From Security Weekly Wiki

Paul's Security Weekly #556

Recorded April 19, 2018 at G-Unit Studios in Rhode Island!


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Not Kevin
    Senior Security Engineer at Barkly, Co-Founder of Vermont Hackspaces, definitely Not Kevin.

  • Announcements

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket sales are open for the Social Engineering RI Conference, Saturday, June 6th at Salve Regina University in Newport, RI. Go to http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to psw@securityweekly.com.
    • How do you feel about User and Entity Behavior Analytics? What about your SIEM? Check out LogRhythm's webcast on June 14th at 3:00pm-4:00pm.

    Interview: Adrian Sanabria, Savage Security - 6:00PM-6:45PM

    Adrian Sanabria is the Director of Research for Savage Security.

    Adrian is the Research Director and Co-Founder of Savage Security. He spent a decade building security programs and defending large financial firms. He also spent many years as a consultant, performing penetration tests, PCI audits and other security-related assessments. Adrian learned the business side of the industry as a research analyst for 451 Research, working closely with vendors and investors. He is an outspoken researcher and doesn't shy away from the truth or being proven wrong. Adrian loves to write about the industry, tell stories and still sees the glass as half full.

    1. How did you get your start in information security?
    2. What prompted the decision to spend a few years of your career as an analyst?
    3. What does an analyst in information security do exactly?
    4. What is the most challenging thing about being an analyst?
    5. What do analysts get right and what do they tend to get wrong?
    6. If you are working in security today defending an enterprise, how can you best use analysts and analyst data?
    7. What do most enterprises get right when it comes to security? Wrong?
    8. What are some of the hot technologies in security today that actually solve problems for customers?
    9. What are some of the trends that are based on FUD and not here to stay?

    Topic: Penetration Testing Is Dead. Long Live Penetration Testing. - 6:45-7:45PM

    We've spent time defining the value of penetration testing, how we can do them better and how organizations can make the most out of this activity. The question today is, "Do we still need penetration tests?". If you are conducting penetration testing today or in the market for some testing, this segment is for you!

    1. Why should we reconsider penetration testing?
    2. What value do we miss out on if we skip penetration tests?
    3. What technologies can replace, at least in part, penetration tests today?
    4. How do we know our applications are secure if we do not have 3rd party evaluations?
    5. How do attack simulations help to change penetration testing?
    6. How do bug bounties or crowd-sourced penetration tests change the landscape?
    7. What can penetration testers do to provide more value?
    8. PCI requires a penetration test; do you see this changing?

    Security News - 7:45PM-8:30PM

    Paul's Stories

    1. Microsoft built its own custom Linux OS to secure IoT devices - "Each chip includes custom silicon security technology from Microsoft, inspired by 15 years of experience and learnings from Xbox, to secure this new class of MCUs and the devices they power,"
    2. Another Critical Flaw Found In Drupal Core: Patch Your Sites Immediately - Discovered by the Drupal security team, the open source content management framework is vulnerable to a cross-site scripting (XSS) vulnerability that resides in a third-party plugin, CKEditor, which comes pre-integrated in Drupal core to help site administrators and users create interactive content.
    3. Facebook Plans to Build Its Own Chips For Hardware Devices - According to the post, Facebook is looking for an expert in ASIC and FPGA—two custom silicon designs to help it evaluate, develop and drive next-generation technologies within Facebook—particularly in artificial intelligence and machine learning.
    4. The Role of KPIs in Incident Response
    5. Microsoft claims to make Chrome safer with new extension - Chrome already provides effective protection against malicious sites: go somewhere with a poor reputation and you'll get a big, scary red screen telling you that you're about to do something unwise. But Microsoft believes it can do a better job than Google, and it has released a Chrome plugin, Windows Defender Browser Protection, that brings its own anti-phishing protection to Google's browser.
    6. NSA reveals how it beats 0-days - the vast majority of the incidents that the NSA deals with aren’t the latest and greatest in APTs or cutting-edge 0-days – 93% of all security incidents in the last year at the NSA were found to be entirely preventable using best practices they already advocated
    7. Hackers are using botnets to take the hard work out of breaking into networks
    8. The risks of cyber-conflict with Russia
    9. NHS website defaced by hackers
    10. Cloud Credentials: New Attack Surface for Old Problem
    11. IoT Security Concerns Peaking With No End In Sight
    12. Over 2 Million Users Installed Malicious Ad Blockers From Chrome Store
    13. 7 books you must read to be a real software developer
    14. Impregnable: 14 Brilliant Defensive Features of Medieval Castles
    15. Your router might secretly be involved in cyber warfare. Here's how to be safe

    Off-Topic Stories Of The Week

    1. Having Big Genitals Can Spell Evolutionary Disaster, say Paleobiologists

    Larry's Stories

    1. Password/passphrase enforcement under Windows
    2. The end of domain fronting from Google.
    3. Oh, that's NICE. List standard language on hiring for Cyber security
    4. FDA to require updates and better security for medical devices
    5. Robin Wood goes from SNMP to Shell

    Kevin's Stories

    1. Australia joins US and UK in blaming Russian-backed hackers for cyber-attacks "The attacks targeted Cisco routers with “Smart Install” and potentially affected government departments, companies and infrastructure facilities running Cisco equipment."
    2. Stop Using 6-Digit iPhone Passcodes "GrayKey is able to unlock some iPhones in two hours, or three days for phones with six digit passcodes"
    3. Supreme Court Vacates Microsoft Email Privacy Case "The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S."
    4. Facebook moves 1.5bn users out of reach of new European privacy law "Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally."

    Jason's Stories

    1. Microsoft, Facebook and other tech giants join forces on cybersecurity
    2. Why ‘remote detonator’ is a bad name for your Wi-Fi network
