From Paul's Security Weekly

Paul's Security Weekly - Episode 486

Episode Audio

Recorded: October 20, 2016


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.


  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.
  • (webcast announcement)

Interview: Adrien de Beaupré - "So You Wanna Be A Pen Tester?" - 6:00-7:00PM

So do you really want to be a penetration tester? We get these questions all the time, and Adrien does too, such as:

  1. What are the top 10 coolest, most important hacking tools for penetration testers?
  2. What are the top 10 skills that are important to become the world's greatest hacker? Answer? Make up lots of lies, plagiarize, and write a book!
  3. How do I become the "bestest" cyber hacker?
  4. Can you hack my buddy's Hotmail for me?
  5. Do I need a cool hacker handle?
  6. Do I really need to learn all that stuff to be a cool hacker?
  7. Do I really have to work hard for many years to be a pentester?
  8. I have a $CERT or degree in <insert random cert here> so that makes me an expert!

Listener Feedback: Fixing Pen Test Findings and XMLRPC - 7:00PM-7:30PM

Ed Writes In

Not that long ago "people" started hitting some of our WordPress servers fairly hard via xmlrpc.php and I've taken steps to stop that. Many of the references about this that I've seen are dated and I haven't come across what there is to gain from this activity. Is there something more to this activity than just a DoS that you know of?

John Writes In

Hi Paul,

Your shows are totally awesome. Both Security Weekly and Enterprise Weekly are compulsory listening for anyone involved in infosec.

I'm interested in your approach to remediation of vulnerabilities found in penetration test reports from a timescale viewpoint. Every business will have their own risk appetite and may also be subject to regulatory compliance, but for the average enterprise they are normally presented with categories such as critical, high, medium and low scored against CVSS. Is there a standard or formula or industry best practice that sets expectations of timescales?

Any nugget of insight would be great.

Thanks John

Security News - 7:30PM-8:30PM

Paul's Stories

  1. Webcams Used To Attack Twitter And Reddit Recalled
  2. Windows 10 Vulnerability AtomBombing Can Bypass Security Software
  3. Disappearing Messages Added to Signal App
  4. IoT Devices as Proxies for Cybercrime
  5. Telnet, SSH prod of death smashes Cisco broadband boxes offline
  6. How Hackers Plant False Flags to Hide Their Real Identities | Motherboard
  7. Nuclear Power Plant Disrupted by Cyber Attack
  8. JTAG Explained (finally!): Why "IoT" Makers, Software Security Folks, and Device Manufacturers Should Care - Senrio
  9. We're Not Going To Beat Cybercrime In Our Lifetime
  10. MITRE Will Give You $50k To Fingerprint Rogue IoT Devices
  11. IoT Malware Has Apparently Reached Almost All Countries
  12. Sex robots with warm skin to hit dating scene and could benefit relationships
  13. 4 cybersecurity trends you need to be aware of
  14. Yahoo's CISO resigned in 2015 over secret e-mail search tool ordered by feds
  15. Hack Crashes Linux Distros with 48 Characters of Code

Larry's Stories

  1. Image Steganography for C2 - interesting on the use of Instagram, and overcoming challenges to refactoring and compression.
  2. Screwing up Fake Identities 101 - useful for those accounts for phishing/redteaming.
  3. Hourly IP to ASN downloadable “database” - Because reasons. Thanks Ben.

Joff's Stories

Michael's (Santa) Stories

Carlos's Stories

Jack's Stories