From Paul's Security Weekly

Paul's Security Weekly #565

Recorded June 21, 2018 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Interview: Galen Hunt, Microsoft - 6:00PM-6:45PM

    Galen Hunt is a Distinguished Engineer & Director at Microsoft.
    He founded and leads the team building Azure Sphere, announced at RSA Conference 2018. Our goal is to make IoT safe for society. Azure Sphere provides an end-to-end solution that enables any device manufacturer to create highly secured devices: devices possessing all 7 Properties of Highly Secured Devices.

    He is part of the launch team for Microsoft Research New Experiences and Technologies organization (MSR NExT). In addition to building Azure Sphere, he also manages the Operating Systems Technologies Group. Previously, he led the Operating Systems and Distributed Systems Group as Principal Researcher.


    1. How did you get your start in software and operating systems?
    2. What are some of the problems with IoT security today?
    3. What were the initial challenges you faced when designing a security architecture for Azure Sphere?
    4. Tell us about the new chip that has Wifi and enough resources to support the platform
    5. The SoC has a processor, RAM, Flash and a Wifi radio? Aren't these usually separate chips even in IoT devices?
    6. Tell us about the Azure Sphere architecture as a whole. There is a cloud component, correct?
    7. What lessons did you learn from the Xbox Console team?
    8. So, you work for Microsoft and have access to Windows, why did the team choose Linux?
    9. How are you evangelizing and incentivizing IoT companies to use the new platform?


    The Seven Properties of Highly Secure Devices

    1. Hardware-based Root of Trust
    2. Small Trusted Computing Base
    3. Defense in Depth
    4. Compartmentalization
    5. Certificate-based Authentication
    6. Renewable Security
    7. Failure Reporting

    Technical Segment: Starting to Write Nmap Scripts A little Lua and NSE to get you started - 6:45-7:45PM

    Everyone loves using Nmap and the Nmap Scripting Engine. We don't always write NSE scripts, though. Writing scripts for Nmap can be a bit intimidating at first, but they aren't too bad to get started on. In this tech segment, we will talk a bit about Lua, writing NSE scripts, and then write a couple of simple scripts to interact with WordPress. Presented by Jason Wood, Founder of Paladin Security.

    Download Jason's slides here: Starting to Write Nmap Scripts A little Lua and NSE to get you started

    Jason Wood is the Founder of Paladin Security and has worked in IT and security for longer than he cares to believe possible. Starting out as a lowly sysadmin in the dotcom implosion, he became a trainer, and eventually a penetration tester.
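    A minimal NSE script of the kind this segment is about, added here as an illustration (it is not from Jason's slides). It shows the four header fields every script needs, a portrule, and an action that uses the NSE http library to report the WordPress generator tag, so you can inventory the WordPress versions running on web servers you administer; the script name and author string are made up.

```lua
-- wp-generator.nse (constructed example, not part of the original show notes)
-- Every NSE script needs these four header fields; Nmap reads them
-- when it loads the script and when you run --script-help.
description = [[
Fetches the web root and reports whether the response carries a
WordPress "generator" meta tag, for inventorying your own web servers.
]]

author = "example author"   -- placeholder
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- NSE libraries: http does the request, shortport supplies a ready-made
-- portrule, stdnse gives structured output helpers.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- portrule decides which open ports the action runs against;
-- shortport.http matches the usual HTTP/HTTPS ports and service names.
portrule = shortport.http

-- action does the work; whatever it returns is printed under the port
-- in the scan output, and returning nil prints nothing.
action = function(host, port)
  local resp = http.get(host, port, "/")
  if not resp or not resp.body then
    return nil  -- no usable response from this port
  end

  -- A default WordPress install emits a tag such as
  -- <meta name="generator" content="WordPress 4.9.6" />
  local version = resp.body:match(
    '<meta name="generator" content="WordPress ([%d%.]+)"')
  if not version then
    return nil  -- not WordPress, or the generator tag was removed
  end

  local out = stdnse.output_table()
  out.cms = "WordPress"
  out.version = version
  out.http_status = resp.status
  return out
end
```

    Run it with `nmap -p 80,443 --script ./wp-generator.nse <host you administer>`; a site that strips the generator tag produces no output, which is the expected quiet failure rather than an error.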

    Security News - 7:45PM-8:30PM

    Paul's Stories

    1. Past Its Prime - The Hacker Factor Blog
    2. Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill - Schneier on Security
    3. Ridiculously Insecure Smart Lock - Schneier on Security
    4. Algeria Shut Down the Internet to Prevent Students from Cheating on Exams - Schneier on Security
    5. So long! The internet's most inept criminal goes to jail
    6. Millions of Roku and Sonos Devices Easily Hacked: What to Do - A better explanation: https://pastebin.com/raw/53HcBbmR
    7. '90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years
    8. Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke - Enter WebUSB, which allows websites to access USB devices. Vervier and Orru found they could craft webpages that masquerade as real sites, such as facebook.com, and could still read from YubiKey tokens. Such a malicious phishing site could therefore trick victims into handing over their Facebook username, password, and two-factor code, and log in as them to cause havoc.
    9. Um, excuse me. Do you have clearance to patch that MRI scanner? - They are really not investing too much effort into upgrading the previously sold medical devices because of security reasons. They might fix something because of health issues very quickly but they're not really looking into improvements that need to be made to [existing] equipment because of cybersecurity. Hospitals, on the other hand, have their arms tied because they cannot change the settings on medical equipment. What if I told you that a security issue IS a potential health issue?
    10. How a Nigerian Prince scam victim got his money back after 10 years - Interesting: Following a January 2017 settlement with the US Department of Justice (DOJ) and Federal Trade Commission (FTC), Western Union agreed to pay $586 million into a fund earmarked for repaying victims in the US and Canada, admitting that it turned a blind eye as some of its employees conspired with scammers and used its service for money laundering and fraud.
    11. Meet 'Bro': The Best-Kept Secret of Network Security - In a nutshell, Bro transforms network traffic — in all its volume, variety, and downright weirdness — into exceptionally useful real-time data for security operations. Looks like the newer 16.04 Security Onion release includes an ELK stack, solidifying SO as the platform of choice for Bro and network analysis in the open-source space.

    WTF Stories Of The Week

    1. Couple Arrested For Selling Golden Tickets To Heaven - This story is unbelievable:
      1. The couple, who sold the tickets on the street for $99.99 per ticket, told buyers the tickets were made from solid gold and each ticket reserved the buyer a spot in heaven — simply present the ticket at the pearly gates and you’re in.
      2. The tickets were just wood spray painted gold with ‘Ticket To Heaven – Admit One’ written in marker.
      3. I don’t care what the police say. The tickets are solid gold… it ain’t cut up two by fours I spray painted gold. And it was Jesus who give them to me behind the KFC and said to sell them so I could get me some money to go to outer space. I met an alien named Stevie who said if I got the cash together he’d take me and my wife on his flying saucer to his planet that’s made entirely of crack cocaine. You can smoke all the crack cocaine there you want… totally free. So, try to send an innocent man to jail and see what happens. You should arrest Jesus because he’s the one that gave me the golden tickets and said to sell them. I’m willing to wear a wire and set Jesus up…
      4. We just wanted to leave earth and go to space and smoke rock cocaine. I didn’t do nothing. Tito sold the golden tickets to heaven. I just watched.
    2. We Asked People About the Time They Got so High They Called 911 - I think he just had the munchies: I’ve been a police dispatcher for over 20 years. We don’t get too many calls [about weed], but the most recent one was this elderly guy. He’d eaten a bunch of edibles, and it just went right to his head. He must have been in his 70s or 80s, and the whole family was just totally mortified and embarrassed. He was all of a sudden just dancing and yelling and screaming—his family couldn’t even contain him in his own yard. He wandered off down the street—they were trying to coax him back into the house. He went into a bank, into a McDonald’s, he just wandered everywhere, and put on a sort of show for everyone he saw.

    Larry's Stories

    1. Insider at Tesla stole all the GBs
    2. Commercial airplane hack just a matter of time
    3. China/German Linkedin espionage
    4. Phishing with fonts
    5. 65% of US small businesses fail to act after a cyber attack

    Jason's Stories

    1. Don’t download it! Fake Fortnite app ends in malware…
    2. The girls who used WhatsApp to learn under the noses of IS
