Paul's Security Weekly - Episode 506
Recorded March 23rd, 2017
1) Hacking Web Applications - Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More
Who should take this course: Anyone who wants to learn about modern methods of attack used by today's top bug hunters
Instructor: Dawid Czagan, Silesia Security Lab
2) NCC Group Secure Coding Training in C and C++
Who should take this course: Anyone who wants to improve the overall security of any C or C++ application
Instructor: Robert C. Seacord, NCC Group
More details: http://www.sourceconference.com/boston-2017-training
To register: http://www.sourceconference.com/
Interview: Ferruh Mavituna, NetSparker - 6:00PM-7:00PM
Ferruh Mavituna is the Founder and Product Manager of Netsparker. He developed the first and only proof-based web security scanner with state-of-the-art, accurate vulnerability detection and exploitation features, used by thousands of companies around the world today. From 2002-2006, he worked for the Turkish Army and Police. Ferruh is a frequent speaker at several conferences about Web Application Security and has released several research papers and tools.
Netsparker Hawk: https://www.netsparker.com/blog/docs-and-faqs/netsparker-hawk-detects-ssrf-out-of-band-vulnerabilities/
- What is it? Why is it needed?
- How does it work?
- What type of vulnerabilities does it find that a normal black box approach does not find?
- How reliable is it? (Egress filtering, etc.)
- How does the framework verify the identified vulnerabilities?
- What about privacy? (Customers can deploy their own private DNS servers.)
Tech Segment: Arlo Wireless Camera System Security
Arlo is a Netgear product line featuring wireless battery-powered cameras. They do update frequently and allow you to manage them from a cloud-based web interface or a mobile app. The cameras are decent quality and the motion settings are not reliable, but overall it's a good system for the price. However, I do have some security concerns, along with some more information:
- No two-factor authentication - Fingerprint on mobile as one factor, but no second factor.
- Blackbox - Both the cameras and the controllers are 100% controlled from the cloud. Some models have an SD card, but no cloud means no management.
- No Security Settings - Encryption? No settings. Information about DoS protection? Very little. (Some information: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-does-NETGEAR-keep-my-Arlo-videos-private-and-secure-in-the/ta-p/3003)
- Steal My Camera - You can just grab it and use it on your own network. Tips on protecting your cameras: https://community.netgear.com/t5/Arlo-Idea-Exchange/Theft-Deterrent/idi-p/532
- Firmware updates: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-do-I-update-my-Arlo-firmware-manually/ta-p/4736 - Firmware updates are released automatically to all connected Arlo devices. Automatic updates happen between 3:00 a.m. and 5:00 a.m. to minimize camera downtime.
- Vulnerability (fixed): https://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability?cid=wmt_netgear_organic - Arlo WiFi Default Password Security Vulnerability
- Another Vulnerability (fixed): http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/ and this: http://blog.newskysecurity.com/2016/09/factory_reset_vuln_in_netgear_arlo/