From Security Weekly Wiki

Recorded September 12, 2019 at G-Unit Studios in Rhode Island!


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Lee Neely
    Sr. Cyber Analyst at LLNL, SANS Analyst, SANS NewsBites Editor
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jeff Man
    Infosec analyst
    Pioneering ex-NSA pen tester
    PCI specialist
    Tribe of Hackers
    InfoSec Curmudgeon
    Currently a Sr. InfoSec Consultant for Online Business Systems.

  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.

    Security News - 6:00-6:30PM

    Paul's Stories

    1. Gamification Can Transform Company Cybersecurity Culture - I don't buy it: According to findings from the American Psychological Association, competition increases physiological and psychological activation, which prepares employees’ minds for increased effort and enables higher performance. In this case, higher performance means being better able to detect and thwart security threats. Sure, it's great to create this sort of system, and it does help to a certain extent. However, if you train your employees to look for certain conditions that are malicious, you are going to lose at some point. Attackers change behavior and tactics all the time and you'll end up in a never-ending loop that always leaves a gap. Rather than look for certain conditions, change the behavior of the users in clear and concise ways.
    2. Simjacker attack exploited in the wild to track users for at least two years | ZDNet
    3. Ransomware Attack Hits School District Twice in 4 Months | SecurityWeek.Com - This is becoming VERY common. Sitting in the open house last night for our son's school, it turns out they were also victims of a ransomware attack.
    4. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs - Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone's SSH password, from Intel's CPU cache. Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel's DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.
    5. Firmware: A New Attack Vector Requiring Industry Leadership - The emergence of firmware as a new attack vector has reignited an age-old debate within industry: Who's responsible for addressing device cybersecurity? Is it the device manufacturer, or is it the company purchasing the device? This "chicken or the egg" debate has hampered cybersecurity for too long. First, firmware as an attack vector is not new. Second, the device manufacturer must be held responsible, at least in some capacity. Third, just as with software we purchase and run, firmware needs to be checked by the company who is running it to discover any vulnerabilities, backdoors or misconfiguration. Prove me wrong.
    6. Infosec prophet Bruce Schneier (peace be upon him) is only as famous as half of Salt-N-Pepa - Numbers four and five on Redscan's list are Bruce Schneier and Troy Hunt respectively, who rank alongside Sandra Denton (Pepa from 1980s hip-hop duo Salt-N-Pepa) and English footballer Lucy Bronze, who plays for French club Olympique Lyonnais. Push it real good Bruce...
    7. DNS-over-HTTPS Coming to Chrome 78 | SecurityWeek.Com - Yes, more features to make Chrome even slower and resource hungry.
    8. Attacking the VM Worker Process - Microsoft Security Response Center
    9. How a Nearly Forgotten (RIP) Physicist Shaped Your Internet Access - With multiple users sharing one computer, files had to be assigned to individual researchers, and available only to them. The availability was what led Dr. Corbato to develop the password system. In a system now familiar to everyone, every user was given a unique name and password, and their files stored in a way that they were available only to one user.
    10. Security holding back employers from meeting employees remote working expectations - Help Net Security - Interestingly, nine in ten (92%) workers believe it’s their employer’s responsibility to ensure IT security when using a different device or working remotely. However, the research also highlights that IT departments continue to face a balancing act between employee productivity and security – 42% of workers state that their company’s security policies make it more difficult to do their job. I'm convinced this story is 100% crap.
    11. Stealing JWTs in localStorage via XSS
    12. APIs Get Their Own Top 10 Security List
    13. A Definitive Guide to Crowdsourced Vulnerability Management
    14. Logitech keyboards and mice vulnerable to extensive cyber attacks - Mengs demonstrates how to infect a system with a backdoor (remote shell) through which he can control the system remotely by radio. In a way, it's an elegant hack, because he simply piggybacks on the wireless Logitech connection to infect the system and to communicate with the backdoor. That means even computers who are not online are ripe for the hack.
    15. Why Businesses Fail to Address DNS Security Exposures
    16. More than 99% of cyberattacks rely on human interaction - Help Net Security
    17. Stop Using CVSS to Score Risk | SecurityWeek.Com - I agree: I would caution any bug hunter, security analyst, software vendor, or device manufacturer to not rely on CVSS as the pointy end of the stick for prioritizing remediation. It is an important variable in the risk calculation – but it is not an adequate risk qualifier by itself. Prove me and Gunter wrong.

    Lee's Stories

    1. Fileless Malware Attacks up 265% - Trend Micro publishes trends for first half of 2019.
    2. China Hacks Asian Telcos to spy on Uighur Travelers - Beyond border installation of spyware on mobile devices, they are now tracking them on non-China services.
    3. New ransomware grows 118% as cybercriminals adopt fresh tactics and code innovations - McAfee Labs saw an average of 504 new threats per minute in Q1 2019, and a resurgence of ransomware.
    4. XKCD forum breach exposes 560,000 user accounts - Number one password: "Password"; number two: "correct battery horse staple."
    5. Soldiers may 'wear' unhackable computers into combat - Wearable systems with sensors and strong encryption aid soldiers on the front line. Unhackable? Padding messages with fake data, encrypting smaller chunks for efficiency - may work.
    6. Exploit for BlueKeep Windows Bug Released - The Metasploit framework released a "work in progress" exploit for BlueKeep (CVE-2019-0708). Vital to patch immediately. Tenable (and others) can detect unpatched systems.
    7. Telnet Backdoor Vulnerabilities impact IoT Radio Devices - Vulnerable telnet server on Telestar Digital GmbH IoT radio devices can be used to obtain privileges. Patch available.
    8. Period Tracker Apps share data with Facebook - Lots of sensitive information shared: health, sex life, mood, and more. Beware of side-effects from apps that share information about eating, health, spending or sensitive data.
    9. U.S. Cyber Command trolls North Korea with Malware Release - U.S. Cyber Command uploaded malware samples to VirusTotal 9/8/19; these belong to the HANGMAN family, used by the North Koreans since 2013. HANGMAN wraps communications in SSL, can upload/download/update files and system information. SSL header is standard, but payload is custom binary protocol.
    10. Wikipedia goes dark across Europe, Middle East after DDOS Attack - Details sketchy, but DDOS took Wikipedia out for several parts of the globe.
    11. NSA: Just say NO to Hacking back - NSA takes strong stance against hacking back. Hacking back can go wrong so many ways.
    12. Uninstall 24 Android Apps infected with new 'Joker' Malware - These apps made it into the Google Play store. While removed, if you don't have Play Protect, they require manual removal.
    13. Baltimore CIO, who managed Ransomware response, on leave - Scapegoat or legit failure? CIO on indefinite leave for lack of transparency, communication and having a response plan.

    Jeff's Stories

    1. Microsoft Patches 2 Windows Flaws Already Being Exploited
    2. Secret Service Investigates Breach at U.S. Govt IT Contractor
    3. Apple Slaps Google For Stoking Fear Over Massive iPhone Security Breach In Shockingly Rare Rebuttal
    4. Chinese Woman Who Breached Mar-A-Lago Security Found Guilty
    5. New cyber directorate reorgs to help NSA shift focus on nation state adversaries
    6. Google To Fix Malicious Invites Issue For 1 Billion Calendar Users
    7. HGTV’s restoration of Brady Bunch house unveiled—and they didn’t mess it up

    Joff's Stories

    Tech Segment: Peter Smith, Edgewise - 6:30 - 7:30PM

    Peter Smith is the Founder & CEO of Edgewise

    Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University’s first NAC system before it became a security category. Peter brings a security practitioner’s perspective to Edgewise with more than ten years of expertise as an infrastructure and security architect of data centers and customer-hosting environments for Harvard University, Endeca Technologies (Oracle), American Express, Fidelity UK, Bank of America, and Nike. Most recently, Peter was on the founding team at Infinio Systems where he led product and technology strategy.

    Segment Topic:
    Peter will be covering the Capital One breach and the AWS metadata service with request forgery.

    SE Village Interviews: Chris Kirsch and Micah Zenko - 7:30PM-8:30PM