From Paul's Security Weekly

Paul's Security Weekly #568

Recorded July 19, 2018 at G-Unit Studios in Rhode Island!

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Patrick Laverty
    Pentester for Rapid7.
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Announcements

    • We just released our 2018 Listener Survey. Please go to securityweekly.com/survey to help us continue to provide you with quality content that doesn't break the build.
    • Mike Thompson joins us to show you how the threat intelligence space is transforming and what techniques security professionals can apply to stay a step ahead of threat actors by mapping their infrastructure. Register now @ securityweekly.com/domaintools
    • Come to our Pool Cabana @ Black Hat and Def Con to pick up a free copy of "Cyber Hero Adventures". Here you will be able to get the comic book signed by Gary Berman.

    Interview: Davi Ottenheimer, flyingpenguin - 6:00PM-6:45PM

    Davi Ottenheimer
    is the President of flyingpenguin.
    Davi Ottenheimer, President of flyingpenguin, has more than 20 years’ experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is Co-Author of the book Securing the Virtual Environment: How to Defend the Enterprise Against Attack, published in May 2012 by Wiley. An expert in compliance, he was a qualified PCI DSS and PA-DSS assessor (QSA and PA-QSA) with K3DES and a former Board Member for the Payment Card Industry Security Alliance and the Silicon Valley chapters of ISACA and OWASP.

    Davi Ottenheimer is a strategist and author focused on cultural disruptions and defense ethics in emerging data platforms and intelligent machines; for more than twenty years he has led global teams developing and managing secure systems.

    Technical Segment: Chris Spehn, Mandiant's red team - 6:45-7:45PM

    Chris Spehn
    is a consultant on Mandiant's red team.
    Chris 'Lopi' Spehn (@ConsciousHacker) is a consultant on Mandiant's red team. Chris was formerly a penetration tester for major credit card companies and retailers. Chris is also the founder of Illinois State University's first information security club, participated in CCDC for three years, and received first place in National Cyber League 2012.

    Chris is one of the creators of GreatSCT, a tool designed to generate Metasploit payloads that bypass common anti-virus and application whitelisting solutions.

    Security News - 7:45PM-8:30PM

    Paul's Stories

    1. The evolutionary waves of the penetration-testing / vulnerability assessment market - As we see, each new wave doesn't necessarily replace the last -- it's additive. I think this also indicates that the market for assessments has grown considerably, despite those who pooh-pooh pen tests as an example.
    2. The Fundamental Flaw in Security Awareness Programs - I frequently use the example that employees know that they should not watch pornography at work. While compliance requires that this be stressed, employees know that they can be fired without the training. People know and accept the fact that there are practices that they have to adhere to as part of their job responsibility, as a condition of continued employment. Security managers need to utilize this fact and stop abdicating their responsibility to implement security practices into business processes. This is the core function of any person overseeing a critical responsibility.
    3. The SIM Hijackers - But why? Oh: They were now asking Rachel and Adam to give up her @Rainbow Twitter account. In the buzzing underground market for stolen social media and gaming handles, a short, unique username can go for between $500 and $5,000, according to people involved in the trade and a review of listings on a popular marketplace. Several hackers involved in the market claimed that the Instagram account @t, for example, recently sold for around $40,000 worth of Bitcoin.
    4. Roblox blames virtual 'gang rape' on hack - But how? "The incident involved one bad actor that was able to subvert our protective systems and exploit one instance of a game running on a single server." "We have zero tolerance for this behaviour and we took immediate action to identify how this individual created the offending action and put safeguards in place to prevent it from happening again."
    5. Thousands of Mega logins dumped online, exposing user files | ZDNet - We sent the data to Troy Hunt, who runs data breach notification site Have I Been Pwned, to analyze. His analysis pointed to credential stuffing -- where usernames and passwords are stolen from other sites and run against other sites -- rather than a direct breach of Mega's systems. He said that 98 percent of the email addresses in the file had already been in a previous breach collected in his database.
    6. Facebook refuses to remove fake news, but will demote it
    7. The Russians Who Allegedly Hacked the DNC Mined Bitcoin to Fund Their Operation

    WTF Story Of The Week

    1. Florida man, 33, posed as housewife to lure men into home where he'd secretly film sex acts for web, cops say - Social engineering gone wrong

    Jack's Stories

    Doug's Stories

    Jason's Stories

    1. Hackers automate the laundering of money via Clash of Clans
    2. 6 Ways to Tell an Insider Has Gone Rogue
