Episode 600

From Paul's Security Weekly

Recorded April 11, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.


  • Announcements

    • Register for our upcoming webcast with ServiceNow by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.

    • If you have a suggestion for a guest on any of our shows, fill out the form at securityweekly.com/guests. We released our 2019 Security Weekly 25 Index Survey. Please go to securityweekly.com and click the Survey link to help us understand who’s evaluating, using, or formerly used any of the Security Weekly 25 companies. The results will be summarized and presented back to all responders in a private webcast.

    • Some of you told us that you are overwhelmed by the amount of content we distribute! In an attempt to make it a little easier for you to find what you’re interested in, we’ve created our new listener interest list! Sign up for the list and select your interests by visiting securityweekly.com/subscribe and clicking the button to join the list!
    • The Layer 8 Conference has two tracks of talks on social engineering and Open Source Intelligence gathering. The conference is the only one of its kind and will be on Saturday, June 8th in Providence, Rhode Island. Check out the Mental Health Hackers village, the TOOOL lockpick village, the CTF with Trace Labs, all at layer8conference.com
    • John Strand will be teaching Active Defense and Cyber Deception at Black Hat 2019. Please register here! https://www.blackhat.com/us-19/training/schedule/index.html#a-guide-to-active-defense-cyber-deception-and-hacking-back-14124

    Interview: Gabriel Gumbs, Spirion - 6:00-6:30PM

    Gabriel Gumbs is the VP of Product Management at Spirion.
    Gabriel Gumbs is the VP of Product Management at Spirion where his focus is on the strategy and technology propelling Spirion’s rapidly-growing security platform. A cybersecurity industry veteran with a 19 year tenure in CyberSecurity, he has spent much of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.


    1. What is "sensitive" data?
    2. How can you start to develop classifications of data?
    3. Given large data stores and fast networks, how can you detect sensitive data?
    4. What if data is encrypted? How do you detect the sensitivity level at rest and in motion?
    5. Most organizations don't know what assets they have, how can we detect sensitive data on assets we don't know exist?

    Interview: Merissa Villalobos & Jessica Gullick, Women's Society of Cyberjutsu - 6:30 - 7:30PM

    Merissa Villalobos is on the SoCal Leadership Team at Women's Society of Cyberjutsu.
    Merissa Villalobos is the North America Talent Acquisition Leader for NCC Group, a global security consulting firm and has been recruiting in security for 10 years. She got her start in Virginia, at a Federal Government contractor, filling roles for the intelligence community and various Government Agencies. After returning home to Los Angeles, California, she transitioned from the Government contracting world to security consulting firms, where she has built talent teams from scratch and strategically grown professional services teams by matching diverse talent with the right roles. Due to her passion and dedication to the industry, she has made over 1,000 security hires and counting. In addition to the WSC SoCal Leadership Team, Merissa is a Board Member of ISSA Los Angeles. She is a frequent “con” attendee and volunteer, panelist, and avidly volunteers as a career coach and resume reviewer for events like TiaraCon, Day of Shecurity, LayerOne, Hacking Diversity, and BSides Las Vegas. She is a co-organizer for ShellCon, where she also gave her first talk in 2018, describing the benefits of diversity.

    Topic: What WSC is doing and how they can get involved.

    Jessica Gulick is the CEO & Founder of Katzcy.
    Jessica Gulick leads Katzcy Consulting, a growth hacker company that helps tech firms grow through strategy, market research, and digital marketing. With 20+ years in cybersecurity, she is a seasoned cybersecurity manager, marketer, consultant, and expert with a substantial network of technical and executive peers. Jessica has led cybersecurity teams delivering over $15M in services to both the government and financial institutions. As a CMO, Jessica has also led global cybersecurity marketing programs. She has been a contributing author to a number of NIST Special Publications on Security in SDLC, Security Categorization, PRISMA, and Training. Jessica has an MBA from Virginia Tech, is a Certified Information Systems Security Professional (CISSP) and is a Certified Project Management Professional (PMP).



    1. What is the Women's Society of Cyberjutsu?
    2. How do women get involved and how does it help them?
    3. Is it free to join?
    4. How do you help women find careers in tech?
    5. How can someone apply to be a mentor?
    6. There is a study that shows at one time doctors were 85% men, and now it's a 50/50 split. How can we use this as a model (or can we?)? (Ref: https://www.athenahealth.com/insight/healthcare-future-female)
    7. What can we do to ensure there is equal pay, as this still appears to be a problem!?
    8. What can others do to support WSC?



    If anyone has questions, they can visit our website at https://womenscyberjutsu.org/ or reach out to me directly, I’m always happy to help!


    For Non-Members

    • How to become a member: https://womenscyberjutsu.org/page/Join

    • May 14-17 - ISSA-LA Summit XI - https://summit.issala.org/
      • Founder Lisa Jiggetts is speaking
      • Hosting CTF4Noobz: CTF Workshop + Competition. Thursday, May 16, 10:00am - 5:20pm in the Marion Davies Guest House.
      • We will also have a booth to connect 1-on-1 with people
      • Discount code for your referrals is Community-20off

    • May 26-26 - LayerOne - https://www.layerone.org/venue/
      • We will have a table
      • Discount code soon to come

    • Date TBD - Pasadena City College and WSC are hosting a CTF
      • Free training workshops plus finale CTF in June

    • Aug 8 - Las Vegas, during hacker summer camp

    For Paid Members

    • Founder Lisa Jiggetts is starting a free web hacking study group - "Web Hacking Dojo" (learning plan attached with NCC Group’s recommended reading list)
      • Purpose: to learn web hacking in a group environment, sharing how-to’s, tips, etc. The goal is to have the participants at a skill level to work as a pentester, web app (maybe mobile) tester, or bug bounty hunter.
      • Once a week, every Tue 6:30-8:30pm PST (in-person/online combo)
      • Note: This is a peer-to-peer format, led by a facilitator. This is not a class or instructor-led event; it is more like a study group. We are not creating new curriculum, but will be leveraging learning resources already out there. At the end of the cycle, participants can take challenges/play CTFs, which can be used for gauging skill level and possible employment opportunities.

    Security News - 7:30PM-8:30PM

    Paul's Stories

    1. Patch blues-day: Microsoft yanks code after some PCs are rendered super secure (and unbootable) following update - It's all a bit unfortunate, since the patches include security fixes that administrators should really install sooner rather than later. And yes, both the security-only updates and monthly roll-ups are affected. Ugh. Also, your system crashes if you have Sophos (and other) endpoint protection software installed. I am curious how the update broke these systems, could this be an exploit?
    2. Bitcoin mining ban considered by China's economic planner - A notice published online in Mandarin by the country's economic planning agency added "virtual currency mining activities [including] the production process of Bitcoin" to a list of industries that could be shut down. The suggestion is that the power consumed by the industry contributes to pollution and wastes resources. Pollution and waste resources, riiiight.
    3. Yahoo strikes $117.5 million data breach settlement after earlier... - Yahoo has struck a revised $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. So, 3 billion accounts were affected in this breach, meaning $0.04 per user? Or do I suck at math? Or is that not how it works?
    4. Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords - These attacks will be around for a while: There are two ways to perform such a downgrade hack. The first is to perform a man-in-the-middle attack that modifies the wireless beacons in a way that makes a WPA3-enabled router represent itself as being able to only use WPA2. While a WPA3 client device will eventually detect the spoofed beacons and abort the handshake, this security mechanism isn’t tripped until after the attacker has captured the four-way handshake. A variation of this downgrade attack—usable if the SSID name of the targeted WPA3 network is known—is to forgo the man-in-the-middle tampering and instead create a WPA2-only network with the same name. As long as clients are in transitional mode, they will connect to the WPA2-only access point. As soon as that happens, attackers have the four-way handshake.
    5. Regulating the IoT: Impact and new considerations for cybersecurity and new government regulations - Help Net Security - Not too helpful: Last year, California became the first state in the U.S. to pass a cybersecurity law covering IoT devices: SB-327, set to be put into law in 2020. The law requires that manufacturers of a device that connects directly or indirectly to the internet must be equipped with “reasonable” security features that are designed to prevent unauthorized access, modification or information disclosure. The bill aims to protect consumers as a first step, but could also potentially be applied to larger, enterprise solutions with future revisions.
    6. Docker, Nginx & Letsencrypt: Easy & Secure Reverse Proxy - If you are looking for an easy project to learn Docker, this article is helpful.
    7. How HTML5 Ping Is Used in DDoS Attacks - "The attacker, probably using social engineering, forced users to visit a website that contained malicious JavaScript," Vitaly Simonovich, security researcher at Imperva, told eWEEK. "This script generated links with the target site in the 'ping' attribute and clicked it without personal involvement of the user. Auto-generated clicks reflected as ping back to the victim, continuously, the entire time the user stayed on the webpage."
    8. WikiLeaks Founder Julian Assange arrested and charged in US with computer hacking conspiracy - But why? According to a note released by London’s Metropolitan Police Service, the arrest happened just after the Ecuadorian government withdrew his political asylum today.
    9. CIOs and CISOs hold off on crucial updates due to potential impact on business operations - Help Net Security - This is actually the most interesting stat in the article: the majority (80%) of CIOs and CISOs have found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result. And this problem is only going to get worse as it becomes easier to deploy new technology and applications, along with the cost going down.
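    Both WPA3 downgrade variants in story 4 leave a fingerprint on the air: either a known BSSID suddenly advertises PSK-only, or an unknown BSSID appears under the protected SSID without SAE. The check below is an added example for this page, not code from the show or from the Dragonblood researchers; the inventory, BSSIDs and beacon observations are constructed for the illustration, and the field names mirror what a wireless IDS or site-survey export typically provides.

```python
"""Added example: flag beacon observations that match the WPA3 downgrade patterns
described above. Everything here is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    akms: frozenset  # AKM suites from the RSN element, e.g. {"SAE"}, {"PSK"}, {"PSK", "SAE"}


# Hypothetical inventory of networks we operate: SSID -> (authorized BSSIDs, expected AKMs).
# "corp-wifi" is a WPA3 network; transition-mode APs may legitimately add "PSK" to "SAE".
AUTHORIZED = {
    "corp-wifi": (
        frozenset({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}),
        frozenset({"SAE"}),
    ),
}


def check_beacons(beacons, authorized=AUTHORIZED):
    """Return (finding, ssid, bssid) tuples for beacons that look like a downgrade attempt.

    downgraded-beacon : one of our own BSSIDs is advertising the SSID without SAE
                        (story 4's first variant: tampered beacons on the real AP)
    rogue-wpa2-twin   : an unknown BSSID advertises our SSID with no SAE at all
                        (story 4's second variant: a WPA2-only network with the same name)
    unknown-bssid     : an unknown BSSID advertises our SSID but does offer SAE
    """
    findings = []
    for b in beacons:
        if b.ssid not in authorized:
            continue  # not a network we protect; out of scope for this check
        known_bssids, expected_akms = authorized[b.ssid]
        offers_sae = "SAE" in b.akms
        if b.bssid not in known_bssids:
            kind = "unknown-bssid" if offers_sae else "rogue-wpa2-twin"
            findings.append((kind, b.ssid, b.bssid))
        elif "SAE" in expected_akms and not offers_sae:
            findings.append(("downgraded-beacon", b.ssid, b.bssid))
    return findings


# Constructed observations: one healthy transition-mode beacon, one tampered beacon
# on a real AP, one evil twin, and an unrelated network that is ignored.
SAMPLE_BEACONS = [
    Beacon("corp-wifi", "aa:bb:cc:00:00:01", frozenset({"PSK", "SAE"})),
    Beacon("corp-wifi", "aa:bb:cc:00:00:02", frozenset({"PSK"})),
    Beacon("corp-wifi", "de:ad:be:ef:00:01", frozenset({"PSK"})),
    Beacon("guest-wifi", "11:22:33:44:55:66", frozenset({"PSK"})),
]

if __name__ == "__main__":
    for finding in check_beacons(SAMPLE_BEACONS):
        print(*finding)
```

    The check only tells you that a downgrade-shaped condition exists; the mitigation the story implies is on the client and AP side (do not stay in transition mode longer than needed, and make sure clients that have seen SAE for an SSID refuse PSK for it). Feed it from whatever your WIDS exports, and alert on `downgraded-beacon` and `rogue-wpa2-twin` as high priority.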
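    The HTML5 ping flood in story 7 is easy to recognize at the receiving end, because hyperlink-auditing requests are POSTs the browser marks with `Content-Type: text/ping` and a `Ping-To` header. The WSGI middleware below is an added example written for this page, not code from Imperva or from the eWEEK article; the request dictionaries it runs are constructed, and the 403 response is one reasonable choice (a 204 with no body would shed load just as well).

```python
"""Added example: drop HTML5 hyperlink-auditing pings before they reach the app.
The sample WSGI environ dicts are constructed for illustration."""
import io


def is_hyperlink_audit_ping(environ):
    """True when the request looks like a browser-generated <a ping> POST.

    Browsers send these with Content-Type text/ping and a Ping-To header; either
    marker alone is enough for us, since no normal form or API call carries them.
    """
    if environ.get("REQUEST_METHOD", "").upper() != "POST":
        return False
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    return ctype == "text/ping" or "HTTP_PING_TO" in environ


class DropPingsMiddleware:
    """Wrap any WSGI app; pings get an empty 403, everything else passes through."""

    def __init__(self, app):
        self.app = app
        self.dropped = 0  # counter a metrics exporter could scrape to spot a flood

    def __call__(self, environ, start_response):
        if is_hyperlink_audit_ping(environ):
            self.dropped += 1
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application being protected."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run(environ, app=None):
    """Push one request through the wrapped app; return (status line, body)."""
    app = app or DropPingsMiddleware(demo_app)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Constructed requests: what a ping from the malicious page looks like, and a normal GET.
PING_REQUEST = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/",
    "CONTENT_TYPE": "text/ping",
    "HTTP_PING_TO": "https://victim.example/",      # placeholder target URL
    "HTTP_PING_FROM": "https://attacker.example/",  # placeholder referring page
    "wsgi.input": io.BytesIO(b"PING"),
}
NORMAL_REQUEST = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}

if __name__ == "__main__":
    print(run(PING_REQUEST)[0])    # 403 Forbidden
    print(run(NORMAL_REQUEST)[0])  # 200 OK
```

    Two caveats: this protects only the application tier, so under a real flood you would push the same match (`Content-Type: text/ping` or a `Ping-To` header) to the edge proxy or WAF; and if your own pages use `<a ping>` for legitimate click tracking, exempt that endpoint rather than dropping every ping.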

    Lee's Stories

    1. DMSniff POS Malware uses DGA to stay active - DMSniff malware uses DGA techniques to avoid detection, scrapes memory directly for card numbers, and sends them to the C2. Includes 11 variants of DGA.

    Larry's Stories

    Dragonblood, and not even winning with Charlie Sheen

    Doug's Stories