Episode467

From Paul's Security Weekly

Paul's Security Weekly - Episode 467 - 6:00PM

This week we interview Jon Searles and Will Genovese, the founders of the NESIT hackerspace and organizers of Bsides Connecticut. In listener feedback this week we will answer the question "should you implement your own crypto?" Security news this week will uncover password breaches galore, Facebook listening to your conversations. Also, congrats! You got a new laptop! And a boatload of vulnerabilities out of the box! And, the information security dreaaaaam, dream dream dream dream..... All that and more so stay tuned.

Episode Audio

Recorded June 2, 2016

Interview: Jon Searles and Will Genovese from BSidesCT and NESIT

Will Genovese - Will Genovese is a co-founder of NESIT hackerspace, co-founder of BSidesCT, and Principal Security Consultant with BHaF Security where he specializes in red team penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals. Will has spoken at Defcon, ExCon, and Bsides. In his spare time he enjoys tinkering with embedded hardware design projects using Raspberry Pi and Arduino, and brushing up on OSINT doxxing techniques.

Jon Searles - BSidesCT Organizer

  1. How did you get your start in information security?
  2. What prompted the creation of the NESIT Hackerspace?
  3. What can we expect for Bsides CT this year?
  4. Jon - What keeps you up at night in your current role?
  5. Will - What is the number one thing that people get wrong with security that leads to a successful pen test?
  6. Jon - Do you engage in pen tests for your current organization? Why or why not? What is the value?
  7. Jon - What are some of the technologies you are most concerned about securing from the following list: Mobile, Cloud, or IoT?


  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

  1. BSidesCT 2016
  2. NESIT HackerSpace

Listener Feedback

This is not a technical segment.

Rolling Your Own Crypto?

I'm working for a company that's interested in encrypting fields in its database, and it has given me the assignment. We work with PHP, C#, and JavaScript because we have a website clients can access, so I have the option of writing encryption/key storage/etc. in PHP, and I have been looking at PBKDF2 and OpenSSL for that. MySQL was ruled out for insecure encryption. But I've also heard "don't write your own crypto" because I may, despite my best efforts, put exploits in the code. What can I do to keep the company secure? I know the company wants to host all our own code, e.g. downloading jQuery rather than linking to it. Does that make a difference?
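One way to do what the listener describes without inventing any crypto of your own, as an added example that is not from the show or the listener: field-level encryption in PHP using the openssl extension's AES-256-GCM (an authenticated mode), a fresh random nonce per value, and a key held outside the code. The function names, the column-context string and the sample value are constructed for this example.

```php
<?php
// Added example, not from the show or the listener. Assumes PHP >= 7.1 with the openssl extension.
declare(strict_types=1);
const CIPHER    = 'aes-256-gcm';
const KEY_BYTES = 32;   // 256-bit data-encryption key
const IV_BYTES  = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_BYTES = 16;   // 128-bit authentication tag
// The real key belongs in a secrets store or KMS, not in code and not derived from a
// short password; it is generated here only so the demo runs stand-alone.
function generateKey(): string {
    return random_bytes(KEY_BYTES);
}

// Encrypt one column value. $aad (table, column, row id) binds the ciphertext to its
// context so a ciphertext copied into another row fails to decrypt.
function encryptField(string $key, string $plaintext, string $aad): string {
    if (strlen($key) !== KEY_BYTES) {
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    $iv  = random_bytes(IV_BYTES);   // fresh nonce per value; never reuse one with the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_BYTES);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // One opaque blob per cell: version byte || iv || tag || ciphertext, for a VARBINARY/TEXT column.
    return base64_encode("\x01" . $iv . $tag . $ct);
}

function decryptField(string $key, string $stored, string $aad): string {
    $blob = base64_decode($stored, true);
    if ($blob === false || strlen($blob) < 1 + IV_BYTES + TAG_BYTES || $blob[0] !== "\x01") {
        throw new RuntimeException('malformed or unsupported ciphertext');
    }
    $iv  = substr($blob, 1, IV_BYTES);
    $tag = substr($blob, 1 + IV_BYTES, TAG_BYTES);
    $ct  = substr($blob, 1 + IV_BYTES + TAG_BYTES);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        // Tag mismatch: tampered data, wrong key or wrong context. Return nothing, not partial output.
        throw new RuntimeException('decryption failed: authentication tag mismatch');
    }
    return $pt;
}
// Demo with a constructed sample value and context.
$key    = generateKey();
$aad    = 'customers.ssn:42';
$stored = encryptField($key, '123-45-6789', $aad);
assert(decryptField($key, $stored, $aad) === '123-45-6789');
```

Changing the context string or any byte of the stored blob makes decryptField throw rather than return garbage, which is the property a homegrown unauthenticated scheme usually lacks.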

Security News - 7:00PM-8:00PM

Paul's Stories

  1. Google To Shame Partners That Don't Offer Android Updates Quickly - Google apparently has a list that ranks manufacturers in order of how quickly they update devices to the latest version of Android, currently Marshmallow. I say do it, public shaming works when it comes to security, right?
  2. Reddit Resets 100 - Passwords for everyone! Passwords everywhere! Tumblr, Reddit, LinkedIN, MySpace!
  3. Adobe Flash: 6 Tips For Blocking Exploit Kits - You only need one: Don't install Flash. Bonus: If you have to, use a Flashblocking plugin. What are the other 4?
  4. SandJacking Attack Puts iOS Devices At Risk to Rogue Apps
  5. Facebook Messenger may soon add end-to-end encryption - Let's release a new Facebook app for chatting, because no one else has that. And we will force people to use it. Oh, and don't bother with encryption because privacy sucks, says Facebook. *puke in my mouth a little*
  6. How the Top 5 PC Makers Open Your Laptop to Hackers - Why do I have to run your crappy software? Why can't I just buy the hardware? Why? Why? Why?
  7. Microsoft Windows zero-day exploit hits the market with $90 - WHO CARES?!?!?!?!? Why is this news?!?!?!?!?!
  8. Printer security: Is your company's data really safe?
  9. Myspace data breach: 360 million accounts affected - Time to reset your MySpace account. While you're at it, update your Frappr map, change your Aol username, add some stories to Digg, update your Friendster profile, and add some Del.icio.us bookmarks.
  10. Report: IT Professionals Far Removed From Reality On Security - A new survey of 5,000 US IT executives found 90% of respondents want to detect within one day cyber incidents that could lead to breaches. Dreaaaam, Dream, dream dream, all I have to do is Dream, dream dream dream dream. https://www.youtube.com/watch?v=tbU3zdAgiX8
  11. Your WordPress and Drupal installs are probably obsolete - Of the Top 30 companies in the UK: Of the 773 sites with known versions, 307 have known vulnerabilities referenced in one or more CVEs. That represents 40 per cent of the total number of sites where the version is known and 29% of the overall total. The real percentage of vulnerable CMS instances lies somewhere in between. There is this thing called vulnerability management, have you heard of it? Can I make my argument for cloud now?
  12. Moxa Discontinuing Vulnerable Line of ICS Devices - Moxa, a Taiwan-based networking company, announced recently that instead of patching the line of products affected by the vulnerability, UC 7408-LX-Plus, it would discontinue the devices. Will this impact their business? They also have a not-so-good track record at security, and more importantly, at security response.
  13. Shhhh! Facebook Is Listening - This is just creepy: Facebook's mobile app grants itself access to your microphone. In the NBC report, a woman tested it by talking about a holiday she wanted to take. "I'm really interested in going on an African safari. I think it'd be wonderful to ride in one of those jeeps," she said out loud with her phone in hand. According to the NBC report, under a minute later, the first story in her Facebook feed was about a safari. And a car ad soon appeared on her page.
  14. TeamViewer denies hack
  15. Has TeamViewer Been Hacked? - Lots going on here, looks like you can be duped into installing a trojan version and/or exploited with a Flash vuln. TeamViewer swears it's not a vuln on their site.
  16. Google Feature Finally Addressing The 'I Lost My Phone' Problem - More "my voice is my password" crap from Google: "In the latest Google app you can simply say, 'Ok Google, show me my Google account,' and we'll take you right there."
  17. Lenovo Tells Users to Uninstall Vulnerable Updater - Cross Origin bypass is bad....
  18. Google Patches Two High-Severity Flaws in Chrome
  19. Jeremiah Grossman: 7 Tips to Get the Absolute Best Price from Security Vendors - This is not a bad strategy. The only downside I see is if you need to send email as one of the aliases. I had to do this recently, huge PITA.

Larry's Stories

Joff's Stories

Jack's Stories

Kevin's Stories

  1. Lenovo Tells Users to Uninstall Vulnerable Updater
  2. Out-of-Box Exploitation: A Security Analysis of OEM Updaters
  3. Expansion of Secret National Security Letters – A Poison Pill for Email Privacy

Michael's (Santa) Stories