Episode 603

From Paul's Security Weekly

Recorded May 9, 2019 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist, Tribe of Hackers, & InfoSec Curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Lee Neely
    Sr. Cyber Analyst at LLNL, SANS Analyst, SANS NewsBites Editor.


  • Announcements

    • Some of you told us that you are overwhelmed by the amount of content we distribute! In an attempt to make it a little easier for you to find what you’re interested in, we’ve created our new listener interest list! Sign up for list and select your interests by visiting: securityweekly.com/subscribe and clicking the button to join the list! You can also now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
    • Register for our upcoming webcasts with Kaseya & SaltStack by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.
    • Security Weekly is returning to Vegas this August for BlackHat and DefCon! If you would like to request a briefing or sponsor an interview on-site at BlackHat, please go to securityweekly.com/booking and submit your request!
    • Attending KubeCon and CloudNativeCon Europe 2019 in Barcelona May 20-23, 2019? Join your peers at the Cloud-Native Transformation Summit 2019 hosted by Sysdig on May 20th. Our very own Matt Alderman will be emceeing the event. Pre-registration is required. You can add it on during your KubeCon + CloudNativeCon registration.

    Interview: Lesley Carhart, Dragos Inc. - 6:00-6:30PM

    Lesley Carhart is the Principal Threat Analyst at Dragos Inc.
    Lesley has been performing digital forensics and incident response on unconventional systems and advanced adversary attacks for over a decade. Some people, certification companies, and awards presenters think she might be pretty okay at it. In her free time, she fights (willing?) people with knives, and answers people’s infosec questions on Twitter instead of sleeping. Her goal in 2019 is to earn enough exp to become a level 14 rogue.


    • What has it been like moving from IT security to OT security?
    • Do you find it difficult to earn the trust of OT folks in ICS? If you haven't walked a mile in their shoes, they tend to find people who have and trust them much more.
    • DFIR in ICS - What is it like doing forensics in this environment? Firmware? Micro-code?
    • What are some common misconceptions that we can dispel about ICS security:
      • The state of ICS security - is it totally horrible and like hacking in the 90s all over again?
      • Why are there so many security issues in ICS? We are defending critical infrastructure, yet most financial organizations are light years ahead on the security front? True?
      • How are the ICS industries dealing with the problems? Which industries are making the most progress? Which ones are making little progress?
      • Why are so many legacy systems in use in ICS?
      • Legislation will solve all of our problems, right?
      • What ICS threats really keep you awake at night?
    • Tell us about your crazy smart apartment antics

    Interview: Chris Sanders, Applied Network Defense & Rural Technology Fund - 6:30-7:30PM

    Chris Sanders is the founder of Applied Network Defense, a company focused on delivering high quality, accessible information security training. He is also the Director of the Rural Technology Fund, a non-profit that donates scholarships and equipment to public schools to further technical education in rural and high poverty areas. He is the author of Applied Network Security Monitoring and Practical Packet Analysis. You can connect with Chris on his blog at http://www.chrissanders.org or on Twitter @chrissanders88.

    Chris blogs at http://www.chrissanders.org. You can learn more about Applied Network Defense at http://www.appliednetworkdefense.com and the RTF at http://www.ruraltechfund.org.



    1. How did you get your start in information security?
    2. What prompted you to be a leader and a teacher in our field?
    3. Why did you set out to author "Applied Network Security Monitoring and Practical Packet Analysis"?
    4. With security shifting to applications, users and data, how important is network security when users are mobile? Apps are in the cloud? Data is accessed from all over?
    5. What network security concepts do you believe will carry forward into the future for years to come?
    6. I just have to know the story behind the free course on the Cuckoos Egg.
    7. What does Applied Network Security do? How many people? When did it start?
    8. What other courses do you offer? Do you teach them all?
    9. What is the most popular course and why?
    10. Tell us about the Rural Technology fund, what is its mission and how did it start?
    11. Is data destruction on old hardware an issue preventing companies from donating hardware?
    12. Is this a global or regional effort?
    13. How can the community get involved?

    Security News - 7:30PM-8:30PM

    Paul's Stories

    1. Locked Computers - Schneier on Security - Best part is from the comments: The problem? Mice were stolen regularly. We've made a contraption: got out one unused backplate from each case, drilled two holes through it and ran mouse cable through them (plus some rubber padding). Then we screwed the backplates back in and closed the cases. The cable ran from the serial port plug through the drilled backplate (in and out) and then to the mouse itself. You couldn't steal the mouse now without cutting the cable or opening the locked case. Problem solved - for some time. Some time later someone - probably out of frustration that he can't steal mice - stole all the balls from them. That was over the top. We've closed the venue and posted a message "Closed until all balls are returned". Some patrons must have got really angry at the thief and had a few pleasant words with him - the balls were found in a bag near the door next morning...
    2. Choosing Imagery for Your Security Awareness Program - If the only tip you take from this article is this, you are winning: Instead, look for imagery that works to evoke emotion. You can do this with imagery that is positive, colorful, and inviting. Unexpected image compositions can also help give a modern look and feel to your campaign.
    3. Top 5 Configuration Mistakes That Create Field Days for Hackers - Sometimes I believe we complicate security too much. This article highlights 1. Default passwords 2. Password re-use 3. Exposed remote management services 4. Missing patches 5. Logging disabled or non-existent.
    4. Quantifying Measurable Security - Okay, but so why is Android not-so-secure? Both Android and Chrome OS have dedicated security teams who are tasked with continually enhancing the security of these operating systems through new features and anti-exploitation techniques. In addition, each team leverages a mature and comprehensive security development lifecycle process to ensure that security is always part of the process and not an afterthought.
    5. Facial recognition will not ensure public safety and here's why - This is why it will never work: Detecting faces means also detecting emotions: if you look worried, angry or nervous, the machine will spot it, and think maybe, you’re up to no good…
    6. WordPress 5.2 Brings New Security Features | SecurityWeek.Com - For the first release, WordPress will (by default) soft-fail if the signature is not valid. In future releases, the default will be configured to a hard failure. The reason for this unsafe default is to ensure updates aren't blocked if there’s a bug in the update code. Okay great, you are validating software updates. WTF, is this really how attackers are exploiting WordPress? No. It's through the plugins. Good solution, wrong problem to solve.
    7. Hackers exploit Jenkins flaw CVE-2018-1000861 to Kerberods malware
    8. Securing satellites: The new space race - Help Net Security - Okay, sign me up: For hackers with deeper pockets, they could realistically launch their own CubeSat into orbit and then conduct hacking operations from there. The benefits are primarily related to proximity to other satellites and not having to wait for a satellite to pass over the ground station to perpetrate an attack. Whatever the method, compromising a satellite is now a realistic and attainable opportunity for hackers.
    9. MobileIron introduces zero sign-on technology to eliminate passwords - Help Net Security
    10. How to Communicate Privately in the Age of Digital Policing
    11. Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked - This is not a big deal for two reasons: 1) Most Alpine containers do not contain a shell (and certainly you can configure them that way), minimizing the likelihood that PAM can even be accessed to exploit this flaw 2) This only gets you "root" inside the container, not the host system or any other containers.
    12. Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers - VICE
    13. San Diego man arrested after rifle-shaped bong causes gun scare - I mean okay, for one marijuana is legal in CA. Two, I mean people in CA love their weed, so I can see people getting bored and being like "Dude, ya know man, we should get a bong that's a rifle, like a rifle bong". And if you do that in the comfort of your own home, not having to drive or have much other responsibilities, I'm cool with it. However, they smoked out of this thing in a hotel room in full view of a WINDOW. Common sense was absent that day.
    14. 'Software delivered to Boeing' now blamed for 737 MAX warning fiasco
    15. Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers
    16. Extinguishing the IoT Insecurity Dumpster Fire
    17. Microsoft Windows 10 will get a full built-in Linux Kernel for WSL 2 - If you're going to run Linux, just run Linux... I do want to see a lower cost device, that actually works, that is a small computer that sits in a PCIe slot that you can run Linux on. Heck, I run Linux and I'd still buy one just to have an extra Linux box in my computer.
    18. Amazon workers purloin $100,000 worth of Apple Watches | Cult of Mac
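    For the Alpine root-account item above, the defender's check is whether the root line in an image's /etc/shadow has an empty password field (passwordless) or a locked marker. This is an added example, not code from the show or from the Alpine project; the two shadow files below are constructed samples.

```python
"""Audit the root entry of an /etc/shadow file: locked, passwordless, or hashed.

Added example with constructed sample data (not Alpine's actual files).
Usage against an image (assumed to have `cat` available):
    docker run --rm IMAGE cat /etc/shadow | python3 shadow_root_check.py
"""
import sys

# Constructed sample: root line as it looks when the password field is empty,
# the condition described in the story. Login checks that allow an empty
# password field (e.g. PAM with nullok) would then accept root without a password.
SHADOW_UNLOCKED = "root::0:0:::::\nbin:!::0:::::\n"

# Constructed sample: root locked with "!" in the password field.
SHADOW_LOCKED = "root:!::0:::::\nbin:!::0:::::\n"


def root_password_state(shadow_text: str) -> str:
    """Return 'passwordless', 'locked', 'hashed', or 'missing' for the root entry."""
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] != "root":
            continue
        pw = fields[1] if len(fields) > 1 else ""
        if pw == "":
            return "passwordless"   # empty field: the finding from the story
        if pw.startswith(("!", "*")):
            return "locked"         # "!" / "*" prefix: no password will ever match
        return "hashed"             # a real password hash is set
    return "missing"


def is_root_unlocked(shadow_text: str) -> bool:
    """True only for the risky case: root present with an empty password field."""
    return root_password_state(shadow_text) == "passwordless"


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SHADOW_UNLOCKED
    state = root_password_state(data)
    print(f"root password state: {state}")
    # Non-zero exit lets this run as a gate in an image-build pipeline.
    sys.exit(1 if state == "passwordless" else 0)
```

    Mitigation in an image build is simply locking the account (e.g. `passwd -l root`) or keeping no shell in the image, which this check complements rather than replaces.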

    Larry's Stories

    1. Tenants win rights to have physical keys over smart locks
    2. backdoor getting commands from exchange
    3. Russians compromise three major AV companies
    4. Ever, a photo storage and backup app, reportedly used millions of images uploaded to the service to train a commercial facial recognition system that it offers to law enforcement and private companies. The problem, according to NBC News, is that Ever didn't disclose this to its app users.
    5. One week after a researcher revealed a publicly configured database exposing more than 275 million sensitive records on Indian citizens, a hacking group removed that data and replaced it with an apparent ransom note.

    Jeff's Stories

    1. Tribe of Hackers Summit - The event was live streamed, so here's the whole enchilada (I'm sorry, taco)
    2. Freedom Mobile Server Leak Exposed Customer Data - Log files, that explains it. But why were they passed to a third party?
    3. No Reason to Ship Credit Card Data to Third Parties, Says Former Freedom Mobile CISO - So much wrong with what is described here - and all fingers point to Freedom Mobile not the third party
    4. “RobbinHood” ransomware takes down Baltimore City government network

    Lee's Stories

    1. Microsoft WSL 2 Announced - WSL 2 will include a Linux kernel, with better integration. Still includes Debian package manager.
    2. Discontinued Insulin pump with security flaw in high demand - Users are hacking old insulin pumps, using OpenAPS, to provide looping of insulin for better quality of life.

    Johnny's Stories

    1. Airbnb Superhost Secretly Recorded Guests with Hidden Bedroom Camera - The article states: "The unfortunate guest told local news outlets that she worked in information security, and so was more vigilant than the average person when it came to always checking her hotel rooms for signs of surveillance devices. After inspecting and unscrewing the router, the guest found that there was a digital memory card inside." - Honestly, amazing discovery of a hidden camera. Who would think to look inside the router, finding a hidden cam, and then finding out the Airbnb host was filming people in the bedroom since March '19. Hats off, and check your s#&*!!