice vendors get in the way."
  2. Windows 10 won't let you share WiFi passwords any more
  3. Hacker Finds Vulnerability In Mr Robot Website - Changed this link out, Forbes makes you register if you visit with an adblocker! WTF!
  4. GCHQ Wants You To Stop Resetting Your Password
  5. Kiddicare Compromised
  6. Panama Papers Now Searchable
  7. Researcher Arrested For Disclosing Election Vulnerabilities
  8. WordPress Redirect Hack via Test0.com/Default7.com - Sucuri Blog
  9. Caleb Madrigal
  10. Freaking out over the DBIR - Rob makes an OUTSTANDING point: "FIRST, they investigated a system and found IoCs (indicators that the system had been compromised). SECOND, they did the correlation between vuln/IDS. They didn't do it the other way around, because such a system produces too much false data."
  11. 5 Things Devs Wish CISOs Knew About DevOps
  12. Top 3 Reasons Why Neglecting Application Security Is Risky Business
  13. Economist Detained for Doing Math on an Airplane
  14. The day we discovered our parents were Russian spies | World news | The Guardian
  15. Push Your ICS Vendor / Integrator To Do It Right
  16. Wendy’s: Breach Affected 5% of Restaurants
  17. Wendy’s admits to payment card malware infection
  18. Pornhub bug bounty program will pay hackers up to $25 - "I guess people really get off on hacking porn sites", "That's one way to spank malicious attackers", "I hope none of the bug bounty hunters cause an increased load on the site", "Security is hard, implement a bug bounty program", and in other news Pornhub is releasing a new parody adult film titled "Big Booty Bug Bounty Hunters"

Larry's Stories

  1. Shakeup in the endpoint security market - VirusTotal changes the game.
  2. HackRF Jeep unlock replay attack - A simple capture and replay with a HackRF can unlock older Jeeps…no rolling code needed.
  3. Walmart sues - Over chip-and-PIN implementation, because it is chip-and-signature that is required, not chip-and-PIN.
  4. FB CTF - Now open source.
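The replay attack in Larry's second story, as an added example that is not code from the show, from HackRF, or from any vehicle vendor: a fixed-code fob is defeated by record-and-replay, a rolling-code fob (per-press counter plus MAC) rejects the replayed frame, and the jam-and-replay trick (Samy Kamkar's RollJam) shows why a rolling code alone is not a cure. The frame layout, the 16-press lookahead window and the HMAC-SHA256 tag are assumptions chosen to model the idea, not a real remote-keyless-entry protocol.

```python
"""Capture-and-replay against a fixed-code key fob versus a rolling-code one.
Added example, not code from the show, from HackRF, or from any vehicle vendor.
The frame layout, the 16-press lookahead window and the HMAC-SHA256 tag are
assumptions used to model the idea, not a real remote-keyless-entry protocol."""
import hashlib
import hmac

SERIAL = b"\x12\x34\x56\x78"  # assumed 32-bit fob identity, sent in the clear


class FixedCodeFob:
    """Older design: every press transmits exactly the same bytes."""

    def __init__(self, code: bytes):
        self.code = code

    def press(self) -> bytes:
        return SERIAL + self.code


class FixedCodeReceiver:
    def __init__(self, code: bytes):
        self.expected = SERIAL + code

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.expected)


class RollingCodeFob:
    """Each press sends serial || counter || tag; the counter advances per press."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        body = SERIAL + self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingCodeReceiver:
    WINDOW = 16  # presses made out of range must not desynchronise the fob

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag) or body[:4] != SERIAL:
            return False
        counter = int.from_bytes(body[4:], "big")
        # A counter at or below the last accepted one is a replay; far ahead is noise.
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False
        self.last_counter = counter
        return True


def replay_against_fixed_code() -> tuple:
    """Attacker records one press with an SDR and replays it later."""
    code = b"\xde\xad\xbe\xef"  # constructed fixed code
    fob, rx = FixedCodeFob(code), FixedCodeReceiver(code)
    captured = fob.press()
    return rx.receive(captured), rx.receive(captured)  # owner's press, then replay


def replay_against_rolling_code() -> tuple:
    """Same capture-and-replay; the second delivery reuses a spent counter."""
    key = b"\x00" * 16  # constructed shared secret
    fob, rx = RollingCodeFob(key), RollingCodeReceiver(key)
    captured = fob.press()
    return rx.receive(captured), rx.receive(captured)


def jam_and_replay_against_rolling_code() -> tuple:
    """RollJam-style attack: jam the first press so the car never hears it and
    record it; when the owner presses again, jam and record that too, then replay
    the first.  The owner gets in and the attacker keeps an unspent code."""
    key = b"\x00" * 16
    fob, rx = RollingCodeFob(key), RollingCodeReceiver(key)
    first = fob.press()   # jammed: the receiver never sees it
    second = fob.press()  # jammed and captured as well
    owner_gets_in = rx.receive(first)    # attacker replays the first press
    attacker_later = rx.receive(second)  # counter 2 is still fresh to the receiver
    return owner_gets_in, attacker_later
```

Run the three functions in order: the fixed-code receiver returns (True, True), the rolling-code receiver (True, False), and the jam-and-replay case (True, True), which is why a rolling counter has to be paired with a short validity window, jamming detection, or a challenge-response exchange rather than relied on by itself.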

Joff's Stories

Jack's Stories

  1. The 2016 Verizon DBIR is out. As always, there's some good stuff in there, but not much new. It is sadly a Report Card of Fail in many ways: how many times can we hear that folks need to use 2FA, patch their stuff, segment their networks, etc. etc.? And the vulnerability section didn't sit well with a lot of folks:
    1. Jericho took exception to the vulnerability section of this year's DBIR and he isn't alone.
    2. Jericho followed up a couple of days later
    3. A response from Kenna Security, who wrote most of the vulnerability section, doesn't seem to answer all of the questions
    4. and Dan Guido further disassembles the vulnerability section.
    5. Rob Graham was also unimpressed
  2. The ThreatButt DZIR might appeal to you if the Verizon DBIR doesn't.
  3. Lots of handy tiny apps thanks to the ever sexy Chris Nickerson for sharing this.
  4. VirusTotal changes the rules and some folks are gonna get hurt, and might deserve it.

Kevin's Stories

Michael's (Santa) Stories

  1. Tracking the Trends in Bringing Our Own Devices to Work --> good to know the trends. Broadly, use is up, sanctioned or not. Oh, and it correlates with higher performance. Find a way to make it work.
  2. Collaboration will help combat cybersecurity: David Thodey --> of course. The way forward is what is essential.
  3. IT leaders pick productivity over security --> this is due to low confidence in the domain, inability to measure, and struggles to communicate. Time for some straight talk!
  4. Behind the scenes at security conferences --> note the sorts of talks that get accepted and how to improve the experience for everyone
  5. Twitter Bars Intelligence Agencies From Using Analytics Service --> this is about optics, mostly
  6. The Real “Weakest Link” In Security Isn’t What You Think --> flip the narrative (long overdue) and explore how tech and people combined boost security
  7. Strengthening authentication through big data --> unfounded password hate aside, does more data lead to higher levels of assurance for identity proofing and authentication?
  8. This App Knows Exactly Where You Were Standing When You Took A Photo --> cool or creepy?
  9. "CSI: Cyber" Cancelled, Franchise Over --> never watched.... no sad here.