From Security Weekly Wiki

Paul's Security Weekly - Episode 501

Episode Audio

Recorded February 16, 2017


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Infosec analyst, pioneering ex-NSA pen tester, PCI specialist, Tribe of Hackers, InfoSec Curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.


  • ITPro.TV courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, Penetration Testing, Ethical Hacking v9. ITProTV is introducing a new membership level soon. All current Premium Members will be granted the highest membership level available, so sign up today! Visit itpro.tv/securityweekly and use code SW30.
  • InfoSecWorld - Your 10% off discount code to promote to your members is OS17-SW. This will give them 10% off the main conference or the World Pass.
  • SCADA Security has always been, and continues to be, a hot topic in our industry. Our sponsor Waterfall Security is offering a free book for the first 100 listeners to register titled "SCADA Security: What's Broken and How To Fix It" by Andrew Ginter, Waterfall's VP of Industrial Security. Visit http://securityweekly.com/scada to get your free copy today!
  • Attend the InfoSecWorld conference on April 3-5 in Orlando, Florida: tons of great talks, and Security Weekly listeners get 10% off by using the code OS17-SW. Find out more at infosecworld.misti.com
  • Attend SOURCE Boston on April 24-27th for training and awesome talks! Use the code SECURITYWEEKLY for $100 off either a conference ticket or one of the trainings. Find out more at sourceconference.com

Interview: David Conrad: ICANN's Role in DNS - 6:00PM-7:00PM

David Conrad

David Conrad is a long-time and active participant in Internet infrastructure, development, and operations. As the CTO of ICANN, David is at the heart of the organization’s mission to help maintain the security, resiliency and stability of the global Internet. Prior to being named CTO, David held several different positions at ICANN, including Vice President of Infrastructure & Technology. Before joining ICANN, he helped found several Internet startups, including Nominum, a firm focused on Internet name and address management products and services, and Internet Engines, a startup aimed at providing products and services for software relating to the Internet Systems Consortium.

Tech Segment: Slipping Executables Past Firewalls with Carrie Roberts, Black Hills InfoSec - 7:00-7:30PM

Carrie joined Black Hills InfoSec after working for HP's Global Cyber Security group, where she worked as a network penetration tester. Prior to that position, she was a web application developer and an application developer for PCs and mobile devices. Carrie frequently presents at numerous InfoSec conferences.

Carrie's Full Blog Post on this topic can be found here

Security News - 7:30-8:30PM

Paul's Stories

  1. The More Infosec Changes, the More it Stays the Same - Preach it brother! Authentication is killing us, vendors are still putting out software/hardware with no security, vendors are making laughable claims, organizations are not fixing stuff.
  2. Microsoft February Patch Tuesday Now Rolled into March Update, (Thu, Feb 16th) - Oh, BTW, we're just gonna go ahead and skip Feb 2017 patch Tuesday, k, thx, bye <3 MS. WTF!
  3. RSA 2017: Microsoft Word Intruders step outside Office for the first time - And they are switching back to Flash!
  4. Retailers push back against plans to boost security of online shopping - And let the password debate begin: There will be some lost sales as we saw when we implemented the Verified by Visa/MasterCard SecureCard [scheme]. Not because people are put off, but because people forget their password and simply can’t complete the purchase.
  5. Duqu Malware Techniques Used by Cybercriminals - Meterpreter, Mimikatz and PowerShell; for the defenders out there, this should not be a secret.
  6. Schneier Brings Campaign for IoT Regulation to RSA - Not sure I agree completely with this approach: Schneier believes that by getting technologists involved in policy it could create a viable career path, like public interest attorneys. It would also stop policy writers and security experts from talking past each other, a la last year’s Apple vs. FBI saga.
  7. No Firewalls, No Problem for Google - This is awesome: The solution was to flip the problem on its head and treat every network as untrusted, and grant access to services based on what was known about users and their device. All access to services, Adkins said, must then be authenticated, authorized and on encrypted connections.
  8. Cris Thomas on Cyberwar Rhetoric
  9. How to Run a Database Vulnerability Scan with Scuba
  10. Researchers Discover Over 170 Million Exposed IoT Devices
  11. HP Hires Christian Slater To Hack Companies For Fun
  12. Xen Project Asks To Limit Security Vulnerability Advisories
  13. New ASLR-busting JavaScript is about to make drive-by exploits much nastier