Episode584

From Paul's Security Weekly
Jump to: navigation, search

Paul's Security Weekly #584

Recorded November 29, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Carlos Perez
    is currently the Principal Consultant, Team Lead for Research at TrustedSec.
  • Jeff Man
    Cryptanalyst,
    infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Not Kevin
    Senior Security Engineer at Barkly, Co-Founder of Vermont Hackspaces, definitely Not Kevin.
  • Lee Neely
    is the Sr Cyber Analyst at LLNL,SANS Analyst


  • Announcements

    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Join us for our Webcast with Chronicle entitled "Intelligence Powered Malware Hunting". This webcast will be held December 5th @3-4pm EST. Go to securityweekly.com/chronicle to register now!

    Interview: Wietse Venema & Dan Farmer, SATAN - 6:00-7:00PM

    Wietse Venema
    is a developer of SATAN.
    Wietse Venema is known from the Postfix open source mail server, from the SATAN network scanner (with Dan Farmer), from the Coroner's Toolkit (also with Dan Farmer), and from the TCP Wrapper. Wietse is currently a software engineer.

    Dan Farmer
    is an Independent Consultant and a developer of SATAN.


    In 1995, Farmer and Wietse Venema (a Dutch programmer and physicist) developed a second vulnerability scanner called the Security Administrator Tool for Analyzing Networks (SATAN). When they published SATAN, some network administrators and law enforcement personnel believed that hackers would use it to identify and break into vulnerable computers. Consequently, SGI terminated Farmer's employment. Within a few years, the use of vulnerability scanners such as SATAN became an accepted method for auditing computer and network security.







    Dan Farmer is an American computer security researcher and programmer who was a pioneer in the development of vulnerability scanners for Unix operating systems and computer networks. Dan Farmer is known for Computer Oracle and Password System (COPS) and Security Administrator Tool for Analyzing Networks (SATAN).


    1. How did you get your start in information security?
    2. How did the two of you meet?
    3. Dan, What (or who) prompted you to begin work on COPS, The Computer Oracle and Password System?
    4. How did UNIX systems administrators receive COPS? Were many even thinking about hardening systems in 1989?
    5. Are all 12 of the conditions tested by COPS still valid controls on systems today?
    6. Many believe that discovering vulnerabilities on the system itself is better than scanning over the network, yet you went on to develop a network vulnerability scanner with Wietse, why the change in strategy?
    7. What was the problem you were trying to solve when you first decided to write SATAN?
    8. What was the motivation behind giving SATAN away for free?
    9. How was SATAN received by the security community and others?
    10. What did you write SATAN in and how did users interact with it?
    11. When and why did you stop developing SATAN and how come you decided not to turn it into a commercial project?
    12. Other than your monitor spinning in circles, how else could you detect if your system was being scanned by SATAN?
    13. SATAN, despite the name, was intended for good, though some may have used it for malicous purposes, was this a concern back then?
    14. After SATAN you both collaborated on The Coroner's Toolkit (or TCT), what were the goals of this project?
    15. Do you still review bug reports and/or feature requests for youe open-source projects?
    16. How has the security of open-source software changed over time, or has it?
    17. What advice do you have for people just getting into the security field today?

    PS. I love this: https://archive.org/details/nc101_hackers

    Tech Segment: Sven Morgenroth, Netsparker - 7:00PM-7:30PM

    Sven Morgenroth, Security Researcher at Netsparker
    Sven Morgenroth is a security researcher at Netsparker. He found filter bypasses for Chrome's XSS auditor and several web application firewalls. He likes to exploit vulnerabilities in creative ways and has hacked his smart TV without even leaving his bed. Sven writes about web application security and documents his research on the Netsparker blog.

    Sven will talk about PHP Object injection vulnerabilities and explain the dangers of PHP's unserialize function. He will show the format of serialized PHP Objects, explain PHP's magic methods and how to write an exploit for a PHP Object Injection vulnerability during his technical demo.


    https://www.netsparker.com/blog/web-security/untrusted-data-unserialize-php/

    Learn more about Netsparker here

    Security News - 7:30 - 8:30PM

    Paul's Stories

    1. Insiders Are Serious Threats to Cybersecurity in an Organization - Workforce - No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who wants to cause harm to do damage.
    2. Kubernetes SecurityAre your Container Doors Open?
    3. Netflix Information Security: Preventing Credential Compromise in AWS
    4. Hackers Breach Dunkin Donuts Accounts in Credential Stuffing Attack
    5. The Return of Email Flooding - In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.
    6. Researchers Introduce Smart Greybox Fuzzing | SecurityWeek.Com - In coverage-based greybox fuzzing, the fuzzer is provided a seed file and it randomly flips, deletes, copies or adds bits in order to generate new files that can be parsed by the tested library in order to find potential vulnerabilities. The problem, however, is that in the case of complex file formats, bit flips do not generate valid files. The researchers have overcome this challenge by defining what they call “innovative mutation operators” that work on the virtual file structure rather than the bit level, which helps ensure that files remain valid.
    7. Announcing the Google Security and Privacy Research Awards
    8. Sennheiser Debacle: The Consequences of Poorly Secured Certificates - Security Boulevard - The Sennheiser software in question was used to set up and manage softphones that allow users to make phone calls on a computer instead of using a physical phone. To do this, the company needed its headphones and speaker phones to work seamlessly with computer. And the way they did that was by establishing an encrypted Websocket with a browser. That process involved installing a self-signed TLS certificate in the operating system’s trust store, the central place where browser-trusted root CA certificates are stored.
    9. Las Vegas police crack down on black market pot sales - Hrm... Calhoun did not immediately have the statistics to compare illegal activity related to marijuana before and after the start of recreational sales. However, police said in the last year, detectives seized 457 pounds of THC oil which is up 65 percent from the year before. Detectives also seizes 300 pounds of marijuana wax which is up 60 percent.
    10. 5 ways open source software companies make money Timescale - From analyzing successful open-source companies today, five common business models emerge: Support, Hosting, Restrictive licensing, Open-core, Hybrid licensing
    11. 5 ways to better educate developers on application security | TechBeacon - Yet, with most schools teaching advanced computer science concepts in years three and four, getting students up to speed in security is difficult, because a security focus can quickly turn digestible lessons into major projects. "You can make things massively more complicated. Even the typical 'Hello, World'—your basic application—turning that into 'Hello, Secure World' is hundreds of lines. You have turned a very simple introduction into a massive process." —Jeff Williams
    12. Chinas pornography laws are a backdoor for censorship
    13. Massage app data breach reveals which clients asked for sexual favors - This will not be a happy ending: A massage app recently left its database containing 309,000 customer profiles exposed to the public, including information about clients who have been accused of sexual misconduct. (and yes, I really added this story just so I could make that joke...)
    14. Autonomous cyber defences are the future: Richard Stiennon | ZDNet - That means autonomous security orchestration handling everything from detecting an intrusion as early as possible, deciding how to respond, identifying and isolating infected machines, and pushing out updates for firewall rulesets, network segmentation, and access controls. "That's a scary prospect for most us. Most of our processes we don't trust that much, but we have to, to get to the point where we can trust that we can defend ourselves in that automatic way."
    15. Microsoft Helps Police Shut Down Fake Tech-Support Centers in India - The company also told the Times that Microsoft spots about 150,000 pop-up ads related to the scams every day. To fight back, the company has been dedicating resources to help authorities track down fake call centers in India, where the company says many of fake tech support scams are based.
    16. Home Routers Under Attack by NSA-Spawned Malware: What to Do - Cybercriminals have learned how to take advantage of the UPnP protocols on older routers and get past the routers to directly attack Windows PCs on home and small-business networks. Akamai has dubbed this flaw “UPnProxy.” The most recent slew of attacks comes from an exploit that Akamai calls “EternalSilence” in a nod to the NSA-developed “Eternal” family of malicious code injections.

    Larry's Stories

    1. Data Exfil via Smart Bulbs
    2. Italian authorities have no idea who hacked Hacking Team
    3. From the “No Shit, Really?” Department, Russian hackers haven't stopped probing the US Power Grid…
    4. Two Iranians indicted in SanSan attacks on the city of Atlanta
    5. Microsoft fesses up about what caused their MFA outage

    Jeff's Stories

    1. Amazon Suffered a Data Breach Before Black Friday

    Lee's Stories

    Not Kevin's Stories