Episode620

From Paul's Security Weekly
Recorded September 19, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Lee Neely
    Sr. Cyber Analyst at LLNL, SANS Analyst, SANS NewsBites Editor.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.


  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020 and click the register button to register with our discount code!
    • Attend RSA Conference 2020, February 24-28 and join thousands of security professionals, forward-thinking innovators and solution providers for five days of actionable learning, inspiring conversation and breakthrough ideas. Register before January 24 and save $900 on a Full Conference Pass. Save an extra $150 by going to securityweekly.com/rsac2020 and use our code to register!
    • Our next webcast is February 13th with Sri Sundaralingam, Vice President, Product and Solutions Marketing at ExtraHop where we will discuss Cloud Native Network Detection and Response! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.


    Interview: Jason Lang, TrustedSec - 6:00-6:30PM

    Jason Lang is the Sr. Security Consultant of TrustedSec

    • Work on TrustedSec's Adversary Emulation and Threat Research team.
    • Job is red teaming, purple teaming, pentesting
    • In infosec for 10+ years, over 5 in offensive security / pentesting.
    • Enterprise background. Enjoy coding in C#, PowerShell, Python
    • DerbyCon speaker/trainer
    • "Amish Hacker". Live in the middle of nowhere. Hobbies: woodworking, fly fishing, beekeeping.

      Segment Topic:
      Anything Red/Purple teaming

      Segment Description:
      Modern day red teaming against some of the largest companies in the US. Current passion is Ansible for red teamers (i.e. fast infrastructure buildout)


    Tech Segment: Wes Widner, Hacker Halted Speaker - 6:30 - 7:30PM

    Wes Widner is the Cloud Engineering Manager at CrowdStrike
    Wes Widner engineers clouds with CrowdStrike. Large-scale distributed threat intelligence systems that span a range of threat vectors are his bread and butter. His work history includes data engineering with McAfee Labs’s Global Threat Intelligence department and malware pipelining with Norse Corporation. In his ample spare time, Wes also enjoys teaching children how to hack, ethically of course.

    Segment Topic:
    Audio Security

    Segment Description:
    Personal voice assistants are the wave of the future. So naturally we should wonder about the unique attack vectors they pose. I'd like to discuss my research into this field and share a few tips on how you can keep yourself safe around voice assistants.

    Segment Resources:
    https://github.com/kai5263499/audio-security-awesome


    Security News - 7:30PM-8:30PM

    Paul's Stories

    Larry's Stories

    1. Update on the Coalfire pentesters…
    2. WeWork WiFi - Documents sent on WeWork's unsecured network included financial records, bank account credentials and a cat photo of Nicolas Cage. Play stupid games, win stupid prizes.
    3. GitHub Acquires Semmle - does that mean we now get free code audits?
    4. Snowden sued for his memoir - because he did not submit it to the publications office first…
    5. MITRE updates the top CWE 25

    Lee's Stories

    1. iOS 13 Flaw Could Provide Access to Contacts without Passcode - iOS 13 flaw discovered in beta product. Likely fixed in iOS 13.1, scheduled for release September 20.
    2. Entercom Radio Network Deals with Ransomware-Like Incident - Malware infection stemming from programming department has spread. Internal memo released prohibiting external discussions of issues.
    3. SIM Flaw lets Hackers Hijack any Phone by sending SMS - Exploits vulnerability in S@T Browser to obtain location and IMEI information. Fix will require updated (replacement) SIM cards.
    4. Equifax demands more information before making payouts - While the Equifax settlement is out there, those signed up for payments are being asked more questions before payment is agreed to...
    5. LastPass Fixes Password-Leaking Flaw - LastPass browser plugin could expose credentials when used with Opera or Chrome. Update to 4.33.0 to resolve the problem.
    6. Cyber Fraud Hits Superannuation - As much as $10M AUD was stolen by fraud and ID theft syndicate. Stolen funds laundered through cryptocurrency and untraceable assets back to Australia.
    7. phpMyAdmin CSRF Zero-Day - CVE-2019-12922 CSRF vulnerability in phpMyAdmin can be used to delete any server configured through the setup panel. User interaction required to exploit. Not patched yet.
    8. Confidential Data of 24.3 Million Patients Discovered Online - 590 of 2300 medical imaging systems analyzed world-wide were found to be insecure, revealing X-rays, CT scans, MRI scans, etc. plus full names, DOB, exam dates and associated data. 39 servers had neither access control nor HTTPS access.
    9. CFPB probes fake credit card accounts at Bank of America - BofA accused of opening accounts without user consent, reminiscent of Wells Fargo. BofA also not collecting signature of intent for account openings.
    10. Google Calendars possibly leaking private information online - Shared Google Calendars are indexed by their search engine; the links to the indexed content are public. Accessing the link can be used to read/update the corresponding calendar. Review calendar sharing settings.
    11. CookieMiner malware targets Mac, steals passwords and SMS messages, mines for cryptocurrency - Hunts for files containing passwords, web auth tokens, private keys for cryptocurrency wallets. Mines for Koto, the Zcash-based cryptocurrency associated with Japan.
    12. New report: AI can't offer protection from 'deepfakes' - Beware of quick fixes; true detection is a complex problem, requiring social and technical fixes and detection capabilities.