Episode511

From Paul's Security Weekly
Jump to: navigation, search

Paul's Security Weekly - Episode 511

Episode Audio

Recorded on April 27, 2017

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Carlos Perez
    is currently the Principal Consultant, Team Lead for Research at TrustedSec.
  • Announcements

    Interview: Mimi Herrmann, Taylor and Francis - 6:00PM-7:00PM

    Mimi Herrmann [1]


    Mimi Herrmann is a Network Security engineer currently living in the Washington DC area. She has been in security for over 20 years, doing about a million different things, some of it working for security vendors and some working for users. Currently, Mimi works with the company that creates and maintains all the systems that your Motor Vehicle Administration or DMV connect to when you get a license or register a car, doing pretty much every security related thing you can imagine.

    Tech Segment: Staying Secure at Hacker Conferences, Part 2 - 7:00-7:30PM

    Note: Laptops (Macs) were stolen at a conference, story from a friend.

    11. Never plug your device, phone or laptop, into anything. E.g. Do NOT charge your phone on a public or any USB charging port, ever. Do not plug your laptop into any Ethernet port, ever. Bring a battery pack and appropriate cables to charge your devices.

    12. Never, ever, go to a URL that someone tells you to go to or sends you in a message. Also, never click on a 3d barcode and go to the website inside the barcode, ever.

    13. Do not leave your badge for the conference unattended or let anyone borrow your badge, ever.

    14. Never use an ATM machine or anything that takes credit cards that is not being operated by a person (use discretion, and be aware if you have to use a parking meter, and realize this rule mostly only applies to Defcon).

    15. Always have each other's numbers on your phone, and only ever use Signal to send text messages to each other. See Paul for additional lists of trusted contacts at each conference that you can contact if there is an emergency or you are in varying degree of trouble (e.g. I lost my wallet, I can't find my room, I've had too much to drink and require assistance, I can't find my pants, I am stranded at a party/strip club/gas station/underground poker tournament, I've been arrested, There is a dead hooker in my room, I am trapped in an elevator, I can't find the party, I've been kidnapped by ninjas, etc.. etc...).

    16. On any device you bring to the conference, all of the software and operating systems must be up-to-date. This means your phone is on the latest IOS/Android AND ALL of the apps are updated to the latest version.

    17. If an application is acting funny, error messages, SSL certification errors, or anything that does not seem normal, abort immediately. Never enter your password in this situation, and consider wiping the device at this point in the game.

    18. Any Passports, credit cards, or other access cards with RFID should be left at home or stored in a wallet that blocks all radio communications.

    19. Never tell anyone your room number, and never write down your room number on your key or anything that could be associated with your room key. Put a towel in the door handle and put all electronics in the safe.

    20. Never leave your laptop in your room. If you must, always put the Do Not Disturb/Privacy sign on your door. You don't wait the cleaning staff letting someone into your room to steal your laptop. Also, always lock your hotel room door, use the additional safety latch, and roll up a towel and put it inside the handle to prevent someone from pulling the handle down with a device.

    Security News - 7:30-8:30PM

    Paul's Stories

    1. Advances in Ad Blocking
    2. BGP Hijacking: The Internet is Still/Again Broken, (Thu, Apr 27th)
    3. Murder victims Fitbit contradicts husbands version of events
    4. Lack of Security Talent Afflicts Healthcare
    5. Attack Method Highlights Weaknesses in Microsoft CFG
    6. A vigilante is putting a huge amount of work into infecting IoT devices
    7. Researcher Finds LastPass 2FA Could Become 1FA
    8. Canada Just Ruled To Uphold Net Neutrality
    9. Microsoft Fails Massively Getting Rid Of Security Bulletins

    Joff's Stories

    Carlos's Stories