From Security Weekly Wiki

Paul's Security Weekly - Episode 506


Recorded March 23rd, 2017


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Infosec analyst
    Pioneering ex-NSA pen tester
    PCI specialist
    Tribe of Hackers
    InfoSec Curmudgeon
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.


SOURCE Boston:

1) Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more. Who should take this course: Anyone who wants to learn about modern methods of attack used by today's top bug hunters. Instructor: Dawid Czagan, Silesia Security Lab

2) NCC Group Secure Coding Training in C and C++ - Who should take this course: Anyone who wants to improve the overall security of any C or C++ application. Instructor: Robert C. Seacord, NCC Group

More details: http://www.sourceconference.com/boston-2017-training

To register: http://www.sourceconference.com/

Interview: Ferruh Mavituna, NetSparker - 6:00PM-7:00PM

Ferruh Mavituna from Netsparker[1]

Ferruh Mavituna is the Founder and Product Manager of Netsparker. He developed the first and only proof-based web security scanner, with state-of-the-art, accurate vulnerability detection and exploitation features, used by thousands of companies around the world today. From 2002 to 2006 he worked for the Turkish Army and Police. Ferruh is a frequent speaker at conferences on Web Application Security and has released several research papers and tools. Netsparker Hawk: https://www.netsparker.com/blog/docs-and-faqs/netsparker-hawk-detects-ssrf-out-of-band-vulnerabilities/

  1. What is it? Why is it needed?
  2. How does it work?
  3. What type of vulnerabilities does it find that a normal black box approach does not find?
  4. How reliable is it? Egress filtering etc...
  5. How does the framework verify the identified vulnerabilities?
  6. What about privacy? (Customers can deploy their own private DNS servers.)

Arlo HD Security Camera[2]

Tech Segment: Arlo Wireless Camera System Security

Arlo is a Netgear product line featuring wireless, battery-powered cameras. They are updated frequently and can be managed from a cloud-based web interface or a mobile app. The cameras are of decent quality, though the motion settings are not reliable; overall it's a good system for the price. However, I do have some security concerns, along with some more information:

The Bad

  1. No two-factor authentication - Fingerprint on mobile serves as one factor, but there is no second factor.
  2. Blackbox - Both the cameras and the controllers are 100% controlled from the cloud. Some models have an SD card, but no cloud means no management.
  3. No Security Settings - Encryption? No settings. Information about DoS protection? Very Little. (Some information: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-does-NETGEAR-keep-my-Arlo-videos-private-and-secure-in-the/ta-p/3003)
  4. Steal My Camera - You can just grab it and use it on your own network. Tips on protecting your cameras: https://community.netgear.com/t5/Arlo-Idea-Exchange/Theft-Deterrent/idi-p/532

The Good?

  1. Firmware updates: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-do-I-update-my-Arlo-firmware-manually/ta-p/4736 - Firmware updates are released automatically to all connected Arlo devices. Automatic updates happen between 3:00 a.m. and 5:00 a.m. to minimize camera downtime.
  2. Vulnerability (fixed): https://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability?cid=wmt_netgear_organic - Arlo WiFi Default Password Security Vulnerability
  3. Another Vulnerability (fixed): http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/ and this: http://blog.newskysecurity.com/2016/09/factory_reset_vuln_in_netgear_arlo/

Tech Segment: Secure Online Backups with Don Pezet, ITProTV - 8:00-8:30PM

Don Pezet of IT Pro TV[3]