Paul's Security Weekly #584
Recorded November 29, 2018 at G-Unit Studios in Rhode Island!
Announcements
- If you are interested in quality over quantity and in having meaningful conversations instead of just a badge scan, join us April 1-3 at Disney's Contemporary Resort for InfoSec World 2019, where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
- Join us for our Webcast with Chronicle entitled "Intelligence Powered Malware Hunting". This webcast will be held December 5th @3-4pm EST. Go to securityweekly.com/chronicle to register now!
Interview: Wietse Venema & Dan Farmer, SATAN - 6:00-7:00PM
Dan Farmer is an American computer security researcher and programmer who was a pioneer in the development of vulnerability scanners for Unix operating systems and computer networks. He is known for the Computer Oracle and Password System (COPS), a host-based scanner he released in 1989, and for the Security Administrator Tool for Analyzing Networks (SATAN).
In 1995, Farmer and Wietse Venema (a Dutch programmer and physicist) developed a second vulnerability scanner, SATAN, which probed hosts over the network rather than from inside the system. When they published it, some network administrators and law enforcement personnel believed that attackers would use it to identify and break into vulnerable computers; SGI terminated Farmer's employment as a result. Within a few years, the use of vulnerability scanners such as SATAN became an accepted method for auditing computer and network security.
- How did you get your start in information security?
- How did the two of you meet?
- Dan, What (or who) prompted you to begin work on COPS, The Computer Oracle and Password System?
- How did UNIX systems administrators receive COPS? Were many even thinking about hardening systems in 1989?
- Are all 12 of the conditions tested by COPS still valid controls on systems today?
- Many believe that discovering vulnerabilities on the system itself is better than scanning over the network, yet you went on to develop a network vulnerability scanner with Wietse, why the change in strategy?
- What was the problem you were trying to solve when you first decided to write SATAN?
- What was the motivation behind giving SATAN away for free?
- How was SATAN received by the security community and others?
- What did you write SATAN in and how did users interact with it?
- When and why did you stop developing SATAN and how come you decided not to turn it into a commercial project?
- Other than your monitor spinning in circles, how else could you detect if your system was being scanned by SATAN?
- SATAN, despite the name, was intended for good, though some may have used it for malicious purposes. Was this a concern back then?
- After SATAN you both collaborated on The Coroner's Toolkit (or TCT), what were the goals of this project?
- Do you still review bug reports and/or feature requests for your open-source projects?
- How has the security of open-source software changed over time, or has it?
- What advice do you have for people just getting into the security field today?
PS. I love this: https://archive.org/details/nc101_hackers
Tech Segment: Sven Morgenroth, Netsparker - 7:00PM-7:30PM
Sven will talk about PHP Object Injection vulnerabilities and explain the dangers of PHP's unserialize() function. He will show the format of serialized PHP objects, explain PHP's magic methods, and walk through writing an exploit for a PHP Object Injection vulnerability during his technical demo.
Security News - 7:30 - 8:30PM
- Insiders Are Serious Threats to Cybersecurity in an Organization - Workforce - No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who wants to cause harm to do damage.
- Kubernetes Security: Are your Container Doors Open?
- Netflix Information Security: Preventing Credential Compromise in AWS
- Hackers Breach Dunkin Donuts Accounts in Credential Stuffing Attack
- The Return of Email Flooding - In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.
- Researchers Introduce Smart Greybox Fuzzing | SecurityWeek.Com - In coverage-based greybox fuzzing, the fuzzer is provided a seed file and it randomly flips, deletes, copies or adds bits in order to generate new files that can be parsed by the tested library in order to find potential vulnerabilities. The problem, however, is that in the case of complex file formats, bit flips do not generate valid files. The researchers have overcome this challenge by defining what they call “innovative mutation operators” that work on the virtual file structure rather than the bit level, which helps ensure that files remain valid.
- Announcing the Google Security and Privacy Research Awards
- Sennheiser Debacle: The Consequences of Poorly Secured Certificates - Security Boulevard - The Sennheiser software in question was used to set up and manage softphones that allow users to make phone calls on a computer instead of using a physical phone. To do this, the company needed its headphones and speakerphones to work seamlessly with the computer, and the way it did that was by establishing an encrypted WebSocket with a browser. That process involved installing a self-signed TLS certificate in the operating system's trust store, the central place where browser-trusted root CA certificates are stored. Because the matching private key shipped inside the installer, anyone who extracted it could issue certificates for any site that every affected machine would trust.
- Las Vegas police crack down on black market pot sales - Hrm... Calhoun did not immediately have the statistics to compare illegal activity related to marijuana before and after the start of recreational sales. However, police said that in the last year detectives seized 457 pounds of THC oil, up 65 percent from the year before. Detectives also seized 300 pounds of marijuana wax, up 60 percent.
- 5 ways open source software companies make money - Timescale - From analyzing successful open-source companies today, five common business models emerge: support, hosting, restrictive licensing, open-core, and hybrid licensing.
- 5 ways to better educate developers on application security | TechBeacon - Yet, with most schools teaching advanced computer science concepts in years three and four, getting students up to speed in security is difficult, because a security focus can quickly turn digestible lessons into major projects. "You can make things massively more complicated. Even the typical 'Hello, World'—your basic application—turning that into 'Hello, Secure World' is hundreds of lines. You have turned a very simple introduction into a massive process." —Jeff Williams
- China's pornography laws are a backdoor for censorship
- Massage app data breach reveals which clients asked for sexual favors - This will not be a happy ending: A massage app recently left its database containing 309,000 customer profiles exposed to the public, including information about clients who have been accused of sexual misconduct. (and yes, I really added this story just so I could make that joke...)
- Autonomous cyber defences are the future: Richard Stiennon | ZDNet - That means autonomous security orchestration handling everything from detecting an intrusion as early as possible, deciding how to respond, identifying and isolating infected machines, and pushing out updates for firewall rulesets, network segmentation, and access controls. "That's a scary prospect for most of us. Most of our processes we don't trust that much, but we have to, to get to the point where we can trust that we can defend ourselves in that automatic way."
- Microsoft Helps Police Shut Down Fake Tech-Support Centers in India - The company also told the Times that Microsoft spots about 150,000 pop-up ads related to the scams every day. To fight back, the company has been dedicating resources to help authorities track down fake call centers in India, where the company says many fake tech-support scams are based.
- Home Routers Under Attack by NSA-Spawned Malware: What to Do - Cybercriminals have learned how to abuse UPnP on older routers and get past the routers to directly attack Windows PCs on home and small-business networks. Akamai has dubbed this technique "UPnProxy": the router's own UPnP interface is reached from the WAN side and used to inject NAT forwarding rules. The most recent slew of attacks comes from a campaign Akamai calls "EternalSilence", in a nod to the NSA-developed "Eternal" family of exploits, which adds rules exposing internal hosts' SMB ports (TCP 139/445) to the internet.
- Data Exfil via Smart Bulbs
- Italian authorities have no idea who hacked Hacking Team
- From the “No Shit, Really?” Department, Russian hackers haven't stopped probing the US Power Grid…
- Two Iranians indicted in SamSam attacks on the city of Atlanta
- Microsoft fesses up about what caused their MFA outage