Episode564

From Paul's Security Weekly

Paul's Security Weekly #564

Recorded June 14, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jeff Man
    Cryptanalyst,
    infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
Announcements

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket sales are open for the Social Engineering RI Conference, Saturday, June 6th at Salve Regina University in Newport, RI. Register at http://se-ri.org/.

    Interview: Jason Haddix, BugCrowd - 6:00PM-6:45PM

    Jason Haddix
    is the VP of Trust and Security at Bugcrowd.
    As the Vice President of Trust & Security Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry’s relations with researchers. Jason’s interests and areas of expertise include mobile penetration testing, black box Web application auditing, network/infrastructural security assessments, and static analysis. Before joining Bugcrowd, Jason was the director of penetration testing for HP Fortify, and also held the #1 rank on the Bugcrowd leaderboard for 2014. (He currently holds the #11 rank.)

    Jason Haddix Github: https://github.com/jhaddix


    Technical Segment: Bug Bounty Hunting, Keith Hoodlet - 6:45PM-7:45PM

    Keith will be talking through some of the tools, techniques, and procedures he uses to perform recon, identify targets of interest, and report findings faster and easier.


    Learning:

    Jason Haddix - The Bug Hunter's Methodology v3(ish)

    Tools:

    Bugcrowd programs

    Keith's Bugcrowd public profile

    Keith's Scripts

    Amass Subdomain Enumeration

    SubFinder Subdomain Discovery

    HUNT Burp plugin by Jason Haddix & JP Villanueva at Bugcrowd

    httpscreenshot Docker container

    GoBuster

    JSParser Docker container

    Gitrob

    SimpleMind

    XMind

    Addons:

    00.) FoxyProxy Standard

    01.) Tree Style Tab

    02.) Wappalyzer

    03.) Open Multiple URLs

    04.) Wayback Machine

    05.) Multi Link Plus

    Sites:

    Hurricane Electric

    ViewDNS.info

    OWASP Testing Guide

    Bugcrowd Researcher Tutorials
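    The recon tools above (Amass, SubFinder) each print one hostname per line, and the next stage (httpscreenshot, GoBuster) wants a clean, de-duplicated list of hosts that are actually inside the program's scope. The script below is an added example written for these notes, not code from the segment or from any of the listed projects: it merges constructed sample output from the two enumeration tools, normalises it, and drops anything the (constructed) Bugcrowd-style scope does not cover. The scope matching is label-based, so `notexample.com` never slips in under `*.example.com`, and out-of-scope exclusions win over inclusions.

```python
"""Merge subdomain-enumeration output and keep only in-scope hosts.

Added example for the recon workflow in these show notes; the tool output and
the scope lists below are constructed, not real program data.
"""
import re
from typing import Iterable, List, Optional, Set

# Constructed sample output, one hostname per line, as amass/subfinder print it.
AMASS_OUT = """\
www.example.com
api.example.com.
Dev.Example.com
mail.example.com
www.example.com
*.example.com
"""

SUBFINDER_OUT = """\
api.example.com
staging.example.com
example.com.evil.test
notexample.com
legacy.example.org
admin.corp.example.com
"""

# Constructed scope in the wildcard style most bounty briefs use (assumption).
IN_SCOPE = ["*.example.com", "example.com", "*.example.org"]
OUT_OF_SCOPE = ["mail.example.com", "*.corp.example.com"]

# Plain DNS hostname: labels of [a-z0-9-], no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


def normalize(line: str) -> Optional[str]:
    """Lower-case, strip the FQDN trailing dot, reject wildcards and junk lines."""
    host = line.strip().lower().rstrip(".")
    if not host or not HOSTNAME_RE.match(host):
        return None
    return host


def matches_scope(host: str, pattern: str) -> bool:
    """'*.example.com' matches proper subdomains of example.com (not the apex);
    a bare name matches exactly. Suffix check is anchored on a dot, so
    'notexample.com' does not match '*.example.com'."""
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host != suffix and host.endswith("." + suffix)
    return host == pattern


def in_scope(host: str, include: Iterable[str] = IN_SCOPE,
             exclude: Iterable[str] = OUT_OF_SCOPE) -> bool:
    """Exclusions take precedence: a host matching any out-of-scope entry is dropped."""
    if any(matches_scope(host, p) for p in exclude):
        return False
    return any(matches_scope(host, p) for p in include)


def merge(*outputs: str, include: Iterable[str] = IN_SCOPE,
          exclude: Iterable[str] = OUT_OF_SCOPE) -> List[str]:
    """Combine several tools' output into one sorted, de-duplicated, in-scope host list."""
    seen: Set[str] = set()
    for text in outputs:
        for line in text.splitlines():
            host = normalize(line)
            if host and in_scope(host, include, exclude):
                seen.add(host)
    return sorted(seen)


if __name__ == "__main__":
    # Feed this list to httpscreenshot / gobuster instead of the raw tool output.
    for h in merge(AMASS_OUT, SUBFINDER_OUT):
        print(h)
```

    On the constructed input this yields five hosts: the two `www.example.com` lines collapse to one, `api.example.com.` and `Dev.Example.com` are normalised, the wildcard line and `example.com.evil.test` are discarded, and `mail.example.com` and `admin.corp.example.com` are removed by the exclusion list.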

    Security News - 7:45PM-8:30PM

    Paul's Stories

    Security

    1. Malicious Docker Containers Earn Cryptomining Criminals $90K
    2. The First Lady's bad cyber advice
    3. InfoSec Handlers Diary Blog - From Microtik with Love
    4. Librarian Sues Equifax Over 2017 Data Breach, Wins $600 - “The small claims case was a lot more about raising awareness,” said West, a librarian at the Randolph Technical Career Center who specializes in technology training and frequently conducts talks on privacy and security.
    5. Smart lock can be hacked 'in seconds' - The "major flaw" in its design is that the unlock key for the device is easily discovered because it is generated from the Bluetooth Low Energy ID that is broadcast by the lock. Anyone with a smartphone would be able to pick up this key if they scanned for Bluetooth devices when close to a Tapplock. Using this key in conjunction with commands broadcast by the Tapplock would let attackers successfully open any one they found, said Mr Tierney.
    6. 8 Point Security Checklist For Containers
    7. Which Android phones get regular security updates?
    8. US senators get digging to find out the truth about FCC DDoS attack
    9. AI, SOAR, Containers: Investors Predict What's Next For Cybersecurity
    10. Not everyone is so hot about this free USB fan handed to journalists at Trump-Kim summit

    Cool Story Of The Week

    1. Neighbors of Cold War Air Force deserter knew him as 'Tim' - On June 5, during a passport fraud investigation, the US Department of State's Diplomatic Security Service interviewed an individual claiming to be Barry O'Beirne. After being confronted with inconsistencies about his identity, the individual admitted his true name was William Howard Hughes Jr., and that he deserted from the US Air Force in 1983.
    2. Missing Air Force officer found 35 years later - Hughes was involved in classified planning and analysis of NATO’s control, command and communications surveillance systems during the Cold War. He specialized in radar surveillance.
    3. Air Force officer who vanished at height of Cold War turns up in Calif.

    Random and Potentially Interesting Stories

    1. Pennsylvania driver allegedly defecates on another man in road-rage incident - A Pennsylvania man on Friday allegedly defecated on a fellow driver after the two engaged in a road rage argument. How the...?
    2. Researchers Studied 160 Million Memes and Found Most of Them Come From Two Websites - When looking at individual subreddits, we find that The Donald is the most active one when it comes to posting memes in general. It is also the subreddit where most racism and politics related memes are posted.
    3. 11 behaviors that indicate you're a 'problem employee'

    Jeff's Stories

    Keith's Stories
